From 1095231e3806a64e3a8b2c029704f3ee43c388a7 Mon Sep 17 00:00:00 2001
From: Yixuan Wang
Date: Tue, 21 Mar 2023 22:17:57 +0000
Subject: [PATCH] Add hal_contexthub_default to zuma sepolicy; Remove dontaudit rules for chre

[ 7.760870] type=1400 audit(1669944054.440:61): avc: denied { write } for comm="android.hardwar" name="chre" dev="tmpfs" ino=1099 scontext=u:r:hal_contexthub_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1
[ 12.519414] type=1400 audit(1669944059.196:138): avc: denied {connectto } for comm="android.hardwar" path="/dev/socket/chre"scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1

Bug: 264489794
Bug: 261105224
Test: atest scanAvcDeniedLogRightAfterReboot
Change-Id: I7bf13913188deedc987f82e54626a18357ab84c5
---
 legacy/whitechapel_pro/file_contexts | 1 -
 tracking_denials/chre.te | 4 ----
 tracking_denials/hal_contexthub_default.te | 7 -------
 tracking_denials/system_suspend.te | 2 --
 vendor/file_contexts | 1 +
 vendor/hal_contexthub_default.te | 2 ++
 6 files changed, 3 insertions(+), 14 deletions(-)
 delete mode 100644 tracking_denials/chre.te
 delete mode 100644 tracking_denials/hal_contexthub_default.te
 delete mode 100644 tracking_denials/system_suspend.te
 create mode 100644 vendor/hal_contexthub_default.te

diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 21451224..a694d515 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -2,7 +2,6 @@
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 
 # Vendor libraries
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te
deleted file mode 100644
index beee716f..00000000
--- a/tracking_denials/chre.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/261105224
-dontaudit chre hal_system_suspend_service:service_manager { find };
-dontaudit chre servicemanager:binder { call };
-dontaudit chre system_suspend_server:binder { call };
diff --git a/tracking_denials/hal_contexthub_default.te b/tracking_denials/hal_contexthub_default.te
deleted file mode 100644
index 3c9a51fb..00000000
--- a/tracking_denials/hal_contexthub_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/261105182
-dontaudit hal_contexthub_default chre:unix_stream_socket { connectto };
-dontaudit hal_contexthub_default chre_socket:sock_file { write };
-# b/264489794
-userdebug_or_eng(`
- permissive hal_contexthub_default;
-')
\ No newline at end of file
diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te
deleted file mode 100644
index b834b57b..00000000
--- a/tracking_denials/system_suspend.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/261105356
-dontaudit system_suspend_server chre:binder { transfer };
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7b271aae..f2bdeb14 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -12,6 +12,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0
 /vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
new file mode 100644
index 00000000..7e0eef2b
--- /dev/null
+++ b/vendor/hal_contexthub_default.te
@@ -0,0 +1,2 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)
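Review bot: The comment on the new rule should name what is being authorized so a reader can match it to the two denials in the commit message without expanding the macro: `# Allow the context hub HAL to connect to the CHRE daemon's socket (/dev/socket/chre, type chre_socket): sock_file write + unix_stream_socket connectto to domain chre`. If this is the standard system/sepolicy `unix_socket_connect(client, socket, server)` macro it grants exactly those two permissions, which is the right minimal replacement for the deleted dontaudit lines rather than a broader `allow`. Because this change also drops the `userdebug_or_eng` `permissive hal_contexthub_default;` block, the domain now enforces on every build, and the `Test:` line only scans for denials right after reboot, so any access the HAL attempts later (when a client actually uses the context hub) was not covered by that check and should be exercised before merging. The dontaudit rules removed from tracking_denials/chre.te and system_suspend.te (chre to servicemanager/system_suspend_server binder and service_manager find) get no replacement allow rule here; if those accesses are still attempted they will now surface as audited denials, so confirm they were resolved elsewhere or add the corresponding rules.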