From 84531ff361197864c1f6cf7670b1304740cadb2f Mon Sep 17 00:00:00 2001 From: Sungtak Lee Date: Tue, 27 Feb 2024 18:05:41 +0000 Subject: [PATCH 01/33] Add AIDL media.c2 into service_contexts Bug: 321808716 Change-Id: I7c79bc46112b8330c6d2a62db030ecc13d1cece4 --- vendor/service_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/service_contexts b/vendor/service_contexts index ffa2639b..00cf9c5b 100644 --- a/vendor/service_contexts +++ b/vendor/service_contexts @@ -3,3 +3,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_ vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 arm.mali.platform.ICompression/default u:object_r:arm_mali_platform_service:s0 + +android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0 From 7baab4b7e73ffe542b2e160a814c9172203a7f75 Mon Sep 17 00:00:00 2001 From: John Chang Date: Wed, 6 Mar 2024 16:09:09 +0000 Subject: [PATCH 02/33] display: change vrr.enabled to xrr.version Bug: 328001545 Test: Test MRR Version 2 is properly configured Change-Id: Ide6493d77a6047023f20fbd9c5723a36033e3691 --- vendor/property_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/property_contexts b/vendor/property_contexts index 0f3eee98..a4b22742 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -24,6 +24,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # Display persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string -ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool +ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From 3694b1a7f1ff4c5ab1d36916da131e2b6cb5517d Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Wed, 6 Mar 2024 11:07:18 -0800 Subject: [PATCH 03/33] Add SOC specific ETE sysfs paths Also remove deprecated ETE sysfs paths. Bug: 321061072 Test: run profcollectd on device Change-Id: If56e9c4c51dc0e5f3f36e8c80671d67e910510c9 --- legacy/whitechapel_pro/genfs_contexts | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index 9fd12dc3..65e52d3e 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts @@ -64,13 +64,14 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 -# Coresight ETM -genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0 +# ARM ETE +genfscon sysfs /devices/platform/ete0 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete1 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete2 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete3 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete4 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete5 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete6 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete7 u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/ete8 u:object_r:sysfs_devices_cs_etm:s0 From 28e6526f849a998173fd57b0481e625327b157cb Mon Sep 17 00:00:00 2001 From: John Chang Date: Wed, 6 Mar 2024 16:09:09 +0000 Subject: [PATCH 04/33] display: change vrr.enabled to xrr.version Bug: 328001545 Test: Test MRR Version 2 is properly configured Change-Id: Ide6493d77a6047023f20fbd9c5723a36033e3691 --- vendor/property_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/property_contexts b/vendor/property_contexts index 0f3eee98..a4b22742 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -24,6 +24,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # Display persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string -ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool +ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From 3f707d13c29300fab31a1ba6a8657771ba4946a8 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 12 Mar 2024 16:54:51 +0000 Subject: [PATCH 05/33] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Change-Id: Ieca53f3092355c72784d4216c138cbb7cc9c7fa4 Signed-off-by: Spade Lee --- vendor/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index f4f447a1..35304f76 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -1,5 +1,6 @@ # Battery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; From 110a712be919a51691bb2ae7d660512bdf4f8697 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 18 Mar 2024 02:58:29 +0000 Subject: [PATCH 06/33] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 330081782 Change-Id: I43805cda5b66b30999578b7a842fda6fe296003d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 114b90e4..a4b95ddf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,6 +8,7 @@ kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 rfsd vendor_cbd_prop file b/323086582 +shell sysfs_net file b/330081782 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 vendor_init default_prop file b/315104235 From 57d222ff5ff8041084afb2e26e3f7f36b08b7525 Mon Sep 17 00:00:00 2001 From: Oleg Blinnikov Date: Tue, 19 Mar 2024 15:53:53 +0000 Subject: [PATCH 07/33] persist.sys.hdcp_checking property added Change-Id: I518db2909d2356a42421a626288365bb7458cc9c Bug: 321344894 Test: modify property, see that max_ver file modified --- system_ext/private/property_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 2f40ca40..bd245c99 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,5 @@ # Telephony telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool + +# HDCP setting of the display connected via USB port +persist.sys.hdcp_checking u:object_r:usb_control_prop:s0 exact string From 6ad6fb5edb418564864df60e4576418d5f6d7fb8 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 19 Mar 2024 07:52:45 +0000 Subject: [PATCH 08/33] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I0e0c2fee4d508cc4e76714df0efbe5eca7ca5966 Signed-off-by: Spade Lee --- vendor/kernel.te | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/vendor/kernel.te b/vendor/kernel.te index 7eca5ce6..0f35bfed 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -8,19 +8,16 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -no_debugfs_restriction(` +userdebug_or_eng(` allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; ') -dontaudit kernel vendor_maxfg_debugfs:dir search; dontaudit kernel sepolicy_file:file getattr; dontaudit kernel system_bootstrap_lib_file:dir getattr; dontaudit kernel system_bootstrap_lib_file:file getattr; dontaudit kernel system_dlkm_file:dir getattr; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_charger_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; -dontaudit kernel vendor_usb_debugfs:dir search; - -allow kernel vendor_regmap_debugfs:dir search; - From 1db18cf4b3603b81c4db17247bfee6e2327608f3 Mon Sep 17 00:00:00 2001 From: Hungyen Weng Date: Wed, 20 Mar 2024 23:00:09 +0000 Subject: [PATCH 09/33] Allow modem_svc to access modem files and perfetto Bug: 330730987 Test: Confirmed that modem_svc is able to access token db files in modem partition Test: Confiemed that modem_svc can send traces to perfetto Change-Id: Ic8b724e0e8d72f5ead83e75ab85471bcbdaf8749 --- radio/modem_svc_sit.te | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 57ed142b..6733a264 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -20,7 +20,7 @@ allow modem_svc_sit modem_stat_data_file:file create_file_perms; allow modem_svc_sit vendor_fw_file:dir search; allow modem_svc_sit vendor_fw_file:file r_file_perms; -allow modem_svc_sit mnt_vendor_file:dir search; +allow modem_svc_sit mnt_vendor_file:dir r_dir_perms; allow modem_svc_sit modem_userdata_file:dir create_dir_perms; allow modem_svc_sit modem_userdata_file:file create_file_perms; @@ -36,3 +36,12 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) + +# Write trace data to the Perfetto traced daemon. This requires connecting to +# its producer socket and obtaining a (per-process) tmpfs fd. +perfetto_producer(modem_svc_sit) + +# Allow modem_svc_sit to access modem image file/dir +allow modem_svc_sit modem_img_file:dir r_dir_perms; +allow modem_svc_sit modem_img_file:file r_file_perms; +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file From c8c92bd5930e1840f2d92c763719ea87894584f0 Mon Sep 17 00:00:00 2001 From: Megha Patil Date: Fri, 27 Oct 2023 04:05:48 +0000 Subject: [PATCH 10/33] Sepolicy for the new property to switch Modem Binary Sepolicy Rules added for telephony.TnNtn.image_switch BUG: b/298322438 Bug: 323087490 Test: Test Binding sequence of Service Change-Id: Ie79aff94159d79a573ec92546a5d3e390b802b22 --- radio/cbd.te | 1 + radio/vendor_init.te | 1 + system_ext/private/pixelntnservice_app.te | 5 +++++ system_ext/private/property_contexts | 1 + system_ext/private/seapp_contexts | 3 +++ system_ext/public/pixelntnservice_app.te | 1 + system_ext/public/property.te | 3 ++- 7 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 system_ext/private/pixelntnservice_app.te create mode 100644 system_ext/public/pixelntnservice_app.te diff --git a/radio/cbd.te b/radio/cbd.te index 6827772a..9657084a 100644 --- a/radio/cbd.te +++ b/radio/cbd.te @@ -5,6 +5,7 @@ init_daemon_domain(cbd) set_prop(cbd, vendor_modem_prop) set_prop(cbd, vendor_cbd_prop) set_prop(cbd, vendor_rild_prop) +get_prop(cbd, telephony_modem_prop) allow cbd mnt_vendor_file:dir r_dir_perms; diff --git a/radio/vendor_init.te b/radio/vendor_init.te index ed6f530b..592f7236 100644 --- a/radio/vendor_init.te +++ b/radio/vendor_init.te @@ -1,4 +1,5 @@ set_prop(vendor_init, vendor_cbd_prop) +get_prop(vendor_init, telephony_modem_prop) set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_rild_prop) diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te new file mode 100644 index 00000000..8bf71cc9 --- /dev/null +++ b/system_ext/private/pixelntnservice_app.te @@ -0,0 +1,5 @@ +typeattribute pixelntnservice_app coredomain; + +app_domain(pixelntnservice_app); +allow pixelntnservice_app app_api_service:service_manager find; +set_prop(pixelntnservice_app, telephony_modem_prop) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index bd245c99..15d2624f 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,4 +1,5 @@ # Telephony +telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool # HDCP setting of the display connected via USB port diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index c3ec6d38..8705d162 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -4,3 +4,6 @@ user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=a # PixelDisplayService user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all + +# PixelNtnService +user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te new file mode 100644 index 00000000..10661b66 --- /dev/null +++ b/system_ext/public/pixelntnservice_app.te @@ -0,0 +1 @@ +type pixelntnservice_app, domain; diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 8ad51ac0..4dd97a51 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -1,6 +1,7 @@ # Telephony system_public_prop(telephony_ril_prop) +system_restricted_prop(telephony_modem_prop) userdebug_or_eng(` set_prop(shell, telephony_ril_prop) -') \ No newline at end of file +') From c24ead7ce9327145633ca822d3dfa47813a3092d Mon Sep 17 00:00:00 2001 From: Albert Wang Date: Thu, 21 Dec 2023 15:05:26 +0800 Subject: [PATCH 11/33] usb: correct the xhci wakeup path Error log: Error opening kernel wakelock stats for: wakeup177 (...xhci-hcd-exynos.5.auto/usb1/1-1/wakeup/wakeup177): Permission denied bug: 311087938 Test: boot to home and host mode works well Change-Id: I8bdd38499dec3852ba33510f40e58cebd3a4560f --- vendor/genfs_contexts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8e0a72e9..a3680c80 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -243,11 +243,11 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb1 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From 6546398c275f432dec3bed7563abb8385840f0ce Mon Sep 17 00:00:00 2001 From: mikeyuewang Date: Thu, 21 Mar 2024 17:05:37 +0000 Subject: [PATCH 12/33] Add the selinux policy for MDS to access modem_state file Add the selinux policy for MDS to access modem_state file avc deny: 2024-03-25 16:05:58.244 9667-9667 DiagnosticServi com.google.mds I type=1400 audit(0.0:14): avc: denied { read } for name="modem_state" dev="sysfs" ino=76870 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.mds 2024-03-25 16:05:58.244 9667-9667 DiagnosticServi com.google.mds I type=1400 audit(0.0:15): avc: denied { open } for path="/sys/devices/platform/cpif/modem_state" dev="sysfs" ino=76870 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.mds 2024-03-25 16:05:58.244 9667-9667 DiagnosticServi com.google.mds I type=1400 audit(0.0:16): avc: denied { getattr } for path="/sys/devices/platform/cpif/modem_state" dev="sysfs" ino=76870 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.mds Bug: 331202327 Change-Id: I5e0088d274bc4f45010a19631ecbaece7cc3cc42 --- radio/modem_diagnostic_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index aaf2aab2..03e3af64 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -7,6 +7,8 @@ allow modem_diagnostic_app app_api_service:service_manager find; allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` + allow modem_diagnostic_app sysfs_modem_state:file r_file_perms; + hal_client_domain(modem_diagnostic_app, hal_power_stats); allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find; From e9c8f2af69f879dc5c5bb50a38d20fdeffceef1d Mon Sep 17 00:00:00 2001 From: cweichun Date: Fri, 29 Mar 2024 12:15:46 +0000 Subject: [PATCH 13/33] display: low-light blocking zone support Bug: 315876417 Test: verify the functionality works Change-Id: Id8972d4c9057aa76f72dd32d47a5d07c0822645b --- vendor/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index a4b22742..463772e1 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -25,5 +25,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string +ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From 0ac2d9f7bc0a8293eeb458975cc796f4a9db0588 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 19 Mar 2024 07:52:45 +0000 Subject: [PATCH 14/33] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I0e0c2fee4d508cc4e76714df0efbe5eca7ca5966 Signed-off-by: Spade Lee --- vendor/kernel.te | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/vendor/kernel.te b/vendor/kernel.te index 7eca5ce6..0f35bfed 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -8,19 +8,16 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -no_debugfs_restriction(` +userdebug_or_eng(` allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; ') -dontaudit kernel vendor_maxfg_debugfs:dir search; dontaudit kernel sepolicy_file:file getattr; dontaudit kernel system_bootstrap_lib_file:dir getattr; dontaudit kernel system_bootstrap_lib_file:file getattr; dontaudit kernel system_dlkm_file:dir getattr; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_charger_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; -dontaudit kernel vendor_usb_debugfs:dir search; - -allow kernel vendor_regmap_debugfs:dir search; - From 495b0120ea4c9d31a13d6a769953cc20713f8185 Mon Sep 17 00:00:00 2001 From: cweichun Date: Fri, 29 Mar 2024 12:15:46 +0000 Subject: [PATCH 15/33] display: low-light blocking zone support Bug: 315876417 Test: verify the functionality works Change-Id: Id8972d4c9057aa76f72dd32d47a5d07c0822645b --- vendor/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index a4b22742..463772e1 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -25,5 +25,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string +ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From df85139d173644b7ec44cb7151845026872a1648 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:26:37 +0800 Subject: [PATCH 16/33] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual Change-Id: Id42c4de6c29d4a95f8a68a5732c4732edfb71da8 --- radio/seapp_contexts | 3 --- radio/ssr_detector.te | 24 ------------------------ vendor/ramdump_app.te | 24 ------------------------ vendor/seapp_contexts | 3 --- 4 files changed, 54 deletions(-) delete mode 100644 radio/ssr_detector.te delete mode 100644 vendor/ramdump_app.te diff --git a/radio/seapp_contexts b/radio/seapp_contexts index 9caa3947..4a274136 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts @@ -1,6 +1,3 @@ -# Sub System Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user - # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te deleted file mode 100644 index 2caf6d77..00000000 --- a/radio/ssr_detector.te +++ /dev/null @@ -1,24 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) diff --git a/vendor/ramdump_app.te b/vendor/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/vendor/ramdump_app.te +++ /dev/null @@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index ed23ae5a..1e77caae 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -1,9 +1,6 @@ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all From 22844d59ca50ee427e3975c869471b48b4e2e4ec Mon Sep 17 00:00:00 2001 From: kadirpili Date: Wed, 27 Mar 2024 06:26:53 +0000 Subject: [PATCH 17/33] rsfd: add get_prop for cbd property Bug: 323086582 Test: flash ROM and check for rfsd sepolicy logs Change-Id: I6f8c555614386fda784b4532a4b004d5fe857bc6 --- radio/rfsd.te | 1 + tracking_denials/bug_map | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/radio/rfsd.te b/radio/rfsd.te index 898e7fca..fbec6cdd 100644 --- a/radio/rfsd.te +++ b/radio/rfsd.te @@ -29,6 +29,7 @@ allow rfsd radio_device:chr_file rw_file_perms; # Allow to set rild and modem property set_prop(rfsd, vendor_modem_prop) set_prop(rfsd, vendor_rild_prop) +set_prop(rfsd, vendor_cbd_prop) # Allow rfsd to access modem image file/dir allow rfsd modem_img_file:dir r_dir_perms; diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a4b95ddf..61936571 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,7 +7,6 @@ insmod-sh insmod-sh key b/274374722 kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 -rfsd vendor_cbd_prop file b/323086582 shell sysfs_net file b/330081782 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 From fb44539d8d32fc5ad9237b694115faa87e68c04e Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Wed, 10 Apr 2024 23:34:49 +0000 Subject: [PATCH 18/33] allow vendor init to access compaction_proactiveness Bug: 332916849 Test: boot Change-Id: If1930fe0f174f2794296ded69d29420f2e59f6c2 Signed-off-by: Martin Liu --- vendor/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 78228049..30f180b1 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -35,3 +35,4 @@ set_prop(vendor_init, vendor_ssrdump_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms; +allow vendor_init proc_compaction_proactiveness:file w_file_perms; From 41c22587a2cadf6277723d6cd93d4124e016530a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Fri, 12 Apr 2024 21:58:43 +0000 Subject: [PATCH 19/33] Remove rlsservice sepolicy. rlsservice is not included on zuma and later, only gs101/gs201. Relevant code search link: https://source.corp.google.com/h/googleplex-android/platform/superproject/main/+/main:vendor/google/services/LyricCameraHAL/src/apex/Android.bp;l=26;drc=e4b49a6d945df6d5210c35251de8046b162d799d Bug: 278627483 Test: presubmit Change-Id: I15398ddeea8c0a10920c987e55789ba4a8322774 --- legacy/whitechapel_pro/vndservice_contexts | 1 - vendor/file_contexts | 1 - vendor/hal_camera_default.te | 8 ------ vendor/rlsservice.te | 32 ---------------------- 4 files changed, 42 deletions(-) delete mode 100644 legacy/whitechapel_pro/vndservice_contexts delete mode 100644 vendor/rlsservice.te diff --git a/legacy/whitechapel_pro/vndservice_contexts b/legacy/whitechapel_pro/vndservice_contexts deleted file mode 100644 index 66cab482..00000000 --- a/legacy/whitechapel_pro/vndservice_contexts +++ /dev/null @@ -1 +0,0 @@ -rlsservice u:object_r:rls_service:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index 8e92d3e1..b45d1ecb 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -13,7 +13,6 @@ /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 /vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0 -/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 2ddbeb6f..af60b9aa 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -43,10 +43,6 @@ userdebug_or_eng(` set_prop(hal_camera_default, vendor_camera_debug_prop); ') -# For camera hal to talk with rlsservice -allow hal_camera_default rls_service:service_manager find; -binder_call(hal_camera_default, rlsservice) - hal_client_domain(hal_camera_default, hal_graphics_allocator); hal_client_domain(hal_camera_default, hal_graphics_composer) hal_client_domain(hal_camera_default, hal_power); @@ -80,10 +76,6 @@ binder_call(hal_camera_default, hal_radioext_default); # Allows camera HAL to access the hw_jpeg /dev/video12. allow hal_camera_default hw_jpg_device:chr_file rw_file_perms; -# For camera hal to talk with rlsservice -allow hal_camera_default rls_service:service_manager find; -binder_call(hal_camera_default, rlsservice) - # Allow access to always-on compute device node allow hal_camera_default aoc_device:chr_file rw_file_perms; diff --git a/vendor/rlsservice.te b/vendor/rlsservice.te deleted file mode 100644 index 186471a7..00000000 --- a/vendor/rlsservice.te +++ /dev/null @@ -1,32 +0,0 @@ -type rlsservice, domain; -type rlsservice_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(rlsservice) -vndbinder_use(rlsservice) -add_service(rlsservice, rls_service) - -# access rainbow sensor calibration files -allow rlsservice persist_file:dir search; -allow rlsservice persist_camera_file:dir search; -allow rlsservice persist_camera_file:file r_file_perms; -allow rlsservice mnt_vendor_file:dir search; - -# access device files -allow rlsservice rls_device:chr_file rw_file_perms; - -binder_call(rlsservice, hal_camera_default) - -# Allow access to display backlight information -allow rlsservice sysfs_leds:dir search; -allow rlsservice sysfs_leds:file r_file_perms; - -# Allow access to always-on compute device node -allow rlsservice device:dir r_file_perms; -allow rlsservice aoc_device:chr_file rw_file_perms; - -# For observing apex file changes -allow rlsservice apex_info_file:file r_file_perms; - -# Allow read camera property -get_prop(rlsservice, vendor_camera_prop); - From e028d802db7cfa0b8caf34ff24c1b87a0f840315 Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Thu, 18 Apr 2024 01:53:34 +0000 Subject: [PATCH 20/33] move common MM policy to gs common folder Bug: 332916849 Bug: 309409009 Test: boot Change-Id: I05803943752f7b021c9d4f97b475b493f6ceadcb Signed-off-by: Martin Liu --- vendor/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 30f180b1..399626ca 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -34,5 +34,3 @@ set_prop(vendor_init, vendor_ssrdump_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; -allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms; -allow vendor_init proc_compaction_proactiveness:file w_file_perms; From 7c420c07034266304961464528c700ecebece8e5 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:26:37 +0800 Subject: [PATCH 21/33] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df85139d173644b7ec44cb7151845026872a1648) Merged-In: Id42c4de6c29d4a95f8a68a5732c4732edfb71da8 Change-Id: Id42c4de6c29d4a95f8a68a5732c4732edfb71da8 --- radio/seapp_contexts | 3 --- radio/ssr_detector.te | 24 ------------------------ vendor/ramdump_app.te | 24 ------------------------ vendor/seapp_contexts | 3 --- 4 files changed, 54 deletions(-) delete mode 100644 radio/ssr_detector.te delete mode 100644 vendor/ramdump_app.te diff --git a/radio/seapp_contexts b/radio/seapp_contexts index 9caa3947..4a274136 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts @@ -1,6 +1,3 @@ -# Sub System Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user - # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te deleted file mode 100644 index 2caf6d77..00000000 --- a/radio/ssr_detector.te +++ /dev/null @@ -1,24 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) diff --git a/vendor/ramdump_app.te b/vendor/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/vendor/ramdump_app.te +++ /dev/null @@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index ed23ae5a..1e77caae 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -1,9 +1,6 @@ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all From c1341de4c3f63dcd7ec9adf15e6f6c0d6e0d1fa8 Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Wed, 3 Apr 2024 15:14:36 -0700 Subject: [PATCH 22/33] Add necessary sepolicy for ro.vendor.persist.status This prop will be set to "mounted" after /mnt/vendor/persist mounts. Need this prop to synchronize different actions in init.rc script. Test: th Bug: 319335586 Change-Id: I9e8bd5e875956393d610b7def6be713565543d05 --- legacy/whitechapel_pro/property.te | 1 + vendor/property_contexts | 3 +++ vendor/tee.te | 5 +++++ vendor/vendor_init.te | 4 ++++ 4 files changed, 13 insertions(+) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index a62eef67..7fe48175 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -6,6 +6,7 @@ vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_display_prop) +vendor_internal_prop(vendor_persist_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 463772e1..9da4b44b 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -28,3 +28,6 @@ ro.vendor.primarydisplay.xrr.version u:object_r:vendor ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int + +# For checking if persist partition is mounted +ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string diff --git a/vendor/tee.te b/vendor/tee.te index c99a02d9..ad16959b 100644 --- a/vendor/tee.te +++ b/vendor/tee.te @@ -10,6 +10,11 @@ allow tee tee_data_file:lnk_file r_file_perms; allow tee tee_persist_block_device:blk_file rw_file_perms; allow tee block_device:dir search; + +# /mnt/vendor/persist/ss/0 sometimes gets labeled as persist_ss_file, +# depending on the order of restorecon (b/336314247) +allow tee persist_ss_file:lnk_file read; + # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 399626ca..77d3da1c 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -34,3 +34,7 @@ set_prop(vendor_init, vendor_ssrdump_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; + +# Allow vendor_init to read ro.vendor.persist.status +# to process init.rc actions +set_prop(vendor_init, vendor_persist_prop) From 276b386b6f150e4573588fa9e95abc8d4e7d9088 Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Thu, 28 Mar 2024 20:21:00 -0700 Subject: [PATCH 23/33] Add necessary sepolicy for convert_modem_to_ext4 Test: reformat data as ext4, reboot Bug: 293313353 Change-Id: Iede84b1827166f1581d80077fe1c4d93d01a815b --- radio/copy_efs_files_to_data.te | 37 +++++++++++++++++++++++++++++++++ radio/file.te | 1 + radio/file_contexts | 2 ++ vendor/vendor_init.te | 3 +++ 4 files changed, 43 insertions(+) create mode 100644 radio/copy_efs_files_to_data.te diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te new file mode 100644 index 00000000..bfae50ed --- /dev/null +++ b/radio/copy_efs_files_to_data.te @@ -0,0 +1,37 @@ +type copy_efs_files_to_data, domain; +type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(copy_efs_files_to_data); + + + +# Allow creating files on /data/vendor/copied +allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms }; +allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms }; +allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms }; + + +# Allow execute binaries from /vendor/bin +allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms; +allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms; + +allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr }; + +allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr }; + + +# For reading files on /mnt/vendor/persist +allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr }; +allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr }; +allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms; + +# For reading files on /mnt/vendor/efs +allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr }; +allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr }; + +# For reading files on /mnt/vendor/modem_userdata +allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr }; +allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr }; + +# Allow changing permission of files on /data/vendor/copied, part of cp -rp +allow copy_efs_files_to_data self:capability { fowner chown }; diff --git a/radio/file.te b/radio/file.te index daceb569..dcdf1302 100644 --- a/radio/file.te +++ b/radio/file.te @@ -1,5 +1,6 @@ # Data type rild_vendor_data_file, file_type, data_file_type; +type modem_efs_image_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index 1fcdfdd3..d4f29be0 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,6 +12,7 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 +/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 @@ -23,6 +24,7 @@ /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 +/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 77d3da1c..02fee98d 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -38,3 +38,6 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Allow vendor_init to read ro.vendor.persist.status # to process init.rc actions set_prop(vendor_init, vendor_persist_prop) +# Allow vendor_init to read ro.product.build.16k_page.enabled +# to process init.rc actions +get_prop(vendor_init, enable_16k_pages_prop) From a78ae51ef1549da24901535bb8f9a2966c0c00a6 Mon Sep 17 00:00:00 2001 From: Kevin Ying Date: Mon, 22 Apr 2024 22:30:36 +0000 Subject: [PATCH 24/33] Add sepolicy for power_state node Bug: 329703995 Test: manual - used camera Change-Id: I1f156fe7f10210b933f360fef771cb37ff3cbedb Signed-off-by: Kevin Ying --- vendor/genfs_contexts | 1 + vendor/hal_camera_default.te | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8e0a72e9..c9709307 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -77,6 +77,7 @@ genfscon sysfs /devices/platform/19470000.drmdecon/counters genfscon sysfs /devices/platform/19471000.drmdecon/counters u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19472000.drmdecon/counters u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/power_state u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index af60b9aa..b4f527fa 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -64,9 +64,10 @@ allow hal_camera_default apex_info_file:file r_file_perms; # Allow camera HAL to query current device clock frequencies. allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; -# Allow camera HAL to read backlight of display +# Allow camera HAL to read display info, including backlight allow hal_camera_default sysfs_leds:dir r_dir_perms; allow hal_camera_default sysfs_leds:file r_file_perms; +allow hal_camera_default sysfs_display:file r_file_perms; # Allow camera HAL to query preferred camera frequencies from the radio HAL # extensions to avoid interference with cellular antennas. From 52df1a478bd6624f14783f8fbec83f9c0990dbab Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 12 Mar 2024 16:54:51 +0000 Subject: [PATCH 25/33] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Signed-off-by: Spade Lee (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3f707d13c29300fab31a1ba6a8657771ba4946a8) Merged-In: Ieca53f3092355c72784d4216c138cbb7cc9c7fa4 Change-Id: Ieca53f3092355c72784d4216c138cbb7cc9c7fa4 --- vendor/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index f4f447a1..35304f76 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -1,5 +1,6 @@ # Battery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; From 2bf59857dada68a86de80311d7cba0ba6aad072e Mon Sep 17 00:00:00 2001 From: Pechetty Sravani Date: Tue, 7 May 2024 07:19:37 +0000 Subject: [PATCH 26/33] Revert "Add necessary sepolicy for convert_modem_to_ext4" Revert submission 26822004 Reason for revert: Reverted changes: /q/submissionid:26822004 Change-Id: I90e3bf5ecbdf6c058c56293cfba59c628ccc7aba --- radio/copy_efs_files_to_data.te | 37 --------------------------------- radio/file.te | 1 - radio/file_contexts | 2 -- vendor/vendor_init.te | 3 --- 4 files changed, 43 deletions(-) delete mode 100644 radio/copy_efs_files_to_data.te diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te deleted file mode 100644 index bfae50ed..00000000 --- a/radio/copy_efs_files_to_data.te +++ /dev/null @@ -1,37 +0,0 @@ -type copy_efs_files_to_data, domain; -type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(copy_efs_files_to_data); - - - -# Allow creating files on /data/vendor/copied -allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms }; -allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms }; -allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms }; - - -# Allow execute binaries from /vendor/bin -allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms; -allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms; - -allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr }; - -allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr }; - - -# For reading files on /mnt/vendor/persist -allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr }; -allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms; - -# For reading files on /mnt/vendor/efs -allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr }; - -# For reading files on /mnt/vendor/modem_userdata -allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr }; - -# Allow changing permission of files on /data/vendor/copied, part of cp -rp -allow copy_efs_files_to_data self:capability { fowner chown }; diff --git a/radio/file.te b/radio/file.te index dcdf1302..daceb569 100644 --- a/radio/file.te +++ b/radio/file.te @@ -1,6 +1,5 @@ # Data type rild_vendor_data_file, file_type, data_file_type; -type modem_efs_image_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index d4f29be0..1fcdfdd3 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,7 +12,6 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 -/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 @@ -24,7 +23,6 @@ /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 -/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 02fee98d..77d3da1c 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -38,6 +38,3 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Allow vendor_init to read ro.vendor.persist.status # to process init.rc actions set_prop(vendor_init, vendor_persist_prop) -# Allow vendor_init to read ro.product.build.16k_page.enabled -# to process init.rc actions -get_prop(vendor_init, enable_16k_pages_prop) From be41aa688edab246d9e230f67319795ee59867ef Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Thu, 28 Mar 2024 20:21:00 -0700 Subject: [PATCH 27/33] Reland: Add necessary sepolicy for convert_modem_to_ext4 The original CL was reverted because it references enable_16k_pages_prop, which is only available on board API level > 202504. This reland removes enable_16k_pages_prop usage, and worked around it by reading PRODUCT_16K_DEVELOPER_OPTION at build time. Test: reformat data as ext4, reboot Bug: 293313353 Change-Id: Ibd8f57d1ef4fd2b0fd8b4170153d57fe9a9cefc2 --- radio/copy_efs_files_to_data.te | 37 +++++++++++++++++++++++++++++++++ radio/file.te | 1 + radio/file_contexts | 2 ++ 3 files changed, 40 insertions(+) create mode 100644 radio/copy_efs_files_to_data.te diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te new file mode 100644 index 00000000..bfae50ed --- /dev/null +++ b/radio/copy_efs_files_to_data.te @@ -0,0 +1,37 @@ +type copy_efs_files_to_data, domain; +type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(copy_efs_files_to_data); + + + +# Allow creating files on /data/vendor/copied +allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms }; +allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms }; +allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms }; + + +# Allow execute binaries from /vendor/bin +allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms; +allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms; + +allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr }; + +allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr }; + + +# For reading files on /mnt/vendor/persist +allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr }; +allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr }; +allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms; + +# For reading files on /mnt/vendor/efs +allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr }; +allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr }; + +# For reading files on /mnt/vendor/modem_userdata +allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr }; +allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr }; + +# Allow changing permission of files on /data/vendor/copied, part of cp -rp +allow copy_efs_files_to_data self:capability { fowner chown }; diff --git a/radio/file.te b/radio/file.te index daceb569..dcdf1302 100644 --- a/radio/file.te +++ b/radio/file.te @@ -1,5 +1,6 @@ # Data type rild_vendor_data_file, file_type, data_file_type; +type modem_efs_image_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index 1fcdfdd3..d4f29be0 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,6 +12,7 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 +/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 @@ -23,6 +24,7 @@ /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 +/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 From 4035d467adf38325eb8de056bc62641c5225e753 Mon Sep 17 00:00:00 2001 From: chenkris Date: Wed, 20 Mar 2024 05:25:44 +0000 Subject: [PATCH 28/33] Allow fingerprint to access the folder /data/vendor/fingerprint Fix the following avc denial: android.hardwar: type=1400 audit(0.0:20): avc: denied { write } for name="fingerprint" dev="dm-56" ino=36703 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0 Bug: 267766859 Test: Tested fingerprint under enforcing mode Change-Id: Iadd058432b7db8c20a949aeda1df5f8309663004 --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 8e92d3e1..1be7e246 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -43,6 +43,7 @@ /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 +/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 From cdc4acc647f47a3e45027642743b75e56581686e Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 May 2024 03:50:08 +0000 Subject: [PATCH 29/33] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 340722729 Change-Id: I8f11ea5848724f18765cca2dda91a7d916b82f72 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 61936571..607fdeba 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,6 +8,7 @@ kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 shell sysfs_net file b/330081782 +ssr_detector_app default_prop file b/340722729 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 vendor_init default_prop file b/315104235 From 090928722eb595f483f8c34d3cffb850c4b5591c Mon Sep 17 00:00:00 2001 From: chenkris Date: Tue, 28 May 2024 10:43:36 +0000 Subject: [PATCH 30/33] Add sepolicy for fingerprint HAL to check NSP file Fix the following avc denials: avc: denied { search } for name="copied" dev="dm-58" ino=428 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir avc: denied { search } for name="persist" dev="dm-58" ino=443 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_file:s0 tclass=dir avc: denied { search } for name="ss" dev="dm-58" ino=445 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=dir avc: denied { read } for name="nsp" dev="dm-58" ino=15500 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=file avc: denied { open } for path="/data/vendor/copied/persist/ss/nsp" dev="dm-58" ino=15500 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=file Bug: 335525798 Test: Use UDFPS repair tool to update calibration files Change-Id: Ic233a07ced8fd828c0e4b4ae1cffa93763a83b42 --- vendor/hal_fingerprint_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te index b0a81160..2e9368ac 100644 --- a/vendor/hal_fingerprint_default.te +++ b/vendor/hal_fingerprint_default.te @@ -41,3 +41,9 @@ allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; # Allow fingerprint to access sysfs_aoc_udfps allow hal_fingerprint_default sysfs_aoc:dir search; allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms; + +# Allow fingerprint to read nsp file +allow hal_fingerprint_default modem_efs_image_file:dir search; +allow hal_fingerprint_default persist_file:dir search; +allow hal_fingerprint_default persist_ss_file:dir search; +allow hal_fingerprint_default persist_ss_file:file r_file_perms; From 667f2a4670375c24d88cf2b9eb26e8e92c0f3efa Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Tue, 4 Jun 2024 09:58:54 -0700 Subject: [PATCH 31/33] Allow copy_efs_files_to_data to read efs block devices Previously, we rely on mount points to copy files out of efs partitions. Switch over to dump.f2fs to read directly from block device without mounting. This allows us to copy files out of efs partition in both 4K and 16K mode. Test: Boot ext4 device with dev option enabled Bug: 340965747 Change-Id: Ie3108319cfdb5d922a18863de7431c3cfcc4cf16 --- radio/copy_efs_files_to_data.te | 53 +++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te index bfae50ed..17e823ee 100644 --- a/radio/copy_efs_files_to_data.te +++ b/radio/copy_efs_files_to_data.te @@ -15,23 +15,46 @@ allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms } allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms; allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms; -allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr }; +# Allow execute /vendor/bin/dump.f2fs +allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans }; + +# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs +allow copy_efs_files_to_data block_device:dir search; +allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms; +allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms; +allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms; + +# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist +allow copy_efs_files_to_data modem_efs_file:dir getattr; +allow copy_efs_files_to_data modem_userdata_file:dir getattr; +allow copy_efs_files_to_data persist_file:dir getattr; + + +allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms; +allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms; + +# dump.f2fs need to restore file permissions after dumping +# files from an f2fs image +allow copy_efs_files_to_data self:capability chown; +allow copy_efs_files_to_data self:capability fowner; + allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr }; -# For reading files on /mnt/vendor/persist -allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr }; -allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms; -# For reading files on /mnt/vendor/efs -allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr }; - -# For reading files on /mnt/vendor/modem_userdata -allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr }; - -# Allow changing permission of files on /data/vendor/copied, part of cp -rp -allow copy_efs_files_to_data self:capability { fowner chown }; +# Should not write to any block devices. Only read from block device +# and dump files to /data/vendor/copied +dontaudit copy_efs_files_to_data dev_type:blk_file write; +# Setting xattr requires sys_admin +dontaudit copy_efs_files_to_data self:capability sys_admin; +# dump.f2fs would attempt to restore selinux on dumped files, but we +# will use restorecon to do the job. +dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom; +dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom; +dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto; +dontaudit copy_efs_files_to_data modem_efs_file:file relabelto; +dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto; +dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto; +dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto; +dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto; From 5ff76196c81a6e86917aef535ed761e8651079cc Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Wed, 29 May 2024 08:59:37 +0000 Subject: [PATCH 32/33] gps: Move hal_gnss_pixel declaration to device folder Bug: 343280252 Test: b/343280252 compile and abtd test Change-Id: Ief591d28aaea4223f05917d29bc896edec065613 --- vendor/hal_gnss_pixel.te | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 vendor/hal_gnss_pixel.te diff --git a/vendor/hal_gnss_pixel.te b/vendor/hal_gnss_pixel.te new file mode 100644 index 00000000..d73e28a9 --- /dev/null +++ b/vendor/hal_gnss_pixel.te @@ -0,0 +1,5 @@ +type hal_gnss_pixel, domain; +init_daemon_domain(hal_gnss_pixel) +type hal_gnss_pixel_exec, exec_type, vendor_file_type, file_type; +hal_server_domain(hal_gnss_pixel, hal_gnss) + From fb98394c54493b8d373d35a34e95f72708ae232a Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 26 Jun 2024 18:00:52 +0000 Subject: [PATCH 33/33] Add sepolicy for DisplayPort wakeup node Bug: 348125717 Test: ls -Z /sys/devices/platform/110f0000.drmdp/wakeup Flag: NONE (follow up fix for merged non-flagged CL pa/2839256) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:77518a261471f7884e5b7c8ca73442df5c11e48e) Merged-In: I9181b2344f2448b9debe1522528545ce90de8768 Change-Id: I9181b2344f2448b9debe1522528545ce90de8768 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ddc44e42..7938c59f 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -275,6 +275,7 @@ genfscon sysfs /devices/virtual/wakeup/wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0