diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te index 8250e42a..69a804d9 100644 --- a/private/debug_camera_app.te +++ b/private/debug_camera_app.te @@ -13,4 +13,6 @@ userdebug_or_eng(` # Allows GCA_Eng & GCA-Next to access the PowerHAL. hal_client_domain(debug_camera_app, hal_power) + # Follow priv-app symlinks. This is used for dynamite functionality. + allow debug_camera_app privapp_data_file:lnk_file r_file_perms; ') diff --git a/private/google_camera_app.te b/private/google_camera_app.te index 4ce84afb..81e3527c 100644 --- a/private/google_camera_app.te +++ b/private/google_camera_app.te @@ -14,3 +14,6 @@ hal_client_domain(google_camera_app, hal_power) # Library code may try to access vendor properties, but should be denied dontaudit google_camera_app vendor_default_prop:file { getattr map open }; + +# Follow priv-app symlinks. This is used for dynamite functionality. +allow google_camera_app privapp_data_file:lnk_file r_file_perms; diff --git a/radio/dmd.te b/radio/dmd.te index 6216106a..be820be8 100644 --- a/radio/dmd.te +++ b/radio/dmd.te @@ -30,9 +30,4 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) - -# Allow proxy to register as android Service -binder_use(dmd) -add_service(dmd, liboemservice_proxy) -allow dmd radio_vendor_data_file:dir create_dir_perms; -allow dmd radio_vendor_data_file:file create_file_perms; \ No newline at end of file +binder_call(dmd, liboemservice_proxy_default) diff --git a/radio/file_contexts b/radio/file_contexts index 8d74be8e..1fcdfdd3 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -11,6 +11,7 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +/vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index 16976c9c..3a093c82 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -16,3 +16,4 @@ binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) binder_call(grilservice_app, rild) +hal_client_domain(grilservice_app, hal_power_stats) diff --git a/radio/liboemservice_proxy.te b/radio/liboemservice_proxy.te new file mode 100644 index 00000000..9a4a61a7 --- /dev/null +++ b/radio/liboemservice_proxy.te @@ -0,0 +1,34 @@ +type liboemservice_proxy_default, domain; +type liboemservice_proxy_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(liboemservice_proxy_default) + +# Allow proxy to register as android service. +binder_use(liboemservice_proxy_default); +add_service(liboemservice_proxy_default, liboemservice_proxy_service); + +get_prop(liboemservice_proxy_default, hwservicemanager_prop) +binder_call(liboemservice_proxy_default, hwservicemanager) +binder_call(liboemservice_proxy_default, dmd) +allow liboemservice_proxy_default hal_vendor_oem_hwservice:hwservice_manager find; +allow liboemservice_proxy_default radio_vendor_data_file:dir create_dir_perms; +allow liboemservice_proxy_default radio_vendor_data_file:file create_file_perms; + +# Grant to access serial device for external logging tool +allow liboemservice_proxy_default serial_device:chr_file rw_file_perms; + +# Grant to access radio device +allow liboemservice_proxy_default radio_device:chr_file rw_file_perms; + +# Grant to access slog dir/file +allow liboemservice_proxy_default vendor_slog_file:dir create_dir_perms; +allow liboemservice_proxy_default vendor_slog_file:file create_file_perms; + +# Grant to access tcp socket +allow liboemservice_proxy_default node:tcp_socket node_bind; +allow liboemservice_proxy_default self:tcp_socket { create_socket_perms_no_ioctl listen accept bind }; + +# Grant to access log related properties +set_prop(liboemservice_proxy_default, vendor_diag_prop) +set_prop(liboemservice_proxy_default, vendor_slog_prop) +set_prop(liboemservice_proxy_default, vendor_modem_prop) +get_prop(liboemservice_proxy_default, vendor_persist_config_default_prop) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index ecd27394..aaf2aab2 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -41,6 +41,7 @@ userdebug_or_eng(` dontaudit modem_diagnostic_app default_prop:file r_file_perms; # Modem Log Mask Library Permissions - binder_call(modem_diagnostic_app, liboemservice_proxy) - allow modem_diagnostic_app liboemservice_proxy:service_manager find; + allow modem_diagnostic_app liboemservice_proxy_service:service_manager find; + binder_use(modem_diagnostic_app) + binder_call(modem_diagnostic_app, liboemservice_proxy_default) ') diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3b8b55e4..57ed142b 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -33,3 +33,6 @@ set_prop(modem_svc_sit, vendor_modem_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +# logging property +get_prop(modem_svc_sit, vendor_logger_prop) diff --git a/radio/private/service_contexts b/radio/private/service_contexts index fdd49d4b..289e8e22 100644 --- a/radio/private/service_contexts +++ b/radio/private/service_contexts @@ -1,4 +1 @@ telephony.oem.oemrilhook u:object_r:radio_service:s0 - -# DMD oemservice aidl proxy -com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy:s0 \ No newline at end of file diff --git a/radio/service.te b/radio/service.te index 620a3d4b..f2790d71 100644 --- a/radio/service.te +++ b/radio/service.te @@ -1,2 +1,2 @@ -# dmd liboemservice_proxy -type liboemservice_proxy, hal_service_type, service_manager_type; +# define liboemservice_proxy_service +type liboemservice_proxy_service, hal_service_type, service_manager_type; diff --git a/radio/service_contexts b/radio/service_contexts new file mode 100644 index 00000000..ce755180 --- /dev/null +++ b/radio/service_contexts @@ -0,0 +1,2 @@ +# DMD oemservice aidl proxy +com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 074f500f..5a5f9d28 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -20,3 +20,8 @@ get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) get_prop(systemui_app, qemu_hw_prop) +# Allow writing and removing wmshell protolog in /data/misc/wmtrace. +userdebug_or_eng(` + allow systemui_app wm_trace_data_file:dir rw_dir_perms; + allow systemui_app wm_trace_data_file:file create_file_perms; +') diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1d2ea187..114b90e4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,21 +1,18 @@ dumpstate app_zygote process b/288049050 -dumpstate virtual_camera binder b/312894238 -dumpstate virtual_camera process b/312894238 -hal_face_default traced_producer_socket sock_file b/305600857 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 +kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 -rild default_prop file b/315720601 -rild default_prop file b/315720874 -surfaceflinger selinuxfs file b/313804706 +rfsd vendor_cbd_prop file b/323086582 system_server sysfs_batteryinfo file b/294967729 -systemui_app wm_trace_data_file dir b/288049075 -twoshay chre_socket sock_file b/315104508 -twoshay chre_socket sock_file b/315104941 +system_suspend sysfs_batteryinfo dir b/317316633 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 +vendor_init default_prop file b/323087197 +vendor_init default_prop file b/323087490 vendor_init default_prop property_service b/315104235 +vendor_init vendor_volte_mif_off property_service b/316816642 diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te new file mode 100644 index 00000000..24c43fa2 --- /dev/null +++ b/tracking_denials/dmd.te @@ -0,0 +1,2 @@ +# b/323471016 +dontaudit dmd servicemanager:binder { call }; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te deleted file mode 100644 index 975e2c4c..00000000 --- a/tracking_denials/priv_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/299553227 -dontaudit priv_app default_android_service:service_manager { find }; diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te index 7690191b..a00fb690 100644 --- a/vendor/con_monitor_app.te +++ b/vendor/con_monitor_app.te @@ -5,6 +5,8 @@ app_domain(con_monitor_app); allow con_monitor_app app_api_service:service_manager find; allow con_monitor_app batterystats_service:service_manager find; allow con_monitor_app virtual_device_service:service_manager find; +allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms; +allow con_monitor_app radio_vendor_data_file:file create_file_perms; binder_call(con_monitor_app, system_server); binder_call(con_monitor_app, servicemanager); diff --git a/vendor/device.te b/vendor/device.te index fdb49579..6ed4db3d 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -4,10 +4,7 @@ type custom_ab_block_device, dev_type; type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; -type hw_jpg_device, dev_type; -userdebug_or_eng(` - typeattribute hw_jpg_device mlstrustedobject; -') +type hw_jpg_device, dev_type, mlstrustedobject; type fingerprint_device, dev_type; type uci_device, dev_type; diff --git a/vendor/dump_power.te b/vendor/dump_power.te index 4437dfaf..539c3b29 100644 --- a/vendor/dump_power.te +++ b/vendor/dump_power.te @@ -23,6 +23,7 @@ allow dump_power persist_battery_file:file r_file_perms; allow dump_power vendor_shell_exec:file execute_no_trans; allow dump_power battery_mitigation_exec:file execute_no_trans; allow dump_power sysfs_iio_devices:dir search; +allow dump_power sysfs:dir r_dir_perms; userdebug_or_eng(` allow dump_power debugfs:dir r_dir_perms; diff --git a/vendor/file_contexts b/vendor/file_contexts index 5a91c43d..8e92d3e1 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -9,7 +9,6 @@ /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f4415e1b..8e0a72e9 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -68,6 +68,8 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 @@ -90,6 +92,18 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/p genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_invalid_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/sink_count_invalid_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_unstable_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp2_success_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp2_fallback_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp1_success_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp1_fail_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp0_count u:object_r:sysfs_display:s0 # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 @@ -217,13 +231,16 @@ genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/wakeup/wakeup genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-11-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 @@ -255,6 +272,8 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 @@ -271,6 +290,7 @@ genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:obje genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/dvfs_period u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/cur_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/capacity_headroom u:object_r:sysfs_gpu:s0 # GSA logs genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0 diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 5c4aef45..3eed6973 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te @@ -41,3 +41,7 @@ add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; allow hal_graphics_composer_default vendor_log_file:dir search; + +# allow HWC to access IStats AIDL +allow hal_graphics_composer_default fwk_stats_service:service_manager find; +binder_call(hal_graphics_composer_default, system_server); diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te index 012debcf..001b5fac 100644 --- a/vendor/hal_power_stats_default.te +++ b/vendor/hal_power_stats_default.te @@ -3,6 +3,7 @@ r_dir_file(hal_power_stats_default, sysfs_aoc) r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) r_dir_file(hal_power_stats_default, sysfs_cpu) +r_dir_file(hal_power_stats_default, sysfs_display) r_dir_file(hal_power_stats_default, sysfs_edgetpu) r_dir_file(hal_power_stats_default, sysfs_iio_devices) r_dir_file(hal_power_stats_default, sysfs_leds) diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 4086fb37..3d89a09f 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -23,3 +23,6 @@ allow hal_usb_impl sysfs_wakeup:file r_file_perms; # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; + +# For reading the usb-c throttling stats +allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; diff --git a/vendor/property_contexts b/vendor/property_contexts index 32563633..0f3eee98 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -23,6 +23,7 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # Display persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix +ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int diff --git a/vendor/twoshay.te b/vendor/twoshay.te index 0456028b..dc511ea2 100644 --- a/vendor/twoshay.te +++ b/vendor/twoshay.te @@ -6,4 +6,6 @@ binder_call(twoshay, hal_radioext_default) # b/315347346 # b/314721681 unix_socket_connect(twoshay, chre, chre) +# TODO(b/248615564): Remove above rule after CHRE multiclient HAL is launched. +unix_socket_connect(twoshay, chre, hal_contexthub_default) allow twoshay self:capability2 block_suspend;