From 31c017f325a21509f245b82204c2ef7d2ea108d9 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 18 Dec 2023 03:28:40 +0000 Subject: [PATCH 01/43] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 316816737 Bug: 316816642 Change-Id: Ie61999d23158c81e2acb4d23eb106cb6f61f9b88 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1d2ea187..550c847f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,6 +7,7 @@ hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 +modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 rild default_prop file b/315720601 @@ -19,3 +20,4 @@ twoshay chre_socket sock_file b/315104941 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 vendor_init default_prop property_service b/315104235 +vendor_init vendor_volte_mif_off property_service b/316816642 From f8f64b668c39f06718901519dd3de87e8009a5a0 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 19 Dec 2023 06:27:10 +0000 Subject: [PATCH 02/43] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 316991604 Change-Id: Ic90ace8d5b6ac787030f6fd26d96f41677fcca42 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 550c847f..e84ee29d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -2,6 +2,7 @@ dumpstate app_zygote process b/288049050 dumpstate virtual_camera binder b/312894238 dumpstate virtual_camera process b/312894238 hal_face_default traced_producer_socket sock_file b/305600857 +hal_radioext_default debugfs_trace_marker file b/316991604 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 From a2e896913966ba3aab9a14e75040d98a5e813630 Mon Sep 17 00:00:00 2001 From: Chi Zhang Date: Wed, 29 Nov 2023 16:35:03 -0800 Subject: [PATCH 03/43] Allow GRIL to get power stats. SELinux : avc: denied { find } for pid=3147 uid=10219 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:grilservice_app:s0:c219,c256,c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1 Bug: 286187143 Test: build and boot Change-Id: I6df25e78ba8fa8efaa7f51aed8e981ac382dcd29 --- radio/grilservice_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index 16976c9c..3a093c82 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -16,3 +16,4 @@ binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) binder_call(grilservice_app, rild) +hal_client_domain(grilservice_app, hal_power_stats) From 5c28db1f6b6955848185ceed38024bd85d2a5a76 Mon Sep 17 00:00:00 2001 From: kadirpili Date: Wed, 20 Dec 2023 07:27:32 +0000 Subject: [PATCH 04/43] rfsd: add new property to sepolicy Bug: 307481296 Change-Id: Icd287f863fd6d309297ce984f4ce387fb5d3ae24 --- radio/rfsd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/rfsd.te b/radio/rfsd.te index 898e7fca..6391e488 100644 --- a/radio/rfsd.te +++ b/radio/rfsd.te 
@@ -29,6 +29,7 @@ allow rfsd radio_device:chr_file rw_file_perms; # Allow to set rild and modem property set_prop(rfsd, vendor_modem_prop) set_prop(rfsd, vendor_rild_prop) +get_prop(rfsd, vendor_cbd_prop) # Allow rfsd to access modem image file/dir allow rfsd modem_img_file:dir r_dir_perms; From 79ba49730b3e946d674da213ddf684cfe28b71ce Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 21 Dec 2023 07:37:01 +0000 Subject: [PATCH 05/43] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 317316633 Change-Id: I8c1b97d6c65ec06e0a13e1447538f7cebf21d962 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e84ee29d..5f2ea8df 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -15,6 +15,7 @@ rild default_prop file b/315720601 rild default_prop file b/315720874 surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 +system_suspend sysfs_batteryinfo dir b/317316633 systemui_app wm_trace_data_file dir b/288049075 twoshay chre_socket sock_file b/315104508 twoshay chre_socket sock_file b/315104941 From d26ab660b898db8708cb6a9ff54e5ffbce1fb69f Mon Sep 17 00:00:00 2001 From: Shiyong Li Date: Thu, 21 Dec 2023 20:12:45 +0000 Subject: [PATCH 06/43] display: support primary display preferred mode property Bug: 315895938 Test: check default mode after factory reset Change-Id: Ia5a4c12537d50faf54ed5ea82d24e52a623c34e3 Signed-off-by: Shiyong Li --- vendor/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index 32563633..0f3eee98 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts 
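Review bot: The added `get_prop(rfsd, vendor_cbd_prop)` in radio/rfsd.te sits directly under the existing comment `# Allow to set rild and modem property`, which describes write access to two other property types, so anyone auditing rfsd's property access will misread the group. Give the new rule its own comment, for example `# Allow rfsd to read cbd properties (b/307481296)`. The commit message does not quote the denial that motivated the rule; recording it would let a later reviewer confirm that read-only access is all rfsd needs.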
@@ -23,6 +23,7 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # Display persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix +ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From 5b30dbfbb3e1f4bcd599c27fb3fe85b6d8e80dbf Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 26 Dec 2023 19:13:52 +0800 Subject: [PATCH 07/43] Allow SysUI to write protolog file This is enabled on debuggable builds only, includes - Grant mlstrustedsubject typeattribute to wm_trace_data_file - Grant systemui_app the write access to wm_trace_data_file Bug: 251513116 Fix: 288049075 Test: make sepolicy Change-Id: Ifa5a5281c6e8c7ecedcd601fc8cc58c4be6bdc3b --- system_ext/private/systemui_app.te | 5 +++++ tracking_denials/bug_map | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 074f500f..5a5f9d28 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -20,3 +20,8 @@ get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) get_prop(systemui_app, qemu_hw_prop) +# Allow writing and removing wmshell protolog in /data/misc/wmtrace. +userdebug_or_eng(` + allow systemui_app wm_trace_data_file:dir rw_dir_perms; + allow systemui_app wm_trace_data_file:file create_file_perms; +') diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5f2ea8df..1114e82e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
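Review bot: The commit message for the systemui_app.te change lists an MLS-trust attribute grant for `wm_trace_data_file`, but the hunk contains only the two `allow` rules inside `userdebug_or_eng`, and no `typeattribute` line appears anywhere in this patch. If the attribute is not already set where the type is declared (not visible here), an app domain that runs with per-app categories can still be refused by the MLS constraints despite the new rules. Either reference the change that sets the attribute or drop that item from the description. The message also names `mlstrustedsubject`, which applies to domains; for a file type the matching attribute would be `mlstrustedobject`, so the wording is worth checking.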
@@ -16,7 +16,6 @@ rild default_prop file b/315720874 surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 -systemui_app wm_trace_data_file dir b/288049075 twoshay chre_socket sock_file b/315104508 twoshay chre_socket sock_file b/315104941 vendor_init default_prop file b/315104235 From 404089ca94ec293ae71407fb8692b31c70b5b58e Mon Sep 17 00:00:00 2001 From: timtmlin Date: Wed, 27 Dec 2023 15:22:42 +0800 Subject: [PATCH 08/43] Remove obsolete entries Bug: 315720601 Bug: 315720874 Test: make Change-Id: I538c76e009c6d29c9d2cac39778decc679446906 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1114e82e..4f8949e4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -11,8 +11,6 @@ insmod-sh insmod-sh key b/274374722 modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 -rild default_prop file b/315720601 -rild default_prop file b/315720874 surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 From 8587126f451e72bc1e10c722b9abc7049cfae9e3 Mon Sep 17 00:00:00 2001 From: Lei Ju Date: Wed, 27 Dec 2023 00:01:56 -0800 Subject: [PATCH 09/43] [zuma] Update chre sepolicy for socket connection With multiclient HAL, the socket server domain changes from chre to hal_contexthub_default. Bug: 248615564 Test: updated the sepolicies and observed that avc violation logs disappears. Change-Id: I4b2d27b436c9d81bd0d0cdc5b3c1540884c37fec --- vendor/twoshay.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/twoshay.te b/vendor/twoshay.te index 0456028b..dc511ea2 100644 --- a/vendor/twoshay.te +++ b/vendor/twoshay.te 
@@ -6,4 +6,6 @@ binder_call(twoshay, hal_radioext_default) # b/315347346 # b/314721681 unix_socket_connect(twoshay, chre, chre) +# TODO(b/248615564): Remove above rule after CHRE multiclient HAL is launched. +unix_socket_connect(twoshay, chre, hal_contexthub_default) allow twoshay self:capability2 block_suspend; From 76ea52118602653556efc4f2686dea3235f0f9a7 Mon Sep 17 00:00:00 2001 From: Jan Sebechlebsky Date: Wed, 27 Dec 2023 14:04:36 +0100 Subject: [PATCH 10/43] Remove bug_map entry for dumpstate <-> virtual_camera The denial was fixed in aosp/2852613. Bug: 312894238 Test: N/A Change-Id: I3121489729e23afa10904cb97f547e965e0c68f4 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e84ee29d..3458f07e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,4 @@ dumpstate app_zygote process b/288049050 -dumpstate virtual_camera binder b/312894238 -dumpstate virtual_camera process b/312894238 hal_face_default traced_producer_socket sock_file b/305600857 hal_radioext_default debugfs_trace_marker file b/316991604 hal_radioext_default radio_vendor_data_file file b/312590044 From 839ddde474d043fab661fd74098f1a0eddf37e97 Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Thu, 28 Dec 2023 12:00:51 +0800 Subject: [PATCH 11/43] audio: remove denials list for dcservice Bug: 299553227 Test: boot to home with test build b/299553227#comment8 Change-Id: I9ee23a9aa753d891d233e337908c2091d63f3834 Signed-off-by: Jasmine Cha --- tracking_denials/priv_app.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/priv_app.te diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te deleted file mode 100644 index 975e2c4c..00000000 --- a/tracking_denials/priv_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/299553227 -dontaudit priv_app default_android_service:service_manager { find }; From 0d7dcca863dff4b9b5e3ff207db099eff6323c8e Mon Sep 17 00:00:00 2001 
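Review bot: The TODO added in vendor/twoshay.te identifies the rule to delete only as "above rule", which stops being accurate as soon as a line is inserted between them or the block is reordered. Name the rule explicitly, e.g. `# TODO(b/248615564): Remove unix_socket_connect(twoshay, chre, chre) after CHRE multiclient HAL is launched.` Until that cleanup lands, twoshay keeps connect access to the socket in both server domains, so the follow-up is what restores the narrower policy.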
From: Kiyoung Kim Date: Tue, 2 Jan 2024 11:17:41 +0900 Subject: [PATCH 12/43] Remove SELinux error from b/313804706 Remove SELinux error from b/313804706 as the issue is solved now. Bug: 313804706 Test: No selinux denial error from boot with husky-trunk_staging-userdebug build Change-Id: I19c7fba663abac4d180b6a144f0aff5d108806f6 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 27035630..2c7e39ee 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,7 +9,6 @@ insmod-sh insmod-sh key b/274374722 modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 -surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 twoshay chre_socket sock_file b/315104508 From 728e6baa645080ad0b65c86745c65da21ac773d6 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 2 Jan 2024 08:43:06 +0000 Subject: [PATCH 13/43] Allows modem_svc to read the logging related properties avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=387 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 Bug: 316250607 Change-Id: If1942986a0804e24b13c021740f7df8f406e53c2 --- radio/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3b8b55e4..57ed142b 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -33,3 +33,6 @@ set_prop(modem_svc_sit, vendor_modem_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +# logging property +get_prop(modem_svc_sit, vendor_logger_prop) From 0e9173dfa22de790c01a05907493d3519938260f Mon Sep 17 00:00:00 2001 
From: Ilya Matyukhin Date: Thu, 4 Jan 2024 22:21:00 +0000 Subject: [PATCH 14/43] face: remove tracking for 305600857 The policy was fixed in: Ia8e4599e7cd44c815e88a34ee7d9229a3391b598 Bug: 305600857 Test: adb logcat | grep "avc:" Change-Id: I831acc083c118ca35d095d040aedcd9b85cfb3a5 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 27035630..6ed026a4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ dumpstate app_zygote process b/288049050 -hal_face_default traced_producer_socket sock_file b/305600857 hal_radioext_default debugfs_trace_marker file b/316991604 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 From 93020c0564fbcc38e6e3f507341b67398e12102f Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 2 Jan 2024 08:43:06 +0000 Subject: [PATCH 15/43] Allows modem_svc to read the logging related properties avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=387 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 Bug: 316250607 Change-Id: If1942986a0804e24b13c021740f7df8f406e53c2 (cherry picked from commit 728e6baa645080ad0b65c86745c65da21ac773d6) --- radio/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3b8b55e4..57ed142b 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -33,3 +33,6 @@ set_prop(modem_svc_sit, vendor_modem_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +# logging property +get_prop(modem_svc_sit, vendor_logger_prop) From 8b023136429b2039637c5cfa3be06e8aa369dc1c Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Wed, 3 Jan 2024 09:44:21 +0000 Subject: [PATCH 16/43] Remove tracking for b/316991604. - no need to fix, so just remove the tracking record Bug: 316991604 Test: manual test Change-Id: Ifa70774650d3beaed5abd57297a3372f8d33661e --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 68c91720..70ebaae2 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ dumpstate app_zygote process b/288049050 -hal_radioext_default debugfs_trace_marker file b/316991604 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 From 52beafc4c45ba3f7394c62e0cf7e40980f17a093 Mon Sep 17 00:00:00 2001 From: Lei Ju Date: Fri, 15 Dec 2023 16:19:17 -0800 Subject: [PATCH 17/43] [zuma] Use common settings for Contexthub HAL Test: compilation Bug: 248615564 Change-Id: I6691b23af6e532584f4dee9618c264b20b8873c0 --- vendor/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index daf2f404..8ac4afc9 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -9,7 +9,6 @@ /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 From 137c2ebd5ab839f5164058b2c5c028de9e4b4ebe Mon Sep 17 00:00:00 2001 
From: Ken Yang Date: Wed, 10 Jan 2024 06:14:37 +0000 Subject: [PATCH 18/43] selinux: label wakeup for BMS I2C 0x36, 0x69 Bug: 319035561 Change-Id: Ib57dba71691f70b75fbae23208125fa750b32dc1 Signed-off-by: Ken Yang --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f4415e1b..87f4fd49 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -220,10 +220,12 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 From 1d8bcd694bfb8fe074992af35b2ee7652e1414a8 Mon Sep 17 00:00:00 2001 
From: Mahesh Kallelil Date: Thu, 11 Jan 2024 09:48:44 -0800 Subject: [PATCH 19/43] Remove modem_svc selinux error from denials bug_map This property was removed and is not being used anymore. So modem_svc will not need to read it. Bug: 316816737 Change-Id: Iaee56d15ca69e91fe952eaa188d3aaec69edf5dc Signed-off-by: Mahesh Kallelil --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2c7e39ee..e1c17e16 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,7 +6,6 @@ hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 -modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 From d6e79769c1af51cd774a14d3b9650c156145cc5c Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Fri, 12 Jan 2024 07:31:14 +0000 Subject: [PATCH 20/43] Allow Powerstats service to access refresh rate residency node Bug: 315424658 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: I86288b4f523b4463a46d710a6556fa6852d4bea0 --- vendor/genfs_contexts | 2 ++ vendor/hal_power_stats_default.te | 1 + 2 files changed, 3 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 87f4fd49..71a14d92 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -68,6 +68,8 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te index 012debcf..001b5fac 100644 --- a/vendor/hal_power_stats_default.te +++ b/vendor/hal_power_stats_default.te @@ -3,6 +3,7 @@ r_dir_file(hal_power_stats_default, sysfs_aoc) r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) r_dir_file(hal_power_stats_default, sysfs_cpu) +r_dir_file(hal_power_stats_default, sysfs_display) r_dir_file(hal_power_stats_default, sysfs_edgetpu) r_dir_file(hal_power_stats_default, sysfs_iio_devices) r_dir_file(hal_power_stats_default, sysfs_leds) From 0d32d1c172c19186a7ac4fd3eb316a9b947d612d Mon Sep 17 00:00:00 2001 From: Angela Wu Date: Mon, 15 Jan 2024 04:54:47 +0000 Subject: [PATCH 21/43] Change the type of hw_jpg_device for selinux policy so that the GCA release flavor could access hw_jpg_device Bug: 320410642 Test:m Change-Id: If77a097b4ca823322ef41b13d6283390dac69d6c --- vendor/device.te | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
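Review bot: `r_dir_file(hal_power_stats_default, sysfs_display)` in vendor/hal_power_stats_default.te grants read on every node labelled `sysfs_display`, while the stated need is the two residency nodes labelled in the genfs_contexts hunk of the same patch (`time_in_state` and `available_disp_stats`). That type already covers the panel idle, `op_hz` and `early_wakeup` nodes visible in the context lines, so the power stats HAL gains read access to all of them. A dedicated type for the two statistics nodes, with `r_dir_file` on that type only, would keep the grant scoped to what the HAL reads. If the broad grant is intended, a comment saying so would help the next audit.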
diff --git a/vendor/device.te b/vendor/device.te index fdb49579..6ed4db3d 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -4,10 +4,7 @@ type custom_ab_block_device, dev_type; type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; -type hw_jpg_device, dev_type; -userdebug_or_eng(` - typeattribute hw_jpg_device mlstrustedobject; -') +type hw_jpg_device, dev_type, mlstrustedobject; type fingerprint_device, dev_type; type uci_device, dev_type; From 148d3558f8b84623dea91a455ca436789adcc9b6 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 16 Jan 2024 19:20:02 +0000 Subject: [PATCH 22/43] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 319403445 Change-Id: I470afdd191741401c197ae32bfff18e9d8b90a96 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 8757806e..6c1b6e54 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 +kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 From 2d8e52e176ef51abe6e46fe557d42ecf790a3548 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 17 Jan 2024 17:42:53 +0000 Subject: [PATCH 23/43] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 320693841 Change-Id: Ia3ffe885f02a8db86d6bd024d34135fd1ce30d7b --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6c1b6e54..a2da69bc 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
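Review bot: Moving `mlstrustedobject` out of the `userdebug_or_eng` block in vendor/device.te exempts `hw_jpg_device` from MLS level and category checks on user builds as well, so the only remaining gate is which domains hold `allow` rules on the type. Those rules are outside this hunk and should be confirmed to name only the intended client domains. The declaration no longer explains itself, so add a comment such as `# mlstrustedobject: opened by app domains that run with per-app categories (b/320410642)`. The same change is repeated in the cherry-pick hunk of PATCH 27/43.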
@@ -8,6 +8,7 @@ kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 +system_suspend sysfs dir b/320693841 system_suspend sysfs_batteryinfo dir b/317316633 twoshay chre_socket sock_file b/315104508 twoshay chre_socket sock_file b/315104941 From 4e48a457277af5cf825478a7836d9c5a6c8fb738 Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Thu, 18 Jan 2024 00:16:07 +0800 Subject: [PATCH 24/43] Allow dump_power to read directories under "/sys/class/power_supply" Bug: 320613177 Change-Id: I1a39ddb5fbbf4c62fa5b96e3562b34f2f2091c13 Signed-off-by: Kyle Tso --- vendor/dump_power.te | 1 + vendor/genfs_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/vendor/dump_power.te b/vendor/dump_power.te index 4437dfaf..e4f8bc09 100644 --- a/vendor/dump_power.te +++ b/vendor/dump_power.te @@ -13,6 +13,7 @@ allow dump_power sysfs_batteryinfo:dir r_dir_perms; allow dump_power sysfs_batteryinfo:file r_file_perms; allow dump_power sysfs_wlc:dir search; allow dump_power sysfs_wlc:file r_file_perms; +allow dump_power sysfs_power_dump:dir r_dir_perms; allow dump_power sysfs_power_dump:file r_file_perms; allow dump_power mitigation_vendor_data_file:dir rw_dir_perms; allow dump_power mitigation_vendor_data_file:file create_file_perms; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 71a14d92..27d054b8 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -211,6 +211,7 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/chg_stats genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply u:object_r:sysfs_power_dump:s0 # wake up nodes genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From 770a65f4a9d0e8fc4a30bbf0d717d5622353c6c7 Mon Sep 17 00:00:00 2001 From: Imo Richard Umoren Date: Mon, 22 Jan 2024 18:32:09 +0000 Subject: [PATCH 25/43] Update Tracking Denial Bug Map Removes tracking denial for twoshay from bug map Bug: b/315104941 Test: Manually tested on HK3 DVT Change-Id: I6cd8f390e98fc98925ed807a2ff24a33c51c75cd --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a2da69bc..cfa4e3d9 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -10,8 +10,6 @@ pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs dir b/320693841 system_suspend sysfs_batteryinfo dir b/317316633 -twoshay chre_socket sock_file b/315104508 -twoshay chre_socket sock_file b/315104941 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 vendor_init default_prop property_service b/315104235 From 3d156c0ad6ac29a8176bff26f8790a8da97a654e Mon Sep 17 00:00:00 2001 From: Weizhung Ding Date: Thu, 21 Sep 2023 11:31:41 +0000 Subject: [PATCH 26/43] [displayport-stats] add sysfs access permission on Zuma devices. Bug: 266898132 Test: Build Change-Id: I4c5bd4729f837c843668c447abbbe4c34beb3fce --- vendor/genfs_contexts | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 27d054b8..d7badfbe 100644 
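Review bot: `genfscon sysfs /class/power_supply u:object_r:sysfs_power_dump:s0` matches by path prefix, so it relabels the directory and every entry beneath it that has no longer match, for all domains and not only dump_power. Any domain that previously listed or traversed `/sys/class/power_supply` under the generic `sysfs` label would now need access to `sysfs_power_dump`. Whether such domains exist is not visible in this patch, so a boot run of the denial test is worth doing before merge. Entries in that directory are normally symlinks, and the dump_power.te hunk of this patch adds only `dir r_dir_perms` beside the existing `file r_file_perms`, so check whether `lnk_file` read on the type is also required.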
--- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -92,6 +92,18 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/p genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_invalid_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/sink_count_invalid_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_unstable_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp2_success_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp2_fallback_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp1_success_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp1_fail_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/hdcp/hdcp0_count u:object_r:sysfs_display:s0 # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 From 3b3042135034a62bd7cacdc634f52d959a32e932 Mon Sep 17 00:00:00 2001 
From: Angela Wu Date: Mon, 15 Jan 2024 04:54:47 +0000 Subject: [PATCH 27/43] Change the type of hw_jpg_device for selinux policy so that the GCA release flavor could access hw_jpg_device Bug: 320410642 Test:m (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d32d1c172c19186a7ac4fd3eb316a9b947d612d) Merged-In: If77a097b4ca823322ef41b13d6283390dac69d6c Change-Id: If77a097b4ca823322ef41b13d6283390dac69d6c --- vendor/device.te | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/vendor/device.te b/vendor/device.te index 50b7c59a..9faa3e67 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -6,10 +6,7 @@ type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; type gxp_device, dev_type, mlstrustedobject; -type hw_jpg_device, dev_type; -userdebug_or_eng(` - typeattribute hw_jpg_device mlstrustedobject; -') +type hw_jpg_device, dev_type, mlstrustedobject; type fingerprint_device, dev_type; type uci_device, dev_type; From d7decd5eee10b73702459967cc92a69521cf926d Mon Sep 17 00:00:00 2001 From: Sean Callanan Date: Wed, 10 Jan 2024 21:08:43 +0000 Subject: [PATCH 28/43] Add `capacity_headroom` to gpu sysfs This allows userspace (notably the power HAL) to apply a boost to GPU frequency independent of previously measured load. Bug: 290625326 Test: boot, run modified Power HAL Change-Id: Ia71266ee751a36a960706ac8aacc7fdefdf8a0f0 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f4415e1b..b39a8bef 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -271,6 +271,7 @@ genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:obje genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/dvfs_period u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/cur_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/capacity_headroom u:object_r:sysfs_gpu:s0 # GSA logs genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0 From 0cdeda46b2104ca20091d99b43bd7997900e0b98 Mon Sep 17 00:00:00 2001 From: kierancyphus Date: Tue, 23 Jan 2024 15:22:43 +0800 Subject: [PATCH 29/43] liboemservice_proxy: Update sepolicy to hal This was wrongly configured originally, and has instead been modified to follow the advice from https://source.android.com/docs/core/architecture/aidl/aidl-hals#sepolicy. Test: atest vts_treble_vintf_vendor_test:DeviceManifest/SingleAidlTest Bug: 321867236 Change-Id: I75df4696660b2c052324313785b244c263ebd75b --- radio/dmd.te | 7 +------ radio/file_contexts | 1 + radio/liboemservice_proxy.te | 34 ++++++++++++++++++++++++++++++++++ radio/modem_diagnostic_app.te | 5 +++-- radio/private/service_contexts | 3 --- radio/service.te | 4 ++-- radio/service_contexts | 2 ++ 7 files changed, 43 insertions(+), 13 deletions(-) create mode 100644 radio/liboemservice_proxy.te create mode 100644 radio/service_contexts diff --git a/radio/dmd.te b/radio/dmd.te index 6216106a..be820be8 100644 --- a/radio/dmd.te +++ b/radio/dmd.te 
@@ -30,9 +30,4 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) - -# Allow proxy to register as android Service -binder_use(dmd) -add_service(dmd, liboemservice_proxy) -allow dmd radio_vendor_data_file:dir create_dir_perms; -allow dmd radio_vendor_data_file:file create_file_perms; \ No newline at end of file +binder_call(dmd, liboemservice_proxy_default) diff --git a/radio/file_contexts b/radio/file_contexts index 8d74be8e..1fcdfdd3 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -11,6 +11,7 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +/vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/liboemservice_proxy.te b/radio/liboemservice_proxy.te new file mode 100644 index 00000000..9a4a61a7 --- /dev/null +++ b/radio/liboemservice_proxy.te 
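Review bot: The radio/dmd.te hunk removes `binder_use(dmd)` but keeps a binder path to the new domain through `binder_call(dmd, liboemservice_proxy_default)`. PATCH 34 of this series then adds `dontaudit dmd servicemanager:binder { call };`, which suggests dmd still tries to reach servicemanager after this change. If that call is leftover registration code in dmd, it should be removed there rather than silenced; if dmd legitimately needs servicemanager, `binder_use(dmd)` should stay. If the intent is that dmd only exchanges calls with the proxy, a comment above the new rule such as `# dmd no longer registers a binder service; it only talks to liboemservice_proxy_default` would record that.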
@@ -0,0 +1,34 @@ +type liboemservice_proxy_default, domain; +type liboemservice_proxy_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(liboemservice_proxy_default) + +# Allow proxy to register as android service. +binder_use(liboemservice_proxy_default); +add_service(liboemservice_proxy_default, liboemservice_proxy_service); + +get_prop(liboemservice_proxy_default, hwservicemanager_prop) +binder_call(liboemservice_proxy_default, hwservicemanager) +binder_call(liboemservice_proxy_default, dmd) +allow liboemservice_proxy_default hal_vendor_oem_hwservice:hwservice_manager find; +allow liboemservice_proxy_default radio_vendor_data_file:dir create_dir_perms; +allow liboemservice_proxy_default radio_vendor_data_file:file create_file_perms; + +# Grant to access serial device for external logging tool +allow liboemservice_proxy_default serial_device:chr_file rw_file_perms; + +# Grant to access radio device +allow liboemservice_proxy_default radio_device:chr_file rw_file_perms; + +# Grant to access slog dir/file +allow liboemservice_proxy_default vendor_slog_file:dir create_dir_perms; +allow liboemservice_proxy_default vendor_slog_file:file create_file_perms; + +# Grant to access tcp socket +allow liboemservice_proxy_default node:tcp_socket node_bind; +allow liboemservice_proxy_default self:tcp_socket { create_socket_perms_no_ioctl listen accept bind }; + +# Grant to access log related properties +set_prop(liboemservice_proxy_default, vendor_diag_prop) +set_prop(liboemservice_proxy_default, vendor_slog_prop) +set_prop(liboemservice_proxy_default, vendor_modem_prop) +get_prop(liboemservice_proxy_default, vendor_persist_config_default_prop) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index ecd27394..aaf2aab2 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te 
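Review bot: The new liboemservice_proxy_default domain gets a listening TCP socket (`node_bind` plus `listen accept bind`) and read/write on `serial_device` on every build type. Its only client visible in this series, modem_diagnostic_app, reaches it inside `userdebug_or_eng`. If the external logging tool path is only meant for debug builds, these rules should be gated the same way, so that user builds do not carry a network-reachable surface in front of `radio_device`. Whether user builds need them is not visible here, so treat the fence below as a proposal to confirm. Separately, the trailing `;` after `binder_use(...)` and `add_service(...)` is inconsistent with the other macro calls in the file.

```selinux
# … unchanged: type declarations, binder/service registration, radio_vendor_data_file rules …

userdebug_or_eng(`
  # Grant to access serial device for external logging tool
  allow liboemservice_proxy_default serial_device:chr_file rw_file_perms;

  # Grant to access tcp socket
  allow liboemservice_proxy_default node:tcp_socket node_bind;
  allow liboemservice_proxy_default self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
')

# … unchanged: radio_device, vendor_slog_file and property rules …
```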
@@ -41,6 +41,7 @@ userdebug_or_eng(` dontaudit modem_diagnostic_app default_prop:file r_file_perms; # Modem Log Mask Library Permissions - binder_call(modem_diagnostic_app, liboemservice_proxy) - allow modem_diagnostic_app liboemservice_proxy:service_manager find; + allow modem_diagnostic_app liboemservice_proxy_service:service_manager find; + binder_use(modem_diagnostic_app) + binder_call(modem_diagnostic_app, liboemservice_proxy_default) ') diff --git a/radio/private/service_contexts b/radio/private/service_contexts index fdd49d4b..289e8e22 100644 --- a/radio/private/service_contexts +++ b/radio/private/service_contexts @@ -1,4 +1 @@ telephony.oem.oemrilhook u:object_r:radio_service:s0 - -# DMD oemservice aidl proxy -com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy:s0 \ No newline at end of file diff --git a/radio/service.te b/radio/service.te index 620a3d4b..f2790d71 100644 --- a/radio/service.te +++ b/radio/service.te @@ -1,2 +1,2 @@ -# dmd liboemservice_proxy -type liboemservice_proxy, hal_service_type, service_manager_type; +# define liboemservice_proxy_service +type liboemservice_proxy_service, hal_service_type, service_manager_type; diff --git a/radio/service_contexts b/radio/service_contexts new file mode 100644 index 00000000..ce755180 --- /dev/null +++ b/radio/service_contexts @@ -0,0 +1,2 @@ +# DMD oemservice aidl proxy +com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 From a5df4f07bf774eb55aab6752aa2e8055f5a4d68e Mon Sep 17 00:00:00 2001 
From: Daniel Chapin Date: Thu, 25 Jan 2024 21:35:37 +0000 Subject: [PATCH 30/43] Revert "Allow dump_power to read directories under "/sys/class/p..." Revert submission 25915320-320613177 Reason for revert: Droidfood blocking bug: 322294676 Reverted changes: /q/submissionid:25915320-320613177 Change-Id: I5545dcd73cdce5ae029444c313bf5dc3f642a5c0 --- vendor/dump_power.te | 1 - vendor/genfs_contexts | 1 - 2 files changed, 2 deletions(-) diff --git a/vendor/dump_power.te b/vendor/dump_power.te index e4f8bc09..4437dfaf 100644 --- a/vendor/dump_power.te +++ b/vendor/dump_power.te @@ -13,7 +13,6 @@ allow dump_power sysfs_batteryinfo:dir r_dir_perms; allow dump_power sysfs_batteryinfo:file r_file_perms; allow dump_power sysfs_wlc:dir search; allow dump_power sysfs_wlc:file r_file_perms; -allow dump_power sysfs_power_dump:dir r_dir_perms; allow dump_power sysfs_power_dump:file r_file_perms; allow dump_power mitigation_vendor_data_file:dir rw_dir_perms; allow dump_power mitigation_vendor_data_file:file create_file_perms; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 27d054b8..71a14d92 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -211,7 +211,6 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/chg_stats genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /class/power_supply u:object_r:sysfs_power_dump:s0 # wake up nodes genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From aef38ed6a73f3d6619f1ebc3117188b3384b2195 Mon Sep 17 00:00:00 2001 
From: Kadi Narmamatov Date: Tue, 30 Jan 2024 07:01:33 +0000 Subject: [PATCH 31/43] Revert "rfsd: add new property to sepolicy" Revert submission 25709311-rfsd-efs-erase Reason for revert: we don't need it for this repo, only for pro Reverted changes: /q/submissionid:25709311-rfsd-efs-erase Bug: 315104803 Change-Id: I54e24ae99087b102c1a2f677ce4a7b2cad670992 --- radio/rfsd.te | 1 - 1 file changed, 1 deletion(-) diff --git a/radio/rfsd.te b/radio/rfsd.te index 6391e488..898e7fca 100644 --- a/radio/rfsd.te +++ b/radio/rfsd.te @@ -29,7 +29,6 @@ allow rfsd radio_device:chr_file rw_file_perms; # Allow to set rild and modem property set_prop(rfsd, vendor_modem_prop) set_prop(rfsd, vendor_rild_prop) -get_prop(rfsd, vendor_cbd_prop) # Allow rfsd to access modem image file/dir allow rfsd modem_img_file:dir r_dir_perms; From bbd26c9cb876d0af5a242d5ffbf6531a6a372405 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 31 Jan 2024 02:58:43 +0000 Subject: [PATCH 32/43] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 323086582 Test: scanBugreport Bug: 323087490 Test: scanAvcDeniedLogRightAfterReboot Bug: 323087197 Change-Id: I99006484464f82125a63be9c26eb8d8051c57840 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index cfa4e3d9..1a99a16a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -7,10 +7,13 @@ insmod-sh insmod-sh key b/274374722 kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 +rfsd vendor_cbd_prop file b/323086582 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs dir b/320693841 system_suspend sysfs_batteryinfo dir b/317316633 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 +vendor_init default_prop file b/323087197 +vendor_init default_prop file b/323087490 vendor_init default_prop property_service b/315104235 vendor_init vendor_volte_mif_off property_service b/316816642 From 98972beada4d9291fbc03d5f1331119be9e1a06a Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Fri, 26 Jan 2024 22:08:15 +0800 Subject: [PATCH 33/43] Allow dump_power to read sysfs directories dump_power needs to read the directories under /sys/class/power_supply. Bug: 320613177 Bug: 322294676 Change-Id: I7bc55b90d67a1d05bb097955ed632d62535e0f40 Signed-off-by: Kyle Tso --- vendor/dump_power.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/dump_power.te b/vendor/dump_power.te index 4437dfaf..539c3b29 100644 --- a/vendor/dump_power.te +++ b/vendor/dump_power.te @@ -23,6 +23,7 @@ allow dump_power persist_battery_file:file r_file_perms; allow dump_power vendor_shell_exec:file execute_no_trans; allow dump_power battery_mitigation_exec:file execute_no_trans; allow dump_power sysfs_iio_devices:dir search; +allow dump_power sysfs:dir r_dir_perms; userdebug_or_eng(` allow dump_power debugfs:dir r_dir_perms; From fdc9af0d88cafe053a7d1541367d0bb44bd90e96 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 2 Feb 2024 08:04:40 +0000 Subject: [PATCH 34/43] Update error on ROM 11396046 Bug: 323471016 Test: SELinuxUncheckedDenialBootTest Change-Id: I79953f209f474b8d71e06e197795b0d55c3ffce3 --- tracking_denials/dmd.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/dmd.te 
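Review bot: In vendor/dump_power.te, `allow dump_power sysfs:dir r_dir_perms;` grants directory read on everything that still carries the generic `sysfs` label, on all build types, although the description only needs the directories under /sys/class/power_supply. PATCH 30 in this series reverted the narrower variant that labelled `/class/power_supply` as `sysfs_power_dump`, so this looks like the fallback. The rule should at least carry a comment saying so, e.g. `# power_supply class dirs keep the generic sysfs label; the dedicated-label attempt was reverted (b/322294676)`. This rule adds directory access only and no file access on `sysfs`, but it is worth confirming that directory listing across generic sysfs is acceptable for a dump domain. The rule list continues outside the hunk.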
diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te new file mode 100644 index 00000000..24c43fa2 --- /dev/null +++ b/tracking_denials/dmd.te @@ -0,0 +1,2 @@ +# b/323471016 +dontaudit dmd servicemanager:binder { call }; From cfe12763f2c0a5d4b696f105e88ba888ac7bf23b Mon Sep 17 00:00:00 2001 From: Hongbo Zeng Date: Thu, 25 Jan 2024 12:36:37 +0800 Subject: [PATCH 35/43] Allow con_monitor_app to read/write the folder /data/vendor/radio Bug: 322266425 Test: after apply the patch, we can see the adum_log/adum_log_old files are included in dumpstate_board.bin successfully without denial Change-Id: Ic488a84a1942fbc424b08aa0cbd4d526014152cd --- vendor/con_monitor_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te index 7690191b..a00fb690 100644 --- a/vendor/con_monitor_app.te +++ b/vendor/con_monitor_app.te @@ -5,6 +5,8 @@ app_domain(con_monitor_app); allow con_monitor_app app_api_service:service_manager find; allow con_monitor_app batterystats_service:service_manager find; allow con_monitor_app virtual_device_service:service_manager find; +allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms; +allow con_monitor_app radio_vendor_data_file:file create_file_perms; binder_call(con_monitor_app, system_server); binder_call(con_monitor_app, servicemanager); From 332714ffac860f46f389c6bedf8a7c1cc1cce98e Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 6 Feb 2024 08:36:39 +0000 Subject: [PATCH 36/43] Allow camera_app can access priv-app symlinks Fix: 322417347 Test: make selinux_policy Change-Id: I467667b3a824a2e8b93e47c61c28ed9015fd44c3 --- private/debug_camera_app.te | 2 ++ private/google_camera_app.te | 3 +++ 2 files changed, 5 insertions(+) diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te index 8250e42a..69a804d9 100644 --- a/private/debug_camera_app.te +++ b/private/debug_camera_app.te 
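Review bot: In the vendor/con_monitor_app.te hunk the two new rules give an app domain `rw_dir_perms` and `create_file_perms` on every `radio_vendor_data_file` object. PATCH 29 in this series lets liboemservice_proxy_default create files under the same label, so the app would share it with modem logging data. The description only mentions the adum_log and adum_log_old files, so a dedicated type for those files with a `file_contexts` entry would keep the app away from the rest of /data/vendor/radio; whether such a type already exists is not visible here. If the shared label has to stay, add a comment above the rules, e.g. `# con_monitor writes adum_log/adum_log_old under /data/vendor/radio (b/322266425)`.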
@@ -13,4 +13,6 @@ userdebug_or_eng(` # Allows GCA_Eng & GCA-Next to access the PowerHAL. hal_client_domain(debug_camera_app, hal_power) + # Follow priv-app symlinks. This is used for dynamite functionality. + allow debug_camera_app privapp_data_file:lnk_file r_file_perms; ') diff --git a/private/google_camera_app.te b/private/google_camera_app.te index 4ce84afb..81e3527c 100644 --- a/private/google_camera_app.te +++ b/private/google_camera_app.te @@ -14,3 +14,6 @@ hal_client_domain(google_camera_app, hal_power) # Library code may try to access vendor properties, but should be denied dontaudit google_camera_app vendor_default_prop:file { getattr map open }; + +# Follow priv-app symlinks. This is used for dynamite functionality. +allow google_camera_app privapp_data_file:lnk_file r_file_perms; From 6c5b44f1bb3a170c5e4f7227682a3248cab83f94 Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Wed, 7 Feb 2024 05:13:45 +0000 Subject: [PATCH 37/43] hal_usb_impl: Grant read permission to usb overheat files Carried over from WHI PRO setting. Bug: 307583011 Test: no audit logs Change-Id: I45bb396f2597a4a8c150ad2975ecfa427d44f2a9 --- vendor/hal_usb_impl.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 4086fb37..3d89a09f 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -23,3 +23,6 @@ allow hal_usb_impl sysfs_wakeup:file r_file_perms; # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; + +# For reading the usb-c throttling stats +allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; From 15fda1a5010e2f73559c46faa031ef0b139ded9e Mon Sep 17 00:00:00 2001 
From: Weizhung Ding Date: Thu, 12 Oct 2023 12:13:14 +0000 Subject: [PATCH 38/43] Add HWC permission to access IStats AIDL avc: denied { call } for scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=0 Bug: 266898132 Test: Build and check log Change-Id: I7e5ec165df0d397250b09f5981c1f45aea27bd4c --- vendor/hal_graphics_composer_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 5c4aef45..3eed6973 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te @@ -41,3 +41,7 @@ add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; allow hal_graphics_composer_default vendor_log_file:dir search; + +# allow HWC to access IStats AIDL +allow hal_graphics_composer_default fwk_stats_service:service_manager find; +binder_call(hal_graphics_composer_default, system_server); From 1d8864cdeea30c6da40bc47e09247ab3d8d23e4c Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Fri, 16 Feb 2024 15:15:55 -0800 Subject: [PATCH 39/43] Update tcpm i2c sepolicy with new device name The new names fix uninformative kernel wakelock names. Bug: 315190967 Bug: 323447554 Change-Id: I5e0a4e13484c9886be398782e580313892987e2f --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index dfa264a9..017cef01 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -231,6 +231,7 @@ genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/wakeup/wakeup genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-11-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 From 161bbcd1e621f2f9ef4a615d1f2286d42c7aafae Mon Sep 17 00:00:00 2001 From: Peter Lin Date: Thu, 25 Jan 2024 04:12:11 +0000 Subject: [PATCH 40/43] add dsim wakeup labels Bug: 320693841 Bug: 321733124 test: ls sys/devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup -Z Change-Id: Ie99007455ef3879c8ee0aa1fa20801e4baf5e978 --- tracking_denials/bug_map | 1 - vendor/genfs_contexts | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index cfa4e3d9..a4cf1924 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,7 +8,6 @@ kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 -system_suspend sysfs dir b/320693841 system_suspend sysfs_batteryinfo dir b/317316633 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index caa6b824..52410b9e 100644 --- a/vendor/genfs_contexts 
+++ b/vendor/genfs_contexts @@ -260,6 +260,8 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 From f75e76f91370231072cf8bb11621a9dfc12d4f08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 21 Feb 2024 13:47:43 +1100 Subject: [PATCH 41/43] Remove persist.bootanim.color property definitions These now belong to the platform policy. Bug: 321088135 Test: build Change-Id: Ie7fcd37eeb176334e36a86d6ad3d66f42c1b841e --- legacy/private/property_contexts | 5 ----- zuma-sepolicy.mk | 1 - 2 files changed, 6 deletions(-) delete mode 100644 legacy/private/property_contexts diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts deleted file mode 100644 index abcdd419..00000000 --- a/legacy/private/property_contexts +++ /dev/null @@ -1,5 +0,0 @@ -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index 2d80f554..abfaa288 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk 
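Review bot: The two added `drmdsim` entries end in `wakeup/`, while every neighbouring wakeup entry in this hunk ends without a trailing slash. genfscon paths are matched as string prefixes, so with the slash the `wakeup` directory node itself would presumably keep the generic `sysfs` label and only its children would get `sysfs_wakeup`. That may still cover the `system_suspend sysfs dir` denial this commit drops from bug_map, but it is worth checking with `ls -Zd` on the directory itself. For consistency I would write `genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0` and the same for `19450000.drmdsim`.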
@@ -18,7 +18,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # To be reviewed and removed. BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro -PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private From 7b238e3659e11021e52d860025ada4806b439274 Mon Sep 17 00:00:00 2001 From: Rubin Xu Date: Fri, 23 Feb 2024 12:12:26 +0000 Subject: [PATCH 42/43] Revert "Remove persist.bootanim.color property definitions" Revert submission 26301396-bootanim_prop Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/quarterdeck/?branch=git_main&target=sdk_goog3_x86_64-trunk_staging-userdebug&lkgb=11487950&lkbb=11488141&fkbb=11488141 Bug: 326521604 Reverted changes: /q/submissionid:26301396-bootanim_prop Change-Id: Icad6e80687cd7cd2085018bca226b5f38f25db25 --- legacy/private/property_contexts | 5 +++++ zuma-sepolicy.mk | 1 + 2 files changed, 6 insertions(+) create mode 100644 legacy/private/property_contexts diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts new file mode 100644 index 00000000..abcdd419 --- /dev/null +++ b/legacy/private/property_contexts @@ -0,0 +1,5 @@ +# Boot animation dynamic colors +persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index abfaa288..2d80f554 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk 
@@ -18,6 +18,7 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # To be reviewed and removed. BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro +PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private From 97a16aff57df4bf32b8e05397018039486e499c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Sun, 25 Feb 2024 23:58:44 +0000 Subject: [PATCH 43/43] Revert^2 "Remove persist.bootanim.color property definitions" 7b238e3659e11021e52d860025ada4806b439274 Change-Id: I56143303453cce01d812997ed4a06d815f2a6859 --- legacy/private/property_contexts | 5 ----- zuma-sepolicy.mk | 1 - 2 files changed, 6 deletions(-) delete mode 100644 legacy/private/property_contexts diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts deleted file mode 100644 index abcdd419..00000000 --- a/legacy/private/property_contexts +++ /dev/null @@ -1,5 +0,0 @@ -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index 2d80f554..abfaa288 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk 
@@ -18,7 +18,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # To be reviewed and removed. BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro -PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private