diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 26e441ab..68f910fb 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -2,7 +2,6 @@
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
@@ -10,8 +9,6 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
-/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
diff --git a/legacy/whitechapel_pro/init-display-sh.te b/legacy/whitechapel_pro/init-display-sh.te
deleted file mode 100644
index 54ff7d6e..00000000
--- a/legacy/whitechapel_pro/init-display-sh.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type init-display-sh, domain;
-type init-display-sh_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(init-display-sh)
-
-allow init-display-sh self:capability sys_module;
-allow init-display-sh vendor_kernel_modules:system module_load;
-allow init-display-sh vendor_toolbox_exec:file execute_no_trans;
-
-dontaudit init-display-sh proc_cmdline:file r_file_perms;
-
diff --git a/legacy/whitechapel_pro/init.te b/legacy/whitechapel_pro/init.te
deleted file mode 100644
index d987ac64..00000000
--- a/legacy/whitechapel_pro/init.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow init ram_device:blk_file w_file_perms;
-allow init sysfs_scsi_devices_0000:file w_file_perms;
-
-# Workaround for b/193113005 that modem_img unlabeled after disable-verity
-dontaudit init overlayfs_file:file rename;
-dontaudit init overlayfs_file:chr_file unlink;
diff --git a/legacy/whitechapel_pro/logd.te b/legacy/whitechapel_pro/logd.te
deleted file mode 100644
index cc55e204..00000000
--- a/legacy/whitechapel_pro/logd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-r_dir_file(logd, logbuffer_device)
-allow logd logbuffer_device:chr_file r_file_perms;
diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te
index e22d3c6d..4454bfdb 100644
--- a/tracking_denials/con_monitor_app.te
+++ b/tracking_denials/con_monitor_app.te
@@ -22,3 +22,9 @@ dontaudit con_monitor_app dumpstate:fifo_file { write };
 dontaudit con_monitor_app system_server:fifo_file { write };
 dontaudit con_monitor_app tombstoned:unix_stream_socket { connectto };
 dontaudit con_monitor_app tombstoned_java_trace_socket:sock_file { write };
+# b/262455571
+dontaudit con_monitor_app data_file_type:dir { search };
+dontaudit con_monitor_app servicemanager:binder { call };
+dontaudit con_monitor_app statsd:unix_dgram_socket { sendto };
+dontaudit con_monitor_app statsdw_socket:sock_file { write };
+dontaudit con_monitor_app system_file:file { execute };
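Review bot: `dontaudit con_monitor_app servicemanager:binder { call }` silences a denial that, if it is real, means the app cannot reach servicemanager at all, which is a functional failure rather than log noise; app domains normally get this through binder_use, so the denial is worth understanding before it is hidden under b/262455571. `dontaudit con_monitor_app data_file_type:dir { search }` is also broad — data_file_type is an attribute over every app-data type — so any later real misbehaviour of this domain against app data would leave no audit trail. I would narrow it to the concrete type that appeared in the logged denial and add a one-line intent comment, e.g. `# b/262455571: noise from a directory probe; drop once the app stops probing it`, so the next reviewer knows whether this entry is meant to be permanent.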
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index cb4a9f6d..fdddd335 100644
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -61,3 +61,5 @@ dontaudit euiccpixel_app dumpstate:fifo_file { write };
 dontaudit euiccpixel_app system_server:fifo_file { write };
 dontaudit euiccpixel_app tombstoned:unix_stream_socket { connectto };
 dontaudit euiccpixel_app tombstoned_java_trace_socket:sock_file { write };
+# b/262451641
+dontaudit euiccpixel_app permission_checker_service:service_manager { find };
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index 51e2d710..bfb0444d 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -3,3 +3,19 @@ dontaudit google_camera_app vendor_file:file { getattr };
 dontaudit google_camera_app vendor_file:file { map };
 dontaudit google_camera_app vendor_file:file { open };
 dontaudit google_camera_app vendor_file:file { read };
+# b/262455755
+dontaudit google_camera_app activity_service:service_manager { find };
+dontaudit google_camera_app cameraserver_service:service_manager { find };
+dontaudit google_camera_app content_capture_service:service_manager { find };
+dontaudit google_camera_app device_state_service:service_manager { find };
+dontaudit google_camera_app edgetpu_app_service:service_manager { find };
+dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
+dontaudit google_camera_app edgetpu_device:chr_file { map };
+dontaudit google_camera_app edgetpu_device:chr_file { read write };
+dontaudit google_camera_app fwk_stats_service:service_manager { find };
+dontaudit google_camera_app game_service:service_manager { find };
+dontaudit google_camera_app mediaserver_service:service_manager { find };
+dontaudit google_camera_app netstats_service:service_manager { find };
+dontaudit google_camera_app sensorservice_service:service_manager { find };
+dontaudit google_camera_app surfaceflinger_service:service_manager { find };
+dontaudit google_camera_app thermal_service:service_manager { find };
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
new file mode 100644
index 00000000..cde3a01c
--- /dev/null
+++ b/tracking_denials/hal_wifi_ext.te
@@ -0,0 +1,2 @@
+# b/262455388
+dontaudit hal_wifi_ext grilservice_app:binder { call };
diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te
index c3afb322..35fcf30b 100644
--- a/tracking_denials/hal_wlc.te
+++ b/tracking_denials/hal_wlc.te
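Review bot: The three `edgetpu_device:chr_file` lines hide an app domain's direct ioctl/map/read/write attempts on the Edge TPU device node, and the same hunk also hides `edgetpu_app_service:service_manager { find }`, which suggests the app is failing to reach the service it should be using and then touching the raw device. dontaudit does not change enforcement, so the access stays denied, but once both are silent nobody will notice whether the camera app's TPU path is broken on this build. I would keep only the service_manager find under b/262455755 (or fix that lookup rule) and leave the chr_file denials auditable until the bug settles which path is intended, with a comment such as `# direct edgetpu_device access is not expected from an app; keep auditable until b/262455755 is resolved`.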
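Review bot: `dontaudit hal_wifi_ext grilservice_app:binder { call }` hides a vendor HAL calling into an app domain, which is the reverse of the usual app-to-HAL direction and would cross the system/vendor binder boundary. If this is a legitimate callback it presumably belongs on a vndbinder/hwbinder path with an explicit binder_call rule rather than a dontaudit; if it is not, the denial is the desired outcome and hiding it loses the evidence. Either way a comment naming the intended resolution, e.g. `# b/262455388: HAL->app callback; replace with the proper binder rule or confirm the call is unintended`, would make this new file self-explanatory.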
@@ -3,3 +3,15 @@ dontaudit hal_wlc sysfs:file { getattr };
 dontaudit hal_wlc sysfs:file { open };
 dontaudit hal_wlc sysfs:file { read };
 dontaudit hal_wlc sysfs:file { write };
+# b/262455719
+dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { bind };
+dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { create };
+dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { getopt };
+dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { read };
+dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { setopt };
+dontaudit hal_wlc hwservicemanager:binder { call };
+dontaudit hal_wlc hwservicemanager:binder { transfer };
+dontaudit hal_wlc hwservicemanager_prop:file { getattr };
+dontaudit hal_wlc hwservicemanager_prop:file { map };
+dontaudit hal_wlc hwservicemanager_prop:file { open };
+dontaudit hal_wlc hwservicemanager_prop:file { read };
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index e8f13da8..5a5e1176 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -31,4 +31,6 @@ userdebug_or_eng(`
 permissive uwb_vendor_app;
 permissive hal_wifi_ext;
 permissive hal_wlc;
+ permissive init;
+ permissive logd;
 ')
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 19f9af87..8312d43e 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -18,3 +18,5 @@ dontaudit priv_app vendor_file:file { getattr };
 dontaudit priv_app vendor_file:file { map };
 dontaudit priv_app vendor_file:file { open };
 dontaudit priv_app vendor_file:file { read };
+# b/262455954
+dontaudit priv_app euiccpixel_app:binder { call };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index 7b5f543e..7ef08827 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
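Review bot: The `hwservicemanager:binder { call transfer }` and `hwservicemanager_prop:file` entries indicate the HIDL wireless-charger service (labelled hal_wlc_exec in vendor/file_contexts in this same change) is trying to register or look up a HIDL interface without hwbinder permissions, so these look like a missing grant rather than noise: with them silenced the HAL quietly fails to become reachable. I would expect the resolution of b/262455719 to be `hwbinder_use(hal_wlc)` plus `get_prop(hal_wlc, hwservicemanager_prop)` (or the hal_server_domain macro for its HAL attribute, if one exists) rather than a dontaudit. The `self:netlink_kobject_uevent_socket` lines follow the same pattern: if the HAL is meant to listen for uevents, `allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;` is the fix, and the dontaudit only hides that it currently cannot.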
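Review bot: `permissive init;` and `permissive logd;` make two of the most privileged system domains permissive on userdebug/eng builds, which is a far larger change than the other entries in this block: every denial for init (root, and the process that sets up the whole system) is logged but allowed, so userdebug behaviour diverges from user builds exactly where it matters most. This appears to replace the deleted legacy init.te/logd.te allow rules (ram_device, sysfs_scsi_devices_0000, logbuffer_device), which means on user builds those accesses will now simply be denied — worth confirming that is intended. The safer shape is to keep the targeted allow rules (under vendor/ if the legacy directory is going away) and track any leftover denials with dontaudit, and at minimum to add a tracking-bug comment on these two lines the way the other tracking_denials files do.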
@@ -14,3 +14,5 @@ dontaudit system_server hal_usb_gadget_impl:binder { call };
 dontaudit system_server hal_usb_gadget_impl:binder { transfer };
 dontaudit system_server hal_usb_impl:binder { call };
 dontaudit system_server hal_usb_impl:binder { transfer };
+# b/262455682
+dontaudit system_server con_monitor_app:process { setsched };
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 31211f82..5c1fef83 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -11,6 +11,8 @@
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/legacy/whitechapel_pro/mediacodec_google.te b/vendor/mediacodec_google.te
similarity index 53%
rename from legacy/whitechapel_pro/mediacodec_google.te
rename to vendor/mediacodec_google.te
index 21aea333..a2009d64 100644
--- a/legacy/whitechapel_pro/mediacodec_google.te
+++ b/vendor/mediacodec_google.te
@@ -3,22 +3,6 @@ type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mediacodec_google)
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec_google)
-
-hal_server_domain(mediacodec_google, hal_codec2)
-
-# mediacodec_google may use an input surface from a different Codec2 service
-hal_client_domain(mediacodec_google, hal_codec2)
-
-hal_client_domain(mediacodec_google, hal_graphics_allocator)
-
-allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediacodec_google video_device:chr_file rw_file_perms;
-
-crash_dump_fallback(mediacodec_google)
-
 # mediacodec_google should never execute any executable without a domain transition
 neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
@@ -27,4 +11,4 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
-neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
\ No newline at end of file
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/legacy/whitechapel_pro/mediacodec_samsung.te b/vendor/mediacodec_samsung.te
similarity index 51%
rename from legacy/whitechapel_pro/mediacodec_samsung.te
rename to vendor/mediacodec_samsung.te
index 2c5d7ede..8aec0da5 100644
--- a/legacy/whitechapel_pro/mediacodec_samsung.te
+++ b/vendor/mediacodec_samsung.te
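Review bot: After this hunk mediacodec_google keeps its type, init_daemon_domain and the neverallows but loses every allow rule — hal_server_domain/hal_client_domain for hal_codec2, vndbinder_use, the hal_graphics_allocator client rule, the video_device and dmabuf heap device access, and crash_dump_fallback — while the same change labels google.hardware.media.c2@2.0-service with mediacodec_google_exec in vendor/file_contexts. Unless those rules are now supplied by a policy directory outside this diff, the codec service will start in a domain that cannot register or serve Codec2, and without crash_dump_fallback a crash in it may no longer produce a tombstone. Keeping the neverallows in the device policy is the right call; I would add a header comment saying where the runtime rules now live, e.g. `# Allow rules for this domain are provided elsewhere (shared codec policy); only the device neverallows are kept here.`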
@@ -2,26 +2,6 @@ type mediacodec_samsung, domain;
 type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(mediacodec_samsung)
-hal_server_domain(mediacodec_samsung, hal_codec2)
-add_service(mediacodec_samsung, eco_service)
-
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec_samsung)
-
-allow mediacodec_samsung video_device:chr_file rw_file_perms;
-allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
-
-allow mediacodec_samsung sysfs_mfc:file r_file_perms;
-allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
-
-# can use graphics allocator
-hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
-
-binder_call(mediacodec_samsung, hal_camera_default)
-
-crash_dump_fallback(mediacodec_samsung)
-
 # mediacodec_samsung should never execute any executable without a domain transition
 neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;