From 1492b4913adf9ad275c54c73961419cb47bbee08 Mon Sep 17 00:00:00 2001 From: Nattharat Jariyanuntanaet Date: Thu, 15 Aug 2024 13:22:07 +0000 Subject: [PATCH 01/23] Update sepolicy for nfc antenna selftest values Allow persist.vendor.nfc.antenna. to be vendor public values for NFC companion app to access from userdebug or eng builds avc: denied { read } for name="u:object_r:vendor_nfc_antenna_prop:s0" dev="tmpfs" ino=414 scontext=u:r:untrusted_app:s0:c79,c257,c512,c768 tcontext=u:object_r:vendor_nfc_antenna_prop:s0 tclass=file permissive=0 app=com.google.android.apps.internal.nfcassistancetool Bug: 361050657 Test: m selinux_policy Flag: NONE add permission Change-Id: I47c54642dbc801dfcaee8330e75a29d11030337c --- legacy/whitechapel_pro/property.te | 2 ++ legacy/whitechapel_pro/property_contexts | 1 + vendor/hal_nfc_default.te | 6 +++++- 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 7fe48175..ff5ef044 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -1,4 +1,6 @@
+# Vendor
 vendor_internal_prop(vendor_nfc_prop)
+vendor_restricted_prop(vendor_nfc_antenna_prop)
 vendor_internal_prop(vendor_secure_element_prop)
 vendor_internal_prop(vendor_battery_profile_prop)
 vendor_internal_prop(vendor_camera_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index fa5c9170..a4222060 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -3,6 +3,7 @@ persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_pro
 # NFC
 persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+persist.vendor.nfc.antenna. u:object_r:vendor_nfc_antenna_prop:s0
 # SecureElement
 persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index d71d9e28..d4dcf471 100644
--- a/vendor/hal_nfc_default.te
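Review bot: `vendor_restricted_prop(vendor_nfc_antenna_prop)` does not match the commit message, which calls these "vendor public values"; restricted is the narrower and better choice (only domains this tree explicitly grants can read it), so the message should say that rather than inviting someone to later widen the type to match the text. Because the companion rule in hal_nfc_default.te opens this property to app domains on userdebug/eng builds, nothing sensitive (device identifiers, calibration secrets) should ever be written under `persist.vendor.nfc.antenna.`, and a comment at the declaration would record that constraint: `# Antenna self-test results; readable by apps on userdebug/eng builds, keep non-sensitive`. The property_contexts entry is a more specific prefix than the existing `persist.vendor.nfc.` line and, as far as I know, the longest prefix wins, so the split label should apply as intended; a `getprop -Z persist.vendor.nfc.antenna.<key>` on device would confirm it.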
+++ b/vendor/hal_nfc_default.te
@@ -1,5 +1,9 @@
 # HAL NFC property
-get_prop(hal_nfc_default, vendor_nfc_prop)
+set_prop(hal_nfc_default, vendor_nfc_prop)
+set_prop(hal_nfc_default, vendor_nfc_antenna_prop)
+userdebug_or_eng(
+ get_prop(untrusted_app, vendor_nfc_antenna_prop)
+)
 # SecureElement property
 set_prop(hal_nfc_default, vendor_secure_element_prop)
From e6639e9e9fa5b80bc718e6f6431d908a190c2ce0 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Wed, 25 Sep 2024 12:03:44 +0800 Subject: [PATCH 02/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 369475700 Test: scanBugreport Bug: 369475363 Bug: 359428180 Test: scanAvcDeniedLogRightAfterReboot Bug: 369475225 Bug: 359428180 Flag: EXEMPT NDK Change-Id: I154c0c347aa62a5eb262c2a8174ad3b3f2ba03aa --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 48bf2b9d..6fac843c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,6 +1,8 @@
 dump_modem sscoredump_vendor_data_coredump_file dir b/361725982
 dump_modem sscoredump_vendor_data_logcat_file dir b/361725982
 dumpstate app_zygote process b/288049050
+edgetpu_vendor_server shell_data_file dir b/369475225
+edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
 hal_radioext_default radio_vendor_data_file file b/312590044
 hal_vibrator_default default_android_service service_manager b/314054292
@@ -13,6 +15,7 @@ modem_svc_sit hal_radioext_default process b/364446415
 modem_svc_sit modem_ml_svc_sit file b/360060606
 modem_svc_sit modem_ml_svc_sit file b/360060992
 mtectrl unlabeled dir b/264483752
+ramdump ramdump capability b/369475700
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
 system_server sysfs_batteryinfo file b/294967729
From e40a281856c480811821fd3d5f7a48c8c30905cf Mon Sep 17 00:00:00 2001
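Review bot: `get_prop(untrusted_app, vendor_nfc_antenna_prop)` grants the read to every third-party app on userdebug/eng builds, not only the com.google.android.apps.internal.nfcassistancetool package named in the denial, because SELinux cannot scope this by package; that is acceptable only if the antenna self-test values are harmless to disclose, and the message should state that. The macro argument is also not m4-quoted the way the rest of this tree writes it (systemui_app.te and debug_camera_app.te use a backtick after `userdebug_or_eng(` and close with `')`); it happens to work here because `get_prop` expands without top-level commas, but the quoted form is the one the build's other blocks rely on and the one a future edit inside the block will need. Separately, the hunk silently widens hal_nfc_default from `get_prop` to `set_prop` on the whole `vendor_nfc_prop` namespace (`persist.vendor.nfc.*`) and the commit message only says "add permission"; if only the antenna subset needs writing, keep `get_prop(hal_nfc_default, vendor_nfc_prop)` and add `set_prop` for `vendor_nfc_antenna_prop` alone, otherwise say why the HAL now writes the whole namespace.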
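Review bot: The two new `edgetpu_vendor_server shell_data_file dir` entries map one (scontext, tcontext, tclass) triple to two different bugs, b/369475225 and b/369475363; as far as I know the denial metadata lookup attaches a single bug to a matching avc line, so one of the two entries is dead — merge the bugs or keep one line. bug_map entries only annotate denials and exempt them from the boot test; enforcement is unchanged, which is the right outcome here, since a vendor HAL server touching `shell_data_file` (the /data/local/tmp label) looks like a test-harness path that should be fixed in the test rather than ever becoming an allow rule. A short note in the bug saying which path was hit would make that call easier when the entry comes up for removal.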
From: Wilson Sung Date: Wed, 25 Sep 2024 08:36:06 +0000 Subject: [PATCH 03/23] Fix error in systemui when toggling airplane mode avc: denied { read } for name="u:object_r:radio_cdma_ecm_prop:s0" dev="tmpfs" ino=321 scontext=u:r:systemui_app:s0:c3,c257,c512,c768 tcontext=u:object_r:radio_cdma_ecm_prop:s0 tclass=file Bug: 197722115 Bug: 359381748 Test: make selinux_policy Flag: EXEMPT bugfix Change-Id: I96d17e562ac1cc0e0e0597ce332e94be95652026 --- system_ext/private/systemui_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 5a5f9d28..d33ac332 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -1,3 +1,4 @@ +# SEPolicy for System UI typeattribute systemui_app coredomain; app_domain(systemui_app) @@ -19,6 +20,7 @@ allow systemui_app statsmanager_service:service_manager find; get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) get_prop(systemui_app, qemu_hw_prop) +get_prop(systemui_app, radio_cdma_ecm_prop) # Allow writing and removing wmshell protolog in /data/misc/wmtrace. userdebug_or_eng(` From c6822be533fb20dead9e38a3ca89b458e9d01b5d Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 25 Sep 2024 12:40:00 +0000 Subject: [PATCH 04/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 369540836 Test: scanBugreport Bug: 369540673 Bug: 359428180 Test: scanAvcDeniedLogRightAfterReboot Bug: 359428180 Flag: EXEMPT NDK Change-Id: I096e8d513a393d70fc70edf658dcdf7650072c9a --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6fac843c..405e1051 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -15,6 +15,8 @@ modem_svc_sit hal_radioext_default process b/364446415 modem_svc_sit modem_ml_svc_sit file b/360060606 modem_svc_sit modem_ml_svc_sit file b/360060992 mtectrl unlabeled dir b/264483752 +pixelstats_vendor block_device dir b/369540673 +pixelstats_vendor block_device dir b/369540836 ramdump ramdump capability b/369475700 shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729 From f688a56d8e9bcab7081bb76163446466b4dbda26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Tue, 1 Oct 2024 14:48:00 +1000 Subject: [PATCH 05/23] Remove duplicate service entries These entries are defined in the platform policy. Flag: EXEMPT bugfix Bug: 367832910 Test: TH Change-Id: I34e04111d74d0b7b4d9e3e4e359feb1b92b40593 --- vendor/service_contexts | 2 -- 1 file changed, 2 deletions(-) diff --git a/vendor/service_contexts b/vendor/service_contexts index 00cf9c5b..ffa2639b 100644 --- a/vendor/service_contexts +++ b/vendor/service_contexts @@ -3,5 +3,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_ vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 arm.mali.platform.ICompression/default u:object_r:arm_mali_platform_service:s0 - -android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0 From ce7cdaa39fe568000763a3a4c73e02ac405bfe34 Mon Sep 17 00:00:00 2001 From: Ben Murdoch Date: Thu, 3 Oct 2024 15:01:54 +0000 Subject: [PATCH 06/23] Allow systemui_app to set 'debug.tracing.desktop_mode_visible_tasks' system property See also: Iad8dc7a66765856ee7affb707f2dba6c1bbfbf49 Bug: 363893429 Flag: EXEMPT, SEPolicy Test: Verified on device. Change-Id: I4916370be55d4d5fd5c53ac5418b8a2bd99e9b37 --- system_ext/private/systemui_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index d33ac332..3b8dadfd 100644 --- a/system_ext/private/systemui_app.te 
+++ b/system_ext/private/systemui_app.te
@@ -27,3 +27,4 @@ userdebug_or_eng(`
 allow systemui_app wm_trace_data_file:dir rw_dir_perms;
 allow systemui_app wm_trace_data_file:file create_file_perms;
 ')
+set_prop(systemui_app, debug_tracing_desktop_mode_visible_tasks_prop)
From d898a7a7875a6434f856fa749fff9d79b031cdef Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Tue, 8 Oct 2024 11:25:58 +0800 Subject: [PATCH 07/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 372121912 Test: scanBugreport Bug: 359428180 Test: scanAvcDeniedLogRightAfterReboot Bug: 359428180 Flag: EXEMPT NDK Change-Id: I88cf70ace59b6ca4cf66a4b0ffaf3bc8220f932b --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 405e1051..a7f7b3b3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -17,6 +17,8 @@ modem_svc_sit modem_ml_svc_sit file b/360060992
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor block_device dir b/369540673
 pixelstats_vendor block_device dir b/369540836
+platform_app vendor_fw_file dir b/372121912
+platform_app vendor_rild_prop file b/372121912
 ramdump ramdump capability b/369475700
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
From a6eb3139feba64f934a5e1242adf9b0d163fe470 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Wed, 9 Oct 2024 11:05:01 +0800 Subject: [PATCH 08/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 372348756 Bug: 372348383 Bug: 372348502 Flag: EXEMPT NDK Change-Id: I126496a25529a73293430c9a1e7009e82b161331 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index a7f7b3b3..104567da 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
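Review bot: `set_prop(systemui_app, debug_tracing_desktop_mode_visible_tasks_prop)` lands immediately after the `')` that closes the userdebug_or_eng block and is therefore unconditional, so System UI can write this `debug.tracing.*` property on user builds as well; if that is intended (the message only says it is needed) one line saying why would help, otherwise move it inside the userdebug_or_eng block next to the wmshell protolog rules. Every other rule in this file carries a comment naming what it is for; add one here, e.g. `# Publish desktop-mode visible task count for tracing (debug.tracing.desktop_mode_visible_tasks)`. The property type itself is not declared in this tree, so this CL only builds once the platform change the message references has landed, and that ordering should be stated.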
@@ -4,6 +4,9 @@ dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
+hal_camera_default cgroup_desc_file file b/372348756
+hal_graphics_composer_default cgroup_desc_file file b/372348383
+hal_power_default cgroup_desc_file file b/372348502
 hal_radioext_default radio_vendor_data_file file b/312590044
 hal_vibrator_default default_android_service service_manager b/314054292
 hal_vibrator_default default_android_service service_manager b/367943515
From c2660d9ba428938e88f296b72981a7bc6a17f8ec Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Wed, 2 Oct 2024 04:01:42 +0000 Subject: [PATCH 09/23] modem_svc: use shared_modem_platform to replace all modem_svc_sit Bug: 368257019 Flag: NONE local testing only Change-Id: I9a9ff83d2bf3cf55b4c8806d808efde03ca2de70 --- radio/file_contexts | 2 +- radio/modem_svc_sit.te | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/radio/file_contexts b/radio/file_contexts
index d4f29be0..ed9c2201 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -6,13 +6,13 @@
 /vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
-/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0
+/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 # Config files
 /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0
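Review bot: `/vendor/bin/shared_modem_platform` is labeled `modem_svc_sit_exec`, so the new binary runs in the existing modem_svc_sit domain with everything that domain has accumulated (this tree's bug_map still tracks modem_svc_sit denials against hal_radioext_default and modem_ml_svc_sit), while the domain and type names no longer match the binary on disk. If this really is the same daemon renamed, say so next to the entry so a grep for the binary name finds its policy: `# shared_modem_platform replaces modem_svc_sit and keeps the modem_svc_sit domain`; if it is a new service, give it its own `_exec` type and domain so `init_daemon_domain` carries only what it needs. The line is also placed after copy_efs_files_to_data instead of where the removed modem_svc_sit entry sat, which makes the diff read as an addition plus an unrelated deletion rather than the rename the subject describes.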
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index 2b348743..fb77bf80 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@@ -1,3 +1,4 @@
+# Selinux rule for modem_svc_sit daemon
 type modem_svc_sit, domain;
 type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(modem_svc_sit)
@@ -37,6 +38,9 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
+# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
+hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+
 # Write trace data to the Perfetto traced daemon. This requires connecting to
 # its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(modem_svc_sit)
From bf1d975910090602252572360bba460c869ee5d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 15 Oct 2024 06:20:12 +0000 Subject: [PATCH 10/23] Revert "Update SELinux error" This reverts commit a6eb3139feba64f934a5e1242adf9b0d163fe470. Reason for revert: Caused by b/372273614, relevant CL was reverted Fix: 372348756 Change-Id: I1ca54668c33b80d5139526f6ecf8dd65864787e4 --- tracking_denials/bug_map | 3 --- 1 file changed, 3 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 104567da..a7f7b3b3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
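Review bot: `hal_server_domain(modem_svc_sit, hal_shared_modem_platform)` only compiles if the `hal_shared_modem_platform` attribute and its `_server`/`_client` companions are declared somewhere in the merged policy; nothing in this CL declares them, and the later commit in this series that moves these rules to gs-common suggests that is where they live, so the dependency and its change should be named in the message rather than "Flag: NONE local testing only". The macro grants the binder/hwbinder server side but no service label: an AIDL instance registered by this daemon also needs a `service_contexts` entry and an `add` rule on a dedicated service type, otherwise the registration lands on `default_android_service` and surfaces as yet another tracked denial. The comment would be more useful if it gave the fully qualified interface and instance name being registered and pointed at the file that defines the attribute.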
@@ -4,9 +4,6 @@ dumpstate app_zygote process b/288049050 edgetpu_vendor_server shell_data_file dir b/369475225 edgetpu_vendor_server shell_data_file dir b/369475363 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 -hal_camera_default cgroup_desc_file file b/372348756 -hal_graphics_composer_default cgroup_desc_file file b/372348383 -hal_power_default cgroup_desc_file file b/372348502 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 hal_vibrator_default default_android_service service_manager b/367943515 From 139f5304a3655b25887ba271cd7bc1fbb25a2619 Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Tue, 29 Oct 2024 21:24:15 +0000 Subject: [PATCH 11/23] Revert^3 "Add udc sysfs to udc_sysfs fs context" 371f678632b6b155cb2261e2bccbf1eb098af104 Bug: 339241080 Change-Id: Ia1355fca00339bce7ba5554680b62509558c2b4f --- vendor/genfs_contexts | 3 --- vendor/hal_usb_impl.te | 3 --- 2 files changed, 6 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 78f6cee2..f43bce14 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -255,9 +255,6 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca9 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -is_flag_enabled(RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED, ` -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0 -') genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1 u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 7c320b65..3d89a09f 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -20,9 +20,6 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; -is_flag_enabled(RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED, ` -allow hal_usb_impl sysfs_udc:file r_file_perms; -') # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; From 6f1672a38702773f7724f8f161857e13fe1808bb Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 31 Oct 2024 14:18:03 +0800 Subject: [PATCH 12/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 376602341 Flag: EXEMPT NDK Change-Id: I6b3a9d802022ace579de13dc03e1738ee31f7b6f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a7f7b3b3..2483e1ef 100644 --- a/tracking_denials/bug_map 
+++ b/tracking_denials/bug_map
@@ -4,6 +4,7 @@ dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
+hal_fingerprint_default default_android_service service_manager b/376602341
 hal_radioext_default radio_vendor_data_file file b/312590044
 hal_vibrator_default default_android_service service_manager b/314054292
 hal_vibrator_default default_android_service service_manager b/367943515
From 5515229d16b6ba72ed1f4c9035452b41b5073f29 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 11:44:02 +0800 Subject: [PATCH 13/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379207041 Bug: 379207101 Flag: EXEMPT NDK Change-Id: Icf0da01e2bcf1f57d9048ac601a94d04db00e754 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 2483e1ef..8cedf39b 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -10,6 +10,7 @@ hal_vibrator_default default_android_service service_manager b/314054292
 hal_vibrator_default default_android_service service_manager b/367943515
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
+init init capability b/379207041
 insmod-sh insmod-sh key b/274374722
 kernel dm_device blk_file b/319403445
 modem_svc_sit hal_radioext_default process b/364446415
@@ -34,3 +35,4 @@ vendor_init default_prop file b/323087490
 vendor_init default_prop property_service b/315104235
 vendor_init default_prop property_service b/359428180
 vendor_init vendor_volte_mif_off property_service b/316816642
+zygote zygote capability b/379207101
From 80c32be9f1ad7edeaa77e08ab7e63b7ba890f724 Mon Sep 17 00:00:00 2001
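Review bot: `hal_fingerprint_default default_android_service service_manager` records a lookup of an unlabeled AIDL service; `default_android_service` is the fallback label for any name missing from service_contexts, so the durable fix is to label the fingerprint HAL's instance in `vendor/service_contexts`, not to keep the denial tracked (the entry is removed again later in this series as closed, which is consistent with that). While it is tracked, the line also covers every other unlabeled service the fingerprint HAL may try to find, so the bug should record the service name from the avc line.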
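Review bot: `init init capability b/379207041` (and `zygote zygote capability b/379207101` in the next hunk) key on the `capability` class only, so from now on any capability denial raised by init or zygote, not just the one observed, is attributed to these bugs and passes SELinuxUncheckedDenialBootTest silently. Record the specific capability from the avc line's `{ ... }` permission in the bug and in the commit message so the entry can be retired against a concrete fix. Both are platform domains, so the real fix almost certainly belongs in system/sepolicy or the kernel change that triggered it rather than in a device bug_map; treat these two lines as short-lived.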
From: Nina Chen Date: Fri, 15 Nov 2024 18:29:14 +0800 Subject: [PATCH 14/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379245855 Bug: 379246064 Bug: 379245771 Bug: 379245754 Change-Id: I2b8b5c74f406d59e5ac17280e365dd6733100719 --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 8cedf39b..d271d27e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +bluetooth audio_config_prop file b/379245855 dump_modem sscoredump_vendor_data_coredump_file dir b/361725982 dump_modem sscoredump_vendor_data_logcat_file dir b/361725982 dumpstate app_zygote process b/288049050 @@ -21,6 +22,8 @@ pixelstats_vendor block_device dir b/369540673 pixelstats_vendor block_device dir b/369540836 platform_app vendor_fw_file dir b/372121912 platform_app vendor_rild_prop file b/372121912 +priv_app audio_config_prop file b/379246064 +radio audio_config_prop file b/379245771 ramdump ramdump capability b/369475700 shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729 @@ -28,6 +31,7 @@ system_server sysfs_batteryinfo file b/294967729 system_server vendor_default_prop file b/366116488 system_suspend sysfs_batteryinfo dir b/317316633 system_suspend sysfs_touch_gti dir b/350832258 +untrusted_app audio_config_prop file b/379245754 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323087197 From 41e0d7662d9983ac92825b8136256e974b30065a Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Sun, 20 Oct 2024 15:59:22 +0000 Subject: [PATCH 15/23] modem_svc: move shared_modem_platform related sepolicy to gs-common Bug: 372400955 Flag: NONE local testing only Change-Id: I5502d8aeae7ca11b301bb8183201cf8294c811f9 --- radio/file_contexts | 1 - radio/modem_svc_sit.te | 3 --- zuma-sepolicy.mk | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-) 
diff --git a/radio/file_contexts b/radio/file_contexts index ed9c2201..e02a1aa1 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,7 +12,6 @@ /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 -/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index fb77bf80..3f225310 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -38,9 +38,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) -# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. -hal_server_domain(modem_svc_sit, hal_shared_modem_platform) - # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index abfaa288..56502eba 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk @@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zuma BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor -BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio +BOARD_VENDOR_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private # unresolved SELinux error log with bug tracking From 9880272db8b17397166c8e19e946c6301b471c7e Mon Sep 17 00:00:00 2001 
From: "Liana Kazanova (xWF)" Date: Thu, 21 Nov 2024 17:53:56 +0000 Subject: [PATCH 16/23] Revert "modem_svc: move shared_modem_platform related sepolicy t..." Revert submission 30519089-move_modem_sepolicy Reason for revert: DroidMonitor: Potential culprit for http://b/380274930 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted. Reverted changes: /q/submissionid:30519089-move_modem_sepolicy Change-Id: I7fc88068835f662d1f1827488089f5898e88ff9d --- radio/file_contexts | 1 + radio/modem_svc_sit.te | 3 +++ zuma-sepolicy.mk | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/radio/file_contexts b/radio/file_contexts index e02a1aa1..ed9c2201 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,6 +12,7 @@ /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 +/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3f225310..fb77bf80 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -38,6 +38,9 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) +# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. +hal_server_domain(modem_svc_sit, hal_shared_modem_platform) + # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index 56502eba..abfaa288 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk 
@@ -1,6 +1,6 @@
 # sepolicy that are shared among devices using zuma
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private
 # unresolved SELinux error log with bug tracking
From 3c17e28269fc7545691075290631baf72dce0606 Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Thu, 21 Nov 2024 22:25:31 +0000 Subject: [PATCH 17/23] Add udc sysfs to udc_sysfs fs context Meeded for system server to monitor usb gadget state. Grant hal_usb_impl read access as it's needed by UsbDataSessionMonitor. Starting at board level api 202504 due to its dependency on aosp/3337514 10956 10956 W android.hardwar: type=1400 audit(0.0:327): avc: denied { read } for name="state" dev="sysfs" ino=84394 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_udc:s0 tclass=file permissive=0 Bug: 339241080 Test: tested on Shiba Flag: android.hardware.usb.flags.enable_udc_sysfs_usb_state_update Change-Id: Ied2d669df74a2f71771e672e27327b60e7687168 --- vendor/genfs_contexts | 5 +++++ vendor/hal_usb_impl.te | 3 +++ 2 files changed, 8 insertions(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 4384177d..4b6ad96f 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -346,3 +346,8 @@ genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u
 # CPU
 genfscon sysfs /kernel/metrics/cpuidle_histogram/cpuidle_histogram u:object_r:sysfs_cpu:s0
 genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:object_r:sysfs_cpu:s0
+
+# USB
+starting_at_board_api(202504, `
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0
+')
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
index 3d89a09f..2e8652ea 100644
--- a/vendor/hal_usb_impl.te
+++ b/vendor/hal_usb_impl.te
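Review bot: The new `# USB` block is appended after the `# CPU` entries at the very end of genfs_contexts, while the other `11210000.usb/11210000.dwc3` labels (the wakeup entries that the earlier revert in this series left in place) sit in a different part of the file; keep the `udc/.../state` rule next to them so the device's USB sysfs labeling can be reviewed in one place. Only the `state` file is relabeled to `sysfs_udc` and the `udc/11210000.dwc3` directory keeps the generic sysfs label, which is fine for a read-only consumer but worth saying so the next reader does not assume the whole udc subtree is `sysfs_udc`: `# Only the gadget state file; parent directories stay generic sysfs`. The commit message also has a typo (`Meeded` for `Needed`).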
@@ -20,6 +20,9 @@ hal_client_domain(hal_usb_impl, hal_thermal);
 # For monitoring usb sysfs attributes
 allow hal_usb_impl sysfs_wakeup:dir search;
 allow hal_usb_impl sysfs_wakeup:file r_file_perms;
+starting_at_board_api(202504, `
+allow hal_usb_impl sysfs_udc:file r_file_perms;
+')
 # For metrics upload
 allow hal_usb_impl fwk_stats_service:service_manager find;
From b7ab33d8292670bab4d1f304bcbf50c5e490f54d Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Mon, 25 Nov 2024 10:46:57 +0800 Subject: [PATCH 18/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 380756119 Flag: EXEMPT NDK Change-Id: I252d772efcdc0b27467c6de41c685fb903e5a62d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index d271d27e..143919d1 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -20,6 +20,7 @@ modem_svc_sit modem_ml_svc_sit file b/360060992
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor block_device dir b/369540673
 pixelstats_vendor block_device dir b/369540836
+platform_app radio_vendor_data_file dir b/380756119
 platform_app vendor_fw_file dir b/372121912
 platform_app vendor_rild_prop file b/372121912
 priv_app audio_config_prop file b/379246064
From 9f5ced11341b144404a998577c08325af4695976 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 28 Nov 2024 10:56:21 +0800 Subject: [PATCH 19/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 381326735 Flag: EXEMPT sepolicy Change-Id: I8381703d4a44d7bce9ead55437e269684f0d5530 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 143919d1..76bc38cb 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,4 @@
+aconfigd apex_info_file file b/381326735
 bluetooth audio_config_prop file b/379245855
 dump_modem sscoredump_vendor_data_coredump_file dir b/361725982
 dump_modem sscoredump_vendor_data_logcat_file dir b/361725982
From 9f0f02d33e61a7ebefbf744b2dadf820443939e6 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 5 Dec 2024 10:49:18 +0800 Subject: [PATCH 20/23] Update SELinux error Remove b/376602341, b/314054292 and b/367943515 as they are closed Flag: EXEMPT sepolicy Test: SELinuxUncheckedDenialBootTest Bug: 382362125 Change-Id: I7911102a96cdb602fecf8dae5f87c41448b7e6ba --- tracking_denials/bluetooth.te | 2 ++ tracking_denials/bug_map | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) create mode 100644 tracking_denials/bluetooth.te
diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te
new file mode 100644
index 00000000..203d58a4
--- /dev/null
+++ b/tracking_denials/bluetooth.te
@@ -0,0 +1,2 @@
+# b/382362125
+dontaudit bluetooth default_android_service:service_manager { find };
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 76bc38cb..bc90c7c2 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,10 +6,7 @@ dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
-hal_fingerprint_default default_android_service service_manager b/376602341
 hal_radioext_default radio_vendor_data_file file b/312590044
-hal_vibrator_default default_android_service service_manager b/314054292
-hal_vibrator_default default_android_service service_manager b/367943515
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 init init capability b/379207041
From 1b7a5a0078d63f2a874d13d65cb8e231d3ba16bd Mon Sep 17 00:00:00 2001
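Review bot: `dontaudit bluetooth default_android_service:service_manager { find };` silences the lookup of any unlabeled service by the bluetooth domain, not just the one behind b/382362125, so a future mislabeled service is hidden instead of surfaced in the boot test. `default_android_service` is the fallback for names missing from service_contexts; the durable fix is to label that service, and the dontaudit should carry its removal condition rather than a bare bug id: `# b/382362125: TODO remove once the service is labeled in service_contexts`. Unlike the bug_map entries elsewhere in this directory, this rule changes what is logged on every build, so it deserves the same "remove when closed" discipline the bug_map cleanup in this very commit applies.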
From: Dinesh Yadav Date: Fri, 6 Dec 2024 03:53:02 +0000 Subject: [PATCH 21/23] Allow tachyon service to make binder calls to GCA This permission is needed for tachyon service to call callbacks. AVC Error seen when tachyon tries accessing GCA: 12-02 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0 12-03 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0 Bug: 381787911 Flag: EXEMPT updates device sepolicy only Change-Id: I5544fbc11cea0d98dfdeffd9d2871fc037d87c61 --- vendor/debug_camera_app.te | 4 ++++ vendor/google_camera_app.te | 3 +++ 2 files changed, 7 insertions(+)
diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
index 86394cf5..6474cb11 100644
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@@ -1,3 +1,4 @@
+# File containing sepolicies for GCA-Eng & GCA-Next.
 userdebug_or_eng(`
 # Allows GCA-Eng & GCA-Next access the GXP device and properties.
 allow debug_camera_app gxp_device:chr_file rw_file_perms;
@@ -9,4 +10,7 @@ userdebug_or_eng(`
 # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
 allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
+
+ # Allow tachyon_service to communicate with GCA-Eng via binder.
+ binder_call(edgetpu_tachyon_server, debug_camera_app);
 ')
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index c572c26e..05aff08a 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -8,3 +8,6 @@ allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }
 # Allows GCA to access the hw_jpeg /dev/video12.
 allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+
+# Allow tachyon service to communicate with google_camera_app via binder.
+binder_call(edgetpu_tachyon_server, google_camera_app);
From 4b9ca7c0a74394ebcc50348847374aefd4878192 Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Sun, 8 Dec 2024 04:44:23 +0000 Subject: [PATCH 22/23] modem_svc: move shared_modem_platform related sepolicy to gs-common Bug: 372400955 Change-Id: I3570cf0e90ceebc1ac6d19850e53df6c721b0020 Flag: NONE local testing only --- radio/file_contexts | 1 - radio/modem_svc_sit.te | 3 --- zuma-sepolicy.mk | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/radio/file_contexts b/radio/file_contexts
index ed9c2201..e02a1aa1 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -12,7 +12,6 @@
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0
-/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 # Config files
 /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index fb77bf80..3f225310 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@@ -38,9 +38,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
-# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
-hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
-
 # Write trace data to the Perfetto traced daemon. This requires connecting to
 # its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(modem_svc_sit)
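Review bot: `binder_call(edgetpu_tachyon_server, google_camera_app)` lets a vendor daemon initiate binder transactions into an app domain on all builds, the opposite direction from the app-to-HAL rules this file otherwise holds; the comment should name the AIDL callback interface the app registers and why the server must call it, e.g. `# Tachyon invokes the callback binder GCA registered with it; server-to-app direction only`. Because the rule lives in the target's .te rather than beside edgetpu_tachyon_server's own rules (defined outside this CL), anyone auditing what the tachyon server can reach will miss it, so a cross-reference comment in that domain's file would help. The denials quoted in the message only show the call was attempted; they do not show it is permitted by the platform's vendor-to-core binder neverallows (app domains are exempted as far as I recall), so `m selinux_policy` should be listed as the test rather than "Verified on device" alone.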
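Review bot: Removing `/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0` leaves the binary labeled as plain `vendor_file` unless the replacement entry in gs-common is in the same build; with no exec label there is no transition into modem_svc_sit and init should refuse to start the service (it logs a missing domain transition), which is presumably why the first attempt at this change was reverted earlier in this series as a potential culprit for b/380274930. Name the gs-common change in the message and land the two halves as one topic, and consider leaving a pointer in this file so the next reader knows where the label went: `# shared_modem_platform is labeled in gs-common`. "Flag: NONE local testing only" also does not say what changed since the revert, which is the one thing a reviewer of a re-land needs to know.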
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index abfaa288..56502eba 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -1,6 +1,6 @@
 # sepolicy that are shared among devices using zuma
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor
-BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private
 # unresolved SELinux error log with bug tracking
From b81b3428d8fa8c761fd2cc2fe3c6ed8b0123e5a8 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Mon, 9 Dec 2024 11:25:59 +0800 Subject: [PATCH 23/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 383013471 Flag: EXEMPT sepolicy Change-Id: Ia8c27c5031bb14d77f581b4569a8d39a5613244f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bc90c7c2..cfb0d77a 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,6 +6,7 @@ dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
+hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_radioext_default radio_vendor_data_file file b/312590044
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
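Review bot: The radio dir moves to `BOARD_VENDOR_SEPOLICY_DIRS` while the vendor dir on the line above stays on `BOARD_SEPOLICY_DIRS`, and the commit message ("move shared_modem_platform related sepolicy to gs-common") does not mention the makefile at all. As far as I know both variables feed the vendor policy build, so this is probably a no-op rename, but mixing them on adjacent lines invites a reader to assume a difference in where the policy lands; either switch both lines or neither, and state in the message which variable the build now expects. If there is a real reason radio must be on the newer variable (for example a dependency in gs-common's own .mk), a one-line comment above the line saying so would stop the next person from "fixing" it back.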