set necessary domains to permissive

Bug: 254378739 Test: enforce and boot to home Change-Id: I1dc8f400971e0926dbb2c5c0ac6f0ef99250e067
2023-01-03 13:40:18 +08:00 · 2023-01-03 13:40:18 +08:00 · 97748d82a9
commit 97748d82a9
parent bd992ad2b4
7 changed files with 94 additions and 51 deletions
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@ -3,3 +3,4 @@ dontaudit mediaprovider_app vendor_file:file { getattr };
 dontaudit mediaprovider_app vendor_file:file { map };
 dontaudit mediaprovider_app vendor_file:file { open };
 dontaudit mediaprovider_app vendor_file:file { read };
+permissive mediaprovider_app;
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@ -1 +1,4 @@
+userdebug_or_eng(`
+  permissive odrefresh;
  dontaudit odrefresh property_type:file *;
+')
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  permissive system_suspend;
+')
--- a/tracking_denials/bootdevice_sysdev.te
+++ b/tracking_denials/bootdevice_sysdev.te
@ -1,2 +0,0 @@
-# b/261105238
-dontaudit bootdevice_sysdev sysfs:filesystem { associate };
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@ -1,48 +1,84 @@
 userdebug_or_eng(`
-  permissive pixelstats_vendor;
-  permissive logger_app;
-  permissive fastbootd;
 permissive audioserver;
-  permissive hal_bluetooth_btlinux;
+permissive bootanim;
 permissive bootdevice_sysdev;
 permissive charger_vendor;
 permissive chre;
-  permissive kernel;
-  permissive bootanim;
+permissive citadeld;
+permissive con_monitor_app;
+permissive dumpstate;
+permissive edgetpu_logging;
+permissive euiccpixel_app;
+permissive fastbootd;
+permissive gmscore_app;
+permissive google_camera_app;
+permissive gxp_logging;
+permissive hal_bluetooth_btlinux;
+permissive hal_bootctl_default;
+permissive hal_camera_default;
+permissive hal_confirmationui_default;
+permissive hal_contexthub_default;
+permissive hal_dumpstate_default;
+permissive hal_fingerprint_default;
 permissive hal_graphics_allocator_default;
 permissive hal_graphics_composer_default;
 permissive hal_health_storage_default;
+permissive hal_neuralnetworks_armnn;
+permissive hal_neuralnetworks_darwinn;
+permissive hal_power_default;
 permissive hal_power_stats_default;
-  permissive hal_fingerprint_default;
-  permissive gxp_logging;
-  permissive hal_contexthub_default;
-  permissive hal_sensors_default;
-  permissive recovery;
-  permissive con_monitor_app;
 permissive hal_secure_element_st54spi;
-  permissive ofl_app;
-  permissive hal_thermal_default;
 permissive hal_secure_element_uicc;
+permissive hal_sensors_default;
+permissive hal_thermal_default;
 permissive hal_usb_gadget_impl;
 permissive hal_usb_impl;
-  permissive hal_camera_default;
+permissive hal_uwb_default;
 permissive hal_uwb_vendor_default;
-  permissive google_camera_app;
-  permissive uwb_vendor_app;
+permissive hal_vibrator_default;
 permissive hal_wifi_ext;
+permissive hal_wireless_charger;
 permissive hal_wlc;
+permissive hbmsvmanager_app;
+permissive hwservicemanager;
+permissive incidentd;
 permissive init;
+permissive insmod-sh;
+permissive installd;
+permissive isolated_app;
+permissive kernel;
 permissive logd;
+permissive logger_app;
 permissive mediacodec_google;
 permissive mediacodec_samsung;
+permissive mediaserver;
+permissive mediaswcodec;
+permissive nfc;
+permissive ofl_app;
+permissive pixelstats_vendor;
 permissive platform_app;
-  permissive hbmsvmanager_app;
+permissive priv_app;
+permissive proc_vendor_sched;
+permissive rebalance_interrupts_vendor;
+permissive recovery;
+permissive rild;
 permissive rlsservice;
+permissive secure_element;
+permissive servicemanager;
+permissive shell;
+permissive ssr_detector_app;
+permissive system_app;
 permissive system_server;
 permissive tcpdump_logger;
-  permissive vendor_init;
 permissive tee;
+permissive toolbox;
 permissive trusty_apploader;
 permissive trusty_metricsd;
+permissive untrusted_app;
+permissive untrusted_app_30;
+permissive usbd;
+permissive uwb_vendor_app;
+permissive vendor_init;
 permissive vold;
+permissive zygote;
 ')
--- a/tracking_denials/proc_vendor_sched.te
+++ b/tracking_denials/proc_vendor_sched.te
@ -1,2 +0,0 @@
-# b/260366398
-dontaudit proc_vendor_sched proc:filesystem { associate };
--- a/vendor/file.te
+++ b/vendor/file.te
@ -8,3 +8,7 @@ type sysfs_mfc, sysfs_type, fs_type;

 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
+
+# mount FS
+allow proc_vendor_sched proc:filesystem associate;
+allow bootdevice_sysdev sysfs:filesystem associate;