From 5515229d16b6ba72ed1f4c9035452b41b5073f29 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 11:44:02 +0800 Subject: [PATCH 01/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379207041 Bug: 379207101 Flag: EXEMPT NDK Change-Id: Icf0da01e2bcf1f57d9048ac601a94d04db00e754 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2483e1ef..8cedf39b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -10,6 +10,7 @@ hal_vibrator_default default_android_service service_manager b/314054292 hal_vibrator_default default_android_service service_manager b/367943515 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 +init init capability b/379207041 insmod-sh insmod-sh key b/274374722 kernel dm_device blk_file b/319403445 modem_svc_sit hal_radioext_default process b/364446415 @@ -34,3 +35,4 @@ vendor_init default_prop file b/323087490 vendor_init default_prop property_service b/315104235 vendor_init default_prop property_service b/359428180 vendor_init vendor_volte_mif_off property_service b/316816642 +zygote zygote capability b/379207101 From 80c32be9f1ad7edeaa77e08ab7e63b7ba890f724 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 18:29:14 +0800 Subject: [PATCH 02/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379245855 Bug: 379246064 Bug: 379245771 Bug: 379245754 Change-Id: I2b8b5c74f406d59e5ac17280e365dd6733100719 --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 8cedf39b..d271d27e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +bluetooth audio_config_prop file b/379245855 dump_modem sscoredump_vendor_data_coredump_file dir b/361725982 dump_modem sscoredump_vendor_data_logcat_file dir b/361725982 dumpstate app_zygote process b/288049050 
@@ -21,6 +22,8 @@ pixelstats_vendor block_device dir b/369540673 pixelstats_vendor block_device dir b/369540836 platform_app vendor_fw_file dir b/372121912 platform_app vendor_rild_prop file b/372121912 +priv_app audio_config_prop file b/379246064 +radio audio_config_prop file b/379245771 ramdump ramdump capability b/369475700 shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729 @@ -28,6 +31,7 @@ system_server sysfs_batteryinfo file b/294967729 system_server vendor_default_prop file b/366116488 system_suspend sysfs_batteryinfo dir b/317316633 system_suspend sysfs_touch_gti dir b/350832258 +untrusted_app audio_config_prop file b/379245754 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323087197 From 41e0d7662d9983ac92825b8136256e974b30065a Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Sun, 20 Oct 2024 15:59:22 +0000 Subject: [PATCH 03/18] modem_svc: move shared_modem_platform related sepolicy to gs-common Bug: 372400955 Flag: NONE local testing only Change-Id: I5502d8aeae7ca11b301bb8183201cf8294c811f9 --- radio/file_contexts | 1 - radio/modem_svc_sit.te | 3 --- zuma-sepolicy.mk | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-) diff --git a/radio/file_contexts b/radio/file_contexts index ed9c2201..e02a1aa1 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,7 +12,6 @@ /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 -/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index fb77bf80..3f225310 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te 
@@ -38,9 +38,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) -# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. -hal_server_domain(modem_svc_sit, hal_shared_modem_platform) - # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index abfaa288..56502eba 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk @@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zuma BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor -BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio +BOARD_VENDOR_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private # unresolved SELinux error log with bug tracking From 9880272db8b17397166c8e19e946c6301b471c7e Mon Sep 17 00:00:00 2001 From: "Liana Kazanova (xWF)" Date: Thu, 21 Nov 2024 17:53:56 +0000 Subject: [PATCH 04/18] Revert "modem_svc: move shared_modem_platform related sepolicy t..." Revert submission 30519089-move_modem_sepolicy Reason for revert: DroidMonitor: Potential culprit for http://b/380274930 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted. Reverted changes: /q/submissionid:30519089-move_modem_sepolicy Change-Id: I7fc88068835f662d1f1827488089f5898e88ff9d --- radio/file_contexts | 1 + radio/modem_svc_sit.te | 3 +++ zuma-sepolicy.mk | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/radio/file_contexts b/radio/file_contexts index e02a1aa1..ed9c2201 100644 --- a/radio/file_contexts +++ b/radio/file_contexts 
@@ -12,6 +12,7 @@ /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 +/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3f225310..fb77bf80 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -38,6 +38,9 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) +# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. +hal_server_domain(modem_svc_sit, hal_shared_modem_platform) + # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index 56502eba..abfaa288 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk @@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zuma BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor -BOARD_VENDOR_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio +BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private # unresolved SELinux error log with bug tracking From 3c17e28269fc7545691075290631baf72dce0606 Mon Sep 17 00:00:00 2001 
From: Roy Luo Date: Thu, 21 Nov 2024 22:25:31 +0000 Subject: [PATCH 05/18] Add udc sysfs to udc_sysfs fs context Meeded for system server to monitor usb gadget state. Grant hal_usb_impl read access as it's needed by UsbDataSessionMonitor. Starting at board level api 202504 due to its dependency on aosp/3337514 10956 10956 W android.hardwar: type=1400 audit(0.0:327): avc: denied { read } for name="state" dev="sysfs" ino=84394 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_udc:s0 tclass=file permissive=0 Bug: 339241080 Test: tested on Shiba Flag: android.hardware.usb.flags.enable_udc_sysfs_usb_state_update Change-Id: Ied2d669df74a2f71771e672e27327b60e7687168 --- vendor/genfs_contexts | 5 +++++ vendor/hal_usb_impl.te | 3 +++ 2 files changed, 8 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4384177d..4b6ad96f 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -346,3 +346,8 @@ genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u # CPU genfscon sysfs /kernel/metrics/cpuidle_histogram/cpuidle_histogram u:object_r:sysfs_cpu:s0 genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:object_r:sysfs_cpu:s0 + +# USB +starting_at_board_api(202504, ` +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0 +') diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 3d89a09f..2e8652ea 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -20,6 +20,9 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; +starting_at_board_api(202504, ` +allow hal_usb_impl sysfs_udc:file r_file_perms; +') # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; From b7ab33d8292670bab4d1f304bcbf50c5e490f54d Mon Sep 17 00:00:00 2001 
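Review bot: The `starting_at_board_api(202504, ...)` guards in both files are justified only in the commit message (the dependency on aosp/3337514, which presumably is where the sysfs_udc type is introduced); the files themselves give no reason, so whoever later bumps or removes the guard has nothing to go on. Suggest a comment above each guard, e.g. `# sysfs_udc is only defined by platform policy from board API 202504 (aosp/3337514).` The message also says system_server needs to monitor this state, but only hal_usb_impl is granted here; if system_server's access comes from platform policy, saying so in the same comment closes the gap.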
From: Nina Chen Date: Mon, 25 Nov 2024 10:46:57 +0800 Subject: [PATCH 06/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 380756119 Flag: EXEMPT NDK Change-Id: I252d772efcdc0b27467c6de41c685fb903e5a62d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d271d27e..143919d1 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -20,6 +20,7 @@ modem_svc_sit modem_ml_svc_sit file b/360060992 mtectrl unlabeled dir b/264483752 pixelstats_vendor block_device dir b/369540673 pixelstats_vendor block_device dir b/369540836 +platform_app radio_vendor_data_file dir b/380756119 platform_app vendor_fw_file dir b/372121912 platform_app vendor_rild_prop file b/372121912 priv_app audio_config_prop file b/379246064 From 9f5ced11341b144404a998577c08325af4695976 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 28 Nov 2024 10:56:21 +0800 Subject: [PATCH 07/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 381326735 Flag: EXEMPT sepolicy Change-Id: I8381703d4a44d7bce9ead55437e269684f0d5530 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 143919d1..76bc38cb 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +aconfigd apex_info_file file b/381326735 bluetooth audio_config_prop file b/379245855 dump_modem sscoredump_vendor_data_coredump_file dir b/361725982 dump_modem sscoredump_vendor_data_logcat_file dir b/361725982 From 9f0f02d33e61a7ebefbf744b2dadf820443939e6 Mon Sep 17 00:00:00 2001 
From: Nina Chen Date: Thu, 5 Dec 2024 10:49:18 +0800 Subject: [PATCH 08/18] Update SELinux error Remove b/376602341, b/314054292 and b/367943515 as they are closed Flag: EXEMPT sepolicy Test: SELinuxUncheckedDenialBootTest Bug: 382362125 Change-Id: I7911102a96cdb602fecf8dae5f87c41448b7e6ba --- tracking_denials/bluetooth.te | 2 ++ tracking_denials/bug_map | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) create mode 100644 tracking_denials/bluetooth.te diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te new file mode 100644 index 00000000..203d58a4 --- /dev/null +++ b/tracking_denials/bluetooth.te @@ -0,0 +1,2 @@ +# b/382362125 +dontaudit bluetooth default_android_service:service_manager { find }; diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 76bc38cb..bc90c7c2 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,10 +6,7 @@ dumpstate app_zygote process b/288049050 edgetpu_vendor_server shell_data_file dir b/369475225 edgetpu_vendor_server shell_data_file dir b/369475363 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 -hal_fingerprint_default default_android_service service_manager b/376602341 hal_radioext_default radio_vendor_data_file file b/312590044 -hal_vibrator_default default_android_service service_manager b/314054292 -hal_vibrator_default default_android_service service_manager b/367943515 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 init init capability b/379207041 From 1b7a5a0078d63f2a874d13d65cb8e231d3ba16bd Mon Sep 17 00:00:00 2001 
From: Dinesh Yadav Date: Fri, 6 Dec 2024 03:53:02 +0000 Subject: [PATCH 09/18] Allow tachyon service to make binder calls to GCA This permission is needed for tachyon service to call callbacks. AVC Error seen when tachyon tries accessing GCA: 12-02 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0 12-03 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0 Bug: 381787911 Flag: EXEMPT updates device sepolicy only Change-Id: I5544fbc11cea0d98dfdeffd9d2871fc037d87c61 --- vendor/debug_camera_app.te | 4 ++++ vendor/google_camera_app.te | 3 +++ 2 files changed, 7 insertions(+) diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index 86394cf5..6474cb11 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -1,3 +1,4 @@ +# File containing sepolicies for GCA-Eng & GCA-Next. userdebug_or_eng(` # Allows GCA-Eng & GCA-Next access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; @@ -9,4 +10,7 @@ userdebug_or_eng(` # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12. allow debug_camera_app hw_jpg_device:chr_file rw_file_perms; + + # Allow tachyon_service to communicate with GCA-Eng via binder. + binder_call(edgetpu_tachyon_server, debug_camera_app); ') diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index c572c26e..05aff08a 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
@@ -8,3 +8,6 @@ allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map } # Allows GCA to access the hw_jpeg /dev/video12. allow google_camera_app hw_jpg_device:chr_file rw_file_perms; + +# Allow tachyon service to communicate with google_camera_app via binder. +binder_call(edgetpu_tachyon_server, google_camera_app); From 4b9ca7c0a74394ebcc50348847374aefd4878192 Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Sun, 8 Dec 2024 04:44:23 +0000 Subject: [PATCH 10/18] modem_svc: move shared_modem_platform related sepolicy to gs-common Bug: 372400955 Change-Id: I3570cf0e90ceebc1ac6d19850e53df6c721b0020 Flag: NONE local testing only --- radio/file_contexts | 1 - radio/modem_svc_sit.te | 3 --- zuma-sepolicy.mk | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-) diff --git a/radio/file_contexts b/radio/file_contexts index ed9c2201..e02a1aa1 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,7 +12,6 @@ /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 -/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index fb77bf80..3f225310 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -38,9 +38,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) -# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. -hal_server_domain(modem_svc_sit, hal_shared_modem_platform) - # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) 
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index abfaa288..56502eba 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk @@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zuma BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor -BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio +BOARD_VENDOR_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private # unresolved SELinux error log with bug tracking From b81b3428d8fa8c761fd2cc2fe3c6ed8b0123e5a8 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Mon, 9 Dec 2024 11:25:59 +0800 Subject: [PATCH 11/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 383013471 Flag: EXEMPT sepolicy Change-Id: Ia8c27c5031bb14d77f581b4569a8d39a5613244f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bc90c7c2..cfb0d77a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,7 @@ dumpstate app_zygote process b/288049050 edgetpu_vendor_server shell_data_file dir b/369475225 edgetpu_vendor_server shell_data_file dir b/369475363 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 +hal_camera_default aconfig_storage_metadata_file dir b/383013471 hal_radioext_default radio_vendor_data_file file b/312590044 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 From 9ea8cdc64f7f113b603346975bfbca58a6df96ef Mon Sep 17 00:00:00 2001 
From: chenkris Date: Thu, 12 Dec 2024 08:10:15 +0000 Subject: [PATCH 12/18] zuma: Add selinux permission for fth Fix the following avc denials: avc: denied { open } for path="/dev/fth_fd" dev="tmpfs" ino=1575 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { read } for name="wakeup96" dev="sysfs" ino=101698 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Bug: 383048849 Test: ls -lZ /sys/devices/platform/odm//odm:fps_touch_handler/wakeup Test: authenticate fingerprint Flag: EXEMPT NDK Change-Id: Iec9de84c8faa6790f9f27c5875b5a822a02fcee9 --- vendor/file_contexts | 1 + vendor/genfs_contexts | 2 ++ 2 files changed, 3 insertions(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 444e96d8..953f12e6 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -100,6 +100,7 @@ is_flag_disabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ` /dev/gxp u:object_r:gxp_device:s0 /dev/mali0 u:object_r:gpu_device:s0 /dev/goodix_fp u:object_r:fingerprint_device:s0 +/dev/fth_fd u:object_r:fingerprint_device:s0 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4b6ad96f..13af49b0 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -290,6 +290,8 @@ genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 From e408d5681ebb2b78eb8101852c6ea20e2ad9b7e4 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 13 Dec 2024 14:34:28 +0800 Subject: [PATCH 13/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Flag: EXEMPT sepolicy Bug: 383949325 Change-Id: I3392bafe7873812b2e7df6ecec5725097eb085ab --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index cfb0d77a..be746798 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -39,4 +39,5 @@ vendor_init default_prop file b/323087490 vendor_init default_prop property_service b/315104235 vendor_init default_prop property_service b/359428180 vendor_init vendor_volte_mif_off property_service b/316816642 +zygote aconfig_storage_metadata_file dir b/383949325 zygote zygote capability b/379207101 From d077655445312da7b5c5dc8b43d6e998f8dd6cf6 Mon Sep 17 00:00:00 2001 From: timmyli Date: Fri, 13 Dec 2024 21:23:17 +0000 Subject: [PATCH 14/18] Remove hal_camera_default aconfig_storage_metadata_file from bug map Bug: 383013471 Test: manual test to see no avc denial Flag: EXEMPT bug fix Change-Id: I1958da80539ae17ab48c3aa9f70f7ea3707ea2db --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index be746798..92f7ad07 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,7 +6,6 @@ dumpstate app_zygote process b/288049050 edgetpu_vendor_server shell_data_file dir b/369475225 edgetpu_vendor_server shell_data_file dir b/369475363 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 -hal_camera_default aconfig_storage_metadata_file dir b/383013471 hal_radioext_default radio_vendor_data_file file b/312590044 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 From 29cd1c7a2d1d75aed2a6001ca067275150e700c0 Mon Sep 17 00:00:00 2001 From: Timmy Li Date: Mon, 16 Dec 2024 16:32:22 -0800 Subject: [PATCH 15/18] Revert "Remove hal_camera_default aconfig_storage_metadata_file ..." Revert submission 30893287-hal_camera_default_ aconfig_storage_metadata_file Reason for revert: b/384580942 Reverted changes: /q/submissionid:30893287-hal_camera_default_+aconfig_storage_metadata_file Change-Id: I8bed2f61c7fc0ee6f0fb8cfc15bdb435d30dc70d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 92f7ad07..be746798 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,7 @@ dumpstate app_zygote process b/288049050 edgetpu_vendor_server shell_data_file dir b/369475225 edgetpu_vendor_server shell_data_file dir b/369475363 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 +hal_camera_default aconfig_storage_metadata_file dir b/383013471 hal_radioext_default radio_vendor_data_file file b/312590044 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 From b2f00a1549322c7c4f521a41d9d7f70ca367c0de Mon Sep 17 00:00:00 2001 
From: Liz Prucka Date: Thu, 7 Nov 2024 18:25:07 +0000 Subject: [PATCH 16/18] Restrict ioctl access for appdomain to gpu_device Add a list of Mali-specific ioctls (ioctl_defines). Define categories for these ioctls (ioctl_macros). This list was gathered by the ARM GPU team. All defined ioctls are granted access. Deprecated ioctls and ioctls intended for GPU development are logged to estimate the impact of their removal. During testing, no logging was observed during the launch of the top 100 apps. It is unlikely that such logging would spam the device's log. Bug: 384720119 Test: Csuite test of top 100 apps Flag: EXEMPT uses build system flag: RELEASE_PIXEL_MALI_SEPOLICY_ENABLED Change-Id: I49f7ffade42e1039e13601a81d814d33dfbc3e5a
---
 vendor/gpu.te | 10 ++++++
 vendor/ioctl_defines | 73 ++++++++++++++++++++++++++++++++++++++
 vendor/ioctl_macros | 83 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 166 insertions(+)
 create mode 100644 vendor/gpu.te
 create mode 100644 vendor/ioctl_defines
 create mode 100644 vendor/ioctl_macros
diff --git a/vendor/gpu.te b/vendor/gpu.te
new file mode 100644
index 00000000..24e901d0
--- /dev/null
+++ b/vendor/gpu.te
@@ -0,0 +1,10 @@
+# Policy to enable only production gpu ioctls.
+is_flag_enabled(RELEASE_PIXEL_MALI_SEPOLICY_ENABLED, `
+ # Allow gpu ioctls used in production.
+ allowxperm appdomain gpu_device:chr_file ioctl { unpriv_gpu_ioctls instrumentation_gpu_ioctls };
+ # Audit gpu ioctl commands which have been deprecated,
+ # or are intended for development of the GPU.
+ auditallow appdomain gpu_device:chr_file ioctl;
+ allowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+ auditallowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+')
diff --git a/vendor/ioctl_defines b/vendor/ioctl_defines
new file mode 100644
index 00000000..4bf35075
--- /dev/null
+++ b/vendor/ioctl_defines
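Review bot: `auditallow appdomain gpu_device:chr_file ioctl;` reads as if every GPU ioctl an app makes will be logged, while the comment above it promises that only deprecated and development commands are audited; the base-permission auditallow is what makes the `auditallowxperm` two lines below effective, and as I understand the kernel's xperm audit path only commands in that auditallowxperm set are logged once an xperm decision exists, but nothing in the file says so. Suggest a comment on that line: `# The base-permission auditallow is required for auditallowxperm to fire; only the listed commands are logged.` The first allowxperm also grants `instrumentation_gpu_ioctls` (the KINSTR_PRFCNT and TLSTREAM commands) to all of appdomain, untrusted apps included, and neither the file nor the commit message says why these belong in the production set rather than the audited one, so a one-line justification next to that rule would help the next reviewer. The "top 100 apps" observation in the commit message is the only evidence that the deprecated set is unused; recording it in the file as a dated comment would let a later change drop the allowxperm for `deprecated_gpu_ioctls` with some confidence.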
@@ -0,0 +1,73 @@ +define(`KBASE_IOCTL_VERSION_CHECK_JM', `0x8000') +define(`KBASE_IOCTL_SET_FLAGS', `0x8001') +define(`KBASE_IOCTL_JOB_SUBMIT', `0x8002') +define(`KBASE_IOCTL_GET_GPUPROPS', `0x8003') +define(`KBASE_IOCTL_POST_TERM', `0x8004') +define(`KBASE_IOCTL_MEM_ALLOC', `0x8005') +define(`KBASE_IOCTL_MEM_QUERY', `0x8006') +define(`KBASE_IOCTL_MEM_FREE', `0x8007') +define(`KBASE_IOCTL_HWCNT_READER_SETUP', `0x8008') +define(`KBASE_IOCTL_DISJOINT_QUERY', `0x800c') +define(`KBASE_IOCTL_GET_DDK_VERSION', `0x800d') +define(`KBASE_IOCTL_MEM_JIT_INIT', `0x800e') +define(`KBASE_IOCTL_MEM_SYNC', `0x800f') +define(`KBASE_IOCTL_MEM_FIND_CPU_OFFSET', `0x8010') +define(`KBASE_IOCTL_GET_CONTEXT_ID', `0x8011') +define(`KBASE_IOCTL_TLSTREAM_ACQUIRE', `0x8012') +define(`KBASE_IOCTL_TLSTREAM_FLUSH', `0x8013') +define(`KBASE_IOCTL_MEM_COMMIT', `0x8014') +define(`KBASE_IOCTL_MEM_ALIAS', `0x8015') +define(`KBASE_IOCTL_MEM_IMPORT', `0x8016') +define(`KBASE_IOCTL_MEM_FLAGS_CHANGE', `0x8017') +define(`KBASE_IOCTL_STREAM_CREATE', `0x8018') +define(`KBASE_IOCTL_FENCE_VALIDATE', `0x8019') +define(`KBASE_IOCTL_MEM_PROFILE_ADD', `0x801b') +define(`KBASE_IOCTL_SOFT_EVENT_UPDATE', `0x801c') +define(`KBASE_IOCTL_STICKY_RESOURCE_MAP', `0x801d') +define(`KBASE_IOCTL_STICKY_RESOURCE_UNMAP', `0x801e') +define(`KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET', `0x801f') +define(`KBASE_IOCTL_HWCNT_SET', `0x8020') +define(`KBASE_IOCTL_CINSTR_GWT_START', `0x8021') +define(`KBASE_IOCTL_CINSTR_GWT_STOP', `0x8022') +define(`KBASE_IOCTL_CINSTR_GWT_DUMP', `0x8023') +define(`KBASE_IOCTL_CS_QUEUE_REGISTER', `0x8024') +define(`KBASE_IOCTL_CS_QUEUE_KICK', `0x8025') +define(`KBASE_IOCTL_MEM_EXEC_INIT', `0x8026') +define(`KBASE_IOCTL_CS_QUEUE_BIND', `0x8027') +define(`KBASE_IOCTL_CS_QUEUE_REGISTER_EX', `0x8028') +define(`KBASE_IOCTL_CS_QUEUE_TERMINATE', `0x8029') +define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6', `0x802a') +define(`KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE', `0x802b') +define(`KBASE_IOCTL_CS_EVENT_SIGNAL', 
`0x802c') +define(`KBASE_IOCTL_KCPU_QUEUE_CREATE', `0x802d') +define(`KBASE_IOCTL_KCPU_QUEUE_DELETE', `0x802e') +define(`KBASE_IOCTL_KCPU_QUEUE_ENQUEUE', `0x802f') +define(`KBASE_IOCTL_CS_TILER_HEAP_INIT', `0x8030') +define(`KBASE_IOCTL_CS_TILER_HEAP_TERM', `0x8031') +define(`KBASE_IOCTL_GET_CPU_GPU_TIMEINFO', `0x8032') +define(`KBASE_IOCTL_CS_GET_GLB_IFACE', `0x8033') +define(`KBASE_IOCTL_VERSION_CHECK_CSF', `0x8034') +define(`KBASE_IOCTL_CS_CPU_QUEUE_DUMP', `0x8035') +define(`KBASE_IOCTL_CONTEXT_PRIORITY_CHECK', `0x8036') +define(`KBASE_IOCTL_SET_LIMITED_CORE_COUNT', `0x8037') +define(`KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO', `0x8038') +define(`KBASE_IOCTL_KINSTR_PRFCNT_SETUP', `0x8039') +define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE', `0x803a') +define(`KBASE_IOCTL_MEM_ALLOC_EX', `0x803b') +define(`KBASE_IOCTL_READ_USER_PAGE', `0x803c') +define(`KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS', `0x803d') +define(`KBASE_IOCTL_APC_REQUEST', `0x8042') +define(`KBASE_IOCTL_BUFFER_LIVENESS_UPDATE', `0x8043') +define(`KBASE_HWCNT_READER_GET_HWVER', `0xBE00') +define(`KBASE_HWCNT_READER_GET_BUFFER_SIZE', `0xBE01') +define(`KBASE_HWCNT_READER_DUMP', `0xBE10') +define(`KBASE_HWCNT_READER_CLEAR', `0xBE11') +define(`KBASE_HWCNT_READER_GET_BUFFER', `0xBE20') +define(`KBASE_HWCNT_READER_PUT_BUFFER', `0xBE21') +define(`KBASE_HWCNT_READER_SET_INTERVAL', `0xBE30') +define(`KBASE_HWCNT_READER_ENABLE_EVENT', `0xBE40') +define(`KBASE_HWCNT_READER_DISABLE_EVENT', `0xBE41') +define(`KBASE_HWCNT_READER_GET_API_VERSION', `0xBEFF') +define(`KBASE_IOCTL_KINSTR_PRFCNT_CMD', `0xBF00') +define(`KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE', `0xBF01') +define(`KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE', `0xBF10') diff --git a/vendor/ioctl_macros b/vendor/ioctl_macros new file mode 100644 index 00000000..3874e049 --- /dev/null +++ b/vendor/ioctl_macros 
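Review bot: The new ioctl_defines file has no header explaining what its values are, and the numbers are not self-describing. Each entry is the 16-bit ioctl command (type byte followed by the command number: type 0x80 for the KBASE_IOCTL_* entries, 0xBE and 0xBF for the reader and KINSTR ones) that the SELinux `allowxperm ... ioctl` check matches on, with the direction and size bits dropped; a reader cross-checking against the kernel UAPI header needs that to see why the constants look different. Suggest a header such as `# Mali kbase ioctl commands as the low 16 bits (type<<8 | nr) matched by allowxperm ioctl; list supplied by the ARM GPU team (b/384720119).` The hunk starts on the previous line.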
@@ -0,0 +1,83 @@
+define(`unpriv_gpu_ioctls', `{
+ KBASE_IOCTL_VERSION_CHECK_JM
+ KBASE_IOCTL_SET_FLAGS
+ KBASE_IOCTL_JOB_SUBMIT
+ KBASE_IOCTL_GET_GPUPROPS
+ KBASE_IOCTL_POST_TERM
+ KBASE_IOCTL_MEM_ALLOC
+ KBASE_IOCTL_MEM_QUERY
+ KBASE_IOCTL_MEM_FREE
+ KBASE_IOCTL_DISJOINT_QUERY
+ KBASE_IOCTL_GET_DDK_VERSION
+ KBASE_IOCTL_MEM_JIT_INIT
+ KBASE_IOCTL_MEM_SYNC
+ KBASE_IOCTL_MEM_FIND_CPU_OFFSET
+ KBASE_IOCTL_GET_CONTEXT_ID
+ KBASE_IOCTL_MEM_COMMIT
+ KBASE_IOCTL_MEM_ALIAS
+ KBASE_IOCTL_MEM_IMPORT
+ KBASE_IOCTL_MEM_FLAGS_CHANGE
+ KBASE_IOCTL_STREAM_CREATE
+ KBASE_IOCTL_FENCE_VALIDATE
+ KBASE_IOCTL_MEM_PROFILE_ADD
+ KBASE_IOCTL_SOFT_EVENT_UPDATE
+ KBASE_IOCTL_STICKY_RESOURCE_MAP
+ KBASE_IOCTL_STICKY_RESOURCE_UNMAP
+ KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET
+ KBASE_IOCTL_CS_QUEUE_REGISTER
+ KBASE_IOCTL_CS_QUEUE_KICK
+ KBASE_IOCTL_MEM_EXEC_INIT
+ KBASE_IOCTL_CS_QUEUE_BIND
+ KBASE_IOCTL_CS_QUEUE_REGISTER_EX
+ KBASE_IOCTL_CS_QUEUE_TERMINATE
+ KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE
+ KBASE_IOCTL_CS_EVENT_SIGNAL
+ KBASE_IOCTL_KCPU_QUEUE_CREATE
+ KBASE_IOCTL_KCPU_QUEUE_DELETE
+ KBASE_IOCTL_KCPU_QUEUE_ENQUEUE
+ KBASE_IOCTL_CS_TILER_HEAP_INIT
+ KBASE_IOCTL_CS_TILER_HEAP_TERM
+ KBASE_IOCTL_GET_CPU_GPU_TIMEINFO
+ KBASE_IOCTL_CS_GET_GLB_IFACE
+ KBASE_IOCTL_VERSION_CHECK_CSF
+ KBASE_IOCTL_CS_CPU_QUEUE_DUMP
+ KBASE_IOCTL_CONTEXT_PRIORITY_CHECK
+ KBASE_IOCTL_SET_LIMITED_CORE_COUNT
+ KBASE_IOCTL_CS_QUEUE_GROUP_CREATE
+ KBASE_IOCTL_MEM_ALLOC_EX
+ KBASE_IOCTL_READ_USER_PAGE
+ KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS
+ KBASE_IOCTL_APC_REQUEST
+ KBASE_IOCTL_BUFFER_LIVENESS_UPDATE
+}')
+
+define(`instrumentation_gpu_ioctls', `{
+ KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO
+ KBASE_IOCTL_KINSTR_PRFCNT_SETUP
+ KBASE_IOCTL_TLSTREAM_ACQUIRE
+ KBASE_IOCTL_TLSTREAM_FLUSH
+ KBASE_IOCTL_KINSTR_PRFCNT_CMD
+ KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE
+ KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE
+}')
+
+define(`debug_gpu_ioctls', `{
+ KBASE_IOCTL_HWCNT_SET
+ KBASE_IOCTL_CINSTR_GWT_START
+ KBASE_IOCTL_CINSTR_GWT_STOP
+ KBASE_IOCTL_CINSTR_GWT_DUMP
+}')
+
+define(`deprecated_gpu_ioctls', `{
+ KBASE_HWCNT_READER_GET_HWVER
+ KBASE_HWCNT_READER_GET_BUFFER_SIZE
+ KBASE_HWCNT_READER_DUMP
+ KBASE_HWCNT_READER_CLEAR
+ KBASE_HWCNT_READER_GET_BUFFER
+ KBASE_HWCNT_READER_PUT_BUFFER
+ KBASE_HWCNT_READER_SET_INTERVAL
+ KBASE_HWCNT_READER_ENABLE_EVENT
+ KBASE_HWCNT_READER_DISABLE_EVENT
+ KBASE_HWCNT_READER_GET_API_VERSION
+ KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6
+}')
From bdfee8a704c2357898e9ea928e4b4698d1d25649 Mon Sep 17 00:00:00 2001
From: Nina Chen Date: Tue, 24 Dec 2024 18:32:39 +0800 Subject: [PATCH 17/18] Update SELinux error. Test: SELinuxUncheckedDenialBootTest Bug: 385858590 Bug: 385858993 Bug: 385829048 Flag: EXEMPT bugfix Change-Id: I946909b9bc1aec1728c9999d25bdccfe70443fd9
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index be746798..73cec6e3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 init init capability b/379207041
 insmod-sh insmod-sh key b/274374722
+insmod-sh vendor_edgetpu_debugfs dir b/385858993
 kernel dm_device blk_file b/319403445
 modem_svc_sit hal_radioext_default process b/364446415
 modem_svc_sit modem_ml_svc_sit file b/360060606
@@ -25,6 +26,7 @@ platform_app vendor_rild_prop file b/372121912
 priv_app audio_config_prop file b/379246064
 radio audio_config_prop file b/379245771
 ramdump ramdump capability b/369475700
+ramdump_app privapp_data_file lnk_file b/385858590
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
 system_server sysfs_batteryinfo file b/294967729
From 417ef69506906046f2e4be6970f9955f4953b7f5 Mon Sep 17 00:00:00 2001
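Review bot: `KBASE_IOCTL_HWCNT_READER_SETUP` (0x8008) is defined in vendor/ioctl_defines but appears in none of the four sets here, so with the flag enabled it is the one defined command app domains are denied, whereas the commit message says all defined ioctls are granted. If the omission is intended, record it, e.g. `# KBASE_IOCTL_HWCNT_READER_SETUP is deliberately in no set: denied to appdomain.`; if not, it presumably belongs alongside the KBASE_HWCNT_READER_* commands in `deprecated_gpu_ioctls`, which the ARM list should confirm. A one-line comment above each `define` saying what qualifies a command for that set (production, profiling, GPU development, deprecated) would also make the allow/audit split in vendor/gpu.te reviewable from this file alone.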
From: Wilson Sung Date: Fri, 27 Dec 2024 07:20:11 +0000 Subject: [PATCH 18/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 386149375 Flag: EXEMPT update sepolicy Change-Id: I1be4fa4b29e0e28b61c7ff1444169ab1d20fe5d5 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 73cec6e3..aba5c495 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -26,6 +26,7 @@ platform_app vendor_rild_prop file b/372121912 priv_app audio_config_prop file b/379246064 radio audio_config_prop file b/379245771 ramdump ramdump capability b/369475700 +ramdump_app default_prop file b/386149375 ramdump_app privapp_data_file lnk_file b/385858590 shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729