aml_tz6_351400020 (13155446,com.google.android.go.tzdata6,com.google.android.tzdata6)

-----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ9i73wAKCRDorT+BmrEO eFyZAJ9IQBDv9E9ZB7Ppgj2kGj+Z8a8iZQCbBRcFG3AkrkG3vXd5rPxiL3uBGMs= =k2kR -----END PGP SIGNATURE----- gpgsig -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgPpdpjxPACTIhnlvYz0GM4BR7FJ +rYv3jMbfxNKD3JvcAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQB3RSeLIi3sutWu5eLBkGv3qULe7wvcnp+eQNfVSTK55IzI4RV3kCVsLz7/UHnqwrj s/meZWH5zxGceSJfUhnwA= -----END SSH SIGNATURE----- Merge tag 'aml_tz6_351400020' into staging/lineage-23.0_merge-aml_tz6_351400020 aml_tz6_351400020 (13155446,com.google.android.go.tzdata6,com.google.android.tzdata6) # -----BEGIN PGP SIGNATURE----- # # iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ9i73wAKCRDorT+BmrEO # eFyZAJ9IQBDv9E9ZB7Ppgj2kGj+Z8a8iZQCbBRcFG3AkrkG3vXd5rPxiL3uBGMs= # =k2kR # -----END PGP SIGNATURE----- # gpg: Signature made Tue Mar 18 02:18:39 2025 EET # gpg: using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78 # gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [ultimate] # By Nina Chen (5) and others # Via Android Build Coastguard Worker (9) and others * tag 'aml_tz6_351400020': Update SELinux error Consolidate SELinux for faceauth_rawimage RamdumpService: Fix the SELinux errors from introducing Firebase Analytics. Update SELinux error Update SELinux error zuma: update selinux to allow UMI on user build Remove sced sepolicy rule Update SELinux error Update SELinux error. Restrict ioctl access for appdomain to gpu_device Revert "Remove hal_camera_default aconfig_storage_metadata_file ..." Remove hal_camera_default aconfig_storage_metadata_file from bug map Update SELinux error zuma: Add selinux permission for fth Change-Id: I4608f407b5123cae5d545e41ce717e9efe0ea7d5
2025-06-23 05:17:12 +03:00 · 2025-06-23 05:17:12 +03:00 · b214980bfe
commit b214980bfe
parent 38f8a3ecfc ceb2396a11
11 changed files with 177 additions and 32 deletions
--- a/sepolicy/radio/file_contexts
+++ b/sepolicy/radio/file_contexts
@ -3,7 +3,6 @@
 /vendor/bin/bipchmgr                                                        u:object_r:bipchmgr_exec:s0
 /vendor/bin/vcd                                                             u:object_r:vcd_exec:s0
 /vendor/bin/dmd                                                             u:object_r:dmd_exec:s0
-/vendor/bin/sced                                                            u:object_r:sced_exec:s0
 /vendor/bin/rfsd                                                            u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control                                           u:object_r:modem_logging_control_exec:s0
 /vendor/bin/modem_ml_svc_sit                                                u:object_r:modem_ml_svc_sit_exec:s0
--- a/sepolicy/radio/modem_svc_sit.te
+++ b/sepolicy/radio/modem_svc_sit.te
@ -48,6 +48,5 @@ allow modem_svc_sit modem_img_file:file r_file_perms;
 allow modem_svc_sit modem_img_file:lnk_file r_file_perms;

 # Allow modem_svc_sit to access socket for UMI
-userdebug_or_eng(`
-  allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };
-')
+allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write };
+
--- a/sepolicy/radio/sced.te
+++ b/sepolicy/radio/sced.te
@ -1,23 +0,0 @@
-type sced, domain;
-type sced_exec, vendor_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
-  init_daemon_domain(sced)
-  typeattribute sced vendor_executes_system_violators;
-
-  hwbinder_use(sced)
-  binder_call(sced, dmd)
-  binder_call(sced, vendor_telephony_silentlogging_app)
-
-  get_prop(sced, hwservicemanager_prop)
-  allow sced self:packet_socket create_socket_perms_no_ioctl;
-
-  allow sced self:capability net_raw;
-  allow sced shell_exec:file rx_file_perms;
-  allow sced tcpdump_exec:file rx_file_perms;
-  allow sced vendor_shell_exec:file x_file_perms;
-  allow sced vendor_slog_file:dir create_dir_perms;
-  allow sced vendor_slog_file:file create_file_perms;
-  allow sced hidl_base_hwservice:hwservice_manager add;
-  allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
-')
--- a/sepolicy/radio/vendor_telephony_silentlogging_app.te
+++ b/sepolicy/radio/vendor_telephony_silentlogging_app.te
@ -10,7 +10,6 @@ allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms
 allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
 allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
 binder_call(vendor_telephony_silentlogging_app, dmd)
-binder_call(vendor_telephony_silentlogging_app, sced)

 userdebug_or_eng(`
 # Silent Logging
--- a/sepolicy/tracking_denials/bug_map
+++ b/sepolicy/tracking_denials/bug_map
@ -5,13 +5,17 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361725982
 dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
+hal_bluetooth_btlinux proc file b/390293495
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
+hal_drm_widevine system_userdir_file dir b/393955151
 hal_radioext_default radio_vendor_data_file file b/312590044
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 init init capability b/379207041
 insmod-sh insmod-sh key b/274374722
+insmod-sh kmsg_device chr_file b/388949246
+insmod-sh vendor_edgetpu_debugfs dir b/385858993
 kernel dm_device blk_file b/319403445
 modem_svc_sit hal_radioext_default process b/364446415
 modem_svc_sit modem_ml_svc_sit file b/360060606
@ -25,6 +29,7 @@ platform_app vendor_rild_prop file b/372121912
 priv_app audio_config_prop file b/379246064
 radio audio_config_prop file b/379245771
 ramdump ramdump capability b/369475700
+ramdump_app default_prop file b/386149375
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
 system_server sysfs_batteryinfo file b/294967729
@ -39,4 +44,5 @@ vendor_init default_prop file b/323087490
 vendor_init default_prop property_service b/315104235
 vendor_init default_prop property_service b/359428180
 vendor_init vendor_volte_mif_off property_service b/316816642
+zygote aconfig_storage_metadata_file dir b/383949325
 zygote zygote capability b/379207101
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@ -54,4 +54,3 @@ type sysfs_ospm, sysfs_type, fs_type;

 # GSA
 type sysfs_gsa_log, sysfs_type, fs_type;
-type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@ -102,6 +102,7 @@ is_flag_disabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
 /dev/gxp                                                                    u:object_r:gxp_device:s0
 /dev/mali0                                                                  u:object_r:gpu_device:s0
 /dev/goodix_fp                                                              u:object_r:fingerprint_device:s0
+/dev/fth_fd                                                                 u:object_r:fingerprint_device:s0
 /dev/logbuffer_tcpm                                                         u:object_r:logbuffer_device:s0
 /dev/logbuffer_usbpd                                                        u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc                                                         u:object_r:logbuffer_device:s0
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@ -290,6 +290,8 @@ genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/                                              u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/                                              u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/wakeup                                                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup                                                   u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup                                                         u:object_r:sysfs_wakeup:s0

 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq               u:object_r:sysfs_trusty:s0
@ -334,9 +336,6 @@ genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq
 genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq       u:object_r:sysfs_aoc_udfps:s0
 genfscon sysfs /devices/platform/17000000.aoc/notify_timeout_aoc_status     u:object_r:sysfs_aoc_notifytimeout:s0

-# Faceauth
-genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0
-
 # Bluetooth
 genfscon sysfs /devices/platform/155d0000.serial/uart_dbg                    u:object_r:sysfs_bt_uart:s0

--- a/sepolicy/vendor/gpu.te
+++ b/sepolicy/vendor/gpu.te
@ -0,0 +1,10 @@
+# Policy to enable only production gpu ioctls.
+is_flag_enabled(RELEASE_PIXEL_MALI_SEPOLICY_ENABLED, `
+  # Allow gpu ioctls used in production.
+  allowxperm appdomain gpu_device:chr_file ioctl { unpriv_gpu_ioctls instrumentation_gpu_ioctls };
+  # Audit gpu ioctl commands which have been deprecated,
+  # or are intended for development of the GPU.
+  auditallow appdomain gpu_device:chr_file ioctl;
+  allowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+  auditallowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+')
--- a/sepolicy/vendor/ioctl_defines
+++ b/sepolicy/vendor/ioctl_defines
@ -0,0 +1,73 @@
+define(`KBASE_IOCTL_VERSION_CHECK_JM', `0x8000')
+define(`KBASE_IOCTL_SET_FLAGS', `0x8001')
+define(`KBASE_IOCTL_JOB_SUBMIT', `0x8002')
+define(`KBASE_IOCTL_GET_GPUPROPS', `0x8003')
+define(`KBASE_IOCTL_POST_TERM', `0x8004')
+define(`KBASE_IOCTL_MEM_ALLOC', `0x8005')
+define(`KBASE_IOCTL_MEM_QUERY', `0x8006')
+define(`KBASE_IOCTL_MEM_FREE', `0x8007')
+define(`KBASE_IOCTL_HWCNT_READER_SETUP', `0x8008')
+define(`KBASE_IOCTL_DISJOINT_QUERY', `0x800c')
+define(`KBASE_IOCTL_GET_DDK_VERSION', `0x800d')
+define(`KBASE_IOCTL_MEM_JIT_INIT', `0x800e')
+define(`KBASE_IOCTL_MEM_SYNC', `0x800f')
+define(`KBASE_IOCTL_MEM_FIND_CPU_OFFSET', `0x8010')
+define(`KBASE_IOCTL_GET_CONTEXT_ID', `0x8011')
+define(`KBASE_IOCTL_TLSTREAM_ACQUIRE', `0x8012')
+define(`KBASE_IOCTL_TLSTREAM_FLUSH', `0x8013')
+define(`KBASE_IOCTL_MEM_COMMIT', `0x8014')
+define(`KBASE_IOCTL_MEM_ALIAS', `0x8015')
+define(`KBASE_IOCTL_MEM_IMPORT', `0x8016')
+define(`KBASE_IOCTL_MEM_FLAGS_CHANGE', `0x8017')
+define(`KBASE_IOCTL_STREAM_CREATE', `0x8018')
+define(`KBASE_IOCTL_FENCE_VALIDATE', `0x8019')
+define(`KBASE_IOCTL_MEM_PROFILE_ADD', `0x801b')
+define(`KBASE_IOCTL_SOFT_EVENT_UPDATE', `0x801c')
+define(`KBASE_IOCTL_STICKY_RESOURCE_MAP', `0x801d')
+define(`KBASE_IOCTL_STICKY_RESOURCE_UNMAP', `0x801e')
+define(`KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET', `0x801f')
+define(`KBASE_IOCTL_HWCNT_SET', `0x8020')
+define(`KBASE_IOCTL_CINSTR_GWT_START', `0x8021')
+define(`KBASE_IOCTL_CINSTR_GWT_STOP', `0x8022')
+define(`KBASE_IOCTL_CINSTR_GWT_DUMP', `0x8023')
+define(`KBASE_IOCTL_CS_QUEUE_REGISTER', `0x8024')
+define(`KBASE_IOCTL_CS_QUEUE_KICK', `0x8025')
+define(`KBASE_IOCTL_MEM_EXEC_INIT', `0x8026')
+define(`KBASE_IOCTL_CS_QUEUE_BIND', `0x8027')
+define(`KBASE_IOCTL_CS_QUEUE_REGISTER_EX', `0x8028')
+define(`KBASE_IOCTL_CS_QUEUE_TERMINATE', `0x8029')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6', `0x802a')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE', `0x802b')
+define(`KBASE_IOCTL_CS_EVENT_SIGNAL', `0x802c')
+define(`KBASE_IOCTL_KCPU_QUEUE_CREATE', `0x802d')
+define(`KBASE_IOCTL_KCPU_QUEUE_DELETE', `0x802e')
+define(`KBASE_IOCTL_KCPU_QUEUE_ENQUEUE', `0x802f')
+define(`KBASE_IOCTL_CS_TILER_HEAP_INIT', `0x8030')
+define(`KBASE_IOCTL_CS_TILER_HEAP_TERM', `0x8031')
+define(`KBASE_IOCTL_GET_CPU_GPU_TIMEINFO', `0x8032')
+define(`KBASE_IOCTL_CS_GET_GLB_IFACE', `0x8033')
+define(`KBASE_IOCTL_VERSION_CHECK_CSF', `0x8034')
+define(`KBASE_IOCTL_CS_CPU_QUEUE_DUMP', `0x8035')
+define(`KBASE_IOCTL_CONTEXT_PRIORITY_CHECK', `0x8036')
+define(`KBASE_IOCTL_SET_LIMITED_CORE_COUNT', `0x8037')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO', `0x8038')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_SETUP', `0x8039')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE', `0x803a')
+define(`KBASE_IOCTL_MEM_ALLOC_EX', `0x803b')
+define(`KBASE_IOCTL_READ_USER_PAGE', `0x803c')
+define(`KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS', `0x803d')
+define(`KBASE_IOCTL_APC_REQUEST', `0x8042')
+define(`KBASE_IOCTL_BUFFER_LIVENESS_UPDATE', `0x8043')
+define(`KBASE_HWCNT_READER_GET_HWVER', `0xBE00')
+define(`KBASE_HWCNT_READER_GET_BUFFER_SIZE', `0xBE01')
+define(`KBASE_HWCNT_READER_DUMP', `0xBE10')
+define(`KBASE_HWCNT_READER_CLEAR', `0xBE11')
+define(`KBASE_HWCNT_READER_GET_BUFFER', `0xBE20')
+define(`KBASE_HWCNT_READER_PUT_BUFFER', `0xBE21')
+define(`KBASE_HWCNT_READER_SET_INTERVAL', `0xBE30')
+define(`KBASE_HWCNT_READER_ENABLE_EVENT', `0xBE40')
+define(`KBASE_HWCNT_READER_DISABLE_EVENT', `0xBE41')
+define(`KBASE_HWCNT_READER_GET_API_VERSION', `0xBEFF')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_CMD', `0xBF00')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE', `0xBF01')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE', `0xBF10')
--- a/sepolicy/vendor/ioctl_macros
+++ b/sepolicy/vendor/ioctl_macros
@ -0,0 +1,83 @@
+define(`unpriv_gpu_ioctls', `{
+  KBASE_IOCTL_VERSION_CHECK_JM
+  KBASE_IOCTL_SET_FLAGS
+  KBASE_IOCTL_JOB_SUBMIT
+  KBASE_IOCTL_GET_GPUPROPS
+  KBASE_IOCTL_POST_TERM
+  KBASE_IOCTL_MEM_ALLOC
+  KBASE_IOCTL_MEM_QUERY
+  KBASE_IOCTL_MEM_FREE
+  KBASE_IOCTL_DISJOINT_QUERY
+  KBASE_IOCTL_GET_DDK_VERSION
+  KBASE_IOCTL_MEM_JIT_INIT
+  KBASE_IOCTL_MEM_SYNC
+  KBASE_IOCTL_MEM_FIND_CPU_OFFSET
+  KBASE_IOCTL_GET_CONTEXT_ID
+  KBASE_IOCTL_MEM_COMMIT
+  KBASE_IOCTL_MEM_ALIAS
+  KBASE_IOCTL_MEM_IMPORT
+  KBASE_IOCTL_MEM_FLAGS_CHANGE
+  KBASE_IOCTL_STREAM_CREATE
+  KBASE_IOCTL_FENCE_VALIDATE
+  KBASE_IOCTL_MEM_PROFILE_ADD
+  KBASE_IOCTL_SOFT_EVENT_UPDATE
+  KBASE_IOCTL_STICKY_RESOURCE_MAP
+  KBASE_IOCTL_STICKY_RESOURCE_UNMAP
+  KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET
+  KBASE_IOCTL_CS_QUEUE_REGISTER
+  KBASE_IOCTL_CS_QUEUE_KICK
+  KBASE_IOCTL_MEM_EXEC_INIT
+  KBASE_IOCTL_CS_QUEUE_BIND
+  KBASE_IOCTL_CS_QUEUE_REGISTER_EX
+  KBASE_IOCTL_CS_QUEUE_TERMINATE
+  KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE
+  KBASE_IOCTL_CS_EVENT_SIGNAL
+  KBASE_IOCTL_KCPU_QUEUE_CREATE
+  KBASE_IOCTL_KCPU_QUEUE_DELETE
+  KBASE_IOCTL_KCPU_QUEUE_ENQUEUE
+  KBASE_IOCTL_CS_TILER_HEAP_INIT
+  KBASE_IOCTL_CS_TILER_HEAP_TERM
+  KBASE_IOCTL_GET_CPU_GPU_TIMEINFO
+  KBASE_IOCTL_CS_GET_GLB_IFACE
+  KBASE_IOCTL_VERSION_CHECK_CSF
+  KBASE_IOCTL_CS_CPU_QUEUE_DUMP
+  KBASE_IOCTL_CONTEXT_PRIORITY_CHECK
+  KBASE_IOCTL_SET_LIMITED_CORE_COUNT
+  KBASE_IOCTL_CS_QUEUE_GROUP_CREATE
+  KBASE_IOCTL_MEM_ALLOC_EX
+  KBASE_IOCTL_READ_USER_PAGE
+  KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS
+  KBASE_IOCTL_APC_REQUEST
+  KBASE_IOCTL_BUFFER_LIVENESS_UPDATE
+}')
+
+define(`instrumentation_gpu_ioctls', `{
+  KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO
+  KBASE_IOCTL_KINSTR_PRFCNT_SETUP
+  KBASE_IOCTL_TLSTREAM_ACQUIRE
+  KBASE_IOCTL_TLSTREAM_FLUSH
+  KBASE_IOCTL_KINSTR_PRFCNT_CMD
+  KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE
+  KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE
+}')
+
+define(`debug_gpu_ioctls', `{
+  KBASE_IOCTL_HWCNT_SET
+  KBASE_IOCTL_CINSTR_GWT_START
+  KBASE_IOCTL_CINSTR_GWT_STOP
+  KBASE_IOCTL_CINSTR_GWT_DUMP
+}')
+
+define(`deprecated_gpu_ioctls', `{
+  KBASE_HWCNT_READER_GET_HWVER
+  KBASE_HWCNT_READER_GET_BUFFER_SIZE
+  KBASE_HWCNT_READER_DUMP
+  KBASE_HWCNT_READER_CLEAR
+  KBASE_HWCNT_READER_GET_BUFFER
+  KBASE_HWCNT_READER_PUT_BUFFER
+  KBASE_HWCNT_READER_SET_INTERVAL
+  KBASE_HWCNT_READER_ENABLE_EVENT
+  KBASE_HWCNT_READER_DISABLE_EVENT
+  KBASE_HWCNT_READER_GET_API_VERSION
+  KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6
+}')