From 9ea8cdc64f7f113b603346975bfbca58a6df96ef Mon Sep 17 00:00:00 2001
From: chenkris
Date: Thu, 12 Dec 2024 08:10:15 +0000
Subject: [PATCH 01/14] zuma: Add selinux permission for fth
Fix the following avc denials:
avc: denied { open } for path="/dev/fth_fd" dev="tmpfs" ino=1575 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { read } for name="wakeup96" dev="sysfs" ino=101698 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
Bug: 383048849
Test: ls -lZ /sys/devices/platform/odm//odm:fps_touch_handler/wakeup
Test: authenticate fingerprint
Flag: EXEMPT NDK
Change-Id: Iec9de84c8faa6790f9f27c5875b5a822a02fcee9
---
 vendor/file_contexts | 1 +
 vendor/genfs_contexts | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 444e96d8..953f12e6 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -100,6 +100,7 @@ is_flag_disabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
 /dev/gxp u:object_r:gxp_device:s0
 /dev/mali0 u:object_r:gpu_device:s0
 /dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/fth_fd u:object_r:fingerprint_device:s0
 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 4b6ad96f..13af49b0 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -290,6 +290,8 @@ genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup u:object_r:sysfs_wakeup:s0
 
 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
From e408d5681ebb2b78eb8101852c6ea20e2ad9b7e4 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Fri, 13 Dec 2024 14:34:28 +0800
Subject: [PATCH 02/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Flag: EXEMPT sepolicy
Bug: 383949325
Change-Id: I3392bafe7873812b2e7df6ecec5725097eb085ab
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index cfb0d77a..be746798 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -39,4 +39,5 @@ vendor_init default_prop file b/323087490
 vendor_init default_prop property_service b/315104235
 vendor_init default_prop property_service b/359428180
 vendor_init vendor_volte_mif_off property_service b/316816642
+zygote aconfig_storage_metadata_file dir b/383949325
 zygote zygote capability b/379207101
From d077655445312da7b5c5dc8b43d6e998f8dd6cf6 Mon Sep 17 00:00:00 2001
From: timmyli
Date: Fri, 13 Dec 2024 21:23:17 +0000
Subject: [PATCH 03/14] Remove hal_camera_default aconfig_storage_metadata_file from bug map
Bug: 383013471
Test: manual test to see no avc denial
Flag: EXEMPT bug fix
Change-Id: I1958da80539ae17ab48c3aa9f70f7ea3707ea2db
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
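Review bot: The two added genfscon entries use the no-trailing-slash form, and genfscon labelling is a longest-prefix match rather than a per-component one, so `/odm:fps_touch_handler/power/wakeup` also labels any sibling attribute under that `power/` directory whose name begins with `wakeup` (a `wakeup_count` node, for instance, if the driver exposes one) as sysfs_wakeup. The neighbouring `110f0000.drmdp/wakeup` line uses the same form while the drmdsim lines above use `/wakeup/`, so this may be deliberate; if only the directory's children are meant, the trailing-slash form is the narrower one. A one-line comment above the new entries stating which nodes were checked with the `ls -lZ` from the commit message would make the choice reviewable later.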
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index be746798..92f7ad07 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,7 +6,6 @@ dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
-hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_radioext_default radio_vendor_data_file file b/312590044
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
From 29cd1c7a2d1d75aed2a6001ca067275150e700c0 Mon Sep 17 00:00:00 2001
From: Timmy Li
Date: Mon, 16 Dec 2024 16:32:22 -0800
Subject: [PATCH 04/14] Revert "Remove hal_camera_default aconfig_storage_metadata_file ..."
Revert submission 30893287-hal_camera_default_ aconfig_storage_metadata_file
Reason for revert: b/384580942
Reverted changes: /q/submissionid:30893287-hal_camera_default_+aconfig_storage_metadata_file
Change-Id: I8bed2f61c7fc0ee6f0fb8cfc15bdb435d30dc70d
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 92f7ad07..be746798 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,6 +6,7 @@ dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
+hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_radioext_default radio_vendor_data_file file b/312590044
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
From b2f00a1549322c7c4f521a41d9d7f70ca367c0de Mon Sep 17 00:00:00 2001
From: Liz Prucka
Date: Thu, 7 Nov 2024 18:25:07 +0000
Subject: [PATCH 05/14] Restrict ioctl access for appdomain to gpu_device
Add a list of Mali-specific ioctls (ioctl_defines). Define categories for these ioctls (ioctl_macros). This list was gathered by the ARM GPU team. All defined ioctls are granted access. Deprecated ioctls and ioctls intended for GPU development are logged to estimate the impact of their removal. During testing, no logging was observed during the launch of the top 100 apps. It is unlikely that such logging would spam the device's log.
Bug: 384720119
Test: Csuite test of top 100 apps
Flag: EXEMPT uses build system flag: RELEASE_PIXEL_MALI_SEPOLICY_ENABLED
Change-Id: I49f7ffade42e1039e13601a81d814d33dfbc3e5a
---
 vendor/gpu.te | 10 ++++++
 vendor/ioctl_defines | 73 ++++++++++++++++++++++++++++++++++++++
 vendor/ioctl_macros | 83 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 166 insertions(+)
 create mode 100644 vendor/gpu.te
 create mode 100644 vendor/ioctl_defines
 create mode 100644 vendor/ioctl_macros
diff --git a/vendor/gpu.te b/vendor/gpu.te
new file mode 100644
index 00000000..24e901d0
--- /dev/null
+++ b/vendor/gpu.te
@@ -0,0 +1,10 @@
+# Policy to enable only production gpu ioctls.
+is_flag_enabled(RELEASE_PIXEL_MALI_SEPOLICY_ENABLED, `
+ # Allow gpu ioctls used in production.
+ allowxperm appdomain gpu_device:chr_file ioctl { unpriv_gpu_ioctls instrumentation_gpu_ioctls };
+ # Audit gpu ioctl commands which have been deprecated,
+ # or are intended for development of the GPU.
+ auditallow appdomain gpu_device:chr_file ioctl;
+ allowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+ auditallowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+')
diff --git a/vendor/ioctl_defines b/vendor/ioctl_defines
new file mode 100644
index 00000000..4bf35075
--- /dev/null
+++ b/vendor/ioctl_defines
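Review bot: The comment above `auditallow appdomain gpu_device:chr_file ioctl;` reads as if that rule by itself selects the deprecated and development ioctls, but the base auditallow covers the whole ioctl permission; it is the `auditallowxperm` two lines below that narrows logging to debug_gpu_ioctls and deprecated_gpu_ioctls, and the base rule is what makes that xperm rule take effect at all. Suggest replacing the two comment lines with `# The base auditallow is required for auditallowxperm to take effect; only the ioctl numbers listed in the auditallowxperm below are logged.` so a later reader neither drops the base rule as redundant nor assumes every ioctl is audited. A further line noting that with RELEASE_PIXEL_MALI_SEPOLICY_ENABLED off nothing in this file applies and the ioctl set stays unrestricted (presumably the pre-change behaviour) would document the fallback explicitly.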
@@ -0,0 +1,73 @@
+define(`KBASE_IOCTL_VERSION_CHECK_JM', `0x8000')
+define(`KBASE_IOCTL_SET_FLAGS', `0x8001')
+define(`KBASE_IOCTL_JOB_SUBMIT', `0x8002')
+define(`KBASE_IOCTL_GET_GPUPROPS', `0x8003')
+define(`KBASE_IOCTL_POST_TERM', `0x8004')
+define(`KBASE_IOCTL_MEM_ALLOC', `0x8005')
+define(`KBASE_IOCTL_MEM_QUERY', `0x8006')
+define(`KBASE_IOCTL_MEM_FREE', `0x8007')
+define(`KBASE_IOCTL_HWCNT_READER_SETUP', `0x8008')
+define(`KBASE_IOCTL_DISJOINT_QUERY', `0x800c')
+define(`KBASE_IOCTL_GET_DDK_VERSION', `0x800d')
+define(`KBASE_IOCTL_MEM_JIT_INIT', `0x800e')
+define(`KBASE_IOCTL_MEM_SYNC', `0x800f')
+define(`KBASE_IOCTL_MEM_FIND_CPU_OFFSET', `0x8010')
+define(`KBASE_IOCTL_GET_CONTEXT_ID', `0x8011')
+define(`KBASE_IOCTL_TLSTREAM_ACQUIRE', `0x8012')
+define(`KBASE_IOCTL_TLSTREAM_FLUSH', `0x8013')
+define(`KBASE_IOCTL_MEM_COMMIT', `0x8014')
+define(`KBASE_IOCTL_MEM_ALIAS', `0x8015')
+define(`KBASE_IOCTL_MEM_IMPORT', `0x8016')
+define(`KBASE_IOCTL_MEM_FLAGS_CHANGE', `0x8017')
+define(`KBASE_IOCTL_STREAM_CREATE', `0x8018')
+define(`KBASE_IOCTL_FENCE_VALIDATE', `0x8019')
+define(`KBASE_IOCTL_MEM_PROFILE_ADD', `0x801b')
+define(`KBASE_IOCTL_SOFT_EVENT_UPDATE', `0x801c')
+define(`KBASE_IOCTL_STICKY_RESOURCE_MAP', `0x801d')
+define(`KBASE_IOCTL_STICKY_RESOURCE_UNMAP', `0x801e')
+define(`KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET', `0x801f')
+define(`KBASE_IOCTL_HWCNT_SET', `0x8020')
+define(`KBASE_IOCTL_CINSTR_GWT_START', `0x8021')
+define(`KBASE_IOCTL_CINSTR_GWT_STOP', `0x8022')
+define(`KBASE_IOCTL_CINSTR_GWT_DUMP', `0x8023')
+define(`KBASE_IOCTL_CS_QUEUE_REGISTER', `0x8024')
+define(`KBASE_IOCTL_CS_QUEUE_KICK', `0x8025')
+define(`KBASE_IOCTL_MEM_EXEC_INIT', `0x8026')
+define(`KBASE_IOCTL_CS_QUEUE_BIND', `0x8027')
+define(`KBASE_IOCTL_CS_QUEUE_REGISTER_EX', `0x8028')
+define(`KBASE_IOCTL_CS_QUEUE_TERMINATE', `0x8029')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6', `0x802a')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE', `0x802b')
+define(`KBASE_IOCTL_CS_EVENT_SIGNAL', `0x802c')
+define(`KBASE_IOCTL_KCPU_QUEUE_CREATE', `0x802d')
+define(`KBASE_IOCTL_KCPU_QUEUE_DELETE', `0x802e')
+define(`KBASE_IOCTL_KCPU_QUEUE_ENQUEUE', `0x802f')
+define(`KBASE_IOCTL_CS_TILER_HEAP_INIT', `0x8030')
+define(`KBASE_IOCTL_CS_TILER_HEAP_TERM', `0x8031')
+define(`KBASE_IOCTL_GET_CPU_GPU_TIMEINFO', `0x8032')
+define(`KBASE_IOCTL_CS_GET_GLB_IFACE', `0x8033')
+define(`KBASE_IOCTL_VERSION_CHECK_CSF', `0x8034')
+define(`KBASE_IOCTL_CS_CPU_QUEUE_DUMP', `0x8035')
+define(`KBASE_IOCTL_CONTEXT_PRIORITY_CHECK', `0x8036')
+define(`KBASE_IOCTL_SET_LIMITED_CORE_COUNT', `0x8037')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO', `0x8038')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_SETUP', `0x8039')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE', `0x803a')
+define(`KBASE_IOCTL_MEM_ALLOC_EX', `0x803b')
+define(`KBASE_IOCTL_READ_USER_PAGE', `0x803c')
+define(`KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS', `0x803d')
+define(`KBASE_IOCTL_APC_REQUEST', `0x8042')
+define(`KBASE_IOCTL_BUFFER_LIVENESS_UPDATE', `0x8043')
+define(`KBASE_HWCNT_READER_GET_HWVER', `0xBE00')
+define(`KBASE_HWCNT_READER_GET_BUFFER_SIZE', `0xBE01')
+define(`KBASE_HWCNT_READER_DUMP', `0xBE10')
+define(`KBASE_HWCNT_READER_CLEAR', `0xBE11')
+define(`KBASE_HWCNT_READER_GET_BUFFER', `0xBE20')
+define(`KBASE_HWCNT_READER_PUT_BUFFER', `0xBE21')
+define(`KBASE_HWCNT_READER_SET_INTERVAL', `0xBE30')
+define(`KBASE_HWCNT_READER_ENABLE_EVENT', `0xBE40')
+define(`KBASE_HWCNT_READER_DISABLE_EVENT', `0xBE41')
+define(`KBASE_HWCNT_READER_GET_API_VERSION', `0xBEFF')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_CMD', `0xBF00')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE', `0xBF01')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE', `0xBF10')
diff --git a/vendor/ioctl_macros b/vendor/ioctl_macros
new file mode 100644
index 00000000..3874e049
--- /dev/null
+++ b/vendor/ioctl_macros
@@ -0,0 +1,83 @@
+define(`unpriv_gpu_ioctls', `{
+ KBASE_IOCTL_VERSION_CHECK_JM
+ KBASE_IOCTL_SET_FLAGS
+ KBASE_IOCTL_JOB_SUBMIT
+ KBASE_IOCTL_GET_GPUPROPS
+ KBASE_IOCTL_POST_TERM
+ KBASE_IOCTL_MEM_ALLOC
+ KBASE_IOCTL_MEM_QUERY
+ KBASE_IOCTL_MEM_FREE
+ KBASE_IOCTL_DISJOINT_QUERY
+ KBASE_IOCTL_GET_DDK_VERSION
+ KBASE_IOCTL_MEM_JIT_INIT
+ KBASE_IOCTL_MEM_SYNC
+ KBASE_IOCTL_MEM_FIND_CPU_OFFSET
+ KBASE_IOCTL_GET_CONTEXT_ID
+ KBASE_IOCTL_MEM_COMMIT
+ KBASE_IOCTL_MEM_ALIAS
+ KBASE_IOCTL_MEM_IMPORT
+ KBASE_IOCTL_MEM_FLAGS_CHANGE
+ KBASE_IOCTL_STREAM_CREATE
+ KBASE_IOCTL_FENCE_VALIDATE
+ KBASE_IOCTL_MEM_PROFILE_ADD
+ KBASE_IOCTL_SOFT_EVENT_UPDATE
+ KBASE_IOCTL_STICKY_RESOURCE_MAP
+ KBASE_IOCTL_STICKY_RESOURCE_UNMAP
+ KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET
+ KBASE_IOCTL_CS_QUEUE_REGISTER
+ KBASE_IOCTL_CS_QUEUE_KICK
+ KBASE_IOCTL_MEM_EXEC_INIT
+ KBASE_IOCTL_CS_QUEUE_BIND
+ KBASE_IOCTL_CS_QUEUE_REGISTER_EX
+ KBASE_IOCTL_CS_QUEUE_TERMINATE
+ KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE
+ KBASE_IOCTL_CS_EVENT_SIGNAL
+ KBASE_IOCTL_KCPU_QUEUE_CREATE
+ KBASE_IOCTL_KCPU_QUEUE_DELETE
+ KBASE_IOCTL_KCPU_QUEUE_ENQUEUE
+ KBASE_IOCTL_CS_TILER_HEAP_INIT
+ KBASE_IOCTL_CS_TILER_HEAP_TERM
+ KBASE_IOCTL_GET_CPU_GPU_TIMEINFO
+ KBASE_IOCTL_CS_GET_GLB_IFACE
+ KBASE_IOCTL_VERSION_CHECK_CSF
+ KBASE_IOCTL_CS_CPU_QUEUE_DUMP
+ KBASE_IOCTL_CONTEXT_PRIORITY_CHECK
+ KBASE_IOCTL_SET_LIMITED_CORE_COUNT
+ KBASE_IOCTL_CS_QUEUE_GROUP_CREATE
+ KBASE_IOCTL_MEM_ALLOC_EX
+ KBASE_IOCTL_READ_USER_PAGE
+ KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS
+ KBASE_IOCTL_APC_REQUEST
+ KBASE_IOCTL_BUFFER_LIVENESS_UPDATE
+}')
+
+define(`instrumentation_gpu_ioctls', `{
+ KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO
+ KBASE_IOCTL_KINSTR_PRFCNT_SETUP
+ KBASE_IOCTL_TLSTREAM_ACQUIRE
+ KBASE_IOCTL_TLSTREAM_FLUSH
+ KBASE_IOCTL_KINSTR_PRFCNT_CMD
+ KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE
+ KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE
+}')
+
+define(`debug_gpu_ioctls', `{
+ KBASE_IOCTL_HWCNT_SET
+ KBASE_IOCTL_CINSTR_GWT_START
+ KBASE_IOCTL_CINSTR_GWT_STOP
+ KBASE_IOCTL_CINSTR_GWT_DUMP
+}')
+
+define(`deprecated_gpu_ioctls', `{
+ KBASE_HWCNT_READER_GET_HWVER
+ KBASE_HWCNT_READER_GET_BUFFER_SIZE
+ KBASE_HWCNT_READER_DUMP
+ KBASE_HWCNT_READER_CLEAR
+ KBASE_HWCNT_READER_GET_BUFFER
+ KBASE_HWCNT_READER_PUT_BUFFER
+ KBASE_HWCNT_READER_SET_INTERVAL
+ KBASE_HWCNT_READER_ENABLE_EVENT
+ KBASE_HWCNT_READER_DISABLE_EVENT
+ KBASE_HWCNT_READER_GET_API_VERSION
+ KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6
+}')
From bdfee8a704c2357898e9ea928e4b4698d1d25649 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Tue, 24 Dec 2024 18:32:39 +0800
Subject: [PATCH 06/14] Update SELinux error.
Test: SELinuxUncheckedDenialBootTest
Bug: 385858590
Bug: 385858993
Bug: 385829048
Flag: EXEMPT bugfix
Change-Id: I946909b9bc1aec1728c9999d25bdccfe70443fd9
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index be746798..73cec6e3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 init init capability b/379207041
 insmod-sh insmod-sh key b/274374722
+insmod-sh vendor_edgetpu_debugfs dir b/385858993
 kernel dm_device blk_file b/319403445
 modem_svc_sit hal_radioext_default process b/364446415
 modem_svc_sit modem_ml_svc_sit file b/360060606
@@ -25,6 +26,7 @@ platform_app vendor_rild_prop file b/372121912
 priv_app audio_config_prop file b/379246064
 radio audio_config_prop file b/379245771
 ramdump ramdump capability b/369475700
+ramdump_app privapp_data_file lnk_file b/385858590
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
 system_server sysfs_batteryinfo file b/294967729
From 417ef69506906046f2e4be6970f9955f4953b7f5 Mon Sep 17 00:00:00 2001
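Review bot: `KBASE_IOCTL_HWCNT_READER_SETUP` (0x8008) is defined in vendor/ioctl_defines but appears in none of the four lists in this file (unpriv, instrumentation, debug, deprecated), so with RELEASE_PIXEL_MALI_SEPOLICY_ENABLED set that ioctl is neither allowed nor audited for appdomain, which contradicts the commit message's "All defined ioctls are granted access". Either add it to the intended list (the related KBASE_HWCNT_READER_* commands sit under deprecated_gpu_ioctls and KBASE_IOCTL_HWCNT_SET under debug_gpu_ioctls, so one of those seems likely) or drop the define and state in a comment that the omission is deliberate. A one-line header comment on each list naming its membership criterion (production, instrumentation, development-only, deprecated) would also make later additions easier to place correctly.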
From: Wilson Sung
Date: Fri, 27 Dec 2024 07:20:11 +0000
Subject: [PATCH 07/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 386149375
Flag: EXEMPT update sepolicy
Change-Id: I1be4fa4b29e0e28b61c7ff1444169ab1d20fe5d5
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 73cec6e3..aba5c495 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -26,6 +26,7 @@ platform_app vendor_rild_prop file b/372121912
 priv_app audio_config_prop file b/379246064
 radio audio_config_prop file b/379245771
 ramdump ramdump capability b/369475700
+ramdump_app default_prop file b/386149375
 ramdump_app privapp_data_file lnk_file b/385858590
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
From 6523ef55d88c5c3389603c70042edb86ff66d6fa Mon Sep 17 00:00:00 2001
From: Terry Huang
Date: Thu, 9 Jan 2025 09:09:28 +0800
Subject: [PATCH 08/14] Remove sced sepolicy rule
Bug: 381778782
Test: gts pass
Flag: EXEMPT bugfix
Change-Id: Ia252d9743577a0475940ff4191d337f68474989e
---
 radio/file_contexts | 1 -
 radio/sced.te | 23 ---------------------
 radio/vendor_telephony_silentlogging_app.te | 1 -
 3 files changed, 25 deletions(-)
 delete mode 100644 radio/sced.te
diff --git a/radio/file_contexts b/radio/file_contexts
index e02a1aa1..6146f4dc 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -3,7 +3,6 @@
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/dmd u:object_r:dmd_exec:s0
-/vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 /vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0
diff --git a/radio/sced.te b/radio/sced.te
deleted file mode 100644
index 2b08973a..00000000
--- a/radio/sced.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type sced, domain;
-type sced_exec, vendor_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(sced)
- typeattribute sced vendor_executes_system_violators;
-
- hwbinder_use(sced)
- binder_call(sced, dmd)
- binder_call(sced, vendor_telephony_silentlogging_app)
-
- get_prop(sced, hwservicemanager_prop)
- allow sced self:packet_socket create_socket_perms_no_ioctl;
-
- allow sced self:capability net_raw;
- allow sced shell_exec:file rx_file_perms;
- allow sced tcpdump_exec:file rx_file_perms;
- allow sced vendor_shell_exec:file x_file_perms;
- allow sced vendor_slog_file:dir create_dir_perms;
- allow sced vendor_slog_file:file create_file_perms;
- allow sced hidl_base_hwservice:hwservice_manager add;
- allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
-')
diff --git a/radio/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te
index 583f408f..a9497f5d 100644
--- a/radio/vendor_telephony_silentlogging_app.te
+++ b/radio/vendor_telephony_silentlogging_app.te
@@ -10,7 +10,6 @@ allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms
 allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
 allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
 binder_call(vendor_telephony_silentlogging_app, dmd)
-binder_call(vendor_telephony_silentlogging_app, sced)
 
 userdebug_or_eng(`
 # Silent Logging
From 6fb9c0088096fe0c8e22101731538c127e1988ae Mon Sep 17 00:00:00 2001
From: Xiaofan Jiang
Date: Fri, 10 Jan 2025 03:16:04 +0000
Subject: [PATCH 09/14] zuma: update selinux to allow UMI on user build
Bug: 375335464
[ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { write } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
Flag: EXEMPT Critical modem system service
Change-Id: Id238114b40a3cb70efab1d8c88bda070b054d991
---
 radio/modem_svc_sit.te | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index 3f225310..039e55b3 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@@ -48,6 +48,5 @@ allow modem_svc_sit modem_img_file:file r_file_perms;
 allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
 
 # Allow modem_svc_sit to access socket for UMI
-userdebug_or_eng(`
- allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };
-')
+allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write };
+
From 5159a671f2c53409f0c95a74da40adebfc5c0be0 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Fri, 10 Jan 2025 10:48:56 +0800
Subject: [PATCH 10/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Flag: EXEMPT bugfix
Bug: 388949246
Change-Id: I35755091bde97e167173375033134a78c6eb6c69
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index aba5c495..df59b50c 100644
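Review bot: The rewritten rule now applies on user builds and grants `create unlink write` on every sock_file carrying the radio_vendor_data_file label, not only the `modem_svc_socket` named in the quoted denials; if that socket lives at a fixed path under the directory, a dedicated file type assigned in file_contexts would keep the user-build grant to the single object the service needs. The hunk also adds a lone `+` line, leaving a trailing blank line at the end of modem_svc_sit.te. All three quoted denials were captured with permissive=1, so a run on an enforcing build that confirms no further sock_file permission is requested once create succeeds would close the loop, since those three lines are the only evidence in the hunk.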
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 init init capability b/379207041
 insmod-sh insmod-sh key b/274374722
+insmod-sh kmsg_device chr_file b/388949246
 insmod-sh vendor_edgetpu_debugfs dir b/385858993
 kernel dm_device blk_file b/319403445
 modem_svc_sit hal_radioext_default process b/364446415
From ad7475258e2f090dde96fcab8977f1c7e04e7dc7 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Thu, 16 Jan 2025 12:09:28 +0800
Subject: [PATCH 11/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 390293495
Flag: EXEMPT bugfix
Change-Id: Iba04cf0704d2711eb92fa35eba8129e84dbf1d4f
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index df59b50c..47d9c4a7 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -5,6 +5,7 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361725982
 dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
+hal_bluetooth_btlinux proc file b/390293495
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_radioext_default radio_vendor_data_file file b/312590044
From f02227eeb156f708028a9672e0130e1b95091873 Mon Sep 17 00:00:00 2001
From: Enzo Liao
Date: Tue, 21 Jan 2025 14:20:53 +0800
Subject: [PATCH 12/14] RamdumpService: Fix the SELinux errors from introducing Firebase Analytics.
Fix it by ag/31334770 and remove the tracking bug number.
Bug: 385858590
Flag: EXEMPT bugfix
Change-Id: I29717ab8926597c5def1f3cd10a61086d3af63d3
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 47d9c4a7..c7043d41 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -29,7 +29,6 @@ priv_app audio_config_prop file b/379246064
 radio audio_config_prop file b/379245771
 ramdump ramdump capability b/369475700
 ramdump_app default_prop file b/386149375
-ramdump_app privapp_data_file lnk_file b/385858590
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
 system_server sysfs_batteryinfo file b/294967729
From 1fd52733f7625d970b342b9229211ebba3932da7 Mon Sep 17 00:00:00 2001
From: Ilya Matyukhin
Date: Thu, 23 Jan 2025 19:15:21 +0000
Subject: [PATCH 13/14] Consolidate SELinux for faceauth_rawimage
Per go/pixel-defrag, moves all related configuration from this board-specific directory to a feature-specific directory: "vendor/google_devices/gs-common/proprietary/biometrics/face/" + "sepolicy/rawimage_heap"
Bug: 337889186
Bug: 391648492
Test: adb logcat | egrep "avc:\s+denied"
Flag: EXEMPT refactor
Change-Id: I2ee88197fe37ab276f603241520058f6ebee4a14
---
 vendor/file.te | 1 -
 vendor/genfs_contexts | 3 ---
 2 files changed, 4 deletions(-)
diff --git a/vendor/file.te b/vendor/file.te
index 6498f828..12cc48ed 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -54,4 +54,3 @@ type sysfs_ospm, sysfs_type, fs_type;
 
 # GSA
 type sysfs_gsa_log, sysfs_type, fs_type;
-type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 13af49b0..ad67f0e0 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -336,9 +336,6 @@ genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq
 genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0
 genfscon sysfs /devices/platform/17000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0
 
-# Faceauth
-genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0
-
 # Bluetooth
 genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0
 
From 911468b0ed7c59b176984a000700fb21bd8fbb90 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Mon, 3 Feb 2025 11:05:24 +0800
Subject: [PATCH 14/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 393955151
Flag: EXEMPT bugfix
Change-Id: Ic7b9b06967a42644e9ad462deb75d4b5e9f27569
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index c7043d41..82dd7a27 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,6 +8,7 @@ edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux proc file b/390293495
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
+hal_drm_widevine system_userdir_file dir b/393955151
 hal_radioext_default radio_vendor_data_file file b/312590044
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561