From 6523ef55d88c5c3389603c70042edb86ff66d6fa Mon Sep 17 00:00:00 2001 From: Terry Huang Date: Thu, 9 Jan 2025 09:09:28 +0800 Subject: [PATCH 1/7] Remove sced sepolicy rule Bug: 381778782 Test: gts pass Flag: EXEMPT bugfix Change-Id: Ia252d9743577a0475940ff4191d337f68474989e --- radio/file_contexts | 1 - radio/sced.te | 23 --------------------- radio/vendor_telephony_silentlogging_app.te | 1 - 3 files changed, 25 deletions(-) delete mode 100644 radio/sced.te diff --git a/radio/file_contexts b/radio/file_contexts index e02a1aa1..6146f4dc 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -3,7 +3,6 @@ /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0 /vendor/bin/vcd u:object_r:vcd_exec:s0 /vendor/bin/dmd u:object_r:dmd_exec:s0 -/vendor/bin/sced u:object_r:sced_exec:s0 /vendor/bin/rfsd u:object_r:rfsd_exec:s0 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 /vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0 diff --git a/radio/sced.te b/radio/sced.te deleted file mode 100644 index 2b08973a..00000000 --- a/radio/sced.te +++ /dev/null @@ -1,23 +0,0 @@ -type sced, domain; -type sced_exec, vendor_file_type, exec_type, file_type; - -userdebug_or_eng(` - init_daemon_domain(sced) - typeattribute sced vendor_executes_system_violators; - - hwbinder_use(sced) - binder_call(sced, dmd) - binder_call(sced, vendor_telephony_silentlogging_app) - - get_prop(sced, hwservicemanager_prop) - allow sced self:packet_socket create_socket_perms_no_ioctl; - - allow sced self:capability net_raw; - allow sced shell_exec:file rx_file_perms; - allow sced tcpdump_exec:file rx_file_perms; - allow sced vendor_shell_exec:file x_file_perms; - allow sced vendor_slog_file:dir create_dir_perms; - allow sced vendor_slog_file:file create_file_perms; - allow sced hidl_base_hwservice:hwservice_manager add; - allow sced hal_vendor_oem_hwservice:hwservice_manager { add find }; -') 
diff --git a/radio/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te index 583f408f..a9497f5d 100644 --- a/radio/vendor_telephony_silentlogging_app.te +++ b/radio/vendor_telephony_silentlogging_app.te @@ -10,7 +10,6 @@ allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms allow vendor_telephony_silentlogging_app app_api_service:service_manager find; allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find; binder_call(vendor_telephony_silentlogging_app, dmd) -binder_call(vendor_telephony_silentlogging_app, sced) userdebug_or_eng(` # Silent Logging From 6fb9c0088096fe0c8e22101731538c127e1988ae Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Fri, 10 Jan 2025 03:16:04 +0000 Subject: [PATCH 2/7] zuma: update selinux to allow UMI on user build Bug: 375335464 [ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 [ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 [ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { write } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 Flag: EXEMPT Critical modem system service Change-Id: Id238114b40a3cb70efab1d8c88bda070b054d991 --- radio/modem_svc_sit.te | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3f225310..039e55b3 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te 
@@ -48,6 +48,5 @@ allow modem_svc_sit modem_img_file:file r_file_perms;
 allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
 
 # Allow modem_svc_sit to access socket for UMI
-userdebug_or_eng(`
- allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };
-')
+allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write };
+
From 5159a671f2c53409f0c95a74da40adebfc5c0be0 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Fri, 10 Jan 2025 10:48:56 +0800
Subject: [PATCH 3/7] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Flag: EXEMPT bugfix
Bug: 388949246
Change-Id: I35755091bde97e167173375033134a78c6eb6c69
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index aba5c495..df59b50c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 init init capability b/379207041
 insmod-sh insmod-sh key b/274374722
+insmod-sh kmsg_device chr_file b/388949246
 insmod-sh vendor_edgetpu_debugfs dir b/385858993
 kernel dm_device blk_file b/319403445
 modem_svc_sit hal_radioext_default process b/364446415
From ad7475258e2f090dde96fcab8977f1c7e04e7dc7 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Thu, 16 Jan 2025 12:09:28 +0800
Subject: [PATCH 4/7] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 390293495
Flag: EXEMPT bugfix
Change-Id: Iba04cf0704d2711eb92fa35eba8129e84dbf1d4f
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index df59b50c..47d9c4a7 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
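Review bot: Dropping the `userdebug_or_eng` wrapper means the new `allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write };` line now applies on user builds to every sock_file carrying the `radio_vendor_data_file` label, while the denials quoted in the commit message concern a single socket, `modem_svc_socket`. If that socket is the only one modem_svc_sit creates under this label, giving it its own type through a `type_transition` would keep the user-build grant from also covering other sockets that share the label; if the shared label is intentional, the comment should say so, e.g. `# Allow modem_svc_sit to create/unlink/write its UMI socket (modem_svc_socket) on all builds`. The added empty line at the end of the hunk looks accidental and should be dropped.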
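Review bot: The added `insmod-sh kmsg_device chr_file b/388949246` entry is tracking metadata only: it keeps SELinuxUncheckedDenialBootTest from failing on this denial but grants nothing, so the access stays denied at runtime until the bug is resolved with a policy change or a fix on the caller side. The commit message carries no avc line, so a reader cannot check that `chr_file` is the object class actually denied; quoting the denial in the description, as PATCH 2/7 does, would make the entry verifiable. The same applies to the `hal_bluetooth_btlinux proc file b/390293495` entry in PATCH 4/7 and the `hal_drm_widevine system_userdir_file dir b/393955151` entry in PATCH 7/7.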
@@ -5,6 +5,7 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361725982
 dumpstate app_zygote process b/288049050
 edgetpu_vendor_server shell_data_file dir b/369475225
 edgetpu_vendor_server shell_data_file dir b/369475363
+hal_bluetooth_btlinux proc file b/390293495
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_radioext_default radio_vendor_data_file file b/312590044
From f02227eeb156f708028a9672e0130e1b95091873 Mon Sep 17 00:00:00 2001
From: Enzo Liao
Date: Tue, 21 Jan 2025 14:20:53 +0800
Subject: [PATCH 5/7] RamdumpService: Fix the SELinux errors from introducing Firebase Analytics. Fix it by ag/31334770 and remove the tracking bug number.
Bug: 385858590
Flag: EXEMPT bugfix
Change-Id: I29717ab8926597c5def1f3cd10a61086d3af63d3
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 47d9c4a7..c7043d41 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -29,7 +29,6 @@ priv_app audio_config_prop file b/379246064
 radio audio_config_prop file b/379245771
 ramdump ramdump capability b/369475700
 ramdump_app default_prop file b/386149375
-ramdump_app privapp_data_file lnk_file b/385858590
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
 system_server sysfs_batteryinfo file b/294967729
From 1fd52733f7625d970b342b9229211ebba3932da7 Mon Sep 17 00:00:00 2001
From: Ilya Matyukhin Date: Thu, 23 Jan 2025 19:15:21 +0000 Subject: [PATCH 6/7] Consolidate SELinux for faceauth_rawimage Per go/pixel-defrag, moves all related configuration from this board-specific directory to a feature-specific directory: "vendor/google_devices/gs-common/proprietary/biometrics/face/" + "sepolicy/rawimage_heap" Bug: 337889186 Bug: 391648492 Test: adb logcat | egrep "avc:\s+denied" Flag: EXEMPT refactor Change-Id: I2ee88197fe37ab276f603241520058f6ebee4a14 --- vendor/file.te | 1 - vendor/genfs_contexts | 3 --- 2 files changed, 4 deletions(-) diff --git a/vendor/file.te b/vendor/file.te index 6498f828..12cc48ed 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -54,4 +54,3 @@ type sysfs_ospm, sysfs_type, fs_type; # GSA type sysfs_gsa_log, sysfs_type, fs_type; -type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 13af49b0..ad67f0e0 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -336,9 +336,6 @@ genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0 genfscon sysfs /devices/platform/17000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0 -# Faceauth -genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0 - # Bluetooth genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0 From 911468b0ed7c59b176984a000700fb21bd8fbb90 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Mon, 3 Feb 2025 11:05:24 +0800 Subject: [PATCH 7/7] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 393955151 Flag: EXEMPT bugfix Change-Id: Ic7b9b06967a42644e9ad462deb75d4b5e9f27569 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c7043d41..82dd7a27 100644 
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,6 +8,7 @@ edgetpu_vendor_server shell_data_file dir b/369475363
 hal_bluetooth_btlinux proc file b/390293495
 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
+hal_drm_widevine system_userdir_file dir b/393955151
 hal_radioext_default radio_vendor_data_file file b/312590044
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561