diff --git a/sepolicy/legacy/whitechapel_pro/file_contexts b/sepolicy/legacy/whitechapel_pro/file_contexts
index 184c9977..dc98d477 100644
--- a/sepolicy/legacy/whitechapel_pro/file_contexts
+++ b/sepolicy/legacy/whitechapel_pro/file_contexts
@@ -14,6 +14,7 @@
 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/android\.frameworks\.stats-V2-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/radio/device.te b/sepolicy/radio/device.te
index f3df48ae..5d2afca4 100644
--- a/sepolicy/radio/device.te
+++ b/sepolicy/radio/device.te
@@ -1,4 +1,4 @@
+# radio
 type modem_block_device, dev_type;
 type vendor_gnss_device, dev_type;
-type modem_userdata_block_device, dev_type;
-type efs_block_device, dev_type;
+
diff --git a/sepolicy/radio/grilservice_app.te b/sepolicy/radio/grilservice_app.te
index 3a093c82..314a4488 100644
--- a/sepolicy/radio/grilservice_app.te
+++ b/sepolicy/radio/grilservice_app.te
@@ -17,3 +17,5 @@ binder_call(grilservice_app, hal_wifi_ext)
 binder_call(grilservice_app, hal_audiometricext_default)
 binder_call(grilservice_app, rild)
 hal_client_domain(grilservice_app, hal_power_stats)
+set_prop(grilservice_app, vendor_logger_prop)
+set_prop(grilservice_app, vendor_modem_prop)
diff --git a/sepolicy/radio/hal_radioext_default.te b/sepolicy/radio/hal_radioext_default.te
index 7bc0e966..25cb7e5c 100644
--- a/sepolicy/radio/hal_radioext_default.te
+++ b/sepolicy/radio/hal_radioext_default.te
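Review bot: The two `set_prop` lines added at the end of grilservice_app.te give an app domain write access to `vendor_logger_prop` and `vendor_modem_prop` on every build type, and nothing in the hunk says which properties GRIL actually needs to set. Judging by their names, both types are shared with other vendor daemons (the prefixes they cover are in property_contexts, outside this hunk), so a buggy or compromised grilservice_app could alter modem or logging behaviour through them. I would add a comment naming the property each rule is for, e.g. `# GRIL sets <property name> for <purpose>`, and consider whether a narrower property type, or `userdebug_or_eng(...)` gating for the logger property, would be enough.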
@@ -4,6 +4,7 @@ init_daemon_domain(hal_radioext_default) hwbinder_use(hal_radioext_default) get_prop(hal_radioext_default, hwservicemanager_prop) +set_prop(hal_radioext_default, vendor_gril_prop) add_hwservice(hal_radioext_default, hal_radioext_hwservice) binder_call(hal_radioext_default, servicemanager) diff --git a/sepolicy/radio/modem_svc_sit.te b/sepolicy/radio/modem_svc_sit.te index 6733a264..2b348743 100644 --- a/sepolicy/radio/modem_svc_sit.te +++ b/sepolicy/radio/modem_svc_sit.te @@ -44,4 +44,9 @@ perfetto_producer(modem_svc_sit) # Allow modem_svc_sit to access modem image file/dir allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; + +# Allow modem_svc_sit to access socket for UMI +userdebug_or_eng(` + allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; +') diff --git a/sepolicy/radio/property.te b/sepolicy/radio/property.te index 16ccefce..4a2cc469 100644 --- a/sepolicy/radio/property.te +++ b/sepolicy/radio/property.te @@ -6,6 +6,7 @@ vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_diag_prop) vendor_internal_prop(vendor_modem_prop) vendor_internal_prop(vendor_rild_prop) +vendor_internal_prop(vendor_gril_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) diff --git a/sepolicy/radio/property_contexts b/sepolicy/radio/property_contexts index 0cad5bcf..3f2c9176 100644 --- a/sepolicy/radio/property_contexts +++ b/sepolicy/radio/property_contexts 
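Review bot: The new `allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };` rule in modem_svc_sit.te puts the UMI socket under the shared `radio_vendor_data_file` label, so any domain that already holds `sock_file` permissions on that type can reach it, not only the intended peer. A dedicated type for the socket, labelled in file_contexts, would keep the grant as narrow as the comment implies; keeping the `userdebug_or_eng` gate is the right call. Creating and removing the node also needs `add_name`/`remove_name` on the parent directory, which this hunk does not add; presumably that is granted elsewhere in the file, but it is worth confirming.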
@@ -38,6 +38,9 @@ vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 persist.vendor.radio. u:object_r:vendor_rild_prop:s0 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 +# for GRIL +vendor.gril. u:object_r:vendor_gril_prop:s0 + # SSR Detector vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0 diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map index 607fdeba..48bf2b9d 100644 --- a/sepolicy/tracking_denials/bug_map +++ b/sepolicy/tracking_denials/bug_map 
@@ -1,19 +1,28 @@
+dump_modem sscoredump_vendor_data_coredump_file dir b/361725982
+dump_modem sscoredump_vendor_data_logcat_file dir b/361725982
 dumpstate app_zygote process b/288049050
+hal_bluetooth_btlinux vendor_default_prop property_service b/350832030
 hal_radioext_default radio_vendor_data_file file b/312590044
 hal_vibrator_default default_android_service service_manager b/314054292
+hal_vibrator_default default_android_service service_manager b/367943515
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 insmod-sh insmod-sh key b/274374722
 kernel dm_device blk_file b/319403445
+modem_svc_sit hal_radioext_default process b/364446415
+modem_svc_sit modem_ml_svc_sit file b/360060606
+modem_svc_sit modem_ml_svc_sit file b/360060992
 mtectrl unlabeled dir b/264483752
-pixelstats_vendor sysfs file b/299553682
 shell sysfs_net file b/330081782
 ssr_detector_app default_prop file b/340722729
 system_server sysfs_batteryinfo file b/294967729
+system_server vendor_default_prop file b/366116488
 system_suspend sysfs_batteryinfo dir b/317316633
+system_suspend sysfs_touch_gti dir b/350832258
 vendor_init default_prop file b/315104235
 vendor_init default_prop file b/315104803
 vendor_init default_prop file b/323087197
 vendor_init default_prop file b/323087490
 vendor_init default_prop property_service b/315104235
+vendor_init default_prop property_service b/359428180
 vendor_init vendor_volte_mif_off property_service b/316816642
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index 6ed4db3d..bbaa4c53 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -1,8 +1,7 @@
-type persist_block_device, dev_type;
+# Block Devices
 type tee_persist_block_device, dev_type;
 type custom_ab_block_device, dev_type;
 type mfg_data_block_device, dev_type;
-type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
 type hw_jpg_device, dev_type, mlstrustedobject;
 type fingerprint_device, dev_type;
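Review bot: Several added bug_map lines repeat a (source, target, class) triple and differ only in the bug id: `hal_vibrator_default default_android_service service_manager` and `vendor_init default_prop property_service` are already listed, and `modem_svc_sit modem_ml_svc_sit file` is added twice in this hunk. If the denial-to-bug lookup is keyed on the triple, as I believe it is, only one bug id per triple is ever attached to a logged denial, so the extra lines track nothing. I would keep one line per triple and reference the second bug from the first one's tracker entry.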
@@ -17,3 +16,4 @@ type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; + diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index f1d4f562..9304d983 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -24,7 +24,6 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 -/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts index ddc44e42..441690ae 100644 --- a/sepolicy/vendor/genfs_contexts +++ b/sepolicy/vendor/genfs_contexts @@ -85,6 +85,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rat genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_model u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_ctrl u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/power_mode u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 
@@ -96,9 +97,22 @@ genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/fec_dsc_not_supported u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/fec_dsc_supported u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_invalid_failures u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/sink_count_invalid_failures u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_unstable_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_other u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1366_768 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1440_900 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1600_900 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1920_1080 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_2560_1080 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_2560_1440 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_3440_1440 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_3840_2160 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_5120_2880 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_7680_4320 u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/hdcp/hdcp2_success_count u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/hdcp/hdcp2_fallback_count u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count u:object_r:sysfs_display:s0
@@ -232,7 +246,7 @@ genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/wakeup/wakeup
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-11-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
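Review bot: The eleven `max_res_*` lines, like the two `fec_dsc_*` lines above them, label nodes under `drm-displayport-stats` one by one with the same `sysfs_display` type. genfscon matches by path prefix, which this file already relies on for its `.../wakeup/` entries, so a single `genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats u:object_r:sysfs_display:s0` would cover these and any later counters. The per-file form is the stricter choice, because a new node keeps the generic sysfs label until someone reviews it; if that is the intent, a one-line comment above the block saying so would stop the list being collapsed later.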
@@ -242,6 +256,9 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca9
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+is_flag_enabled(RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED, `
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0
+')
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1 u:object_r:sysfs_wakeup:s0
@@ -275,6 +292,7 @@ genfscon sysfs /devices/virtual/wakeup/wakeup
 genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0
 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
@@ -327,3 +345,7 @@ genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:o
 # OTA
 genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
+
+# CPU
+genfscon sysfs /kernel/metrics/cpuidle_histogram/cpuidle_histogram u:object_r:sysfs_cpu:s0
+genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:object_r:sysfs_cpu:s0
diff --git a/sepolicy/vendor/hal_bluetooth_btlinux.te b/sepolicy/vendor/hal_bluetooth_btlinux.te
index b2a7529c..625dd72e 100644
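Review bot: The `sysfs_udc` label used inside `is_flag_enabled(RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED, ...)` is not declared anywhere in this diff, so the build depends on the type being provided elsewhere under the same flag (presumably platform policy). With the flag off, the `udc/11210000.dwc3/state` node keeps its previous label and the matching `allow hal_usb_impl sysfs_udc:file r_file_perms;` in hal_usb_impl.te drops out too, so the two hunks stay consistent. A comment above the block, e.g. `# sysfs_udc is declared in <policy file> under the same flag`, would make that dependency visible to the next editor.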
--- a/sepolicy/vendor/hal_bluetooth_btlinux.te +++ b/sepolicy/vendor/hal_bluetooth_btlinux.te @@ -10,3 +10,6 @@ allow hal_bluetooth_btlinux sysfs_bt_uart:file rw_file_perms; # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) + +# Allow access for AoC properties. +get_prop(hal_bluetooth_btlinux, vendor_aoc_prop) diff --git a/sepolicy/vendor/hal_usb_impl.te b/sepolicy/vendor/hal_usb_impl.te index 3d89a09f..7c320b65 100644 --- a/sepolicy/vendor/hal_usb_impl.te +++ b/sepolicy/vendor/hal_usb_impl.te @@ -20,6 +20,9 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; +is_flag_enabled(RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED, ` +allow hal_usb_impl sysfs_udc:file r_file_perms; +') # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te index 8ef51a8c..bc411325 100644 --- a/sepolicy/vendor/property.te +++ b/sepolicy/vendor/property.te @@ -1,5 +1,5 @@ # Fingerprint -vendor_internal_prop(vendor_fingerprint_prop) +vendor_restricted_prop(vendor_fingerprint_prop) # Battery vendor_internal_prop(vendor_battery_defender_prop) diff --git a/sepolicy/vendor/ufs_firmware_update.te b/sepolicy/vendor/ufs_firmware_update.te index 04e532e2..8fbb5d17 100644 --- a/sepolicy/vendor/ufs_firmware_update.te +++ b/sepolicy/vendor/ufs_firmware_update.te @@ -1,6 +1,4 @@ -type ufs_firmware_update, domain; -type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type; - +# ufs ffu userdebug_or_eng(` init_daemon_domain(ufs_firmware_update) @@ -10,3 +8,4 @@ userdebug_or_eng(` allow ufs_firmware_update sysfs:dir r_dir_perms; allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; ') +
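Review bot: Changing `vendor_fingerprint_prop` from `vendor_internal_prop` to `vendor_restricted_prop` in vendor/property.te lifts the vendor-only restriction on the fingerprint properties, so system-side domains may now be granted read access, and the hunk names neither a reason nor a reader. No `get_prop` for a non-vendor domain is added in this diff, so it is not visible who needs the wider visibility. I would add a comment on the line, e.g. `# restricted: read by <system-side domain> for <purpose>`, and check that no property under this type carries sensor state that should stay inside vendor.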
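Review bot: ufs_firmware_update.te still calls `init_daemon_domain(ufs_firmware_update)` and keeps its `allow` rules, but the first hunk removes both `type` declarations and the `/vendor/bin/ufs_firmware_update\.sh` entry is dropped from vendor/file_contexts. Nothing in this diff re-declares the types or relabels the script, so they presumably come from a shared policy directory; if not, the policy will not compile, and with only the label missing the script would start without its domain transition. I would expand the new comment to say where they now live, e.g. `# ufs ffu: types and file_contexts entry are in <shared policy path>`. The `userdebug_or_eng` block runs across both hunks and its middle lines are not shown here.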