From 77518a261471f7884e5b7c8ca73442df5c11e48e Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 26 Jun 2024 18:00:52 +0000 Subject: [PATCH 01/32] Add sepolicy for DisplayPort wakeup node Bug: 348125717 Test: ls -Z /sys/devices/platform/110f0000.drmdp/wakeup Flag: NONE (follow up fix for merged non-flagged CL pa/2839256) Change-Id: I9181b2344f2448b9debe1522528545ce90de8768 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ddc44e42..7938c59f 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -275,6 +275,7 @@ genfscon sysfs /devices/virtual/wakeup/wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 From 00484704f80ea3baa745fef22a1aaa72e89bb3ae Mon Sep 17 00:00:00 2001 From: Madhav Iyengar Date: Fri, 28 Jun 2024 01:09:10 +0000 Subject: [PATCH 02/32] Give bthal permission to read AoC version. Bug: 349661931 Flag: com.android.bluetooth.hal.flags.pixel_bt_aoc_offload_efw_xport Test: Allows bthal to choose between USF and EFW transports to communicate with AoC based on version. Change-Id: I3edbcafd4ee5d0c875618c1a1c1b89e1bbd4d1ec --- vendor/hal_bluetooth_btlinux.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index b2a7529c..625dd72e 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te 
@@ -10,3 +10,6 @@ allow hal_bluetooth_btlinux sysfs_bt_uart:file rw_file_perms; # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) + +# Allow access for AoC properties. +get_prop(hal_bluetooth_btlinux, vendor_aoc_prop) From ea95f2b4a4fa11faefa094b6e577d5938647313f Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 3 Jul 2024 02:05:06 +0000 Subject: [PATCH 03/32] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 350832030 Bug: 350832258 Change-Id: Idd45bcee641af96f442ec2cd4443a3964d73f429 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 607fdeba..68366199 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ dumpstate app_zygote process b/288049050 +hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 @@ -11,6 +12,7 @@ shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 +system_suspend sysfs_touch_gti dir b/350832258 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323087197 From 1dac9a172686892bc13164ab2c11537e3e830245 Mon Sep 17 00:00:00 2001 From: Vishvam Mazumdar Date: Tue, 4 Jun 2024 18:28:01 +0000 Subject: [PATCH 04/32] Add SELinux policy to allow CPU Idle Histogram Stats in dumpstate. This change is to allow the CPU Idle Histogram Stats to be dumped in bugreports so that there is more insight into the idle behavior of devices in the field. Test: build/flash Test: adb bugreport Bug: 344908619 Flag: EXEMPT bugfix Change-Id: Ic1096564423a009a0180d7f771da8184688c1842 
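Review bot: In vendor/hal_bluetooth_btlinux.te the added comment `# Allow access for AoC properties.` is broader than the rule under it, because `get_prop` grants read access only. Wording it as `# Allow reading AoC properties; the AoC version selects the USF or EFW transport.` records both the direction and the reason given in the commit message. `vendor_aoc_prop` is declared outside this hunk, so which other properties share that type and become readable to the Bluetooth HAL cannot be checked from here and is worth confirming.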
Signed-off-by: Vishvam Mazumdar --- vendor/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ddc44e42..d46d80a6 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -327,3 +327,7 @@ genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:o # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 + +# CPU +genfscon sysfs /kernel/metrics/cpuidle_histogram/cpuidle_histogram u:object_r:sysfs_cpu:s0 +genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:object_r:sysfs_cpu:s0 From 09d569ecdeaba2951e005a713ec82bded4be234e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Wed, 10 Jul 2024 22:19:13 +0000 Subject: [PATCH 05/32] Delete sepolicy for legacy VR services. None of the zuma devices include these services. Bug: 234559097 Test: presubmit Flag: EXEMPT dead code removal Change-Id: I79bc66b80c36df398fe872f4e99b86e9a828479c --- system_ext/private/systemui_app.te | 1 - 1 file changed, 1 deletion(-) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 5a5f9d28..1e8c53b6 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -11,7 +11,6 @@ allow systemui_app mediaserver_service:service_manager find; allow systemui_app mediaextractor_service:service_manager find; allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; -allow systemui_app vr_manager_service:service_manager find; allow systemui_app nfc_service:service_manager find; allow systemui_app adb_service:service_manager find; allow systemui_app statsmanager_service:service_manager find; From 8a81e8bf619c955c6e1df53d52c8e60a9820b3af Mon Sep 17 00:00:00 2001 
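Review bot: The two `cpuidle_histogram` entries added at the end of vendor/genfs_contexts reuse the shared `sysfs_cpu` type, so every domain that can already read `sysfs_cpu` gains these nodes, not only dumpstate. The patch contains no allow rule, so the dumpstate access named in the subject presumably comes from an existing `sysfs_cpu` rule outside this diff; that full set of readers should be confirmed as acceptable for idle-residency data. The bare `# CPU` header could also say what the nodes are, for example `# CPU idle histogram stats (read by dumpstate for bugreports)`.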
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 11 Jul 2024 07:25:53 +0000 Subject: [PATCH 06/32] Delete sepolicy for legacy VR services. None of the zuma devices include these services. Bug: 234559097 Test: presubmit Flag: EXEMPT dead code removal (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09d569ecdeaba2951e005a713ec82bded4be234e) Merged-In: I79bc66b80c36df398fe872f4e99b86e9a828479c Change-Id: I79bc66b80c36df398fe872f4e99b86e9a828479c --- system_ext/private/systemui_app.te | 1 - 1 file changed, 1 deletion(-) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 5a5f9d28..1e8c53b6 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -11,7 +11,6 @@ allow systemui_app mediaserver_service:service_manager find; allow systemui_app mediaextractor_service:service_manager find; allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; -allow systemui_app vr_manager_service:service_manager find; allow systemui_app nfc_service:service_manager find; allow systemui_app adb_service:service_manager find; allow systemui_app statsmanager_service:service_manager find; From 62fd72732737ad44c69e439744630a2d731a50e1 Mon Sep 17 00:00:00 2001 From: PODISHETTY KUMAR Date: Thu, 11 Jul 2024 14:43:27 +0000 Subject: [PATCH 07/32] Revert "Delete sepolicy for legacy VR services." This reverts commit 09d569ecdeaba2951e005a713ec82bded4be234e. Reason for revert: Change-Id: Ia71e697e180b569480be9f029d9e729f42d5f855 --- system_ext/private/systemui_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 1e8c53b6..5a5f9d28 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te 
@@ -11,6 +11,7 @@ allow systemui_app mediaserver_service:service_manager find; allow systemui_app mediaextractor_service:service_manager find; allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; +allow systemui_app vr_manager_service:service_manager find; allow systemui_app nfc_service:service_manager find; allow systemui_app adb_service:service_manager find; allow systemui_app statsmanager_service:service_manager find; From 6b8e432e3eba595f4d9eeacb63ca176a9183d777 Mon Sep 17 00:00:00 2001 From: Liana Kazanova Date: Thu, 11 Jul 2024 20:56:43 +0000 Subject: [PATCH 08/32] Revert "Delete sepolicy for legacy VR services." This reverts commit 8a81e8bf619c955c6e1df53d52c8e60a9820b3af. Reason for revert: Droidmonitor created revert due to b/352465601. Will be verifying through ABTD before submission Change-Id: I7543fe9078e88300d12c8a09867bdd1ecf5c8005 --- system_ext/private/systemui_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 1e8c53b6..5a5f9d28 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -11,6 +11,7 @@ allow systemui_app mediaserver_service:service_manager find; allow systemui_app mediaextractor_service:service_manager find; allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; +allow systemui_app vr_manager_service:service_manager find; allow systemui_app nfc_service:service_manager find; allow systemui_app adb_service:service_manager find; allow systemui_app statsmanager_service:service_manager find; From 489a6e7843f627a06f52284b949d820e1138da73 Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Wed, 22 May 2024 11:11:18 +0000 Subject: [PATCH 09/32] Add permission for setting gril property 05-22 18:20:50.608 914 914 I auditd : type=1400 audit(0.0:97): avc: denied { write } for comm="radioext@1.0-se" name="property_service" dev="tmpfs" ino=849 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 Bug: 343012301 Bug: 203824024 Test: manual test Flag: EXEMPT bugfix Change-Id: Ic08a1e1c6a0db29e329f121c813bebadbee5a5e9 --- radio/hal_radioext_default.te | 1 + radio/property.te | 1 + radio/property_contexts | 3 +++ 3 files changed, 5 insertions(+) diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te index 7bc0e966..25cb7e5c 100644 --- a/radio/hal_radioext_default.te +++ b/radio/hal_radioext_default.te @@ -4,6 +4,7 @@ init_daemon_domain(hal_radioext_default) hwbinder_use(hal_radioext_default) get_prop(hal_radioext_default, hwservicemanager_prop) +set_prop(hal_radioext_default, vendor_gril_prop) add_hwservice(hal_radioext_default, hal_radioext_hwservice) binder_call(hal_radioext_default, servicemanager) diff --git a/radio/property.te b/radio/property.te index 16ccefce..4a2cc469 100644 --- a/radio/property.te +++ b/radio/property.te @@ -6,6 +6,7 @@ vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_diag_prop) vendor_internal_prop(vendor_modem_prop) vendor_internal_prop(vendor_rild_prop) +vendor_internal_prop(vendor_gril_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) diff --git a/radio/property_contexts b/radio/property_contexts index 0cad5bcf..3f2c9176 100644 --- a/radio/property_contexts +++ b/radio/property_contexts 
@@ -38,6 +38,9 @@ vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 persist.vendor.radio. u:object_r:vendor_rild_prop:s0 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 +# for GRIL +vendor.gril. u:object_r:vendor_gril_prop:s0 + # SSR Detector vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0 From 49c9c8c3d7f75c2cdb5a0be52dfb362cae0a3c4d Mon Sep 17 00:00:00 2001 From: Mike McTernan Date: Mon, 15 Jul 2024 10:13:11 +0100 Subject: [PATCH 10/32] trusty: storageproxy: add fs_ready_rw property context Flag: EXEMPT bug fix Bug: 350362101 Test: ABTD Change-Id: I397a89ceb5a6a832043abb3792b0101ad89c97a7 --- legacy/whitechapel_pro/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index fa5c9170..49b5a138 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -20,3 +20,4 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 +ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 From fb98394c54493b8d373d35a34e95f72708ae232a Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 26 Jun 2024 18:00:52 +0000 Subject: [PATCH 11/32] Add sepolicy for DisplayPort wakeup node Bug: 348125717 Test: ls -Z /sys/devices/platform/110f0000.drmdp/wakeup Flag: NONE (follow up fix for merged non-flagged CL pa/2839256) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:77518a261471f7884e5b7c8ca73442df5c11e48e) Merged-In: I9181b2344f2448b9debe1522528545ce90de8768 Change-Id: I9181b2344f2448b9debe1522528545ce90de8768 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ddc44e42..7938c59f 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
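Review bot: The added `ro.vendor.trusty.storage.fs_ready_rw` entry in legacy/whitechapel_pro/property_contexts looks redundant as written. Entries without a match keyword are treated as prefix matches, and the existing `ro.vendor.trusty.storage.fs_ready` line directly above already assigns `vendor_trusty_storage_prop` to any name starting with that string. If the intent is to pin each property explicitly, both lines would need the exact-match form, e.g. `ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 exact bool`; the value type is assumed here and should be checked against how storageproxy sets it. The same prefix behaviour means any future `fs_ready*` name silently inherits this label.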
@@ -275,6 +275,7 @@ genfscon sysfs /devices/virtual/wakeup/wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 From ef8937f64c56e0434f6a8d2fb4b2aa328ad6ce34 Mon Sep 17 00:00:00 2001 
From: Mike Wang Date: Thu, 30 Nov 2023 20:59:56 +0000 Subject: [PATCH 12/32] Add the selinux policy to allow the gril get/set vendor log properties. avc logs: 2024-07-17 06:00:41.024 8674-8674 binder:8674_1 com.google.android.grilservice W type=1400 audit(0.0:96): avc: denied { read } for name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=416 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 app=com.google.android.grilservice 2024-07-17 06:00:41.024 8674-8674 binder:8674_1 com.google.android.grilservice W type=1400 audit(0.0:97): avc: denied { read } for name="u:object_r:vendor_modem_prop:s0" dev="tmpfs" ino=418 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=file permissive=0 app=com.google.android.grilservice 2024-07-17 06:00:49.592 8674-8674 binder:8674_1 com.google.android.grilservice W type=1400 audit(0.0:99): avc: denied { write } for name="property_service" dev="tmpfs" ino=861 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 app=com.google.android.grilservice 2024-07-17 16:46:54.748 1-1 /system/bin/init init I type=1107 audit(0.0:103): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.verbose_logging_enabled pid=2152 uid=10238 gid=10238 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_logger_prop:s0 tclass=property_service permissive=1' 2024-07-17 16:49:33.256 1-1 /system/bin/init init I type=1107 audit(0.0:116): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.modem.extensive_logging_enabled pid=2152 uid=10238 gid=10238 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=property_service permissive=1' Bug: 293947661 Change-Id: Iec1cc221a543543da28416a5bc7d7ddacde959c5 --- 
radio/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index 3a093c82..314a4488 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -17,3 +17,5 @@ binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) binder_call(grilservice_app, rild) hal_client_domain(grilservice_app, hal_power_stats) +set_prop(grilservice_app, vendor_logger_prop) +set_prop(grilservice_app, vendor_modem_prop) From eb5a3cd47a82c33284214eb08dab32bdbab696ef Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Tue, 21 May 2024 22:56:24 +0000 Subject: [PATCH 13/32] Add udc sysfs to udc_sysfs fs context This is needed for system server to monitor usb gadget state. Grant hal_usb_impl read access as it's needed by UsbDataSessionMonitor. Bug: 339241080 Test: tested on Shiba Flag: android.hardware.usb.flags.enable_udc_sysfs_usb_state_update Change-Id: Iab3c20569cb22d7524ca303f6cb3eaf40aa2161d --- vendor/genfs_contexts | 1 + vendor/hal_usb_impl.te | 1 + 2 files changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 411cc7b9..3234bc2d 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
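Review bot: The two `set_prop` lines added at the end of radio/grilservice_app.te give an app domain write access to every property labelled `vendor_logger_prop` and `vendor_modem_prop`, while the denials quoted in the commit message name only `persist.vendor.verbose_logging_enabled` and `persist.vendor.modem.extensive_logging_enabled`. If those types cover other properties (their property_contexts entries are outside this diff), a dedicated type for the two logging toggles would stop grilservice_app from changing unrelated modem or logger settings. The lines also carry no comment; something like `# Allow GRIL service to toggle vendor and modem verbose logging` would record why an app may set these.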
@@ -242,6 +242,7 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca9 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1 u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 3d89a09f..1fdb63a3 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -20,6 +20,7 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; +allow hal_usb_impl sysfs_udc:file r_file_perms; # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; From 66ba3214b8b8025549abde921943327fa183bedc Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Fri, 19 Jul 2024 01:06:09 +0000 Subject: [PATCH 14/32] Revert "Add udc sysfs to udc_sysfs fs context" Revert submission 27445245-339241080 Reason for revert: break husky-next-user (linux) build 12111903 Reverted changes: /q/submissionid:27445245-339241080 Bug: 339241080 Change-Id: If558e5bef47a0e617e4b4997f0ad9c8154b43ee9 --- vendor/genfs_contexts | 1 - vendor/hal_usb_impl.te | 1 - 2 files changed, 2 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 3234bc2d..411cc7b9 100644 --- a/vendor/genfs_contexts 
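Review bot: Both hunks refer to a `sysfs_udc` type, in the new genfscon line in vendor/genfs_contexts and in `allow hal_usb_impl sysfs_udc:file r_file_perms;` in vendor/hal_usb_impl.te, but nothing in this patch declares it. Unless the type exists in the policy this tree builds against on every branch the change lands on, compilation fails on the unknown type. The build-break revert that follows in this series may be exactly that, though its cause is not stated. If the type is meant to be vendor-local, the same change should carry a declaration such as `type sysfs_udc, sysfs_type, fs_type;`; otherwise the change should land only where the platform policy defines it. The commit message also says the label is needed for system server, yet only hal_usb_impl receives a rule here, so the system_server side presumably lives in another change.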
+++ b/vendor/genfs_contexts @@ -242,7 +242,6 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca9 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1 u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 1fdb63a3..3d89a09f 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -20,7 +20,6 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; -allow hal_usb_impl sysfs_udc:file r_file_perms; # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; From 1dde3ea2ff33bdf253fbbfb609ec21eaccffeaf4 Mon Sep 17 00:00:00 2001 
From: gilliu Date: Thu, 27 Jun 2024 08:14:52 +0000 Subject: [PATCH 15/32] add hal_graphics_composer to access thermal temperature type=1400 audit(0.0:77): avc: denied { search } for name="thermal" dev="tmpfs" ino=1618 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=0 type=1400 audit(0.0:74): avc: denied { search } for name="thermal" dev="sysfs" ino=21594 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 type=1400 audit(0.0:74): avc: denied { read } for name="temp" dev="sysfs" ino=73536 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 type=1400 audit(0.0:74): avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone12/temp" dev="sysfs" ino=73537 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 343141590 Test: check no avc pattern on logcat from test image Flag: NONE add permission Change-Id: I87fce47644b07342d756e7594685eea0dded1926 --- vendor/hal_graphics_composer_default.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 3eed6973..e5d76091 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te 
@@ -42,6 +42,11 @@ allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; allow hal_graphics_composer_default vendor_log_file:dir search; +# allow HWC to access powerstats +allow hal_graphics_composer_default thermal_link_device:dir search; +allow hal_graphics_composer_default sysfs_thermal:dir search; +allow hal_graphics_composer_default sysfs_thermal:file r_file_perms; + # allow HWC to access IStats AIDL allow hal_graphics_composer_default fwk_stats_service:service_manager find; binder_call(hal_graphics_composer_default, system_server); From 4358dc4f7ee0b2aa85e8f2e013089355fd6fed4d Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Tue, 23 Jul 2024 16:32:22 +0800 Subject: [PATCH 16/32] Correct the path of tcpm-source-psy device Bug: 353804370 Flag: EXEMPT bugfix Change-Id: I059a652d13ffdf186fb36edb11ef4c1dc6ac8648 Signed-off-by: Kyle Tso --- vendor/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ddc44e42..5972f0d4 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
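Review bot: The comment on the new block in vendor/hal_graphics_composer_default.te, `# allow HWC to access powerstats`, does not match the three rules under it, which grant search on the `thermal_link_device` and `sysfs_thermal` directories and read on `sysfs_thermal` files. It should read something like `# allow HWC to read thermal zone temperature`, matching the subject and the `thermal_zone12/temp` denial quoted in the commit message. A misleading comment in policy makes it harder to audit later why a HAL holds a permission. `r_file_perms` on the whole `sysfs_thermal` type also covers more than the one `temp` node shown in the denials; that may be unavoidable with the current labelling but should be a conscious decision.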
@@ -232,7 +232,7 @@ genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/wakeup/wakeup genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-11-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 From 6d6f71b74a93ed80f72cbb70ceaf89676251e3a2 Mon Sep 17 00:00:00 2001 From: Daniel Chapin Date: Wed, 24 Jul 2024 20:17:20 +0000 Subject: [PATCH 17/32] Revert "trusty: storageproxy: add fs_ready_rw property context" Revert submission 28318041-rw_storage Reason for revert: Droidfood blocking bug b/355163562 Reverted changes: /q/submissionid:28318041-rw_storage Change-Id: I0fa3edda88677966d42576d76616b837a4bbe70b --- legacy/whitechapel_pro/property_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 49b5a138..fa5c9170 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts 
@@ -20,4 +20,3 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 -ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 From 7ae91b16509534f11e38d64108a437c6ccff253d Mon Sep 17 00:00:00 2001 From: Daniel Chapin Date: Wed, 24 Jul 2024 20:17:20 +0000 Subject: [PATCH 18/32] Revert "trusty: storageproxy: add fs_ready_rw property context" Revert submission 28318041-rw_storage Reason for revert: Droidfood blocking bug b/355163562 Reverted changes: /q/submissionid:28318041-rw_storage (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6d6f71b74a93ed80f72cbb70ceaf89676251e3a2) Merged-In: I0fa3edda88677966d42576d76616b837a4bbe70b Change-Id: I0fa3edda88677966d42576d76616b837a4bbe70b --- legacy/whitechapel_pro/property_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 49b5a138..fa5c9170 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -20,4 +20,3 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 -ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 From 6e54536670c2a2a78165c783a8f25992dd8346b7 Mon Sep 17 00:00:00 2001 
From: Carlos Rodriguez Date: Wed, 17 Jul 2024 22:13:38 +0000 Subject: [PATCH 19/32] DisplayPort Stats: add sysfs access permission on Zuma devices 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:48): avc: denied { read } for name="fec_dsc_supported" dev="sysfs" ino=71618 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:49): avc: denied { read } for name="fec_dsc_not_supported" dev="sysfs" ino=71619 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:50): avc: denied { read } for name="max_res_other" dev="sysfs" ino=71617 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:51): avc: denied { read } for name="max_res_1366_768" dev="sysfs" ino=71607 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:52): avc: denied { read } for name="max_res_1440_900" dev="sysfs" ino=71608 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:53): avc: denied { read } for name="max_res_1600_900" dev="sysfs" ino=71609 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:54): avc: denied { read } for name="max_res_1920_1080" dev="sysfs" ino=71610 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:55): avc: denied { read } for name="max_res_2560_1080" dev="sysfs" ino=71611 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-24 
18:17:43.428 W/pixelstats-vend( 7494): type=1400 audit(0.0:56): avc: denied { read } for name="max_res_2560_1440" dev="sysfs" ino=71612 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 ..... Bug: 343602691 Bug: 317486088 Flag: EXEMPT bugfix Test: Built and flashed, errors are gone. Change-Id: I49d177d2a997698b05f27bd4c448847ed3110e59 --- tracking_denials/bug_map | 1 - vendor/genfs_contexts | 13 +++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 68366199..31734810 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,7 +7,6 @@ incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 -pixelstats_vendor sysfs file b/299553682 shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729 system_server sysfs_batteryinfo file b/294967729 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 3234bc2d..e1c970b9 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -96,9 +96,22 @@ genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/fec_dsc_not_supported u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/fec_dsc_supported u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_invalid_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/sink_count_invalid_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_unstable_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_other u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1366_768 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1440_900 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1600_900 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1920_1080 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_2560_1080 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_2560_1440 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_3440_1440 u:object_r:sysfs_display:s0 
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_3840_2160 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_5120_2880 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_7680_4320 u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp2_success_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp2_fallback_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count u:object_r:sysfs_display:s0 From 1a430facffd7142973e71860801250c7e951b1a3 Mon Sep 17 00:00:00 2001 From: Daniel Chapin Date: Wed, 24 Jul 2024 20:17:20 +0000 Subject: [PATCH 20/32] Revert "trusty: storageproxy: add fs_ready_rw property context" Revert submission 28318041-rw_storage Reason for revert: Droidfood blocking bug b/355163562 Reverted changes: /q/submissionid:28318041-rw_storage (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6d6f71b74a93ed80f72cbb70ceaf89676251e3a2) Merged-In: I0fa3edda88677966d42576d76616b837a4bbe70b Change-Id: I0fa3edda88677966d42576d76616b837a4bbe70b --- legacy/whitechapel_pro/property_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 49b5a138..fa5c9170 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -20,4 +20,3 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 -ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 From 08b3cf20a70cb5997bf02c3bf609c549ced39a3b Mon Sep 17 00:00:00 2001 
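Review bot: The added `drm-displayport-stats` entries label each attribute by name, so any counter the driver exports later (another `max_res_*` bucket, for example) falls back to the generic `sysfs` type and pixelstats_vendor is denied again. This commit also drops the `pixelstats_vendor sysfs file` line from tracking_denials/bug_map, so such a denial would then show up untracked. I would add a comment above the block, e.g. `# drm-displayport-stats: one entry per driver attribute, read by pixelstats_vendor; keep in sync with the DP driver`. The `max_res_3440_1440` through `max_res_7680_4320` entries have no matching denial in the quoted log, which is cut off with `.....`; presumably they were in the elided part.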
From: Xiaofan Jiang Date: Tue, 6 Aug 2024 23:26:43 +0000 Subject: [PATCH 21/32] zuma: update modem_svc sepolicy for UMI Bug: 357139752 Flag: EXEMPT sepolicy [ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 [ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 Change-Id: I7cccb22ef31e88eebae664dcd937553c7ed9428f --- radio/modem_svc_sit.te | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 6733a264..2b348743 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -44,4 +44,9 @@ perfetto_producer(modem_svc_sit) # Allow modem_svc_sit to access modem image file/dir allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; + +# Allow modem_svc_sit to access socket for UMI +userdebug_or_eng(` + allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; +') From e24c2a826576fbcbc04d82d6cfdb4dd947ed6496 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 15 Aug 2024 08:54:17 +0000 Subject: [PATCH 22/32] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 360060606 Test: scanBugreport Bug: 360060992 Bug: 359428180 Test: scanAvcDeniedLogRightAfterReboot Bug: 360060606 Bug: 359428180 Flag: EXEMPT bugFix Change-Id: I3dfb16fdb309f01f543c826b155fc774b76faade --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) 
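Review bot: The new rule lets modem_svc_sit create and unlink `sock_file` objects of type `radio_vendor_data_file`, a general radio data type, so any domain that already holds `sock_file` permissions on that type is not separated from the UMI socket. A dedicated type for `modem_svc_socket`, assigned through a file_contexts entry or a `type_transition`, would keep the grant narrow: `allow modem_svc_sit <umi_socket_type>:sock_file { create unlink };`, where `<umi_socket_type>` is a placeholder for a newly declared type. Both quoted denials were logged with permissive=1, so further denials (on the parent directory, for instance) may only appear once the domain is enforcing. The comment above the rule could also say that it applies to userdebug/eng builds only. The same hunk is re-landed unchanged as PATCH 24/32, and the rest of modem_svc_sit.te is outside the hunk.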
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 31734810..9483e859 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,8 @@ incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 kernel dm_device blk_file b/319403445 +modem_svc_sit modem_ml_svc_sit file b/360060606 +modem_svc_sit modem_ml_svc_sit file b/360060992 mtectrl unlabeled dir b/264483752 shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729 @@ -17,4 +19,5 @@ vendor_init default_prop file b/315104803 vendor_init default_prop file b/323087197 vendor_init default_prop file b/323087490 vendor_init default_prop property_service b/315104235 +vendor_init default_prop property_service b/359428180 vendor_init vendor_volte_mif_off property_service b/316816642 From c65310129077f0a40154948e4925befc87f9e168 Mon Sep 17 00:00:00 2001 From: "Priyanka Advani (xWF)" Date: Thu, 15 Aug 2024 16:14:44 +0000 Subject: [PATCH 23/32] Revert "zuma: update modem_svc sepolicy for UMI" Revert submission 28762313 Reason for revert: Droidmonitor created revert due to b/360059249. Reverted changes: /q/submissionid:28762313 Change-Id: I88cd8603351f5c5e1a546872f4f3aa1cae75dcd5 --- radio/modem_svc_sit.te | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 2b348743..6733a264 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te 
@@ -44,9 +44,4 @@ perfetto_producer(modem_svc_sit) # Allow modem_svc_sit to access modem image file/dir allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; - -# Allow modem_svc_sit to access socket for UMI -userdebug_or_eng(` - allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; -') +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file From 515a102ac8e359739e6a9922ceec086da9c3fc17 Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Thu, 15 Aug 2024 19:25:28 +0000 Subject: [PATCH 24/32] Revert^2 "zuma: update modem_svc sepolicy for UMI" c65310129077f0a40154948e4925befc87f9e168 Change-Id: Ib1d18e33b87f03ee52bcbdff129c6d56b8a63a61 --- radio/modem_svc_sit.te | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 6733a264..2b348743 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -44,4 +44,9 @@ perfetto_producer(modem_svc_sit) # Allow modem_svc_sit to access modem image file/dir allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; + +# Allow modem_svc_sit to access socket for UMI +userdebug_or_eng(` + allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; +') From 5bf0b2bd07cfa11a17946d2f41286def6bab775c Mon Sep 17 00:00:00 2001 
From: attis Date: Wed, 21 Aug 2024 17:08:49 +0800 Subject: [PATCH 25/32] Label sysfs node power_mode as sysfs_display. Label power_mode to sysfs_panel to let it be allowed in dumpstate. avc log: 08-20 20:24:11.292 9339 9339 W dump_display: type=1400 audit(0.0:2372): avc: denied { read } for name="power_mode" dev="sysfs" ino=85501 scontext=u:r:dump_display:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Test: ls -Z, adb bugreport. Flag: EXEMPT bugfix Bug: 358505990 Change-Id: I7b6051de3e8f1b2813c681a176266fe3c7518991 Signed-off-by: attis --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f43bce14..4384177d 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -85,6 +85,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rat genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_model u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_ctrl u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/power_mode u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 From 371f678632b6b155cb2261e2bccbf1eb098af104 Mon Sep 17 00:00:00 2001 
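Review bot: The description says the node is labelled `sysfs_panel`, but the added `power_mode` line assigns `u:object_r:sysfs_display:s0`, as the subject line says; the description should name the type actually used so that a later audit of who can read the node looks at the right one. The label makes `power_mode` readable by every domain that already has access to `sysfs_display`, not only dump_display from the quoted denial, and the description does not say whether that wider set is intended. The entry covers `19440000.drmdsim.0` only; whether another panel instance exposes the same attribute cannot be told from this hunk.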
From: Roy Luo Date: Mon, 22 Jul 2024 23:00:02 +0000 Subject: [PATCH 26/32] Revert^2 "Add udc sysfs to udc_sysfs fs context" This reverts commit 66ba3214b8b8025549abde921943327fa183bedc. Reason for revert: fix breakage in next build with build-time flag in selinux policy. Fixed the following audit logs: [ 285.983545] type=1400 audit(1724270284.724:31): avc: denied { read } for comm="android.hardwar" name="state" dev="sysfs" ino=85740 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_udc:s0 tclass=file permissive=0 Bug: 339241080 Test: tested on Shiba trunk_staging and next builds Flag: build.RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED Change-Id: Ie4979f408a5bca0bb9b9762048ab716ddeeb4d2f --- vendor/genfs_contexts | 3 +++ vendor/hal_usb_impl.te | 3 +++ 2 files changed, 6 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f43bce14..78f6cee2 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -255,6 +255,9 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca9 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +is_flag_enabled(RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED, ` +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0 +') genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1 u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 3d89a09f..7c320b65 100644 
--- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -20,6 +20,9 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; +is_flag_enabled(RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED, ` +allow hal_usb_impl sysfs_udc:file r_file_perms; +') # For metrics upload allow hal_usb_impl fwk_stats_service:service_manager find; From 432980a32335276d4a83c8543e16da3596c544ec Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 23 Aug 2024 09:41:38 +0000 Subject: [PATCH 27/32] Update SELinux error Test: scanBugreport Bug: 361725982 Bug: 359428180 Test: scanAvcDeniedLogRightAfterReboot Bug: 359428180 Flag: EXEMPT bugFix Change-Id: I7e3ce34fdc02932250bcbd71e0a8864cfffaadff --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 9483e859..c96da4a5 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,5 @@ +dump_modem sscoredump_vendor_data_coredump_file dir b/361725982 +dump_modem sscoredump_vendor_data_logcat_file dir b/361725982 dumpstate app_zygote process b/288049050 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 hal_radioext_default radio_vendor_data_file file b/312590044 From a73414799e77782b1f0dccb481a04e1669eef087 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Wed, 4 Sep 2024 00:03:41 +0800 Subject: [PATCH 28/32] storage: move storage related device type to common folder Bug: 364225000 Test: forrest build Change-Id: I60597a3ad6f674b93267f41b3a27fdee6e923e59 Signed-off-by: Randall Huang --- radio/device.te | 4 ++-- vendor/device.te | 4 ++-- vendor/file_contexts | 1 - vendor/ufs_firmware_update.te | 5 ++--- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/radio/device.te b/radio/device.te index f3df48ae..5d2afca4 100644 --- a/radio/device.te +++ b/radio/device.te 
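Review bot: The `allow hal_usb_impl sysfs_udc:file r_file_perms;` rule here and the `genfscon` entry for `.../udc/11210000.dwc3/state` in vendor/genfs_contexts are gated on the same flag in two files, with no comment tying them together. If one side is ungated or removed later, hal_usb_impl either reads a node still labelled `sysfs` or keeps an allow for a type that nothing is labelled with. I would add a comment above each block, e.g. `# UDC state node for hal_usb_impl; label (genfs_contexts) and allow (hal_usb_impl.te) share RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED`. The grant is read-only and matches the `{ read }` denial quoted in the description; where `sysfs_udc` is declared is not visible in this patch.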
@@ -1,4 +1,4 @@ +# radio type modem_block_device, dev_type; type vendor_gnss_device, dev_type; -type modem_userdata_block_device, dev_type; -type efs_block_device, dev_type; + diff --git a/vendor/device.te b/vendor/device.te index 6ed4db3d..bbaa4c53 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -1,8 +1,7 @@ -type persist_block_device, dev_type; +# Block Devices type tee_persist_block_device, dev_type; type custom_ab_block_device, dev_type; type mfg_data_block_device, dev_type; -type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; type hw_jpg_device, dev_type, mlstrustedobject; type fingerprint_device, dev_type; @@ -17,3 +16,4 @@ type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; + diff --git a/vendor/file_contexts b/vendor/file_contexts index d1a77738..444e96d8 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -22,7 +22,6 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 -/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 diff --git a/vendor/ufs_firmware_update.te b/vendor/ufs_firmware_update.te index 04e532e2..8fbb5d17 100644 --- a/vendor/ufs_firmware_update.te +++ b/vendor/ufs_firmware_update.te @@ -1,6 +1,4 @@ -type ufs_firmware_update, domain; -type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type; - +# ufs ffu userdebug_or_eng(` init_daemon_domain(ufs_firmware_update) 
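Review bot: In vendor/device.te the new `# Block Devices` heading sits above a list that continues with `logbuffer_device`, `hw_jpg_device` and `fingerprint_device`, which by their names are not block devices, so the heading misdescribes most of what follows. Either end the block-device group after `mfg_data_block_device` with a blank line and a second heading, or use a neutral heading such as `# Device node types`. The hunks in radio/device.te, vendor/device.te and vendor/ufs_firmware_update.te also each add a trailing blank line at end of file, which can be dropped. vendor/ufs_firmware_update.te keeps using `ufs_firmware_update` after its `type` declarations are removed, so it now depends on the common policy declaring them; that declaration is not visible in this patch.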
@@ -10,3 +8,4 @@ userdebug_or_eng(` allow ufs_firmware_update sysfs:dir r_dir_perms; allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; ') + From 4bb5ee37965fc8a68018cca66f3b004c9b4cc907 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 12 Sep 2024 14:24:47 +0800 Subject: [PATCH 29/32] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 366116488 Test: scanBugreport Bug: 359428180 Bug: 364446415 Test: scanAvcDeniedLogRightAfterReboot Bug: 359428180 Flag: EXEMPT NDK Change-Id: I0c808f3c6aa441c0bfad23e0d8d2f0b987d09ed7 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c96da4a5..5701267b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,12 +8,14 @@ incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 kernel dm_device blk_file b/319403445 +modem_svc_sit hal_radioext_default process b/364446415 modem_svc_sit modem_ml_svc_sit file b/360060606 modem_svc_sit modem_ml_svc_sit file b/360060992 mtectrl unlabeled dir b/264483752 shell sysfs_net file b/330081782 ssr_detector_app default_prop file b/340722729 system_server sysfs_batteryinfo file b/294967729 +system_server vendor_default_prop file b/366116488 system_suspend sysfs_batteryinfo dir b/317316633 system_suspend sysfs_touch_gti dir b/350832258 vendor_init default_prop file b/315104235 From 9ba73f1d79ba7d51e069ce1cd991dd5dc06598e7 Mon Sep 17 00:00:00 2001 From: Prochin Wang Date: Thu, 12 Sep 2024 05:03:43 +0000 Subject: [PATCH 30/32] Change vendor_fingerprint_prop to vendor_restricted_prop This is to allow the fingerprint HAL to access the property. Bug: 366105474 Flag: build.RELEASE_PIXEL_BOOST_DATALAYER_PSA_ENABLED Test: mm Change-Id: I021c004ca0153d2995fae6b3d6208d6cd6c799ef --- vendor/property.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/vendor/property.te b/vendor/property.te index 8ef51a8c..bc411325 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -1,5 +1,5 @@ # Fingerprint -vendor_internal_prop(vendor_fingerprint_prop) +vendor_restricted_prop(vendor_fingerprint_prop) # Battery vendor_internal_prop(vendor_battery_defender_prop) From 438d6d7c70e88484b47858b59f8763f11a706370 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Wed, 18 Sep 2024 18:01:58 +0800 Subject: [PATCH 31/32] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 367943515 Test: scanBugreport Bug: 359428180 Test: scanAvcDeniedLogRightAfterReboot Bug: 359428180 Flag: EXEMPT NDK Change-Id: I06481594dae66cb89f8b3ac8be6d254760771f61 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5701267b..48bf2b9d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ dumpstate app_zygote process b/288049050 hal_bluetooth_btlinux vendor_default_prop property_service b/350832030 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 +hal_vibrator_default default_android_service service_manager b/367943515 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 From f03cc7ce1cf77ba7e893f91dde50240d34d780ca Mon Sep 17 00:00:00 2001 From: Tej Singh Date: Fri, 20 Sep 2024 21:39:59 -0700 Subject: [PATCH 32/32] Make android.framework.stats-v2-ndk app reachable For libedgetpu Test: TH Bug: 354763040 Flag: EXEMPT bugfix Change-Id: I1c2fb12e09ffe8083d6b14b0ee5aa957e031ddf3 --- legacy/whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 184c9977..dc98d477 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts 
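Review bot: Switching `vendor_fingerprint_prop` from `vendor_internal_prop` to `vendor_restricted_prop` moves the property from the vendor-only class to one that domains outside the vendor partition may be allowed to read, but the description justifies it only with access by the fingerprint HAL, presumably a vendor domain that could be granted access to an internal property. If a non-vendor reader is the real consumer, name it in a comment next to the macro, e.g. `# restricted: read by <non-vendor domain>` with the placeholder filled in. If there is none, keeping `vendor_internal_prop` and adding a `get_prop` rule for the HAL domain preserves the narrower class. The change is also unconditional, although the commit lists RELEASE_PIXEL_BOOST_DATALAYER_PSA_ENABLED as its flag.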
@@ -14,6 +14,7 @@ /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/android\.frameworks\.stats-V2-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0