From 1ded01dd86a334876a80d657beedc455fb595753 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Wed, 25 Sep 2024 12:03:25 +0800 Subject: [PATCH 01/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 369475712 Flag: EXEMPT NDK Change-Id: Ib2752c70f24cd0ea35b13836556dc634d2721413 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 30525de..8ff3aea 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -22,6 +22,7 @@ modem_svc_sit hal_radioext_default process b/368187536 modem_svc_sit hal_radioext_default process b/368188020 modem_svc_sit modem_ml_svc_sit file b/360060680 modem_svc_sit modem_ml_svc_sit file b/360060705 +ramdump ramdump capability b/369475712 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 sctd vendor_persist_config_default_prop file b/309550514 From ad0fc36b80a01b240f974ced90bf2a02ba5fb5c5 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 25 Sep 2024 08:39:17 +0000 Subject: [PATCH 02/41] Fix error in systemui when toggling airplane mode avc: denied { read } for name="u:object_r:radio_cdma_ecm_prop:s0" dev="tmpfs" ino=321 scontext=u:r:systemui_app:s0:c3,c257,c512,c768 tcontext=u:object_r:radio_cdma_ecm_prop:s0 tclass=file Bug: 197722115 Bug: 359381748 Test: make selinux_policy Flag: EXEMPT bugfix Change-Id: I56021bacf311c7ce7e7e2f2b44b2078cedc16f1c --- system_ext/private/systemui_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index e16625b..71e0cdd 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te 
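Review bot: The new `ramdump ramdump capability b/369475712` line suppresses the boot-test failure without recording which capability ramdump asked for; bug_map matches only on the scontext/tcontext/tclass triple, so this one entry will also mask any different capability denial raised by the same domain later. Capability grants on a process's own domain are exactly the ones worth narrowing (dac_read_search vs. dac_override, for instance), so the audit line with its `capability=N` field should be kept in the tracking bug and the entry removed as soon as the real fix (a scoped `allow ramdump self:capability ...;` or a code change) lands.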
@@ -20,6 +20,7 @@ get_prop(systemui_app, keyguard_config_prop)
 set_prop(systemui_app, bootanim_system_prop)
 get_prop(systemui_app, qemu_hw_prop)
 set_prop(systemui_app, debug_prop)
+get_prop(systemui_app, radio_cdma_ecm_prop)
 
 # Allow writing and removing wmshell protolog in /data/misc/wmtrace.
 userdebug_or_eng(`

From a59097a64aaae550f15e3087bd41bed5eac777e2 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 25 Sep 2024 12:39:41 +0000
Subject: [PATCH 03/41] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 369539751
Test: scanBugreport
Bug: 369539798
Bug: 369540515
Flag: EXEMPT NDK
Change-Id: Ib294a4c50801ddbd791ff3d05fe332f70bf17283
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 8ff3aea..bbc9155 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -22,6 +22,9 @@ modem_svc_sit hal_radioext_default process b/368187536
 modem_svc_sit hal_radioext_default process b/368188020
 modem_svc_sit modem_ml_svc_sit file b/360060680
 modem_svc_sit modem_ml_svc_sit file b/360060705
+modem_svc_sit radio_vendor_data_file sock_file b/369539798
+pixelstats_vendor block_device dir b/369539751
+pixelstats_vendor block_device dir b/369540515
 ramdump ramdump capability b/369475712
 sctd sctd tcp_socket b/309550514
 sctd swcnd unix_stream_socket b/309550514

From 81f027f9a1f6524fecd196bd650ffcee56eaf11f Mon Sep 17 00:00:00 2001
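Review bot: `pixelstats_vendor block_device dir` is added twice with different bug ids (b/369539751 and b/369540515); bug_map is keyed on the scontext/tcontext/tclass triple, so the second line is redundant and one tracking bug should be picked. The `modem_svc_sit radio_vendor_data_file sock_file b/369539798` entry covers the same triple that PATCH 04 of this series resolves with an explicit `write` rule, so it should be dropped once that change is in, otherwise it keeps suppressing any future regression on that triple. Tracking a `dir` search of block_device for pixelstats_vendor is also worth a closer look when the bug is fixed: if the daemon only needs one partition node, labelling that node (as the series does elsewhere with `efs_block_device`) is narrower than any rule on the block_device directory; that is inferred from the entry, the actual access is not visible here.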
From: Xiaofan Jiang Date: Fri, 13 Sep 2024 00:50:42 +0000 Subject: [PATCH 04/41] modem_svc: update sepolicy for UMI Bug: 357139752 09-12 14:58:18.412 21402 21402 W shared_modem_pl: type=1400 audit(0.0:445): avc: denied { write } for name="modem_svc_socket" dev="dm-53" ino=55074 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=0 Flag: EXEMPT sepolicy change only Change-Id: I0f465e6a3039cc9781142c2b0f3fc433eaa1c9dc --- radio/modem_svc_sit.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 69b6770..d23274c 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -1,3 +1,4 @@ +# Selinux rule for modem_svc_sit daemon type modem_svc_sit, domain; type modem_svc_sit_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(modem_svc_sit) @@ -51,6 +52,6 @@ allow modem_svc_sit modem_img_file:lnk_file r_file_perms; # Allow modem_svc_sit to access socket for UMI userdebug_or_eng(` - allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; + allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink }; ') From 644a742ac72051068f3af91726b312e598d3f7b4 Mon Sep 17 00:00:00 2001 From: weichinweng Date: Thu, 26 Sep 2024 07:51:52 +0000 Subject: [PATCH 05/41] Remove SELinux error tracing bug Bug: 350830390 Bug: 350830756 Bug: 350830758 Test: None Change-Id: Ib33ceebb66573dbb38c87b120daa481b3756090d --- tracking_denials/bug_map | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bbc9155..21e77b7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
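Review bot: The widened rule `allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink };` grants write on every sock_file carrying the radio_vendor_data_file label, not only on the `modem_svc_socket` node named in the quoted denial, so any other socket created under that label becomes writable from modem_svc_sit. If the UMI socket is the only one, a dedicated type for it (with a file_contexts entry) would keep the write permission scoped to that node; whether other sockets share the label is not visible in this hunk. The rule stays inside `userdebug_or_eng`, which is consistent with the denial coming from a debug build, but the comment should say so explicitly, e.g. `# UMI socket is debug-only; keep this inside userdebug_or_eng`, so it is not lifted out later.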
@@ -6,9 +6,6 @@ grilservice_app default_android_service service_manager b/366116096
 hal_audio_default fwk_stats_service service_manager b/340369535
 hal_audio_default traced_producer_socket sock_file b/340369535
 hal_bluetooth_btlinux vendor_aoc_prop file b/353262026
-hal_bluetooth_btlinux vendor_default_prop property_service b/350830390
-hal_bluetooth_btlinux vendor_default_prop property_service b/350830756
-hal_bluetooth_btlinux vendor_default_prop property_service b/350830758
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_power_default hal_power_default capability b/350830411
 hal_wlcservice default_prop file b/350830657

From a0407eaeae673fc1e18269faa524e2fcac13a6c2 Mon Sep 17 00:00:00 2001
From: Feiyu Chen
Date: Thu, 26 Sep 2024 19:21:51 +0000
Subject: [PATCH 06/41] Remove b/340369535 hal_audio_default from bug map

It's fixed 4 months ago

Bug: 340369535
Flag: DOCS_ONLY
Change-Id: If4a6f41703686620dd9614a5fbcbf837127c3173
---
 tracking_denials/bug_map | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 30525de..18c0b42 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -3,8 +3,6 @@ dump_display sysfs file b/322917055
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 grilservice_app default_android_service service_manager b/366116096
-hal_audio_default fwk_stats_service service_manager b/340369535
-hal_audio_default traced_producer_socket sock_file b/340369535
 hal_bluetooth_btlinux vendor_aoc_prop file b/353262026
 hal_bluetooth_btlinux vendor_default_prop property_service b/350830390
 hal_bluetooth_btlinux vendor_default_prop property_service b/350830756

From bf729b72661e67ba8ca7eda1eb47181f9eb276b3 Mon Sep 17 00:00:00 2001
From: YiKai Peng Date: Fri, 27 Sep 2024 05:10:31 +0000 Subject: [PATCH 07/41] Update SELinux error solution: Ie9f8fc5cce8e62b06931b77aa8cd16a3c9516fb5 Test: NA Bug: 350830879 Flag: EXEMPT bugfix Change-Id: I390af5bde405dc35f2cf37163975a851250c7dd2 Signed-off-by: YiKai Peng --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e8ca26d..7195016 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,8 +6,6 @@ grilservice_app default_android_service service_manager b/366116096 hal_bluetooth_btlinux vendor_aoc_prop file b/353262026 hal_gnss_default vendor_gps_prop file b/318310869 hal_power_default hal_power_default capability b/350830411 -hal_wlcservice default_prop file b/350830657 -hal_wlcservice default_prop file b/350830879 incidentd incidentd anon_inode b/322917075 kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 From ac26d97317bce895532199075a5800a6e51bcbc9 Mon Sep 17 00:00:00 2001 
From: Leo Hsieh Date: Wed, 7 Aug 2024 15:23:25 +0800 Subject: [PATCH 08/41] Allow hal_fingerprint_default to access sysfs_aoc_udfps Fix the following avc denial: avc: denied { search } for name="17000000.aoc" dev="sysfs" ino=26962 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=1 avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=110484 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1 avc: denied { read } for name="udfps_get_disp_freq" dev="sysfs" ino=110486 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1 avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=109423 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc_udfps:s0 tclass=file permissive=0 Bug: 357976286 Test: Verify fingerprint HAL process can read/write to the sysfs node. Flag: EXEMPT NDK Change-Id: Ia8d6288812ef47dad2018d384f43374da7005a4a --- vendor/file.te | 1 + vendor/genfs_contexts | 3 +++ vendor/hal_fingerprint_default.te | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index b4d0c51..46f792e 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -18,6 +18,7 @@ type sysfs_fabric, sysfs_type, fs_type; type sysfs_em_profile, sysfs_type, fs_type; type sysfs_ospm, sysfs_type, fs_type; type sysfs_lhbm, sysfs_type, fs_type; +type sysfs_aoc_udfps, sysfs_type, fs_type; # debugfs type vendor_regmap_debugfs, fs_type, debugfs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index d70476c..f5d7758 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -464,6 +464,9 @@ genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:ob genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_set_clock_source u:object_r:sysfs_aoc_udfps:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq u:object_r:sysfs_aoc_udfps:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0 # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te index b3df80e..d101c16 100644 --- a/vendor/hal_fingerprint_default.te +++ b/vendor/hal_fingerprint_default.te @@ -60,3 +60,7 @@ allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perm # Allow fingerprint to rw lhbm files allow hal_fingerprint_default sysfs_lhbm:file rw_file_perms; + +# Allow fingerprint to access sysfs_aoc_udfps +allow hal_fingerprint_default sysfs_aoc:dir search; +allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms; From 693260c96420b7dc925c155ef656f7411f01a3fd Mon Sep 17 00:00:00 2001 From: Yen-Chao Chen Date: Mon, 30 Sep 2024 17:22:02 +0800 Subject: [PATCH 09/41] remove b/350830796 and b/350830680 from bug map Bug: 350830796 Bug: 350830680 Test: build pass Flag: EXEMPT bugfix Change-Id: Ic3c163ce4dd6b97289ec22f97a0c87052b049ea4 Signed-off-by: Yen-Chao Chen --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7195016..2e9ef71 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
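Review bot: `allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms;` gives the fingerprint HAL write access to `udfps_get_osc_freq` and `udfps_get_disp_freq` as well, although the quoted denials only show a write to `udfps_set_clock_source` and reads of the get_ nodes. Because all three nodes share one label, the least-privilege fix is a second label for the setter (read-only `r_file_perms` on the getters, `rw_file_perms` only on the set node); if that split is not worth it, the rule should at least carry a comment such as `# udfps_get_* are read-only nodes; write is only needed for udfps_set_clock_source`. The `search` on sysfs_aoc:dir is the minimum needed to reach the control directory and looks appropriate.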
@@ -26,5 +26,3 @@ shell sysfs_net file b/338347525
 spad spad unix_stream_socket b/309550905
 swcnd swcnd unix_stream_socket b/309551062
 system_suspend sysfs_touch_gti dir b/350830429
-system_suspend sysfs_touch_gti dir b/350830680
-system_suspend sysfs_touch_gti dir b/350830796

From f39431c3c85d267e83bbad2ae54d1161b6bf9f0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Tue, 1 Oct 2024 14:48:40 +1000
Subject: [PATCH 10/41] Remove duplicate service entries

These entries are defined in the platform policy.

Flag: EXEMPT bugfix
Bug: 367832910
Test: TH
Change-Id: I113222c692b971c698684f762294565b96f8d0cb
---
 vendor/service_contexts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/vendor/service_contexts b/vendor/service_contexts
index 38a8cca..b1eee7a 100644
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -2,5 +2,4 @@ vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
-android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0
 com.android.server.modemml.ITFLiteService/default u:object_r:modemml_tflite_service:s0

From f43ae7b44898d9592b1b4cf5c7bae296f5ef1828 Mon Sep 17 00:00:00 2001
From: Mike McTernan
Date: Fri, 4 Oct 2024 08:55:27 +0000
Subject: [PATCH 11/41] Revert "sepolicy:tracking_denials: add btlinux vendor_aoc_prop"

This reverts commit 55bd5b089dac75e483abf346f9c0b5ee603afd74.

Reason for revert: Underlying bug fixed

Flag: EXEMPT bug fix
Bug: 353262026
Change-Id: Id04ffeb508ea7450449c0934bec646e8f7f1356f
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 2e9ef71..e43bba5 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map @@ -3,7 +3,6 @@ dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 grilservice_app default_android_service service_manager b/366116096 -hal_bluetooth_btlinux vendor_aoc_prop file b/353262026 hal_gnss_default vendor_gps_prop file b/318310869 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 From 3c83ed0f7c7fc276a17014ea089514a8afe3bb50 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 10 Sep 2024 15:56:48 +0000 Subject: [PATCH 12/41] Fix modem_logging_control sepolicy error avc: denied { call } for scontext=u:r:modem_logging_control:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 avc: denied { find } for pid=1124 uid=1000 name=vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0 scontext=u:r:modem_logging_control:s0 tcontext=u:object_r:hal_vendor_modem_logging_service:s0 tclass=service_manager permissive=0 Bug:356025857 Test:Start modem logging correctly Flag: EXEMPT bug fix Change-Id: I0de9622957d7b7b756b178153d63e796bf45e856 --- radio/modem_logging_control.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/modem_logging_control.te b/radio/modem_logging_control.te index 7392297..6e6c2a3 100644 --- a/radio/modem_logging_control.te +++ b/radio/modem_logging_control.te @@ -1,3 +1,4 @@ +# for modem_logging_control domain type modem_logging_control, domain; type modem_logging_control_exec, vendor_file_type, exec_type, file_type; @@ -5,6 +6,7 @@ init_daemon_domain(modem_logging_control) hwbinder_use(modem_logging_control) binder_call(modem_logging_control, dmd) +binder_call(modem_logging_control, servicemanager) allow modem_logging_control radio_device:chr_file rw_file_perms; allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find; 
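Review bot: `binder_call(modem_logging_control, servicemanager)` only adds the call/transfer pair between the daemon and servicemanager; the macro that exists for a domain that registers with or queries the framework servicemanager is `binder_use(modem_logging_control)`, which also grants servicemanager the `process getattr` and /proc reads it performs on callers, and it would mirror the `hwbinder_use(modem_logging_control)` already in this file. If the daemon actually opens /dev/vndbinder the counterpart is `vndbinder_use`; which binder node it uses is not visible in this hunk. The matching `service_manager find` on hal_vendor_modem_logging_service is added in the next hunk; presumably that type is declared as a hal_service_type, since vendor domains are otherwise restricted from finding framework services, which is worth confirming against the service declaration.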
@@ -12,6 +14,7 @@ allow modem_logging_control radio_vendor_data_file:dir create_dir_perms; allow modem_logging_control radio_vendor_data_file:file create_file_perms; allow modem_logging_control vendor_slog_file:dir create_dir_perms; allow modem_logging_control vendor_slog_file:file create_file_perms; +allow modem_logging_control hal_vendor_modem_logging_service:service_manager find; set_prop(modem_logging_control, vendor_modem_prop) get_prop(modem_logging_control, hwservicemanager_prop) From 537bf14fe6427da8babfafd1bb5fa847af6ad591 Mon Sep 17 00:00:00 2001 From: chenkris Date: Mon, 7 Oct 2024 06:29:25 +0000 Subject: [PATCH 13/41] add selinux permission for fps_touch_handler wakeup Fix the following avc denial: avc: denied { read } for name="wakeup96" dev="sysfs" ino=101698 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Bug: 371877715 Test: ls -lZ /sys/devices/platform/odm//odm:fps_touch_handler/wakeup Flag: EXEMPT NDK Change-Id: I9aff36eaaec914c7a9b4939353fe88f5c0565799 --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f5d7758..0f4531f 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -148,6 +148,8 @@ genfscon sysfs /devices/platform/sound-aoc/wakeup genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/gnssif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup u:object_r:sysfs_wakeup:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From c5a7f8cc0de7dd3c7837e7116e2eb1720aa3c152 Mon Sep 17 00:00:00 2001 
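Review bot: Only the `odm:fps_touch_handler/wakeup` directory appears in the quoted denial; the second new line, `genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0`, has no denial behind it and, if that path is the device's wakeup-enable attribute as the name suggests, it relabels a writable node so that every domain allowed on sysfs_wakeup inherits access to it. Either drop that line or record the denial that motivates it in the commit message. The double slash in the `Test:` path (`/sys/devices/platform/odm//odm:...`) looks like a typo in the message rather than in the policy.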
From: cwkao Date: Wed, 2 Oct 2024 19:48:09 +0800 Subject: [PATCH 14/41] Add SELiunx for camera debug app (propsetter) Add the following avc denial: ``` 10-02 19:55:46.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.258 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=netstats scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.263 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=content_capture scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=gpu scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity_task scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.416 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=voiceinteraction scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.417 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=autofill scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.425 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=sensitive_content_protection_service scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 
tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.427 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=performance_hint scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1 10-02 19:55:48.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=audio scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 10-02 19:55:53.869 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=textservices scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:textservices_service:s0 tclass=service_manager permissive=1 ``` Bug: 370472903 Test: locally on komodo Flag: EXEMPT NDK Change-Id: Ia1a8b42697e790f27a5da9aaa1f7c83fddf2a365 --- vendor/camera_propsetter_app.te | 22 +++++++++++++++++++ ...roid_apps_camera_tools_propsetter.x509.pem | 17 ++++++++++++++ vendor/keys.conf | 2 ++ vendor/mac_permissions.xml | 3 +++ vendor/seapp_contexts | 2 ++ 5 files changed, 46 insertions(+) create mode 100644 vendor/camera_propsetter_app.te create mode 100644 vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem diff --git a/vendor/camera_propsetter_app.te b/vendor/camera_propsetter_app.te new file mode 100644 index 0000000..be40d7a --- /dev/null +++ b/vendor/camera_propsetter_app.te 
@@ -0,0 +1,22 @@ +# Camera Debug Tool at google3/java/com/google/android/apps/camera/tools/propsetter/ + +type camera_propsetter_app, domain; + +userdebug_or_eng(` + app_domain(camera_propsetter_app) + net_domain(camera_propsetter_app) + + allow camera_propsetter_app activity_service:service_manager find; + allow camera_propsetter_app activity_task_service:service_manager find; + allow camera_propsetter_app autofill_service:service_manager find; + allow camera_propsetter_app audio_service:service_manager find; + allow camera_propsetter_app content_capture_service:service_manager find; + allow camera_propsetter_app gpu_service:service_manager find; + allow camera_propsetter_app hint_service:service_manager find; + allow camera_propsetter_app netstats_service:service_manager find; + allow camera_propsetter_app sensitive_content_protection_service:service_manager find; + allow camera_propsetter_app textservices_service:service_manager find; + allow camera_propsetter_app voiceinteraction_service:service_manager find; + + set_prop(camera_propsetter_app, vendor_camera_prop) +') diff --git a/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem b/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem new file mode 100644 index 0000000..011a9ec --- /dev/null +++ b/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem 
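Review bot: The domain is declared unconditionally (`type camera_propsetter_app, domain;`) but `app_domain`, `net_domain` and every allow rule sit inside `userdebug_or_eng`, so on a user build an APK that matches the seapp_contexts/mac_permissions entry is placed in a domain with no app rules at all instead of falling back to untrusted_app; that may be the intent for a debug tool, but it is not stated, and a comment such as `# Debug-only: on user builds this domain carries no rules, so the app cannot run` would make it explicit. The `service_manager find` list reads as lifted straight from the permissive log; finds on `autofill_service`, `content_capture_service`, `sensitive_content_protection_service` and `voiceinteraction_service` look like framework-side lookups that happen for any app rather than anything a property-setting tool needs, so each should be confirmed before being kept. `set_prop(camera_propsetter_app, vendor_camera_prop)` is the only privilege beyond an ordinary app and is reasonable for the stated purpose.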
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw +NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO +OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR ++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb ++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg +UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX +TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj +rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB +TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK +pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY +DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG +ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 +rscXTxYEf4Tqovc= +-----END CERTIFICATE----- diff --git a/vendor/keys.conf b/vendor/keys.conf index 3ffa695..15d7596 100644 --- a/vendor/keys.conf +++ b/vendor/keys.conf @@ -1,3 +1,5 @@ [@EUICCSUPPORTPIXEL] ALL : device/google/zumapro-sepolicy/vendor/certs/EuiccSupportPixel.x509.pem +[@CAMERAPROPSETTER] +ALL : device/google/zumapro-sepolicy/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml index 0eab982..03409ee 100644 --- a/vendor/mac_permissions.xml +++ b/vendor/mac_permissions.xml @@ -24,4 +24,7 @@ + + + diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 4116372..363e753 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts 
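Review bot: The certificate added as `com_google_android_apps_camera_tools_propsetter.x509.pem` appears to decode to a self-signed `C=US, O=Android, CN=Android Debug` DSA certificate valid 2012-07-17 to 2022-07-15, i.e. the shape of an SDK debug keystore rather than a managed release key; whoever holds that keystore can sign an APK that lands in camera_propsetter_app, and expiry does not stop the signature from matching for seinfo assignment. keys.conf binds it with `ALL :`, so the mapping is compiled into user builds as well even though the policy in camera_propsetter_app.te is userdebug_or_eng only; signing the tool with a release-managed key, or scoping the keys.conf entry to the debug variants if the build tooling allows a tag without a USER line, would keep a debug key out of shipping policy. The mac_permissions.xml hunk has had its XML stripped in this rendering (`@@ -24,4 +24,7 @@ + + +`), so the signer/seinfo entry for `@CAMERAPROPSETTER` cannot be checked here.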
@@ -1,3 +1,5 @@ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all +# Camera propsetter app +user=_app seinfo=CameraPropsetter name=com.google.android.apps.camera.tools.propsetter domain=camera_propsetter_app type=app_data_file levelFrom=all From 7c85388222527502feed84135425ac67a99f02e1 Mon Sep 17 00:00:00 2001 
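Review bot: The new seapp_contexts entry is unconditional while every rule in camera_propsetter_app is userdebug_or_eng only, so on user builds the mapping still fires and drops a matching APK into an empty domain. If seapp_contexts goes through m4 in this build as the .te files do, wrapping the two lines in `userdebug_or_eng(`...`)` keeps the mapping out of user builds entirely; otherwise the comment should say that this is deliberate. Pairing `seinfo=CameraPropsetter` with `name=com.google.android.apps.camera.tools.propsetter` is the right keying (package name alone is spoofable); matching the style of the EuiccSupportPixel entry above, the comment could read `# Domain for the camera propsetter debug tool (userdebug/eng only)`.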
From: Pawan Wagh Date: Wed, 25 Sep 2024 20:03:10 +0000 Subject: [PATCH 15/41] Copy 16KB developer option sepolicy to zumapro avc denials from logs: [ 51.554757][ T453] type=1400 audit(1728080571.804:3): avc: denied { write } for comm="copy_efs_files_" path="/dev/kmsg_debug" dev="tmpfs" ino=6 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 [ 51.582401][ T453] type=1400 audit(1728080571.808:4): avc: denied { ioctl } for comm="copy_efs_files_" path="/dev/kmsg_debug" dev="tmpfs" ino=6 ioctlcmd=0x5401 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 [ 51.618078][ T453] type=1400 audit(1728080571.808:5): avc: denied { execute_no_trans } for comm="copy_efs_files_" path="/vendor/bin/toybox_vendor" dev="dm-10" ino=382 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1 [ 51.642465][ T453] type=1400 audit(1728080571.812:6): avc: denied { getattr } for comm="mkdir" path="/dev/kmsg_debug" dev="tmpfs" ino=6 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 [ 51.664388][ T453] type=1400 audit(1728080571.812:7): avc: denied { getattr } for comm="mkdir" path="/data/vendor/copied" dev="dm-57" ino=7569664 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 51.664405][ T453] type=1400 audit(1728080571.820:8): avc: denied { search } for comm="copy_efs_files_" name="copied" dev="dm-57" ino=7569664 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 51.664429][ T453] type=1400 audit(1728080571.832:9): avc: denied { write } for comm="mkdir" name="copied" dev="dm-57" ino=7569664 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 51.664448][ T453] type=1400 audit(1728080571.832:10): avc: 
denied { add_name } for comm="mkdir" name="efs.img" scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 51.717024][ T453] type=1400 audit(1728080571.832:11): avc: denied { create } for comm="mkdir" name="efs.img" scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 51.786594][ T453] type=1400 audit(1728080571.836:12): avc: denied { execute_no_trans } for comm="copy_efs_files_" path="/vendor/bin/fsck.f2fs" dev="dm-10" ino=134 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 [ 51.819515][ T453] type=1400 audit(1728080571.840:13): avc: denied { search } for comm="dump.f2fs" name="bootstrap" dev="dm-6" ino=1828 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:system_bootstrap_lib_file:s0 tclass=dir permissive=1 [ 51.841747][ T453] type=1400 audit(1728080571.840:14): avc: denied { read } for comm="dump.f2fs" name="libc.so" dev="dm-6" ino=1831 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:system_bootstrap_lib_file:s0 tclass=file permissive=1 [ 51.863729][ T453] type=1400 audit(1728080571.840:15): avc: denied { open } for comm="dump.f2fs" path="/system/lib64/bootstrap/libc.so" dev="dm-6" ino=1831 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:system_bootstrap_lib_file:s0 tclass=file permissive=1 [ 51.887882][ T453] type=1400 audit(1728080571.840:16): avc: denied { getattr } for comm="dump.f2fs" path="/system/lib64/bootstrap/libc.so" dev="dm-6" ino=1831 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:system_bootstrap_lib_file:s0 tclass=file permissive=1 [ 51.912170][ T453] type=1400 audit(1728080571.840:17): avc: denied { map } for comm="dump.f2fs" path="/system/lib64/bootstrap/libc.so" dev="dm-6" ino=1831 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:system_bootstrap_lib_file:s0 tclass=file permissive=1 [ 51.944437][ T453] type=1400 
audit(1728080571.840:18): avc: denied { execute } for comm="dump.f2fs" path="/system/lib64/bootstrap/libdl.so" dev="dm-6" ino=1833 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:system_bootstrap_lib_file:s0 tclass=file permissive=1 [ 51.979656][ T453] type=1400 audit(1728080571.848:19): avc: denied { search } for comm="dump.f2fs" name="block" dev="tmpfs" ino=12 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 [ 52.009905][ T453] type=1400 audit(1728080571.848:20): avc: denied { getattr } for comm="dump.f2fs" path="/dev/block/sda5" dev="tmpfs" ino=1294 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 [ 52.039894][ T453] type=1400 audit(1728080571.848:21): avc: denied { search } for comm="dump.f2fs" name="0:0:0:0" dev="sysfs" ino=64449 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 [ 52.075681][ T453] type=1400 audit(1728080571.848:22): avc: denied { getattr } for comm="dump.f2fs" path="/sys/devices/platform/13200000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda5/partition" dev="sysfs" ino=66405 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 [ 52.110042][ T453] type=1400 audit(1728080571.848:23): avc: denied { read } for comm="dump.f2fs" name="zoned" dev="sysfs" ino=66240 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 [ 52.151878][ T453] type=1400 audit(1728080571.848:24): avc: denied { open } for comm="dump.f2fs" path="/sys/devices/platform/13200000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=66240 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 [ 52.185339][ T453] type=1400 audit(1728080571.848:25): avc: denied { read write } for comm="dump.f2fs" name="sda5" dev="tmpfs" 
ino=1294 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 [ 52.225138][ T453] type=1400 audit(1728080571.848:26): avc: denied { open } for comm="dump.f2fs" path="/dev/block/sda5" dev="tmpfs" ino=1294 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 [ 52.225150][ T453] type=1400 audit(1728080571.848:27): avc: denied { ioctl } for comm="dump.f2fs" path="/dev/block/sda5" dev="tmpfs" ino=1294 ioctlcmd=0x1268 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 [ 52.225160][ T453] type=1400 audit(1728080571.848:28): avc: denied { create } for comm="dump.f2fs" name="nv_normal.bin" scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=file permissive=1 [ 52.225170][ T453] type=1400 audit(1728080571.848:29): avc: denied { read write open } for comm="dump.f2fs" path="/data/vendor/copied/efs.img/nv_normal.bin" dev="dm-57" ino=7569677 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=file permissive=1 [ 52.225184][ T453] type=1400 audit(1728080571.852:30): avc: denied { relabelfrom } for comm="dump.f2fs" name="nv_normal.bin" dev="dm-57" ino=7569677 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=file permissive=1 [ 52.225198][ T453] type=1400 audit(1728080571.852:31): avc: denied { relabelto } for comm="dump.f2fs" name="nv_normal.bin" dev="dm-57" ino=7569677 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=file permissive=1 [ 52.225213][ T453] type=1400 audit(1728080571.852:32): avc: denied { write } for comm="dump.f2fs" name="nv_normal.bin" dev="dm-57" ino=7569677 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=file permissive=1 [ 52.225227][ T453] type=1400 audit(1728080571.852:33): avc: denied { setattr } for 
comm="dump.f2fs" name="nv_normal.bin" dev="dm-57" ino=7569677 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=file permissive=1 [ 52.225240][ T453] type=1400 audit(1728080571.852:34): avc: denied { chown } for comm="dump.f2fs" capability=0 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:r:copy_efs_files_to_data:s0 tclass=capability permissive=1 [ 52.264424][ T453] type=1400 audit(1728080571.852:35): avc: denied { relabelfrom } for comm="dump.f2fs" name="efs.img" dev="dm-57" ino=7569676 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 52.310613][ T453] type=1400 audit(1728080571.852:36): avc: denied { relabelto } for comm="dump.f2fs" name="efs.img" dev="dm-57" ino=7569676 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 [ 52.356910][ T453] type=1400 audit(1728080571.852:37): avc: denied { search } for comm="dump.f2fs" name="efs.img" dev="dm-57" ino=7569676 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 [ 52.402344][ T453] type=1400 audit(1728080571.852:38): avc: denied { setattr } for comm="dump.f2fs" name="efs.img" dev="dm-57" ino=7569676 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 [ 52.446523][ T453] type=1400 audit(1728080571.868:39): avc: denied { write } for comm="dump.f2fs" path="/dev/kmsg_debug" dev="tmpfs" ino=6 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 [ 52.481694][ T453] type=1400 audit(1728080571.876:40): avc: denied { remove_name } for comm="mv" name="efs.img" dev="dm-57" ino=7569676 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 52.534169][ T453] type=1400 audit(1728080571.876:41): avc: denied { rename } for comm="mv" name="efs.img" dev="dm-57" ino=7569676 
scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 [ 52.552872][ T453] type=1400 audit(1728080571.892:42): avc: denied { read } for comm="fsync" name="copied" dev="dm-57" ino=7569664 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 52.586267][ T453] type=1400 audit(1728080571.892:43): avc: denied { fowner } for comm="fsync" capability=3 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:r:copy_efs_files_to_data:s0 tclass=capability permissive=1 [ 52.586291][ T453] type=1400 audit(1728080571.892:44): avc: denied { open } for comm="fsync" path="/data/vendor/copied" dev="dm-57" ino=7569664 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir permissive=1 [ 52.636388][ T453] type=1400 audit(1728080572.012:45): avc: denied { getattr } for comm="dump.f2fs" path="/dev/block/sda7" dev="tmpfs" ino=1141 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 [ 52.657184][ T453] type=1400 audit(1728080572.012:46): avc: denied { read write } for comm="dump.f2fs" name="sda7" dev="tmpfs" ino=1141 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 [ 52.676513][ T453] type=1400 audit(1728080572.012:47): avc: denied { open } for comm="dump.f2fs" path="/dev/block/sda7" dev="tmpfs" ino=1141 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 [ 52.704304][ T453] type=1400 audit(1728080572.012:48): avc: denied { ioctl } for comm="dump.f2fs" path="/dev/block/sda7" dev="tmpfs" ino=1141 ioctlcmd=0x1268 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 [ 52.732919][ T453] type=1400 audit(1728080572.016:49): avc: denied { relabelto } for comm="dump.f2fs" name="dds.bin" dev="dm-57" 
ino=7569688 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=file permissive=1 [ 52.767434][ T453] type=1400 audit(1728080572.016:50): avc: denied { write } for comm="dump.f2fs" name="dds.bin" dev="dm-57" ino=7569688 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=file permissive=1 [ 52.805716][ T453] type=1400 audit(1728080572.016:51): avc: denied { setattr } for comm="dump.f2fs" name="dds.bin" dev="dm-57" ino=7569688 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=file permissive=1 [ 53.034704][ T453] type=1400 audit(1728080572.016:52): avc: denied { relabelto } for comm="dump.f2fs" name="replay" dev="dm-57" ino=7569687 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 [ 53.066603][ T453] type=1400 audit(1728080572.016:53): avc: denied { search } for comm="dump.f2fs" name="replay" dev="dm-57" ino=7569687 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 [ 53.066613][ T453] type=1400 audit(1728080572.016:54): avc: denied { setattr } for comm="dump.f2fs" name="replay" dev="dm-57" ino=7569687 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 [ 53.066624][ T453] type=1400 audit(1728080572.020:55): avc: denied { rename } for comm="mv" name="modem_userdata.img" dev="dm-57" ino=7569686 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 [ 53.066649][ T453] type=1400 audit(1728080572.088:56): avc: denied { getattr } for comm="dump.f2fs" path="/dev/block/sda1" dev="tmpfs" ino=1382 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=1 [ 53.100566][ T453] type=1400 audit(1728080572.088:57): avc: denied { read write } for comm="dump.f2fs" name="sda1" dev="tmpfs" ino=1382 
scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=1 [ 53.100577][ T453] type=1400 audit(1728080572.088:58): avc: denied { open } for comm="dump.f2fs" path="/dev/block/sda1" dev="tmpfs" ino=1382 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=1 [ 53.170745][ T453] type=1400 audit(1728080572.088:59): avc: denied { ioctl } for comm="dump.f2fs" path="/dev/block/sda1" dev="tmpfs" ino=1382 ioctlcmd=0x1268 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=1 [ 53.170754][ T453] type=1400 audit(1728080572.092:60): avc: denied { relabelto } for comm="dump.f2fs" name="defender_charger_time" dev="dm-57" ino=7569692 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=1 [ 53.170765][ T453] type=1400 audit(1728080572.092:61): avc: denied { write } for comm="dump.f2fs" name="defender_charger_time" dev="dm-57" ino=7569692 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=1 [ 53.170775][ T453] type=1400 audit(1728080572.092:62): avc: denied { setattr } for comm="dump.f2fs" name="defender_charger_time" dev="dm-57" ino=7569692 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=1 [ 53.170785][ T453] type=1400 audit(1728080572.092:63): avc: denied { relabelto } for comm="dump.f2fs" name="battery" dev="dm-57" ino=7569691 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=1 [ 53.170797][ T453] type=1400 audit(1728080572.092:64): avc: denied { search } for comm="dump.f2fs" name="battery" dev="dm-57" ino=7569691 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=1 [ 53.170811][ T453] type=1400 audit(1728080572.092:65): avc: denied { setattr } 
for comm="dump.f2fs" name="battery" dev="dm-57" ino=7569691 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=1 [ 53.170825][ T453] type=1400 audit(1728080572.092:66): avc: denied { relabelto } for comm="dump.f2fs" name="touch" dev="dm-57" ino=7569694 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 [ 53.170839][ T453] type=1400 audit(1728080572.092:67): avc: denied { search } for comm="dump.f2fs" name="touch" dev="dm-57" ino=7569694 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 [ 53.207440][ T453] type=1400 audit(1728080572.092:68): avc: denied { setattr } for comm="dump.f2fs" name="touch" dev="dm-57" ino=7569694 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 [ 53.262539][ T453] type=1400 audit(1728080572.092:69): avc: denied { create } for comm="dump.f2fs" name="0" scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=lnk_file permissive=1 [ 53.291111][ T453] type=1400 audit(1728080572.092:70): avc: denied { relabelfrom } for comm="dump.f2fs" name="0" dev="dm-57" ino=7569696 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=lnk_file permissive=1 [ 53.314133][ T453] type=1400 audit(1728080572.092:71): avc: denied { relabelto } for comm="dump.f2fs" name="0" dev="dm-57" ino=7569696 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:tee_data_file:s0 tclass=lnk_file permissive=1 [ 53.351258][ T453] type=1400 audit(1728080572.092:72): avc: denied { setattr } for comm="dump.f2fs" name="0" dev="dm-57" ino=7569696 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:tee_data_file:s0 tclass=lnk_file permissive=1 [ 53.418367][ T453] type=1400 audit(1728080572.092:73): avc: denied { chown } for comm="dump.f2fs" capability=0 scontext=u:r:copy_efs_files_to_data:s0 
tcontext=u:r:copy_efs_files_to_data:s0 tclass=capability permissive=1 [ 53.461321][ T453] type=1400 audit(1728080572.092:74): avc: denied { relabelto } for comm="dump.f2fs" name="nsp" dev="dm-57" ino=7569697 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=file permissive=1 [ 53.467294][ T453] type=1400 audit(1728080572.092:75): avc: denied { write } for comm="dump.f2fs" name="nsp" dev="dm-57" ino=7569697 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=file permissive=1 [ 53.484014][ T453] type=1400 audit(1728080572.092:76): avc: denied { setattr } for comm="dump.f2fs" name="nsp" dev="dm-57" ino=7569697 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=file permissive=1 [ 53.510185][ T453] type=1400 audit(1728080572.092:77): avc: denied { relabelto } for comm="dump.f2fs" name="ss" dev="dm-57" ino=7569695 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=dir permissive=1 [ 53.527739][ T453] type=1400 audit(1728080572.092:78): avc: denied { search } for comm="dump.f2fs" name="ss" dev="dm-57" ino=7569695 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=dir permissive=1 [ 53.544592][ T453] type=1400 audit(1728080572.092:79): avc: denied { sys_admin } for comm="dump.f2fs" capability=21 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:r:copy_efs_files_to_data:s0 tclass=capability permissive=1 [ 53.589553][ T453] type=1400 audit(1728080572.092:80): avc: denied { setattr } for comm="dump.f2fs" name="ss" dev="dm-57" ino=7569695 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=dir permissive=1 [ 53.660501][ T453] type=1400 audit(1728080572.092:81): avc: denied { relabelto } for comm="dump.f2fs" name="qti_fp" dev="dm-57" ino=7569698 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_fingerprint_file:s0 tclass=dir permissive=1 [ 53.706160][ T453] 
type=1400 audit(1728080572.092:82): avc: denied { search } for comm="dump.f2fs" name="qti_fp" dev="dm-57" ino=7569698 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_fingerprint_file:s0 tclass=dir permissive=1 [ 53.750214][ T453] type=1400 audit(1728080572.092:83): avc: denied { setattr } for comm="dump.f2fs" name="qti_fp" dev="dm-57" ino=7569698 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_fingerprint_file:s0 tclass=dir permissive=1 [ 53.792724][ T453] type=1400 audit(1728080572.092:84): avc: denied { relabelto } for comm="dump.f2fs" name="cs40l26.cal" dev="dm-57" ino=7569700 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_haptics_file:s0 tclass=file permissive=1 [ 53.833755][ T453] type=1400 audit(1728080572.092:85): avc: denied { write } for comm="dump.f2fs" name="cs40l26.cal" dev="dm-57" ino=7569700 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_haptics_file:s0 tclass=file permissive=1 [ 53.866130][ T453] type=1400 audit(1728080572.092:86): avc: denied { setattr } for comm="dump.f2fs" name="cs40l26.cal" dev="dm-57" ino=7569700 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_haptics_file:s0 tclass=file permissive=1 [ 53.933950][ T453] type=1400 audit(1728080572.092:87): avc: denied { relabelto } for comm="dump.f2fs" name="haptics" dev="dm-57" ino=7569699 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_haptics_file:s0 tclass=dir permissive=1 [ 53.977389][ T453] type=1400 audit(1728080572.092:88): avc: denied { search } for comm="dump.f2fs" name="haptics" dev="dm-57" ino=7569699 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_haptics_file:s0 tclass=dir permissive=1 [ 54.007088][ T453] type=1400 audit(1728080572.092:89): avc: denied { setattr } for comm="dump.f2fs" name="haptics" dev="dm-57" ino=7569699 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_haptics_file:s0 tclass=dir permissive=1 [ 54.049913][ T453] 
type=1400 audit(1728080572.092:90): avc: denied { relabelto } for comm="dump.f2fs" name=".station_record" dev="dm-57" ino=7569701 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_file:s0 tclass=file permissive=1 [ 54.102692][ T453] type=1400 audit(1728080572.092:91): avc: denied { write } for comm="dump.f2fs" name=".station_record" dev="dm-57" ino=7569701 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_file:s0 tclass=file permissive=1 [ 54.144176][ T453] type=1400 audit(1728080572.092:92): avc: denied { setattr } for comm="dump.f2fs" name=".station_record" dev="dm-57" ino=7569701 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_file:s0 tclass=file permissive=1 [ 54.187937][ T453] type=1400 audit(1728080572.092:93): avc: denied { relabelto } for comm="dump.f2fs" name="icm45631_accel_fac_cal.reg" dev="dm-57" ino=7569704 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_sensor_reg_file:s0 tclass=file permissive=1 [ 54.219942][ T453] type=1400 audit(1728080572.092:94): avc: denied { write } for comm="dump.f2fs" name="icm45631_accel_fac_cal.reg" dev="dm-57" ino=7569704 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_sensor_reg_file:s0 tclass=file permissive=1 [ 54.287284][ T453] type=1400 audit(1728080572.092:95): avc: denied { setattr } for comm="dump.f2fs" name="icm45631_accel_fac_cal.reg" dev="dm-57" ino=7569704 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_sensor_reg_file:s0 tclass=file permissive=1 [ 54.332099][ T453] type=1400 audit(1728080572.092:96): avc: denied { relabelto } for comm="dump.f2fs" name="registry" dev="dm-57" ino=7569703 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_sensor_reg_file:s0 tclass=dir permissive=1 [ 54.364108][ T453] type=1400 audit(1728080572.092:97): avc: denied { search } for comm="dump.f2fs" name="registry" dev="dm-57" ino=7569703 scontext=u:r:copy_efs_files_to_data:s0 
tcontext=u:object_r:persist_sensor_reg_file:s0 tclass=dir permissive=1 [ 54.411041][ T453] type=1400 audit(1728080572.092:98): avc: denied { setattr } for comm="dump.f2fs" name="registry" dev="dm-57" ino=7569703 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_sensor_reg_file:s0 tclass=dir permissive=1 [ 54.411050][ T453] type=1400 audit(1728080572.096:99): avc: denied { relabelto } for comm="dump.f2fs" name="djinn-boitata_PDAF_Hbin_OTP.txt" dev="dm-57" ino=7569726 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_camera_file:s0 tclass=file permissive=1 [ 54.411061][ T453] type=1400 audit(1728080572.096:100): avc: denied { write } for comm="dump.f2fs" name="djinn-boitata_PDAF_Hbin_OTP.txt" dev="dm-57" ino=7569726 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_camera_file:s0 tclass=file permissive=1 [ 54.411075][ T453] type=1400 audit(1728080572.096:101): avc: denied { setattr } for comm="dump.f2fs" name="djinn-boitata_PDAF_Hbin_OTP.txt" dev="dm-57" ino=7569726 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_camera_file:s0 tclass=file permissive=1 [ 54.411089][ T453] type=1400 audit(1728080572.096:102): avc: denied { create } for comm="dump.f2fs" name="djinn-boitata_PDAF_Vbin_OTP.txt" scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=file permissive=1 [ 54.411103][ T453] type=1400 audit(1728080572.096:103): avc: denied { read write open } for comm="dump.f2fs" path="/data/vendor/copied/persist.img/camera/OTP_calibration/djinn-boitata_PDAF_Vbin_OTP.txt" dev="dm-57" ino=7569727 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=file permissive=1 [ 54.411118][ T453] type=1400 audit(1728080572.096:104): avc: denied { relabelfrom } for comm="dump.f2fs" name="djinn-boitata_PDAF_Vbin_OTP.txt" dev="dm-57" ino=7569727 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=file permissive=1 [ 
54.411130][ T453] type=1400 audit(1728080572.096:105): avc: denied { relabelto } for comm="dump.f2fs" name="OTP_calibration" dev="dm-57" ino=7569725 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_camera_file:s0 tclass=dir permissive=1 [ 54.411139][ T453] type=1400 audit(1728080572.096:106): avc: denied { search } for comm="dump.f2fs" name="OTP_calibration" dev="dm-57" ino=7569725 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_camera_file:s0 tclass=dir permissive=1 [ 54.411148][ T453] type=1400 audit(1728080572.096:107): avc: denied { setattr } for comm="dump.f2fs" name="OTP_calibration" dev="dm-57" ino=7569725 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_camera_file:s0 tclass=dir permissive=1 [ 54.411157][ T453] type=1400 audit(1728080572.100:108): avc: denied { relabelto } for comm="dump.f2fs" name="speaker.cal" dev="dm-57" ino=7569760 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_audio_file:s0 tclass=file permissive=1 [ 54.411171][ T453] type=1400 audit(1728080572.100:109): avc: denied { write } for comm="dump.f2fs" name="speaker.cal" dev="dm-57" ino=7569760 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_audio_file:s0 tclass=file permissive=1 [ 54.411180][ T453] type=1400 audit(1728080572.100:110): avc: denied { setattr } for comm="dump.f2fs" name="speaker.cal" dev="dm-57" ino=7569760 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_audio_file:s0 tclass=file permissive=1 [ 54.411189][ T453] type=1400 audit(1728080572.100:111): avc: denied { relabelto } for comm="dump.f2fs" name="audio" dev="dm-57" ino=7569759 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_audio_file:s0 tclass=dir permissive=1 [ 54.411198][ T453] type=1400 audit(1728080572.100:112): avc: denied { search } for comm="dump.f2fs" name="audio" dev="dm-57" ino=7569759 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_audio_file:s0 tclass=dir 
permissive=1 [ 54.411207][ T453] type=1400 audit(1728080572.100:113): avc: denied { setattr } for comm="dump.f2fs" name="audio" dev="dm-57" ino=7569759 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_audio_file:s0 tclass=dir permissive=1 [ 54.411216][ T453] type=1400 audit(1728080572.100:114): avc: denied { relabelto } for comm="dump.f2fs" name="factory_cal0.pb" dev="dm-57" ino=7569764 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_display_file:s0 tclass=file permissive=1 [ 54.411225][ T453] type=1400 audit(1728080572.100:115): avc: denied { write } for comm="dump.f2fs" name="factory_cal0.pb" dev="dm-57" ino=7569764 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_display_file:s0 tclass=file permissive=1 [ 54.411234][ T453] type=1400 audit(1728080572.100:116): avc: denied { setattr } for comm="dump.f2fs" name="factory_cal0.pb" dev="dm-57" ino=7569764 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_display_file:s0 tclass=file permissive=1 [ 54.411243][ T453] type=1400 audit(1728080572.100:117): avc: denied { relabelto } for comm="dump.f2fs" name="display" dev="dm-57" ino=7569763 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_display_file:s0 tclass=dir permissive=1 [ 54.411252][ T453] type=1400 audit(1728080572.100:118): avc: denied { search } for comm="dump.f2fs" name="display" dev="dm-57" ino=7569763 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_display_file:s0 tclass=dir permissive=1 [ 54.411262][ T453] type=1400 audit(1728080572.100:119): avc: denied { setattr } for comm="dump.f2fs" name="display" dev="dm-57" ino=7569763 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_display_file:s0 tclass=dir permissive=1 [ 54.411274][ T453] type=1400 audit(1728080572.120:120): avc: denied { rename } for comm="mv" name="persist.img" dev="dm-57" ino=7569690 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:object_r:persist_file:s0 tclass=dir 
permissive=1 [ 54.411286][ T453] type=1400 audit(1728080572.132:121): avc: denied { fowner } for comm="fsync" capability=3 scontext=u:r:copy_efs_files_to_data:s0 tcontext=u:r:copy_efs_files_to_data:s0 tclass=capability permissive=1 [ 58.572689][ T453] type=1400 audit(1728080578.820:122): avc: denied { signull } for comm="shared_modem_pl" scontext=u:r:modem_svc_sit:s0 tcontext=u:r:hal_radioext_default:s0 tclass=process permissive=1 bug=b/368187536 [ 58.735984][ T453] type=1400 audit(1728080578.984:123): avc: denied { sendto } for comm="binder:1143_2" path="/dev/socket/statsdw" scontext=u:r:modem_ml_svc_sit:s0 tcontext=u:r:statsd:s0 tclass=unix_dgram_socket permissive=1 [ 58.844813][ T453] type=1400 audit(1728080579.092:124): avc: denied { sendto } for comm="binder:1143_2" path="/dev/socket/statsdw" scontext=u:r:modem_ml_svc_sit:s0 tcontext=u:r:statsd:s0 tclass=unix_dgram_socket permissive=1 [ 86.597962][ T453] type=1400 audit(1728080606.848:455): avc: granted { read } for comm="rkstack.process" name="psched" dev="proc" ino=4026532082 scontext=u:r:network_stack:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 86.616310][ T453] type=1400 audit(1728080606.848:456): avc: granted { read open } for comm="rkstack.process" path="/proc/2394/net/psched" dev="proc" ino=4026532082 scontext=u:r:network_stack:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 86.645641][ T453] type=1400 audit(1728080606.848:457): avc: granted { getattr } for comm="rkstack.process" path="/proc/2394/net/psched" dev="proc" ino=4026532082 scontext=u:r:network_stack:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 91.030419][ T453] type=1400 audit(1728080611.268:458): avc: denied { open } for comm="ogle.android.as" path="/proc/version" dev="proc" ino=4026532093 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 app=com.google.android.as [ 91.171034][ T453] type=1400 audit(1728080611.268:459): avc: denied { getattr } for comm="ogle.android.as" 
path="/proc/version" dev="proc" ino=4026532093 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 app=com.google.android.as [ 91.348507][ T453] type=1400 audit(1728080611.368:460): avc: denied { create } for comm="init" name="iostats" scontext=u:r:vendor_init:s0 tcontext=u:object_r:rootdisk_sysdev:s0 tclass=file permissive=1 [ 91.556216][ T453] type=1400 audit(1728080611.784:461): avc: denied { create } for comm="HeapTaskDaemon" name="PersistentBackgroundCameraServices.2450.tmp" scontext=u:r:vendor_pbcs_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=1 [ 91.591920][ T453] type=1400 audit(1728080611.784:462): avc: denied { open } for comm="HeapTaskDaemon" path="/data/user/0/com.google.pixel.camera.services/cache/oat_primary/arm64/PersistentBackgroundCameraServices.2450.tmp" dev="dm-57" ino=11961224 scontext=u:r:vendor_pbcs_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=1 [ 91.610505][ T453] type=1400 audit(1728080611.824:463): avc: denied { add_name } for comm="HeapTaskDaemon" name="SecureElement.2505.tmp" scontext=u:r:secure_element:s0:c44,c260,c512,c768 tcontext=u:object_r:system_data_file:s0:c44,c260,c512,c768 tclass=dir permissive=1 [ 91.615399][ T453] type=1400 audit(1728080611.824:464): avc: denied { create } for comm="HeapTaskDaemon" name="SecureElement.2505.tmp" scontext=u:r:secure_element:s0:c44,c260,c512,c768 tcontext=u:object_r:system_data_file:s0:c44,c260,c512,c768 tclass=file permissive=1 [ 91.668729][ T453] type=1400 audit(1728080611.824:465): avc: denied { write open } for comm="HeapTaskDaemon" path="/data/user/0/com.android.se/cache/oat_primary/arm64/SecureElement.2505.tmp" dev="dm-57" ino=11961765 scontext=u:r:secure_element:s0:c44,c260,c512,c768 tcontext=u:object_r:system_data_file:s0:c44,c260,c512,c768 tclass=file permissive=1 [ 91.668788][ T453] type=1400 
audit(1728080611.836:466): avc: denied { rename } for comm="HeapTaskDaemon" name="PersistentBackgroundCameraServices.2450.tmp" dev="dm-57" ino=11961224 scontext=u:r:vendor_pbcs_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=1 [ 92.928109][ T453] type=1400 audit(1728080613.172:471): avc: granted { execute } for comm="id.apps.tachyon" path="/data/data/com.google.android.apps.tachyon/app_lib/libjingle_peerconnection_so.so" dev="dm-57" ino=11976916 scontext=u:r:untrusted_app:s0:c201,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c201,c256,c512,c768 tclass=file app=com.google.android.apps.tachyon [ 98.286553][ T453] type=1400 audit(1728080618.536:472): avc: granted { read } for comm="NetworkMonitor/" name="psched" dev="proc" ino=4026532082 scontext=u:r:network_stack:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 98.288073][ T453] type=1400 audit(1728080618.536:473): avc: granted { read open } for comm="NetworkMonitor/" path="/proc/2394/net/psched" dev="proc" ino=4026532082 scontext=u:r:network_stack:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 98.817428][ T453] type=1400 audit(1728080618.536:474): avc: granted { getattr } for comm="NetworkMonitor/" path="/proc/2394/net/psched" dev="proc" ino=4026532082 scontext=u:r:network_stack:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 98.821639][ T453] type=1400 audit(1728080619.040:475): avc: denied { read } for comm=424720546872656164202332 name="/" dev="sda10" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=1 app=com.google.android.googlequicksearchbox [ 99.279860][ T453] type=1400 audit(1728080619.040:476): avc: denied { open } for comm=424720546872656164202332 path="/metadata" dev="sda10" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=1 app=com.google.android.googlequicksearchbox [ 99.285144][ T453] type=1400 audit(1728080619.040:477): avc: 
denied { getattr } for comm=424720546872656164202332 path="/metadata" dev="sda10" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=1 app=com.google.android.googlequicksearchbox 10-04 15:23:52.880 5118 5118 I IntentService[D: type=1400 audit(0.0:1275): avc: denied { setattr } for name="omadm_logs.txt" dev="dm-57" ino=7569652 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 10-04 15:23:52.880 5118 5118 I IntentService[D: type=1400 audit(0.0:1276): avc: denied { append } for name="omadm_logs.txt" dev="dm-57" ino=7569652 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 10-04 15:23:52.880 5118 5118 I IntentService[D: type=1400 audit(0.0:1277): avc: denied { open } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-57" ino=7569652 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 10-04 15:23:55.096 5118 5118 I IntentService[D: type=1400 audit(0.0:1291): avc: denied { search } for name="radio" dev="dm-57" ino=7569419 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service 10-04 15:23:55.096 5118 5118 I IntentService[D: type=1400 audit(0.0:1292): avc: denied { getattr } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-57" ino=7569652 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 10-04 15:23:55.620 5118 5118 I IntentService[D: type=1400 audit(0.0:1297): avc: denied { getattr } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-57" ino=7569652 
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 10-04 15:23:55.620 5118 5118 I IntentService[D: type=1400 audit(0.0:1298): avc: denied { setattr } for name="omadm_logs.txt" dev="dm-57" ino=7569652 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 10-04 15:23:55.620 5118 5118 I IntentService[D: type=1400 audit(0.0:1299): avc: denied { append } for name="omadm_logs.txt" dev="dm-57" ino=7569652 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 10-04 15:23:55.620 5118 5118 I IntentService[D: type=1400 audit(0.0:1300): avc: denied { open } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-57" ino=7569652 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 10-04 15:23:55.956 5118 5118 I IntentService[D: type=1400 audit(0.0:1301): avc: denied { search } for name="radio" dev="dm-57" ino=7569419 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service
Test: atest Enable16KbTest
Flag: build.RELEASE_GOOGLE_CAIMAN_16K_DEVELOPER_OPTION
Bug: 347108593
Change-Id: I67929732c9b23081f3608ac5da413adda81b6c44
---
 radio/copy_efs_files_to_data.te | 56 +++++++++++++++++++++++++++++++++
 radio/file.te | 1 +
 radio/file_contexts | 2 ++
 vendor/property.te | 3 ++
 vendor/property_contexts | 3 ++
 vendor/vendor_init.te | 3 ++
 6 files changed, 68 insertions(+)
 create mode 100644 radio/copy_efs_files_to_data.te
diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te
new file mode 100644
index 0000000..865662a
--- /dev/null
+++ b/radio/copy_efs_files_to_data.te
@@ -0,0 +1,56 @@
+# necessary permissions to copy efs to be used in 16KB mode
+type copy_efs_files_to_data, domain;
+type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(copy_efs_files_to_data);
+
+# Allow creating files on /data/vendor/copied
+allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms };
+allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms };
+allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms };
+
+# Allow execute binaries from /vendor/bin
+allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
+allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
+
+# Allow execute /vendor/bin/dump.f2fs
+allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };
+
+# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs
+allow copy_efs_files_to_data block_device:dir search;
+allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms;
+
+# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist
+allow copy_efs_files_to_data modem_efs_file:dir getattr;
+allow copy_efs_files_to_data modem_userdata_file:dir getattr;
+allow copy_efs_files_to_data persist_file:dir getattr;
+
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;
+
+# dump.f2fs need to restore file permissions after dumping
+# files from an f2fs image
+allow copy_efs_files_to_data self:capability chown;
+allow copy_efs_files_to_data self:capability fowner;
+
+allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
+
+allow copy_efs_files_to_data system_bootstrap_lib_file:dir search;
+
+# Should not write to any block devices.
Only read from block device
+and dump files to /data/vendor/copied
+dontaudit copy_efs_files_to_data dev_type:blk_file write;
+# Setting xattr requires sys_admin
+dontaudit copy_efs_files_to_data self:capability sys_admin;
+# dump.f2fs would attempt to restore selinux on dumped files, but we
+# will use restorecon to do the job.
+dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom;
+dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom;
+dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_efs_file:file relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto;
diff --git a/radio/file.te b/radio/file.te
index a79dfcc..7745a6e 100644
--- a/radio/file.te
+++ b/radio/file.te
@@ -1,5 +1,6 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
+type modem_efs_image_file, file_type, data_file_type;
 type modem_ml_data_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type sysfs_gps, sysfs_type, fs_type;
diff --git a/radio/file_contexts b/radio/file_contexts
index 5a2653c..42086a3 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -11,6 +11,7 @@
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
 /vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0
 # Config files
 /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0
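Review bot: `allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };` lets this domain run any file labeled vendor_file in its own context, not only the /vendor/bin/dump.f2fs the comment names, and the same domain holds `chown`/`fowner` plus raw read access to the efs, modem_userdata and persist block devices. Since radio/file_contexts is already edited in this patch, give dump.f2fs its own exec type (e.g. `dump_f2fs_exec`, declared like copy_efs_files_to_data_exec) and replace the rule with `allow copy_efs_files_to_data dump_f2fs_exec:file rx_file_perms;` so the grant is pinned to one binary. The dumps written to /data/vendor/copied are copies of partitions that on these devices presumably hold modem provisioning data, and nothing in the new file states which other domains may read modem_efs_image_file; a comment naming the intended readers, or a neverallow keeping app domains away from it, would make that explicit. As printed, `+and dump files to /data/vendor/copied` has no leading `#`; if that is not an artifact of this rendering the .te file will not parse.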
@@ -22,6 +23,7 @@ /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 +/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/vendor/property.te b/vendor/property.te index 3f61bea..12a9d49 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -18,3 +18,6 @@ vendor_internal_prop(vendor_battery_defender_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# This prop will be set to "mounted" after /mnt/vendor/persist mounts +vendor_internal_prop(vendor_persist_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 8625439..d34fa99 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -36,3 +36,6 @@ ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.powerstats.entity_name u:object_r:vendor_display_prop:s0 exact string ro.vendor.secondarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string + +# For checking if persist partition is mounted +ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 7a8ec91..9738e63 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -8,3 +8,6 @@ userdebug_or_eng(` set_prop(vendor_init, vendor_imssvc_prop) ') +# Allow vendor_init to read ro.vendor.persist.status +# to process init.rc actions +set_prop(vendor_init, vendor_persist_prop) From 0e859b87a101bb2cf7d4987ff44b15ae1e766b47 Mon Sep 17 00:00:00 2001 
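Review bot: `ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string` accepts any value, while the property.te hunk in the same patch documents that the property only ever becomes `mounted`; declaring it `ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact enum mounted` (listing further states if a failed mount is also reported) makes property_service reject anything else and records the contract where readers of the init.rc triggers will look. Because it is an `ro.` property it is write-once, so the set of values should be fixed now rather than widened later.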
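Review bot: The comment `# Allow vendor_init to read ro.vendor.persist.status` does not match the rule beneath it, since `set_prop(vendor_init, vendor_persist_prop)` grants vendor_init write (and read) on the property. If init.rc is what sets it to `mounted` — the property.te comment in this patch suggests so — reword to `# Allow vendor_init to set ro.vendor.persist.status from init.rc once /mnt/vendor/persist is mounted`; if vendor_init only consumes it in triggers, `get_prop(vendor_init, vendor_persist_prop)` is the rule that matches the stated intent. The hunk is fully visible, so nothing outside it changes this reading.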
From: chenkris Date: Wed, 16 Oct 2024 05:57:38 +0000 Subject: [PATCH 16/41] Allow fingerprint HAL to access IGoodixFingerprintDaemon Fix the following avc denial: E SELinux : avc: denied { add } for pid=6578 uid=1000 name=vendor.goodix.hardware.biometrics.fingerprint.IGoodixFingerprintDaemon/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0 Flag: EXEMPT NDK Bug: 368993793 Test: Tested fingerprint under enforcing mode Change-Id: Iafed80d22d40e98cb0811ca84051066360f3dff8 --- vendor/service_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/service_contexts b/vendor/service_contexts index 38a8cca..78ef5c9 100644 --- a/vendor/service_contexts +++ b/vendor/service_contexts @@ -4,3 +4,4 @@ vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0 com.android.server.modemml.ITFLiteService/default u:object_r:modemml_tflite_service:s0 +vendor.goodix.hardware.biometrics.fingerprint.IGoodixFingerprintDaemon/default u:object_r:hal_fingerprint_service:s0 From f1471f5d65e10089f44fe136d54e73f4ba018770 Mon Sep 17 00:00:00 2001 From: cwkao Date: Thu, 24 Oct 2024 00:52:36 +0800 Subject: [PATCH 17/41] Share same seinfo between propsetter app and GCA. Bug: 375117470 Test: locally on komodo, the app functions as expected. Flag: EXEMPT NDK Change-Id: I60a6047835b23137391e3bd6edcfd1fb418a3e19 --- ...ndroid_apps_camera_tools_propsetter.x509.pem | 17 ----------------- vendor/keys.conf | 3 --- vendor/mac_permissions.xml | 3 --- vendor/seapp_contexts | 2 +- 4 files changed, 1 insertion(+), 24 deletions(-) delete mode 100644 vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem 
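Review bot: Labeling `vendor.goodix.hardware.biometrics.fingerprint.IGoodixFingerprintDaemon/default` as hal_fingerprint_service makes this vendor daemon interface discoverable by every domain allowed to `find` hal_fingerprint_service — presumably the framework's fingerprint client domains, not only hal_fingerprint_default whose `add` denial motivated the change. If the daemon is meant to be used only by the fingerprint HAL, a dedicated service type that only hal_fingerprint_default may add and find keeps the Goodix-specific surface off the system side; the consumers of hal_fingerprint_service are not visible from this hunk, so confirm the wider exposure is intended before landing.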
diff --git a/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem b/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem deleted file mode 100644 index 011a9ec..0000000 --- a/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx -EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw -NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE -ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO -OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR -+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb -+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg -UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX -TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj -rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB -TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK -pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY -DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG -ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 -rscXTxYEf4Tqovc= ------END CERTIFICATE----- diff --git a/vendor/keys.conf b/vendor/keys.conf index 15d7596..fac7f2b 100644 --- a/vendor/keys.conf +++ b/vendor/keys.conf @@ -1,5 +1,2 @@ [@EUICCSUPPORTPIXEL] ALL : device/google/zumapro-sepolicy/vendor/certs/EuiccSupportPixel.x509.pem - -[@CAMERAPROPSETTER] -ALL : device/google/zumapro-sepolicy/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml index 03409ee..0eab982 100644 --- a/vendor/mac_permissions.xml +++ b/vendor/mac_permissions.xml @@ -24,7 +24,4 @@ - - - diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 363e753..83802e7 100644 --- a/vendor/seapp_contexts 
+++ b/vendor/seapp_contexts @@ -2,4 +2,4 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all # Camera propsetter app -user=_app seinfo=CameraPropsetter name=com.google.android.apps.camera.tools.propsetter domain=camera_propsetter_app type=app_data_file levelFrom=all +user=_app seinfo=CameraEng name=com.google.android.apps.camera.tools.propsetter domain=camera_propsetter_app type=app_data_file levelFrom=all From dde398712478fcd6847fa38f09df884b129d3b67 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 25 Oct 2024 17:10:00 +0800 Subject: [PATCH 18/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 375564898 Bug: 375564818 Bug: 375563932 Bug: 375564360 Bug: 375521075 Flag: EXEMPT NDK Change-Id: I582e58598cf0c89de4b9aa904c84cbb065eba36b --- tracking_denials/bug_map | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e43bba5..b71e89c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,6 +3,7 @@ dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 grilservice_app default_android_service service_manager b/366116096 +grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 @@ -17,6 +18,7 @@ modem_svc_sit modem_ml_svc_sit file b/360060705 modem_svc_sit radio_vendor_data_file sock_file b/369539798 pixelstats_vendor block_device dir b/369539751 pixelstats_vendor block_device dir b/369540515 +pixelstats_vendor sysfs file b/375564818 ramdump ramdump capability b/369475712 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 
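Review bot: With the `CameraPropsetter` signer dropped from keys.conf and mac_permissions.xml in this patch, the new line `user=_app seinfo=CameraEng name=com.google.android.apps.camera.tools.propsetter domain=camera_propsetter_app ...` only takes effect if a `CameraEng` signer stanza still exists in a mac_permissions.xml this build includes; the XML bodies are not visible in this rendering, so please confirm, because a non-matching seinfo silently drops the app into whichever generic app entry matches next instead of camera_propsetter_app. Deleting the old certificate is itself right: its subject appears to be the stock `Android Debug` key (the PEM contains `QW5kcm9pZCBEZWJ1Zw`), which should never have gated a dedicated domain.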
@@ -24,4 +26,7 @@ sctd vendor_persist_config_default_prop file b/309550514 shell sysfs_net file b/338347525 spad spad unix_stream_socket b/309550905 swcnd swcnd unix_stream_socket b/309551062 +system_suspend sysfs dir b/375563932 +system_suspend sysfs_touch dir b/375563932 system_suspend sysfs_touch_gti dir b/350830429 +systemui_app system_data_file dir b/375564360 From 35b65db88fb6adbcefc9c9b5fad325eea066750b Mon Sep 17 00:00:00 2001 From: Julius Snipes Date: Tue, 8 Oct 2024 21:00:17 +0000 Subject: [PATCH 19/41] logger_app: allow logger_app to access persist.vendor.tcpdump.capture.len for logger_app Bug: 330812097 Flag: EXEMPT sepolicy change only Test: Confirm no selinux denial for persist.vendor.tcpdump.capture.len Change-Id: Iff208dc590e923b413647725354d6650745ba7a1 --- radio/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/property_contexts b/radio/property_contexts index 549c745..218e970 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -60,6 +60,7 @@ vendor.gps. u:object_r:vendor_gps_prop:s0 persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Tcpdump_logger +persist.vendor.tcpdump.capture.len u:object_r:vendor_tcpdump_log_prop:s0 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 From d03f77df69dbaf8af68507d0966eb5090af2ed47 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Tue, 5 Nov 2024 13:24:05 +0800 Subject: [PATCH 20/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 377412254 Flag: EXEMPT NDK Change-Id: I1345afdb481e9f84f2dd5fe745ebf594cbc33c66 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b71e89c..214c220 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
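Review bot: `persist.vendor.tcpdump.capture.len u:object_r:vendor_tcpdump_log_prop:s0` carries no type, so property_service will accept any string for what is a capture length; `persist.vendor.tcpdump.capture.len u:object_r:vendor_tcpdump_log_prop:s0 exact int` would reject a malformed value at set time instead of leaving it to the consumer, and matches the typed style of the `ro.vendor.primarydisplay...` entries elsewhere in this series. The commit message names logger_app as the beneficiary but the patch adds no logger_app rule, so this relies on logger_app already having access to vendor_tcpdump_log_prop through the existing entries — fine if so, but worth stating in the message.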
@@ -19,6 +19,9 @@ modem_svc_sit radio_vendor_data_file sock_file b/369539798 pixelstats_vendor block_device dir b/369539751 pixelstats_vendor block_device dir b/369540515 pixelstats_vendor sysfs file b/375564818 +platform_app vendor_fw_file dir b/377412254 +platform_app vendor_modem_prop property_service b/377412254 +platform_app vendor_rild_prop file b/377412254 ramdump ramdump capability b/369475712 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 From 31d6e2222059e305af1c43a090d01bb4c2615c93 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 7 Nov 2024 10:26:35 +0800 Subject: [PATCH 21/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 377787445 Flag: EXEMPT NDK Change-Id: I96db3485005cdaed405c8d117b1d50b5f29b533f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 214c220..a77ab22 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,6 +2,7 @@ dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 +dumpstate system_data_file dir b/377787445 grilservice_app default_android_service service_manager b/366116096 grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 From 2fe912350e9988cc14ee3f5c17709282023171b2 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 8 Nov 2024 11:35:17 +0800 Subject: [PATCH 22/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 378004800 Flag: EXEMPT NDK Change-Id: I5cdb5950053f291969b660758a3eac4deda3995c --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a77ab22..7f1d53e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
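Review bot: `platform_app vendor_modem_prop property_service b/377412254` tracks a platform-signed app trying to set a vendor modem property; when the bug is resolved it should not be closed with `set_prop(platform_app, vendor_modem_prop)`, because platform_app covers every platform-signed app rather than the one that needs the write. The shape used elsewhere in this repo — a dedicated app domain in seapp_contexts with the set_prop on that domain — is the right fix, and the same applies to the `vendor_fw_file dir` and `vendor_rild_prop file` entries on the same line.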
@@ -6,6 +6,7 @@ dumpstate system_data_file dir b/377787445 grilservice_app default_android_service service_manager b/366116096 grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 +hal_gnss_pixel vendor_gps_file file b/378004800 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 kernel sepolicy_file file b/353418189 From f8891af46e3b64d63d2db668203fe2355a5a44c9 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Mon, 11 Nov 2024 17:06:26 +0000 Subject: [PATCH 23/41] sepolicy: add label for logbuffer - Add logbuffer_device label for ln8411, dc_mains, dual_batt - Remove from tracking_deniel Bug: 377895720 Flag: EXEMPT bugfix Change-Id: Ia542c089bcf0eb6bb4ea3e026d43937390720b22 Signed-off-by: Spade Lee --- tracking_denials/file_contexts | 5 ----- vendor/file_contexts | 3 +++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/tracking_denials/file_contexts b/tracking_denials/file_contexts index 3a629b2..cf16b0a 100644 --- a/tracking_denials/file_contexts +++ b/tracking_denials/file_contexts @@ -9,12 +9,7 @@ /vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Devices -/dev/logbuffer_maxq u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 -/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 -/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0 /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-eeprom-gt24p64e-imentet u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index c7fd912..f3a4316 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -67,6 +67,7 @@ /dev/logbuffer_maxfg_secondary u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_secondary_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_dual_batt u:object_r:logbuffer_device:s0 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 /dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0 @@ -128,6 +129,8 @@ /dev/logbuffer_rtx u:object_r:logbuffer_device:s0 /dev/logbuffer_max77779fg u:object_r:logbuffer_device:s0 /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 +/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0 +/dev/logbuffer_dc_mains u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 /dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/logbuffer_max77779fg_monitor u:object_r:logbuffer_device:s0 From 30306a34b5211e6c45253ab5f9837108a9b088b0 Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Wed, 13 Nov 2024 20:34:41 +0000 Subject: [PATCH 24/41] shamp: remove fixed bug from bugmap Bug: 360060705 Flag: NONE clean up bugmap Change-Id: I7d71aefa766e870e8bccb100ed5ad796dbbab36b --- tracking_denials/bug_map | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7f1d53e..863e2be 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -13,10 +13,6 @@ kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file file b/353418189 kernel system_dlkm_file dir b/353418189 -modem_svc_sit hal_radioext_default process b/368187536 -modem_svc_sit hal_radioext_default process b/368188020 -modem_svc_sit modem_ml_svc_sit file b/360060680 -modem_svc_sit modem_ml_svc_sit file b/360060705 modem_svc_sit radio_vendor_data_file sock_file b/369539798 pixelstats_vendor block_device dir b/369539751 pixelstats_vendor block_device dir b/369540515 
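Review bot: The tracking_denials hunk removes five logbuffer entries, but the vendor/file_contexts hunks re-add only `/dev/logbuffer_ln8411` among them (`dc_mains` and `dual_batt` are new names), so `/dev/logbuffer_maxq`, `_maxfg`, `_pca9468_tcpm` and `_maxfg_monitor` are not visibly labeled anywhere in this patch. If those nodes still exist on these devices and are not covered by another file_contexts the build includes, they fall back to the generic `device` label, which either breaks the daemons that read them or, if any domain holds a broad `device` rule, widens who can read the logbuffers. Confirm they are labeled elsewhere, or keep them in vendor/file_contexts next to `/dev/logbuffer_ln8411`.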
From 233610e6a445401859b47343943d122c129b23c9 Mon Sep 17 00:00:00 2001 From: Joen Chen Date: Thu, 14 Nov 2024 06:10:09 +0000 Subject: [PATCH 25/41] correct frame_interval_ns and expected_present_time_ns naming Bug: 378992900 Flag: EXEMPT bugfix Test: scrolling/rotate phone and check if there is error log Change-Id: I927a490cb25b3d3f69bed4d62da80b66de1ad430 --- vendor/genfs_contexts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 0f4531f..ba380bc 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -372,8 +372,8 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_ctr genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_option u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_rate_hz u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_interval u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/expected_present_time u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_interval_ns u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/expected_present_time_ns u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 From 351ceac512c6c605c1f1f3082b1c07252f92d198 Mon Sep 17 00:00:00 2001 
From: Nina Chen Date: Fri, 15 Nov 2024 11:43:43 +0800 Subject: [PATCH 26/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379206528 Bug: 379206406 Flag: EXEMPT NDK Change-Id: I82ca7cb985e9fd755dba5d29139a2b9a9f638f9a --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 863e2be..2c7a6f0 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,6 +9,7 @@ hal_gnss_default vendor_gps_prop file b/318310869 hal_gnss_pixel vendor_gps_file file b/378004800 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 +init init capability b/379206528 kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file file b/353418189 @@ -31,3 +32,4 @@ system_suspend sysfs dir b/375563932 system_suspend sysfs_touch dir b/375563932 system_suspend sysfs_touch_gti dir b/350830429 systemui_app system_data_file dir b/375564360 +zygote zygote capability b/379206406 From 9faa3999eff2b4ee400b8c46f4efae2be0561538 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 18:28:30 +0800 Subject: [PATCH 27/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379245474 Bug: 379245673 Bug: 379245788 Bug: 379244519 Bug: 379245853 Flag: EXEMPT NDK Change-Id: Ic1c8e73773ed71eea7be46187231fde6b5283e8a --- tracking_denials/bug_map | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2c7a6f0..5b18d9c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ +bluetooth audio_config_prop file b/379245474 dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 
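Review bot: `init init capability b/379206528` and `zygote zygote capability b/379206406` mask every capability denial in init and zygote, because bug_map matches only scontext/tcontext/tclass and not the capability name; a later regression that makes either process reach for a different capability would hide behind the same bug. Record the specific capability from the avc line in each bug and treat both entries as short-lived — these are the two domains where a tracked denial should not be allowed to linger.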
@@ -7,6 +8,7 @@ grilservice_app default_android_service service_manager b/366116096 grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 hal_gnss_pixel vendor_gps_file file b/378004800 +hal_graphics_composer_default sysfs file b/379245673 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 init init capability b/379206528 @@ -21,6 +23,8 @@ pixelstats_vendor sysfs file b/375564818 platform_app vendor_fw_file dir b/377412254 platform_app vendor_modem_prop property_service b/377412254 platform_app vendor_rild_prop file b/377412254 +priv_app audio_config_prop file b/379245788 +radio audio_config_prop file b/379244519 ramdump ramdump capability b/369475712 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 @@ -32,4 +36,5 @@ system_suspend sysfs dir b/375563932 system_suspend sysfs_touch dir b/375563932 system_suspend sysfs_touch_gti dir b/350830429 systemui_app system_data_file dir b/375564360 +untrusted_app audio_config_prop file b/379245853 zygote zygote capability b/379206406 From 78eaa18cf3ed523c7784e190d52fecbfc20beeb9 Mon Sep 17 00:00:00 2001 From: Boon Jun Date: Tue, 12 Nov 2024 07:42:20 +0000 Subject: [PATCH 28/41] Support access to radioext service over AIDL 11-13 17:08:24.418 396 396 E SELinux : avc: denied { find } for pid=15273 uid=1000 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hal_radio_ext_service:s0 tclass=service_manager permissive=0 Bug: 377991853 Bug: 371878208 Test: Open camera & observe connection to radio Flag: EXEMPT bugfix Change-Id: I1c53381f2aef1def44f7a717a9998acc826fe6aa --- vendor/hal_camera_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 4ff601b..379e1be 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te 
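Review bot: `untrusted_app audio_config_prop file b/379245853` records untrusted apps being denied a read of audio_config_prop, which — unless that property is meant to be public — is the policy working as intended; the resolution for this bug belongs on the reader side (the app or framework code probing the property), or a `dontaudit` if the probe is harmless, not `get_prop(untrusted_app, audio_config_prop)`. The `priv_app`, `radio` and `bluetooth` entries on the same line are separate bugs and may legitimately end in a get_prop if those domains need the value.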
@@ -74,6 +74,7 @@ allow hal_camera_default sysfs_display:file r_file_perms; # Allow camera HAL to query preferred camera frequencies from the radio HAL # extensions to avoid interference with cellular antennas. allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; +allow hal_camera_default hal_radio_ext_service:service_manager find; # Allows camera HAL to access the hw_jpeg /dev/video12. allow hal_camera_default hw_jpg_device:chr_file rw_file_perms; From 7e11c79345bdba9418756bb3a89864b06230783b Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Thu, 21 Nov 2024 07:58:55 +0000 Subject: [PATCH 29/41] modem_svc: move shared_modem_platform related sepolicy to gs-common Bug: 372400955 Change-Id: I92d9a64c339f2b99e1fdc531145a950c3428dd82 Flag: NONE local testing only --- radio/file_contexts | 1 - radio/modem_svc_sit.te | 3 --- zumapro-sepolicy.mk | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-) diff --git a/radio/file_contexts b/radio/file_contexts index 42086a3..34e7e8b 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -10,7 +10,6 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 -/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index d23274c..a2fd70a 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te 
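Review bot: `allow hal_camera_default hal_radio_ext_service:service_manager find;` only lets the camera HAL look the AIDL service up; the call itself needs `binder_call` between hal_camera_default and whichever domain registers vendor.google.radio_ext.IRadioExt, and no such rule is in this hunk. If that is already granted for the HIDL path (the hwservice find line above suggests hal_radioext_default) this is complete, otherwise the next denial will be a binder one. The comment above the two rules could also mention that both the HIDL and AIDL lookups are covered, so the hwservice line can be removed cleanly once the HIDL interface is retired.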
@@ -38,9 +38,6 @@ get_prop(modem_svc_sit, vendor_logger_prop) allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) -# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. -hal_server_domain(modem_svc_sit, hal_shared_modem_platform) - # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk index 4edddb2..3112db3 100644 --- a/zumapro-sepolicy.mk +++ b/zumapro-sepolicy.mk @@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zumapro BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor -BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio +BOARD_VENDOR_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private # unresolved SELinux error log with bug tracking From 62f34d8794f403d9f2a87bf92c7a984ad591df1e Mon Sep 17 00:00:00 2001 From: "Liana Kazanova (xWF)" Date: Thu, 21 Nov 2024 17:53:56 +0000 Subject: [PATCH 30/41] Revert "modem_svc: move shared_modem_platform related sepolicy t..." Revert submission 30519089-move_modem_sepolicy Reason for revert: DroidMonitor: Potential culprit for http://b/380274930 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted. Reverted changes: /q/submissionid:30519089-move_modem_sepolicy Change-Id: I74d37465d49e31c84d5e51bb0f020988a41b66ab --- radio/file_contexts | 1 + radio/modem_svc_sit.te | 3 +++ zumapro-sepolicy.mk | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/radio/file_contexts b/radio/file_contexts index 34e7e8b..42086a3 100644 --- a/radio/file_contexts +++ b/radio/file_contexts 
@@ -10,6 +10,7 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 +/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index a2fd70a..d23274c 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -38,6 +38,9 @@ get_prop(modem_svc_sit, vendor_logger_prop) allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) +# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. +hal_server_domain(modem_svc_sit, hal_shared_modem_platform) + # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk index 3112db3..4edddb2 100644 --- a/zumapro-sepolicy.mk +++ b/zumapro-sepolicy.mk @@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zumapro BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor -BOARD_VENDOR_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio +BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private # unresolved SELinux error log with bug tracking From 0d60be5645165650e4c305391e4f9569a1881fc6 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Tue, 26 Nov 2024 11:38:18 +0800 Subject: [PATCH 31/41] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 380989493 Flag: EXEMPT NDK Change-Id: Iffaff71c72b03d58d2abcbe44007c2be469050bd --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5b18d9c..b74db38 100644 
--- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,6 @@ bluetooth audio_config_prop file b/379245474 +bpfloader fs_bpf dir b/380989493 dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 From ec3dae0ee35d05f60b1da0c67b860efdf6cf671d Mon Sep 17 00:00:00 2001 From: mikeyuewang Date: Fri, 22 Nov 2024 17:45:07 +0000 Subject: [PATCH 32/41] Update the PMS app seinfo for the certification change. Bug: 375656221 Flag: EXEMPT selinux app context change. Change-Id: If9bd9a3818b2f117cf26a13c2ae6940b53963b92 --- .../com_google_android_modem_pms.x509.pem | 29 +++++++++++++++++++ radio/keys.conf | 3 ++ radio/mac_permissions.xml | 3 ++ radio/seapp_contexts | 2 +- 4 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 radio/certs/com_google_android_modem_pms.x509.pem diff --git a/radio/certs/com_google_android_modem_pms.x509.pem b/radio/certs/com_google_android_modem_pms.x509.pem new file mode 100644 index 0000000..27b5f75 --- /dev/null +++ b/radio/certs/com_google_android_modem_pms.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF9DCCA9ygAwIBAgIUdblfv7oNBrd5Bh3HcvmyFOTotxowDQYJKoZIhvcNAQELBQAwgYkxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDElMCMGA1UEAwwcY29tX2dvb2ds +ZV9hbmRyb2lkX21vZGVtX3BtczAgFw0yNDA4MTkxODEwMjdaGA8yMDU0MDgxOTE4MTAyN1owgYkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3 +MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDElMCMGA1UEAwwcY29tX2dv +b2dsZV9hbmRyb2lkX21vZGVtX3BtczCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALe5 +J/LkcvdP1z2FUDUBW2V37s4FyMe8d5a7YEkji7hC5l/W9nCnLVplhqxAD6fU10T3W8xKvbxyfu4I +MvNJvzxlgzTNUJkVa+cbYDfnJd4lboF0NdJFIpYxNVFC1us96qcEwxEUWN0evamqawOUv7S4cwA4 +mwsh5zZcOL5217ytSO+88tvXIongGZXyhHN4iTbd2//R23Ia4s39zNVlEMcgExWBRyn1PEcO3LBn +4/SK/jnYRdZrHjKK1qkeTMYPu21NqcBJISAdjDbwnHuBjQp+hbd4XY3QROJM6LJ4J34PpbskyvIy +tU1VShZ+CV2P3RSkTk1L0K4IqHa3OzD4EtRvARHmggjieokWOIKfyklYRE1e/C4XbhNbj08cD2hR +orFNF2inbVpUVfBa3MJyOLTitnU9bTkprO1C63xXoXfSocbEgtSSl94PJjDVrpB8JiAjnrGUItSS +2+pW5J5pxREFMPxp7fOCOFoiD/gHgOJjHNWEPFdSWLcEe4trrAPLexbfBmtVFJ4lLXhzg1ERxEJJ +QriZ4FoAtB6XSILDJgXxe6xtoJ0fZDxp0FWaTIU2rRR/OOjjPEGzrSzfZjgeIj512qhaYiqfwSQ4 +i6cTEz1+UY/u9sFeW2N884VAWi1ZIx1kzYMUisAeehJXzlJFB+q0qinaoCwyFRcOOK144E8RAgMB +AAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFCpkoCKwoSargw1pVZUVLuoKSQOdMB8GA1Ud +IwQYMBaAFCpkoCKwoSargw1pVZUVLuoKSQOdMA0GCSqGSIb3DQEBCwUAA4ICAQCRmyU23cp/ysn+ +ndfZekfNZJmktrY9W7WZ2kKuH0w/L/Y2HO9fg4HKHzfElJeSBgt7z3DkQ8exaCHdwGo4Inu8Yyjp +NgS0Zhfsa/yyORpvu5m62KFhT2x3gDKSTdPlP1z6pi3ADt3XtUOHoVgakM0YhRPvS/5epJOH5lgE +ONCExGiUUD5S7vgabda4R7jBmsDcIh9fsER9IQrlP1IN4auqbKfpVOd3yxNMcfg5WN+QvBA3lh3E ++hsQb1/SCUhOoXIzs7hfiy6hLMQx0wg/s2Zdc5h/8eQAgLhm0aELfq5Bm4IR6uxArwLkaBO4sEh0 +I+7eTNR/Z0fu5V6H1zdRupoZmXjlgqR6t9eAwxHqQfHJzUASBCmrXfnXDG4kdwiZz8dDCXvNxahS +YM7PB3gozD3mc/NGs6qjv/11Bu3gSaoXFPBDWxCJ99SPU1yp6e/pLqfqzQ1raijJWehqZudBU3vR +1VVN9Iw0KP3/RpT1fLJqoXMK/QUjQF/JURGDhLZqPqx+RNGGlhWYx/j0LJNFJMMwusTCd9l5DtiK 
+eGjXj6Z9zde1wrqKDjrY+kHWNwHeoDjX8MrQb36KzkJNFIY8eHS7tki0ATTgeBsfmiDusWpSJu2Q
+9pnrCJYpoS3IXDwiDTf/6l41Bl1VLDZZm/K0mzALzynTrqhut310/RB+wUD2nw==
+-----END CERTIFICATE-----
diff --git a/radio/keys.conf b/radio/keys.conf
index 45db97d..baa99df 100644
--- a/radio/keys.conf
+++ b/radio/keys.conf
@@ -1,3 +1,6 @@
 [@MDS]
 ALL : device/google/zumapro-sepolicy/radio/certs/com_google_mds.x509.pem
+[@PMS]
+ALL : device/google/zumapro-sepolicy/radio/certs/com_google_android_modem_pms.x509.pem
+
diff --git a/radio/mac_permissions.xml b/radio/mac_permissions.xml
index 4b997c2..47bdf39 100644
--- a/radio/mac_permissions.xml
+++ b/radio/mac_permissions.xml
@@ -24,4 +24,7 @@
+
+
+
diff --git a/radio/seapp_contexts b/radio/seapp_contexts
index 7ed10c6..eec8a5e 100644
--- a/radio/seapp_contexts
+++ b/radio/seapp_contexts
@@ -34,4 +34,4 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 user=_app isPrivApp=true seinfo=platform name=com.samsung.slsi.telephony.satelliteservice domain=vendor_satellite_service levelFrom=all
 # Domain for pixel_modem_app
-user=_app isPrivApp=true seinfo=platform name=com.google.android.modem.pms domain=pixel_modem_app levelFrom=all
+user=_app isPrivApp=true seinfo=pms name=com.google.android.modem.pms domain=pixel_modem_app levelFrom=all
From 100436811e70aab6bfc03e37bf67782b3a9b3a5d Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Thu, 28 Nov 2024 10:56:02 +0800
Subject: [PATCH 33/41] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 381327278
Flag: EXEMPT sepolicy
Change-Id: I359cc10c3a6f5bd5b20c4b1022f39f40484aa950
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index b74db38..257ef83 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,5 @@
+aconfigd apex_info_file file b/381327278
 bluetooth audio_config_prop file b/379245474
 bpfloader fs_bpf dir b/380989493
 dump_display sysfs file b/322917055
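Review bot: The seapp_contexts change to `seinfo=pms` for com.google.android.modem.pms only takes effect if mac_permissions.xml maps the new @PMS signer to the seinfo value `pms`, and the three added lines of that file are not legible in this rendering, so the mapping cannot be confirmed from the diff. Presumably they pair the @PMS key from keys.conf with a matching seinfo entry; if the value differs from `pms`, the app would no longer match this line and would fall through to a generic app context instead of pixel_modem_app. Since `isPrivApp=true` is kept, the app must still be installed as a privileged app in addition to being signed with the pinned certificate for the line to match.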
From 57bf47fc5cef973da7b270777ce47d9fae4a5208 Mon Sep 17 00:00:00 2001
From: Jack Wu
Date: Fri, 29 Nov 2024 12:41:11 +0800
Subject: [PATCH 34/41] add permission for hl7132 sysfs

Bug: 381457533
Test: adb bugreport
Flag: EXEMPT bugfix
Change-Id: I640957b4834e35f0c3aa9d3cd789865eff019dd3
Signed-off-by: Jack Wu
---
 vendor/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index ba380bc..d8b9f20 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -31,6 +31,8 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/registers_dump
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0050/eeprom u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/registers_dump u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-005e/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-005e/registers_dump u:object_r:sysfs_power_dump:s0
 genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0
From afb2839d6ec1fbffe77aa9b37a17c3f3a90411a2 Mon Sep 17 00:00:00 2001
From: Rohan Narayanan
Date: Tue, 3 Dec 2024 17:52:20 -0800
Subject: [PATCH 35/41] Add hal_shared_modem_platform to modem_diagnostic_app.te

This is needed to access the modem platform HAL.

FLAG: EXEMPT HAL interface change
Test: manual testing of selinux
Bug: 351024952
Change-Id: I95fc6b997e08ae46089ed90a1060c23274f6cd58
---
 radio/modem_diagnostic_app.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te
index 60835a5..fb0bfea 100644
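Review bot: The two added genfscon entries label the new 11-005e node inconsistently with the existing 10-005b charger entries directly above them: power_supply keeps sysfs_batteryinfo, but registers_dump becomes sysfs_power_dump, whereas 10-005b/registers_dump stays sysfs_batteryinfo. If register dumps are meant to be gated more tightly than battery info (sysfs_power_dump presumably is a narrower, debug-oriented type), that is an improvement, but then the 10-005b entry probably wants the same treatment, and a one-line comment such as `# hl7132 register dump is debug-only; keep it out of sysfs_batteryinfo` would record the intent. If the split is accidental, both registers_dump lines should carry the same type.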
--- a/radio/modem_diagnostic_app.te
+++ b/radio/modem_diagnostic_app.te
@@ -1,3 +1,4 @@
+# Selinux rule for ModemDiagnosticService (MDS) app
 type modem_diagnostic_app, domain;
 app_domain(modem_diagnostic_app)
@@ -10,6 +11,7 @@ userdebug_or_eng(`
 allow modem_diagnostic_app sysfs_modem_state:file r_file_perms;
 hal_client_domain(modem_diagnostic_app, hal_power_stats);
+ hal_client_domain(modem_diagnostic_app, hal_shared_modem_platform);
 allow modem_diagnostic_app hal_vendor_radio_external_service:service_manager find;
 allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find;
From c22f8701699b36e2c49f763aeaf303d37ef03033 Mon Sep 17 00:00:00 2001
From: Jeremy Nei
Date: Tue, 26 Nov 2024 07:41:05 +0000
Subject: [PATCH 36/41] port display sysfs access

Adds color_data access to sysfs_display

Bug: 369456857
Test: adb shell displaycolor_service 20000
Flag: EXEMPT N/A
Change-Id: Id2a00d138daad44d7135d5bd5652b128c1c63e46
---
 vendor/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index ba380bc..ea79abf 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -379,6 +379,7 @@ genfscon sysfs /devices/platform/19470000.drmdecon/hibernation
 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/color_data u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0
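Review bot: The new `hal_client_domain(modem_diagnostic_app, hal_shared_modem_platform);` line appears to sit inside the userdebug_or_eng(` block (the hunk header names that block as context and the line is indented like its neighbours; the block opens before this hunk and seems to close after it), so the access the commit message describes as needed to reach the modem platform HAL is only granted on userdebug/eng builds. If MDS must reach the HAL on user builds the rule belongs outside that block; if debug-only access is intended, the commit message should say so. Note also that patch 40/41 in this series moves the shared_modem_platform policy out of this repository, so this rule then depends on gs-common still defining hal_shared_modem_platform.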
From a9b6884b3a0321f4bd576aba9ec44acc3598e368 Mon Sep 17 00:00:00 2001
From: jonerlin
Date: Tue, 26 Nov 2024 06:59:59 +0000
Subject: [PATCH 37/41] allow hal_bluetooth_btlinux write sysfs file

12-04 19:32:23.040000 1002 784 784 I auditd : type=1400 audit(0.0:30): avc: denied { write } for comm="binder:784_2" name="uart_dbg" dev="sysfs" ino=60136 scontext=u:r:hal_bluetooth_btlinux:s0 tcontext=u:object_r:sysfs_bt_uart:s0 tclass=file permissive=0
12-04 19:32:23.040000 1002 784 784 W binder:784_2: type=1400 audit(0.0:30): avc: denied { write } for name="uart_dbg" dev="sysfs" ino=60136 scontext=u:r:hal_bluetooth_btlinux:s0 tcontext=u:object_r:sysfs_bt_uart:s0 tclass=file permissive=0

Bug: 376774204
Test: v2/pixel-pts/release/bootstress/1200counts/suspend-resume
Flag: EXEMPT project configuration patch
Change-Id: I6c1a28d0e5e22b03b088d64d550fd475d796ae67
---
 vendor/file.te | 1 +
 vendor/genfs_contexts | 3 +++
 vendor/hal_bluetooth_btlinux.te | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/vendor/file.te b/vendor/file.te
index 46f792e..9c90033 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -61,6 +61,7 @@ type chre_socket, file_type;
 # BT
 type vendor_bt_data_file, file_type, data_file_type;
+type sysfs_bt_uart, sysfs_type, fs_type;
 # Vendor sched files
 userdebug_or_eng(`
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 0f4531f..1de2c8e 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -493,3 +493,6 @@ genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:obje
 # CPU
 genfscon sysfs /kernel/metrics/cpuidle_histogram/cpuidle_histogram u:object_r:sysfs_cpu:s0
 genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:object_r:sysfs_cpu:s0
+
+# Bluetooth
+genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te
index 65e037d..272c372 100644
--- a/vendor/hal_bluetooth_btlinux.te
+++ b/vendor/hal_bluetooth_btlinux.te
@@ -1 +1,4 @@
+# Allow triggering uart skip suspend
+allow hal_bluetooth_btlinux sysfs_bt_uart:file w_file_perms;
+
 allow hal_bluetooth_btlinux vendor_bt_data_file:sock_file create_file_perms;
From 30570259fe8c6aa6274c2a81e27874b80ee89cf2 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Thu, 5 Dec 2024 10:49:00 +0800
Subject: [PATCH 38/41] Update SELinux error

Flag: EXEMPT sepolicy
Test: SELinuxUncheckedDenialBootTest
Bug: 382362300
Bug: 366116096
Change-Id: I8cf6742ded1f3b90b46909ee0ac47c9f33258466
---
 tracking_denials/bluetooth.te | 2 ++
 tracking_denials/bug_map | 1 -
 tracking_denials/grilservice_app.te | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 tracking_denials/bluetooth.te

diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te
new file mode 100644
index 0000000..3136980
--- /dev/null
+++ b/tracking_denials/bluetooth.te
@@ -0,0 +1,2 @@
+# b/382362300
+dontaudit bluetooth default_android_service:service_manager { find };
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 257ef83..149d961 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,7 +6,6 @@ dump_display sysfs file b/322917055
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
-grilservice_app default_android_service service_manager b/366116096
 grilservice_app twoshay binder b/375564898
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_gnss_pixel vendor_gps_file file b/378004800
diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te
index c4dc75e..4ebeba8 100644
--- a/tracking_denials/grilservice_app.te
+++ b/tracking_denials/grilservice_app.te
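Review bot: `w_file_perms` on sysfs_bt_uart:file grants append, lock and map in addition to open and write, which is more than a trigger node needs, and the audit lines in the commit message show only `write` being denied. If the HAL only writes a value to uart_dbg, `allow hal_bluetooth_btlinux sysfs_bt_uart:file { open write };` is the tighter rule. The comment `# Allow triggering uart skip suspend` could also name the node, e.g. `# Allow writing uart_dbg so the UART skips suspend`, since the genfscon entry that gives sysfs_bt_uart its meaning lives in a different file.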
@@ -1,2 +1,4 @@
 # b/312069580
 dontaudit grilservice_app hal_bluetooth_coexistence_service:service_manager { find };
+# b/366116096
+dontaudit grilservice_app default_android_service:service_manager { find };
From 1e5b6fb9ebcc802fd23458b10cd3bfc1dcb873c3 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Fri, 6 Dec 2024 04:07:23 +0000
Subject: [PATCH 39/41] Allow tachyon service to make binder calls to GCA

This permission is needed for tachyon service to call callbacks.

AVC Error seen when tachyon tries accessing GCA:
12-02 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0
12-03 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0

Bug: 381787911
Flag: EXEMPT updates device sepolicy only
Change-Id: Iaa61d70cdffb75024c497482f4c0a6cab493bec3
---
 vendor/debug_camera_app.te | 6 +++++-
 vendor/google_camera_app.te | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
index ddc4337..6c8a549 100644
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@@ -1,4 +1,8 @@
+# File containing sepolicies for GCA-Eng & GCA-Next.
 userdebug_or_eng(`
 # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
 allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
-')
\ No newline at end of file
+
+ # Allows tachyon_service to communicate with GCA-Eng via binder.
+ binder_call(edgetpu_tachyon_server, debug_camera_app);
+')
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index c572c26..5c4c6f0 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
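Review bot: Replacing the bug_map entry with `dontaudit grilservice_app default_android_service:service_manager { find };` (and the parallel new rule in tracking_denials/bluetooth.te) silences the denial instead of tracking it, so it will no longer surface in SELinuxUncheckedDenialBootTest or in the audit log when the app's service lookup actually fails. A denial against default_android_service usually means the service being looked up has no entry in service_contexts; labelling that service and granting `find` on its own type is the durable fix, and the `# b/366116096` comment should be the reminder to drop the dontaudit once that lands. Whether a dontaudit for the platform `bluetooth` domain belongs in this tree at all depends on which partition tracking_denials is compiled into, which is not visible here.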
@@ -8,3 +8,6 @@ allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }
 # Allows GCA to access the hw_jpeg /dev/video12.
 allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+
+# Allows tachyon service to communicate with google_camera_app via binder.
+binder_call(edgetpu_tachyon_server, google_camera_app);
From 862fbd7fe0e47903dd7ad0aac2c6680f0c0fbb17 Mon Sep 17 00:00:00 2001
From: Eileen Lai
Date: Fri, 6 Dec 2024 12:58:34 +0000
Subject: [PATCH 40/41] modem_svc: move shared_modem_platform related sepolicy to gs-common

Bug: 372400955
Change-Id: I9b69d1754f718faac51e89bb10c3a2ba604d2bae
Flag: NONE local testing only
---
 radio/file_contexts | 1 -
 radio/modem_svc_sit.te | 3 ---
 zumapro-sepolicy.mk | 2 +-
 3 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/radio/file_contexts b/radio/file_contexts
index 42086a3..34e7e8b 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -10,7 +10,6 @@
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
-/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0
 # Config files
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index d23274c..a2fd70a 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@@ -38,9 +38,6 @@ get_prop(modem_svc_sit, vendor_logger_prop)
 allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
 get_prop(modem_svc_sit, hwservicemanager_prop)
-# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
-hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
-
 # Write trace data to the Perfetto traced daemon. This requires connecting to
 # its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(modem_svc_sit)
diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk
index 4edddb2..3112db3 100644
--- a/zumapro-sepolicy.mk
+++ b/zumapro-sepolicy.mk
@@ -1,6 +1,6 @@
 # sepolicy that are shared among devices using zumapro
 BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor
-BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private
 # unresolved SELinux error log with bug tracking
From db19f527d7bd467acf038c926a34f8815cb37c04 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Mon, 9 Dec 2024 11:43:18 +0800
Subject: [PATCH 41/41] Update SELinux error

copy bug_map entry from zuma

Test: SELinuxUncheckedDenialBootTest
Bug: 383013471
Flag: EXEMPT sepolicy
Change-Id: I514eb622b02f13b23aa3f9fe9c699b856a196c00
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 149d961..f31c57c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,6 +7,7 @@ dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
+hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
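Review bot: This hunk flips the radio directory back from BOARD_SEPOLICY_DIRS to BOARD_VENDOR_SEPOLICY_DIRS, the exact inverse of the earlier zumapro-sepolicy.mk hunk in this series, and neither change explains why radio/ should be listed under a different variable than vendor/ on the line directly above it. A comment next to the line, e.g. `# radio/ intentionally stays in BOARD_VENDOR_SEPOLICY_DIRS (b/372400955)`, would stop the next flip-flop, assuming the distinction is deliberate. Separately, radio/modem_diagnostic_app.te (patch 35/41) still references hal_shared_modem_platform via hal_client_domain, so after this move the policy build depends on gs-common defining that attribute.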