From 20707fd77f77717f7ff43bbe82526c4a59e50680 Mon Sep 17 00:00:00 2001
From: Roy Luo
Date: Mon, 9 Dec 2024 13:21:14 +0000
Subject: [PATCH 01/20] Add udc sysfs to udc_sysfs fs context

Meeded for system server to monitor usb gadget state. Grant hal_usb_impl read access as it's needed by UsbDataSessionMonitor. Starting at board level api 202504 due to its dependency on aosp/3337514

10956 10956 W android.hardwar: type=1400 audit(0.0:327): avc: denied { read } for name="state" dev="sysfs" ino=84394 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_udc:s0 tclass=file permissive=0

Bug: 339241080
Test: tested on Tokay
Flag: android.hardware.usb.flags.enable_udc_sysfs_usb_state_update
Change-Id: Iab79eec9a836d70792dfaa64eb24a5c013dc85aa
---
 vendor/genfs_contexts | 5 +++++
 vendor/hal_usb_impl.te | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 1ac8351..7bb4de4 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -499,3 +499,8 @@ genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:obje
 # Bluetooth
 genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0
+
+# USB
+starting_at_board_api(202504, `
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0
+')
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
index e882d28..aaa9fae 100644
--- a/vendor/hal_usb_impl.te
+++ b/vendor/hal_usb_impl.te
@@ -30,4 +30,6 @@ allow hal_usb_impl usb_device:dir r_dir_perms;
 # For monitoring usb sysfs attributes
 allow hal_usb_impl sysfs_wakeup:dir search;
 allow hal_usb_impl sysfs_wakeup:file r_file_perms;
-
+starting_at_board_api(202504, `
+allow hal_usb_impl sysfs_udc:file r_file_perms;
+')
From 41ee821beab31de6479ab4fee69a71a144fd014b Mon Sep 17 00:00:00 2001
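Review bot: The new `allow hal_usb_impl sysfs_udc:file r_file_perms;` in hal_usb_impl.te carries no comment saying why it is gated on board API 202504 or which consumer needs it; that context lives only in the commit message and is lost the next time the file is edited. I'd put `# udc "state" node, read by UsbDataSessionMonitor (b/339241080); gated because it depends on aosp/3337514` above the `starting_at_board_api(202504,` line. The genfscon entry labels only the `state` leaf, so traversal of the parent udc directories presumably still relies on the generic sysfs label; it is worth confirming hal_usb_impl already has `sysfs:dir search`, otherwise the new grant is not reachable without a second change.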
From: Nina Chen
Date: Fri, 13 Dec 2024 14:33:57 +0800
Subject: [PATCH 02/20] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Flag: EXEMPT sepolicy
Bug: 383949166
Change-Id: I1d850c23cc01802f2abc4350019b81dda61c8bbd
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index f31c57c..95dfb96 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -39,4 +39,5 @@ system_suspend sysfs_touch dir b/375563932
 system_suspend sysfs_touch_gti dir b/350830429
 systemui_app system_data_file dir b/375564360
 untrusted_app audio_config_prop file b/379245853
+zygote aconfig_storage_metadata_file dir b/383949166
 zygote zygote capability b/379206406
From 13173c755df7af0c40eb2d481376bfaaf009c35a Mon Sep 17 00:00:00 2001
From: timmyli
Date: Fri, 13 Dec 2024 21:21:00 +0000
Subject: [PATCH 03/20] Remove hal_camera_default aconfig_storage_metadata_file from bug map

Bug: 383013471
Test: manual test to see no avc denial
Flag: EXEMPT bug fix
Change-Id: I616c416194e17a645e217a5f81d14ae08c4214d3
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 95dfb96..622d78f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,7 +7,6 @@ dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
-hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
From 1cc3b8e59b43d6a3a5f7a79d48551251511efe54 Mon Sep 17 00:00:00 2001
From: Jeremy Nei
Date: Mon, 16 Dec 2024 05:53:41 +0000
Subject: [PATCH 04/20] display/hwc: Add write access to persist display file.

12-06 21:50:44.540 466 466 W vndbinder:466_2: type=1400 audit(0.0:186): avc: denied { write } for name="factory_c al0.pb" dev="sda1" ino=40 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:persist_display_file:s0 tcla ss=file permissive=0

Bug: 369456857
Test: adb shell displaycolor_service 20000
Flag: EXEMPT not applicable
Change-Id: I97a1d8e701d02d37e7d3be80a92d311948863536
---
 vendor/hal_graphics_composer_default.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 893a34e..de8b708 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -26,7 +26,7 @@ add_service(hal_graphics_composer_default, hal_pixel_display_service)
 # allow HWC/libdisplaycolor to read calibration data
 allow hal_graphics_composer_default mnt_vendor_file:dir search;
 allow hal_graphics_composer_default persist_file:dir search;
-allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:file rw_file_perms;
 allow hal_graphics_composer_default persist_display_file:dir search;
 # allow HWC to get/set vendor_display_prop
From ee9544c6bb03a52f1f8197bf910893ed92b27c50 Mon Sep 17 00:00:00 2001
From: Timmy Li
Date: Mon, 16 Dec 2024 16:32:22 -0800
Subject: [PATCH 05/20] Revert "Remove hal_camera_default aconfig_storage_metadata_file ..."

Revert submission 30893287-hal_camera_default_ aconfig_storage_metadata_file

Reason for revert: b/384580942

Reverted changes: /q/submissionid:30893287-hal_camera_default_+aconfig_storage_metadata_file

Change-Id: Ib55a2e4e724c233cfba8bb47bcc84e7f6dcfe087
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
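Review bot: The comment `# allow HWC/libdisplaycolor to read calibration data` two lines above the changed rule is now wrong: `persist_display_file:file` goes from `r_file_perms` to `rw_file_perms`, so the composer HAL may modify the persisted calibration blob (the denial names factory_cal0.pb), and a reader of the .te file will assume the access is read-only. Change it to `# allow HWC/libdisplaycolor to read and write calibration data (b/369456857)`. Note that `rw_file_perms` includes neither `create` nor `unlink`, so the write has to be in place; if libdisplaycolor updates the file via a temp file and rename, that path will still be denied — worth confirming with the `displaycolor_service` test in the message.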
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 622d78f..95dfb96 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,6 +7,7 @@ dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
+hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
From 38a097edebdce34d42102fa6ae3fc64dade88194 Mon Sep 17 00:00:00 2001
From: Wayne Lin
Date: Tue, 17 Dec 2024 11:25:45 +0800
Subject: [PATCH 06/20] remove b/378004800 and b/318310869 from bugmap

Bug: 318310869
Bug: 378004800
Test: no avc denial
Flag: EXEMPT clean up bugmap
Change-Id: Id4aebb7862309978d30c9e93a24437de27f61e49
---
 tracking_denials/bug_map | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 95dfb96..8e753a4 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,8 +8,6 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
-hal_gnss_default vendor_gps_prop file b/318310869
-hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
From 67452ae3ab58e601eb7e1f55dbd36153b94b4667 Mon Sep 17 00:00:00 2001
From: James Huang
Date: Tue, 17 Dec 2024 04:45:04 +0000
Subject: [PATCH 07/20] gps: Remove GNSS SELinux error bug from bug_map

Bug: 309550514
Bug: 309550905
Bug: 309551062
Flag: EXEMPT clean up bug_map
Test: no avc denial
Change-Id: Ie0446e3b93ba26cc9ac35f70c7cd4c1c45ed1cd9
---
 tracking_denials/bug_map | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 95dfb96..5d79c75 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -28,12 +28,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
-sctd sctd tcp_socket b/309550514
-sctd swcnd unix_stream_socket b/309550514
-sctd vendor_persist_config_default_prop file b/309550514
 shell sysfs_net file b/338347525
-spad spad unix_stream_socket b/309550905
-swcnd swcnd unix_stream_socket b/309551062
 system_suspend sysfs dir b/375563932
 system_suspend sysfs_touch dir b/375563932
 system_suspend sysfs_touch_gti dir b/350830429
From f856a0c782605a17cc09c59026d0d280e180e628 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 18 Dec 2024 11:49:20 +0800
Subject: [PATCH 08/20] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 384376420
Flag: EXEMPT sepolicy
Change-Id: Ie204c23c4abbca1c508939fba51e25de63024b20
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 5c26b87..62a85d3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -26,6 +26,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
+servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
 system_suspend sysfs dir b/375563932
 system_suspend sysfs_touch dir b/375563932
From dc2ef84217099a230d35b8627eb76ef516bc862f Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Tue, 24 Dec 2024 18:32:17 +0800
Subject: [PATCH 09/20] Update SELinux error.

Test: SELinuxUncheckedDenialBootTest
Bug: 385858548
Bug: 385858779
Bug: 385829048
Flag: EXEMPT bugfix
Change-Id: I50e70778b62a5e6142882e99f73f7f3b4597cfa4
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 62a85d3..a6e5ada 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ hal_graphics_composer_default sysfs file b/379245673
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
 init init capability b/379206528
+insmod-sh vendor_edgetpu_debugfs dir b/385858548
 kernel sepolicy_file file b/353418189
 kernel system_bootstrap_lib_file dir b/353418189
 kernel system_bootstrap_lib_file file b/353418189
@@ -26,6 +27,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
+ramdump_app privapp_data_file lnk_file b/385858779
 servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
 system_suspend sysfs dir b/375563932
From 47091d3760b2b7b5c9a5aab4d6b47fd5b892e9a0 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 26 Dec 2024 08:26:51 +0000
Subject: [PATCH 10/20] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 386149336
Flag: EXEMPT update sepolicy
Change-Id: Ia6c47df7b264d75e4cbcf68109a9fb447d9c1422
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index a6e5ada..bec9065 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -27,6 +27,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
+ramdump_app default_prop file b/386149336
 ramdump_app privapp_data_file lnk_file b/385858779
 servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
From 86a67d00f3dde4d2ebd6e0cefffe4d0289723262 Mon Sep 17 00:00:00 2001
From: Hung-Yeh Lee
Date: Thu, 2 Jan 2025 15:30:13 +0800
Subject: [PATCH 11/20] display: mark dual display related nodes as sysfs_display

auditd : type=1400 audit(0.0:8): avc: denied { write } for comm="binder:497_1" name="expected_present_time_ns" dev="sysfs" ino=84293 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:186): avc: denied { write } for comm="binder:497_6" name="frame_interval_ns" dev="sysfs" ino=84294 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 379245673
Test: reboot and logcat
Flag: EXEMPT sepolicy
Change-Id: I724e8884770dbdc5569d378f9a2d8e415bdb9ca9
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bec9065..418fa0d 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,7 +8,6 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
-hal_graphics_composer_default sysfs file b/379245673
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
 init init capability b/379206528
From 055d2792a171a73938f27cda82e9a99f44fc8a81 Mon Sep 17 00:00:00 2001
From: Terry Huang
Date: Thu, 9 Jan 2025 09:15:42 +0800
Subject: [PATCH 12/20] Remove sced sepolicy rule

Bug: 381778782
Test: gts pass
Flag: EXEMPT bugfix
Change-Id: I9ee42b6f9330149bc4b010f9b66eaa2ed5711e64
---
 radio/file_contexts | 1 -
 radio/sced.te | 25 ---------------------
 radio/service_contexts | 1 -
 radio/vendor_telephony_silentlogging_app.te | 1 -
 4 files changed, 28 deletions(-)
 delete mode 100644 radio/sced.te

diff --git a/radio/file_contexts b/radio/file_contexts
index 34e7e8b..9129115 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -3,7 +3,6 @@
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/dmd u:object_r:dmd_exec:s0
-/vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 /vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0
diff --git a/radio/sced.te b/radio/sced.te
deleted file mode 100644
index b8246f3..0000000
--- a/radio/sced.te
+++ /dev/null
@@ -1,25 +0,0 @@
-type sced, domain;
-type sced_exec, vendor_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(sced)
- typeattribute sced vendor_executes_system_violators;
-
- hwbinder_use(sced)
- binder_call(sced, dmd)
- binder_call(sced, vendor_telephony_silentlogging_app)
-
- get_prop(sced, hwservicemanager_prop)
- allow sced self:packet_socket create_socket_perms_no_ioctl;
-
- allow sced self:capability net_raw;
- allow sced shell_exec:file rx_file_perms;
- allow sced tcpdump_exec:file rx_file_perms;
- allow sced vendor_shell_exec:file x_file_perms;
- allow sced vendor_slog_file:dir create_dir_perms;
- allow sced vendor_slog_file:file create_file_perms;
- allow sced hidl_base_hwservice:hwservice_manager add;
- allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
- add_service(sced, hal_vendor_tcpdump_service)
- binder_call(sced, servicemanager)
-')
diff --git a/radio/service_contexts b/radio/service_contexts
index 03cffd0..3806fa4 100644
--- a/radio/service_contexts
+++ b/radio/service_contexts
@@ -3,4 +3,3 @@ com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:lib
 vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0
 vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0 u:object_r:hal_vendor_modem_logging_service:s0
 vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm1 u:object_r:hal_vendor_modem_logging_service:s0
-vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/sced0 u:object_r:hal_vendor_tcpdump_service:s0
diff --git a/radio/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te
index 1de0ea7..4b0bb61 100644
--- a/radio/vendor_telephony_silentlogging_app.te
+++ b/radio/vendor_telephony_silentlogging_app.te
@@ -10,7 +10,6 @@ allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms
 allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
 allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
 binder_call(vendor_telephony_silentlogging_app, dmd)
-binder_call(vendor_telephony_silentlogging_app, sced)
 allow vendor_telephony_silentlogging_app hal_vendor_modem_logging_service:service_manager find;
 binder_call(vendor_telephony_silentlogging_app, servicemanager)
From cc502045b75b4c769250b0e4c64b5475bba1ef48 Mon Sep 17 00:00:00 2001
From: Xiaofan Jiang
Date: Fri, 10 Jan 2025 03:17:16 +0000
Subject: [PATCH 13/20] zumapro: update selinux to allow UMI on user build

Bug: 375335464

[ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { write } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1

Flag: EXEMPT Critical modem system service
Change-Id: I43a3e33dc95eee8b06086ac438ce6d4cf038e2f5
---
 radio/modem_svc_sit.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index a2fd70a..3cf6727 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@@ -48,7 +48,5 @@ allow modem_svc_sit modem_img_file:file r_file_perms;
 allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
 # Allow modem_svc_sit to access socket for UMI
-userdebug_or_eng(`
- allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink };
-')
+allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink };
From ae8b31fc561bd953401ec587fe217c689da0847a Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Fri, 10 Jan 2025 10:48:34 +0800
Subject: [PATCH 14/20] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 388949710
Flag: EXEMPT bugfix
Change-Id: I04806d6f1e03f81d0f981898dcc668bfc5b2513a
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 418fa0d..ec4a7e1 100644
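Review bot: Lifting `allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink };` out of `userdebug_or_eng` makes it effective on user builds, but the comment `# Allow modem_svc_sit to access socket for UMI` kept above it says nothing about that, and the rule covers every sock_file carrying the `radio_vendor_data_file` label, not only the `modem_svc_socket` named in the denials. I'd change the comment to `# Allow modem_svc_sit to create/unlink its UMI socket (any sock_file in radio_vendor_data_file); required on user builds, b/375335464`. If the socket path is fixed, a dedicated file type for it would confine `unlink` to that one node; that is a separate change but worth tracking in the bug.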
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -11,6 +11,7 @@ hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
 init init capability b/379206528
+insmod-sh kmsg_device chr_file b/388949710
 insmod-sh vendor_edgetpu_debugfs dir b/385858548
 kernel sepolicy_file file b/353418189
 kernel system_bootstrap_lib_file dir b/353418189
From ca25298baac5df87e71b6901bfe2446cf54c0f7d Mon Sep 17 00:00:00 2001
From: Enzo Liao
Date: Tue, 21 Jan 2025 14:18:24 +0800
Subject: [PATCH 15/20] RamdumpService: Fix the SELinux errors from introducing Firebase Analytics.

Fix it by ag/31334770 and remove the tracking bug number.

Bug: 386149336
Flag: EXEMPT bugfix
Change-Id: Iaa73666fb731f81302913822aa628669654ef66d
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index ec4a7e1..84fb836 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -28,7 +28,6 @@ priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
 ramdump_app default_prop file b/386149336
-ramdump_app privapp_data_file lnk_file b/385858779
 servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
 system_suspend sysfs dir b/375563932
From 74b634ca5a10af9146e7f2da9594069c0f42f247 Mon Sep 17 00:00:00 2001
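Review bot: In the bug_map hunk of patch 15 the line removed is `ramdump_app privapp_data_file lnk_file b/385858779`, while the commit message says ag/31334770 fixes b/386149336, and the entry for that bug, `ramdump_app default_prop file b/386149336`, is left in place as context. Either the wrong line was dropped or the `Bug:` trailer cites the wrong bug; if the lnk_file denial is what ag/31334770 fixed, the trailer should read 385858779, otherwise the `default_prop` entry is the one to remove. This matters because a stale bug_map entry keeps a denial out of SELinuxUncheckedDenialBootTest results, so a real regression on that access would go unnoticed.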
From: Ilya Matyukhin
Date: Thu, 23 Jan 2025 19:16:19 +0000
Subject: [PATCH 16/20] Consolidate SELinux for faceauth_rawimage

Per go/pixel-defrag, moves all related configuration from this board-specific directory to a feature-specific directory: "vendor/google_devices/gs-common/proprietary/biometrics/face/" + "sepolicy/rawimage_heap"

Bug: 337889186
Bug: 391648492
Test: adb logcat | egrep "avc:\s+denied"
Flag: EXEMPT refactor
Change-Id: I2c5201f3693251d7322f8f5ef202e66134c764e1
---
 tracking_denials/file.te | 3 ---
 tracking_denials/genfs_contexts | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/tracking_denials/file.te b/tracking_denials/file.te
index 6a2f6b2..c7efcfb 100644
--- a/tracking_denials/file.te
+++ b/tracking_denials/file.te
@@ -9,6 +9,3 @@ type sysfs_chargelevel, sysfs_type, fs_type;
 # mount FS
 allow proc_vendor_sched proc:filesystem associate;
-# Faceauth
-type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type;
-
diff --git a/tracking_denials/genfs_contexts b/tracking_denials/genfs_contexts
index b28f508..0f032d2 100644
--- a/tracking_denials/genfs_contexts
+++ b/tracking_denials/genfs_contexts
@@ -90,6 +90,3 @@ genfscon sysfs /devices/virtual/wakeup/wakeup
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
-# Faceauth
-genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0
-
From a7bb762dc5fc4588ec877f6cde60e1931d5da5f3 Mon Sep 17 00:00:00 2001
From: Albert Chen
Date: Thu, 14 Nov 2024 00:50:25 +0000
Subject: [PATCH 17/20] Add IFingerprintDebug service context and Overlay permissions.

avc: denied { add } for pid=2023 uid=1000 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
avc: denied { find } for pid=5125 uid=10181 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay
avc: denied { transfer } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay
avc: denied { call } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=binder permissive=1

Test: Verify above avc denials no longer seen.
Bug: 332777935
Bug: 388112743
Flag: EXEMPT SEPolicy change.
Change-Id: I5cedc00c3be03f5ee1b6e1168917fccc9538421e
---
 vendor/hal_fingerprint_debug.te | 27 +++++++++++++++++++++++++++
 vendor/service_contexts | 1 +
 2 files changed, 28 insertions(+)
 create mode 100644 vendor/hal_fingerprint_debug.te

diff --git a/vendor/hal_fingerprint_debug.te b/vendor/hal_fingerprint_debug.te
new file mode 100644
index 0000000..d8cb4bc
--- /dev/null
+++ b/vendor/hal_fingerprint_debug.te
@@ -0,0 +1,27 @@
+# SE policies for IFingerprintDebug
+userdebug_or_eng(`
+ type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;
+
+ # Declare domains for the debug host HAL server/client.
+ hal_attribute(fingerprint_debug)
+
+ hal_server_domain(hal_fingerprint_default, hal_fingerprint_debug)
+
+ # Ensure that the server and client can communicate with each other,
+ # bi-directionally (in the case of callbacks from server to client, for
+ # example).
+ binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)
+ binder_call(hal_fingerprint_debug_server, hal_fingerprint_debug_client)
+
+ binder_call(hal_fingerprint_debug_server, servicemanager)
+ hal_attribute_service(hal_fingerprint_debug, hal_fingerprint_debug_service)
+
+ # Declare a domain for the debug application (Overlay).
+ type fingerprint_debug_app, domain;
+
+ # Allow all priv-apps to communicate with the fingerprint debug HAL on
+ # userdebug or eng builds.
+ hal_client_domain(priv_app, hal_fingerprint_debug)
+
+ binder_call(priv_app, hal_fingerprint_default)
+')
diff --git a/vendor/service_contexts b/vendor/service_contexts
index c50b46f..b889a00 100644
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -1,4 +1,5 @@
 vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal_fingerprint_service:s0
+com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default u:object_r:hal_fingerprint_debug_service:s0
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
From 2cea35ed07849f55b66caca8fb5fd90fc73b3128 Mon Sep 17 00:00:00 2001
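Review bot: `type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;` is declared inside the `userdebug_or_eng` block of the new hal_fingerprint_debug.te, but the service_contexts hunk in the same commit references `u:object_r:hal_fingerprint_debug_service:s0` unconditionally, so on a user build the label names an undeclared type and the policy will not compile. Move the `type` line above `userdebug_or_eng(` — a type declaration grants nothing by itself — and keep only the allow rules conditional. `type fingerprint_debug_app, domain;` is also declared here but never assigned via seapp_contexts or referenced by any rule, so no process can run in it; either wire it up as the client domain or drop it.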
From: Andrew Chant
Date: Wed, 29 Jan 2025 19:29:58 -0800
Subject: [PATCH 18/20] Revert "Add IFingerprintDebug service context and Overlay permissions."

This reverts commit a7bb762dc5fc4588ec877f6cde60e1931d5da5f3.

Reason for revert: likely breaking user build

Bug: 393226459
Change-Id: Iffa1b112852dbb99e521c7a546ff591a0a58375a
---
 vendor/hal_fingerprint_debug.te | 27 ---------------------------
 vendor/service_contexts | 1 -
 2 files changed, 28 deletions(-)
 delete mode 100644 vendor/hal_fingerprint_debug.te

diff --git a/vendor/hal_fingerprint_debug.te b/vendor/hal_fingerprint_debug.te
deleted file mode 100644
index d8cb4bc..0000000
--- a/vendor/hal_fingerprint_debug.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# SE policies for IFingerprintDebug
-userdebug_or_eng(`
- type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;
-
- # Declare domains for the debug host HAL server/client.
- hal_attribute(fingerprint_debug)
-
- hal_server_domain(hal_fingerprint_default, hal_fingerprint_debug)
-
- # Ensure that the server and client can communicate with each other,
- # bi-directionally (in the case of callbacks from server to client, for
- # example).
- binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)
- binder_call(hal_fingerprint_debug_server, hal_fingerprint_debug_client)
-
- binder_call(hal_fingerprint_debug_server, servicemanager)
- hal_attribute_service(hal_fingerprint_debug, hal_fingerprint_debug_service)
-
- # Declare a domain for the debug application (Overlay).
- type fingerprint_debug_app, domain;
-
- # Allow all priv-apps to communicate with the fingerprint debug HAL on
- # userdebug or eng builds.
- hal_client_domain(priv_app, hal_fingerprint_debug)
-
- binder_call(priv_app, hal_fingerprint_default)
-')
diff --git a/vendor/service_contexts b/vendor/service_contexts
index b889a00..c50b46f 100644
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -1,5 +1,4 @@
 vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal_fingerprint_service:s0
-com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default u:object_r:hal_fingerprint_debug_service:s0
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
From 2299ef16efbe434391d0fd3e0ee85904dc9e78b2 Mon Sep 17 00:00:00 2001
From: Albert Chen
Date: Thu, 30 Jan 2025 19:37:44 +0000
Subject: [PATCH 19/20] Add IFingerprintDebug service context and Overlay permissions

avc: denied { add } for pid=2023 uid=1000 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
avc: denied { find } for pid=5125 uid=10181 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay
avc: denied { transfer } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay
avc: denied { call } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=binder permissive=1

Test: Compile for userdebug and user. Verify above avc denials no longer seen.
Bug: 332777935
Bug: 388112743
Flag: EXEMPT SEPolicy change.
Change-Id: Ibc879badca5ff745671e3a7050ba70cadb8ac92e
---
 vendor/hal_fingerprint_debug.te | 24 ++++++++++++++++++++++++
 vendor/service_contexts | 1 +
 2 files changed, 25 insertions(+)
 create mode 100644 vendor/hal_fingerprint_debug.te

diff --git a/vendor/hal_fingerprint_debug.te b/vendor/hal_fingerprint_debug.te
new file mode 100644
index 0000000..8b8e330
--- /dev/null
+++ b/vendor/hal_fingerprint_debug.te
@@ -0,0 +1,24 @@
+# SE policies for IFingerprintDebug
+type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;
+
+userdebug_or_eng(`
+ # Declare domains for the debug host HAL server/client.
+ hal_attribute(fingerprint_debug)
+
+ hal_server_domain(hal_fingerprint_default, hal_fingerprint_debug)
+
+ # Ensure that the server and client can communicate with each other,
+ # bi-directionally (in the case of callbacks from server to client, for
+ # example).
+ binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)
+ binder_call(hal_fingerprint_debug_server, hal_fingerprint_debug_client)
+
+ binder_call(hal_fingerprint_debug_server, servicemanager)
+ hal_attribute_service(hal_fingerprint_debug, hal_fingerprint_debug_service)
+
+ # Allow all priv-apps to communicate with the fingerprint debug HAL on
+ # userdebug or eng builds.
+ hal_client_domain(priv_app, hal_fingerprint_debug)
+
+ binder_call(priv_app, hal_fingerprint_default)
+')
diff --git a/vendor/service_contexts b/vendor/service_contexts
index c50b46f..b889a00 100644
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -1,4 +1,5 @@
 vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal_fingerprint_service:s0
+com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default u:object_r:hal_fingerprint_debug_service:s0
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
From c17830992f8002b114647bb3d632f3c6abbce944 Mon Sep 17 00:00:00 2001
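Review bot: `binder_call(priv_app, hal_fingerprint_default)` at the end of the `userdebug_or_eng` block lets every priv_app exchange binder calls with the whole fingerprint HAL process, not just the IFingerprintDebug interface, and together with `hal_client_domain(priv_app, hal_fingerprint_debug)` any priv-app on a userdebug/eng build can reach the debug service. The denials quoted in the message come from a single app (com.google.android.apps.overlay), so a dedicated app domain assigned through seapp_contexts — the `fingerprint_debug_app` type that the earlier version of this file declared and this version drops — would presumably keep the grant to that one client. If the broad grant is deliberate for debug builds, say so in the comment, e.g. `# Deliberately broad on userdebug/eng: any priv-app may call the fingerprint HAL directly.`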
From: Nina Chen
Date: Mon, 3 Feb 2025 14:33:04 +0800
Subject: [PATCH 20/20] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 393978045
Flag: EXEMPT bugfix
Change-Id: Ia9ac79924046d5d5897733db12b98eb20273387c
---
 tracking_denials/hal_fingerprint_default.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 tracking_denials/hal_fingerprint_default.te

diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 0000000..e475e68
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+# b/393978045
+dontaudit hal_fingerprint_default default_android_service:service_manager add;
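Review bot: `dontaudit hal_fingerprint_default default_android_service:service_manager add;` silences a registration attempt on the fallback `default_android_service` label, which implies the fingerprint HAL is publishing a service that has no entry in service_contexts; the `add` still fails, only the log line disappears. The comment `# b/393978045` gives no hint which service that is, so the eventual fix cannot be matched to this line. I'd expand it to `# b/393978045: <SERVICE NAME from the denial> is registered without a service_contexts entry; label it with a proper service type and remove this dontaudit`, filling in the name from the avc record in the bug.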