aml_tz6_351400020 (13155446,com.google.android.go.tzdata6,com.google.android.tzdata6)

-----BEGIN PGP SIGNATURE-----
 
 iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ9i73wAKCRDorT+BmrEO
 eDQqAJwOfnHwIxPnJDkuy1MpIWivJQV1GgCfe/G3XeQ0POPhttv8TZHn/Ff0sqo=
 =2IgK
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgPpdpjxPACTIhnlvYz0GM4BR7FJ
 +rYv3jMbfxNKD3JvcAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQLpPxk4tGVse7ZnGf5txBVHXgfM/xdZT4gf36LUHNjGKTNBXIMsKbcHedH2YOAVGLp
 55mHQgTaS2qFR2ZsKcpgo=
 -----END SSH SIGNATURE-----

Merge tag 'aml_tz6_351400020' into staging/lineage-23.0_merge-aml_tz6_351400020

aml_tz6_351400020 (13155446,com.google.android.go.tzdata6,com.google.android.tzdata6)

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ9i73wAKCRDorT+BmrEO
# eDQqAJwOfnHwIxPnJDkuy1MpIWivJQV1GgCfe/G3XeQ0POPhttv8TZHn/Ff0sqo=
# =2IgK
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 18 02:18:39 2025 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [ultimate]

# By Nina Chen (5) and others
# Via Android Build Coastguard Worker (9) and others
* tag 'aml_tz6_351400020':
  Update SELinux error
  Add IFingerprintDebug service context and Overlay permissions
  Revert "Add IFingerprintDebug service context and Overlay permissions."
  Add IFingerprintDebug service context and Overlay permissions.
  Consolidate SELinux for faceauth_rawimage
  RamdumpService: Fix the SELinux errors from introducing Firebase Analytics.
  Update SELinux error
  zumapro: update selinux to allow UMI on user build
  Remove sced sepolicy rule
  display: mark dual display related nodes as sysfs_display
  Update SELinux error
  Update SELinux error.
  Update SELinux error
  gps: Remove GNSS SELinux error bug from bug_map
  remove b/378004800  and b/318310869  from bugmap
  Revert "Remove hal_camera_default aconfig_storage_metadata_file ..."
  display/hwc: Add write access to persist display file.
  Remove hal_camera_default aconfig_storage_metadata_file from bug map
  Update SELinux error
  Add udc sysfs to udc_sysfs fs context

Change-Id: I8d6fe8bb8bbeda4b8f5f8be48a01199d2648f90d
Michael Bestas 2025-06-23 05:15:03 +03:00
commit 17152067e6
14 changed files with 42 additions and 47 deletions


@ -3,7 +3,6 @@
/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
/vendor/bin/vcd u:object_r:vcd_exec:s0 /vendor/bin/vcd u:object_r:vcd_exec:s0
/vendor/bin/dmd u:object_r:dmd_exec:s0 /vendor/bin/dmd u:object_r:dmd_exec:s0
/vendor/bin/sced u:object_r:sced_exec:s0
/vendor/bin/rfsd u:object_r:rfsd_exec:s0 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
/vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0 /vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0


@ -48,7 +48,5 @@ allow modem_svc_sit modem_img_file:file r_file_perms;
allow modem_svc_sit modem_img_file:lnk_file r_file_perms; allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
# Allow modem_svc_sit to access socket for UMI # Allow modem_svc_sit to access socket for UMI
userdebug_or_eng(`
allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink }; allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink };
')
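Review bot: With the `userdebug_or_eng` wrapper gone, `allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink };` now applies on user builds, while the comment above it is unchanged and gives no reason for the wider scope. `radio_vendor_data_file` looks like a shared data label rather than a socket-specific one, so it is worth confirming which other domains can reach a socket created under it; a dedicated type for the UMI socket would keep the production grant narrow. At minimum I would extend the comment to `# Allow modem_svc_sit to access socket for UMI (needed on user builds as well)`. The rest of the file lies outside this hunk.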


@ -1,25 +0,0 @@
type sced, domain;
type sced_exec, vendor_file_type, exec_type, file_type;
userdebug_or_eng(`
init_daemon_domain(sced)
typeattribute sced vendor_executes_system_violators;
hwbinder_use(sced)
binder_call(sced, dmd)
binder_call(sced, vendor_telephony_silentlogging_app)
get_prop(sced, hwservicemanager_prop)
allow sced self:packet_socket create_socket_perms_no_ioctl;
allow sced self:capability net_raw;
allow sced shell_exec:file rx_file_perms;
allow sced tcpdump_exec:file rx_file_perms;
allow sced vendor_shell_exec:file x_file_perms;
allow sced vendor_slog_file:dir create_dir_perms;
allow sced vendor_slog_file:file create_file_perms;
allow sced hidl_base_hwservice:hwservice_manager add;
allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
add_service(sced, hal_vendor_tcpdump_service)
binder_call(sced, servicemanager)
')


@ -3,4 +3,3 @@ com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:lib
vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0
vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0 u:object_r:hal_vendor_modem_logging_service:s0 vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0 u:object_r:hal_vendor_modem_logging_service:s0
vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm1 u:object_r:hal_vendor_modem_logging_service:s0 vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm1 u:object_r:hal_vendor_modem_logging_service:s0
vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/sced0 u:object_r:hal_vendor_tcpdump_service:s0


@ -10,7 +10,6 @@ allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms
allow vendor_telephony_silentlogging_app app_api_service:service_manager find; allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find; allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
binder_call(vendor_telephony_silentlogging_app, dmd) binder_call(vendor_telephony_silentlogging_app, dmd)
binder_call(vendor_telephony_silentlogging_app, sced)
allow vendor_telephony_silentlogging_app hal_vendor_modem_logging_service:service_manager find; allow vendor_telephony_silentlogging_app hal_vendor_modem_logging_service:service_manager find;
binder_call(vendor_telephony_silentlogging_app, servicemanager) binder_call(vendor_telephony_silentlogging_app, servicemanager)


@ -8,12 +8,11 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
dumpstate system_data_file dir b/377787445 dumpstate system_data_file dir b/377787445
grilservice_app twoshay binder b/375564898 grilservice_app twoshay binder b/375564898
hal_camera_default aconfig_storage_metadata_file dir b/383013471 hal_camera_default aconfig_storage_metadata_file dir b/383013471
hal_gnss_default vendor_gps_prop file b/318310869
hal_gnss_pixel vendor_gps_file file b/378004800
hal_graphics_composer_default sysfs file b/379245673
hal_power_default hal_power_default capability b/350830411 hal_power_default hal_power_default capability b/350830411
incidentd incidentd anon_inode b/322917075 incidentd incidentd anon_inode b/322917075
init init capability b/379206528 init init capability b/379206528
insmod-sh kmsg_device chr_file b/388949710
insmod-sh vendor_edgetpu_debugfs dir b/385858548
kernel sepolicy_file file b/353418189 kernel sepolicy_file file b/353418189
kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file dir b/353418189
kernel system_bootstrap_lib_file file b/353418189 kernel system_bootstrap_lib_file file b/353418189
@ -28,15 +27,13 @@ platform_app vendor_rild_prop file b/377412254
priv_app audio_config_prop file b/379245788 priv_app audio_config_prop file b/379245788
radio audio_config_prop file b/379244519 radio audio_config_prop file b/379244519
ramdump ramdump capability b/369475712 ramdump ramdump capability b/369475712
sctd sctd tcp_socket b/309550514 ramdump_app default_prop file b/386149336
sctd swcnd unix_stream_socket b/309550514 servicemanager modem_logging_control binder b/384376420
sctd vendor_persist_config_default_prop file b/309550514
shell sysfs_net file b/338347525 shell sysfs_net file b/338347525
spad spad unix_stream_socket b/309550905
swcnd swcnd unix_stream_socket b/309551062
system_suspend sysfs dir b/375563932 system_suspend sysfs dir b/375563932
system_suspend sysfs_touch dir b/375563932 system_suspend sysfs_touch dir b/375563932
system_suspend sysfs_touch_gti dir b/350830429 system_suspend sysfs_touch_gti dir b/350830429
systemui_app system_data_file dir b/375564360 systemui_app system_data_file dir b/375564360
untrusted_app audio_config_prop file b/379245853 untrusted_app audio_config_prop file b/379245853
zygote aconfig_storage_metadata_file dir b/383949166
zygote zygote capability b/379206406 zygote zygote capability b/379206406


@ -9,6 +9,3 @@ type sysfs_chargelevel, sysfs_type, fs_type;
# mount FS # mount FS
allow proc_vendor_sched proc:filesystem associate; allow proc_vendor_sched proc:filesystem associate;
# Faceauth
type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type;


@ -90,6 +90,3 @@ genfscon sysfs /devices/virtual/wakeup/wakeup
genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
# Faceauth
genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0


@ -0,0 +1,2 @@
# b/393978045
dontaudit hal_fingerprint_default default_android_service:service_manager add;
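Review bot: The `dontaudit` on `default_android_service:service_manager add` silences the denial instead of fixing its cause. `default_android_service` is the fallback label for a service name with no service_contexts entry, so any unlabelled service this HAL later tries to register will also fail without an audit record. The same commit adds a service context for `IFingerprintDebug/default`; if that was the unlabelled service, this rule may already be unnecessary. I would expand the comment to name the service and the exit condition, e.g. `# b/393978045: <service name> is registered without a service_contexts entry; remove once labelled`.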

View file

@ -499,3 +499,8 @@ genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:obje
# Bluetooth # Bluetooth
genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0 genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0
# USB
starting_at_board_api(202504, `
genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0
')
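Review bot: The `# USB` comment does not say why the `sysfs_udc` label is gated on `starting_at_board_api(202504, ...)`. On an older board API level the `state` node keeps whatever label it had before, and the matching `allow hal_usb_impl sysfs_udc:file r_file_perms;` in the hal_usb_impl section is gated the same way. If the USB HAL reads this node regardless of API level, that combination would show up as runtime denials rather than a build error, so the dependency is worth recording. I would write something like `# USB: UDC state node read by hal_usb_impl; sysfs_udc is only used from board API 202504`. The declaration of `sysfs_udc` itself is not visible on this page.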


@ -0,0 +1,24 @@
# SE policies for IFingerprintDebug
type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;
userdebug_or_eng(`
# Declare domains for the debug host HAL server/client.
hal_attribute(fingerprint_debug)
hal_server_domain(hal_fingerprint_default, hal_fingerprint_debug)
# Ensure that the server and client can communicate with each other,
# bi-directionally (in the case of callbacks from server to client, for
# example).
binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)
binder_call(hal_fingerprint_debug_server, hal_fingerprint_debug_client)
binder_call(hal_fingerprint_debug_server, servicemanager)
hal_attribute_service(hal_fingerprint_debug, hal_fingerprint_debug_service)
# Allow all priv-apps to communicate with the fingerprint debug HAL on
# userdebug or eng builds.
hal_client_domain(priv_app, hal_fingerprint_debug)
binder_call(priv_app, hal_fingerprint_default)
')
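Review bot: `hal_client_domain(priv_app, hal_fingerprint_debug)` gives every privileged app on userdebug and eng builds client access to the fingerprint debug HAL, which is broad for an interface hosted inside the fingerprint HAL process. A dedicated domain for the one app that needs it would keep the grant narrow. The following `binder_call(priv_app, hal_fingerprint_default)` also appears redundant, since the client and server attributes assigned by `hal_client_domain` and `hal_server_domain` should already be covered by `binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)`. The type declaration sits outside `userdebug_or_eng`, presumably because the service_contexts entry added in this commit is unconditional; a comment such as `# Declared on all builds because service_contexts references it unconditionally` would record that this is intentional.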


@ -26,7 +26,7 @@ add_service(hal_graphics_composer_default, hal_pixel_display_service)
# allow HWC/libdisplaycolor to read calibration data # allow HWC/libdisplaycolor to read calibration data
allow hal_graphics_composer_default mnt_vendor_file:dir search; allow hal_graphics_composer_default mnt_vendor_file:dir search;
allow hal_graphics_composer_default persist_file:dir search; allow hal_graphics_composer_default persist_file:dir search;
allow hal_graphics_composer_default persist_display_file:file r_file_perms; allow hal_graphics_composer_default persist_display_file:file rw_file_perms;
allow hal_graphics_composer_default persist_display_file:dir search; allow hal_graphics_composer_default persist_display_file:dir search;
# allow HWC to get/set vendor_display_prop # allow HWC to get/set vendor_display_prop
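Review bot: The comment above this group still says `# allow HWC/libdisplaycolor to read calibration data`, but the rule now grants `rw_file_perms` on `persist_display_file`. Content on the persist partition normally outlives a factory reset, so the composer HAL being able to modify it deserves a stated reason. If only one file is written, a separate label for it would keep the calibration data read-only. I would update the comment to `# allow HWC/libdisplaycolor to read calibration data and update the persisted display file`. The hunk cuts the file on both sides, so other rules for this type are not visible.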


@ -30,4 +30,6 @@ allow hal_usb_impl usb_device:dir r_dir_perms;
# For monitoring usb sysfs attributes # For monitoring usb sysfs attributes
allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:dir search;
allow hal_usb_impl sysfs_wakeup:file r_file_perms; allow hal_usb_impl sysfs_wakeup:file r_file_perms;
starting_at_board_api(202504, `
allow hal_usb_impl sysfs_udc:file r_file_perms;
')


@ -1,4 +1,5 @@
vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal_fingerprint_service:s0 vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal_fingerprint_service:s0
com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default u:object_r:hal_fingerprint_debug_service:s0
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0