Snap for 13025264 from 7eb43dfba9 to mainline-tzdata6-release

Change-Id: I34864d74e9d5352ff509d20d3cf74b56697828b4
2025-02-06 14:22:30 -08:00 · 2025-02-06 14:22:30 -08:00 · 3df8fcd2f0
commit 3df8fcd2f0
parent 3ee82bea64 7eb43dfba9
11 changed files with 29 additions and 38 deletions
--- a/radio/file_contexts
+++ b/radio/file_contexts
@ -3,7 +3,6 @@
 /vendor/bin/bipchmgr                                                        u:object_r:bipchmgr_exec:s0
 /vendor/bin/vcd                                                             u:object_r:vcd_exec:s0
 /vendor/bin/dmd                                                             u:object_r:dmd_exec:s0
-/vendor/bin/sced                                                            u:object_r:sced_exec:s0
 /vendor/bin/rfsd                                                            u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control                                           u:object_r:modem_logging_control_exec:s0
 /vendor/bin/modem_ml_svc_sit                                                u:object_r:modem_ml_svc_sit_exec:s0
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@ -48,7 +48,5 @@ allow modem_svc_sit modem_img_file:file r_file_perms;
 allow modem_svc_sit modem_img_file:lnk_file r_file_perms;

 # Allow modem_svc_sit to access socket for UMI
-userdebug_or_eng(`
 allow modem_svc_sit radio_vendor_data_file:sock_file { create write unlink };
-')

--- a/radio/sced.te
+++ b/radio/sced.te
@ -1,25 +0,0 @@
-type sced, domain;
-type sced_exec, vendor_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
-  init_daemon_domain(sced)
-  typeattribute sced vendor_executes_system_violators;
-
-  hwbinder_use(sced)
-  binder_call(sced, dmd)
-  binder_call(sced, vendor_telephony_silentlogging_app)
-
-  get_prop(sced, hwservicemanager_prop)
-  allow sced self:packet_socket create_socket_perms_no_ioctl;
-
-  allow sced self:capability net_raw;
-  allow sced shell_exec:file rx_file_perms;
-  allow sced tcpdump_exec:file rx_file_perms;
-  allow sced vendor_shell_exec:file x_file_perms;
-  allow sced vendor_slog_file:dir create_dir_perms;
-  allow sced vendor_slog_file:file create_file_perms;
-  allow sced hidl_base_hwservice:hwservice_manager add;
-  allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
-  add_service(sced, hal_vendor_tcpdump_service)
-  binder_call(sced, servicemanager)
-')
--- a/radio/service_contexts
+++ b/radio/service_contexts
@ -3,4 +3,3 @@ com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:lib
 vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default      u:object_r:hal_vendor_radio_external_service:s0
 vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0      u:object_r:hal_vendor_modem_logging_service:s0
 vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm1      u:object_r:hal_vendor_modem_logging_service:s0
-vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/sced0    u:object_r:hal_vendor_tcpdump_service:s0
--- a/radio/vendor_telephony_silentlogging_app.te
+++ b/radio/vendor_telephony_silentlogging_app.te
@ -10,7 +10,6 @@ allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms
 allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
 allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
 binder_call(vendor_telephony_silentlogging_app, dmd)
-binder_call(vendor_telephony_silentlogging_app, sced)
 allow vendor_telephony_silentlogging_app hal_vendor_modem_logging_service:service_manager find;
 binder_call(vendor_telephony_silentlogging_app, servicemanager)

--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@ -11,6 +11,7 @@ hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
 init init capability b/379206528
+insmod-sh kmsg_device chr_file b/388949710
 insmod-sh vendor_edgetpu_debugfs dir b/385858548
 kernel sepolicy_file file b/353418189
 kernel system_bootstrap_lib_file dir b/353418189
@ -27,7 +28,6 @@ priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
 ramdump_app default_prop file b/386149336
-ramdump_app privapp_data_file lnk_file b/385858779
 servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
 system_suspend sysfs dir b/375563932
--- a/tracking_denials/file.te
+++ b/tracking_denials/file.te
@ -9,6 +9,3 @@ type sysfs_chargelevel, sysfs_type, fs_type;
 # mount FS
 allow proc_vendor_sched proc:filesystem associate;

-# Faceauth
-type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type;
-
--- a/tracking_denials/genfs_contexts
+++ b/tracking_denials/genfs_contexts
@ -90,6 +90,3 @@ genfscon sysfs /devices/virtual/wakeup/wakeup
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time   u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time         u:object_r:sysfs_usbc_throttling_stats:s0

-# Faceauth
-genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0
-
--- a/tracking_denials/hal_fingerprint_default.te
+++ b/tracking_denials/hal_fingerprint_default.te
@ -0,0 +1,2 @@
+# b/393978045
+dontaudit hal_fingerprint_default default_android_service:service_manager add;
--- a/vendor/hal_fingerprint_debug.te
+++ b/vendor/hal_fingerprint_debug.te
@ -0,0 +1,24 @@
+# SE policies for IFingerprintDebug
+type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;
+
+userdebug_or_eng(`
+    # Declare domains for the debug host HAL server/client.
+    hal_attribute(fingerprint_debug)
+
+    hal_server_domain(hal_fingerprint_default, hal_fingerprint_debug)
+
+    # Ensure that the server and client can communicate with each other,
+    # bi-directionally (in the case of callbacks from server to client, for
+    # example).
+    binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)
+    binder_call(hal_fingerprint_debug_server, hal_fingerprint_debug_client)
+
+    binder_call(hal_fingerprint_debug_server, servicemanager)
+    hal_attribute_service(hal_fingerprint_debug, hal_fingerprint_debug_service)
+
+    # Allow all priv-apps to communicate with the fingerprint debug HAL on
+    # userdebug or eng builds.
+    hal_client_domain(priv_app, hal_fingerprint_debug)
+
+    binder_call(priv_app, hal_fingerprint_default)
+')
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@ -1,4 +1,5 @@
 vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default   u:object_r:hal_fingerprint_service:s0
+com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default   u:object_r:hal_fingerprint_debug_service:s0
 com.google.hardware.pixel.display.IDisplay/default                u:object_r:hal_pixel_display_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default           u:object_r:hal_wireless_charger_service:s0
 hardware.qorvo.uwb.IUwbVendor/default                             u:object_r:hal_uwb_vendor_service:s0