From 35b65db88fb6adbcefc9c9b5fad325eea066750b Mon Sep 17 00:00:00 2001 From: Julius Snipes Date: Tue, 8 Oct 2024 21:00:17 +0000 Subject: [PATCH 01/34] logger_app: allow logger_app to access persist.vendor.tcpdump.capture.len for logger_app Bug: 330812097 Flag: EXEMPT sepolicy change only Test: Confirm no selinux denial for persist.vendor.tcpdump.capture.len Change-Id: Iff208dc590e923b413647725354d6650745ba7a1 --- radio/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/property_contexts b/radio/property_contexts index 549c745..218e970 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -60,6 +60,7 @@ vendor.gps. u:object_r:vendor_gps_prop:s0 persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Tcpdump_logger +persist.vendor.tcpdump.capture.len u:object_r:vendor_tcpdump_log_prop:s0 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 From d03f77df69dbaf8af68507d0966eb5090af2ed47 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Tue, 5 Nov 2024 13:24:05 +0800 Subject: [PATCH 02/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 377412254 Flag: EXEMPT NDK Change-Id: I1345afdb481e9f84f2dd5fe745ebf594cbc33c66 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b71e89c..214c220 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -19,6 +19,9 @@ modem_svc_sit radio_vendor_data_file sock_file b/369539798 pixelstats_vendor block_device dir b/369539751 pixelstats_vendor block_device dir b/369540515 pixelstats_vendor sysfs file b/375564818 +platform_app vendor_fw_file dir b/377412254 +platform_app vendor_modem_prop property_service b/377412254 +platform_app vendor_rild_prop file b/377412254 ramdump ramdump capability b/369475712 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 
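Review bot: The three new bug_map entries record a system-partition domain (`platform_app`) reaching into vendor resources: `vendor_fw_file` directories, `vendor_modem_prop` through property_service and `vendor_rild_prop` files. Under the system/vendor split these are expected denials that should be resolved in the app or through a system-visible interface rather than with a vendor allow rule, so it would help to record in b/377412254 which package triggers them. bug_map only keeps SELinuxUncheckedDenialBootTest from failing; the avc messages still appear in the logs, so nothing is hidden while the bug is open.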
From 31d6e2222059e305af1c43a090d01bb4c2615c93 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 7 Nov 2024 10:26:35 +0800 Subject: [PATCH 03/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 377787445 Flag: EXEMPT NDK Change-Id: I96db3485005cdaed405c8d117b1d50b5f29b533f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 214c220..a77ab22 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,6 +2,7 @@ dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 +dumpstate system_data_file dir b/377787445 grilservice_app default_android_service service_manager b/366116096 grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 From 2fe912350e9988cc14ee3f5c17709282023171b2 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 8 Nov 2024 11:35:17 +0800 Subject: [PATCH 04/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 378004800 Flag: EXEMPT NDK Change-Id: I5cdb5950053f291969b660758a3eac4deda3995c --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a77ab22..7f1d53e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,7 @@ dumpstate system_data_file dir b/377787445 grilservice_app default_android_service service_manager b/366116096 grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 +hal_gnss_pixel vendor_gps_file file b/378004800 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 kernel sepolicy_file file b/353418189 From f8891af46e3b64d63d2db668203fe2355a5a44c9 Mon Sep 17 00:00:00 2001 
From: Spade Lee Date: Mon, 11 Nov 2024 17:06:26 +0000 Subject: [PATCH 05/34] sepolicy: add label for logbuffer - Add logbuffer_device label for ln8411, dc_mains, dual_batt - Remove from tracking_deniel Bug: 377895720 Flag: EXEMPT bugfix Change-Id: Ia542c089bcf0eb6bb4ea3e026d43937390720b22 Signed-off-by: Spade Lee --- tracking_denials/file_contexts | 5 ----- vendor/file_contexts | 3 +++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/tracking_denials/file_contexts b/tracking_denials/file_contexts index 3a629b2..cf16b0a 100644 --- a/tracking_denials/file_contexts +++ b/tracking_denials/file_contexts @@ -9,12 +9,7 @@ /vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Devices -/dev/logbuffer_maxq u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 -/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 -/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0 /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-eeprom-gt24p64e-imentet u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index c7fd912..f3a4316 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -67,6 +67,7 @@ /dev/logbuffer_maxfg_secondary u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_secondary_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_dual_batt u:object_r:logbuffer_device:s0 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 /dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0 
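Review bot: The tracking_denials/file_contexts hunk removes the labels for `/dev/logbuffer_maxq`, `/dev/logbuffer_maxfg`, `/dev/logbuffer_pca9468_tcpm` and `/dev/logbuffer_maxfg_monitor` in addition to `ln8411`, but this commit adds only `ln8411`, `dc_mains` and `dual_batt` to vendor/file_contexts and the message names only those three. If the other four are not already labeled elsewhere in vendor/file_contexts (outside the visible hunks), those nodes fall back to the default device label and their consumers regain the denials this file was covering. Either state in the message that they are already covered or keep their entries.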
@@ -128,6 +129,8 @@ /dev/logbuffer_rtx u:object_r:logbuffer_device:s0 /dev/logbuffer_max77779fg u:object_r:logbuffer_device:s0 /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 +/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0 +/dev/logbuffer_dc_mains u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 /dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/logbuffer_max77779fg_monitor u:object_r:logbuffer_device:s0 From 30306a34b5211e6c45253ab5f9837108a9b088b0 Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Wed, 13 Nov 2024 20:34:41 +0000 Subject: [PATCH 06/34] shamp: remove fixed bug from bugmap Bug: 360060705 Flag: NONE clean up bugmap Change-Id: I7d71aefa766e870e8bccb100ed5ad796dbbab36b --- tracking_denials/bug_map | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7f1d53e..863e2be 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -13,10 +13,6 @@ kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file file b/353418189 kernel system_dlkm_file dir b/353418189 -modem_svc_sit hal_radioext_default process b/368187536 -modem_svc_sit hal_radioext_default process b/368188020 -modem_svc_sit modem_ml_svc_sit file b/360060680 -modem_svc_sit modem_ml_svc_sit file b/360060705 modem_svc_sit radio_vendor_data_file sock_file b/369539798 pixelstats_vendor block_device dir b/369539751 pixelstats_vendor block_device dir b/369540515 From 233610e6a445401859b47343943d122c129b23c9 Mon Sep 17 00:00:00 2001 From: Joen Chen Date: Thu, 14 Nov 2024 06:10:09 +0000 Subject: [PATCH 07/34] correct frame_interval_ns and expected_present_time_ns naming Bug: 378992900 Flag: EXEMPT bugfix Test: scrolling/rotate phone and check if there is error log Change-Id: I927a490cb25b3d3f69bed4d62da80b66de1ad430 --- vendor/genfs_contexts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
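Review bot: The bug_map hunk removes four modem_svc_sit entries tracked under b/368187536, b/368188020, b/360060680 and b/360060705, while the subject says "remove fixed bug" and the message lists only Bug: 360060705. If the two `hal_radioext_default process` denials and the b/360060680 entry are also resolved, add those bug ids to the message; if not, their lines should stay so SELinuxUncheckedDenialBootTest keeps tracking them instead of failing.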
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 0f4531f..ba380bc 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -372,8 +372,8 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_ctr genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_option u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_rate_hz u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_interval u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/expected_present_time u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_interval_ns u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/expected_present_time_ns u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 From 351ceac512c6c605c1f1f3082b1c07252f92d198 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 11:43:43 +0800 Subject: [PATCH 08/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379206528 Bug: 379206406 Flag: EXEMPT NDK Change-Id: I82ca7cb985e9fd755dba5d29139a2b9a9f638f9a --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 863e2be..2c7a6f0 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -9,6 +9,7 @@ hal_gnss_default vendor_gps_prop file b/318310869 hal_gnss_pixel vendor_gps_file file b/378004800 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 +init init capability b/379206528 kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file file b/353418189 @@ -31,3 +32,4 @@ system_suspend sysfs dir b/375563932 system_suspend sysfs_touch dir b/375563932 system_suspend sysfs_touch_gti dir b/350830429 systemui_app system_data_file dir b/375564360 +zygote zygote capability b/379206406 From 9faa3999eff2b4ee400b8c46f4efae2be0561538 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 18:28:30 +0800 Subject: [PATCH 09/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379245474 Bug: 379245673 Bug: 379245788 Bug: 379244519 Bug: 379245853 Flag: EXEMPT NDK Change-Id: Ic1c8e73773ed71eea7be46187231fde6b5283e8a --- tracking_denials/bug_map | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2c7a6f0..5b18d9c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ +bluetooth audio_config_prop file b/379245474 dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 @@ -7,6 +8,7 @@ grilservice_app default_android_service service_manager b/366116096 grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 hal_gnss_pixel vendor_gps_file file b/378004800 +hal_graphics_composer_default sysfs file b/379245673 hal_power_default hal_power_default capability b/350830411 incidentd incidentd anon_inode b/322917075 init init capability b/379206528 
@@ -21,6 +23,8 @@ pixelstats_vendor sysfs file b/375564818 platform_app vendor_fw_file dir b/377412254 platform_app vendor_modem_prop property_service b/377412254 platform_app vendor_rild_prop file b/377412254 +priv_app audio_config_prop file b/379245788 +radio audio_config_prop file b/379244519 ramdump ramdump capability b/369475712 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 @@ -32,4 +36,5 @@ system_suspend sysfs dir b/375563932 system_suspend sysfs_touch dir b/375563932 system_suspend sysfs_touch_gti dir b/350830429 systemui_app system_data_file dir b/375564360 +untrusted_app audio_config_prop file b/379245853 zygote zygote capability b/379206406 From 78eaa18cf3ed523c7784e190d52fecbfc20beeb9 Mon Sep 17 00:00:00 2001 From: Boon Jun Date: Tue, 12 Nov 2024 07:42:20 +0000 Subject: [PATCH 10/34] Support access to radioext service over AIDL 11-13 17:08:24.418 396 396 E SELinux : avc: denied { find } for pid=15273 uid=1000 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hal_radio_ext_service:s0 tclass=service_manager permissive=0 Bug: 377991853 Bug: 371878208 Test: Open camera & observe connection to radio Flag: EXEMPT bugfix Change-Id: I1c53381f2aef1def44f7a717a9998acc826fe6aa --- vendor/hal_camera_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 4ff601b..379e1be 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -74,6 +74,7 @@ allow hal_camera_default sysfs_display:file r_file_perms; # Allow camera HAL to query preferred camera frequencies from the radio HAL # extensions to avoid interference with cellular antennas. allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; +allow hal_camera_default hal_radio_ext_service:service_manager find; # Allows camera HAL to access the hw_jpeg /dev/video12. allow hal_camera_default hw_jpg_device:chr_file rw_file_perms; 
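Review bot: The new `allow hal_camera_default hal_radio_ext_service:service_manager find;` grants service discovery only; the AIDL transaction itself also needs `binder_call` between hal_camera_default and the domain that serves vendor.google.radio_ext.IRadioExt, which is not in this hunk and presumably already exists from the HIDL path given the quoted test. The comment above the two find rules still describes the lookup generically; extend it to `# HIDL hwservice lookup plus the AIDL service_manager lookup for vendor.google.radio_ext.IRadioExt.` so both rules read as intentional, and note whether the hwservice rule can be dropped once the HIDL interface is retired.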
From 7e11c79345bdba9418756bb3a89864b06230783b Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Thu, 21 Nov 2024 07:58:55 +0000 Subject: [PATCH 11/34] modem_svc: move shared_modem_platform related sepolicy to gs-common Bug: 372400955 Change-Id: I92d9a64c339f2b99e1fdc531145a950c3428dd82 Flag: NONE local testing only --- radio/file_contexts | 1 - radio/modem_svc_sit.te | 3 --- zumapro-sepolicy.mk | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-) diff --git a/radio/file_contexts b/radio/file_contexts index 42086a3..34e7e8b 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -10,7 +10,6 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 -/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index d23274c..a2fd70a 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -38,9 +38,6 @@ get_prop(modem_svc_sit, vendor_logger_prop) allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) -# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. -hal_server_domain(modem_svc_sit, hal_shared_modem_platform) - # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk index 4edddb2..3112db3 100644 --- a/zumapro-sepolicy.mk +++ b/zumapro-sepolicy.mk 
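Review bot: Dropping the `/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0` entry and the `hal_server_domain(modem_svc_sit, hal_shared_modem_platform)` line is only safe if gs-common ships the same labels in the same build; otherwise the binary presumably falls back to `vendor_file` and init cannot transition it into modem_svc_sit. The commit message should name the gs-common change this depends on. The switch from `BOARD_SEPOLICY_DIRS` to `BOARD_VENDOR_SEPOLICY_DIRS` for the radio directory in zumapro-sepolicy.mk is not mentioned in the message at all; if the build treats the two variables identically, say so, otherwise it is a separate change. Patch 12 reverts this submission as a suspected culprit for b/380274930 and patch 22 re-lands it unchanged, so the re-land would benefit from stating what was verified in between.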
@@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zumapro BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor -BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio +BOARD_VENDOR_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private # unresolved SELinux error log with bug tracking From 62f34d8794f403d9f2a87bf92c7a984ad591df1e Mon Sep 17 00:00:00 2001 From: "Liana Kazanova (xWF)" Date: Thu, 21 Nov 2024 17:53:56 +0000 Subject: [PATCH 12/34] Revert "modem_svc: move shared_modem_platform related sepolicy t..." Revert submission 30519089-move_modem_sepolicy Reason for revert: DroidMonitor: Potential culprit for http://b/380274930 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted. Reverted changes: /q/submissionid:30519089-move_modem_sepolicy Change-Id: I74d37465d49e31c84d5e51bb0f020988a41b66ab --- radio/file_contexts | 1 + radio/modem_svc_sit.te | 3 +++ zumapro-sepolicy.mk | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/radio/file_contexts b/radio/file_contexts index 34e7e8b..42086a3 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -10,6 +10,7 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 +/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index a2fd70a..d23274c 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te 
@@ -38,6 +38,9 @@ get_prop(modem_svc_sit, vendor_logger_prop) allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) +# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal. +hal_server_domain(modem_svc_sit, hal_shared_modem_platform) + # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(modem_svc_sit) diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk index 3112db3..4edddb2 100644 --- a/zumapro-sepolicy.mk +++ b/zumapro-sepolicy.mk @@ -1,6 +1,6 @@ # sepolicy that are shared among devices using zumapro BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor -BOARD_VENDOR_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio +BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private # unresolved SELinux error log with bug tracking From 0d60be5645165650e4c305391e4f9569a1881fc6 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Tue, 26 Nov 2024 11:38:18 +0800 Subject: [PATCH 13/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 380989493 Flag: EXEMPT NDK Change-Id: Iffaff71c72b03d58d2abcbe44007c2be469050bd --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5b18d9c..b74db38 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,6 @@ bluetooth audio_config_prop file b/379245474 +bpfloader fs_bpf dir b/380989493 dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 From ec3dae0ee35d05f60b1da0c67b860efdf6cf671d Mon Sep 17 00:00:00 2001 
From: mikeyuewang Date: Fri, 22 Nov 2024 17:45:07 +0000 Subject: [PATCH 14/34] Update the PMS app seinfo for the certification change. Bug: 375656221 Flag: EXEMPT selinux app context change. Change-Id: If9bd9a3818b2f117cf26a13c2ae6940b53963b92 --- .../com_google_android_modem_pms.x509.pem | 29 +++++++++++++++++++ radio/keys.conf | 3 ++ radio/mac_permissions.xml | 3 ++ radio/seapp_contexts | 2 +- 4 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 radio/certs/com_google_android_modem_pms.x509.pem diff --git a/radio/certs/com_google_android_modem_pms.x509.pem b/radio/certs/com_google_android_modem_pms.x509.pem new file mode 100644 index 0000000..27b5f75 --- /dev/null +++ b/radio/certs/com_google_android_modem_pms.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF9DCCA9ygAwIBAgIUdblfv7oNBrd5Bh3HcvmyFOTotxowDQYJKoZIhvcNAQELBQAwgYkxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDElMCMGA1UEAwwcY29tX2dvb2ds +ZV9hbmRyb2lkX21vZGVtX3BtczAgFw0yNDA4MTkxODEwMjdaGA8yMDU0MDgxOTE4MTAyN1owgYkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3 +MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDElMCMGA1UEAwwcY29tX2dv +b2dsZV9hbmRyb2lkX21vZGVtX3BtczCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALe5 +J/LkcvdP1z2FUDUBW2V37s4FyMe8d5a7YEkji7hC5l/W9nCnLVplhqxAD6fU10T3W8xKvbxyfu4I +MvNJvzxlgzTNUJkVa+cbYDfnJd4lboF0NdJFIpYxNVFC1us96qcEwxEUWN0evamqawOUv7S4cwA4 +mwsh5zZcOL5217ytSO+88tvXIongGZXyhHN4iTbd2//R23Ia4s39zNVlEMcgExWBRyn1PEcO3LBn +4/SK/jnYRdZrHjKK1qkeTMYPu21NqcBJISAdjDbwnHuBjQp+hbd4XY3QROJM6LJ4J34PpbskyvIy +tU1VShZ+CV2P3RSkTk1L0K4IqHa3OzD4EtRvARHmggjieokWOIKfyklYRE1e/C4XbhNbj08cD2hR +orFNF2inbVpUVfBa3MJyOLTitnU9bTkprO1C63xXoXfSocbEgtSSl94PJjDVrpB8JiAjnrGUItSS +2+pW5J5pxREFMPxp7fOCOFoiD/gHgOJjHNWEPFdSWLcEe4trrAPLexbfBmtVFJ4lLXhzg1ERxEJJ +QriZ4FoAtB6XSILDJgXxe6xtoJ0fZDxp0FWaTIU2rRR/OOjjPEGzrSzfZjgeIj512qhaYiqfwSQ4 +i6cTEz1+UY/u9sFeW2N884VAWi1ZIx1kzYMUisAeehJXzlJFB+q0qinaoCwyFRcOOK144E8RAgMB +AAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFCpkoCKwoSargw1pVZUVLuoKSQOdMB8GA1Ud +IwQYMBaAFCpkoCKwoSargw1pVZUVLuoKSQOdMA0GCSqGSIb3DQEBCwUAA4ICAQCRmyU23cp/ysn+ +ndfZekfNZJmktrY9W7WZ2kKuH0w/L/Y2HO9fg4HKHzfElJeSBgt7z3DkQ8exaCHdwGo4Inu8Yyjp +NgS0Zhfsa/yyORpvu5m62KFhT2x3gDKSTdPlP1z6pi3ADt3XtUOHoVgakM0YhRPvS/5epJOH5lgE +ONCExGiUUD5S7vgabda4R7jBmsDcIh9fsER9IQrlP1IN4auqbKfpVOd3yxNMcfg5WN+QvBA3lh3E ++hsQb1/SCUhOoXIzs7hfiy6hLMQx0wg/s2Zdc5h/8eQAgLhm0aELfq5Bm4IR6uxArwLkaBO4sEh0 +I+7eTNR/Z0fu5V6H1zdRupoZmXjlgqR6t9eAwxHqQfHJzUASBCmrXfnXDG4kdwiZz8dDCXvNxahS +YM7PB3gozD3mc/NGs6qjv/11Bu3gSaoXFPBDWxCJ99SPU1yp6e/pLqfqzQ1raijJWehqZudBU3vR +1VVN9Iw0KP3/RpT1fLJqoXMK/QUjQF/JURGDhLZqPqx+RNGGlhWYx/j0LJNFJMMwusTCd9l5DtiK 
+eGjXj6Z9zde1wrqKDjrY+kHWNwHeoDjX8MrQb36KzkJNFIY8eHS7tki0ATTgeBsfmiDusWpSJu2Q +9pnrCJYpoS3IXDwiDTf/6l41Bl1VLDZZm/K0mzALzynTrqhut310/RB+wUD2nw== +-----END CERTIFICATE----- diff --git a/radio/keys.conf b/radio/keys.conf index 45db97d..baa99df 100644 --- a/radio/keys.conf +++ b/radio/keys.conf @@ -1,3 +1,6 @@ [@MDS] ALL : device/google/zumapro-sepolicy/radio/certs/com_google_mds.x509.pem +[@PMS] +ALL : device/google/zumapro-sepolicy/radio/certs/com_google_android_modem_pms.x509.pem + diff --git a/radio/mac_permissions.xml b/radio/mac_permissions.xml index 4b997c2..47bdf39 100644 --- a/radio/mac_permissions.xml +++ b/radio/mac_permissions.xml @@ -24,4 +24,7 @@ + + + diff --git a/radio/seapp_contexts b/radio/seapp_contexts index 7ed10c6..eec8a5e 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts @@ -34,4 +34,4 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_ user=_app isPrivApp=true seinfo=platform name=com.samsung.slsi.telephony.satelliteservice domain=vendor_satellite_service levelFrom=all # Domain for pixel_modem_app -user=_app isPrivApp=true seinfo=platform name=com.google.android.modem.pms domain=pixel_modem_app levelFrom=all +user=_app isPrivApp=true seinfo=pms name=com.google.android.modem.pms domain=pixel_modem_app levelFrom=all From 100436811e70aab6bfc03e37bf67782b3a9b3a5d Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 28 Nov 2024 10:56:02 +0800 Subject: [PATCH 15/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 381327278 Flag: EXEMPT sepolicy Change-Id: I359cc10c3a6f5bd5b20c4b1022f39f40484aa950 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b74db38..257ef83 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ +aconfigd apex_info_file file b/381327278 bluetooth audio_config_prop file b/379245474 bpfloader fs_bpf dir b/380989493 dump_display sysfs file b/322917055 
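Review bot: Switching the com.google.android.modem.pms entry from `seinfo=platform` to `seinfo=pms` makes the pixel_modem_app domain depend on the dedicated PMS signing certificate instead of the platform key, which is the tighter binding; the mac_permissions.xml hunk that should map that certificate to the `pms` seinfo lost its content in this rendering, so the signer stanza cannot be reviewed here. Worth confirming that no other seapp_contexts line still matches `name=com.google.android.modem.pms` with `seinfo=platform`, otherwise a platform-signed build of the app would land in a different domain. The keys.conf hunk also adds a trailing empty line after the `[@PMS]` stanza.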
From 57bf47fc5cef973da7b270777ce47d9fae4a5208 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Fri, 29 Nov 2024 12:41:11 +0800 Subject: [PATCH 16/34] add permission for hl7132 sysfs Bug: 381457533 Test: adb bugreport Flag: EXEMPT bugfix Change-Id: I640957b4834e35f0c3aa9d3cd789865eff019dd3 Signed-off-by: Jack Wu --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ba380bc..d8b9f20 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -31,6 +31,8 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/registers_dump genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/registers_dump u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-005e/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-005e/registers_dump u:object_r:sysfs_power_dump:s0 genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 From afb2839d6ec1fbffe77aa9b37a17c3f3a90411a2 Mon Sep 17 00:00:00 2001 From: Rohan Narayanan Date: Tue, 3 Dec 2024 17:52:20 -0800 Subject: [PATCH 17/34] Add hal_shared_modem_platform to modem_diagnostic_app.te This is needed to access the modem platform HAL. FLAG: EXEMPT HAL interface change Test: manual testing of selinux Bug: 351024952 Change-Id: I95fc6b997e08ae46089ed90a1060c23274f6cd58 --- radio/modem_diagnostic_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index 60835a5..fb0bfea 100644 
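Review bot: The two hl7132 entries use different labels: `11-005e/power_supply` gets `sysfs_batteryinfo` while `11-005e/registers_dump` gets `sysfs_power_dump`, whereas the neighbouring `10-0057/registers_dump` and `10-005b/registers_dump` lines are labeled `sysfs_batteryinfo`. If the register dump is deliberately kept under the narrower dump label (it presumably exposes raw charger register state), a one-line comment such as `# hl7132: register dump kept on the power-dump label on purpose` would stop the next reader from treating it as a typo; if not, align it with the sibling entries.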
--- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -1,3 +1,4 @@ +# Selinux rule for ModemDiagnosticService (MDS) app type modem_diagnostic_app, domain; app_domain(modem_diagnostic_app) @@ -10,6 +11,7 @@ userdebug_or_eng(` allow modem_diagnostic_app sysfs_modem_state:file r_file_perms; hal_client_domain(modem_diagnostic_app, hal_power_stats); + hal_client_domain(modem_diagnostic_app, hal_shared_modem_platform); allow modem_diagnostic_app hal_vendor_radio_external_service:service_manager find; allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find; From c22f8701699b36e2c49f763aeaf303d37ef03033 Mon Sep 17 00:00:00 2001 From: Jeremy Nei Date: Tue, 26 Nov 2024 07:41:05 +0000 Subject: [PATCH 18/34] port display sysfs access Adds color_data access to sysfs_display Bug: 369456857 Test: adb shell displaycolor_service 20000 Flag: EXEMPT N/A Change-Id: Id2a00d138daad44d7135d5bd5652b128c1c63e46 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ba380bc..ea79abf 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -379,6 +379,7 @@ genfscon sysfs /devices/platform/19470000.drmdecon/hibernation genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/color_data u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0 
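Review bot: The new `hal_client_domain(modem_diagnostic_app, hal_shared_modem_platform);` appears to sit inside the `userdebug_or_eng(` block that opens before this hunk, so the MDS app can reach the shared modem platform HAL only on debug builds; the message says the access "is needed", so either that scope is intended and should be stated, or the line belongs outside the macro. The added header comment `# Selinux rule for ModemDiagnosticService (MDS) app` should read `# SELinux rules for the ModemDiagnosticService (MDS) app`.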
From a9b6884b3a0321f4bd576aba9ec44acc3598e368 Mon Sep 17 00:00:00 2001 From: jonerlin Date: Tue, 26 Nov 2024 06:59:59 +0000 Subject: [PATCH 19/34] allow hal_bluetooth_btlinux write sysfs file 12-04 19:32:23.040000 1002 784 784 I auditd : type=1400 audit(0.0:30): avc: denied { write } for comm="binder:784_2" name="uart_dbg" dev="sysfs" ino=60136 scontext=u:r:hal_bluetooth_btlinux:s0 tcontext=u:object_r:sysfs_bt_uart:s0 tclass=file permissive=0 12-04 19:32:23.040000 1002 784 784 W binder:784_2: type=1400 audit(0.0:30): avc: denied { write } for name="uart_dbg" dev="sysfs" ino=60136 scontext=u:r:hal_bluetooth_btlinux:s0 tcontext=u:object_r:sysfs_bt_uart:s0 tclass=file permissive=0 Bug: 376774204 Test: v2/pixel-pts/release/bootstress/1200counts/suspend-resume Flag: EXEMPT project configuration patch Change-Id: I6c1a28d0e5e22b03b088d64d550fd475d796ae67 --- vendor/file.te | 1 + vendor/genfs_contexts | 3 +++ vendor/hal_bluetooth_btlinux.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index 46f792e..9c90033 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -61,6 +61,7 @@ type chre_socket, file_type; # BT type vendor_bt_data_file, file_type, data_file_type; +type sysfs_bt_uart, sysfs_type, fs_type; # Vendor sched files userdebug_or_eng(` diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 0f4531f..1de2c8e 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -493,3 +493,6 @@ genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:obje # CPU genfscon sysfs /kernel/metrics/cpuidle_histogram/cpuidle_histogram u:object_r:sysfs_cpu:s0 genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:object_r:sysfs_cpu:s0 + +# Bluetooth +genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0 diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index 65e037d..272c372 100644 --- a/vendor/hal_bluetooth_btlinux.te 
+++ b/vendor/hal_bluetooth_btlinux.te @@ -1 +1,4 @@ +# Allow triggering uart skip suspend +allow hal_bluetooth_btlinux sysfs_bt_uart:file w_file_perms; + allow hal_bluetooth_btlinux vendor_bt_data_file:sock_file create_file_perms; From 30570259fe8c6aa6274c2a81e27874b80ee89cf2 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 5 Dec 2024 10:49:00 +0800 Subject: [PATCH 20/34] Update SELinux error Flag: EXEMPT sepolicy Test: SELinuxUncheckedDenialBootTest Bug: 382362300 Bug: 366116096 Change-Id: I8cf6742ded1f3b90b46909ee0ac47c9f33258466 --- tracking_denials/bluetooth.te | 2 ++ tracking_denials/bug_map | 1 - tracking_denials/grilservice_app.te | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 tracking_denials/bluetooth.te diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te new file mode 100644 index 0000000..3136980 --- /dev/null +++ b/tracking_denials/bluetooth.te @@ -0,0 +1,2 @@ +# b/382362300 +dontaudit bluetooth default_android_service:service_manager { find }; diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 257ef83..149d961 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,7 +6,6 @@ dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 dumpstate system_data_file dir b/377787445 -grilservice_app default_android_service service_manager b/366116096 grilservice_app twoshay binder b/375564898 hal_gnss_default vendor_gps_prop file b/318310869 hal_gnss_pixel vendor_gps_file file b/378004800 diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te index c4dc75e..4ebeba8 100644 --- a/tracking_denials/grilservice_app.te +++ b/tracking_denials/grilservice_app.te 
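Review bot: `allow hal_bluetooth_btlinux sysfs_bt_uart:file w_file_perms;` matches the `{ write }` denial quoted in the message, and giving `/devices/platform/155d0000.serial/uart_dbg` its own `sysfs_bt_uart` type instead of widening generic `sysfs` is the right shape. The comment `# Allow triggering uart skip suspend` is terse for a new rule; something like `# Write uart_dbg on the BT UART (155d0000.serial, labeled sysfs_bt_uart in genfs_contexts) so the HAL can ask the driver to skip suspend` ties the rule to the type introduced in file.te and the node in genfs_contexts. If only a write is ever needed, `{ open write }` would be narrower than w_file_perms, though the macro is the conventional choice.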
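Review bot: Moving grilservice_app's b/366116096 out of bug_map into a `dontaudit ... default_android_service:service_manager { find };` rule (here for bluetooth and in the grilservice_app.te hunk that follows) trades a logged-but-tolerated denial for a silent one; once the avc stops appearing, the bug is the only trace that the lookup is failing. A `default_android_service` target also indicates the service being looked up has no specific entry in service_contexts, so the durable fix is to label that service rather than to suppress the audit. Keep the bug-id comments these rules already carry and record a removal plan in the bugs so the dontaudits do not outlive the investigation.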
@@ -1,2 +1,4 @@ # b/312069580 dontaudit grilservice_app hal_bluetooth_coexistence_service:service_manager { find }; +# b/366116096 +dontaudit grilservice_app default_android_service:service_manager { find }; From 1e5b6fb9ebcc802fd23458b10cd3bfc1dcb873c3 Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Fri, 6 Dec 2024 04:07:23 +0000 Subject: [PATCH 21/34] Allow tachyon service to make binder calls to GCA This permission is needed for tachyon service to call callbacks. AVC Error seen when tachyon tries accessing GCA: 12-02 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0 12-03 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0 Bug: 381787911 Flag: EXEMPT updates device sepolicy only Change-Id: Iaa61d70cdffb75024c497482f4c0a6cab493bec3 --- vendor/debug_camera_app.te | 6 +++++- vendor/google_camera_app.te | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index ddc4337..6c8a549 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -1,4 +1,8 @@ +# File containing sepolicies for GCA-Eng & GCA-Next. userdebug_or_eng(` # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12. allow debug_camera_app hw_jpg_device:chr_file rw_file_perms; -') \ No newline at end of file + + # Allows tachyon_service to communicate with GCA-Eng via binder. + binder_call(edgetpu_tachyon_server, debug_camera_app); +') diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index c572c26..5c4c6f0 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
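Review bot: `binder_call(edgetpu_tachyon_server, debug_camera_app);` grants the tachyon server `call` and `transfer` toward the GCA-Eng domain, which matches the `{ call }` denial in the message, and placing it inside `userdebug_or_eng(` keeps the debug app's rule out of user builds. The two new comments name the caller as `tachyon_service`/`tachyon service` while the policy domain is `edgetpu_tachyon_server`; using the domain name, e.g. `# Allow edgetpu_tachyon_server to deliver binder callbacks to GCA-Eng.`, keeps the comment greppable against the rule. The same wording point applies to the google_camera_app.te hunk.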
@@ -8,3 +8,6 @@ allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }
 # Allows GCA to access the hw_jpeg /dev/video12.
 allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+
+# Allows tachyon service to communicate with google_camera_app via binder.
+binder_call(edgetpu_tachyon_server, google_camera_app);
From 862fbd7fe0e47903dd7ad0aac2c6680f0c0fbb17 Mon Sep 17 00:00:00 2001 From: Eileen Lai Date: Fri, 6 Dec 2024 12:58:34 +0000 Subject: [PATCH 22/34] modem_svc: move shared_modem_platform related sepolicy to gs-common Bug: 372400955 Change-Id: I9b69d1754f718faac51e89bb10c3a2ba604d2bae Flag: NONE local testing only
---
 radio/file_contexts | 1 - radio/modem_svc_sit.te | 3 --- zumapro-sepolicy.mk | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/radio/file_contexts b/radio/file_contexts
index 42086a3..34e7e8b 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -10,7 +10,6 @@
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
-/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0
 # Config files
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index d23274c..a2fd70a 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@@ -38,9 +38,6 @@ get_prop(modem_svc_sit, vendor_logger_prop)
 allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
 get_prop(modem_svc_sit, hwservicemanager_prop)
-# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
-hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
-
 # Write trace data to the Perfetto traced daemon. This requires connecting to
 # its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(modem_svc_sit)
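Review bot: `binder_call(edgetpu_tachyon_server, google_camera_app)` is unconditional, so on user builds a vendor HAL domain may initiate binder transactions into the camera app; that is acceptable for callbacks, but the comment `# Allows tachyon service to communicate with google_camera_app via binder.` should say that this is the server->app direction and what it is for. Suggest `# Let the tachyon server deliver callbacks to GCA (server->app direction); the app's own access to tachyon is granted separately.` The matching app->server rule is not in this hunk; worth confirming it exists, since without it the app cannot register the callback in the first place. The enclosing file continues past the hunk.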
diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk
index 4edddb2..3112db3 100644
--- a/zumapro-sepolicy.mk
+++ b/zumapro-sepolicy.mk
@@ -1,6 +1,6 @@
 # sepolicy that are shared among devices using zumapro
 BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor
-BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private
 # unresolved SELinux error log with bug tracking
From db19f527d7bd467acf038c926a34f8815cb37c04 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Mon, 9 Dec 2024 11:43:18 +0800 Subject: [PATCH 23/34] Update SELinux error copy bug_map entry from zuma Test: SELinuxUncheckedDenialBootTest Bug: 383013471 Flag: EXEMPT sepolicy Change-Id: I514eb622b02f13b23aa3f9fe9c699b856a196c00
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 149d961..f31c57c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,6 +7,7 @@ dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
+hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
From 20707fd77f77717f7ff43bbe82526c4a59e50680 Mon Sep 17 00:00:00 2001
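Review bot: The switch from `BOARD_SEPOLICY_DIRS` to `BOARD_VENDOR_SEPOLICY_DIRS` for the radio directory is not mentioned in the commit message, which only describes moving shared_modem_platform policy to gs-common, and it leaves the adjacent `vendor` line on the old variable so the file is now inconsistent. If the rename is deliberate, state why in the message and either apply it to the `vendor` line as well or add `# radio policy is registered via BOARD_VENDOR_SEPOLICY_DIRS; see b/372400955` above the line; if it is incidental, it belongs in its own change so a policy-placement edit gets its own review. Which variable the build actually consumes on this branch is not visible here, so please verify the radio rules still land in the vendor policy.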
From: Roy Luo Date: Mon, 9 Dec 2024 13:21:14 +0000 Subject: [PATCH 24/34] Add udc sysfs to udc_sysfs fs context Meeded for system server to monitor usb gadget state. Grant hal_usb_impl read access as it's needed by UsbDataSessionMonitor. Starting at board level api 202504 due to its dependency on aosp/3337514 10956 10956 W android.hardwar: type=1400 audit(0.0:327): avc: denied { read } for name="state" dev="sysfs" ino=84394 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_udc:s0 tclass=file permissive=0 Bug: 339241080 Test: tested on Tokay Flag: android.hardware.usb.flags.enable_udc_sysfs_usb_state_update Change-Id: Iab79eec9a836d70792dfaa64eb24a5c013dc85aa
---
 vendor/genfs_contexts | 5 +++++ vendor/hal_usb_impl.te | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 1ac8351..7bb4de4 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -499,3 +499,8 @@ genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:obje
 # Bluetooth
 genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0
+
+# USB
+starting_at_board_api(202504, `
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0
+')
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
index e882d28..aaa9fae 100644
--- a/vendor/hal_usb_impl.te
+++ b/vendor/hal_usb_impl.te
@@ -30,4 +30,6 @@ allow hal_usb_impl usb_device:dir r_dir_perms;
 # For monitoring usb sysfs attributes
 allow hal_usb_impl sysfs_wakeup:dir search;
 allow hal_usb_impl sysfs_wakeup:file r_file_perms;
-
+starting_at_board_api(202504, `
+allow hal_usb_impl sysfs_udc:file r_file_perms;
+')
From 41ee821beab31de6479ab4fee69a71a144fd014b Mon Sep 17 00:00:00 2001
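Review bot: The `# USB` heading above the new `genfscon` says nothing about why only the single `state` attribute gets `sysfs_udc` or why it is gated on board API 202504, and the commit message carries that reasoning instead of the file. Suggest `# UDC gadget state, read by system_server and UsbDataSessionMonitor (hal_usb_impl); labelled only from board API 202504 because the platform-side consumer landed in aosp/3337514.` The read-only `r_file_perms` grant in hal_usb_impl.te is appropriately narrow; just note that the `starting_at_board_api` body there is not indented, while other macro bodies in this series (debug_camera_app.te) are, so pick one convention.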
From: Nina Chen Date: Fri, 13 Dec 2024 14:33:57 +0800 Subject: [PATCH 25/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Flag: EXEMPT sepolicy Bug: 383949166 Change-Id: I1d850c23cc01802f2abc4350019b81dda61c8bbd
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index f31c57c..95dfb96 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -39,4 +39,5 @@ system_suspend sysfs_touch dir b/375563932
 system_suspend sysfs_touch_gti dir b/350830429
 systemui_app system_data_file dir b/375564360
 untrusted_app audio_config_prop file b/379245853
+zygote aconfig_storage_metadata_file dir b/383949166
 zygote zygote capability b/379206406
From 13173c755df7af0c40eb2d481376bfaaf009c35a Mon Sep 17 00:00:00 2001 From: timmyli Date: Fri, 13 Dec 2024 21:21:00 +0000 Subject: [PATCH 26/34] Remove hal_camera_default aconfig_storage_metadata_file from bug map Bug: 383013471 Test: manual test to see no avc denial Flag: EXEMPT bug fix Change-Id: I616c416194e17a645e217a5f81d14ae08c4214d3
---
 tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 95dfb96..622d78f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,7 +7,6 @@ dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
-hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
From 1cc3b8e59b43d6a3a5f7a79d48551251511efe54 Mon Sep 17 00:00:00 2001
From: Jeremy Nei Date: Mon, 16 Dec 2024 05:53:41 +0000 Subject: [PATCH 27/34] display/hwc: Add write access to persist display file. 12-06 21:50:44.540 466 466 W vndbinder:466_2: type=1400 audit(0.0:186): avc: denied { write } for name="factory_c al0.pb" dev="sda1" ino=40 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:persist_display_file:s0 tcla ss=file permissive=0 Bug: 369456857 Test: adb shell displaycolor_service 20000 Flag: EXEMPT not applicable Change-Id: I97a1d8e701d02d37e7d3be80a92d311948863536
---
 vendor/hal_graphics_composer_default.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 893a34e..de8b708 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -26,7 +26,7 @@ add_service(hal_graphics_composer_default, hal_pixel_display_service)
 # allow HWC/libdisplaycolor to read calibration data
 allow hal_graphics_composer_default mnt_vendor_file:dir search;
 allow hal_graphics_composer_default persist_file:dir search;
-allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:file rw_file_perms;
 allow hal_graphics_composer_default persist_display_file:dir search;
 # allow HWC to get/set vendor_display_prop
From ee9544c6bb03a52f1f8197bf910893ed92b27c50 Mon Sep 17 00:00:00 2001 From: Timmy Li Date: Mon, 16 Dec 2024 16:32:22 -0800 Subject: [PATCH 28/34] Revert "Remove hal_camera_default aconfig_storage_metadata_file ..." Revert submission 30893287-hal_camera_default_ aconfig_storage_metadata_file Reason for revert: b/384580942 Reverted changes: /q/submissionid:30893287-hal_camera_default_+aconfig_storage_metadata_file Change-Id: Ib55a2e4e724c233cfba8bb47bcc84e7f6dcfe087
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
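Review bot: The rule now grants `rw_file_perms` on `persist_display_file`, but the comment two lines above still reads `# allow HWC/libdisplaycolor to read calibration data`, so the block contradicts itself, and the AVC in the message shows the write target is `factory_cal0.pb` on the persist partition, i.e. factory calibration that survives a factory reset. Suggest `# allow HWC/libdisplaycolor to read and update display calibration (factory_cal*.pb) under the persist mount searched above`, and since the only reproduction given is the `displaycolor_service` tool in the Test line, consider keeping `r_file_perms` here and adding the write half inside `userdebug_or_eng` unless production HWC genuinely rewrites calibration. `rw_file_perms` does not include `create`/`unlink`, so the file must already exist; worth stating that this is intended.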
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 622d78f..95dfb96 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,6 +7,7 @@ dump_modem sscoredump_vendor_data_coredump_file dir b/361726331
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
+hal_camera_default aconfig_storage_metadata_file dir b/383013471
 hal_gnss_default vendor_gps_prop file b/318310869
 hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
From 38a097edebdce34d42102fa6ae3fc64dade88194 Mon Sep 17 00:00:00 2001 From: Wayne Lin Date: Tue, 17 Dec 2024 11:25:45 +0800 Subject: [PATCH 29/34] remove b/378004800 and b/318310869 from bugmap Bug: 318310869 Bug: 378004800 Test: no avc denial Flag: EXEMPT clean up bugmap Change-Id: Id4aebb7862309978d30c9e93a24437de27f61e49
---
 tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 95dfb96..8e753a4 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,8 +8,6 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
-hal_gnss_default vendor_gps_prop file b/318310869
-hal_gnss_pixel vendor_gps_file file b/378004800
 hal_graphics_composer_default sysfs file b/379245673
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
From 67452ae3ab58e601eb7e1f55dbd36153b94b4667 Mon Sep 17 00:00:00 2001
From: James Huang Date: Tue, 17 Dec 2024 04:45:04 +0000 Subject: [PATCH 30/34] gps: Remove GNSS SELinux error bug from bug_map Bug: 309550514 Bug: 309550905 Bug: 309551062 Flag: EXEMPT clean up bug_map Test: no avc denial Change-Id: Ie0446e3b93ba26cc9ac35f70c7cd4c1c45ed1cd9
---
 tracking_denials/bug_map | 5 ----- 1 file changed, 5 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 95dfb96..5d79c75 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -28,12 +28,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
-sctd sctd tcp_socket b/309550514
-sctd swcnd unix_stream_socket b/309550514
-sctd vendor_persist_config_default_prop file b/309550514
 shell sysfs_net file b/338347525
-spad spad unix_stream_socket b/309550905
-swcnd swcnd unix_stream_socket b/309551062
 system_suspend sysfs dir b/375563932
 system_suspend sysfs_touch dir b/375563932
 system_suspend sysfs_touch_gti dir b/350830429
From f856a0c782605a17cc09c59026d0d280e180e628 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Wed, 18 Dec 2024 11:49:20 +0800 Subject: [PATCH 31/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 384376420 Flag: EXEMPT sepolicy Change-Id: Ie204c23c4abbca1c508939fba51e25de63024b20
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 5c26b87..62a85d3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -26,6 +26,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
+servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
 system_suspend sysfs dir b/375563932
 system_suspend sysfs_touch dir b/375563932
From dc2ef84217099a230d35b8627eb76ef516bc862f Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Tue, 24 Dec 2024 18:32:17 +0800 Subject: [PATCH 32/34] Update SELinux error. Test: SELinuxUncheckedDenialBootTest Bug: 385858548 Bug: 385858779 Bug: 385829048 Flag: EXEMPT bugfix Change-Id: I50e70778b62a5e6142882e99f73f7f3b4597cfa4
---
 tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 62a85d3..a6e5ada 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ hal_graphics_composer_default sysfs file b/379245673
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
 init init capability b/379206528
+insmod-sh vendor_edgetpu_debugfs dir b/385858548
 kernel sepolicy_file file b/353418189
 kernel system_bootstrap_lib_file dir b/353418189
 kernel system_bootstrap_lib_file file b/353418189
@@ -26,6 +27,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
+ramdump_app privapp_data_file lnk_file b/385858779
 servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
 system_suspend sysfs dir b/375563932
From 47091d3760b2b7b5c9a5aab4d6b47fd5b892e9a0 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 26 Dec 2024 08:26:51 +0000 Subject: [PATCH 33/34] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 386149336 Flag: EXEMPT update sepolicy Change-Id: Ia6c47df7b264d75e4cbcf68109a9fb447d9c1422
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index a6e5ada..bec9065 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -27,6 +27,7 @@ platform_app vendor_rild_prop file b/377412254
 priv_app audio_config_prop file b/379245788
 radio audio_config_prop file b/379244519
 ramdump ramdump capability b/369475712
+ramdump_app default_prop file b/386149336
 ramdump_app privapp_data_file lnk_file b/385858779
 servicemanager modem_logging_control binder b/384376420
 shell sysfs_net file b/338347525
From 86a67d00f3dde4d2ebd6e0cefffe4d0289723262 Mon Sep 17 00:00:00 2001 From: Hung-Yeh Lee Date: Thu, 2 Jan 2025 15:30:13 +0800 Subject: [PATCH 34/34] display: mark dual display related nodes as sysfs_display auditd : type=1400 audit(0.0:8): avc: denied { write } for comm="binder:497_1" name="expected_present_time_ns" dev="sysfs" ino=84293 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 auditd : type=1400 audit(0.0:186): avc: denied { write } for comm="binder:497_6" name="frame_interval_ns" dev="sysfs" ino=84294 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 379245673 Test: reboot and logcat Flag: EXEMPT sepolicy Change-Id: I724e8884770dbdc5569d378f9a2d8e415bdb9ca9
---
 tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bec9065..418fa0d 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,7 +8,6 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361726331
 dumpstate system_data_file dir b/377787445
 grilservice_app twoshay binder b/375564898
 hal_camera_default aconfig_storage_metadata_file dir b/383013471
-hal_graphics_composer_default sysfs file b/379245673
 hal_power_default hal_power_default capability b/350830411
 incidentd incidentd anon_inode b/322917075
 init init capability b/379206528
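Review bot: The commit title says the dual-display nodes are being marked `sysfs_display`, but the only change in this patch is deleting the `hal_graphics_composer_default sysfs file b/379245673` line from bug_map; the diffstat lists just `tracking_denials/bug_map`, so no `genfscon` relabel is part of it. If the relabel landed elsewhere (gs-common, a kernel dts, or another change in this topic), the message should cite that change so a reader can confirm the two `expected_present_time_ns`/`frame_interval_ns` write denials quoted above are actually resolved; otherwise removing the tracking entry will only turn them back into boot-test failures. Suggest adding a line such as `Relabel done in <project>/<change-id>` to the message, or folding the genfs_contexts change into this patch.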