Sync with device/google/zuma-sepolicy cfa00dfc881e3

Bug: 272725898 Change-Id: I9125ed760c0b4c688cf37720f5d4a744f2484be7
2023-04-11 10:25:55 +00:00 · 2023-04-11 10:25:55 +00:00 · d9e2e6aae9
commit d9e2e6aae9
parent bff99af2da
20 changed files with 43 additions and 53 deletions
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@ -0,0 +1,2 @@
+# b/277300125
+dontaudit vendor_init device_config_configuration_prop:property_service { set };
--- a/radio/hal_radioext_default.te
+++ b/radio/hal_radioext_default.te
@ -19,3 +19,9 @@ allow hal_radioext_default radio_vendor_data_file:file create_file_perms;

 # Bluetooth
 allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+
+# Twoshay
+binder_use(hal_radioext_default)
+allow hal_radioext_default gril_antenna_tuning_service:service_manager find;
+binder_call(hal_radioext_default, gril_antenna_tuning_service)
+binder_call(hal_radioext_default, twoshay)
--- a/radio/keys.conf
+++ b/radio/keys.conf
@ -1,3 +1,3 @@
 [@MDS]
-ALL : device/google/zuma-sepolicy/radio/certs/com_google_mds.x509.pem
+ALL : device/google/zumapro-sepolicy/radio/certs/com_google_mds.x509.pem

--- a/radio/property.te
+++ b/radio/property.te
@ -1,3 +1,4 @@
+# P24 vendor properties
 vendor_internal_prop(vendor_carrier_prop)
 vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_slog_prop)
@ -9,8 +10,8 @@ vendor_internal_prop(vendor_ssrdump_prop)
 vendor_internal_prop(vendor_wifi_version)
 vendor_internal_prop(vendor_imssvc_prop)
 vendor_internal_prop(vendor_gps_prop)
-vendor_internal_prop(vendor_logger_prop)
 vendor_internal_prop(vendor_tcpdump_log_prop)

 # Telephony debug app
 vendor_internal_prop(vendor_telephony_app_prop)
+
--- a/radio/property_contexts
+++ b/radio/property_contexts
@ -20,7 +20,6 @@ persist.vendor.config.                     u:object_r:vendor_persist_config_defa
 # for logger app
 vendor.pixellogger.                        u:object_r:vendor_logger_prop:s0
 persist.vendor.pixellogger.                u:object_r:vendor_logger_prop:s0
-persist.vendor.verbose_logging_enabled     u:object_r:vendor_logger_prop:s0

 # Modem
 persist.vendor.modem.                      u:object_r:vendor_modem_prop:s0
@ -57,3 +56,4 @@ persist.vendor.gps.                        u:object_r:vendor_gps_prop:s0
 # Tcpdump_logger
 persist.vendor.tcpdump.log.alwayson        u:object_r:vendor_tcpdump_log_prop:s0
 vendor.tcpdump.                            u:object_r:vendor_tcpdump_log_prop:s0
+
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@ -21,8 +21,6 @@ hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940
 hal_power_default sysfs file b/273638876
 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151
 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
-hal_thermal_default sysfs file b/272166722
-hal_thermal_default sysfs file b/272166987
 hal_uwb_default debugfs file b/273639365
 incidentd apex_art_data_file file b/272628762
 incidentd incidentd anon_inode b/274374992
@ -49,6 +47,8 @@ untrusted_app default_android_service service_manager b/264599934
 vendor_init device_config_configuration_prop property_service b/267714573
 vendor_init device_config_configuration_prop property_service b/268566481
 vendor_init device_config_configuration_prop property_service b/273143844
+vendor_init device_config_configuration_prop property_service b/275645636
+vendor_init device_config_configuration_prop property_service b/275646003
 vendor_init tee_data_file lnk_file b/267714573
 vendor_init tee_data_file lnk_file b/272166664
 vendor_init vendor_camera_prop property_service b/267714573
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@ -0,0 +1,2 @@
+# b/277155496
+dontaudit dumpstate default_android_service:service_manager { find };
--- a/tracking_denials/gmscore_app.te
+++ b/tracking_denials/gmscore_app.te
@ -1,10 +0,0 @@
-# b/259302023
-dontaudit gmscore_app property_type:file *;
-# b/260365725
-dontaudit gmscore_app property_type:file *;
-# b/260522434
-dontaudit gmscore_app modem_img_file:filesystem { getattr };
-# b/264489521
-userdebug_or_eng(`
-  permissive gmscore_app;
-')
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@ -1,29 +1,7 @@
-# b/262455755
-dontaudit google_camera_app activity_service:service_manager { find };
-dontaudit google_camera_app cameraserver_service:service_manager { find };
-dontaudit google_camera_app content_capture_service:service_manager { find };
-dontaudit google_camera_app device_state_service:service_manager { find };
-dontaudit google_camera_app edgetpu_app_service:service_manager { find };
-dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
-dontaudit google_camera_app edgetpu_device:chr_file { map };
-dontaudit google_camera_app edgetpu_device:chr_file { read write };
-dontaudit google_camera_app fwk_stats_service:service_manager { find };
-dontaudit google_camera_app game_service:service_manager { find };
-dontaudit google_camera_app mediaserver_service:service_manager { find };
-dontaudit google_camera_app netstats_service:service_manager { find };
-dontaudit google_camera_app sensorservice_service:service_manager { find };
-dontaudit google_camera_app surfaceflinger_service:service_manager { find };
-dontaudit google_camera_app thermal_service:service_manager { find };
 # b/264490031
 userdebug_or_eng(`
  permissive google_camera_app;
-')# b/264483456
-dontaudit google_camera_app backup_service:service_manager { find };
-# b/264600171
-dontaudit google_camera_app audio_service:service_manager { find };
-dontaudit google_camera_app legacy_permission_service:service_manager { find };
-dontaudit google_camera_app permission_checker_service:service_manager { find };
-# b/265220235
-dontaudit google_camera_app virtual_device_service:service_manager { find };
-# b/267843408
-dontaudit google_camera_app device_policy_service:service_manager { find };
+')
+# b/277300017
+dontaudit google_camera_app cameraserver_service:service_manager { find };
+dontaudit google_camera_app mediaserver_service:service_manager { find };
--- a/tracking_denials/hal_radioext_default.te
+++ b/tracking_denials/hal_radioext_default.te
@ -0,0 +1,2 @@
+# b/275646098
+dontaudit hal_radioext_default service_manager_type:service_manager find;
--- a/tracking_denials/logd.te
+++ b/tracking_denials/logd.te
@ -1,7 +0,0 @@
-# b/261105354
-dontaudit logd trusty_log_device:chr_file { open };
-dontaudit logd trusty_log_device:chr_file { read };
-# b/264489639
-userdebug_or_eng(`
-  permissive logd;
-')
--- a/tracking_denials/systemui.te
+++ b/tracking_denials/systemui.te
@ -1,4 +0,0 @@
-# b/264266705
-userdebug_or_eng(`
-    permissive systemui_app;
-')
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -163,5 +163,5 @@
 /dev/dma_heap/farawimg-secure                                               u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/vframe-secure                                                 u:object_r:video_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure                                                u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vstream-secure                                                u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vstream-secure                                                u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci                                                                    u:object_r:uci_device:s0
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@ -6,3 +6,10 @@ allow google_camera_app gxp_device:chr_file rw_file_perms;

 # Allows camera app to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
+
+# Allow camera app to access the a subset of app services.
+allow google_camera_app app_api_service:service_manager find;
+
+# Allows GCA to access the EdgeTPU device.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@ -1,3 +1,4 @@
 allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sysfs_ota:file rw_file_perms;
+allow hal_bootctl_default tee_device:chr_file rw_file_perms;
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@ -14,6 +14,10 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms;
 allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
 allow hal_camera_default edgetpu_vendor_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_vendor_server)
+# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
+# library has a dependency on edgetpu_app_service, see b/275016466.
+allow hal_camera_default edgetpu_app_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_app_server)

 # Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;
--- a/vendor/logd.te
+++ b/vendor/logd.te
@ -0,0 +1,4 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
+allow logd trusty_log_device:chr_file r_file_perms;
+
--- a/vendor/property.te
+++ b/vendor/property.te
@ -10,3 +10,4 @@ vendor_internal_prop(vendor_usb_config_prop)

 # Dynamic sensor
 vendor_internal_prop(vendor_dynamic_sensor_prop)
+
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@ -17,3 +17,4 @@ vendor.usb.                                u:object_r:vendor_usb_config_prop:s0

 # Dynamic sensor
 vendor.dynamic_sensor.                     u:object_r:vendor_dynamic_sensor_prop:s0
+
--- a/vendor/twoshay.te
+++ b/vendor/twoshay.te
@ -1,2 +1,4 @@
 # Allow ITouchContextService callback
 binder_call(twoshay, systemui_app)
+
+binder_call(twoshay, hal_radioext_default)