From ee58427ea3e3955e3678ee0714e9674e59716b02 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Wed, 19 Jun 2024 16:07:50 +0800 Subject: [PATCH 01/50] add permission for rt9471 sysfs Bug: 347914940 Test: adb bugreport Flag: EXEMPT bugfix Change-Id: I155c58d857f676fc3a2ff6c2fe9be6262405c7b9 Signed-off-by: Jack Wu --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 31066c0..8887171 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -29,6 +29,8 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-003b/power_supply genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/registers_dump u:object_r:sysfs_power_dump:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/registers_dump u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 From d44695709cddd3d767117bfdbf298cebc4ee683d Mon Sep 17 00:00:00 2001 From: Daniel Trofimiuk Date: Mon, 27 May 2024 15:28:08 +0000 Subject: [PATCH 02/50] sepolicy: add rules for using aidl from RCS Service allow to find hal_vendor_radio_external_service Enable AIDL for V requirement AVC log in b/281968564#comment208 and go/v-ril-hal-migration Bug: 281968564 Test: telephony function test Flag: EXEMPT HAL interface change Change-Id: I39544e24ebe732e4ebab1044eade998ef534ebf6 Signed-off-by: Daniel Trofimiuk --- radio/vendor_rcs_app.te | 1 + 1 file changed, 1 insertion(+) 
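Review bot: The added `10-005b/registers_dump` entry is labeled `sysfs_batteryinfo`, while the existing `10-0057/registers_dump` entry in the context lines just above it uses the narrower `sysfs_power_dump`. With this label the raw charger register dump becomes readable by every domain that may read `sysfs_batteryinfo`, which is presumably a wider set than the dump collectors. Unless a known reader lacks `sysfs_power_dump` access, follow the sibling entry: `genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/registers_dump u:object_r:sysfs_power_dump:s0`.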
diff --git a/radio/vendor_rcs_app.te b/radio/vendor_rcs_app.te index 37cadef..07d1486 100644 --- a/radio/vendor_rcs_app.te +++ b/radio/vendor_rcs_app.te @@ -5,5 +5,6 @@ net_domain(vendor_rcs_app) allow vendor_rcs_app app_api_service:service_manager find; allow vendor_rcs_app radio_service:service_manager find; allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find; +allow vendor_rcs_app hal_vendor_radio_external_service:service_manager find; binder_call(vendor_rcs_app, rild) From 8dd51f11adcddd1c6b3b5b4d2de8a8821db2f925 Mon Sep 17 00:00:00 2001 From: Sungwoo choi Date: Wed, 24 Apr 2024 15:16:21 +0900 Subject: [PATCH 03/50] sepolicy: declare hal_vendor_radio_external_service Enable AIDL for V requirement AVC log in b/281968564#comment208 and go/v-ril-hal-migration Bug: 281968564 Test: telephony function test Flag: EXEMPT HAL interface change Change-Id: Id523192adf8ab2d60f1778b97274f5357d06707c Signed-off-by: Sungwoo choi --- legacy/zuma/vendor/hal_secure_element_uicc.te | 2 ++ radio/bipchmgr.te | 2 ++ radio/oemrilservice_app.te | 3 +++ radio/radio.te | 2 ++ radio/rild.te | 1 + radio/service.te | 3 ++- radio/service_contexts | 3 ++- radio/vendor_engineermode_app.te | 2 ++ radio/vendor_ims_app.te | 2 ++ radio/vendor_satellite_service.te | 4 +++- radio/vendor_telephony_debug_app.te | 3 +++ 11 files changed, 24 insertions(+), 3 deletions(-) diff --git a/legacy/zuma/vendor/hal_secure_element_uicc.te b/legacy/zuma/vendor/hal_secure_element_uicc.te index 8cd1cb3..96cbf18 100644 --- a/legacy/zuma/vendor/hal_secure_element_uicc.te +++ b/legacy/zuma/vendor/hal_secure_element_uicc.te @@ -10,3 +10,5 @@ crash_dump_fallback(hal_secure_element_uicc) # Allow hal_secure_element_uicc to access rild binder_call(hal_secure_element_uicc, rild); allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find; +allow hal_secure_element_uicc hal_vendor_radio_external_service:service_manager find; +binder_call(hal_secure_element_uicc, servicemanager) 
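Review bot: The new `allow vendor_rcs_app hal_vendor_radio_external_service:service_manager find;` uses a type this patch does not declare; the `type hal_vendor_radio_external_service, ...` line only arrives in radio/service.te with PATCH 03/50. Applied in series order, the policy at this commit would presumably fail to compile, which breaks bisection. Either reorder the two patches or fold this rule into the declaring change. The re-land pair (PATCH 08/50 and 09/50) repeats the same order.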
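Review bot: `binder_call(hal_secure_element_uicc, servicemanager)` hand-rolls servicemanager access; the policy macro for a domain that looks services up through servicemanager is `binder_use(hal_secure_element_uicc)`, which also grants servicemanager's side of the exchange. The same line is repeated in the bipchmgr, oemrilservice_app, radio, vendor_engineermode_app, vendor_ims_app, vendor_satellite_service and vendor_telephony_debug_app hunks of this patch. For domains set up with `app_domain()` (visible for vendor_satellite_service) the line is likely redundant, because app domains normally already have servicemanager access. A short comment above each new `find` rule naming the AIDL interface, for example `# AIDL IOemSlsiRadioExternal served by rild`, would match the commented rules already in this file.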
diff --git a/radio/bipchmgr.te b/radio/bipchmgr.te index 9298e32..3e07f0f 100644 --- a/radio/bipchmgr.te +++ b/radio/bipchmgr.te @@ -7,3 +7,5 @@ get_prop(bipchmgr, hwservicemanager_prop); allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find; hwbinder_use(bipchmgr) binder_call(bipchmgr, rild) +allow bipchmgr hal_vendor_radio_external_service:service_manager find; +binder_call(bipchmgr, servicemanager) diff --git a/radio/oemrilservice_app.te b/radio/oemrilservice_app.te index b055dbe..f52e433 100644 --- a/radio/oemrilservice_app.te +++ b/radio/oemrilservice_app.te @@ -7,3 +7,6 @@ allow oemrilservice_app radio_service:service_manager find; binder_call(oemrilservice_app, rild) set_prop(oemrilservice_app, vendor_rild_prop) + +allow oemrilservice_app hal_vendor_radio_external_service:service_manager find; +binder_call(oemrilservice_app, servicemanager) diff --git a/radio/radio.te b/radio/radio.te index 721e018..d50a5e8 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -7,3 +7,5 @@ allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; allow radio aoc_device:chr_file rw_file_perms; allow radio scheduling_policy_service:service_manager find; +allow radio hal_vendor_radio_external_service:service_manager find; +binder_call(radio, servicemanager) diff --git a/radio/rild.te b/radio/rild.te index 535a6b4..80582d9 100644 --- a/radio/rild.te +++ b/radio/rild.te @@ -37,6 +37,7 @@ crash_dump_fallback(rild) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) +add_service(rild, hal_vendor_radio_external_service) # Allow rild to access files on modem img. allow rild modem_img_file:dir r_dir_perms; diff --git a/radio/service.te b/radio/service.te index 349e658..112bc09 100644 --- a/radio/service.te +++ b/radio/service.te 
@@ -1,2 +1,3 @@ # Define liboemservice_proxy_service. -type liboemservice_proxy_service, hal_service_type, service_manager_type; \ No newline at end of file +type liboemservice_proxy_service, hal_service_type, service_manager_type; +type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; \ No newline at end of file diff --git a/radio/service_contexts b/radio/service_contexts index d463150..162dd29 100644 --- a/radio/service_contexts +++ b/radio/service_contexts @@ -1,2 +1,3 @@ # DMD oemservice aidl proxy. -com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 \ No newline at end of file +com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 +vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 \ No newline at end of file diff --git a/radio/vendor_engineermode_app.te b/radio/vendor_engineermode_app.te index d35403a..83baa8b 100644 --- a/radio/vendor_engineermode_app.te +++ b/radio/vendor_engineermode_app.te @@ -5,6 +5,8 @@ binder_call(vendor_engineermode_app, rild) allow vendor_engineermode_app app_api_service:service_manager find; allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find; +allow vendor_engineermode_app hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_engineermode_app, servicemanager) userdebug_or_eng(` dontaudit vendor_engineermode_app default_prop:file r_file_perms; diff --git a/radio/vendor_ims_app.te b/radio/vendor_ims_app.te index b0aba05..187d369 100644 --- a/radio/vendor_ims_app.te +++ b/radio/vendor_ims_app.te @@ -21,3 +21,5 @@ get_prop(vendor_ims_app, vendor_imssvc_prop) userdebug_or_eng(` get_prop(vendor_ims_app, vendor_ims_tiss_prop) ') +allow vendor_ims_app hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_ims_app, servicemanager) 
diff --git a/radio/vendor_satellite_service.te b/radio/vendor_satellite_service.te index f6a1fa2..392a28c 100644 --- a/radio/vendor_satellite_service.te +++ b/radio/vendor_satellite_service.te @@ -3,4 +3,6 @@ type vendor_satellite_service, domain; app_domain(vendor_satellite_service); allow vendor_satellite_service app_api_service:service_manager find; allow vendor_satellite_service hal_exynos_rild_hwservice:hwservice_manager find; -binder_call(vendor_satellite_service, rild) \ No newline at end of file +binder_call(vendor_satellite_service, rild) +allow vendor_satellite_service hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_satellite_service, servicemanager) \ No newline at end of file diff --git a/radio/vendor_telephony_debug_app.te b/radio/vendor_telephony_debug_app.te index 539fffc..3c10e0b 100644 --- a/radio/vendor_telephony_debug_app.te +++ b/radio/vendor_telephony_debug_app.te @@ -9,6 +9,9 @@ binder_call(vendor_telephony_debug_app, rild) # RIL property set_prop(vendor_telephony_debug_app, vendor_rild_prop) +allow vendor_telephony_debug_app hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_telephony_debug_app, servicemanager) + # Debug property set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop) From 5a7d99b4a3d2df87e1002bb8aaaac3603431d7e1 Mon Sep 17 00:00:00 2001 From: Sungwoo choi Date: Fri, 10 Nov 2023 12:22:04 +0900 Subject: [PATCH 04/50] sepolicy: sepolicy for dmd/sced AIDL HAL service declare a type of service hal_vendor_modem_logging_service : for modem logging hal_vendor_tcpdump_service : for tcpdump Enable AIDL for V requirement AVC log in b/281968564#comment208 and go/v-ril-hal-migration Bug: 281968564 Test: telephony function test Flag: EXEMPT HAL interface change Change-Id: I24374cdecd7c811ac80bb1b2670168c9cc15be31 
Signed-off-by: Sungwoo choi --- radio/dmd.te | 3 ++- radio/sced.te | 2 ++ radio/service.te | 5 ++++- radio/service_contexts | 5 ++++- radio/vendor_telephony_silentlogging_app.te | 2 ++ 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/radio/dmd.te b/radio/dmd.te index be820be..7ba947d 100644 --- a/radio/dmd.te +++ b/radio/dmd.te @@ -30,4 +30,5 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) -binder_call(dmd, liboemservice_proxy_default) +add_service(dmd, hal_vendor_modem_logging_service) +binder_call(dmd, servicemanager) diff --git a/radio/sced.te b/radio/sced.te index 2b08973..b8246f3 100644 --- a/radio/sced.te +++ b/radio/sced.te @@ -20,4 +20,6 @@ userdebug_or_eng(` allow sced vendor_slog_file:file create_file_perms; allow sced hidl_base_hwservice:hwservice_manager add; allow sced hal_vendor_oem_hwservice:hwservice_manager { add find }; + add_service(sced, hal_vendor_tcpdump_service) + binder_call(sced, servicemanager) ') diff --git a/radio/service.te b/radio/service.te index 112bc09..0db5b6e 100644 --- a/radio/service.te +++ b/radio/service.te @@ -1,3 +1,6 @@ # Define liboemservice_proxy_service. type liboemservice_proxy_service, hal_service_type, service_manager_type; -type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; \ No newline at end of file +type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; + +type hal_vendor_modem_logging_service, hal_service_type, protected_service, service_manager_type; +type hal_vendor_tcpdump_service, hal_service_type, protected_service, service_manager_type; diff --git a/radio/service_contexts b/radio/service_contexts index 162dd29..03cffd0 100644 --- a/radio/service_contexts +++ b/radio/service_contexts 
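Review bot: The radio/dmd.te hunk removes `binder_call(dmd, liboemservice_proxy_default)`, although the commit message only describes declaring the two new service types, and `liboemservice_proxy_service` stays declared in radio/service.te. If dmd still talks to the proxy, that call will be denied once this lands. If the proxy is being retired, say so in the description and drop its leftover type and service_contexts entry in the same change. Otherwise keep the removed line and add `add_service(dmd, hal_vendor_modem_logging_service)` after it.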
@@ -1,3 +1,6 @@ # DMD oemservice aidl proxy. com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 -vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 \ No newline at end of file +vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 +vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0 u:object_r:hal_vendor_modem_logging_service:s0 +vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm1 u:object_r:hal_vendor_modem_logging_service:s0 +vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/sced0 u:object_r:hal_vendor_tcpdump_service:s0 diff --git a/radio/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te index 583f408..1de0ea7 100644 --- a/radio/vendor_telephony_silentlogging_app.te +++ b/radio/vendor_telephony_silentlogging_app.te @@ -11,6 +11,8 @@ allow vendor_telephony_silentlogging_app app_api_service:service_manager find; allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find; binder_call(vendor_telephony_silentlogging_app, dmd) binder_call(vendor_telephony_silentlogging_app, sced) +allow vendor_telephony_silentlogging_app hal_vendor_modem_logging_service:service_manager find; +binder_call(vendor_telephony_silentlogging_app, servicemanager) userdebug_or_eng(` # Silent Logging From def1ba3ef0c68ffd4f0e7277ce7a754b979b1bfa Mon Sep 17 00:00:00 2001 
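Review bot: No domain in this patch is granted `find` on `hal_vendor_tcpdump_service`: the radio/vendor_telephony_silentlogging_app.te hunk adds `find` for `hal_vendor_modem_logging_service` only, although its context lines show the app calling both dmd and sced. If the app is meant to reach the `IOemService/sced0` instance over AIDL, it needs `allow vendor_telephony_silentlogging_app hal_vendor_tcpdump_service:service_manager find;`, best placed inside the `userdebug_or_eng` block, since radio/sced.te only registers the service there. If there is no client yet, the type and its service_contexts entry are unused on user builds and could be deferred. The `userdebug_or_eng` block at the end of this hunk continues outside it.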
From: Pechetty Sravani Date: Mon, 1 Jul 2024 06:10:59 +0000 Subject: [PATCH 05/50] Revert "sepolicy: sepolicy for dmd/sced AIDL HAL service" Revert submission 27917806-v_hal_migration_phase3 Reason for revert: Droidmonitor created revert due to b/350390759. Will be verifying through ABTD before submission. Reverted changes: /q/submissionid:27917806-v_hal_migration_phase3 Change-Id: I8ce8e60548c03556fb7c28e592d911809399e054 --- radio/dmd.te | 3 +-- radio/sced.te | 2 -- radio/service.te | 5 +---- radio/service_contexts | 5 +---- radio/vendor_telephony_silentlogging_app.te | 2 -- 5 files changed, 3 insertions(+), 14 deletions(-) diff --git a/radio/dmd.te b/radio/dmd.te index 7ba947d..be820be 100644 --- a/radio/dmd.te +++ b/radio/dmd.te @@ -30,5 +30,4 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) -add_service(dmd, hal_vendor_modem_logging_service) -binder_call(dmd, servicemanager) +binder_call(dmd, liboemservice_proxy_default) diff --git a/radio/sced.te b/radio/sced.te index b8246f3..2b08973 100644 --- a/radio/sced.te +++ b/radio/sced.te @@ -20,6 +20,4 @@ userdebug_or_eng(` allow sced vendor_slog_file:file create_file_perms; allow sced hidl_base_hwservice:hwservice_manager add; allow sced hal_vendor_oem_hwservice:hwservice_manager { add find }; - add_service(sced, hal_vendor_tcpdump_service) - binder_call(sced, servicemanager) ') diff --git a/radio/service.te b/radio/service.te index 0db5b6e..112bc09 100644 --- a/radio/service.te +++ b/radio/service.te 
@@ -1,6 +1,3 @@ # Define liboemservice_proxy_service. type liboemservice_proxy_service, hal_service_type, service_manager_type; -type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; - -type hal_vendor_modem_logging_service, hal_service_type, protected_service, service_manager_type; -type hal_vendor_tcpdump_service, hal_service_type, protected_service, service_manager_type; +type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; \ No newline at end of file diff --git a/radio/service_contexts b/radio/service_contexts index 03cffd0..162dd29 100644 --- a/radio/service_contexts +++ b/radio/service_contexts @@ -1,6 +1,3 @@ # DMD oemservice aidl proxy. com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 -vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 -vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0 u:object_r:hal_vendor_modem_logging_service:s0 -vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm1 u:object_r:hal_vendor_modem_logging_service:s0 -vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/sced0 u:object_r:hal_vendor_tcpdump_service:s0 +vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 \ No newline at end of file diff --git a/radio/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te index 1de0ea7..583f408 100644 --- a/radio/vendor_telephony_silentlogging_app.te +++ b/radio/vendor_telephony_silentlogging_app.te 
@@ -11,8 +11,6 @@ allow vendor_telephony_silentlogging_app app_api_service:service_manager find; allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find; binder_call(vendor_telephony_silentlogging_app, dmd) binder_call(vendor_telephony_silentlogging_app, sced) -allow vendor_telephony_silentlogging_app hal_vendor_modem_logging_service:service_manager find; -binder_call(vendor_telephony_silentlogging_app, servicemanager) userdebug_or_eng(` # Silent Logging From 01d2c24a52e8e332ccbbc8048c7a2d319c29cb8e Mon Sep 17 00:00:00 2001 From: Pechetty Sravani Date: Mon, 1 Jul 2024 06:10:59 +0000 Subject: [PATCH 06/50] Revert "sepolicy: declare hal_vendor_radio_external_service" Revert submission 27917806-v_hal_migration_phase3 Reason for revert: Droidmonitor created revert due to b/350390759. Will be verifying through ABTD before submission. Reverted changes: /q/submissionid:27917806-v_hal_migration_phase3 Change-Id: I58c1591607808e8ab152c759264186411641ecf5 --- legacy/zuma/vendor/hal_secure_element_uicc.te | 2 -- radio/bipchmgr.te | 2 -- radio/oemrilservice_app.te | 3 --- radio/radio.te | 2 -- radio/rild.te | 1 - radio/service.te | 3 +-- radio/service_contexts | 3 +-- radio/vendor_engineermode_app.te | 2 -- radio/vendor_ims_app.te | 2 -- radio/vendor_satellite_service.te | 4 +--- radio/vendor_telephony_debug_app.te | 3 --- 11 files changed, 3 insertions(+), 24 deletions(-) diff --git a/legacy/zuma/vendor/hal_secure_element_uicc.te b/legacy/zuma/vendor/hal_secure_element_uicc.te index 96cbf18..8cd1cb3 100644 --- a/legacy/zuma/vendor/hal_secure_element_uicc.te +++ b/legacy/zuma/vendor/hal_secure_element_uicc.te 
@@ -10,5 +10,3 @@ crash_dump_fallback(hal_secure_element_uicc) # Allow hal_secure_element_uicc to access rild binder_call(hal_secure_element_uicc, rild); allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find; -allow hal_secure_element_uicc hal_vendor_radio_external_service:service_manager find; -binder_call(hal_secure_element_uicc, servicemanager) diff --git a/radio/bipchmgr.te b/radio/bipchmgr.te index 3e07f0f..9298e32 100644 --- a/radio/bipchmgr.te +++ b/radio/bipchmgr.te @@ -7,5 +7,3 @@ get_prop(bipchmgr, hwservicemanager_prop); allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find; hwbinder_use(bipchmgr) binder_call(bipchmgr, rild) -allow bipchmgr hal_vendor_radio_external_service:service_manager find; -binder_call(bipchmgr, servicemanager) diff --git a/radio/oemrilservice_app.te b/radio/oemrilservice_app.te index f52e433..b055dbe 100644 --- a/radio/oemrilservice_app.te +++ b/radio/oemrilservice_app.te @@ -7,6 +7,3 @@ allow oemrilservice_app radio_service:service_manager find; binder_call(oemrilservice_app, rild) set_prop(oemrilservice_app, vendor_rild_prop) - -allow oemrilservice_app hal_vendor_radio_external_service:service_manager find; -binder_call(oemrilservice_app, servicemanager) diff --git a/radio/radio.te b/radio/radio.te index d50a5e8..721e018 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -7,5 +7,3 @@ allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; allow radio aoc_device:chr_file rw_file_perms; allow radio scheduling_policy_service:service_manager find; -allow radio hal_vendor_radio_external_service:service_manager find; -binder_call(radio, servicemanager) diff --git a/radio/rild.te b/radio/rild.te index 80582d9..535a6b4 100644 --- a/radio/rild.te +++ b/radio/rild.te 
@@ -37,7 +37,6 @@ crash_dump_fallback(rild) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) -add_service(rild, hal_vendor_radio_external_service) # Allow rild to access files on modem img. allow rild modem_img_file:dir r_dir_perms; diff --git a/radio/service.te b/radio/service.te index 112bc09..349e658 100644 --- a/radio/service.te +++ b/radio/service.te @@ -1,3 +1,2 @@ # Define liboemservice_proxy_service. -type liboemservice_proxy_service, hal_service_type, service_manager_type; -type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; \ No newline at end of file +type liboemservice_proxy_service, hal_service_type, service_manager_type; \ No newline at end of file diff --git a/radio/service_contexts b/radio/service_contexts index 162dd29..d463150 100644 --- a/radio/service_contexts +++ b/radio/service_contexts @@ -1,3 +1,2 @@ # DMD oemservice aidl proxy. -com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 -vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 \ No newline at end of file +com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 \ No newline at end of file diff --git a/radio/vendor_engineermode_app.te b/radio/vendor_engineermode_app.te index 83baa8b..d35403a 100644 --- a/radio/vendor_engineermode_app.te +++ b/radio/vendor_engineermode_app.te @@ -5,8 +5,6 @@ binder_call(vendor_engineermode_app, rild) allow vendor_engineermode_app app_api_service:service_manager find; allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find; -allow vendor_engineermode_app hal_vendor_radio_external_service:service_manager find; -binder_call(vendor_engineermode_app, servicemanager) userdebug_or_eng(` dontaudit vendor_engineermode_app default_prop:file r_file_perms; 
diff --git a/radio/vendor_ims_app.te b/radio/vendor_ims_app.te index 187d369..b0aba05 100644 --- a/radio/vendor_ims_app.te +++ b/radio/vendor_ims_app.te @@ -21,5 +21,3 @@ get_prop(vendor_ims_app, vendor_imssvc_prop) userdebug_or_eng(` get_prop(vendor_ims_app, vendor_ims_tiss_prop) ') -allow vendor_ims_app hal_vendor_radio_external_service:service_manager find; -binder_call(vendor_ims_app, servicemanager) diff --git a/radio/vendor_satellite_service.te b/radio/vendor_satellite_service.te index 392a28c..f6a1fa2 100644 --- a/radio/vendor_satellite_service.te +++ b/radio/vendor_satellite_service.te @@ -3,6 +3,4 @@ type vendor_satellite_service, domain; app_domain(vendor_satellite_service); allow vendor_satellite_service app_api_service:service_manager find; allow vendor_satellite_service hal_exynos_rild_hwservice:hwservice_manager find; -binder_call(vendor_satellite_service, rild) -allow vendor_satellite_service hal_vendor_radio_external_service:service_manager find; -binder_call(vendor_satellite_service, servicemanager) \ No newline at end of file +binder_call(vendor_satellite_service, rild) \ No newline at end of file diff --git a/radio/vendor_telephony_debug_app.te b/radio/vendor_telephony_debug_app.te index 3c10e0b..539fffc 100644 --- a/radio/vendor_telephony_debug_app.te +++ b/radio/vendor_telephony_debug_app.te @@ -9,9 +9,6 @@ binder_call(vendor_telephony_debug_app, rild) # RIL property set_prop(vendor_telephony_debug_app, vendor_rild_prop) -allow vendor_telephony_debug_app hal_vendor_radio_external_service:service_manager find; -binder_call(vendor_telephony_debug_app, servicemanager) - # Debug property set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop) From fd96edd330937c39536e57a9b49330a4af3a9e42 Mon Sep 17 00:00:00 2001 
From: Pechetty Sravani Date: Mon, 1 Jul 2024 06:10:59 +0000 Subject: [PATCH 07/50] Revert "sepolicy: add rules for using aidl from RCS Service" Revert submission 27917806-v_hal_migration_phase3 Reason for revert: Droidmonitor created revert due to b/350390759. Will be verifying through ABTD before submission. Reverted changes: /q/submissionid:27917806-v_hal_migration_phase3 Change-Id: I6a91a1caee3f4e506d3dd2cfad48ceaa07731409 --- radio/vendor_rcs_app.te | 1 - 1 file changed, 1 deletion(-) diff --git a/radio/vendor_rcs_app.te b/radio/vendor_rcs_app.te index 07d1486..37cadef 100644 --- a/radio/vendor_rcs_app.te +++ b/radio/vendor_rcs_app.te @@ -5,6 +5,5 @@ net_domain(vendor_rcs_app) allow vendor_rcs_app app_api_service:service_manager find; allow vendor_rcs_app radio_service:service_manager find; allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find; -allow vendor_rcs_app hal_vendor_radio_external_service:service_manager find; binder_call(vendor_rcs_app, rild) From 1a213269f8a4ec70705e9e4d2c1af7ab0650460d Mon Sep 17 00:00:00 2001 From: Tim Lin Date: Mon, 1 Jul 2024 06:46:27 +0000 Subject: [PATCH 08/50] Revert^2 "sepolicy: add rules for using aidl from RCS Service" Enable AIDL for V requirement AVC log in b/281968564#comment208 and go/v-ril-hal-migration Forrest build result in go/v-ril-hal-migration Bug: 281968564 Test: telephony function test Flag: EXEMPT HAL interface change fd96edd330937c39536e57a9b49330a4af3a9e42 Change-Id: Iab4e71a06e28fd10ae0a636b9dd38b346309f193 --- radio/vendor_rcs_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/vendor_rcs_app.te b/radio/vendor_rcs_app.te index 37cadef..07d1486 100644 --- a/radio/vendor_rcs_app.te +++ b/radio/vendor_rcs_app.te 
@@ -5,5 +5,6 @@ net_domain(vendor_rcs_app) allow vendor_rcs_app app_api_service:service_manager find; allow vendor_rcs_app radio_service:service_manager find; allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find; +allow vendor_rcs_app hal_vendor_radio_external_service:service_manager find; binder_call(vendor_rcs_app, rild) From 3950f529e1ce00584b09ee36f103f4d0b5df9b96 Mon Sep 17 00:00:00 2001 From: Tim Lin Date: Mon, 1 Jul 2024 06:46:27 +0000 Subject: [PATCH 09/50] Revert^2 "sepolicy: declare hal_vendor_radio_external_service" Enable AIDL for V requirement AVC log in b/281968564#comment208 and go/v-ril-hal-migration Forrest build result in go/v-ril-hal-migration Bug: 281968564 Test: telephony function test Flag: EXEMPT HAL interface change 01d2c24a52e8e332ccbbc8048c7a2d319c29cb8e Change-Id: I7ed8d164b90cb035535f27d076f4ed1f2656d623 --- legacy/zuma/vendor/hal_secure_element_uicc.te | 2 ++ radio/bipchmgr.te | 2 ++ radio/oemrilservice_app.te | 3 +++ radio/radio.te | 2 ++ radio/rild.te | 1 + radio/service.te | 3 ++- radio/service_contexts | 3 ++- radio/vendor_engineermode_app.te | 2 ++ radio/vendor_ims_app.te | 2 ++ radio/vendor_satellite_service.te | 4 +++- radio/vendor_telephony_debug_app.te | 3 +++ 11 files changed, 24 insertions(+), 3 deletions(-) diff --git a/legacy/zuma/vendor/hal_secure_element_uicc.te b/legacy/zuma/vendor/hal_secure_element_uicc.te index 8cd1cb3..96cbf18 100644 --- a/legacy/zuma/vendor/hal_secure_element_uicc.te +++ b/legacy/zuma/vendor/hal_secure_element_uicc.te @@ -10,3 +10,5 @@ crash_dump_fallback(hal_secure_element_uicc) # Allow hal_secure_element_uicc to access rild binder_call(hal_secure_element_uicc, rild); allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find; +allow hal_secure_element_uicc hal_vendor_radio_external_service:service_manager find; +binder_call(hal_secure_element_uicc, servicemanager) diff --git a/radio/bipchmgr.te b/radio/bipchmgr.te index 9298e32..3e07f0f 100644 
--- a/radio/bipchmgr.te +++ b/radio/bipchmgr.te @@ -7,3 +7,5 @@ get_prop(bipchmgr, hwservicemanager_prop); allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find; hwbinder_use(bipchmgr) binder_call(bipchmgr, rild) +allow bipchmgr hal_vendor_radio_external_service:service_manager find; +binder_call(bipchmgr, servicemanager) diff --git a/radio/oemrilservice_app.te b/radio/oemrilservice_app.te index b055dbe..f52e433 100644 --- a/radio/oemrilservice_app.te +++ b/radio/oemrilservice_app.te @@ -7,3 +7,6 @@ allow oemrilservice_app radio_service:service_manager find; binder_call(oemrilservice_app, rild) set_prop(oemrilservice_app, vendor_rild_prop) + +allow oemrilservice_app hal_vendor_radio_external_service:service_manager find; +binder_call(oemrilservice_app, servicemanager) diff --git a/radio/radio.te b/radio/radio.te index 721e018..d50a5e8 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -7,3 +7,5 @@ allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; allow radio aoc_device:chr_file rw_file_perms; allow radio scheduling_policy_service:service_manager find; +allow radio hal_vendor_radio_external_service:service_manager find; +binder_call(radio, servicemanager) diff --git a/radio/rild.te b/radio/rild.te index 535a6b4..80582d9 100644 --- a/radio/rild.te +++ b/radio/rild.te @@ -37,6 +37,7 @@ crash_dump_fallback(rild) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) +add_service(rild, hal_vendor_radio_external_service) # Allow rild to access files on modem img. allow rild modem_img_file:dir r_dir_perms; diff --git a/radio/service.te b/radio/service.te index 349e658..112bc09 100644 --- a/radio/service.te +++ b/radio/service.te 
@@ -1,2 +1,3 @@ # Define liboemservice_proxy_service. -type liboemservice_proxy_service, hal_service_type, service_manager_type; \ No newline at end of file +type liboemservice_proxy_service, hal_service_type, service_manager_type; +type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; \ No newline at end of file diff --git a/radio/service_contexts b/radio/service_contexts index d463150..162dd29 100644 --- a/radio/service_contexts +++ b/radio/service_contexts @@ -1,2 +1,3 @@ # DMD oemservice aidl proxy. -com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 \ No newline at end of file +com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 +vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 \ No newline at end of file diff --git a/radio/vendor_engineermode_app.te b/radio/vendor_engineermode_app.te index d35403a..83baa8b 100644 --- a/radio/vendor_engineermode_app.te +++ b/radio/vendor_engineermode_app.te @@ -5,6 +5,8 @@ binder_call(vendor_engineermode_app, rild) allow vendor_engineermode_app app_api_service:service_manager find; allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find; +allow vendor_engineermode_app hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_engineermode_app, servicemanager) userdebug_or_eng(` dontaudit vendor_engineermode_app default_prop:file r_file_perms; diff --git a/radio/vendor_ims_app.te b/radio/vendor_ims_app.te index b0aba05..187d369 100644 --- a/radio/vendor_ims_app.te +++ b/radio/vendor_ims_app.te @@ -21,3 +21,5 @@ get_prop(vendor_ims_app, vendor_imssvc_prop) userdebug_or_eng(` get_prop(vendor_ims_app, vendor_ims_tiss_prop) ') +allow vendor_ims_app hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_ims_app, servicemanager) 
diff --git a/radio/vendor_satellite_service.te b/radio/vendor_satellite_service.te index f6a1fa2..392a28c 100644 --- a/radio/vendor_satellite_service.te +++ b/radio/vendor_satellite_service.te @@ -3,4 +3,6 @@ type vendor_satellite_service, domain; app_domain(vendor_satellite_service); allow vendor_satellite_service app_api_service:service_manager find; allow vendor_satellite_service hal_exynos_rild_hwservice:hwservice_manager find; -binder_call(vendor_satellite_service, rild) \ No newline at end of file +binder_call(vendor_satellite_service, rild) +allow vendor_satellite_service hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_satellite_service, servicemanager) \ No newline at end of file diff --git a/radio/vendor_telephony_debug_app.te b/radio/vendor_telephony_debug_app.te index 539fffc..3c10e0b 100644 --- a/radio/vendor_telephony_debug_app.te +++ b/radio/vendor_telephony_debug_app.te @@ -9,6 +9,9 @@ binder_call(vendor_telephony_debug_app, rild) # RIL property set_prop(vendor_telephony_debug_app, vendor_rild_prop) +allow vendor_telephony_debug_app hal_vendor_radio_external_service:service_manager find; +binder_call(vendor_telephony_debug_app, servicemanager) + # Debug property set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop) From 45cf6e8e26ecdf1748a45df39ffc8e2ec1e0587a Mon Sep 17 00:00:00 2001 
From: Tim Lin Date: Mon, 1 Jul 2024 06:46:27 +0000 Subject: [PATCH 10/50] Revert^2 "sepolicy: sepolicy for dmd/sced AIDL HAL service" Enable AIDL for V requirement AVC log in b/281968564#comment208 and go/v-ril-hal-migration Forrest build result in go/v-ril-hal-migration Bug: 281968564 Test: telephony function test Flag: EXEMPT HAL interface change def1ba3ef0c68ffd4f0e7277ce7a754b979b1bfa Change-Id: If2c811627e6c85220a965d248a87e81a3a193dd0 --- radio/dmd.te | 3 ++- radio/sced.te | 2 ++ radio/service.te | 5 ++++- radio/service_contexts | 5 ++++- radio/vendor_telephony_silentlogging_app.te | 2 ++ 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/radio/dmd.te b/radio/dmd.te index be820be..7ba947d 100644 --- a/radio/dmd.te +++ b/radio/dmd.te @@ -30,4 +30,5 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) -binder_call(dmd, liboemservice_proxy_default) +add_service(dmd, hal_vendor_modem_logging_service) +binder_call(dmd, servicemanager) diff --git a/radio/sced.te b/radio/sced.te index 2b08973..b8246f3 100644 --- a/radio/sced.te +++ b/radio/sced.te @@ -20,4 +20,6 @@ userdebug_or_eng(` allow sced vendor_slog_file:file create_file_perms; allow sced hidl_base_hwservice:hwservice_manager add; allow sced hal_vendor_oem_hwservice:hwservice_manager { add find }; + add_service(sced, hal_vendor_tcpdump_service) + binder_call(sced, servicemanager) ') diff --git a/radio/service.te b/radio/service.te index 112bc09..0db5b6e 100644 --- a/radio/service.te +++ b/radio/service.te 
@@ -1,3 +1,6 @@ # Define liboemservice_proxy_service. type liboemservice_proxy_service, hal_service_type, service_manager_type; -type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; \ No newline at end of file +type hal_vendor_radio_external_service, hal_service_type, protected_service, service_manager_type; + +type hal_vendor_modem_logging_service, hal_service_type, protected_service, service_manager_type; +type hal_vendor_tcpdump_service, hal_service_type, protected_service, service_manager_type; diff --git a/radio/service_contexts b/radio/service_contexts index 162dd29..03cffd0 100644 --- a/radio/service_contexts +++ b/radio/service_contexts @@ -1,3 +1,6 @@ # DMD oemservice aidl proxy. com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0 -vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 \ No newline at end of file +vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default u:object_r:hal_vendor_radio_external_service:s0 +vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm0 u:object_r:hal_vendor_modem_logging_service:s0 +vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/dm1 u:object_r:hal_vendor_modem_logging_service:s0 +vendor.samsung_slsi.telephony.hardware.oemservice.IOemService/sced0 u:object_r:hal_vendor_tcpdump_service:s0 diff --git a/radio/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te index 583f408..1de0ea7 100644 --- a/radio/vendor_telephony_silentlogging_app.te +++ b/radio/vendor_telephony_silentlogging_app.te 
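Review bot: The two types added to service.te have no comment, while the first type in the file is introduced with `# Define liboemservice_proxy_service.`. Suggested comments are `# AIDL IOemService instances registered by dmd (dm0, dm1).` above `hal_vendor_modem_logging_service` and `# AIDL IOemService instance registered by sced (userdebug/eng only).` above `hal_vendor_tcpdump_service`. The second comment matters because the type and its service_contexts entry are unconditional while the matching `add_service` in sced.te sits inside `userdebug_or_eng`, which is easy to miss when reading this file alone.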
@@ -11,6 +11,8 @@ allow vendor_telephony_silentlogging_app app_api_service:service_manager find; allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find; binder_call(vendor_telephony_silentlogging_app, dmd) binder_call(vendor_telephony_silentlogging_app, sced) +allow vendor_telephony_silentlogging_app hal_vendor_modem_logging_service:service_manager find; +binder_call(vendor_telephony_silentlogging_app, servicemanager) userdebug_or_eng(` # Silent Logging From 8a2f931739828185c099d3be71f381fed0b6bd9c Mon Sep 17 00:00:00 2001 From: Madhav Iyengar Date: Tue, 2 Jul 2024 00:24:06 +0000 Subject: [PATCH 11/50] Extend ag/28090723 to zumapro. ag/28090723 missed giving the bthal access to AoC version for zumapro devices as well as zuma devices. This fixes that. Bug: 349661931 Flag: com.android.bluetooth.hal.flags.pixel_bt_aoc_offload_efw_xport Test: bthal on zumapro can read AoC version property Change-Id: Iec6558630f7cbac7dc83bd621a9d8dbcd9bed000 --- legacy/zuma/vendor/hal_bluetooth_btlinux.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/legacy/zuma/vendor/hal_bluetooth_btlinux.te b/legacy/zuma/vendor/hal_bluetooth_btlinux.te index c496ea0..cb0e55a 100644 --- a/legacy/zuma/vendor/hal_bluetooth_btlinux.te +++ b/legacy/zuma/vendor/hal_bluetooth_btlinux.te @@ -7,3 +7,6 @@ allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) + +# Allow access for AoC properties. +get_prop(hal_bluetooth_btlinux, vendor_aoc_prop) From 8b0c2f2379d1c416109e845b055766c75ad39b06 Mon Sep 17 00:00:00 2001 
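Review bot: The silentlogging hunk grants `find` only on `hal_vendor_modem_logging_service`, yet the file keeps `binder_call(vendor_telephony_silentlogging_app, sced)` and this commit registers `IOemService/sced0` under `hal_vendor_tcpdump_service`. No rule visible in this commit lets any client find that service. If the app is meant to reach sced over AIDL on debug builds, add `allow vendor_telephony_silentlogging_app hal_vendor_tcpdump_service:service_manager find;` inside the existing `userdebug_or_eng` block. If sced stays on the HIDL path for this client, a one-line comment saying so would prevent a later "fix". The file continues outside the hunk.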
From: Wilson Sung Date: Wed, 3 Jul 2024 01:56:07 +0000 Subject: [PATCH 12/50] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 350830429 Bug: 350830390 Test: scanBugreport Bug: 350830756 Bug: 350830411 Bug: 350830657 Bug: 350830132 Bug: 350830796 Test: scanAvcDeniedLogRightAfterReboot Bug: 350830879 Bug: 350830475 Bug: 350830680 Bug: 350830758 Change-Id: Id961fa8d79caea0bca4770beab722a4e1933f879 --- tracking_denials/bug_map | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a07f071..c13f5bf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,11 +4,22 @@ dumpstate image_processing_hal binder b/322916328 dumpstate image_processing_server binder b/322916328 hal_audio_default fwk_stats_service service_manager b/340369535 hal_audio_default traced_producer_socket sock_file b/340369535 +hal_bluetooth_btlinux vendor_default_prop property_service b/350830390 +hal_bluetooth_btlinux vendor_default_prop property_service b/350830756 +hal_bluetooth_btlinux vendor_default_prop property_service b/350830758 hal_gnss_default vendor_gps_prop file b/318310869 +hal_power_default hal_power_default capability b/350830411 +hal_wlcservice default_prop file b/350830657 +hal_wlcservice default_prop file b/350830879 incidentd incidentd anon_inode b/322917075 +pixelstats_vendor sysfs file b/350830132 +pixelstats_vendor sysfs file b/350830475 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 sctd vendor_persist_config_default_prop file b/309550514 +shell sysfs_net file b/338347525 spad spad unix_stream_socket b/309550905 swcnd swcnd unix_stream_socket b/309551062 -shell sysfs_net file b/338347525 +system_suspend sysfs_touch_gti dir b/350830429 +system_suspend sysfs_touch_gti dir b/350830680 +system_suspend sysfs_touch_gti dir b/350830796 From b3d863d5520308d2af21042b38075f321349f159 Mon Sep 17 00:00:00 2001 
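Review bot: Several added tuples are repeated under different bug numbers: `hal_bluetooth_btlinux vendor_default_prop property_service` and `system_suspend sysfs_touch_gti dir` appear three times each, `hal_wlcservice default_prop file` and `pixelstats_vendor sysfs file` twice. If the tooling keys on the (source, target, class) tuple, only one bug per tuple gets attributed, so one line per tuple with the other bugs closed as duplicates would be cleaner. Most of these denials target catch-all types (`vendor_default_prop`, `default_prop`, `sysfs`), which usually means the property or node has no specific label. The eventual fix for those should be a dedicated label in property_contexts or genfs_contexts, not an allow rule on the catch-all type.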
From: Jeremy DeHaan Date: Wed, 12 Jun 2024 16:33:59 -0700 Subject: [PATCH 13/50] Allow HWC to access frame_rate node Flag: EXEMPT bugfix Bug: 346461765 Change-Id: Id7b3195e76cdce3e612eb9c9d177af24145e70a2 Signed-off-by: Jeremy DeHaan --- vendor/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8887171..dca9d03 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -377,6 +377,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_rate_hz u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_option u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0 @@ -390,7 +391,6 @@ genfscon sysfs /devices/platform/hdcp/hdcp1_success_count genfscon sysfs /devices/platform/hdcp/hdcp1_fail_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp0_count u:object_r:sysfs_display:s0 - # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 From d5304a11449e1fdf9faf17dfee955b5c40fbb8be Mon Sep 17 00:00:00 2001 From: Jeremy DeHaan Date: Wed, 12 Jun 2024 16:33:59 -0700 Subject: [PATCH 14/50] Allow HWC to access frame_rate node Flag: EXEMPT bugfix Bug: 346461765 Change-Id: Id7b3195e76cdce3e612eb9c9d177af24145e70a2 
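Review bot: Labelling `frame_rate` as `sysfs_display` in the first hunk opens the node to every domain that holds permissions on that type, not only HWC as the subject line says. Elsewhere in this series `hal_power_default` has `rw_file_perms` on `sysfs_display:file`, so it would presumably gain write access to the node too. If that is intended, a short comment above the line such as `# frame_rate: read/written by HWC` documents it; if not, the node needs its own type. The same applies to the cherry-pick in PATCH 14/50.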
Signed-off-by: Jeremy DeHaan (cherry picked from commit b3d863d5520308d2af21042b38075f321349f159) --- vendor/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 343474f..9e58d07 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -364,6 +364,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_rate_hz u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_option u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0 @@ -377,7 +378,6 @@ genfscon sysfs /devices/platform/hdcp/hdcp1_success_count genfscon sysfs /devices/platform/hdcp/hdcp1_fail_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp0_count u:object_r:sysfs_display:s0 - # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 From d6b8239e73a40a036daaf7f7f152f4c4ba02f709 Mon Sep 17 00:00:00 2001 
From: Vishvam Mazumdar Date: Tue, 4 Jun 2024 18:22:19 +0000 Subject: [PATCH 15/50] Add SELinux policy to allow CPU Idle Histogram Stats in dumpstate. This change is to allow the CPU Idle Histogram Stats to be dumped in bugreports so that there is more insight into the idle behavior of devices in the field. Test: build/flash Test: adb bugreport Bug: 344908619 Flag: EXEMPT bugfix Change-Id: If19b9471cf91ddc6e16347e7a4ea18d3298783d5 Signed-off-by: Vishvam Mazumdar --- vendor/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 31066c0..dc09ffb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -462,3 +462,7 @@ genfscon sysfs /devices/platform/ete7 u:object_r:sysfs_devices_cs_etm:s0 # Privacy LED genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:object_r:sysfs_leds:s0 + +# CPU +genfscon sysfs /kernel/metrics/cpuidle_histogram/cpuidle_histogram u:object_r:sysfs_cpu:s0 +genfscon sysfs /kernel/metrics/cpuidle_histogram/cpucluster_histogram u:object_r:sysfs_cpu:s0 From 44db75e814da384927c76ee484f9ef01c691090d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Wed, 10 Jul 2024 22:20:52 +0000 Subject: [PATCH 16/50] Delete sepolicy for legacy VR services. None of the zumapro devices include these services. Bug: 234559097 Test: presubmit Flag: EXEMPT dead code removal Change-Id: Iad24884869a1abd5daed60ef032b3f6c016aaf2d --- system_ext/private/systemui_app.te | 1 - 1 file changed, 1 deletion(-) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 32bc9cf..c5d011d 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te 
@@ -10,7 +10,6 @@ allow systemui_app mediaserver_service:service_manager find; allow systemui_app mediaextractor_service:service_manager find; allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; -allow systemui_app vr_manager_service:service_manager find; allow systemui_app statsmanager_service:service_manager find; allow systemui_app nfc_service:service_manager find; allow systemui_app adb_service:service_manager find; From 3240bd79ed9f912b53d24a51677d0acc50770fdd Mon Sep 17 00:00:00 2001 From: Liana Kazanova Date: Thu, 11 Jul 2024 20:56:16 +0000 Subject: [PATCH 17/50] Revert "Delete sepolicy for legacy VR services." This reverts commit 44db75e814da384927c76ee484f9ef01c691090d. Reason for revert: Droidmonitor created revert due to b/352465601. Will be verifying through ABTD before submission Change-Id: I47918f16fbc5745758abf906017c68ef95a708f4 --- system_ext/private/systemui_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index c5d011d..32bc9cf 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -10,6 +10,7 @@ allow systemui_app mediaserver_service:service_manager find; allow systemui_app mediaextractor_service:service_manager find; allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; +allow systemui_app vr_manager_service:service_manager find; allow systemui_app statsmanager_service:service_manager find; allow systemui_app nfc_service:service_manager find; allow systemui_app adb_service:service_manager find; From 6d465a909902e51ff7bd170200664ae070c7eea6 Mon Sep 17 00:00:00 2001 
From: Cheng Gu Date: Mon, 15 Jul 2024 04:56:47 +0000 Subject: [PATCH 18/50] Update tracking_denials/bug_map. Removes denial tracking of b/322916328. Fix: 322916328 Test: none Flag: EXEMPT bugfix Change-Id: Ib16f0897f3a438fe147a0919897163407b857443 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c13f5bf..33b31d8 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,7 +1,5 @@ dump_display sysfs file b/322917055 -dumpstate image_processing_hal binder b/322916328 -dumpstate image_processing_server binder b/322916328 hal_audio_default fwk_stats_service service_manager b/340369535 hal_audio_default traced_producer_socket sock_file b/340369535 hal_bluetooth_btlinux vendor_default_prop property_service b/350830390 From a03bdd961ab930c10d96139bc82a8ef0b3e66f31 Mon Sep 17 00:00:00 2001 From: Mike McTernan Date: Mon, 15 Jul 2024 10:41:49 +0100 Subject: [PATCH 19/50] trusty: storageproxy: add fs_ready_rw property context Flag: EXEMPT bug fix Bug: 350362101 Test: ABTD Change-Id: I6c5f4a550b00f4a2de03e6313448a4918ac4a425 --- vendor/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index c3402ac..975f856 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -11,6 +11,7 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 +ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 # Camera vendor.camera. u:object_r:vendor_camera_prop:s0 From 0df50bf1827bff508310846823742b8ed77658b1 Mon Sep 17 00:00:00 2001 
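Review bot: The added `ro.vendor.trusty.storage.fs_ready_rw` line in property_contexts looks redundant as written, because entries without the `exact` keyword are prefix matches. The existing `ro.vendor.trusty.storage.fs_ready` entry shows no `exact` in this hunk, so it already covers `fs_ready_rw` with the same `vendor_trusty_storage_prop` label. If the intent is to pin both names, mark both entries `exact` with the property's value type; otherwise the new line can be dropped. As it stands the file suggests the two properties are labelled independently when they are not.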
From: Martin Liu Date: Thu, 11 Jul 2024 17:03:12 +0000 Subject: [PATCH 20/50] allow power hal to access vendor_mm files I auditd : type=1400 audit(0.0:79): avc: denied { write } for comm="NodeLooperThrea" name="vendor_mm" dev="sysfs" ino=56518 scontext=u:r:hal_power_default:s0 tcontext=u:object_r:sysfs_vendor_mm:s0 tclass=dir permissive=0 Bug: 351708752 Test: check avc error Flag: EXEMPT adding avc rule Change-Id: Ibcc22d3157c0108dfc879b906fd500e13628d293 Signed-off-by: Martin Liu --- legacy/zuma/vendor/hal_power_default.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/legacy/zuma/vendor/hal_power_default.te b/legacy/zuma/vendor/hal_power_default.te index bb86aad..4cf7821 100644 --- a/legacy/zuma/vendor/hal_power_default.te +++ b/legacy/zuma/vendor/hal_power_default.te @@ -4,4 +4,5 @@ allow hal_power_default sysfs_camera:file rw_file_perms; allow hal_power_default sysfs_em_profile:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; allow hal_power_default sysfs_trusty:file rw_file_perms; -set_prop(hal_power_default, vendor_camera_prop); \ No newline at end of file +set_prop(hal_power_default, vendor_camera_prop); +allow hal_power_default sysfs_vendor_mm:file rw_file_perms; From 55bd5b089dac75e483abf346f9c0b5ee603afd74 Mon Sep 17 00:00:00 2001 From: Mike McTernan Date: Mon, 15 Jul 2024 16:20:36 +0100 Subject: [PATCH 21/50] sepolicy:tracking_denials: add btlinux vendor_aoc_prop Flag: EXEMPT bug fix Bug: 353262026 Test: ABTD Change-Id: I28a9e49eab75087aa424af1fd2cc5ead28285a2b --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 33b31d8..1ef48e4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
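Review bot: The rule added to hal_power_default.te, `allow hal_power_default sysfs_vendor_mm:file rw_file_perms;`, does not match the denial quoted in the description. That denial is `{ write }` on `name="vendor_mm"` with `tclass=dir`, and a `file` rule does not cover an access check on class `dir`. Please confirm on a device that the logged denial is gone with only this rule. If the HAL only opens attribute files under that directory, the description should quote the file-class denial that motivated the rule.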
@@ -5,6 +5,7 @@ hal_audio_default traced_producer_socket sock_file b/340369535 hal_bluetooth_btlinux vendor_default_prop property_service b/350830390 hal_bluetooth_btlinux vendor_default_prop property_service b/350830756 hal_bluetooth_btlinux vendor_default_prop property_service b/350830758 +hal_bluetooth_btlinux vendor_aoc_prop file b/353262026 hal_gnss_default vendor_gps_prop file b/318310869 hal_power_default hal_power_default capability b/350830411 hal_wlcservice default_prop file b/350830657 From c7854c06ea72fc5c6c383ad250527c2bd3cc9ad7 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 16 Jul 2024 06:04:09 +0000 Subject: [PATCH 22/50] Update SELinux error Test: scanBugreport Bug: 353418158 Test: scanAvcDeniedLogRightAfterReboot Bug: 353418189 Flag: EXEMPT bugfix Change-Id: I5ce38640b68ca64749b07fd04d79e444d82ce206 --- tracking_denials/bug_map | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 33b31d8..1aa95ac 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,6 @@ dump_display sysfs file b/322917055 +dump_power battery_history_device chr_file b/353418158 hal_audio_default fwk_stats_service service_manager b/340369535 hal_audio_default traced_producer_socket sock_file b/340369535 hal_bluetooth_btlinux vendor_default_prop property_service b/350830390 @@ -10,6 +11,10 @@ hal_power_default hal_power_default capability b/350830411 hal_wlcservice default_prop file b/350830657 hal_wlcservice default_prop file b/350830879 incidentd incidentd anon_inode b/322917075 +kernel sepolicy_file file b/353418189 +kernel system_bootstrap_lib_file dir b/353418189 +kernel system_bootstrap_lib_file file b/353418189 +kernel system_dlkm_file dir b/353418189 pixelstats_vendor sysfs file b/350830132 pixelstats_vendor sysfs file b/350830475 sctd sctd tcp_socket b/309550514 From d1ad140faf06f0ff60219f4645687a25f99f59d9 Mon Sep 17 00:00:00 2001 
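Review bot: The added `hal_bluetooth_btlinux vendor_aoc_prop file` entry tracks a denial that PATCH 11/50 of this series set out to remove with `get_prop(hal_bluetooth_btlinux, vendor_aoc_prop)` in legacy/zuma/vendor/hal_bluetooth_btlinux.te. If the denial still fires, that rule is presumably not part of the policy built for the affected device, and the right fix is to get it included, not to track the denial here. If the entry stays as a stopgap, the bug should record which policy directory the device actually builds from so the entry is removed once the rule takes effect.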
From: Roy Luo Date: Fri, 12 Jul 2024 01:14:10 +0000 Subject: [PATCH 23/50] Add xhci-hcd-exynos.7 wakeup paths for suspend service Bug: 334189230 Test: verified on device Change-Id: I0adcbe0bb1aff8ff4442c16bb733603ad8c012cf Signed-off-by: Roy Luo --- vendor/genfs_contexts | 3 +++ vendor/hal_usb_impl.te | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index dca9d03..2a2859c 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -103,6 +103,9 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/power_supply/dc-m genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-006e/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/power/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.7.auto/usb1 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.7.auto/usb2 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.7.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.8.auto/usb1 u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.8.auto/usb2 u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.8.auto/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 2ec4888..e882d28 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te 
@@ -26,3 +26,8 @@ allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; allow hal_usb_impl device:dir r_dir_perms; allow hal_usb_impl usb_device:chr_file rw_file_perms; allow hal_usb_impl usb_device:dir r_dir_perms; + +# For monitoring usb sysfs attributes +allow hal_usb_impl sysfs_wakeup:dir search; +allow hal_usb_impl sysfs_wakeup:file r_file_perms; + From 5ca93e9b6ce3f0f5737929c73e8eb854752e6d31 Mon Sep 17 00:00:00 2001 From: Munikrishna Date: Fri, 12 Jul 2024 07:27:16 +0000 Subject: [PATCH 24/50] sepolicy: add rules for using aidl from GRIL Service allow to find hal_vendor_radio_external_service Enable AIDL for V requirement AVC log in b/352465089#comment1 Flag: EXEMPT HAL interface change Bug: 341750446 Test: Physical device with atest GoogleRilServiceUnitTests Test: Physical device VoLTE,VoWiFi Call with handover verification on HIDL and AIDL. Test: Physical device RIL crash, modem crash HIDL/AIDL VoLTE,VoWiFi verification. Change-Id: I800a69d9fed026c340c2b3b935feac0e0eb38c1d --- radio/grilservice_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index cb4eec8..1b4f054 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -12,6 +12,7 @@ allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find; allow grilservice_app radio_vendor_data_file:dir create_dir_perms; allow grilservice_app radio_vendor_data_file:file create_file_perms; allow grilservice_app gril_antenna_tuning_service:service_manager find; +allow grilservice_app hal_vendor_radio_external_service:service_manager find; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) From 27b55923fba964984ab8d5c12e5da9d26e1d07e5 Mon Sep 17 00:00:00 2001 
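Review bot: `allow hal_usb_impl sysfs_wakeup:file r_file_perms;` in the hal_usb_impl.te hunk grants read on every node labelled `sysfs_wakeup`, which in genfs_contexts includes the charger and dwc3 wakeup paths as well as the xhci ones added here. The companion genfs hunk also labels the whole `usb1` and `usb2` directories as `sysfs_wakeup`, so ordinary USB attributes under them take that type. If the HAL only monitors attributes below the xhci host, a dedicated type for those paths would keep the grant narrow; if it has to enumerate child devices, `dir search` alone may not be enough and `r_dir_perms` would be needed. The subject line names the suspend service while the rule goes to hal_usb_impl, and the hunk adds a blank line at end of file.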
From: mikeyuewang Date: Fri, 2 Feb 2024 16:39:32 +0000 Subject: [PATCH 25/50] Add the selinux policy to allow the gril get/set vendor log properties. avc logs: 2024-07-17 06:00:41.024 8674-8674 binder:8674_1 com.google.android.grilservice W type=1400 audit(0.0:96): avc: denied { read } for name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=416 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 app=com.google.android.grilservice 2024-07-17 06:00:41.024 8674-8674 binder:8674_1 com.google.android.grilservice W type=1400 audit(0.0:97): avc: denied { read } for name="u:object_r:vendor_modem_prop:s0" dev="tmpfs" ino=418 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=file permissive=0 app=com.google.android.grilservice 2024-07-17 06:00:49.592 8674-8674 binder:8674_1 com.google.android.grilservice W type=1400 audit(0.0:99): avc: denied { write } for name="property_service" dev="tmpfs" ino=861 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 app=com.google.android.grilservice 2024-07-17 16:46:54.748 1-1 /system/bin/init init I type=1107 audit(0.0:103): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.verbose_logging_enabled pid=2152 uid=10238 gid=10238 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_logger_prop:s0 tclass=property_service permissive=1' 2024-07-17 16:49:33.256 1-1 /system/bin/init init I type=1107 audit(0.0:116): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.modem.extensive_logging_enabled pid=2152 uid=10238 gid=10238 scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=property_service permissive=1' Bug: 293947661 Change-Id: I4c7076c9b948c8bf99a71445b4632dcd0bcb3b0b --- 
radio/grilservice_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index cb4eec8..9db6c2b 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -22,3 +22,6 @@ hal_client_domain(grilservice_app, hal_power_stats) allow grilservice_app sysfs_irq:dir r_dir_perms; allow grilservice_app sysfs_irq:file r_file_perms; get_prop(grilservice_app, telephony_modemtype_prop) +# Set modem logging properties +set_prop(grilservice_app, vendor_logger_prop) +set_prop(grilservice_app, vendor_modem_prop) From 8d61b53a501590ee3fb003945342792bd1ed1558 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Wed, 17 Jul 2024 09:40:21 +0000 Subject: [PATCH 26/50] sepolicy: removes dump_power tracking denial avc: denied { read } for name="maxfg_history" dev="tmpfs" ino=1144 scontext=u:r:dump_power:s0 tcontext=u:object_r:battery_history_device:s0 tclass=chr_file permissive=0 Bug: 353418158 Test: atest-dev com.google.android.selinux.pts.SELinuxTest#scanBugreport => PASS Flag: EXEMPT bugfix Change-Id: Ie71eb273915eca6b38281a5f7a8a2b8a6bdcf4c8 Signed-off-by: Spade Lee --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f896307..aedcabd 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,5 @@ dump_display sysfs file b/322917055 -dump_power battery_history_device chr_file b/353418158 hal_audio_default fwk_stats_service service_manager b/340369535 hal_audio_default traced_producer_socket sock_file b/340369535 hal_bluetooth_btlinux vendor_default_prop property_service b/350830390 From 4c189644a959c5ed8d4271198c7c3f892f76a0af Mon Sep 17 00:00:00 2001 
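Review bot: The two `set_prop` lines added at the end of grilservice_app.te give the app write access to every property labelled `vendor_logger_prop` or `vendor_modem_prop`. The denials in the description name only `persist.vendor.verbose_logging_enabled` and `persist.vendor.modem.extensive_logging_enabled`. Please check what else carries those two types in property_contexts; if they hold more than logging toggles, a narrower type for these two properties would keep the app from changing unrelated modem settings. Since the properties are `persist.` and switch on verbose modem logging, the comment should say who is expected to flip them, e.g. `# Set modem logging properties (user-initiated from GRIL debug UI)` if that is the case.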
From: gilliu Date: Wed, 5 Jun 2024 04:00:36 +0000 Subject: [PATCH 27/50] add hal_graphics_composer to access thermal temperature type=1400 audit(0.0:77): avc: denied { search } for name="thermal" dev="tmpfs" ino=1618 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=0 type=1400 audit(0.0:74): avc: denied { search } for name="thermal" dev="sysfs" ino=21594 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 type=1400 audit(0.0:74): avc: denied { read } for name="temp" dev="sysfs" ino=73536 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 type=1400 audit(0.0:74): avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone12/temp" dev="sysfs" ino=73537 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 340846691 Test: check no avc pattern on logcat from test image Flag: NONE add permission Change-Id: I0f327b98e32627e00be4cc0d0a99be39d1ec3bf2 --- vendor/hal_graphics_composer_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 39dc7ee..893a34e 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te @@ -44,6 +44,9 @@ allow hal_graphics_composer_default vendor_log_file:dir search; # allow HWC to access powerstats allow hal_graphics_composer_default hal_power_stats_vendor_service:service_manager find; +allow hal_graphics_composer_default thermal_link_device:dir search; +allow hal_graphics_composer_default sysfs_thermal:dir search; +allow hal_graphics_composer_default sysfs_thermal:file r_file_perms; binder_call(hal_graphics_composer_default, hal_power_stats_default) # allow HWC to access IStats AIDL From c4ee95638ef373f13e883dbc7e68250fc0cd5d49 Mon Sep 17 00:00:00 2001 
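Review bot: The three thermal rules are inserted between the powerstats `find` rule and its `binder_call(hal_graphics_composer_default, hal_power_stats_default)`, so they split that group and read as if they belonged to `# allow HWC to access powerstats`. Moving them below the `binder_call` under their own heading, e.g. `# allow HWC to read thermal zone temperature`, would fix that. `sysfs_thermal:file r_file_perms` covers every thermal sysfs file, while the quoted denials are all for a single `temp` node; that is probably acceptable for a read-only grant but worth a word in the comment. The file continues outside the hunk.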
From: Daniel Chapin Date: Wed, 24 Jul 2024 20:17:20 +0000 Subject: [PATCH 28/50] Revert "trusty: storageproxy: add fs_ready_rw property context" Revert submission 28318041-rw_storage Reason for revert: Droidfood blocking bug b/355163562 Reverted changes: /q/submissionid:28318041-rw_storage Change-Id: I288409c06c81b9e4be8f5af40f0afdc37e7f091e --- vendor/property_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/vendor/property_contexts b/vendor/property_contexts index 975f856..c3402ac 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -11,7 +11,6 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 -ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 # Camera vendor.camera. u:object_r:vendor_camera_prop:s0 From dd5b70f3782636faee3354c4ee6604ee1989d9d7 Mon Sep 17 00:00:00 2001 
From: Carlos Rodriguez Date: Mon, 8 Jul 2024 22:24:03 +0000 Subject: [PATCH 29/50] DisplayPort Stats: add sysfs access permission on Zumapro devices 07-25 14:13:16.736 5784 5784 W pixelstats-vend: type=1400 audit(0.0:21): avc: denied { read } for name="fec_dsc_supported" dev="sysfs" ino=82516 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-25 14:13:16.736 5784 5784 W pixelstats-vend: type=1400 audit(0.0:22): avc: denied { read } for name="fec_dsc_not_supported" dev="sysfs" ino=82517 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-25 14:13:16.736 5784 5784 W pixelstats-vend: type=1400 audit(0.0:23): avc: denied { read } for name="max_res_other" dev="sysfs" ino=82515 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 07-25 14:13:16.736 5784 5784 W pixelstats-vend: type=1400 audit(0.0:24): avc: denied { read } for name="max_res_1366_768" dev="sysfs" ino=82505 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 343602691 Bug: 317486088 Flag: EXEMPT bugfix Test: Android built and flashed and error is gone Change-Id: I594536581ea468d40c9153bdc1bdd6b1ab7282fd --- tracking_denials/bug_map | 2 -- vendor/genfs_contexts | 13 +++++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f896307..de2e5d1 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -16,8 +16,6 @@ kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file file b/353418189 kernel system_dlkm_file dir b/353418189 -pixelstats_vendor sysfs file b/350830132 -pixelstats_vendor sysfs file b/350830475 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 sctd vendor_persist_config_default_prop file b/309550514 
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 697c24f..2ecd039 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -384,9 +384,22 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_rate genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/fec_dsc_not_supported u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/fec_dsc_supported u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_invalid_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/sink_count_invalid_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_unstable_failures u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_other u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1366_768 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1440_900 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1600_900 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_1920_1080 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_2560_1080 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_2560_1440 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_3440_1440 u:object_r:sysfs_display:s0 
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_3840_2160 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_5120_2880 u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/max_res_7680_4320 u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp2_success_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp2_fallback_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count u:object_r:sysfs_display:s0 From cb18bb48d55097c0fd86d2be6055528c2a82a926 Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Mon, 5 Aug 2024 13:12:19 +0200 Subject: [PATCH 30/50] trusty: Allow linking/read tdp and td Background: * storageproxyd needs to be able to create and read symlinks associated with TDP and TD. 08-07 08:13:44.868 750 750 W binder:750_2: type=1400 audit(0.0:18): avc: denied { create } for name="0" scontext=u:r:tee:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=lnk_file permissive=0 08-07 07:35:19.396 755 755 W binder:755_2: type=1400 audit(0.0:7): avc: denied { read } for name="0" dev="sda1" ino=15 scontext=u:r:tee:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=lnk_file permissive=0 08-07 08:34:24.956 742 742 W binder:742_2: type=1400 audit(0.0:8): avc: denied { read } for name="persist" dev="dm-52" ino=406 scontext=u:r:tee:s0 tcontext=u:object_r:tee_data_file:s0 tclass=lnk_file permissive=0 Flag: EXEMPT resource only update Bug: 357815590 Test: Tested by purging device and verifying fresh device Change-Id: Ib239534bfb28d05de14095e84961ff0f84cde68d Signed-off-by: Donnie Pollitz --- vendor/tee.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/tee.te b/vendor/tee.te index 0a6139b..a4153be 100644 --- a/vendor/tee.te +++ b/vendor/tee.te 
@@ -1,3 +1,4 @@ allow tee tee_persist_block_device:blk_file rw_file_perms; allow tee tee_userdata_block_device:blk_file rw_file_perms; -allow tee tee_data_file:lnk_file create; +allow tee tee_data_file:lnk_file { create read }; +allow tee persist_ss_file:lnk_file { create read }; From 2ce93afc02241fc483b1c2079b1df01b3442438e Mon Sep 17 00:00:00 2001 From: mikeyuewang Date: Fri, 9 Aug 2024 19:44:33 +0000 Subject: [PATCH 31/50] Grant the MDS assess the OemRil service AIDL interface. avc deny: avc: denied { find } for pid=12125 uid=10269 name=vendor.samsung_slsi.telephony.hardware.radioExternal.IOemSlsiRadioExternal/default scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:hal_vendor_radio_external_service:s0 tclass=service_manager permissive=0 2024-08-09 19:48:22.634 12125-12138 ServiceManager com.google.mds E Bug: 357488411 Change-Id: I0d1381a7f63679880cdeffe5fe982007691d86fe --- radio/modem_diagnostic_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index 03e3af6..60835a5 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -11,6 +11,7 @@ userdebug_or_eng(` hal_client_domain(modem_diagnostic_app, hal_power_stats); + allow modem_diagnostic_app hal_vendor_radio_external_service:service_manager find; allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find; binder_call(modem_diagnostic_app, rild) From e8d646b5e66a445a59f3af36c93c72d2da79398b Mon Sep 17 00:00:00 2001 From: Joen Chen Date: Thu, 18 Jul 2024 00:23:55 +0000 Subject: [PATCH 32/50] Label frame_interval and expected_present_time as sysfs_display Bug: 330392550 Flag: EXEMPT bugfix Test: Check the files label by "adb shell ls -Z" Change-Id: Iaf8a32671bce035f5c82bd1b34b81c433638ac39 --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 2ecd039..945b928 100644 --- a/vendor/genfs_contexts 
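Review bot: The two `lnk_file` rules in vendor/tee.te carry no comment, so a later audit cannot tell why the `tee` domain may create symlinks under `persist_ss_file` and `tee_data_file`. A line such as `# storageproxyd creates and resolves the TD/TDP symlinks (b/357815590)` above them would record the reason given in the description. The quoted denials cover `create` and `read` on `persist_ss_file` and `read` on `tee_data_file`, which matches the rules as written. A daemon that resolves symlinks in a location other domains can also write to can be redirected, so it is worth confirming that no other domain holds `create` or `write` on `persist_ss_file:lnk_file`; that cannot be checked from this hunk.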
+++ b/vendor/genfs_contexts @@ -370,6 +370,8 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_ctr genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_option u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_rate_hz u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_interval u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/expected_present_time u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 From 99c09bbbba8ce725f52d0c6132447d0d0163aa55 Mon Sep 17 00:00:00 2001 From: attis Date: Fri, 9 Aug 2024 14:25:44 +0800 Subject: [PATCH 33/50] Label sysfs node power_mode as sysfs_display. Label power_mode to sysfs_panel to let it be allowed in dumpstate. avc log: 08-07 18:44:42.192 21635 21635 W dump_display: type=1400 audit(0.0:30): avc: denied { read } for name="power_mode" dev="sysfs" ino=83607 scontext=u:r:dump_display:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 bug=b/322917055 Test: ls -Z, adb bugreport. Flag: EXEMPT bugfix Bug: 358505990 Change-Id: I4aa8c13e7fb875e67457a15ea32caaf2ce422039 Signed-off-by: attis --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 2ecd039..35bc49a 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -381,6 +381,7 @@ genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_rate_hz u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_option u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/power_mode u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0 From 89db879e0a236b971baabbc5b78458d086f90e79 Mon Sep 17 00:00:00 2001 From: Tim Lin Date: Tue, 13 Aug 2024 09:56:12 +0000 Subject: [PATCH 34/50] fix bipchmgr sepolicy 08-13 17:12:29.544 410 410 I auditd : type=1400 audit(0.0:4): avc: denied { call } for comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:bipchmgr:s0 tclass=binder permissive=0 Bug: 359428163 Change-Id: I49d9b02b0913b36a1cea7cf05ff2b61bee1d551f Test: SELinuxUncheckedDenialBootTest Flag: EXEMPT bugfix --- radio/bipchmgr.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/bipchmgr.te b/radio/bipchmgr.te index 3e07f0f..46809e4 100644 --- a/radio/bipchmgr.te +++ b/radio/bipchmgr.te @@ -9,3 +9,4 @@ hwbinder_use(bipchmgr) binder_call(bipchmgr, rild) allow bipchmgr hal_vendor_radio_external_service:service_manager find; binder_call(bipchmgr, servicemanager) +binder_use(bipchmgr) From c765607120d42b01c47e3eeb3df4f0b1e2593a26 Mon Sep 17 00:00:00 2001 
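Review bot: The description body says the node is labelled `sysfs_panel`, but the added `genfscon` line for `power_mode` assigns `u:object_r:sysfs_display:s0`, as the subject line says; the body should name the same type so the label can be found by search later. The quoted denial carries `bug=b/322917055`, which comes from the `dump_display sysfs file b/322917055` entry in tracking_denials/bug_map, and this patch does not touch that file. If `power_mode` was the last unlabelled node that `dump_display` reads, remove the entry in the same change so that new `dump_display` denials on generic `sysfs` are not attributed to a bug that is already fixed; if other nodes remain, the description should say so.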
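Review bot: `binder_use(bipchmgr)` is appended directly below `binder_call(bipchmgr, servicemanager)` in radio/bipchmgr.te, and the two now overlap: the platform `binder_use` macro already grants `call` and `transfer` between the domain and `servicemanager` in both directions, which is what the quoted `servicemanager` to `bipchmgr` denial needs. Leaving both lines makes the file read as if they grant unrelated things. Either drop the `binder_call(bipchmgr, servicemanager)` line after checking that nothing depends on its `fd use` grant, or add a comment such as `# binder_use covers the servicemanager callback; binder_call kept for fd use`. The hunk's context also shows `hwbinder_use(bipchmgr)` earlier in the file, so `binder_use` would read better next to it; the top of the file is outside this hunk.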
From: Xiaofan Jiang Date: Tue, 6 Aug 2024 23:18:41 +0000 Subject: [PATCH 35/50] modem_svc: update sepolicy for UMI Bug: 357139752 [ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 [ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 Flag: EXEMPT sepolicy Change-Id: Ifb8acf20628b5c4c72c1c429216dcfac9d0eda27 --- radio/modem_svc_sit.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 0bc59bd..69b6770 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -48,3 +48,9 @@ perfetto_producer(modem_svc_sit) allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; allow modem_svc_sit modem_img_file:lnk_file r_file_perms; + +# Allow modem_svc_sit to access socket for UMI +userdebug_or_eng(` + allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; +') + From 36d0a8ffc8a5f16038278dda6ebf2cb8493411e8 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 15 Aug 2024 08:53:47 +0000 Subject: [PATCH 36/50] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 360060705 Test: scanBugreport Bug: 360060680 Test: scanAvcDeniedLogRightAfterReboot Bug: 360060705 Flag: EXEMPT bugFix Change-Id: Ia71aabae1c8bb6ad8b6d9cbeb925821c2612e116 --- tracking_denials/bug_map | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index fada0fd..fbc9d7b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
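Review bot: The added rule lets `modem_svc_sit` create and unlink `modem_svc_socket` under the shared `radio_vendor_data_file` label, so the socket inherits whatever access other domains already have to that type instead of being confined to the UMI clients. A dedicated socket type assigned through file_contexts, with `create unlink` granted on that type only, would keep the grant narrow; the `userdebug_or_eng` guard limits the exposure to debug builds but does not change which domains can reach the socket there. Which domains hold `write` on `radio_vendor_data_file:sock_file` is not visible in this hunk, so this needs checking against the full policy. The hunk also adds a blank line at the end of the file, and the same lines are re-landed unchanged by PATCH 38/50.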
@@ -2,10 +2,10 @@ dump_display sysfs file b/322917055 hal_audio_default fwk_stats_service service_manager b/340369535 hal_audio_default traced_producer_socket sock_file b/340369535 +hal_bluetooth_btlinux vendor_aoc_prop file b/353262026 hal_bluetooth_btlinux vendor_default_prop property_service b/350830390 hal_bluetooth_btlinux vendor_default_prop property_service b/350830756 hal_bluetooth_btlinux vendor_default_prop property_service b/350830758 -hal_bluetooth_btlinux vendor_aoc_prop file b/353262026 hal_gnss_default vendor_gps_prop file b/318310869 hal_power_default hal_power_default capability b/350830411 hal_wlcservice default_prop file b/350830657 @@ -15,6 +15,8 @@ kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file file b/353418189 kernel system_dlkm_file dir b/353418189 +modem_svc_sit modem_ml_svc_sit file b/360060680 +modem_svc_sit modem_ml_svc_sit file b/360060705 sctd sctd tcp_socket b/309550514 sctd swcnd unix_stream_socket b/309550514 sctd vendor_persist_config_default_prop file b/309550514 From 4cc3948d5281d28d6df1552de43dadf206c07647 Mon Sep 17 00:00:00 2001 From: "Priyanka Advani (xWF)" Date: Thu, 15 Aug 2024 16:14:44 +0000 Subject: [PATCH 37/50] Revert "modem_svc: update sepolicy for UMI" Revert submission 28762313 Reason for revert: Droidmonitor created revert due to b/360059249. Reverted changes: /q/submissionid:28762313 Change-Id: I6f4407caef36b9d86f9f5246900eb30b45504da3 --- radio/modem_svc_sit.te | 6 ------ 1 file changed, 6 deletions(-) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 69b6770..0bc59bd 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te 
@@ -48,9 +48,3 @@ perfetto_producer(modem_svc_sit) allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; allow modem_svc_sit modem_img_file:lnk_file r_file_perms; - -# Allow modem_svc_sit to access socket for UMI -userdebug_or_eng(` - allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; -') - From 5e80ce8f29e3657cb6c42c6771139ec974c265ea Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Thu, 15 Aug 2024 19:25:28 +0000 Subject: [PATCH 38/50] Revert^2 "modem_svc: update sepolicy for UMI" 4cc3948d5281d28d6df1552de43dadf206c07647 Change-Id: I54b2b463cc98b900eb3c82d8af65efb4e3b43365 --- radio/modem_svc_sit.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 0bc59bd..69b6770 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -48,3 +48,9 @@ perfetto_producer(modem_svc_sit) allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; allow modem_svc_sit modem_img_file:lnk_file r_file_perms; + +# Allow modem_svc_sit to access socket for UMI +userdebug_or_eng(` + allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; +') + From 4599e2be4457386acc69e072b0b258273af861b4 Mon Sep 17 00:00:00 2001 
From: Nattharat Jariyanuntanaet Date: Wed, 21 Aug 2024 06:13:21 +0000 Subject: [PATCH 39/50] Update sepolicy for nfc antenna selftest values Allow persist.vendor.nfc.antenna. to be vendor public values for the NFC companion app to access avc: denied { read } for name="u:object_r:vendor_nfc_antenna_prop:s0" dev="tmpfs" ino=414 scontext=u:r:untrusted_app:s0:c79,c257,c512,c768 tcontext=u:object_r:vendor_nfc_antenna_prop:s0 tclass=file permissive=0 app=com.google.android.apps.internal.nfcassistancetool Bug: 361050657 Test: m selinux_policy Flag: NONE add permission Change-Id: I0e7c3580e4df332fa3d14c939eb5e588f7600601 --- legacy/zuma/vendor/hal_nfc_default.te | 4 +++- tracking_denials/property.te | 1 + vendor/property_contexts | 4 ++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/legacy/zuma/vendor/hal_nfc_default.te b/legacy/zuma/vendor/hal_nfc_default.te index d71d9e2..dbf6c93 100644 --- a/legacy/zuma/vendor/hal_nfc_default.te +++ b/legacy/zuma/vendor/hal_nfc_default.te @@ -1,5 +1,7 @@ # HAL NFC property -get_prop(hal_nfc_default, vendor_nfc_prop) +set_prop(hal_nfc_default, vendor_nfc_prop) +set_prop(hal_nfc_default, vendor_nfc_antenna_prop) +get_prop(untrusted_app, vendor_nfc_antenna_prop) # SecureElement property set_prop(hal_nfc_default, vendor_secure_element_prop) diff --git a/tracking_denials/property.te b/tracking_denials/property.te index c1a95d6..1ce323c 100644 --- a/tracking_denials/property.te +++ b/tracking_denials/property.te @@ -1,6 +1,7 @@ # b/314065301 vendor_internal_prop(vendor_nfc_prop) +vendor_restricted_prop(vendor_nfc_antenna_prop) vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_display_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index c3402ac..8625439 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts 
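Review bot: `get_prop(untrusted_app, vendor_nfc_antenna_prop)` gives every third-party app on the device read access to `persist.vendor.nfc.antenna.*`, although the description and the quoted denial name one internal tool, `com.google.android.apps.internal.nfcassistancetool`. If that tool only ships on test builds, put the rule inside a `userdebug_or_eng` block; otherwise give the tool its own domain through a signature-keyed seapp_contexts entry, as this repository does for `euiccpixel_app`, and grant the read to that domain alone. The same hunk changes `get_prop(hal_nfc_default, vendor_nfc_prop)` to `set_prop` without a word in the description, and it places a rule about `untrusted_app` in hal_nfc_default.te, where a review of app permissions is unlikely to look. The `vendor_restricted_prop(vendor_nfc_antenna_prop)` declaration in the next hunk sits under the `# b/314065301` heading of tracking_denials/property.te and probably belongs in vendor/property.te with the permanent declarations.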
@@ -5,6 +5,10 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 # SecureElement persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 +# NFC +persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 +persist.vendor.nfc.antenna. u:object_r:vendor_nfc_antenna_prop:s0 + # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 From b5d284c3b5359c4ea1f75ff3d8600fe029766a0b Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 23 Aug 2024 09:41:16 +0000 Subject: [PATCH 40/50] Update SELinux error Test: scanBugreport Bug: 361726331 Flag: EXEMPT bugFix Change-Id: Ib42816834dbb8258d5528a1c885a9a0945fe82d1 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index fbc9d7b..84dbb44 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,7 @@ dump_display sysfs file b/322917055 +dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 +dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 hal_audio_default fwk_stats_service service_manager b/340369535 hal_audio_default traced_producer_socket sock_file b/340369535 hal_bluetooth_btlinux vendor_aoc_prop file b/353262026 From dbc540c147f067111c8c843c4642e95295f9d6a7 Mon Sep 17 00:00:00 2001 From: chenkris Date: Wed, 28 Aug 2024 09:22:57 +0000 Subject: [PATCH 41/50] Allow fingerprint to access sysfs_lhbm Fix following avc denail: android.hardwar: type=1400 audit(0.0:17): avc: denied { write } for name="local_hbm_delay_frames" dev="sysfs" ino=83619 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_lhbm:s0 tclass=file permissive=0 Bug: 362149568 Test: enroll and authenticate fingerprint Change-Id: I8c4b18b39fa5c391e9773c7780afe9e0de16e2a9 --- vendor/file.te | 1 + vendor/genfs_contexts | 1 + vendor/hal_fingerprint_default.te | 4 ++++ 3 files changed, 6 insertions(+) 
diff --git a/vendor/file.te b/vendor/file.te index cbe1e35..b4d0c51 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -17,6 +17,7 @@ type sysfs_write_leds, sysfs_type, fs_type; type sysfs_fabric, sysfs_type, fs_type; type sysfs_em_profile, sysfs_type, fs_type; type sysfs_ospm, sysfs_type, fs_type; +type sysfs_lhbm, sysfs_type, fs_type; # debugfs type vendor_regmap_debugfs, fs_type, debugfs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 945b928..8797f57 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -408,6 +408,7 @@ genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count genfscon sysfs /devices/platform/hdcp/hdcp1_success_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp1_fail_count u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/hdcp/hdcp0_count u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/local_hbm_delay_frames u:object_r:sysfs_lhbm:s0 # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te index 11f478a..b3df80e 100644 --- a/vendor/hal_fingerprint_default.te +++ b/vendor/hal_fingerprint_default.te @@ -1,3 +1,4 @@ +# SE policies for fingerprint allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; allow hal_fingerprint_default tee_device:chr_file rw_file_perms; allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; @@ -56,3 +57,6 @@ allow hal_fingerprint_default persist_fingerprint_file:file create_file_perms; # TODO: b/297562630 - remove unecessary permissions once not needed allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms; allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms; + +# Allow fingerprint to rw lhbm files +allow hal_fingerprint_default sysfs_lhbm:file rw_file_perms; 
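Review bot: The last hunk of vendor/hal_fingerprint_default.te grants `rw_file_perms` on `sysfs_lhbm`, while the only denial quoted in the description is a `write` to `local_hbm_delay_frames`. If the HAL never reads the node back, `allow hal_fingerprint_default sysfs_lhbm:file w_file_perms;` covers the observed access with a smaller grant. If it does read the value, keep `rw_file_perms` and say so in the comment, for example `# Fingerprint HAL reads and sets the LHBM delay frame count`. The body of the file between the two hunks is not visible here.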
From d5626145f3022c8f4bf5af62292426254cf1ac28 Mon Sep 17 00:00:00 2001 From: Neo Yu Date: Fri, 16 Aug 2024 09:36:39 +0800 Subject: [PATCH 42/50] Move sepolicy about hal_radioext_default to gs-common Bug: 363665676 Test: verify with test roms Flag: EXEMPT sepolicy refactor Change-Id: I618742012138123329ae47c05c958e77f5573956 --- legacy/zuma/vendor/hal_radioext_default.te | 1 - legacy/zuma/vendor/twoshay.te | 2 -- radio/file_contexts | 1 - radio/grilservice_app.te | 2 +- radio/hal_radioext_default.te | 24 ---------------------- radio/hwservice_contexts | 3 --- tracking_denials/hal_radioext_default.te | 2 -- vendor/hal_camera_default.te | 2 +- 8 files changed, 2 insertions(+), 35 deletions(-) delete mode 100644 legacy/zuma/vendor/hal_radioext_default.te delete mode 100644 radio/hal_radioext_default.te delete mode 100644 tracking_denials/hal_radioext_default.te diff --git a/legacy/zuma/vendor/hal_radioext_default.te b/legacy/zuma/vendor/hal_radioext_default.te deleted file mode 100644 index d67f9e8..0000000 --- a/legacy/zuma/vendor/hal_radioext_default.te +++ /dev/null @@ -1 +0,0 @@ -allow hal_radioext_default sysfs_display:file rw_file_perms; diff --git a/legacy/zuma/vendor/twoshay.te b/legacy/zuma/vendor/twoshay.te index 219619a..09cc98e 100644 --- a/legacy/zuma/vendor/twoshay.te +++ b/legacy/zuma/vendor/twoshay.te @@ -1,4 +1,2 @@ # Allow ITouchContextService callback binder_call(twoshay, systemui_app) - -binder_call(twoshay, hal_radioext_default) diff --git a/radio/file_contexts b/radio/file_contexts index 4c25199..5a2653c 100644 --- a/radio/file_contexts +++ b/radio/file_contexts 
@@ -9,7 +9,6 @@ /vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 /vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index cfc71e3..1765d1f 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -1,3 +1,4 @@ +# for grilservice_app domain type grilservice_app, domain; app_domain(grilservice_app) @@ -14,7 +15,6 @@ allow grilservice_app radio_vendor_data_file:file create_file_perms; allow grilservice_app gril_antenna_tuning_service:service_manager find; allow grilservice_app hal_vendor_radio_external_service:service_manager find; binder_call(grilservice_app, hal_bluetooth_btlinux) -binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) binder_call(grilservice_app, rild) diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te deleted file mode 100644 index c978ffe..0000000 --- a/radio/hal_radioext_default.te +++ /dev/null 
@@ -1,24 +0,0 @@ -type hal_radioext_default, domain; -type hal_radioext_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_radioext_default) - -hwbinder_use(hal_radioext_default) -get_prop(hal_radioext_default, hwservicemanager_prop) -get_prop(hal_radioext_default, telephony_modemtype_prop) -set_prop(hal_radioext_default, vendor_gril_prop) -add_hwservice(hal_radioext_default, hal_radioext_hwservice) - -binder_call(hal_radioext_default, servicemanager) -binder_call(hal_radioext_default, grilservice_app) -binder_call(hal_radioext_default, hal_bluetooth_btlinux) - -# RW /dev/oem_ipc0 -allow hal_radioext_default radio_device:chr_file rw_file_perms; - -# RW MIPI Freq files -allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; -allow hal_radioext_default radio_vendor_data_file:file create_file_perms; - -# Bluetooth -allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; -allow hal_radioext_default hal_bluetooth_coexistence_service:service_manager find; diff --git a/radio/hwservice_contexts b/radio/hwservice_contexts index 6453a56..f89299c 100644 --- a/radio/hwservice_contexts +++ b/radio/hwservice_contexts @@ -3,6 +3,3 @@ vendor.samsung_slsi.telephony.hardware.oemservice::IOemService # rild HAL vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0 - -# GRIL HAL -vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0 diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te deleted file mode 100644 index 7ea2914..0000000 --- a/tracking_denials/hal_radioext_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/315105050 -dontaudit hal_radioext_default radio_vendor_data_file:file { ioctl }; diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 4072cd3..4ff601b 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te 
@@ -1,3 +1,4 @@ +# for hal_camera_default service allow hal_camera_default self:global_capability_class_set sys_nice; allow hal_camera_default kernel:process setsched; @@ -73,7 +74,6 @@ allow hal_camera_default sysfs_display:file r_file_perms; # Allow camera HAL to query preferred camera frequencies from the radio HAL # extensions to avoid interference with cellular antennas. allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; -binder_call(hal_camera_default, hal_radioext_default); # Allows camera HAL to access the hw_jpeg /dev/video12. allow hal_camera_default hw_jpg_device:chr_file rw_file_perms; From 21194d2dc3d737c00d115c252ff0efff778c08d7 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Wed, 4 Sep 2024 00:04:30 +0800 Subject: [PATCH 43/50] storage: move storage related device type to common folder Bug: 364225000 Test: forrest build Change-Id: I3fb2a9a46d00ac27931ee8c1ad7b3ceef0920cdb Signed-off-by: Randall Huang --- legacy/zuma/vendor/device.te | 4 ++-- legacy/zuma/vendor/ufs_firmware_update.te | 5 ++--- radio/device.te | 4 ++-- vendor/file_contexts | 1 - 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/legacy/zuma/vendor/device.te b/legacy/zuma/vendor/device.te index 80bf3f0..dce1d92 100644 --- a/legacy/zuma/vendor/device.te +++ b/legacy/zuma/vendor/device.te @@ -1,7 +1,6 @@ -type persist_block_device, dev_type; +# device.te type custom_ab_block_device, dev_type; type mfg_data_block_device, dev_type; -type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; type fingerprint_device, dev_type; type uci_device, dev_type; @@ -15,3 +14,4 @@ type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; + diff --git a/legacy/zuma/vendor/ufs_firmware_update.te b/legacy/zuma/vendor/ufs_firmware_update.te index 04e532e..8fbb5d1 100644 --- a/legacy/zuma/vendor/ufs_firmware_update.te +++ b/legacy/zuma/vendor/ufs_firmware_update.te 
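Review bot: In the second hunk of vendor/hal_camera_default.te the `binder_call(hal_camera_default, hal_radioext_default);` line is removed, but `allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;` and its comment about querying preferred camera frequencies stay. Unless the gs-common policy named in the subject re-adds the `binder_call`, the camera HAL can look the service up but not call it, and the failure would only show as a new denial at runtime. The same question applies to the `binder_call` lines removed from radio/grilservice_app.te and legacy/zuma/vendor/twoshay.te in this patch. State in the description which gs-common file now carries these three rules, or move the remaining `find` rule together with them.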
@@ -1,6 +1,4 @@ -type ufs_firmware_update, domain; -type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type; - +# ufs ffu userdebug_or_eng(` init_daemon_domain(ufs_firmware_update) @@ -10,3 +8,4 @@ userdebug_or_eng(` allow ufs_firmware_update sysfs:dir r_dir_perms; allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; ') + diff --git a/radio/device.te b/radio/device.te index 2f1aff7..f2b5dc1 100644 --- a/radio/device.te +++ b/radio/device.te @@ -1,3 +1,3 @@ +# radio type modem_block_device, dev_type; -type modem_userdata_block_device, dev_type; -type efs_block_device, dev_type; + diff --git a/vendor/file_contexts b/vendor/file_contexts index 8af27f9..65fa3b0 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -22,7 +22,6 @@ /vendor/bin/chre u:object_r:chre_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 -/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 /vendor/bin/hw/qfp-daemon u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 From 88ed5f562fb8940867e9b4f2b39454232e288b2c Mon Sep 17 00:00:00 2001 From: Ben Murdoch Date: Tue, 3 Sep 2024 12:39:30 +0000 Subject: [PATCH 44/50] Allow systemui_app to set 'debug.tracing.desktop_mode_visible_tasks' system property See also: Iad8dc7a66765856ee7affb707f2dba6c1bbfbf49 Bug: 363893429 Flag: EXEMPT, SEPolicy Test: Verified on device. Change-Id: I6c68f97a7d42e635cadd2380cce7c64e812c1ffd --- system_ext/private/systemui_app.te | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 32bc9cf..e16625b 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -1,3 +1,4 @@ +# SEPolicy for System UI typeattribute systemui_app coredomain; app_domain(systemui_app) allow systemui_app app_api_service:service_manager find; @@ -26,3 +27,4 @@ userdebug_or_eng(` allow systemui_app wm_trace_data_file:file create_file_perms; ') +set_prop(systemui_app, debug_tracing_desktop_mode_visible_tasks_prop) From 42fee8809a1c0450e5f1c2dd89a96b3a56908e3e Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 3 Sep 2024 03:29:10 +0000 Subject: [PATCH 45/50] Move euiccpixel_app to vendor Bug: 312143882 Test: make selinux_policy Flag: EXEMPT sepolicy refactor Change-Id: I0f6ac76860c90b8022a85cafb80350a708d278c1 --- legacy/zuma/vendor/device.te | 4 --- tracking_denials/keys.conf | 2 -- tracking_denials/mac_permissions.xml | 3 --- tracking_denials/seapp_contexts | 3 --- .../certs/EuiccSupportPixel.x509.pem | 0 vendor/device.te | 4 +++ .../zuma/vendor => vendor}/euiccpixel_app.te | 3 ++- vendor/keys.conf | 3 +++ vendor/mac_permissions.xml | 27 +++++++++++++++++++ vendor/seapp_contexts | 3 +++ 10 files changed, 39 insertions(+), 13 deletions(-) rename {tracking_denials => vendor}/certs/EuiccSupportPixel.x509.pem (100%) rename {legacy/zuma/vendor => vendor}/euiccpixel_app.te (90%) create mode 100644 vendor/keys.conf create mode 100644 vendor/mac_permissions.xml create mode 100644 vendor/seapp_contexts diff --git a/legacy/zuma/vendor/device.te b/legacy/zuma/vendor/device.te index dce1d92..6ea01d9 100644 --- a/legacy/zuma/vendor/device.te +++ b/legacy/zuma/vendor/device.te 
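Review bot: `set_prop(systemui_app, debug_tracing_desktop_mode_visible_tasks_prop)` is appended after the closing `')` of the `userdebug_or_eng` block, so the write permission applies on user builds as well, and it has no comment. If the property is only meant for tracing on debug builds, move the line inside that block; this is an inference from the `debug.tracing.` name in the subject and should be confirmed against the platform change the description points to. If it is needed on all builds, add a comment above it such as `# SystemUI publishes desktop-mode task visibility for tracing (b/363893429)`.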
@@ -11,7 +11,3 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type; type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type; type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type; - -# SecureElement SPI device -type st54spi_device, dev_type; - diff --git a/tracking_denials/keys.conf b/tracking_denials/keys.conf index 56f6721..e450fcb 100644 --- a/tracking_denials/keys.conf +++ b/tracking_denials/keys.conf @@ -10,5 +10,3 @@ ALL : device/google/zumapro-sepolicy/tracking_denials/certs/camera_fishfood.x509 [@CAMERASERVICES] ALL : device/google/zumapro-sepolicy/tracking_denials/certs/com_google_android_apps_camera_services.x509.pem -[@EUICCSUPPORTPIXEL] -ALL : device/google/zumapro-sepolicy/tracking_denials/certs/EuiccSupportPixel.x509.pem diff --git a/tracking_denials/mac_permissions.xml b/tracking_denials/mac_permissions.xml index c0c0cc9..48536b9 100644 --- a/tracking_denials/mac_permissions.xml +++ b/tracking_denials/mac_permissions.xml @@ -33,7 +33,4 @@ - - - diff --git a/tracking_denials/seapp_contexts b/tracking_denials/seapp_contexts index 74fea00..961c13c 100644 --- a/tracking_denials/seapp_contexts +++ b/tracking_denials/seapp_contexts @@ -1,6 +1,3 @@ -# Domain for EuiccSupportPixel -user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all diff --git a/tracking_denials/certs/EuiccSupportPixel.x509.pem b/vendor/certs/EuiccSupportPixel.x509.pem similarity index 100% rename from tracking_denials/certs/EuiccSupportPixel.x509.pem rename to vendor/certs/EuiccSupportPixel.x509.pem diff --git a/vendor/device.te b/vendor/device.te index 10aff49..9712743 100644 --- a/vendor/device.te +++ b/vendor/device.te 
@@ -1,4 +1,8 @@ +# Device types type lwis_device, dev_type; type tee_persist_block_device, dev_type; type tee_userdata_block_device, dev_type; type hw_jpg_device, dev_type, mlstrustedobject; + +# SecureElement SPI device +type st54spi_device, dev_type; diff --git a/legacy/zuma/vendor/euiccpixel_app.te b/vendor/euiccpixel_app.te similarity index 90% rename from legacy/zuma/vendor/euiccpixel_app.te rename to vendor/euiccpixel_app.te index 0e4d65b..bc7c842 100644 --- a/legacy/zuma/vendor/euiccpixel_app.te +++ b/vendor/euiccpixel_app.te @@ -1,3 +1,4 @@ +# Euiccpixel_app type euiccpixel_app, domain; app_domain(euiccpixel_app) @@ -18,4 +19,4 @@ userdebug_or_eng(` ') # b/265286368 framework UI rendering properties -dontaudit euiccpixel_app default_prop:file { read }; \ No newline at end of file +dontaudit euiccpixel_app default_prop:file { read }; diff --git a/vendor/keys.conf b/vendor/keys.conf new file mode 100644 index 0000000..3ffa695 --- /dev/null +++ b/vendor/keys.conf @@ -0,0 +1,3 @@ +[@EUICCSUPPORTPIXEL] +ALL : device/google/zumapro-sepolicy/vendor/certs/EuiccSupportPixel.x509.pem + diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml new file mode 100644 index 0000000..0eab982 --- /dev/null +++ b/vendor/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts new file mode 100644 index 0000000..4116372 --- /dev/null +++ b/vendor/seapp_contexts @@ -0,0 +1,3 @@ +# Domain for EuiccSupportPixel +user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all + From 2c4cebf4d5a2bdb5e3295cc54575efeba9acb7d6 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Thu, 12 Sep 2024 14:24:29 +0800 Subject: [PATCH 46/50] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 366116096 Change-Id: I202f9031b89dbfbbce9d7fda6f8f50120df1698f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 84dbb44..b857fe9 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,6 +2,7 @@ dump_display sysfs file b/322917055 dump_modem sscoredump_vendor_data_coredump_file dir b/361726331 dump_modem sscoredump_vendor_data_logcat_file dir b/361726331 +grilservice_app default_android_service service_manager b/366116096 hal_audio_default fwk_stats_service service_manager b/340369535 hal_audio_default traced_producer_socket sock_file b/340369535 hal_bluetooth_btlinux vendor_aoc_prop file b/353262026 From 90453768c7aa3f97e6138e6c0c4ce554331b2e46 Mon Sep 17 00:00:00 2001 From: Prochin Wang Date: Mon, 16 Sep 2024 02:12:26 +0000 Subject: [PATCH 47/50] Change vendor_fingerprint_prop to vendor_restricted_prop This is to allow the fingerprint HAL to access the property. Bug: 366105474 Flag: build.RELEASE_PIXEL_BOOST_DATALAYER_PSA_ENABLED Test: mm Change-Id: Iba81a714af741edabdb587d8e5f9d6060dd133c5 --- vendor/property.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/property.te b/vendor/property.te index 344e8c9..3f61bea 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -1,3 +1,4 @@ +# Vendor property vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) @@ -10,7 +11,7 @@ vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_trusty_storage_prop) # Fingerprint -vendor_internal_prop(vendor_fingerprint_prop) +vendor_restricted_prop(vendor_fingerprint_prop) # Battery vendor_internal_prop(vendor_battery_defender_prop) From 2a4cb7b0a38a2db19b37d7b9f4b0d221f423347e Mon Sep 17 00:00:00 2001 
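Review bot: Changing `vendor_fingerprint_prop` from `vendor_internal_prop` to `vendor_restricted_prop` in the second property.te hunk appears to widen access further than the description ("allow the fingerprint HAL to access the property") requires. A vendor HAL domain can already be granted access to an internal vendor property with an ordinary rule, whereas the restricted macro, as far as I know, lifts the neverallow that stops non-vendor (coredomain) processes from reading it. No `get_prop` rule for a new reader is visible in this patch, so the domain that needs the wider type should be named next to the declaration, e.g. `# restricted: read by <domain outside vendor>, b/366105474`. If the only reader is the fingerprint HAL, keeping the internal type and adding a `get_prop` rule would leave the property hidden from system domains.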
From: Nina Chen Date: Thu, 19 Sep 2024 12:05:32 +0800 Subject: [PATCH 48/50] Update SELinux error Test: scanBugreport Bug: 368188020 Test: scanAvcDeniedLogRightAfterReboot Bug: 368187536 Flag: EXEMPT NDK Change-Id: I0cb8cf650332bf2d518871f87c2175a4f3a20678 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b857fe9..30525de 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -18,6 +18,8 @@ kernel sepolicy_file file b/353418189 kernel system_bootstrap_lib_file dir b/353418189 kernel system_bootstrap_lib_file file b/353418189 kernel system_dlkm_file dir b/353418189 +modem_svc_sit hal_radioext_default process b/368187536 +modem_svc_sit hal_radioext_default process b/368188020 modem_svc_sit modem_ml_svc_sit file b/360060680 modem_svc_sit modem_ml_svc_sit file b/360060705 sctd sctd tcp_socket b/309550514 From ab3bd433f8e88c692f208c894b4e870d8de20aa2 Mon Sep 17 00:00:00 2001 From: chenkris Date: Fri, 20 Sep 2024 06:17:43 +0000 Subject: [PATCH 49/50] Allow fingerprint to access /dev/fth_fd Fix the following avc denial: avc: denied { open } for path="/dev/fth_fd" dev="tmpfs" ino=1575 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 Bug: 368517769 Test: enroll and authenticate fingerprint. Change-Id: I46e59d0fb4526586ce6e95e1d715b22e08b4347d --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 65fa3b0..615b925 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -161,6 +161,7 @@ /dev/qbt_ipc u:object_r:fingerprint_device:s0 /dev/qbt_fd u:object_r:fingerprint_device:s0 /dev/goodix_fp u:object_r:fingerprint_device:s0 +/dev/fth_fd u:object_r:fingerprint_device:s0 /dev/video12 u:object_r:hw_jpg_device:s0 # Data From 0507349a4b91d16b96a0e04241863dd3278ad98f Mon Sep 17 00:00:00 2001 
From: Tej Singh Date: Fri, 20 Sep 2024 21:41:23 -0700 Subject: [PATCH 50/50] Make android.framework.stats-v2-ndk app reachable For libedgetpu Test: TH Bug: 354763040 Flag: EXEMPT bugfix Change-Id: Id4f43ba150bd476426ace22c7d866ee87d5777a0
---
 vendor/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 615b925..c7fd912 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -38,6 +38,7 @@
 /vendor/lib64/libhwjpeg\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/android\.frameworks\.stats-V2-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
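Review bot: Labelling `android\.frameworks\.stats-V2-ndk\.so` as `same_process_hal_file` makes the library loadable from app and system processes rather than from a single consumer, and the new entry does not say why that is needed. The commit message names libedgetpu as the reason; recording it in the file, e.g. `# stats-V2-ndk: dependency of libedgetpu, b/354763040`, lets a later audit of this list tell which entries are still required. The V1 entry stays next to it and may be removable once nothing links against V1, which cannot be judged from this hunk.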