diff options
author | Xin Li <delphij@google.com> | 2020-08-28 15:41:32 -0700 |
---|---|---|
committer | Xin Li <delphij@google.com> | 2020-08-31 01:39:38 -0700 |
commit | 4c147758e5c530fd514eba4ab74d86fb76cbf1e0 (patch) | |
tree | ceaace345d691aa065787d79c162c251816dc2f2 | |
parent | 1a70434c2241eb690e39b10de059172a6b0b39df (diff) | |
parent | 85326d858077bdb6113234ae461538fd808b9813 (diff) | |
download | bonito-sepolicy-temp_sam_168057903.tar.gz |
Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)temp_sam_168057903
Bug: 166295507
Merged-In: I28245d4abb260213a5817026b242d43755bec936
Change-Id: I0485d15cdc943f39e772b94b02b202909f409805
66 files changed, 187 insertions, 243 deletions
diff --git a/bonito-sepolicy.mk b/bonito-sepolicy.mk index f618b8a3..2c9da473 100644 --- a/bonito-sepolicy.mk +++ b/bonito-sepolicy.mk @@ -1,5 +1,5 @@ -PRODUCT_PUBLIC_SEPOLICY_DIRS := device/google/bonito-sepolicy/public -PRODUCT_PRIVATE_SEPOLICY_DIRS := device/google/bonito-sepolicy/private +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/bonito-sepolicy/public +PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/bonito-sepolicy/private # vendors BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/qcom/common @@ -7,3 +7,6 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/qcom/sdm710 BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/google BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/verizon BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/tracking_denials + +# Pixel-wide policy +BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel diff --git a/private/gsid.te b/private/gsid.te new file mode 100644 index 00000000..b64999d8 --- /dev/null +++ b/private/gsid.te @@ -0,0 +1,2 @@ +# b/151047320 +dontaudit gsid unlabeled:dir search; diff --git a/private/seapp_contexts b/private/seapp_contexts index 57a99dec..58a85b59 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts @@ -1,2 +1,5 @@ # Domain for WfcActivation app user=_app seinfo=wfcactivation name=com.google.android.wfcactivation domain=wfc_activation_app levelFrom=all + +# Domain for Sprint Hidden Menu +user=_app isPrivApp=true seinfo=platform name=com.google.android.hiddenmenu domain=sprint_hidden_menu type=app_data_file levelFrom=all diff --git a/private/sprint_hidden_menu.te b/private/sprint_hidden_menu.te new file mode 100644 index 00000000..9eb45e7c --- /dev/null +++ b/private/sprint_hidden_menu.te @@ -0,0 +1,9 @@ +type sprint_hidden_menu, domain, coredomain; + +app_domain(sprint_hidden_menu) +net_domain(sprint_hidden_menu) + +# Services +allow sprint_hidden_menu app_api_service:service_manager find; +allow sprint_hidden_menu qchook_service:service_manager find; +allow sprint_hidden_menu radio_service:service_manager find; diff --git a/tracking_denials/dataservice_app.te b/tracking_denials/dataservice_app.te deleted file mode 100644 index 172a2fcc..00000000 --- a/tracking_denials/dataservice_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/149063685 -dontaudit dataservice_app vendor_default_prop:file read; diff --git a/tracking_denials/e2fs.te b/tracking_denials/e2fs.te deleted file mode 100644 index 32cb35ab..00000000 --- a/tracking_denials/e2fs.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/149063531 -dontaudit e2fs tmpfs:lnk_file read; diff --git a/tracking_denials/factory_ota_app.te b/tracking_denials/factory_ota_app.te deleted file mode 100644 index 2f0d25cb..00000000 --- a/tracking_denials/factory_ota_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/149063707 -dontaudit factory_ota_app gpuservice:binder call; diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te index 6b7e70e3..fc00b68e 100644 --- a/tracking_denials/gmscore_app.te +++ b/tracking_denials/gmscore_app.te @@ -1,4 +1,2 @@ -# b/149062700 -dontaudit gmscore_app mnt_vendor_file:dir search; +# b/149063577 dontaudit gmscore_app sysfs_msm_subsys:file read; -dontaudit gmscore_app vendor_firmware_file:filesystem getattr; diff --git a/tracking_denials/hal_bluetooth_default.te b/tracking_denials/hal_bluetooth_default.te deleted file mode 100644 index 8df181f7..00000000 --- a/tracking_denials/hal_bluetooth_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/149063293 -dontaudit hal_bluetooth_default self:socket create; diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te deleted file mode 100644 index fbed6b8f..00000000 --- a/tracking_denials/installd.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/149063192 -dontaudit installd tmpfs:lnk_file read; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 0bd4cdb6..a1e7e77b 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -1,3 +1,2 @@ # b/149063676 dontaudit priv_app sysfs_msm_subsys:file read; -dontaudit priv_app vendor_default_prop:file read; diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te new file mode 100644 index 00000000..5d0af0c5 --- /dev/null +++ b/tracking_denials/rild.te @@ -0,0 +1,2 @@ +# b/151804403 +dontaudit rild default_prop:file read; diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te index 314b681c..a75c16fd 100644 --- a/tracking_denials/system_app.te +++ b/tracking_denials/system_app.te @@ -1,4 +1,6 @@ # b/149064421 -dontaudit system_app apk_verity_prop:file read; dontaudit system_app sysfs_msm_subsys:dir search; -dontaudit system_app vendor_default_prop:file read; + +# b/151803074 +dontaudit system_app hal_tui_comm_hwservice:hwservice_manager find; + diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 92bdc7b6..cf361ddc 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -1,2 +1,4 @@ # b/149064109 dontaudit system_server sysfs_msm_subsys:file read; +# b/149064109 +dontaudit system_server proc_irq:dir search; diff --git a/tracking_denials/ueventd.te b/tracking_denials/ueventd.te deleted file mode 100644 index 3eece050..00000000 --- a/tracking_denials/ueventd.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/149064065 -dontaudit ueventd tmpfs:lnk_file read; diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te new file mode 100644 index 00000000..858fd6f3 --- /dev/null +++ b/tracking_denials/untrusted_app.te @@ -0,0 +1,2 @@ +# b/149063229 +dontaudit untrusted_app sysfs_msm_subsys:dir search; diff --git a/vendor/google/certs/com_google_mds.x509.pem b/vendor/google/certs/com_google_mds.x509.pem new file mode 100644 index 00000000..640c6fb9 --- /dev/null +++ b/vendor/google/certs/com_google_mds.x509.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/vendor/google/citadeld.te b/vendor/google/citadeld.te index 9db1a5eb..e216ba5d 100644 --- a/vendor/google/citadeld.te +++ b/vendor/google/citadeld.te @@ -1,20 +1,2 @@ -type citadeld, domain; -type citadeld_exec, exec_type, vendor_file_type, file_type; - -vndbinder_use(citadeld) -add_service(citadeld, citadeld_service) - -allow citadeld citadel_device:chr_file rw_file_perms; - -init_daemon_domain(citadeld) - allow citadeld debugfs_ipc:dir search; - -allow citadeld hal_power_stats_default:binder { call transfer }; allow citadeld power_stats_service:service_manager find; - -# Let citadeld find and use statsd. -hwbinder_use(citadeld) -get_prop(citadeld, hwservicemanager_prop) -allow citadeld fwk_stats_hwservice:hwservice_manager find; -binder_call(citadeld, stats_service_server) diff --git a/vendor/google/device.te b/vendor/google/device.te index 5908c53f..8bf9256c 100644 --- a/vendor/google/device.te +++ b/vendor/google/device.te @@ -1,4 +1,3 @@ -type citadel_device, dev_type; type ramoops_device, dev_type; # Mark system_block_devices as super partition block devices for retrofit diff --git a/vendor/google/file.te b/vendor/google/file.te index 7a7d9319..ae65f49b 100644 --- a/vendor/google/file.te +++ b/vendor/google/file.te @@ -5,3 +5,6 @@ type sysfs_display, sysfs_type, fs_type; type sysfs_pixelstats, sysfs_type, fs_type; type persist_battery_file, file_type; type sysfs_chargelevel, sysfs_type, fs_type; + +# RamdumpFS +allow ramdump_vendor_mnt_file self:filesystem associate; diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts index 1663abc9..50807609 100644 --- a/vendor/google/file_contexts +++ b/vendor/google/file_contexts @@ -1,30 +1,21 @@ # dev nodes -/dev/citadel0 u:object_r:citadel_device:s0 /dev/access-kregistry u:object_r:rebootescrow_device:s0 /dev/access-metadata u:object_r:ramoops_device:s0 /dev/access-ramoops u:object_r:ramoops_device:s0 /vendor/bin/hw/android\.hardware\.atrace@1\.0-service.pixel u:object_r:hal_atrace_default_exec:s0 -/vendor/bin/hw/android\.hardware\.authsecret@1\.0-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic u:object_r:hal_contexthub_default_exec:s0 -/vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0 -/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 -/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0 -/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0 -/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0 -/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.1-service-disabled u:object_r:hal_secure_element_default_exec:s0 -/vendor/bin/hw/android\.hardware\.power@1\.3-service\.pixel-libperfmgr u:object_r:hal_power_default_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/modem_svc u:object_r:modem_svc_exec:s0 /vendor/bin/perfstatsd u:object_r:perfstatsd_exec:s0 /vendor/bin/init\.firstboot\.sh u:object_r:init-firstboot_exec:s0 /vendor/bin/init\.fingerprint\.sh u:object_r:init-fingerprint_exec:s0 -/vendor/bin/thermal_logd u:object_r:init-thermal-logging-sh_exec:s0 /vendor/bin/ramoops u:object_r:ramoops_exec:s0 /vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0 /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0 +/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0 /data/vendor_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_vendor_data_file:s0 diff --git a/vendor/google/gmscore_app.te b/vendor/google/gmscore_app.te new file mode 100644 index 00000000..69dd7dad --- /dev/null +++ b/vendor/google/gmscore_app.te @@ -0,0 +1 @@ +dontaudit gmscore_app vendor_firmware_file:filesystem getattr; diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te index 729f29bb..a1adeab0 100644 --- a/vendor/google/grilservice_app.te +++ b/vendor/google/grilservice_app.te @@ -3,5 +3,8 @@ type grilservice_app, domain; app_domain(grilservice_app) allow grilservice_app hal_radioext_hwservice:hwservice_manager find; +allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; allow grilservice_app activity_service:service_manager find; + binder_call(grilservice_app, hal_radioext_default) +binder_call(grilservice_app, hal_wifi_ext) diff --git a/vendor/google/hal_authsecret_citadel.te b/vendor/google/hal_authsecret_citadel.te deleted file mode 100644 index 029d9572..00000000 --- a/vendor/google/hal_authsecret_citadel.te +++ /dev/null @@ -1,9 +0,0 @@ -type hal_authsecret_citadel, domain; -type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type; - -vndbinder_use(hal_authsecret_citadel) -binder_call(hal_authsecret_citadel, citadeld) -allow hal_authsecret_citadel citadeld_service:service_manager find; - -hal_server_domain(hal_authsecret_citadel, hal_authsecret) -init_daemon_domain(hal_authsecret_citadel) diff --git a/vendor/google/hal_confirmationui.te b/vendor/google/hal_confirmationui.te index e6e07b89..1486a282 100644 --- a/vendor/google/hal_confirmationui.te +++ b/vendor/google/hal_confirmationui.te @@ -1,14 +1,3 @@ -allow hal_confirmationui_server tee_device:chr_file rw_file_perms; -allow hal_confirmationui_server ion_device:chr_file r_file_perms; - -allow hal_confirmationui_server hal_tui_comm_hwservice:hwservice_manager find; binder_call(hal_confirmationui_server, hal_tui_comm) - -vndbinder_use(hal_confirmationui_server) -allow hal_confirmationui_server citadeld_service:service_manager find; binder_call(hal_confirmationui_server, citadeld) - -binder_call(hal_confirmationui_server, keystore) - -allow hal_confirmationui_server input_device:chr_file rw_file_perms; -allow hal_confirmationui_server input_device:dir r_dir_perms; +allow hal_confirmationui_server citadeld_service:service_manager find; diff --git a/vendor/google/hal_identity_citadel.te b/vendor/google/hal_identity_citadel.te new file mode 100644 index 00000000..e29310c3 --- /dev/null +++ b/vendor/google/hal_identity_citadel.te @@ -0,0 +1,9 @@ +type hal_identity_citadel, domain; +type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type; + +vndbinder_use(hal_identity_citadel) +binder_call(hal_identity_citadel, citadeld) +allow hal_identity_citadel citadeld_service:service_manager find; + +hal_server_domain(hal_identity_citadel, hal_identity) +init_daemon_domain(hal_identity_citadel) diff --git a/vendor/google/hal_keymaster_citadel.te b/vendor/google/hal_keymaster_citadel.te index ebca378e..55611263 100644 --- a/vendor/google/hal_keymaster_citadel.te +++ b/vendor/google/hal_keymaster_citadel.te @@ -1,12 +1 @@ -type hal_keymaster_citadel, domain; -type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type; - -vndbinder_use(hal_keymaster_citadel) -binder_call(hal_keymaster_citadel, citadeld) -allow hal_keymaster_citadel citadeld_service:service_manager find; - -hal_server_domain(hal_keymaster_citadel, hal_keymaster) -init_daemon_domain(hal_keymaster_citadel) - get_prop(hal_keymaster_citadel, vendor_tee_listener_prop) -get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop) diff --git a/vendor/google/hal_oemlock_citadel.te b/vendor/google/hal_oemlock_citadel.te deleted file mode 100644 index d3ff7191..00000000 --- a/vendor/google/hal_oemlock_citadel.te +++ /dev/null @@ -1,9 +0,0 @@ -type hal_oemlock_citadel, domain; -type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type; - -vndbinder_use(hal_oemlock_citadel) -binder_call(hal_oemlock_citadel, citadeld) -allow hal_oemlock_citadel citadeld_service:service_manager find; - -hal_server_domain(hal_oemlock_citadel, hal_oemlock) -init_daemon_domain(hal_oemlock_citadel) diff --git a/vendor/google/hal_thermal_default.te b/vendor/google/hal_thermal_default.te deleted file mode 100644 index 55073a9f..00000000 --- a/vendor/google/hal_thermal_default.te +++ /dev/null @@ -1,8 +0,0 @@ -allow hal_thermal_default sysfs_thermal:dir r_dir_perms; -allow hal_thermal_default sysfs_thermal:file rw_file_perms; -allow hal_thermal_default proc_stat:file r_file_perms; - -allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; - -# read thermal_config -get_prop(hal_thermal_default, vendor_thermal_prop) diff --git a/vendor/google/hal_weaver_citadel.te b/vendor/google/hal_weaver_citadel.te deleted file mode 100644 index 59914a85..00000000 --- a/vendor/google/hal_weaver_citadel.te +++ /dev/null @@ -1,9 +0,0 @@ -type hal_weaver_citadel, domain; -type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type; - -vndbinder_use(hal_weaver_citadel) -binder_call(hal_weaver_citadel, citadeld) -allow hal_weaver_citadel citadeld_service:service_manager find; - -hal_server_domain(hal_weaver_citadel, hal_weaver) -init_daemon_domain(hal_weaver_citadel) diff --git a/vendor/google/init-thermal-logging.sh.te b/vendor/google/init-thermal-logging.sh.te deleted file mode 100644 index 3da540e3..00000000 --- a/vendor/google/init-thermal-logging.sh.te +++ /dev/null @@ -1,10 +0,0 @@ -type init-thermal-logging-sh, domain; -type init-thermal-logging-sh_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(init-thermal-logging-sh) - -userdebug_or_eng(` - allow init-thermal-logging-sh vendor_toolbox_exec:file rx_file_perms; - allow init-thermal-logging-sh sysfs_thermal:dir r_dir_perms; - allow init-thermal-logging-sh sysfs_thermal:file r_file_perms; -') diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te deleted file mode 100644 index f96ab15d..00000000 --- a/vendor/google/init_citadel.te +++ /dev/null @@ -1,14 +0,0 @@ -type init_citadel, domain; -type init_citadel_exec, exec_type, vendor_file_type, file_type; - -# Shell script exec (toolbox) -allow init_citadel vendor_shell_exec:file r_file_perms; -allow init_citadel vendor_toolbox_exec:file rx_file_perms; -allow init_citadel vendor_file:file rx_file_perms; - -# Citadel communication must be via citadeld -vndbinder_use(init_citadel) -binder_call(init_citadel, citadeld) -allow init_citadel citadeld_service:service_manager find; - -init_daemon_domain(init_citadel) diff --git a/vendor/google/keys.conf b/vendor/google/keys.conf index ad143390..a272db89 100644 --- a/vendor/google/keys.conf +++ b/vendor/google/keys.conf @@ -14,3 +14,6 @@ ALL : device/google/bonito-sepolicy/vendor/google/certs/app.x509.pem [@EASEL] ALL : device/google/bonito-sepolicy/vendor/google/certs/easel.x509.pem + +[@MDS] +ALL : device/google/bonito-sepolicy/vendor/google/certs/com_google_mds.x509.pem diff --git a/vendor/google/mac_permissions.xml b/vendor/google/mac_permissions.xml index 401dc836..bfc89deb 100644 --- a/vendor/google/mac_permissions.xml +++ b/vendor/google/mac_permissions.xml @@ -33,4 +33,7 @@ <signer signature="@EASEL" > <seinfo value="easel" /> </signer> + <signer signature="@MDS" > + <seinfo value="mds" /> + </signer> </policy> diff --git a/private/mediaswcodec.te b/vendor/google/mediaswcodec.te index 865b4397..865b4397 100644 --- a/private/mediaswcodec.te +++ b/vendor/google/mediaswcodec.te diff --git a/vendor/qcom/common/modem_diagnostics.te b/vendor/google/modem_diagnostics.te index d27e93c8..d27e93c8 100644 --- a/vendor/qcom/common/modem_diagnostics.te +++ b/vendor/google/modem_diagnostics.te diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te index 7f3e7765..874d894c 100644 --- a/vendor/google/pixelstats_vendor.te +++ b/vendor/google/pixelstats_vendor.te @@ -10,7 +10,7 @@ allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find; binder_call(pixelstats_vendor, pixelstats_system) allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find; -binder_call(pixelstats_vendor, statsd) +binder_call(pixelstats_vendor, stats_service_server) unix_socket_connect(pixelstats_vendor, chre, chre) diff --git a/vendor/google/property_contexts b/vendor/google/property_contexts index e3334327..1d900d15 100644 --- a/vendor/google/property_contexts +++ b/vendor/google/property_contexts @@ -2,14 +2,18 @@ vendor.ramoops. u:object_r:vendor_ramoops_prop:s0 persist.vendor.radio.no_wait_for_card u:object_r:vendor_radio_prop:s0 -vendor.powerhal.rendering u:object_r:power_prop:s0 persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0 -ro.vibrator.hal.click.duration u:object_r:vendor_vibrator_prop:s0 -ro.vibrator.hal.tick.duration u:object_r:vendor_vibrator_prop:s0 -ro.vibrator.hal.heavyclick.duration u:object_r:vendor_vibrator_prop:s0 -ro.vibrator.hal.short.voltage u:object_r:vendor_vibrator_prop:s0 -ro.vibrator.hal.long.voltage u:object_r:vendor_vibrator_prop:s0 + +# haptics +ro.vibrator.hal.closeloop.threshold u:object_r:vendor_vibrator_prop:s0 +ro.vibrator.hal.config.dynamic u:object_r:vendor_vibrator_prop:s0 +ro.vibrator.hal.click.duration u:object_r:vendor_vibrator_prop:s0 +ro.vibrator.hal.tick.duration u:object_r:vendor_vibrator_prop:s0 +ro.vibrator.hal.heavyclick.duration u:object_r:vendor_vibrator_prop:s0 +ro.vibrator.hal.short.voltage u:object_r:vendor_vibrator_prop:s0 +ro.vibrator.hal.long.voltage u:object_r:vendor_vibrator_prop:s0 ro.vibrator.hal.long.frequency.shift u:object_r:vendor_vibrator_prop:s0 +ro.vibrator.hal.double_click.duration u:object_r:vendor_vibrator_prop:s0 # battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts index 7ec0c015..49c317f8 100644 --- a/vendor/google/seapp_contexts +++ b/vendor/google/seapp_contexts @@ -2,4 +2,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all # Domain for GoogleCBRS app -user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
\ No newline at end of file +user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user + +# Domain for modem diagnostic system +user=_app seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user diff --git a/vendor/google/vendor_init.te b/vendor/google/vendor_init.te index 5b0628fe..c5c1a0f3 100644 --- a/vendor/google/vendor_init.te +++ b/vendor/google/vendor_init.te @@ -3,10 +3,6 @@ get_prop(vendor_init, vendor_radio_sku_prop) set_prop(vendor_init, vendor_build_type_prop) -# To allow set pixel mm_event tracing -allow vendor_init debugfs_tracing_instances:dir create_dir_perms; -allow vendor_init debugfs_tracing_instances:file w_file_perms; - # Allow vendor_init to set property of logpersistd_logging_prop userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) diff --git a/vendor/google/vndservice.te b/vendor/google/vndservice.te index 2518809d..3ad0227c 100644 --- a/vendor/google/vndservice.te +++ b/vendor/google/vndservice.te @@ -1,2 +1 @@ -type citadeld_service, vndservice_manager_type; type perfstatsd_service, vndservice_manager_type; diff --git a/vendor/google/vndservice_contexts b/vendor/google/vndservice_contexts index b7d8a72e..32ecbbd6 100644 --- a/vendor/google/vndservice_contexts +++ b/vendor/google/vndservice_contexts @@ -1,2 +1 @@ -android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0 perfstatsd_pri u:object_r:perfstatsd_service:s0 diff --git a/vendor/google/wait_for_strongbox.te b/vendor/google/wait_for_strongbox.te deleted file mode 100644 index c9586c88..00000000 --- a/vendor/google/wait_for_strongbox.te +++ /dev/null @@ -1,9 +0,0 @@ -# wait_for_strongbox service -type wait_for_strongbox, domain; -type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(wait_for_strongbox) - -hal_client_domain(wait_for_strongbox, hal_keymaster) - -allow wait_for_strongbox kmsg_device:chr_file w_file_perms;
\ No newline at end of file diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te index 434b5c09..60f13736 100644 --- a/vendor/qcom/common/device.te +++ b/vendor/qcom/common/device.te @@ -8,7 +8,6 @@ type dsp_device, dev_type; type easel_device, dev_type, mlstrustedobject; type gpt_block_device, dev_type; type ipa_dev, dev_type; -type latency_device, dev_type; type modem_block_device, dev_type; type persist_block_device, dev_type; type qsee_ipc_irq_spss_device, dev_type; diff --git a/vendor/qcom/common/dumpstate.te b/vendor/qcom/common/dumpstate.te index 06a2a749..8f5ea5eb 100644 --- a/vendor/qcom/common/dumpstate.te +++ b/vendor/qcom/common/dumpstate.te @@ -1,3 +1,4 @@ +dump_hal(hal_telephony) dump_hal(hal_thermal) dump_hal(hal_power) dump_hal(hal_power_stats) @@ -20,5 +21,4 @@ allow dumpstate debugfs_mmc:dir search; allow dumpstate vendor_firmware_file:dir getattr; allow dumpstate vendor_firmware_file:filesystem getattr; -dontaudit dumpstate misc_logd_file:dir read; dontaudit dumpstate kernel:system module_request; diff --git a/vendor/qcom/common/factory_ota_app.te b/vendor/qcom/common/factory_ota_app.te deleted file mode 100644 index 5f2268bb..00000000 --- a/vendor/qcom/common/factory_ota_app.te +++ /dev/null @@ -1,24 +0,0 @@ -type factory_ota_app, domain, coredomain; - -app_domain(factory_ota_app) -net_domain(factory_ota_app) - -# Write to /data/ota_package for OTA packages. -allow factory_ota_app ota_package_file:dir rw_dir_perms; -allow factory_ota_app ota_package_file:file create_file_perms; - -# Properties -get_prop(factory_ota_app, factory_ota_prop); -set_prop(factory_ota_app, exported_system_prop); - -# Services -allow factory_ota_app app_api_service:service_manager find; -binder_call(factory_ota_app, update_engine) # Allow Factory OTA to call Update Engine -binder_call(update_engine, factory_ota_app) # Allow Update Engine to call the Factory OTA callback -allow factory_ota_app update_engine_service:service_manager find; -allow factory_ota_app nfc_service:service_manager find; -allow factory_ota_app radio_service:service_manager find; - -# b/133124196 For suppress the GPU service seploicy error log which Factory OTA does not need it. -dontaudit factory_ota_app gpu_service:service_manager find; - diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te index ae8cd890..23853c94 100644 --- a/vendor/qcom/common/file.te +++ b/vendor/qcom/common/file.te @@ -65,7 +65,6 @@ type ims_socket, file_type; type ipacm_socket, file_type; type cnd_socket, file_type; type chre_socket, file_type; -type pps_socket, file_type; type location_socket, file_type; type diag_socket, file_type, mlstrustedobject; @@ -94,6 +93,7 @@ type nfc_vendor_data_file, file_type, data_file_type; type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject; type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject; type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; +type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject; type wifidump_vendor_data_file, file_type, data_file_type; type modem_dump_file, file_type, data_file_type; type sensors_vendor_data_file, file_type, data_file_type; @@ -111,6 +111,7 @@ type bt_firmware_file, fs_type, contextmount_type; type vendor_tui_data_file, file_type, data_file_type; type wifi_vendor_log_data_file, file_type, data_file_type; + type hal_neuralnetworks_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts index 1d5e543b..b2730448 100644 --- a/vendor/qcom/common/file_contexts +++ b/vendor/qcom/common/file_contexts @@ -9,7 +9,6 @@ /dev/ipa u:object_r:ipa_dev:s0 /dev/wwan_ioctl u:object_r:ipa_dev:s0 /dev/ipaNatTable u:object_r:ipa_dev:s0 -/dev/cpu_dma_latency u:object_r:latency_device:s0 /dev/rmnet_ctrl.* u:object_r:rmnet_device:s0 /dev/at_.* u:object_r:at_device:s0 /dev/video([0-9])+ u:object_r:video_device:s0 @@ -61,7 +60,6 @@ /dev/socket/thermal-recv-passive-client u:object_r:thermal_socket:s0 /dev/socket/netmgr(/.*)? u:object_r:netmgrd_socket:s0 /data/vendor/netmgr/recovery(/.*)? u:object_r:netmgr_recovery_data_file:s0 -/dev/socket/pps u:object_r:pps_socket:s0 /dev/socket/location(/.*)? u:object_r:location_socket:s0 /dev/nq-nci u:object_r:nfc_device:s0 /dev/ttyHS0 u:object_r:hci_attach_dev:s0 @@ -78,6 +76,12 @@ # Block devices for the drive that holds the xbl_a and xbl_b partitions. /dev/block/sd[bc]1? u:object_r:xbl_block_device:s0 +################################### +# ramdumpfs files +# +/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0 +/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0 + # Block device for hal_bootctl /dev/block/sde u:object_r:boot_block_device:s0 @@ -124,11 +128,11 @@ /vendor/bin/cnd u:object_r:cnd_exec:s0 /vendor/bin/easelmanagerd u:object_r:easel_exec:s0 /vendor/bin/hw/android\.hardware\.usb@1\.1-service\.bonito u:object_r:hal_usb_impl_exec:s0 -/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0 /vendor/bin/chre u:object_r:chre_exec:s0 /vendor/bin/time_daemon u:object_r:time_daemon_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /vendor/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0 +/vendor/bin/init\.edge_sense\.sh u:object_r:init-edge_sense-sh_exec:s0 /vendor/bin/init\.qcom\.devstart\.sh u:object_r:init-qcom-devstart-sh_exec:s0 /vendor/bin/init\.qcom\.ipastart\.sh u:object_r:init-qcom-ipastart-sh_exec:s0 /vendor/bin/init\.qcom\.wlan\.sh u:object_r:init-qcom-wlan-sh_exec:s0 @@ -141,10 +145,8 @@ /vendor/bin/grep u:object_r:vendor_grep_exec:s0 /vendor/bin/wifi_sniffer u:object_r:wifi_sniffer_exec:s0 -/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service-bonito u:object_r:hal_confirmationui_default_exec:s0 /vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0 -/vendor/bin/hw/android\.hardware\.vibrator@1\.2-service\.bonito u:object_r:hal_vibrator_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0 /vendor/bin/hw/android\.hardware\.gnss@1\.1-service-qti u:object_r:hal_gnss_qti_exec:s0 diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts index 8d2be749..aa41aaba 100644 --- a/vendor/qcom/common/genfs_contexts +++ b/vendor/qcom/common/genfs_contexts @@ -33,7 +33,6 @@ genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_write_cnt u:o genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /class/thermal u:object_r:sysfs_thermal:s0 genfscon sysfs /class/uio u:object_r:sysfs_uio:s0 genfscon sysfs /devices/platform/soc/894000.i2c u:object_r:sysfs_msm_subsys:s0 genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0 @@ -57,7 +56,6 @@ genfscon sysfs /devices/platform/soc/8300000.qcom,turing genfscon sysfs /devices/platform/soc/0.qcom,rmtfs_sharedmem u:object_r:sysfs_rmtfs:s0 genfscon sysfs /devices/platform/soc/soc:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/virtual/wahoo_laser u:object_r:sysfs_laser:s0 genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/soc/17d41000.qcom,cpucc/17d41000.qcom,cpucc:qcom,limits-dcvs@0 u:object_r:sysfs_thermal:s0 @@ -100,6 +98,7 @@ genfscon sysfs /power/system_sleep/stats u:object genfscon debugfs /kgsl/proc u:object_r:debugfs_kgsl:s0 genfscon debugfs /clk/debug_suspend u:object_r:debugfs_clk:s0 +genfscon debugfs /wlan u:object_r:debugfs_wlan:s0 genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0 genfscon debugfs /mnh_sm u:object_r:debugfs_easel:s0 diff --git a/vendor/qcom/common/hal_dumpstate_impl.te b/vendor/qcom/common/hal_dumpstate_impl.te index 5e14f08b..18d92549 100644 --- a/vendor/qcom/common/hal_dumpstate_impl.te +++ b/vendor/qcom/common/hal_dumpstate_impl.te @@ -29,13 +29,18 @@ userdebug_or_eng(` #Dump perfstatsd allow hal_dumpstate_impl perfstatsd_exec:file rx_file_perms; allow hal_dumpstate_impl perfstatsd_service:service_manager find; - vndbinder_use(hal_dumpstate_impl) binder_call(hal_dumpstate_impl, perfstatsd) # Dump sensors log allow hal_dumpstate_impl sensors_vendor_data_file:dir r_dir_perms; allow hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms; ') + +# Citadel communication must be via citadeld +vndbinder_use(hal_dumpstate_impl) +binder_call(hal_dumpstate_impl, citadeld) +allow hal_dumpstate_impl citadeld_service:service_manager find; + allow hal_dumpstate_impl modem_dump_file:dir create_dir_perms; allow hal_dumpstate_impl modem_dump_file:file create_file_perms; allow hal_dumpstate_impl radio_vendor_data_file:dir r_dir_perms; @@ -80,6 +85,7 @@ allow hal_dumpstate_impl sysfs_mmc:file r_file_perms; allow hal_dumpstate_impl proc_stat:file r_file_perms; allow hal_dumpstate_impl proc_f2fs:dir r_dir_perms; allow hal_dumpstate_impl proc_f2fs:file r_file_perms; +allow hal_dumpstate_impl block_device:dir r_dir_perms; # Access to files for dumping allow hal_dumpstate_impl sysfs:dir r_dir_perms; diff --git a/vendor/qcom/common/hal_nfc_default.te b/vendor/qcom/common/hal_nfc_default.te index 081430da..8e40bfbe 100644 --- a/vendor/qcom/common/hal_nfc_default.te +++ b/vendor/qcom/common/hal_nfc_default.te @@ -8,5 +8,5 @@ allow hal_nfc_default nxpese_hwservice:hwservice_manager find; add_hwservice(hal_nfc_default, nxpnfc_hwservice) get_prop(hal_nfc_default, vendor_nfc_prop) -get_prop(hal_nfc_default, factory_ota_prop) -set_prop(hal_nfc_default, factory_ota_prop) +get_prop(hal_nfc_default, sota_prop) +set_prop(hal_nfc_default, sota_prop) diff --git a/vendor/qcom/common/hal_power_default.te b/vendor/qcom/common/hal_power_default.te index 4fd6779d..f410a81a 100644 --- a/vendor/qcom/common/hal_power_default.te +++ b/vendor/qcom/common/hal_power_default.te @@ -4,8 +4,6 @@ allow hal_power_default sysfs_graphics:file r_file_perms; # To do powerhint on nodes defined in powerhint.json allow hal_power_default sysfs_msm_subsys:dir search; allow hal_power_default sysfs_msm_subsys:file rw_file_perms; -allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms; -allow hal_power_default latency_device:chr_file rw_file_perms; allow hal_power_default cgroup:dir search; allow hal_power_default cgroup:file rw_file_perms; allow hal_power_default debugfs_sched_features:file rw_file_perms; @@ -14,6 +12,3 @@ allow hal_power_default proc_sysctl_schedboost:file rw_file_perms; # Allow power hal to talk to mm-pp-daemon to control display lpm allow hal_power_default mm-pp-daemon:unix_stream_socket connectto; allow hal_power_default pps_socket:sock_file write; - -# To get/set powerhal state property -set_prop(hal_power_default, power_prop) diff --git a/vendor/qcom/common/hal_wifi_ext.te b/vendor/qcom/common/hal_wifi_ext.te index ea1e0278..6f30755b 100644 --- a/vendor/qcom/common/hal_wifi_ext.te +++ b/vendor/qcom/common/hal_wifi_ext.te @@ -14,6 +14,9 @@ r_dir_file(hal_wifi_ext, proc_wifi_dbg) # Write wlan driver/fw version into property set_prop(hal_wifi_ext, vendor_wifi_version) +# Allow wifi_ext to report callbacks to gril-service app +allow hal_wifi_ext grilservice_app:binder call; + dontaudit hal_wifi_ext kernel:system module_request; dontaudit hal_wifi_ext self:capability sys_module; diff --git a/vendor/qcom/common/ims.te b/vendor/qcom/common/ims.te index c8aea1e9..740690d7 100644 --- a/vendor/qcom/common/ims.te +++ b/vendor/qcom/common/ims.te @@ -7,6 +7,7 @@ net_domain(ims) get_prop(ims, hwservicemanager_prop) set_prop(ims, ims_prop) set_prop(ims, ctl_vendor_imsrcsservice_prop) +get_prop(ims, cnd_prop) unix_socket_connect(ims, netmgrd, netmgrd) @@ -42,3 +43,5 @@ allow ims hal_cne_hwservice:hwservice_manager find; binder_call(ims, cnd) dontaudit ims kernel:system module_request; + +dontaudit ims diag_device:chr_file rw_file_perms; diff --git a/vendor/qcom/common/init-devstart-sh.te b/vendor/qcom/common/init-devstart-sh.te index 85993a40..57ea5d2c 100644 --- a/vendor/qcom/common/init-devstart-sh.te +++ b/vendor/qcom/common/init-devstart-sh.te @@ -5,13 +5,14 @@ init_daemon_domain(init-qcom-devstart-sh) allow init-qcom-devstart-sh vendor_shell_exec:file rx_file_perms; allow init-qcom-devstart-sh vendor_toolbox_exec:file rx_file_perms; +allow init-qcom-devstart-sh vendor_grep_exec:file rx_file_perms; +allow init-qcom-devstart-sh init-edge_sense-sh_exec:file rx_file_perms; -# execute grep -allow init-qcom-devstart-sh vendor_file:file rx_file_perms; +domain_auto_trans(init-qcom-devstart-sh, init-edge_sense-sh_exec, init-edge_sense-sh) # Set the vendor.qcom.devup property set_prop(init-qcom-devstart-sh, vendor_device_prop) -# Set the sys.adsp.firmware.version property. +# Set the vendor.sys.adsp.firmware.version property. set_prop(init-qcom-devstart-sh, public_vendor_system_prop) # Set boot_adsp and boot_slpi to 1 @@ -19,21 +20,3 @@ allow init-qcom-devstart-sh sysfs_msm_subsys:file w_file_perms; # Support for battery defender allow init-qcom-devstart-sh sysfs_chargelevel:file rw_file_perms; - -# Initialize Edge Sense. -# See b/67205273. -allow init-qcom-devstart-sh sysfs:dir r_dir_perms; -allow init-qcom-devstart-sh sysfs_pinctrl:dir r_dir_perms; -allow init-qcom-devstart-sh sysfs_pinctrl:file rw_file_perms; -allow init-qcom-devstart-sh sysfs_gpio_export:file w_file_perms; -allow init-qcom-devstart-sh sysfs_soc:dir r_dir_perms; -allow init-qcom-devstart-sh sysfs_soc:file r_file_perms; -allow init-qcom-devstart-sh sysfs_msm_subsys:dir r_dir_perms; -allow init-qcom-devstart-sh sysfs_msm_subsys:file r_file_perms; -allow init-qcom-devstart-sh sysfs_scsi_devices_0000:file r_file_perms; -allow init-qcom-devstart-sh sysfs_pixelstats:file r_file_perms; -# Ignore permissions used but not needed. -dontaudit init-qcom-devstart-sh sysfs:file { create getattr }; -dontaudit init-qcom-devstart-sh sysfs_type:dir { read write }; -dontaudit init-qcom-devstart-sh sysfs_graphics:file getattr; -dontaudit init-qcom-devstart-sh sysfs_devices_block:file getattr; diff --git a/vendor/qcom/common/init-edge_sense-sh.te b/vendor/qcom/common/init-edge_sense-sh.te new file mode 100644 index 00000000..da258144 --- /dev/null +++ b/vendor/qcom/common/init-edge_sense-sh.te @@ -0,0 +1,25 @@ +type init-edge_sense-sh, domain; +type init-edge_sense-sh_exec, exec_type, vendor_file_type, file_type; + +allow init-edge_sense-sh init-qcom-devstart-sh:fd use; +allow init-edge_sense-sh vendor_toolbox_exec:file rx_file_perms; + +# Initialize Edge Sense. +# See b/67205273. +allow init-edge_sense-sh sysfs:dir r_dir_perms; +allow init-edge_sense-sh sysfs_pinctrl:dir r_dir_perms; +allow init-edge_sense-sh sysfs_pinctrl:file rw_file_perms; +allow init-edge_sense-sh sysfs_gpio_export:file w_file_perms; +allow init-edge_sense-sh sysfs_soc:dir r_dir_perms; +allow init-edge_sense-sh sysfs_soc:file r_file_perms; +allow init-edge_sense-sh sysfs_msm_subsys:dir r_dir_perms; +allow init-edge_sense-sh sysfs_msm_subsys:file r_file_perms; +allow init-edge_sense-sh sysfs_scsi_devices_0000:file r_file_perms; +allow init-edge_sense-sh sysfs_pixelstats:file r_file_perms; +# Ignore permissions used but not needed. +dontaudit init-edge_sense-sh sysfs:file { create getattr }; +dontaudit init-edge_sense-sh sysfs_type:dir { read write }; +dontaudit init-edge_sense-sh sysfs_graphics:file getattr; +dontaudit init-edge_sense-sh sysfs_devices_block:file getattr; +dontaudit init-edge_sense-sh sysfs_pstore:file getattr; +dontaudit init-edge_sense-sh sysfs_chargelevel:file getattr; diff --git a/vendor/qcom/common/omadm.te b/vendor/qcom/common/omadm.te new file mode 100644 index 00000000..dadb4d96 --- /dev/null +++ b/vendor/qcom/common/omadm.te @@ -0,0 +1,10 @@ +# OMADM app +type omadm_app, domain; + +app_domain(omadm_app) +net_domain(omadm_app) + +allow omadm_app app_api_service:service_manager find; +allow omadm_app radio_vendor_data_file:dir rw_dir_perms; +allow omadm_app radio_vendor_data_file:file create_file_perms; +allow omadm_app radio_service:service_manager find; diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te index 785493ff..aaf00644 100644 --- a/vendor/qcom/common/property.te +++ b/vendor/qcom/common/property.te @@ -1,6 +1,5 @@ vendor_restricted_prop(vendor_camera_prop) vendor_restricted_prop(cnd_prop) -vendor_restricted_prop(factory_ota_prop) vendor_restricted_prop(ims_prop) vendor_internal_prop(vendor_ramdump_prop) vendor_restricted_prop(public_vendor_default_prop) @@ -8,11 +7,9 @@ vendor_internal_prop(public_vendor_system_prop) vendor_restricted_prop(vendor_ssr_prop) vendor_internal_prop(vendor_cnss_diag_prop) vendor_restricted_prop(vendor_tee_listener_prop) -vendor_internal_prop(vendor_thermal_prop) vendor_internal_prop(vendor_modem_diag_prop) vendor_internal_prop(vendor_usb_prop) vendor_internal_prop(vendor_time_prop) -vendor_internal_prop(power_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(per_mgr_state_prop) vendor_public_prop(vendor_bluetooth_prop) diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts index 73a37f4b..4683587e 100644 --- a/vendor/qcom/common/property_contexts +++ b/vendor/qcom/common/property_contexts @@ -2,9 +2,7 @@ vendor.debug.camera. u:object_r:vendor_camera_prop:s0 persist.vendor.camera. u:object_r:vendor_camera_prop:s0 persist.camera. u:object_r:vendor_camera_prop:s0 persist.vendor.sys.cnd u:object_r:cnd_prop:s0 -ro.boot.sota u:object_r:factory_ota_prop:s0 -persist.factoryota.reboot u:object_r:exported_system_prop:s0 -persist.vendor.radio.bootwithlpm u:object_r:vendor_radio_prop:s0 +persist.vendor.cne.logging.qxdm u:object_r:cnd_prop:s0 vendor.ims. u:object_r:ims_prop:s0 persist.vendor.ims. u:object_r:ims_prop:s0 persist.net.doxlat u:object_r:vendor_net_radio_prop:s0 @@ -14,10 +12,6 @@ ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0 vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0 persist.vendor.sys.cnss. u:object_r:vendor_cnss_diag_prop:s0 vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0 -vendor.thermal.vr_mode u:object_r:vendor_thermal_prop:s0 -vendor.thermal.hw_mode u:object_r:vendor_thermal_prop:s0 -ctl.vendor.thermal-engine u:object_r:vendor_thermal_prop:s0 -vendor.thermal.config u:object_r:vendor_thermal_prop:s0 persist.vendor.sys.modem.diag. u:object_r:vendor_modem_diag_prop:s0 vendor.sys.modem.diag. u:object_r:vendor_modem_diag_prop:s0 persist.vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0 @@ -26,17 +20,13 @@ ro.vendor.ril. u:object_r:radio_prop:s0 vendor.qcom.time.set u:object_r:vendor_time_prop:s0 vendor.usb. u:object_r:vendor_usb_prop:s0 persist.vendor.usb. u:object_r:vendor_usb_prop:s0 -vendor.powerhal.state u:object_r:power_prop:s0 -vendor.powerhal.audio u:object_r:power_prop:s0 -vendor.powerhal.lpm u:object_r:power_prop:s0 -vendor.powerhal.init u:object_r:power_prop:s0 vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 vendor.peripheral. u:object_r:per_mgr_state_prop:s0 vendor.ese.debug_enabled u:object_r:vendor_secure_element_prop:s0 vendor.qcom.devup u:object_r:vendor_device_prop:s0 vendor.all.modules.ready u:object_r:vendor_device_prop:s0 -sys.adsp.firmware.version u:object_r:public_vendor_system_prop:s0 +vendor.sys.adsp.firmware.version u:object_r:public_vendor_system_prop:s0 ctl.vendor.imsrcsservice u:object_r:ctl_vendor_imsrcsservice_prop:s0 persist.vendor.usb.config u:object_r:vendor_usb_config_prop:s0 vendor.usb.config u:object_r:vendor_usb_config_prop:s0 @@ -177,10 +167,12 @@ persist.vendor.radio.simlock.list u:object_r:vendor_radio_prop:s0 persist.vendor.radio.manual_nw_rej_ct u:object_r:vendor_radio_prop:s0 ro.radio.log_loc u:object_r:vendor_radio_prop:s0 ro.radio.log_prefix u:object_r:vendor_radio_prop:s0 +vendor.radio.sim_num.switch u:object_r:vendor_radio_prop:s0 # vendor_bluetooth_prop persist.vendor.bluetooth.a4wp u:object_r:vendor_bluetooth_prop:s0 persist.vendor.bluetooth.csoc.cnt u:object_r:vendor_bluetooth_prop:s0 +persist.vendor.bluetooth.diag_enabled u:object_r:vendor_bluetooth_prop:s0 persist.vendor.service.bdroid.fwsnoop u:object_r:vendor_bluetooth_prop:s0 persist.vendor.service.bdroid.sibs u:object_r:vendor_bluetooth_prop:s0 persist.vendor.service.bdroid.snooplog u:object_r:vendor_bluetooth_prop:s0 diff --git a/vendor/qcom/common/ramdump.te b/vendor/qcom/common/ramdump.te index 5748f95e..7b2e786c 100644 --- a/vendor/qcom/common/ramdump.te +++ b/vendor/qcom/common/ramdump.te @@ -34,4 +34,11 @@ userdebug_or_eng(` get_prop(ramdump, hwservicemanager_prop) allow ramdump fwk_stats_hwservice:hwservice_manager find; binder_call(ramdump, stats_service_server) + + # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump. + allow ramdump fuse:filesystem relabelfrom; + allow ramdump fuse_device:chr_file rw_file_perms; + allow ramdump mnt_vendor_file:dir r_dir_perms; + allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton }; + allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto }; ') diff --git a/vendor/qcom/common/ramdump_app.te b/vendor/qcom/common/ramdump_app.te index 49d15dcd..38cf2f48 100644 --- a/vendor/qcom/common/ramdump_app.te +++ b/vendor/qcom/common/ramdump_app.te @@ -13,4 +13,9 @@ userdebug_or_eng(` set_prop(ramdump_app, vendor_ramdump_prop); get_prop(system_app, vendor_ssr_prop) get_prop(ramdump_app, system_boot_reason_prop) + + # To access ramdumpfs. + allow ramdump_app mnt_vendor_file:dir search; + allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; + allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; ') diff --git a/vendor/qcom/common/rild.te b/vendor/qcom/common/rild.te index 9c854edd..1f469b5b 100644 --- a/vendor/qcom/common/rild.te +++ b/vendor/qcom/common/rild.te @@ -30,7 +30,7 @@ userdebug_or_eng(` allow rild radio_vendor_data_file:dir rw_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; -get_prop(rild, factory_ota_prop) +get_prop(rild, sota_prop) set_prop(rild, vendor_radio_prop) # Allow vendor native process to read the proc file of xt_qtaguid diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index 1059b293..f3c98c70 100644 --- a/vendor/qcom/common/seapp_contexts +++ b/vendor/qcom/common/seapp_contexts @@ -15,9 +15,6 @@ user=_app seinfo=tango name=com.google.tango.* domain=tango_core type=app_data_f # A fallback in case tango_core is missing something critical that untrusted_app provides user=_app seinfo=tango name=com.google.tango:app domain=untrusted_app type=app_data_file levelFrom=user -# Factory OTA -user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all - # Hardware Info Collection user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user @@ -33,8 +30,8 @@ user=_app seinfo=easel name=com.google.android.imaging.easel.service domain=ease #Domain for connectivity monitor user=_app seinfo=platform isPrivApp=true name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all -# Domain for modem diagnostic system -user=_app seinfo=google name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +#Domain for omadm +user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all user=_app seinfo=platform name=com.qualcomm.qti.services.secureui* domain=secure_ui_service_app levelFrom=all diff --git a/vendor/qcom/common/time_daemon.te b/vendor/qcom/common/time_daemon.te index f96f8b5f..d97cdbb0 100644 --- a/vendor/qcom/common/time_daemon.te +++ b/vendor/qcom/common/time_daemon.te @@ -30,4 +30,6 @@ allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls; get_prop(time_daemon, vendor_time_service_prop); dontaudit time_daemon kernel:system module_request; + +# b/68864350 dontaudit time_daemon unlabeled:dir search; diff --git a/vendor/qcom/common/vendor_init.te b/vendor/qcom/common/vendor_init.te index f710a7da..e5c5bbe2 100644 --- a/vendor/qcom/common/vendor_init.te +++ b/vendor/qcom/common/vendor_init.te @@ -15,12 +15,10 @@ userdebug_or_eng(` ') set_prop(vendor_init, vendor_camera_prop) -set_prop(vendor_init, factory_ota_prop) -set_prop(vendor_init, power_prop) +set_prop(vendor_init, vendor_power_prop) set_prop(vendor_init, public_vendor_default_prop) set_prop(vendor_init, vendor_bluetooth_prop) set_prop(vendor_init, vendor_modem_diag_prop) -set_prop(vendor_init, vendor_thermal_prop) set_prop(vendor_init, vendor_radio_prop) set_prop(vendor_init, vendor_nfc_prop) set_prop(vendor_init, vendor_display_prop) diff --git a/vendor/qcom/sdm710/file_contexts b/vendor/qcom/sdm710/file_contexts index 7b2e0bf7..418fd3db 100644 --- a/vendor/qcom/sdm710/file_contexts +++ b/vendor/qcom/sdm710/file_contexts @@ -53,7 +53,7 @@ ################################# # libs /vendor/lib(64)?/hw/gralloc\.sdm710\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/hw/vulkan\.sdm710\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.adreno\.so u:object_r:same_process_hal_file:s0 #Android NN Driver -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-qti u:object_r:hal_neuralnetworks_default_exec:s0 +/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-qti u:object_r:hal_neuralnetworks_default_exec:s0 |