author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 04:36:51 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 04:36:51 +0000 |
commit | 50878be1f22b9281ec93a5dd0bcd7d0ab359c312 (patch) | |
tree | 5cefbe9905472b91f48e8438fb586b8ee9d5bed4 | |
parent | 3226b069e262fe1287edaa0fd4e3dcfd7d74fdcd (diff) | |
parent | 7f5395ac1db234fb317d489921e488754ba0a4b5 (diff) | |
Snap for 10453563 from 7f5395ac1db234fb317d489921e488754ba0a4b5 to mainline-appsearch-release
(refs: aml_ase_341510000, aml_ase_341410000, aml_ase_341310010, aml_ase_341113000, aml_ase_340913000, android14-mainline-appsearch-release)
Change-Id: I8605f7c270ab56d3b8fba0cd2cfbfb0501d2c8ad
26 files changed, 47 insertions, 27 deletions
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..1075658
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,16 @@
+dumpstate app_zygote process b/238263963
+dumpstate dumpstate binder b/238953877
+dumpstate system_data_file dir b/238837224
+hal_drm_widevine default_prop file b/238263778
+hal_power_default hal_power_default capability b/238263962
+rfs_access unlabeled dir b/238705225
+shell adb_keys_file file b/238836599
+shell cache_file lnk_file b/238836599
+shell init_exec lnk_file b/238836599
+shell linkerconfig_file dir b/238836599
+shell metadata_file dir b/238836599
+shell mirror_data_file dir b/238836599
+shell persist_file lnk_file b/238836599
+shell postinstall_mnt_dir dir b/238836599
+shell rootfs file b/238836599
+shell system_dlkm_file dir b/238836599
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index 9990775..0000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187365845
-dontaudit incidentd apex_info_file:file getattr;
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index 3878ed5..0000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/149543179
-dontaudit priv_app sysfs_msm_subsys:file read;
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
deleted file mode 100644
index c073049..0000000
--- a/tracking_denials/system_server.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/149544018
-dontaudit system_server sysfs_msm_subsys:file read;
-# b/149544018
-dontaudit system_server proc_irq:dir search;
diff --git a/tracking_denials/time_daemon.te b/tracking_denials/time_daemon.te
deleted file mode 100644
index a3ab78c..0000000
--- a/tracking_denials/time_daemon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/136426663
-dontaudit time_daemon sysfs_esoc:dir search;
-dontaudit time_daemon sysfs_msm_subsys:dir search;
diff --git a/vendor/google/e2fs.te b/vendor/google/e2fs.te
new file mode 100644
index 0000000..4d2b596
--- /dev/null
+++ b/vendor/google/e2fs.te
@@ -0,0 +1,2 @@
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 025965d..cfbc2ee 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -41,6 +41,8 @@
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0
 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.graphics\.composer@2\.4-service-sm8150 u:object_r:hal_graphics_composer_default_exec:s0
diff --git a/vendor/google/fsck.te b/vendor/google/fsck.te
index 1500b5f..7d94ea1 100644
--- a/vendor/google/fsck.te
+++ b/vendor/google/fsck.te
@@ -1 +1,3 @@
 allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te
index f4e7da3..65ec024 100644
--- a/vendor/google/grilservice_app.te
+++ b/vendor/google/grilservice_app.te
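Review bot: The two new lines in e2fs.te spell out read access to sysfs_scsi_devices_0000 as separate dir and file rules, while this repository already expresses that shape with the `r_dir_file` macro (it appears in pixelstats_vendor.te and rfs_access.te later in this diff); the identical pair added to fsck.te in the next hunk has the same issue. `r_dir_file(e2fs, sysfs_scsi_devices_0000)` would be one line per domain, with the caveat that the macro also covers lnk_file, so keep the explicit form if that widening is not wanted. The new file also carries no explanation of why a filesystem checker needs the SCSI sysfs tree; a one-line comment such as `# Read-only access to the SCSI device sysfs tree; see b/<bug id> for the denial` would make the grant traceable.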
@@ -4,6 +4,7 @@ app_domain(grilservice_app)
 allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
 allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
 allow grilservice_app app_api_service:service_manager find;
 allow grilservice_app hal_bluetooth_sar_hwservice:hwservice_manager find;
diff --git a/vendor/google/hal_face_default.te b/vendor/google/hal_face_default.te
index 67582a5..a55c48f 100644
--- a/vendor/google/hal_face_default.te
+++ b/vendor/google/hal_face_default.te
@@ -37,13 +37,10 @@ allow hal_face_default mnt_vendor_file:dir search;
 allow hal_face_default system_app:fd use;
-# Grant incidentd and FaceDebugService access to the face HAL debug images
+# Grant incidentd access to the face HAL debug images
 userdebug_or_eng(`
 allow hal_face_default incidentd:fd use;
 allow hal_face_default incidentd:fifo_file write;
-
- allow hal_face_default face_debug:fd use;
- allow hal_face_default face_debug:fifo_file write;
 ')
 get_prop(hal_face_default, camera_config_prop)
diff --git a/vendor/google/hal_radioext_default.te b/vendor/google/hal_radioext_default.te
index 1d2f6ea..7520880 100644
--- a/vendor/google/hal_radioext_default.te
+++ b/vendor/google/hal_radioext_default.te
@@ -19,6 +19,7 @@ allow hal_radioext_default self:qipcrtr_socket create_socket_perms_no_ioctl;
 allowxperm hal_radioext_default self:socket ioctl msm_sock_ipc_ioctls;
 allow hal_radioext_default hal_wifi_ext_hwservice:hwservice_manager find;
+allow hal_radioext_default hal_wifi_ext_service:service_manager find;
 allow hal_radioext_default hal_wifi_ext:binder call;
 allow hal_radioext_default hal_bluetooth_sar_hwservice:hwservice_manager find;
diff --git a/vendor/google/hal_wifi_ext.te b/vendor/google/hal_wifi_ext.te
index 091f211..15fd9a4 100644
--- a/vendor/google/hal_wifi_ext.te
+++ b/vendor/google/hal_wifi_ext.te
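Review bot: `allow grilservice_app hal_wifi_ext_service:service_manager find;` only lets the app look the AIDL service up; the transaction itself still needs binder call permission on hal_wifi_ext, which this hunk does not add and which is not visible elsewhere in the diff for grilservice_app (the hal_radioext_default hunk on the same line already has `allow hal_radioext_default hal_wifi_ext:binder call;`, so it is fine). If grilservice_app does not already get that through a rule outside the hunk, add `binder_call(grilservice_app, hal_wifi_ext)` next to the find rule, otherwise the migration will surface as a new denial at first use. Since this file keeps HIDL and AIDL lookups side by side, a short comment marking which line is which (as pixelstats_vendor.te does in this commit) would also help.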
@@ -6,3 +6,4 @@ init_daemon_domain(hal_wifi_ext)
 # Allow to start the IWifi:wifi_ext service
 add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
+add_service(hal_wifi_ext, hal_wifi_ext_service)
diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te
index bc8b05b..0a6d453 100644
--- a/vendor/google/pixelstats_vendor.te
+++ b/vendor/google/pixelstats_vendor.te
@@ -20,5 +20,8 @@ r_dir_file(pixelstats_vendor, sysfs_typec_info)
 allow pixelstats_vendor sysfs_wlc:dir search;
 # OrientationCollector
+# HIDL sensorservice
 allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow pixelstats_vendor fwk_sensor_service:service_manager find;
 binder_call(pixelstats_vendor, system_server)
diff --git a/vendor/google/priv_app.te b/vendor/google/priv_app.te
index caa61b7..381d6d4 100644
--- a/vendor/google/priv_app.te
+++ b/vendor/google/priv_app.te
@@ -1 +1,2 @@
-get_prop(priv_app, vendor_aware_available_prop)
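Review bot: The comment `# Allow to start the IWifi:wifi_ext service` above the new `add_service(hal_wifi_ext, hal_wifi_ext_service)` line still describes only the HIDL registration, so a reader sees two registrations under a one-service comment. `# Register the wifi_ext HAL with hwservicemanager (HIDL) and servicemanager (AIDL)` would cover both lines; pixelstats_vendor.te in this same commit labels its HIDL/AIDL pair that way. The neighbouring `add_hwservice(...)` line ends in a semicolon and the new `add_service(...)` does not; the file already mixes the two forms with other macros, but within one pair they should be written the same way.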
\ No newline at end of file
+get_prop(priv_app, vendor_aware_available_prop)
+dontaudit priv_app sysfs_msm_subsys:file r_file_perms;
diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts
index 22a72f2..d65c4e7 100644
--- a/vendor/google/seapp_contexts
+++ b/vendor/google/seapp_contexts
@@ -17,9 +17,6 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app
 # Domain for GoogleCBRS app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
-# Domain for FaceDebugService
-user=_app seinfo=platform name=com.google.android.facedebug domain=face_debug type=app_data_file levelFrom=all
-
 # Domain for Touch app
 user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_touch_app type=app_data_file levelFrom=user
diff --git a/vendor/google/service.te b/vendor/google/service.te
index 9c935e9..5b191cc 100644
--- a/vendor/google/service.te
+++ b/vendor/google/service.te
@@ -1 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_wifi_ext_service, service_manager_type, hal_service_type;
diff --git a/vendor/google/service_contexts b/vendor/google/service_contexts
index 4bac73b..7b84ac7 100644
--- a/vendor/google/service_contexts
+++ b/vendor/google/service_contexts
@@ -1,2 +1,3 @@
 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+vendor.google.wifi_ext.IWifiExt/default u:object_r:hal_wifi_ext_service:s0
diff --git a/vendor/google/system_server.te b/vendor/google/system_server.te
index 2adcf05..d199b58 100644
--- a/vendor/google/system_server.te
+++ b/vendor/google/system_server.te
@@ -1,2 +1,3 @@
 # pixelstats_vendor/OrientationCollector
 binder_call(system_server, pixelstats_vendor)
+dontaudit system_server sysfs_msm_subsys:file r_file_perms;
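Review bot: `dontaudit priv_app sysfs_msm_subsys:file r_file_perms;` replaces `dontaudit priv_app sysfs_msm_subsys:file read;` from the tracking_denials file deleted earlier in this commit, and the system_server hunk at the end of this line does the same: `r_file_perms` also silences open, getattr, ioctl, lock and map denials that the old read-only rule would still have logged, and the bug references b/149543179 and b/149544018 are dropped in the move. Unless the broader suppression is intended, keep the original permission and carry the reference over, e.g. `# b/149543179` above the priv_app line and `# b/149544018` above the system_server line, so the suppression stays traceable to an owner. The deleted tracking_denials/system_server.te also contained `dontaudit system_server proc_irq:dir search;`, which is not re-added anywhere visible in this diff; if that denial still occurs it will now be audited again, which may or may not be what the author wants.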
diff --git a/vendor/qcom/common/chre.te b/vendor/qcom/common/chre.te
index 5a90e95..fd89c5a 100644
--- a/vendor/qcom/common/chre.te
+++ b/vendor/qcom/common/chre.te
@@ -14,3 +14,7 @@ wakelock_use(chre)
 # To communicate with ST HAL
 hal_client_domain(chre, hal_audio)
+
+# Allow CHRE host to talk to the stats service
+allow chre fwk_stats_service:service_manager find;
+binder_call(chre, stats_service_server)
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index a57eb41..ab45ca5 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -128,9 +128,6 @@ type avtimer_device, dev_type;
 #define AT device
 type at_device, dev_type;
-#define Bluetooth device
-type bt_device, dev_type;
-
 #define Wlan device
 type wlan_device, dev_type;
diff --git a/vendor/qcom/common/hal_drm_clearkey.te b/vendor/qcom/common/hal_drm_clearkey.te
index 013705a..8267db8 100644
--- a/vendor/qcom/common/hal_drm_clearkey.te
+++ b/vendor/qcom/common/hal_drm_clearkey.te
@@ -7,5 +7,5 @@ hal_server_domain(hal_drm_clearkey, hal_drm)
 vndbinder_use(hal_drm_clearkey);
-allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
+allow hal_drm_clearkey { appdomain -isolated_app_all }:fd use;
 allow hal_drm_clearkey hal_allocator_server:fd use;
diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te
index 2f8fbdd..40f431a 100644
--- a/vendor/qcom/common/hal_drm_widevine.te
+++ b/vendor/qcom/common/hal_drm_widevine.te
@@ -10,6 +10,6 @@ allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
 allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find;
 binder_call(hal_drm_widevine, hal_graphics_composer_default)
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+allow hal_drm_widevine { appdomain -isolated_app_all }:fd use;
 allow hal_drm_widevine qce_device:chr_file rw_file_perms;
diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te
index 99c44a6..105e80f 100644
--- a/vendor/qcom/common/rfs_access.te
+++ b/vendor/qcom/common/rfs_access.te
@@ -21,3 +21,4 @@ r_dir_file(rfs_access, vendor_firmware_file);
 wakelock_use(rfs_access)
 dontaudit rfs_access self:capability { dac_override dac_read_search };
+dontaudit rfs_access unlabeled:dir create_dir_perms;
diff --git a/vendor/qcom/common/sensors.te b/vendor/qcom/common/sensors.te
index 5f57a89..5051b65 100644
--- a/vendor/qcom/common/sensors.te
+++ b/vendor/qcom/common/sensors.te
@@ -52,3 +52,6 @@ wakelock_use(sensors)
 allow sensors sensors_vendor_data_file:dir rw_dir_perms;
 allow sensors sensors_vendor_data_file:file create_file_perms;
+
+# Mutes the read unmounted files errors
+dontaudit sensors unlabeled:file r_file_perms;
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index 310c5a0..1854107 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,4 +4,4 @@ type imsrcs_service, service_manager_type;
 type improve_touch_service, service_manager_type;
 type gba_auth_service, service_manager_type;
 type qtitetherservice_service, service_manager_type;
-type hal_telephony_service, service_manager_type, vendor_service, protected_service;
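Review bot: `dontaudit rfs_access unlabeled:dir create_dir_perms;` hides denials on directories that carry no label at all, which normally points at a labeling gap rather than an access that should be tolerated silently; the same commit adds `rfs_access unlabeled dir b/238705225` to tracking_denials/bug_map, and that annotation can never fire once the denial is no longer audited, so the two additions work against each other. Prefer labeling the path (file_contexts or a genfscon entry) and leaving the denial visible under the bug_map entry; if the dontaudit has to stay, put the reference above it, `# b/238705225`, so the suppression is traceable. The sensors.te hunk on this line does the same for `unlabeled:file r_file_perms` and its comment reads awkwardly; `# Silence read denials on unlabeled files from not-yet-mounted partitions` keeps the author's meaning in plainer wording.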
\ No newline at end of file
+type hal_telephony_service, service_manager_type, hal_service_type, protected_service;
diff --git a/vendor/st/file_contexts b/vendor/st/file_contexts
index eddf11d..dfdfa5d 100644
--- a/vendor/st/file_contexts
+++ b/vendor/st/file_contexts
@@ -1,6 +1,6 @@
 ###################################
 # vendor binaries
-/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service\.st u:object_r:hal_secure_element_default_exec:s0 |