Snap for 10453563 from 7f5395ac1db234fb317d489921e488754ba0a4b5 to mainline-extservices-releaseaml_ext_341716000 aml_ext_341620040 aml_ext_341518010 aml_ext_341414010 aml_ext_341317010 aml_ext_341131030 aml_ext_341027030 android14-mainline-extservices-release

Change-Id: Ibaf698cac972b36ad7b88cf4b0c1a49ad3f08541
author: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-07-07 04:51:26 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-07-07 04:51:26 +0000
commit: c73f8a9e2b5ca3a5c20d44d4bb5545d03ef1ab5d (patch)
tree: 5cefbe9905472b91f48e8438fb586b8ee9d5bed4
parent: 4d5cdbe39eba45bbdcfbf2d52a073620b47b9f07 (diff)
parent: 7f5395ac1db234fb317d489921e488754ba0a4b5 (diff)
download: coral-sepolicy-android14-mainline-extservices-release.tar.gz
26 files changed, 47 insertions, 27 deletions
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..1075658
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,16 @@
+dumpstate app_zygote process b/238263963
+dumpstate dumpstate binder b/238953877
+dumpstate system_data_file dir b/238837224
+hal_drm_widevine default_prop file b/238263778
+hal_power_default hal_power_default capability b/238263962
+rfs_access unlabeled dir b/238705225
+shell adb_keys_file file b/238836599
+shell cache_file lnk_file b/238836599
+shell init_exec lnk_file b/238836599
+shell linkerconfig_file dir b/238836599
+shell metadata_file dir b/238836599
+shell mirror_data_file dir b/238836599
+shell persist_file lnk_file b/238836599
+shell postinstall_mnt_dir dir b/238836599
+shell rootfs file b/238836599
+shell system_dlkm_file dir b/238836599
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index 9990775..0000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187365845
-dontaudit incidentd apex_info_file:file getattr;
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index 3878ed5..0000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/149543179
-dontaudit priv_app sysfs_msm_subsys:file read;
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
deleted file mode 100644
index c073049..0000000
--- a/tracking_denials/system_server.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/149544018
-dontaudit system_server sysfs_msm_subsys:file read;
-# b/149544018
-dontaudit system_server proc_irq:dir search;
diff --git a/tracking_denials/time_daemon.te b/tracking_denials/time_daemon.te
deleted file mode 100644
index a3ab78c..0000000
--- a/tracking_denials/time_daemon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/136426663
-dontaudit time_daemon sysfs_esoc:dir search;
-dontaudit time_daemon sysfs_msm_subsys:dir search;
diff --git a/vendor/google/e2fs.te b/vendor/google/e2fs.te
new file mode 100644
index 0000000..4d2b596
--- /dev/null
+++ b/vendor/google/e2fs.te
@@ -0,0 +1,2 @@
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 025965d..cfbc2ee 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -41,6 +41,8 @@
 /vendor/bin/init\.radio\.sh                                                           u:object_r:init_radio_exec:s0
 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor                           u:object_r:hal_wifi_ext_exec:s0
 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy                      u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor                                u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor-lazy                           u:object_r:hal_wifi_ext_exec:s0
 /vendor/bin/tcpdump_logger                                                            u:object_r:tcpdump_logger_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor                   u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.graphics\.composer@2\.4-service-sm8150              u:object_r:hal_graphics_composer_default_exec:s0
diff --git a/vendor/google/fsck.te b/vendor/google/fsck.te
index 1500b5f..7d94ea1 100644
--- a/vendor/google/fsck.te
+++ b/vendor/google/fsck.te
@@ -1 +1,3 @@
 allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te
index f4e7da3..65ec024 100644
--- a/vendor/google/grilservice_app.te
+++ b/vendor/google/grilservice_app.te
@@ -4,6 +4,7 @@ app_domain(grilservice_app)
 
 allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
 allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
 allow grilservice_app app_api_service:service_manager find;
 allow grilservice_app hal_bluetooth_sar_hwservice:hwservice_manager find;
 
diff --git a/vendor/google/hal_face_default.te b/vendor/google/hal_face_default.te
index 67582a5..a55c48f 100644
--- a/vendor/google/hal_face_default.te
+++ b/vendor/google/hal_face_default.te
@@ -37,13 +37,10 @@ allow hal_face_default mnt_vendor_file:dir search;
 allow hal_face_default system_app:fd use;
 
 
-# Grant incidentd and FaceDebugService access to the face HAL debug images
+# Grant incidentd access to the face HAL debug images
 userdebug_or_eng(`
   allow hal_face_default incidentd:fd use;
   allow hal_face_default incidentd:fifo_file write;
-
-  allow hal_face_default face_debug:fd use;
-  allow hal_face_default face_debug:fifo_file write;
 ')
 
 get_prop(hal_face_default, camera_config_prop)
diff --git a/vendor/google/hal_radioext_default.te b/vendor/google/hal_radioext_default.te
index 1d2f6ea..7520880 100644
--- a/vendor/google/hal_radioext_default.te
+++ b/vendor/google/hal_radioext_default.te
@@ -19,6 +19,7 @@ allow hal_radioext_default self:qipcrtr_socket create_socket_perms_no_ioctl;
 allowxperm hal_radioext_default self:socket ioctl msm_sock_ipc_ioctls;
 
 allow hal_radioext_default hal_wifi_ext_hwservice:hwservice_manager find;
+allow hal_radioext_default hal_wifi_ext_service:service_manager find;
 allow hal_radioext_default hal_wifi_ext:binder call;
 
 allow hal_radioext_default hal_bluetooth_sar_hwservice:hwservice_manager find;
diff --git a/vendor/google/hal_wifi_ext.te b/vendor/google/hal_wifi_ext.te
index 091f211..15fd9a4 100644
--- a/vendor/google/hal_wifi_ext.te
+++ b/vendor/google/hal_wifi_ext.te
@@ -6,3 +6,4 @@ init_daemon_domain(hal_wifi_ext)
 
 # Allow to start the IWifi:wifi_ext service
 add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
+add_service(hal_wifi_ext, hal_wifi_ext_service)
diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te
index bc8b05b..0a6d453 100644
--- a/vendor/google/pixelstats_vendor.te
+++ b/vendor/google/pixelstats_vendor.te
@@ -20,5 +20,8 @@ r_dir_file(pixelstats_vendor, sysfs_typec_info)
 allow pixelstats_vendor sysfs_wlc:dir search;
 
 # OrientationCollector
+# HIDL sensorservice
 allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow pixelstats_vendor fwk_sensor_service:service_manager find;
 binder_call(pixelstats_vendor, system_server)
diff --git a/vendor/google/priv_app.te b/vendor/google/priv_app.te
index caa61b7..381d6d4 100644
--- a/vendor/google/priv_app.te
+++ b/vendor/google/priv_app.te
@@ -1 +1,2 @@
-get_prop(priv_app, vendor_aware_available_prop)
-\ No newline at end of file
+get_prop(priv_app, vendor_aware_available_prop)
+dontaudit priv_app sysfs_msm_subsys:file r_file_perms;
diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts
index 22a72f2..d65c4e7 100644
--- a/vendor/google/seapp_contexts
+++ b/vendor/google/seapp_contexts
@@ -17,9 +17,6 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app
 # Domain for GoogleCBRS app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
 
-# Domain for FaceDebugService
-user=_app seinfo=platform name=com.google.android.facedebug domain=face_debug type=app_data_file levelFrom=all
-
 # Domain for Touch app
 user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_touch_app type=app_data_file levelFrom=user
 
diff --git a/vendor/google/service.te b/vendor/google/service.te
index 9c935e9..5b191cc 100644
--- a/vendor/google/service.te
+++ b/vendor/google/service.te
@@ -1 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_wifi_ext_service, service_manager_type, hal_service_type;
diff --git a/vendor/google/service_contexts b/vendor/google/service_contexts
index 4bac73b..7b84ac7 100644
--- a/vendor/google/service_contexts
+++ b/vendor/google/service_contexts
@@ -1,2 +1,3 @@
 android.hardware.drm.IDrmFactory/widevine    u:object_r:hal_drm_service:s0
 com.google.hardware.pixel.display.IDisplay/default                            u:object_r:hal_pixel_display_service:s0
+vendor.google.wifi_ext.IWifiExt/default                                       u:object_r:hal_wifi_ext_service:s0
diff --git a/vendor/google/system_server.te b/vendor/google/system_server.te
index 2adcf05..d199b58 100644
--- a/vendor/google/system_server.te
+++ b/vendor/google/system_server.te
@@ -1,2 +1,3 @@
 # pixelstats_vendor/OrientationCollector
 binder_call(system_server, pixelstats_vendor)
+dontaudit system_server sysfs_msm_subsys:file r_file_perms;
diff --git a/vendor/qcom/common/chre.te b/vendor/qcom/common/chre.te
index 5a90e95..fd89c5a 100644
--- a/vendor/qcom/common/chre.te
+++ b/vendor/qcom/common/chre.te
@@ -14,3 +14,7 @@ wakelock_use(chre)
 
 # To communicate with ST HAL
 hal_client_domain(chre, hal_audio)
+
+# Allow CHRE host to talk to the stats service
+allow chre fwk_stats_service:service_manager find;
+binder_call(chre, stats_service_server)
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index a57eb41..ab45ca5 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -128,9 +128,6 @@ type avtimer_device, dev_type;
 #define AT device
 type at_device, dev_type;
 
-#define Bluetooth device
-type bt_device, dev_type;
-
 #define Wlan device
 type wlan_device, dev_type;
 
diff --git a/vendor/qcom/common/hal_drm_clearkey.te b/vendor/qcom/common/hal_drm_clearkey.te
index 013705a..8267db8 100644
--- a/vendor/qcom/common/hal_drm_clearkey.te
+++ b/vendor/qcom/common/hal_drm_clearkey.te
@@ -7,5 +7,5 @@ hal_server_domain(hal_drm_clearkey, hal_drm)
 
 vndbinder_use(hal_drm_clearkey);
 
-allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
+allow hal_drm_clearkey { appdomain -isolated_app_all }:fd use;
 allow hal_drm_clearkey hal_allocator_server:fd use;
diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te
index 2f8fbdd..40f431a 100644
--- a/vendor/qcom/common/hal_drm_widevine.te
+++ b/vendor/qcom/common/hal_drm_widevine.te
@@ -10,6 +10,6 @@ allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
 allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find;
 binder_call(hal_drm_widevine, hal_graphics_composer_default)
 
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+allow hal_drm_widevine { appdomain -isolated_app_all }:fd use;
 
 allow hal_drm_widevine qce_device:chr_file rw_file_perms;
diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te
index 99c44a6..105e80f 100644
--- a/vendor/qcom/common/rfs_access.te
+++ b/vendor/qcom/common/rfs_access.te
@@ -21,3 +21,4 @@ r_dir_file(rfs_access, vendor_firmware_file);
 wakelock_use(rfs_access)
 
 dontaudit rfs_access self:capability { dac_override dac_read_search };
+dontaudit rfs_access unlabeled:dir create_dir_perms;
diff --git a/vendor/qcom/common/sensors.te b/vendor/qcom/common/sensors.te
index 5f57a89..5051b65 100644
--- a/vendor/qcom/common/sensors.te
+++ b/vendor/qcom/common/sensors.te
@@ -52,3 +52,6 @@ wakelock_use(sensors)
 
 allow sensors sensors_vendor_data_file:dir rw_dir_perms;
 allow sensors sensors_vendor_data_file:file create_file_perms;
+
+# Mutes the read unmounted files errors
+dontaudit sensors unlabeled:file r_file_perms;
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index 310c5a0..1854107 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,4 +4,4 @@ type imsrcs_service,              service_manager_type;
 type improve_touch_service,       service_manager_type;
 type gba_auth_service,            service_manager_type;
 type qtitetherservice_service,    service_manager_type;
-type hal_telephony_service,       service_manager_type, vendor_service, protected_service;
-\ No newline at end of file
+type hal_telephony_service,       service_manager_type, hal_service_type, protected_service;
diff --git a/vendor/st/file_contexts b/vendor/st/file_contexts
index eddf11d..dfdfa5d 100644
--- a/vendor/st/file_contexts
+++ b/vendor/st/file_contexts
@@ -1,6 +1,6 @@
 ###################################
 # vendor binaries
-/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st                u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st                     u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service\.st     u:object_r:hal_secure_element_default_exec:s0
author	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-07-07 04:51:26 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-07-07 04:51:26 +0000
commit	c73f8a9e2b5ca3a5c20d44d4bb5545d03ef1ab5d (patch)
tree	5cefbe9905472b91f48e8438fb586b8ee9d5bed4
parent	4d5cdbe39eba45bbdcfbf2d52a073620b47b9f07 (diff)
parent	7f5395ac1db234fb317d489921e488754ba0a4b5 (diff)
download	coral-sepolicy-android14-mainline-extservices-release.tar.gz