From 5a0bb72bf06c955ca84117d98737ec23ccd626c1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 11 Apr 2023 11:29:41 +0800 Subject: Remove obsolete entries Bug: 268147113 Bug: 237491813 Bug: 239484651 Bug: 268566483 Test: adb bugreport Change-Id: Iceafe7e413a3ffe5d342a222f76093c7110639e6 --- tracking_denials/bug_map | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d05de12..4ce15ec 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,12 +1,8 @@ cat_engine_service_app system_app_data_file dir b/238705599 dex2oat privapp_data_file dir b/276386138 -dump_pixel_metrics sysfs file b/268147113 -dumpstate app_zygote process b/237491813 -dumpstate system_data_file dir b/239484651 hal_camera_default boot_status_prop file b/275001783 hal_camera_default edgetpu_app_service service_manager b/275001783 hal_contexthub_default fwk_stats_service service_manager b/241714943 -hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 -- cgit v1.2.3 From ee611cfb51cbf80e137ae1bcd8ef7d39bba64d73 Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 16:22:01 +0000 Subject: [TSV2] Remove tcpdump sepolicy from gs201 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1 --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index f474d9c..4a23260 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; @@ -17,7 +16,6 @@ type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 2a6eaa9..c4f5b09 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,7 +202,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 -- cgit v1.2.3 From 96789e18c75ecb716215be8f5cd7e33e45a9d76f Mon Sep 17 00:00:00 2001 From: Zixuan Lan Date: Thu, 4 May 2023 14:25:29 -0700 Subject: remove fixed selinux bug from bug map. TPU permission was fixed to avoid error in hal_camera_defaul.The corresponding bug for tracking should be removed from the bug map. Please see bug for more details. Bug: 275001783 Test: logcat grep for selinux error Change-Id: I7a1bf9fd994187f969b68b9fc3504a5411b0807f --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 4ce15ec..a8cafdb 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,7 +1,5 @@ cat_engine_service_app system_app_data_file dir b/238705599 dex2oat privapp_data_file dir b/276386138 -hal_camera_default boot_status_prop file b/275001783 -hal_camera_default edgetpu_app_service service_manager b/275001783 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 -- cgit v1.2.3 From c2d912818c9b20f673e74ef38656bbab82ad9a07 Mon Sep 17 00:00:00 2001 From: Luis Delgado de Mendoza Garcia Date: Mon, 24 Apr 2023 16:42:56 -0700 Subject: Add chre channel sepolicy entries Bug: 241960170 Test: in-device verification. Change-Id: I3151d25c4a1cd7a858b84e0c8989dc160d368ca5 --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 7a9672d..902584c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -333,6 +333,8 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 -- cgit v1.2.3 From 64111ee561b3c34aed54cf137006eb8aaa81d0aa Mon Sep 17 00:00:00 2001 From: Samuel Gosselin Date: Wed, 10 May 2023 18:03:56 +0000 Subject: genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node. This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work. Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes. Bug: 276464780 Signed-off-by: Samuel Gosselin (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83712c5243166cafa3a057d5347515e04947cde8) Merged-In: I8c2633b33cef8ca2b55029190fe42bd66b17390f Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f --- whitechapel_pro/genfs_contexts | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 902584c..59d579b 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 -- cgit v1.2.3 From 918335e2a9c1aaad90ec5c70d5e6fbdd787f99bc Mon Sep 17 00:00:00 2001 
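Review bot: The s2mpg13 wakeup block added in this hunk stops at `i2c-8/8-002f`, although the context just above it keeps an `i2c-9/i2c-s2mpg13mfd/.../wakeup` entry and the earlier hunk at -93,6 adds the raw `iio:device` path for `i2c-9/9-002f`. If the PMIC enumerates on bus 9 under the 6.1 kernel, its wakeup node would presumably keep the default sysfs label instead of `sysfs_wakeup` and show up as denials for readers of wakeup stats. Add `genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0` after the `8-002f` line. The cherry-picked copy of this commit (918335e2) has the same gap in its last hunk.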
From: Samuel Gosselin Date: Wed, 10 May 2023 18:03:56 +0000 Subject: genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node. This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work. Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes. Bug: 276464780 Signed-off-by: Samuel Gosselin (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83712c5243166cafa3a057d5347515e04947cde8) Merged-In: I8c2633b33cef8ca2b55029190fe42bd66b17390f Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f (cherry picked from commit 64111ee561b3c34aed54cf137006eb8aaa81d0aa) --- whitechapel_pro/genfs_contexts | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 902584c..59d579b 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 -- cgit v1.2.3 From 513fa361c8c7af21d4fc7f279ec413044e646d45 Mon Sep 17 00:00:00 2001 
From: Samuel Huang Date: Tue, 20 Jun 2023 07:25:10 +0000 Subject: Create telephony.ril.silent_reset system_ext property for RILD restart RILD listens for changes to this property. If the value changes to 1, RILD will restart itself and set this property back to 0. The TelephonyGoogle app will set this property to 1 when it receives a request from the SCONE app. Since TelephonyGoogle runs in the com.android.phone process, we also need to give the radio domain permission to set the telephony.ril.silent_reset property. Bug: 286476107 Test: manual Change-Id: I689e75f4ebf3f44915bd7f795755f297935e7946 --- system_ext/private/property_contexts | 3 +++ system_ext/public/property.te | 7 +++++++ whitechapel_pro/radio.te | 2 ++ whitechapel_pro/rild.te | 2 ++ 4 files changed, 14 insertions(+) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9f462bd..ffb1793 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,5 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool + +# Telephony +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 8908e48..823acf5 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -1,2 +1,9 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) + +# Telephony +system_public_prop(telephony_ril_prop) + +userdebug_or_eng(` + set_prop(shell, telephony_ril_prop) +') \ No newline at end of file diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 4727846..2864bc9 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,3 +1,5 @@ +set_prop(radio, telephony_ril_prop) + allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; 
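Review bot: `telephony_ril_prop` is declared with `system_public_prop` in the system_ext/public/property.te hunk, but nothing bounds who may set it, even though the commit message says that writing 1 makes RILD restart itself. The writers granted here are radio and rild (the radio.te and rild.te hunks) plus shell on userdebug/eng. A neverallow kept beside those grants would stop a later rule from widening that set, for example `neverallow { domain -init -radio -rild -shell } telephony_ril_prop:property_service set;`; the exempt list and placement need confirming, since rild is a vendor type that system_ext policy may not be able to name. The declaration would also benefit from a comment such as `# telephony.ril.silent_reset: radio sets 1 to request a RILD restart, rild resets it to 0`, and property.te now ends without a trailing newline. The same hunks recur in the reland (d02a8eef).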
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 484dda0..534bea1 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +set_prop(rild, telephony_ril_prop) + allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; -- cgit v1.2.3 From 4d0eeef36fc29b816ad7aafe8bb10475532c3f64 Mon Sep 17 00:00:00 2001 From: Sebastian Pickl Date: Tue, 27 Jun 2023 08:46:41 +0000 Subject: Revert "Create telephony.ril.silent_reset system_ext property fo..." Revert submission 23736941-tpsr-ril-property Reason for revert: culprit for b/289014054 verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L54800000961620143 Bug: 289014054 Reverted changes: /q/submissionid:23736941-tpsr-ril-property Change-Id: I4fa5b2803392e0db03bb622392f3d4afab6a45ea --- system_ext/private/property_contexts | 3 --- system_ext/public/property.te | 7 ------- whitechapel_pro/radio.te | 2 -- whitechapel_pro/rild.te | 2 -- 4 files changed, 14 deletions(-) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index ffb1793..9f462bd 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,5 +1,2 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool - -# Telephony -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 823acf5..8908e48 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te 
@@ -1,9 +1,2 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) - -# Telephony -system_public_prop(telephony_ril_prop) - -userdebug_or_eng(` - set_prop(shell, telephony_ril_prop) -') \ No newline at end of file diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 2864bc9..4727846 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,5 +1,3 @@ -set_prop(radio, telephony_ril_prop) - allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 534bea1..484dda0 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -6,8 +6,6 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) -set_prop(rild, telephony_ril_prop) - allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; -- cgit v1.2.3 From 1a52c8b95207975246ef3b373257d1e61350a42e Mon Sep 17 00:00:00 2001 From: Patty Huang Date: Wed, 28 Jun 2023 22:22:30 +0800 Subject: Allow bthal to access vendor bluetooth folder Bug:289055382 Test: enable vendor debug log and check the vendor snoop log contain the vendor log Change-Id: I89164330998d7fbea45dab65931c2a3db22a4c92 --- whitechapel_pro/bluetooth.te | 3 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_bluetooth_btlinux.te | 5 +++++ 4 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 whitechapel_pro/hal_bluetooth_btlinux.te diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te index 3795e29..aff0e1a 100644 --- a/whitechapel_pro/bluetooth.te +++ b/whitechapel_pro/bluetooth.te 
@@ -1,5 +1,2 @@ allow bluetooth proc_vendor_sched:dir r_dir_perms; allow bluetooth proc_vendor_sched:file w_file_perms; - -allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write }; -allow hal_bluetooth_btlinux device:dir r_dir_perms; \ No newline at end of file diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a23260..0038103 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -68,6 +68,9 @@ type persist_display_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; +# BT +type vendor_bt_data_file, file_type, data_file_type; + # Storage Health HAL type proc_f2fs, proc_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c4f5b09..35f991b 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -211,6 +211,7 @@ /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 +/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 diff --git a/whitechapel_pro/hal_bluetooth_btlinux.te b/whitechapel_pro/hal_bluetooth_btlinux.te new file mode 100644 index 0000000..dc74629 --- /dev/null +++ b/whitechapel_pro/hal_bluetooth_btlinux.te @@ -0,0 +1,5 @@ +allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write }; +allow hal_bluetooth_btlinux device:dir r_dir_perms; + +allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; +allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; -- cgit v1.2.3 From 41ed8e83ea86b2670d4c192fb716140dcdd1029f Mon Sep 17 00:00:00 2001 
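Review bot: The two `vendor_bt_data_file` rules in the new hal_bluetooth_btlinux.te give the HAL create and write access on every build type, while the commit message suggests the directory is there for vendor debug and snoop logs. Bluetooth snoop output can include link keys and traffic contents, so if /data/vendor/bluetooth is used only for that, the rules (and any reader added later) are better wrapped in `userdebug_or_eng`. If user builds do need the directory, a comment stating what is stored there would make that choice reviewable. In file.te, a header such as `# Vendor BT debug/snoop logs under /data/vendor/bluetooth` above the `type vendor_bt_data_file` declaration would say more than the bare `# BT`.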
From: Sebastian Pickl Date: Wed, 5 Jul 2023 09:45:56 +0000 Subject: Revert "Allow bthal to access vendor bluetooth folder" Revert submission 23844270-P22-vendor-log-udc-qpr Reason for revert: causes selinux tests to fail b/289989584 go/abtd: https://android-build.googleplex.com/builds/abtd/run/L37600000961782595 Bug:289989584 Reverted changes: /q/submissionid:23844270-P22-vendor-log-udc-qpr Change-Id: I4e9ccf17050702a6405c549340e7fe97eba0eb65 --- whitechapel_pro/bluetooth.te | 3 +++ whitechapel_pro/file.te | 3 --- whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_bluetooth_btlinux.te | 5 ----- 4 files changed, 3 insertions(+), 9 deletions(-) delete mode 100644 whitechapel_pro/hal_bluetooth_btlinux.te diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te index aff0e1a..3795e29 100644 --- a/whitechapel_pro/bluetooth.te +++ b/whitechapel_pro/bluetooth.te @@ -1,2 +1,5 @@ allow bluetooth proc_vendor_sched:dir r_dir_perms; allow bluetooth proc_vendor_sched:file w_file_perms; + +allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write }; +allow hal_bluetooth_btlinux device:dir r_dir_perms; \ No newline at end of file diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 0038103..4a23260 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -68,9 +68,6 @@ type persist_display_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; -# BT -type vendor_bt_data_file, file_type, data_file_type; - # Storage Health HAL type proc_f2fs, proc_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 35f991b..c4f5b09 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -211,7 +211,6 @@ /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 -/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 diff --git a/whitechapel_pro/hal_bluetooth_btlinux.te b/whitechapel_pro/hal_bluetooth_btlinux.te deleted file mode 100644 index dc74629..0000000 --- a/whitechapel_pro/hal_bluetooth_btlinux.te +++ /dev/null @@ -1,5 +0,0 @@ -allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write }; -allow hal_bluetooth_btlinux device:dir r_dir_perms; - -allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; -allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; -- cgit v1.2.3 From d02a8eef29706ad803726ed635cd3cb4a11dcc1b Mon Sep 17 00:00:00 2001 From: Samuel Huang Date: Wed, 28 Jun 2023 06:16:30 +0000 Subject: Revert "Revert "Create telephony.ril.silent_reset system_ext pro..." Revert submission 23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Reason for revert: The root cause is missing property definition in gs101-sepolicy. This CL can be merged safely. Verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L48900000961646046 Reverted changes: /q/submissionid:23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Bug: 286476107 Change-Id: Ia80e4400ff555a637c42193cab3e3acf72bc36a2 --- system_ext/private/property_contexts | 3 +++ system_ext/public/property.te | 7 +++++++ whitechapel_pro/radio.te | 2 ++ whitechapel_pro/rild.te | 2 ++ 4 files changed, 14 insertions(+) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9f462bd..ffb1793 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts 
@@ -1,2 +1,5 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool + +# Telephony +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 8908e48..823acf5 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -1,2 +1,9 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) + +# Telephony +system_public_prop(telephony_ril_prop) + +userdebug_or_eng(` + set_prop(shell, telephony_ril_prop) +') \ No newline at end of file diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 4727846..2864bc9 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,3 +1,5 @@ +set_prop(radio, telephony_ril_prop) + allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 484dda0..534bea1 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +set_prop(rild, telephony_ril_prop) + allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; -- cgit v1.2.3 From d45ff39442710d2a679e5132efeaef4c65128891 Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Tue, 11 Jul 2023 17:49:27 -0700 Subject: Introduce CameraServices seinfo tag for PixelCameraServices Bug: 287069860 Test: m && flashall && check against 'avc: denied' errors Change-Id: I41b435ae0a34fe9c797b9316887c4b56091a26a5 --- whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea..bff9add 100644 --- a/whitechapel_pro/keys.conf 
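Review bot: `system_ext/public/property.te` now ends in `')` with no trailing newline (the hunk shows `\ No newline at end of file`); end the file with a newline so that a later append or concatenation cannot join it to the next statement. The new `system_public_prop(telephony_ril_prop)` also has only the heading `# Telephony`. A comment such as `# telephony.ril.silent_reset: set by radio and rild; shell may set it on userdebug/eng only` would record who is expected to write the property.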
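Review bot: Both `radio` (radio.te hunk) and `rild` (rild.te hunk) are granted `set_prop(..., telephony_ril_prop)`, so two domains can write `telephony.ril.silent_reset`, and the commit message does not say which side sets the flag and which only reads it. If one of them is only a consumer, `get_prop(rild, telephony_ril_prop)` (or the `radio` equivalent) is the narrower grant. In rild.te the new line follows a run of `get_prop(rild, ...)` calls, so a short comment stating why rild needs write access would make the exception visible. Both files continue outside their hunks.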
+++ b/whitechapel_pro/keys.conf @@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem + +[@CAMERASERVICES] +ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c..7627b9d 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,4 +39,7 @@ + + + -- cgit v1.2.3 From c420cef154a02c8de5ad05fa09fb6175b2203089 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Wed, 19 Jul 2023 01:15:07 +0000 Subject: Revert "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24056607-pixel-camera-services-extensions-sepolicy Reason for revert: build breakage on git_main-without-vendor Reverted changes: /q/submissionid:24056607-pixel-camera-services-extensions-sepolicy Change-Id: I9869874507230f59ac3b8cdc2538e4f223216b45 --- whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- 2 files changed, 6 deletions(-) diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index bff9add..54130ea 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,6 +15,3 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem - -[@CAMERASERVICES] -ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 7627b9d..b57e61c 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,7 +39,4 @@ - - - -- cgit v1.2.3 
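Review bot: The new `[@CAMERASERVICES]` entry in keys.conf resolves its certificate from `vendor/google/dev-keystore/certs/...`, while the `camera_eng` and `[@CAMERAFISHFOOD]` entries above it read from `device/google/gs201-sepolicy/whitechapel_pro/certs/`. A checkout without `vendor/google` would presumably fail to find the file when the seinfo mapping is generated. Keeping the certificate with the others, `ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem`, makes the policy build self-contained. Because seinfo assignment trusts whatever certificate this path yields, it is also worth a comment above the tag naming the package it is meant to match.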
From 34bda7b2b8cd7fa3acf60f5b25aaea1baa568898 Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Wed, 19 Jul 2023 02:47:43 +0000 Subject: Revert^2 "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Reason for revert: Relanding the original topic after copying the certificates under `device/google` for `without-vendor` branches Reverted changes: /q/submissionid:24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Bug: 287069860 Test: m && flashall Change-Id: I5326b61822d367beaff0ac97a34708d306c60007 --- ...om_google_android_apps_camera_services.x509.pem | 30 ++++++++++++++++++++++ whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ 3 files changed, 36 insertions(+) create mode 100644 whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem b/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem new file mode 100644 index 0000000..7b8c5b2 --- /dev/null +++ b/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz +MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G +A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP +1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR +UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5 +4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL +jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8 +pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0 +VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3 +A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO +sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV +eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO +nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI +hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5 +YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm +FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr +njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI +hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e +JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3 +IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA 
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H +r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F +DB17LhMLl0GxX9j1 +-----END CERTIFICATE----- diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea..0999938 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem + +[@CAMERASERVICES] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c..7627b9d 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,4 +39,7 @@ + + + -- cgit v1.2.3 From 3054cb6eecdab0a574b1fb5a896626368519f292 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Tue, 25 Jul 2023 13:12:32 +0000 Subject: SELinux: fix the wakeup avc denials Fix the wakeup avc denials in a more common place Bug: 292076108 Change-Id: I52627f19cb0fec3dd0851d21d0608048ebc7d45d Signed-off-by: Ken Yang --- whitechapel_pro/genfs_contexts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 57f0237..c57ea3e 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -307,6 +307,13 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
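Review bot: The seven added `10d60000.hsi2c/i2c-9` entries, and the two `10da0000.hsi2c/i2c-9` entries in the following hunk, repeat the existing `i2c-8` block with only the bus number changed. Nothing in the file or the commit message records which denial or which board produced them. A comment above each group, for example `# wakeup nodes seen on bus i2c-9 (b/292076108)`, would let a later reader tell a required label from a speculative one. Each entry relabels the whole subtree under its path as `sysfs_wakeup`, so the list should stay limited to paths that were actually observed. The file continues outside both hunks.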
@@ -321,6 +328,8 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wir genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 -- cgit v1.2.3 From da30985fa54b3441422952a7466626237a37644b Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Fri, 21 Jul 2023 15:09:58 +0900 Subject: Move coredomain policies to system_ext/product Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 Merged-In: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 --- gs201-sepolicy.mk | 1 + private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 14 ++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 5 +++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel_pro/con_monitor.te | 8 -------- whitechapel_pro/debug_camera_app.te | 15 --------------- whitechapel_pro/google_camera_app.te | 14 -------------- whitechapel_pro/hbmsvmanager_app.te | 12 ------------ whitechapel_pro/seapp_contexts | 18 ------------------ 16 files changed, 70 insertions(+), 67 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/private/seapp_contexts create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 664b851..2c5da1f 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk 
@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private # system_ext diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te new file mode 100644 index 0000000..c14637b --- /dev/null +++ b/private/debug_camera_app.te @@ -0,0 +1,16 @@ +typeattribute debug_camera_app coredomain; + +userdebug_or_eng(` + app_domain(debug_camera_app) + net_domain(debug_camera_app) + + allow debug_camera_app app_api_service:service_manager find; + allow debug_camera_app audioserver_service:service_manager find; + allow debug_camera_app cameraserver_service:service_manager find; + allow debug_camera_app mediaextractor_service:service_manager find; + allow debug_camera_app mediametrics_service:service_manager find; + allow debug_camera_app mediaserver_service:service_manager find; + + # Allows camera app to access the PowerHAL. + hal_client_domain(debug_camera_app, hal_power) +') diff --git a/private/google_camera_app.te b/private/google_camera_app.te new file mode 100644 index 0000000..dc7ee28 --- /dev/null +++ b/private/google_camera_app.te @@ -0,0 +1,14 @@ +typeattribute google_camera_app coredomain; + +app_domain(google_camera_app) +net_domain(google_camera_app) + +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; + +# Allows camera app to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) 
diff --git a/private/seapp_contexts b/private/seapp_contexts new file mode 100644 index 0000000..bfe5a54 --- /dev/null +++ b/private/seapp_contexts @@ -0,0 +1,11 @@ +# Google Camera +user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all + +# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera +user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all + +# Google Camera Eng +user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all + +# Also label GoogleCameraNext, built with debug keys as debug_camera_app. +user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te new file mode 100644 index 0000000..6f49768 --- /dev/null +++ b/public/debug_camera_app.te @@ -0,0 +1 @@ +type debug_camera_app, domain; diff --git a/public/google_camera_app.te b/public/google_camera_app.te new file mode 100644 index 0000000..c93038c --- /dev/null +++ b/public/google_camera_app.te @@ -0,0 +1 @@ +type google_camera_app, domain; diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te new file mode 100644 index 0000000..c68ec1f --- /dev/null +++ b/system_ext/private/con_monitor.te @@ -0,0 +1,7 @@ +typeattribute con_monitor_app coredomain; + +app_domain(con_monitor_app) + +set_prop(con_monitor_app, radio_prop) +allow con_monitor_app app_api_service:service_manager find; +allow con_monitor_app radio_service:service_manager find; diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te new file mode 100644 index 0000000..6f5ff7a --- /dev/null +++ b/system_ext/private/hbmsvmanager_app.te 
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
new file mode 100644
index 0000000..25318ff
--- /dev/null
+++ b/system_ext/private/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 0000000..6a4d1da
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 0000000..4fcf2bd
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te
index 8695cca..32c2056 100644
--- a/whitechapel_pro/con_monitor.te
+++ b/whitechapel_pro/con_monitor.te
@@ -1,10 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
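Review bot: In the new `system_ext/private/hbmsvmanager_app.te`, the two `proc_vendor_sched` rules (`:dir r_dir_perms` and `:file w_file_perms`) moved into system_ext policy with the domain, but no hunk of this commit declares `proc_vendor_sched`. If that type is declared in the vendor policy, these rules belong with the `hal_pixel_display_service` and `binder_call` rules the commit leaves in `whitechapel_pro/hbmsvmanager_app.te`, because system_ext policy should not depend on vendor-defined types; this needs checking against where the type is defined. Separately, `app_domain(hbmsvmanager_app);` has a trailing semicolon that the other `app_domain(...)` calls added in this commit lack, and `app_domain(hbmsvmanager_app)` would match them.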
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te index 5342fb7..add4b9e 100644 --- a/whitechapel_pro/debug_camera_app.te +++ b/whitechapel_pro/debug_camera_app.te @@ -1,24 +1,9 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device. allow debug_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to search for GXP firmware file. allow debug_camera_app vendor_fw_file:dir search; - - # Allows camera app to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) ') userdebug_or_eng(` # Allows GCA-Eng to find and access the EdgeTPU. diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index d73cd3d..572d1d6 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te 
@@ -1,23 +1,9 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device. allow google_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to search for GXP firmware file. allow google_camera_app vendor_fw_file:dir search; -# Allows camera app to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) - # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index b705809..bbedea8 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -1,14 +1,2 @@ -type hbmsvmanager_app, domain, coredomain; - -app_domain(hbmsvmanager_app); - -allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; - allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 149e228..8ff78b8 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -27,15 +27,9 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user @@ -52,18 +46,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all -- cgit v1.2.3 
From 5e75eaa1a5c084207b561ef982623320c851e14d Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 5 Sep 2023 16:25:52 +0800 Subject: Move uwb to system_ext Bug: 290766628 Test: Boot-to-home, no uwb related avc error Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16 --- system_ext/private/certs/com_qorvo_uwb.x509.pem | 29 +++++++++++++++++++++++++ system_ext/private/file.te | 2 ++ system_ext/private/keys.conf | 3 +++ system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++++++ system_ext/private/seapp_contexts | 5 +++++ system_ext/private/uwb_vendor_app.te | 12 ++++++++++ system_ext/public/uwb_vendor_app.te | 2 ++ whitechapel_pro/certs/com_qorvo_uwb.x509.pem | 29 ------------------------- whitechapel_pro/file.te | 1 - whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- whitechapel_pro/seapp_contexts | 4 ---- whitechapel_pro/uwb_vendor_app.te | 12 +--------- 13 files changed, 81 insertions(+), 51 deletions(-) create mode 100644 system_ext/private/certs/com_qorvo_uwb.x509.pem create mode 100644 system_ext/private/file.te create mode 100644 system_ext/private/keys.conf create mode 100644 system_ext/private/mac_permissions.xml create mode 100644 system_ext/private/uwb_vendor_app.te create mode 100644 system_ext/public/uwb_vendor_app.te delete mode 100644 whitechapel_pro/certs/com_qorvo_uwb.x509.pem diff --git a/system_ext/private/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem new file mode 100644 index 0000000..0e7c9ed --- /dev/null +++ b/system_ext/private/certs/com_qorvo_uwb.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv +X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds +ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa +IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW +fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ +KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW +BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s +ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X +QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG +gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj +RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn +iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ +KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t +fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z +0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe +cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 +6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg +NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY +ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp +BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz +lHV8gmlwBAuAx9ITcTJr +-----END CERTIFICATE----- diff --git a/system_ext/private/file.te b/system_ext/private/file.te new file mode 100644 index 0000000..9344be7 --- /dev/null +++ b/system_ext/private/file.te @@ -0,0 +1,2 @@ + +type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf new file mode 100644 index 0000000..c2228db --- /dev/null +++ b/system_ext/private/keys.conf @@ -0,0 +1,3 @@ +[@UWB] +ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem + diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml new file mode 100644 index 0000000..51af79f --- /dev/null +++ b/system_ext/private/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 25318ff..82f4347 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + +# Qorvo UWB system app +# TODO(b/222204912): Should this run under uwb user? +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all + diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te new file mode 100644 index 0000000..3ae5ecd --- /dev/null +++ b/system_ext/private/uwb_vendor_app.te 
@@ -0,0 +1,12 @@
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+')
diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 0000000..6824e4e
--- /dev/null
+++ b/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
deleted file mode 100644
index 0e7c9ed..0000000
--- a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
+++ /dev/null
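Review bot: `system_ext/private/uwb_vendor_app.te` opens with `app_domain(uwb_vendor_app)` and has no `typeattribute uwb_vendor_app coredomain;`. Every domain the previous commit in this series moved out of vendor policy (`con_monitor_app`, `hbmsvmanager_app`, `google_camera_app`, `debug_camera_app`) starts its private file with that line. The public declaration here is only `type uwb_vendor_app, domain;`, and the remaining hunk of `whitechapel_pro/uwb_vendor_app.te` is not visible, so it is unclear whether the attribute is set anywhere. If the omission is deliberate, a comment at the top of the file should say why this system_ext app is not a coredomain; otherwise add `typeattribute uwb_vendor_app coredomain;` as the first line.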
@@ -1,29 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ -BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw -EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv -X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR -BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds -ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa -IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW -fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ -KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW -BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s -ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X -QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG -gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj -RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn -iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU -EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ -KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t -fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z -0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe -cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 -6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg -NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY -ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp -BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
-NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz -lHV8gmlwBAuAx9ITcTJr ------END CERTIFICATE----- diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a23260..fb4bad8 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; -type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea..2a7a6d5 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem [@MDS] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem -[@UWB] -ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem - [@EUICCSUPPORTPIXEL] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c..e9031e5 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -27,9 +27,6 @@ - - - diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 8ff78b8..dcaaf66 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user -# Qorvo UWB system app -# TODO(b/222204912): Should this run under uwb user? -user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all - # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te index aa4564e..cc5a9de 100644 --- a/whitechapel_pro/uwb_vendor_app.te +++ b/whitechapel_pro/uwb_vendor_app.te @@ -1,18 +1,8 @@ -type uwb_vendor_app, domain; - -app_domain(uwb_vendor_app) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb_vendor) - -allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; -allow uwb_vendor_app nfc_service:service_manager find; -allow uwb_vendor_app radio_service:service_manager find; - -allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; -allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow hal_uwb_vendor_default self:global_capability_class_set sys_nice; allow hal_uwb_vendor_default kernel:process setsched; -- cgit v1.2.3 From e39998954f1318a78d20ae0a2aa90cc355165efe Mon Sep 17 00:00:00 2001 From: Leo Liou Date: Thu, 14 Sep 2023 13:45:26 +0800 Subject: gs201: ufs_firmware_update: add scsi directory permission Bug: 273305600 Test: run ufs ffu flow Change-Id: I36715c1b3500da64863db4cbec08c037df74d3e6 Signed-off-by: Leo Liou --- whitechapel_pro/ufs_firmware_update.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel_pro/ufs_firmware_update.te b/whitechapel_pro/ufs_firmware_update.te
index 53ceba5..f33c2da 100644
--- a/whitechapel_pro/ufs_firmware_update.te
+++ b/whitechapel_pro/ufs_firmware_update.te
@@ -7,4 +7,5 @@ allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
 allow ufs_firmware_update block_device:dir r_dir_perms;
 allow ufs_firmware_update fips_block_device:blk_file rw_file_perms;
 allow ufs_firmware_update sysfs:dir r_dir_perms;
+allow ufs_firmware_update sysfs_scsi_devices_0000:dir search;
 allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
-- cgit v1.2.3 From b256bc86c018c0df39374d55056af1efa745e895 Mon Sep 17 00:00:00 2001 From: Mike Wang Date: Thu, 28 Sep 2023 15:22:58 +0000 Subject: Grant the MDS access to the IPowerStats hal service. ref logs: 09-06 10:07:18.006 536 536 I auditd : avc: denied { find } for pid=22543 uid=10225 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1 09-06 10:07:18.010 22543 22543 I auditd : type=1400 audit(0.0:65): avc: denied { call } for comm="pool-4-thread-1" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=1 app=com.google.mds Test: Tested with MDS app and the MDS can get IPowerStats binder and call the interface. Bug: 297250368 Change-Id: I54b6b93179987b9db23d5327711338553906134c --- whitechapel_pro/modem_diagnostic_app.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te
index 8c4a0ca..b5cce03 100644
--- a/whitechapel_pro/modem_diagnostic_app.te
+++ b/whitechapel_pro/modem_diagnostic_app.te
@@ -7,6 +7,8 @@ allow modem_diagnostic_app app_api_service:service_manager find; allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` + hal_client_domain(modem_diagnostic_app, hal_power_stats); + binder_call(modem_diagnostic_app, dmd) set_prop(modem_diagnostic_app, vendor_cbd_prop) -- cgit v1.2.3
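Review bot: The added `hal_client_domain(modem_diagnostic_app, hal_power_stats);` ends in a semicolon, unlike the `binder_call(...)` and `set_prop(...)` macro calls next to it; drop it so the line reads `hal_client_domain(modem_diagnostic_app, hal_power_stats)`. The grant also sits inside `userdebug_or_eng(`, so it does not exist on user builds, and both denials quoted in the description were logged with `permissive=1`. If that scoping is intended, a comment such as `# IPowerStats access for MDS, debug builds only` would say so, because the subject line reads as an unconditional grant. The `userdebug_or_eng` block closes outside this hunk.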