authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-07-07 04:59:55 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-07-07 04:59:55 +0000
commitaaa44969facaa09ae0c25fb7e32a7ef58ae49189 (patch)
tree0a704bca83406f86f9cb22038ffc61494e4e8c5d
parent881892a85cde729819b76df37479ffc9e2eaa431 (diff)
parenta677e6db05d45d2552df173b28116048f2523c0d (diff)
Change-Id: I39c77583eb85957d3942db3595b813420d64ff83
-rw-r--r--tracking_denials/bug_map6
-rw-r--r--tracking_denials/incidentd.te2
-rw-r--r--tracking_denials/netmgrd.te2
-rw-r--r--tracking_denials/platform_app.te2
-rw-r--r--vendor/google/bug_map3
-rw-r--r--vendor/google/chre.te4
-rw-r--r--vendor/google/e2fs.te2
-rw-r--r--vendor/google/file_contexts2
-rw-r--r--vendor/google/fsck.te2
-rw-r--r--vendor/google/grilservice_app.te1
-rw-r--r--vendor/google/hal_radioext_default.te1
-rw-r--r--vendor/google/hal_wifi_ext.te1
-rw-r--r--vendor/google/service.te3
-rw-r--r--vendor/google/service_contexts1
-rw-r--r--vendor/google/ssr_detector.te3
-rw-r--r--vendor/google/su.te2
-rw-r--r--vendor/qcom/common/device.te1
-rw-r--r--vendor/qcom/common/file_contexts2
-rw-r--r--vendor/qcom/common/service.te2
-rw-r--r--vendor/st/file_contexts2
20 files changed, 30 insertions, 14 deletions
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..54c9cbd
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,6 @@
+dumpstate app_zygote process b/238263561
+hal_drm_widevine default_prop file b/238263762
+netutils_wrapper netutils_wrapper capability b/239887215
+shell qemu_sf_lcd_density_prop file b/238837292
+untrusted_app app_data_file dir b/238954121
+vendor_per_mgr hal_gnss_qti binder b/239887289
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index 79a8d61..0000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187253611
-dontaudit incidentd apex_info_file:file getattr;
diff --git a/tracking_denials/netmgrd.te b/tracking_denials/netmgrd.te
deleted file mode 100644
index b7cb0fe..0000000
--- a/tracking_denials/netmgrd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/183070459
-dontaudit netmgrd vendor_default_prop:property_service set;
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index df7e700..e69de29 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -1,2 +0,0 @@
-# b/162700611
-dontaudit platform_app default_android_hwservice:hwservice_manager find;
diff --git a/vendor/google/bug_map b/vendor/google/bug_map
index acb3f80..ed89df6 100644
--- a/vendor/google/bug_map
+++ b/vendor/google/bug_map
@@ -10,6 +10,3 @@ shell debugfs file b/175106535
shell device_config_runtime_native_boot_prop file b/175106535
shell sysfs file b/175106535
tee tee capability2 b/156045688
-mediaswcodec gpu_device chr_file b/194313013
-mediaswcodec sysfs_msm_subsys dir b/194313013
-mediaserver sysfs_msm_subsys dir b/194313013
diff --git a/vendor/google/chre.te b/vendor/google/chre.te
index 74b59d3..5d99155 100644
--- a/vendor/google/chre.te
+++ b/vendor/google/chre.te
@@ -10,3 +10,7 @@ wakelock_use(chre)
# To communicate with ST HAL
hal_client_domain(chre, hal_audio)
+
+# Allow CHRE host to talk to the stats service
+allow chre fwk_stats_service:service_manager find;
+binder_call(chre, stats_service_server)
diff --git a/vendor/google/e2fs.te b/vendor/google/e2fs.te
new file mode 100644
index 0000000..4d2b596
--- /dev/null
+++ b/vendor/google/e2fs.te
@@ -0,0 +1,2 @@
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 0030286..95ee1fc 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -34,6 +34,8 @@
/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0
/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
/vendor/bin/hw/vendor\.google\.wireless_charger@1\.0-service-vendor u:object_r:hal_wlc_exec:s0
/vendor/bin/hw/android.hardware.graphics.composer@2.1-service u:object_r:hal_graphics_composer_default_exec:s0
diff --git a/vendor/google/fsck.te b/vendor/google/fsck.te
index 1500b5f..7d94ea1 100644
--- a/vendor/google/fsck.te
+++ b/vendor/google/fsck.te
@@ -1 +1,3 @@
allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te
index 4c8d81e..b41c009 100644
--- a/vendor/google/grilservice_app.te
+++ b/vendor/google/grilservice_app.te
@@ -5,6 +5,7 @@ app_domain(grilservice_app)
allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
allow grilservice_app app_api_service:service_manager find;
binder_call(grilservice_app, hal_bluetooth_default)
binder_call(grilservice_app, hal_radioext_default)
diff --git a/vendor/google/hal_radioext_default.te b/vendor/google/hal_radioext_default.te
index 03d17e2..1a6ac35 100644
--- a/vendor/google/hal_radioext_default.te
+++ b/vendor/google/hal_radioext_default.te
@@ -19,6 +19,7 @@ allow hal_radioext_default self:qipcrtr_socket create_socket_perms_no_ioctl;
allowxperm hal_radioext_default self:socket ioctl msm_sock_ipc_ioctls;
allow hal_radioext_default hal_wifi_ext_hwservice:hwservice_manager find;
+allow hal_radioext_default hal_wifi_ext_service:service_manager find;
allow hal_radioext_default hal_wifi_ext:binder call;
allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
diff --git a/vendor/google/hal_wifi_ext.te b/vendor/google/hal_wifi_ext.te
index 55ea19e..061b71b 100644
--- a/vendor/google/hal_wifi_ext.te
+++ b/vendor/google/hal_wifi_ext.te
@@ -6,6 +6,7 @@ init_daemon_domain(hal_wifi_ext)
# Allow to start the IWifi:wifi_ext service
add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
+add_service(hal_wifi_ext, hal_wifi_ext_service)
# Allow wifi hal access to LOWI
allow hal_wifi_ext location:unix_stream_socket connectto;
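Review bot: The added `add_service(hal_wifi_ext, hal_wifi_ext_service)` sits under the comment "Allow to start the IWifi:wifi_ext service", which describes the HIDL hwservice registration on the line above it, so the AIDL registration is left undocumented. A one-line comment before the new line, such as `# Allow to register the AIDL vendor.google.wifi_ext.IWifiExt service`, would make the two registrations distinguishable to the next reader. The new line also omits the trailing `;` that the neighbouring `add_hwservice` line carries; either form is presumably accepted by the policy build, but the file would read better with the two lines styled the same way.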
diff --git a/vendor/google/service.te b/vendor/google/service.te
index 9c935e9..5b191cc 100644
--- a/vendor/google/service.te
+++ b/vendor/google/service.te
@@ -1 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_wifi_ext_service, service_manager_type, hal_service_type;
diff --git a/vendor/google/service_contexts b/vendor/google/service_contexts
index 4bac73b..7b84ac7 100644
--- a/vendor/google/service_contexts
+++ b/vendor/google/service_contexts
@@ -1,2 +1,3 @@
android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+vendor.google.wifi_ext.IWifiExt/default u:object_r:hal_wifi_ext_service:s0
diff --git a/vendor/google/ssr_detector.te b/vendor/google/ssr_detector.te
index 49f1754..8a0bbe3 100644
--- a/vendor/google/ssr_detector.te
+++ b/vendor/google/ssr_detector.te
@@ -15,7 +15,8 @@ get_prop(ssr_detector_app, vendor_wifi_version)
get_prop(ssr_detector_app, public_vendor_system_prop)
# ssr_detector app's data type is system_app_data_file.
-allow ssr_detector_app system_app_data_file:dir { getattr search };
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
allow ssr_detector_app cgroup:file w_file_perms;
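Review bot: The rewritten rules widen ssr_detector_app's access on `system_app_data_file` from `{ getattr search }` to full `create_dir_perms` and `create_file_perms`, but neither the existing comment nor the commit gives the reason, so a later reviewer cannot tell whether creation and unlink are actually required or whether `rw_dir_perms`/`rw_file_perms` would have sufficed. Since `system_app_data_file` is shared by all system apps, the grant is broader than the domain's own data, which makes the justification worth recording. I would extend the comment above the rules, e.g. `# ssr_detector app's data type is system_app_data_file; it needs to create its own files and dirs there (b/<bug-id>).`, with the bug id filled in from the tracking entry.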
diff --git a/vendor/google/su.te b/vendor/google/su.te
new file mode 100644
index 0000000..917c2b3
--- /dev/null
+++ b/vendor/google/su.te
@@ -0,0 +1,2 @@
+# Ignore access to firmware_file (may be triggered by tradefed).
+dontaudit su firmware_file:filesystem *;
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 211d3d4..a85f073 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -48,7 +48,6 @@ type system_health_monitor_device, dev_type;
type qbt1000_device, dev_type;
type avtimer_device, dev_type;
type at_device, dev_type;
-type bt_device, dev_type;
type wlan_device, dev_type;
type rawdump_block_device, dev_type;
type custom_ab_block_device, dev_type;
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index a360e5a..9f29f95 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -53,6 +53,8 @@
/(vendor|system/vendor)/bin/hw/qcrild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
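Review bot: The new lazy clearkey entry labels `android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey` as `hal_drm_widevine_exec`, while the non-lazy clearkey binary two lines above it is labelled `hal_drm_clearkey_exec`; this looks like a copy-paste of the widevine line, and it would run the lazy clearkey service in the widevine domain with that domain's permissions. Unless that is intentional, the line should read `/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0`. Separately, the lazy widevine pattern requires a HIDL `@major.minor` suffix whereas the non-lazy widevine entry makes it optional with `(@[0-9]+\.[0-9]+)?`, so an AIDL lazy widevine binary would presumably fall through to the default label; confirm which binaries actually ship and align the two patterns.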
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index cb00941..1854107 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,4 +4,4 @@ type imsrcs_service, service_manager_type;
type improve_touch_service, service_manager_type;
type gba_auth_service, service_manager_type;
type qtitetherservice_service, service_manager_type;
-type hal_telephony_service, service_manager_type, vendor_service, protected_service;
+type hal_telephony_service, service_manager_type, hal_service_type, protected_service;
diff --git a/vendor/st/file_contexts b/vendor/st/file_contexts
index eddf11d..dfdfa5d 100644
--- a/vendor/st/file_contexts
+++ b/vendor/st/file_contexts
@@ -1,6 +1,6 @@
###################################
# vendor binaries
-/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service\.st u:object_r:hal_secure_element_default_exec:s0