Merge tag 'android-14.0.0_r29' into staging/lineage-21_merge-android-14.0.0_r29

Android 14.0.0 release 29

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZeZWygAKCRDorT+BmrEO
# eD7OAJ432TWMe9grx03PWAXroMGubhrqOQCfa4pJGdaN9YVr/L8ZI6WdQdsjy6U=
# =3gr6
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar  5 01:18:34 2024 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [marginal]
# gpg: initial-contribution@android.com: Verified 2383 signatures in the past
#      2 years.  Encrypted 4 messages in the past 2 years.
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78

# By Wilson Sung (13) and others
# Via Automerger Merge Worker (428) and others
* tag 'android-14.0.0_r29': (55 commits)
  sepolicy: add read wlc sysfs permission
  Fix rlsservice sepolicy
  Update SELinux error
  Update SELinux error
  Add Secretkeeper HAL
  gs201: move sepolicy related to bootctrl hal to gs-common
  Removes duplicate hidraw_device type definition.
  Suppress avc error log on debugfs's usb folder.
  Move sg_device related policy
  aoc: add sysfs file entry
  Add Pixel Mapper as a sp-HAL
  dontaudit on dir search for vendor_votable_debugfs
  Removes duplicate hidraw_device type definition.
  Change the MDS to platform app in selinux ap context.
  sensors: Move USF related sepolicy to gs-common.
  Update SELinux error
  Add selinux policy change to allow MDS access Samsung OemRil hal.
  Update SELinux policies for rlsservice
  pixelstats: Add Brownout Detection sepolicy
  Update SELinux error
  ...

 Conflicts:
	sepolicy/gs201-sepolicy.mk
	sepolicy/whitechapel_pro/keys.conf

Change-Id: I9fc4aff3c5cc921195544f85b2c176e50712e7d0
Michael Bestas
2024-03-10 09:21:42 +02:00
70 changed files with 240 additions and 290 deletions


@@ -1,3 +1,4 @@
include platform/system/sepolicy:/OWNERS
include device/google/gs-common:/sepolicy/OWNERS
adamshih@google.com
rurumihong@google.com


@@ -16,6 +16,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/whitechapel_pro
# unresolved SELinux error log with bug tracking
BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/tracking_denials
PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201/sepolicy/public
PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201/sepolicy/private
# system_ext


@@ -0,0 +1,16 @@
typeattribute debug_camera_app coredomain;
userdebug_or_eng(`
app_domain(debug_camera_app)
net_domain(debug_camera_app)
allow debug_camera_app app_api_service:service_manager find;
allow debug_camera_app audioserver_service:service_manager find;
allow debug_camera_app cameraserver_service:service_manager find;
allow debug_camera_app mediaextractor_service:service_manager find;
allow debug_camera_app mediametrics_service:service_manager find;
allow debug_camera_app mediaserver_service:service_manager find;
# Allows camera app to access the PowerHAL.
hal_client_domain(debug_camera_app, hal_power)
')


@@ -0,0 +1,17 @@
typeattribute google_camera_app coredomain;
app_domain(google_camera_app)
net_domain(google_camera_app)
allow google_camera_app app_api_service:service_manager find;
allow google_camera_app audioserver_service:service_manager find;
allow google_camera_app cameraserver_service:service_manager find;
allow google_camera_app mediaextractor_service:service_manager find;
allow google_camera_app mediametrics_service:service_manager find;
allow google_camera_app mediaserver_service:service_manager find;
# Allows camera app to access the PowerHAL.
hal_client_domain(google_camera_app, hal_power)
# Library code may try to access vendor properties, but should be denied
dontaudit google_camera_app vendor_default_prop:file { getattr map open };


@@ -0,0 +1,11 @@
# Google Camera
user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
# Google Camera Eng
user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
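Review bot: The entries at L110–L116 select the camera domains by `seinfo=google`, `seinfo=CameraFishfood` and `seinfo=CameraEng`, but no signer stanza on this page assigns any of those values; the only mac_permissions.xml in the change (L183–L185) defines `uwb`. If they are not assigned elsewhere (presumably in gs-common), these lines never match and the packages silently land in the default app domain, which is easy to miss because the app keeps working. A second point worth a comment: the two `CameraEng` lines route to `debug_camera_app`, whose `app_domain` is only declared under `userdebug_or_eng` (L76–L87), so an eng-signed build installed on a user build presumably cannot start, e.g. `# debug_camera_app only has app_domain on userdebug/eng builds; eng-signed GCA is not expected on user builds`.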


@@ -0,0 +1 @@
type debug_camera_app, domain;


@@ -0,0 +1 @@
type google_camera_app, domain;


@@ -0,0 +1,7 @@
typeattribute con_monitor_app coredomain;
app_domain(con_monitor_app)
set_prop(con_monitor_app, radio_prop)
allow con_monitor_app app_api_service:service_manager find;
allow con_monitor_app radio_service:service_manager find;


@@ -0,0 +1,2 @@
type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;


@@ -0,0 +1,11 @@
typeattribute hbmsvmanager_app coredomain;
app_domain(hbmsvmanager_app);
allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
# Standard system services
allow hbmsvmanager_app app_api_service:service_manager find;
allow hbmsvmanager_app cameraserver_service:service_manager find;


@@ -0,0 +1,3 @@
[@UWB]
ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
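Review bot: The certificate path at L157 uses the `device/google/gs201-sepolicy/...` prefix, while the build file in this same merge (L67–L69) adds policy directories under `device/google/gs201/sepolicy/...`; if the repository is checked out at the latter path, as the .mk implies, the `@UWB` tag will not resolve to a certificate. The failure mode is not a policy compile error but a silent mismatch: `seinfo=uwb` is never assigned, so `com.qorvo.uwb.vendorservice` (L197) falls to the default app domain instead of `uwb_vendor_app`, and the `uwb_vendor_data_file` labeling on that line does not apply. Whether the key-insertion step aborts on a missing file or emits an empty signer I cannot tell from here; either way the generated mac_permissions.xml should be checked to contain the certificate. Suggest `ALL : device/google/gs201/sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem` if that is the checkout path.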


@@ -0,0 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<policy>
<!--
* A signature is a hex encoded X.509 certificate or a tag defined in
keys.conf and is required for each signer tag.
* A signer tag may contain a seinfo tag and multiple package stanzas.
* A default tag is allowed that can contain policy for all apps not signed with a
previously listed cert. It may not contain any inner package stanzas.
* Each signer/default/package tag is allowed to contain one seinfo tag. This tag
represents additional info that each app can use in setting a SELinux security
context on the eventual process.
* When a package is installed the following logic is used to determine what seinfo
value, if any, is assigned.
- All signatures used to sign the app are checked first.
- If a signer stanza has inner package stanzas, those stanza will be checked
to try and match the package name of the app. If the package name matches
then that seinfo tag is used. If no inner package matches then the outer
seinfo tag is assigned.
- The default tag is consulted last if needed.
-->
<!-- google apps key -->
<signer signature="@UWB" >
<seinfo value="uwb" />
</signer>
</policy>
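Review bot: The comment `<!-- google apps key -->` at L182 does not describe the stanza beneath it: the only signer here is `@UWB`, which keys.conf (L156–L157) maps to the Qorvo UWB vendor-service certificate, not a Google platform key. A reader auditing which certificates can claim `seinfo=uwb` would be misled by the leftover text. Suggest `<!-- Qorvo UWB vendor service signing key; tag @UWB is defined in keys.conf -->`.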


@@ -0,0 +1,10 @@
# Domain for connectivity monitor
user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
# HbmSVManager
user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
# Qorvo UWB system app
# TODO(b/222204912): Should this run under uwb user?
user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all


@@ -0,0 +1,12 @@
app_domain(uwb_vendor_app)
not_recovery(`
allow uwb_vendor_app app_api_service:service_manager find;
allow uwb_vendor_app nfc_service:service_manager find;
allow uwb_vendor_app radio_service:service_manager find;
allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
')


@@ -0,0 +1,2 @@
# ConnectivityMonitor app
type con_monitor_app, domain;


@@ -0,0 +1 @@
type hbmsvmanager_app, domain;


@@ -0,0 +1,2 @@
type uwb_vendor_app, domain;


@@ -1,24 +1,11 @@
cat_engine_service_app system_app_data_file dir b/238705599
dex2oat privapp_data_file dir b/276386138
hal_contexthub_default fwk_stats_service service_manager b/241714943
hal_face_default traced_producer_socket sock_file b/305600808
hal_power_default hal_power_default capability b/237492146
hal_radioext_default radio_vendor_data_file file b/237093466
incidentd debugfs_wakeup_sources file b/237492091
incidentd incidentd anon_inode b/268147092
init-insmod-sh vendor_ready_prop property_service b/239364360
kernel vendor_charger_debugfs dir b/238571150
kernel vendor_usb_debugfs dir b/227121550
shell adb_keys_file file b/239484612
shell cache_file lnk_file b/239484612
shell init_exec lnk_file b/239484612
shell linkerconfig_file dir b/239484612
shell metadata_file dir b/239484612
shell mirror_data_file dir b/239484612
shell postinstall_mnt_dir dir b/239484612
shell rootfs file b/239484612
shell sscoredump_vendor_data_crashinfo_file dir b/241714944
shell system_dlkm_file dir b/239484612
su modem_img_file filesystem b/240653918
system_app proc_pagetypeinfo file b/275645892
system_server privapp_data_file lnk_file b/276385494
system_server system_userdir_file dir b/282096141
incidentd debugfs_wakeup_sources file b/282626428
incidentd incidentd anon_inode b/282626428
kernel vendor_charger_debugfs dir b/307863370
rild default_prop file b/315720727
rild default_prop file b/315721328
surfaceflinger selinuxfs file b/315104594
vendor_init default_prop file b/315104479
vendor_init default_prop file b/315104803
vendor_init default_prop property_service b/315104803
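Review bot: The new side carries two entries for the same denial with different bug ids — `rild default_prop file b/315720727` / `b/315721328` (L258–L259) and `vendor_init default_prop file b/315104479` / `b/315104803` (L261–L262); as far as I can tell only one bug id can be attached to a given denial when it is logged, so which one surfaces depends on lookup order and the other is dead. More importantly, denials against `default_prop` usually mean a property has no `property_contexts` entry rather than a genuine policy gap, so labeling the property is the fix and tracking it here hides that. Suggest collapsing each pair to a single entry and recording the labeling fix in the bug, e.g. keep `rild default_prop file b/315720727` and drop the duplicate.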


@@ -0,0 +1,2 @@
#b/303391666
dontaudit dmd servicemanager:binder { call };


@@ -1,6 +1,2 @@
# b/185723618
dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
# b/237491813
dontaudit dumpstate app_zygote:process { signal };
# b/277155245
dontaudit dumpstate default_android_service:service_manager { find };


@@ -1,2 +0,0 @@
# b/229209076
dontaudit hal_drm_widevine vndbinder_device:chr_file { read };


@@ -1,3 +0,0 @@
# b/237492146
dontaudit hal_power_default hal_power_default:capability { dac_override };
dontaudit hal_power_default hal_power_default:capability { dac_read_search };


@@ -1,7 +0,0 @@
# b/205904328
dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };


@@ -1,3 +0,0 @@
# b/208721505
dontaudit hal_uwb_vendor_default dumpstate:fd { use };
dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };


@@ -1,2 +1,3 @@
# b/274727778
dontaudit hal_vibrator_default default_android_service:service_manager { find };
# b/306344298
dontaudit hal_vibrator_default service_manager_type:service_manager find;
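Review bot: `dontaudit hal_vibrator_default service_manager_type:service_manager find;` (L318) is written against the attribute rather than a concrete service type, so it silences every unexpected service lookup by the vibrator HAL, not only the one tracked in b/306344298. A tracking_denials rule should be as narrow as the denial it hides; otherwise later policy gaps in this domain are never surfaced by audit, which defeats the purpose of the tracking directory. Suggest naming the service type from the denial log, e.g. `dontaudit hal_vibrator_default <SERVICE_TYPE_FROM_DENIAL>:service_manager find;`, and keeping the attribute form only if several distinct types are genuinely involved.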


@@ -1,2 +0,0 @@
# b/237492091
dontaudit incidentd debugfs_wakeup_sources:file { read };


@@ -1,2 +0,0 @@
# b/227121550
dontaudit kernel vendor_votable_debugfs:dir search;


@@ -1,2 +1,2 @@
# b/214122471
dontaudit servicemanager hal_fingerprint_default:binder { call };
# b/305600595
dontaudit servicemanager hal_thermal_default:binder call;


@@ -1,4 +0,0 @@
# b/215042694
dontaudit surfaceflinger kernel:process { setsched };
# b/208721808
dontaudit surfaceflinger hal_graphics_composer_default:dir { search };


@@ -1,2 +0,0 @@
# b/205656950
dontaudit vendor_init thermal_link_device:file { create };


@@ -1,4 +0,0 @@
# b/278639040
dontaudit vndservicemanager hal_keymint_citadel:binder { call };
# b/278639040
dontaudit vndservicemanager hal_keymint_citadel:binder { call };


@@ -4,5 +4,6 @@ userdebug_or_eng(`
app_domain(cat_engine_service_app)
get_prop(cat_engine_service_app, vendor_rild_prop)
allow cat_engine_service_app app_api_service:service_manager find;
allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
allow cat_engine_service_app system_app_data_file:dir create_dir_perms;
allow cat_engine_service_app system_app_data_file:file create_file_perms;
')
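Review bot: Replacing `r_dir_perms` on `system_app_data_file` (L368) with `create_dir_perms` and `create_file_perms` (L369–L370) turns read-only access to another domain's app data into full write access for `cat_engine_service_app`, and the bug_map entry it retires (`cat_engine_service_app system_app_data_file dir b/238705599`, L230) only recorded a dir denial, so the file-level create grant may be wider than what was observed. The block sits inside `userdebug_or_eng` (header at L364), which limits exposure to debug builds, but a dedicated data type for whatever this app writes would be the least-privilege form. If the wide grant is intended, a comment saying why it must write into system_app data would help, e.g. `# Writes into system_app data (b/238705599); no dedicated type yet`.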


@@ -1,10 +1,2 @@
# ConnectivityMonitor app
type con_monitor_app, domain, coredomain;
app_domain(con_monitor_app)
set_prop(con_monitor_app, radio_prop)
allow con_monitor_app app_api_service:service_manager find;
allow con_monitor_app radio_service:service_manager find;
allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
allow con_monitor_app radio_vendor_data_file:file create_file_perms;


@@ -1,27 +1,12 @@
type debug_camera_app, domain, coredomain;
userdebug_or_eng(`
app_domain(debug_camera_app)
net_domain(debug_camera_app)
allow debug_camera_app app_api_service:service_manager find;
allow debug_camera_app audioserver_service:service_manager find;
allow debug_camera_app cameraserver_service:service_manager find;
allow debug_camera_app mediaextractor_service:service_manager find;
allow debug_camera_app mediametrics_service:service_manager find;
allow debug_camera_app mediaserver_service:service_manager find;
# Allows camera app to access the GXP device.
# Allows camera app to access the GXP device and properties.
allow debug_camera_app gxp_device:chr_file rw_file_perms;
get_prop(debug_camera_app, vendor_gxp_prop)
# Allows camera app to search for GXP firmware file.
allow debug_camera_app vendor_fw_file:dir search;
# Allows camera app to access the PowerHAL.
hal_client_domain(debug_camera_app, hal_power)
')
userdebug_or_eng(`
# Allows GCA-Eng to find and access the EdgeTPU.
allow debug_camera_app edgetpu_app_service:service_manager find;
allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
')
')


@@ -1,18 +1,14 @@
type sda_block_device, dev_type;
type devinfo_block_device, dev_type;
type modem_block_device, dev_type;
type custom_ab_block_device, dev_type;
type persist_block_device, dev_type;
type efs_block_device, dev_type;
type modem_userdata_block_device, dev_type;
type mfg_data_block_device, dev_type;
type sg_device, dev_type;
type vendor_toe_device, dev_type;
type lwis_device, dev_type;
type logbuffer_device, dev_type;
type rls_device, dev_type;
type fingerprint_device, dev_type;
type gxp_device, dev_type, mlstrustedobject;
type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
type vframe_heap_device, dmabuf_heap_device_type, dev_type;
@@ -24,7 +20,3 @@ type fips_block_device, dev_type;
# SecureElement SPI device
type st54spi_device, dev_type;
type st33spi_device, dev_type;
# Raw HID device
type hidraw_device, dev_type;
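Review bot: The types removed from this file (`sda_block_device`, `devinfo_block_device`, `custom_ab_block_device` at L417–L420, `hidraw_device` at L440) are still used by rules that survive on the new side of the merge, e.g. `fastbootd` at L453–L456, so the policy only compiles if gs-common now declares them, as the merged commit subjects ("move sepolicy related to bootctrl hal to gs-common", "Removes duplicate hidraw_device type definition") suggest. That is a cross-repository ordering dependency the merge description does not state, and the next person bisecting a policy build break will not find it from this diff alone. A line in the merge notes such as `Requires gs-common with the bootctrl/hidraw type declarations` would make it explicit.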


@@ -13,4 +13,4 @@ allow dumpstate modem_efs_file:dir r_dir_perms;
allow dumpstate modem_userdata_file:dir r_dir_perms;
allow dumpstate modem_img_file:dir r_dir_perms;
allow dumpstate fuse:dir search;
allow dumpstate rlsservice:binder call;


@@ -4,4 +4,5 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms;
allow fastbootd sda_block_device:blk_file rw_file_perms;
allow fastbootd sysfs_ota:file rw_file_perms;
allow fastbootd st54spi_device:chr_file rw_file_perms;
allow fastbootd custom_ab_block_device:blk_file rw_file_perms;
')


@@ -7,10 +7,7 @@ type vendor_slog_file, file_type, data_file_type;
type updated_wifi_firmware_data_file, file_type, data_file_type;
type vendor_media_data_file, file_type, data_file_type;
type vendor_misc_data_file, file_type, data_file_type;
type sensor_debug_data_file, file_type, data_file_type;
type sensor_reg_data_file, file_type, data_file_type;
type per_boot_file, file_type, data_file_type, core_data_file_type;
type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
type uwb_data_vendor, file_type, data_file_type;
type powerstats_vendor_data_file, file_type, data_file_type;
type vendor_gps_file, file_type, data_file_type;
@@ -30,7 +27,6 @@ type sysfs_em_profile, sysfs_type, fs_type;
# sysfs
type sysfs_chosen, sysfs_type, fs_type;
type sysfs_ota, sysfs_type, fs_type;
type bootdevice_sysdev, dev_type;
type sysfs_fabric, sysfs_type, fs_type;
type sysfs_acpm_stats, sysfs_type, fs_type;
@@ -60,7 +56,6 @@ allow modem_img_file self:filesystem associate;
type persist_battery_file, file_type, vendor_persist_type;
type persist_camera_file, file_type, vendor_persist_type;
type persist_modem_file, file_type, vendor_persist_type;
type persist_sensor_reg_file, file_type, vendor_persist_type;
type persist_ss_file, file_type, vendor_persist_type;
type persist_uwb_file, file_type, vendor_persist_type;
type persist_display_file, file_type, vendor_persist_type;


@@ -20,9 +20,9 @@
/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
/vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0
/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
@@ -36,7 +36,6 @@
/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
@@ -46,10 +45,14 @@
/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
/vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0
/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0
# Vendor Firmwares
/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
# Gralloc
/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0
# Vendor libraries
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
@@ -62,8 +65,6 @@
/vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0
# Graphics
/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
@@ -104,6 +105,7 @@
/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
/dev/logbuffer_bd u:object_r:logbuffer_device:s0
/dev/logbuffer_cpif u:object_r:logbuffer_device:s0
/dev/logbuffer_pcie0 u:object_r:logbuffer_device:s0
/dev/logbuffer_pcie1 u:object_r:logbuffer_device:s0
/dev/bbd_pwrstat u:object_r:power_stats_device:s0
@@ -145,7 +147,6 @@
/dev/gxp u:object_r:gxp_device:s0
/dev/dit2 u:object_r:vendor_toe_device:s0
/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
/dev/sg1 u:object_r:sg_device:s0
/dev/st21nfc u:object_r:nfc_device:s0
/dev/st54spi u:object_r:st54spi_device:s0
/dev/st33spi u:object_r:st33spi_device:s0
@@ -206,8 +207,6 @@
/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
/data/per_boot(/.*)? u:object_r:per_boot_file:s0
/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0
/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
/dev/maxfg_history u:object_r:battery_history_device:s0
/dev/battery_history u:object_r:battery_history_device:s0
@@ -217,7 +216,6 @@
/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
@@ -227,6 +225,3 @@
/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
# Raw HID device
/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
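Review bot: `mapper.pixel.so` becomes `same_process_hal_file` (L517), which means it is loaded into the address space of every gralloc client — system_server and apps included — and runs with that process's privileges rather than inside a confined HAL domain. That is how Gralloc mapper sp-HALs work, so the label is expected, but it deserves the same scrutiny as the other sp-HAL entries in this file and a comment saying so, e.g. `# Gralloc mapper sp-HAL: loaded in-process by every gralloc client, not confined by a HAL domain`. Separately, the unconditional label at L513 for `init.check_ap_pd_auth.sh` pairs with a domain that only has a transition under `userdebug_or_eng` (L787–L794); see the note on that file.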


@@ -346,6 +346,13 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-c
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
@@ -360,6 +367,8 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wir
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
@@ -468,6 +477,18 @@ genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:ob
genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0
# GPS
genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0
genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0
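Review bot: Each `*-003c` entry (L601–L610) labels the whole device directory as `sysfs_wlc`, so every attribute the wireless-charger driver exposes under it inherits that label, and the `rw_file_perms` granted to `hal_wireless_charger` on `sysfs_wlc:file` (L767) then covers all of them rather than the few the HAL needs to write. If only some attributes are meant to be writable, labeling those paths individually, or splitting a read-only type for what `hal_health_default` (L673) and `hal_sensors_default` (L748) consume, keeps the writable surface small. Enumerating i2c-0 through i2c-9 is presumably because the bus number varies per board; a comment saying so would stop someone from pruning the list, e.g. `# WLC controller bus number varies per board; label every candidate i2c-N/N-003c node`.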


@@ -1,26 +1,10 @@
type google_camera_app, domain, coredomain;
app_domain(google_camera_app)
net_domain(google_camera_app)
allow google_camera_app app_api_service:service_manager find;
allow google_camera_app audioserver_service:service_manager find;
allow google_camera_app cameraserver_service:service_manager find;
allow google_camera_app mediaextractor_service:service_manager find;
allow google_camera_app mediametrics_service:service_manager find;
allow google_camera_app mediaserver_service:service_manager find;
# Allows camera app to access the GXP device.
# Allows camera app to access the GXP device and properties.
allow google_camera_app gxp_device:chr_file rw_file_perms;
get_prop(google_camera_app, vendor_gxp_prop)
# Allows camera app to search for GXP firmware file.
allow google_camera_app vendor_fw_file:dir search;
# Allows camera app to access the PowerHAL.
hal_client_domain(google_camera_app, hal_power)
# Allows GCA to find and access the EdgeTPU.
allow google_camera_app edgetpu_app_service:service_manager find;
allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
# Library code may try to access vendor properties, but should be denied
dontaudit google_camera_app vendor_default_prop:file { getattr map open };


@@ -1,9 +0,0 @@
type gxp_logging, domain;
type gxp_logging_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(gxp_logging)
# The logging service accesses /dev/gxp
allow gxp_logging gxp_device:chr_file rw_file_perms;
# Allow gxp tracing service to send packets to Perfetto
userdebug_or_eng(`perfetto_producer(gxp_logging)')


@@ -1,3 +0,0 @@
allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
allow hal_bootctl_default sysfs_ota:file rw_file_perms;


@@ -28,9 +28,6 @@ binder_call(hal_camera_default, edgetpu_vendor_server)
allow hal_camera_default edgetpu_app_service:service_manager find;
binder_call(hal_camera_default, edgetpu_app_server)
# Allow the camera hal to access the GXP device.
allow hal_camera_default gxp_device:chr_file rw_file_perms;
# Allow access to data files used by the camera HAL
allow hal_camera_default mnt_vendor_file:dir search;
allow hal_camera_default persist_file:dir search;


@@ -18,3 +18,4 @@ allow hal_health_default sysfs_batteryinfo:file w_file_perms;
allow hal_health_default sysfs_thermal:dir search;
allow hal_health_default sysfs_thermal:file w_file_perms;
allow hal_health_default thermal_link_device:dir search;
allow hal_health_default sysfs_wlc:file r_file_perms;


@@ -2,15 +2,14 @@
# USF sensor HAL SELinux type enforcements.
#
# Allow access to the AoC communication driver.
allow hal_sensors_default aoc_device:chr_file rw_file_perms;
# Allow reading of camera persist files.
r_dir_file(hal_sensors_default, persist_camera_file)
# Allow access to CHRE socket to connect to nanoapps.
allow hal_sensors_default chre:unix_stream_socket connectto;
allow hal_sensors_default chre_socket:sock_file write;
# Allow access to the files of CDT information.
r_dir_file(hal_sensors_default, sysfs_chosen)
# Allow create thread to watch AOC's device.
allow hal_sensors_default device:dir r_dir_perms;
# Allow display_info_service access to the backlight driver.
allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
# Allow access for dynamic sensor properties.
get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
@@ -18,70 +17,11 @@ get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
# Allow access to raw HID devices for dynamic sensors.
allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
# Allow SensorSuez to connect AIDL stats.
allow hal_sensors_default fwk_stats_service:service_manager find;
# Allow reading of sensor registry persist files and camera persist files.
allow hal_sensors_default mnt_vendor_file:dir search;
allow hal_sensors_default persist_file:dir search;
allow hal_sensors_default persist_file:file r_file_perms;
allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
r_dir_file(hal_sensors_default, persist_camera_file)
# Allow creation and writing of sensor registry data files.
allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
userdebug_or_eng(`
# Allow creation and writing of sensor debug data files.
allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms;
allow hal_sensors_default sensor_debug_data_file:file create_file_perms;
')
# Allow access to the display info for ALS.
allow hal_sensors_default sysfs_display:file rw_file_perms;
# Allow access to the sysfs_aoc.
allow hal_sensors_default sysfs_aoc:dir search;
allow hal_sensors_default sysfs_aoc:file r_file_perms;
# Allow access for AoC properties.
get_prop(hal_sensors_default, vendor_aoc_prop)
# Allow sensor HAL to read AoC dumpstate.
allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
# to synchronize the AP and AoC clock timestamps.
allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
# Allow access to the files of CDT information.
allow hal_sensors_default sysfs_chosen:dir search;
allow hal_sensors_default sysfs_chosen:file r_file_perms;
# Allow access to sensor service for sensor_listener.
binder_call(hal_sensors_default, system_server);
# Allow sensor HAL to reset AOC.
allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
# Allow sensor HAL to read AoC dumpstate.
allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
# Allow sensor HAL to access the display service HAL
allow hal_sensors_default hal_pixel_display_service:service_manager find;
# Allow display_info_service access to the backlight driver.
allow hal_sensors_default sysfs_leds:dir search;
allow hal_sensors_default sysfs_leds:file r_file_perms;
# Allow sensor HAL to access the graphics composer.
binder_call(hal_sensors_default, hal_graphics_composer_default);
# Allow display_info_service access to the backlight driver.
allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
binder_call(hal_sensors_default, hal_graphics_composer_default)
# Allow access to the power supply files for MagCC.
r_dir_file(hal_sensors_default, sysfs_batteryinfo)
allow hal_sensors_default sysfs_wlc:dir r_dir_perms;


@@ -29,3 +29,7 @@ allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
allow hal_usb_impl device:dir r_dir_perms;
allow hal_usb_impl usb_device:chr_file rw_file_perms;
allow hal_usb_impl usb_device:dir r_dir_perms;
# For monitoring usb sysfs attributes
allow hal_usb_impl sysfs_wakeup:dir search;
allow hal_usb_impl sysfs_wakeup:file r_file_perms;
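Review bot: The new rules grant hal_usb_impl read access to everything under the sysfs_wakeup label, while the comment on L756 says the intent is USB attributes; sysfs_wakeup is not USB-specific, so either the comment should name the node actually read or the node should get a USB-specific label so the grant stays minimal. Suggested comment in place of L756: `# For monitoring the USB wakeup-source attributes (sysfs_wakeup covers all wakeup sources; narrow if a USB-specific label exists)`.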


@@ -1,2 +1,7 @@
type hal_wireless_charger, domain;
type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
r_dir_file(hal_wireless_charger, sysfs_wlc)
allow hal_wireless_charger sysfs_wlc:dir search;
allow hal_wireless_charger sysfs_wlc:file rw_file_perms;
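Review bot: `rw_file_perms` on sysfs_wlc (L767) lets the charger HAL write every node under that label, and `r_dir_file(hal_wireless_charger, sysfs_wlc)` on L765 is redundant once the explicit `dir search` / `file rw_file_perms` rules exist, so one of the two forms should go. Whether both L765 and L767 survive on the new side is not recoverable from the rendered page. A comment naming the control nodes that must be written would make the widening reviewable, e.g. `# WLC HAL reads charger status and writes control nodes under sysfs_wlc`.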


@@ -1,14 +1,2 @@
type hbmsvmanager_app, domain, coredomain;
app_domain(hbmsvmanager_app);
allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
binder_call(hbmsvmanager_app, hal_graphics_composer_default)
# Standard system services
allow hbmsvmanager_app app_api_service:service_manager find;
allow hbmsvmanager_app cameraserver_service:service_manager find;


@@ -0,0 +1,14 @@
type init-check_ap_pd_auth-sh, domain;
type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type;
userdebug_or_eng(`
init_daemon_domain(init-check_ap_pd_auth-sh)
set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop)
allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms;
allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms;
allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms;
allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms;
')
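Review bot: The new domain has no header comment saying what the script checks or why it publishes vendor_sjtag_lock_state_prop, and since `init_daemon_domain` and every rule sit inside `userdebug_or_eng` while the two type declarations on L785-L786 do not, on user builds the types exist with no transition and no permissions; that is harmless only if the service that runs the script is also guarded to userdebug/eng in its rc file, which is not visible here. Suggested header above L785: `# Domain for the init-run AP/PD auth check script (userdebug/eng only); reads the SJTAG sysfs nodes and publishes the lock state through vendor_sjtag_lock_state_prop.`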


@@ -11,3 +11,5 @@ allow kernel self:perf_event cpu;
dontaudit kernel vendor_battery_debugfs:dir search;
dontaudit kernel vendor_maxfg_debugfs:dir { search };
dontaudit kernel vendor_regmap_debugfs:dir search;
dontaudit kernel vendor_votable_debugfs:dir search;
dontaudit kernel vendor_usb_debugfs:dir search;


@@ -4,9 +4,6 @@ ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/app.x509.pem
[@MDS]
ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
[@UWB]
ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
[@EUICCSUPPORTPIXEL]
ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem


@@ -27,9 +27,6 @@
<signer signature="@MDS" >
<seinfo value="mds" />
</signer>
<signer signature="@UWB" >
<seinfo value="uwb" />
</signer>
<signer signature="@EUICCSUPPORTPIXEL" >
<seinfo value="EuiccSupportPixel" />
</signer>


@@ -9,6 +9,9 @@ allow modem_diagnostic_app radio_service:service_manager find;
userdebug_or_eng(`
hal_client_domain(modem_diagnostic_app, hal_power_stats);
allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find;
binder_call(modem_diagnostic_app, rild)
binder_call(modem_diagnostic_app, dmd)
set_prop(modem_diagnostic_app, vendor_cbd_prop)
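Review bot: The two new rules on L835-L836 carry no comment, unlike the rest of this file; `binder_call(modem_diagnostic_app, dmd)` and `set_prop(modem_diagnostic_app, vendor_cbd_prop)` should say what MDS does with dmd and which cbd property it sets. They sit inside the `userdebug_or_eng` block opened on L831, which closes outside the hunk. The rild side gets the reciprocal `binder_call(rild, modem_diagnostic_app)` on L883; if dmd also calls back over binder, a matching `binder_call(dmd, modem_diagnostic_app)` is needed in dmd's policy, which is not shown here. Suggested: `# Allow MDS to talk to dmd and set cbd control properties (userdebug/eng only)`.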


@@ -33,6 +33,9 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
# BCL
allow pixelstats_vendor sysfs_bcl:dir search;
allow pixelstats_vendor sysfs_bcl:file r_file_perms;
allow pixelstats_vendor mitigation_vendor_data_file:dir search;
allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;
get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
# PCIe statistics
allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search;
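Review bot: `rw_file_perms` on mitigation_vendor_data_file (L845) is wider than brownout reporting appears to need; if pixelstats only reads the brownout records the mitigation service writes, `r_file_perms` suffices, and if it truncates or rotates them after upload the comment should say so. The new block also lacks the short why-comment the rest of the file uses for each group (compare `# BCL` on L841 and `# PCIe statistics` on L847): `# Brownout detection: read mitigation records and the brownout reason property`.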


@@ -42,5 +42,5 @@ vendor_internal_prop(vendor_trusty_storage_prop)
# Mali Integration
vendor_restricted_prop(vendor_arm_runtime_option_prop)
# ArmNN
vendor_internal_prop(vendor_armnn_config_prop)
# SJTAG lock state
vendor_internal_prop(vendor_sjtag_lock_state_prop)


@@ -83,7 +83,6 @@ vendor.gps. u:object_r:vendor_gps_prop:s0
persist.vendor.gps. u:object_r:vendor_gps_prop:s0
# Fingerprint
persist.vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
vendor.gf. u:object_r:vendor_fingerprint_prop:s0
@@ -107,5 +106,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop
# Mali GPU driver configuration and debug options
vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
# ArmNN configuration
ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix
# SJTAG lock state
ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0
ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0
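Review bot: The two `ro.vendor.sjtag_*_is_unlocked` entries are write-once `ro.` properties whose only visible writers, init-check_ap_pd_auth-sh (L789) and ssr_detector_app (L955), are both inside `userdebug_or_eng`; on user builds these properties are therefore never set, and readers should treat an unset value as locked rather than as unknown. A comment next to the entries would record that contract: `# SJTAG lock state (set only on userdebug/eng; unset on user builds means locked)`. The line removed from the Fingerprint block on L863-L867 cannot be identified from the rendered page.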


@@ -43,4 +43,6 @@ allow rild modem_img_file:lnk_file r_file_perms;
# Allow rild to ptrace for memory leak detection
userdebug_or_eng(`
allow rild self:process ptrace;
binder_call(rild, modem_diagnostic_app)
')


@@ -16,6 +16,8 @@ allow rlsservice mnt_vendor_file:dir search;
allow rlsservice rls_device:chr_file rw_file_perms;
binder_call(rlsservice, hal_camera_default)
binder_call(rlsservice, servicemanager)
# Allow access to display backlight information
allow rlsservice sysfs_leds:dir search;
@@ -30,3 +32,7 @@ allow rlsservice apex_info_file:file r_file_perms;
# Allow read camera property
get_prop(rlsservice, vendor_camera_prop);
# Allow rlsservice bugreport generation
allow rlsservice dumpstate:fd use;
allow rlsservice dumpstate:fifo_file write;
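Review bot: rlsservice now reaches servicemanager (`binder_call(rlsservice, servicemanager)`, L891) and rls_service is registered in service_contexts (L947), but no `add_service(rlsservice, rls_service)` or equivalent `rls_service:service_manager add` rule is visible in this hunk or elsewhere on the page; if it lives outside the hunk this is fine, otherwise registration will be denied at runtime. Moving the service from vndservicemanager (entries removed on L1019 and L1026) to servicemanager also makes it reachable by system-side clients, so the set of domains allowed `find` on rls_service should be checked. The dumpstate fd/fifo rules on L898-L899 are the usual shape for a dump path and are already commented.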


@@ -27,43 +27,22 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag
# Domain for omadm
user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
# HbmSVManager
user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
# grilservice
user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
# Domain for connectivity monitor
user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
# Modem Diagnostic System
user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
# CBRS setup app
user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
# Qorvo UWB system app
# TODO(b/222204912): Should this run under uwb user?
user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
# Domain for EuiccSupportPixel
user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
# Sub System Ramdump
user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
# Google Camera
user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
# Google Camera Eng
user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
# Domain for CatEngineService
user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
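Review bot: The MDS entry changes from `seinfo=mds` (L913) to `seinfo=platform` (L914), so com.google.mds lands in modem_diagnostic_app only when it is platform-signed; an MDS build still signed with the dedicated key would silently fall through to the generic priv-app domain, and the removed keys.conf (L809) and mac_permissions (L818-L820) entries no longer provide a match. Worth confirming the package's signing key before merging. The rest of this section is mostly deletions whose old/new sides are not recoverable from the rendered page.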


@@ -3,3 +3,5 @@ type hal_uwb_vendor_service, service_manager_type, hal_service_type;
# WLC
type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type;
type rls_service, service_manager_type;
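Review bot: `rls_service` is declared with only `service_manager_type`, while the neighbouring `hal_wireless_charger_service` on L939 also carries `protected_service`; the restrictions on which app domains may `find` a service are attribute-based, so a vendor service newly exposed through servicemanager should carry `protected_service` (or the matching hal_service_type) unless untrusted apps are meant to find it, e.g. `type rls_service, protected_service, service_manager_type;`. The same declaration backs the context on L947.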


@@ -2,3 +2,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_
hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
rlsservice u:object_r:rls_service:s0


@@ -13,11 +13,13 @@ userdebug_or_eng(`
allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
get_prop(ssr_detector_app, vendor_aoc_prop)
set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
allow ssr_detector_app proc_vendor_sched:dir search;
allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
allow ssr_detector_app cgroup:file write;
allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
')
get_prop(ssr_detector_app, vendor_ssrdump_prop)
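Review bot: `set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)` (L955) together with `sysfs_sjtag:file rw_file_perms` (L957) lets a system-side app, apparently platform-signed if the `user=system seinfo=platform` entry on L923 survives, write SJTAG sysfs nodes and publish the lock state other domains will trust; if it only needs to read the state, `r_file_perms` plus `get_prop` is the minimal grant. The rules are inside the `userdebug_or_eng` block opened on L951, so user builds are unaffected, but a comment should say why this app rather than the vendor init script on L788-L789 owns the write path: `# userdebug/eng only: SSR detector mirrors SJTAG lock state into vendor_sjtag_lock_state_prop`.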


@@ -1,14 +0,0 @@
#
# USF SELinux type enforcement macros.
#
#
# usf_low_latency_transport(domain)
#
# Allows domain use of the USF low latency transport.
#
define(`usf_low_latency_transport', `
allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
hal_client_domain($1, hal_graphics_allocator)
')


@@ -7,7 +7,6 @@ allow tee persist_file:dir r_dir_perms;
allow tee mnt_vendor_file:dir r_dir_perms;
allow tee tee_data_file:dir rw_dir_perms;
allow tee tee_data_file:lnk_file r_file_perms;
allow tee sg_device:chr_file rw_file_perms;
# Allow storageproxyd access to gsi_public_metadata_file
read_fstab(tee)


@@ -1,18 +1,8 @@
type uwb_vendor_app, domain;
app_domain(uwb_vendor_app)
not_recovery(`
hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
allow uwb_vendor_app app_api_service:service_manager find;
allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
allow uwb_vendor_app nfc_service:service_manager find;
allow uwb_vendor_app radio_service:service_manager find;
allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
allow hal_uwb_vendor_default kernel:process setsched;
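Review bot: `hal_client_domain(uwb_vendor_app, hal_uwb_vendor)` appears twice, at L997 and L1004; the rendered page does not show which side each is on, but if both remain on the new side one is a duplicate. The two `hal_uwb_vendor_default` rules on L1005-L1006 (the sys_nice capability and `kernel:process setsched`) are HAL-domain rules sitting in the app's file; they belong in the HAL's own .te file, and `setsched` on kernel threads deserves a comment naming the thread being re-prioritised. The `not_recovery` block opened on L996 closes outside the hunk.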


@@ -41,6 +41,3 @@ allow vendor_init tee_data_file:lnk_file read;
# Mali
set_prop(vendor_init, vendor_arm_runtime_option_prop)
# ArmNN
set_prop(vendor_init, vendor_armnn_config_prop)


@@ -1,3 +1,2 @@
type rls_service, vndservice_manager_type;
type vendor_surfaceflinger_vndservice, vndservice_manager_type;
type eco_service, vndservice_manager_type;


@@ -1,3 +1,2 @@
rlsservice u:object_r:rls_service:s0
Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
media.ecoservice u:object_r:eco_service:s0