From 98620c3b106b705364954588111b70ade8f1fee6 Mon Sep 17 00:00:00 2001 
From: Woody Lin Date: Fri, 1 Sep 2023 10:11:34 +0800 Subject: [PATCH] Add vendor_sjtag_lock_state_prop and init-check_ap_pd_auth-sh 1. Add init-check_ap_pd_auth-sh for the vendor daemon script `/vendor/bin/init.check_ap_pd_auth.sh`. 2. Add policy for properties `ro.vendor.sjtag_{ap,gsa}_is_unlocked` for init, init-check_ap_pd_auth-sh and ssr_detector to access them. SjtagService: type=1400 audit(0.0:1005): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1006): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1007): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1008): avc: denied { write } for name="property_service" dev="tmpfs" ino=446 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 SjtagService: type=1400 audit(0.0:1009): avc: denied { connectto } for path="/dev/socket/property_service" scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 Bug: 298314432 Change-Id: Ib5dbcc50e266e33797626280504ea9e2cdc9f942 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/init-check_ap_pd_auth-sh.te | 14 ++++++++++++++ whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 4 ++++ whitechapel_pro/ssr_detector.te | 2 ++ 5 files changed, 24 insertions(+) create mode 100644 whitechapel_pro/init-check_ap_pd_auth-sh.te 
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 91662c8b..75f8ccc1 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -44,6 +44,7 @@
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0
 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/whitechapel_pro/init-check_ap_pd_auth-sh.te b/whitechapel_pro/init-check_ap_pd_auth-sh.te
new file mode 100644
index 00000000..bcd855c2
--- /dev/null
+++ b/whitechapel_pro/init-check_ap_pd_auth-sh.te
@@ -0,0 +1,14 @@
+type init-check_ap_pd_auth-sh, domain;
+type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(init-check_ap_pd_auth-sh)
+
+ set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop)
+
+ allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms;
+ allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms;
+
+ allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms;
+ allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms;
+')
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 723379ba..559511a0 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -41,3 +41,6 @@ vendor_internal_prop(vendor_trusty_storage_prop)
 
 # Mali Integration
 vendor_restricted_prop(vendor_arm_runtime_option_prop)
+
+# SJTAG lock state
+vendor_internal_prop(vendor_sjtag_lock_state_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index b9a563f3..0ff833e8 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
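Review bot: In whitechapel_pro/init-check_ap_pd_auth-sh.te both `type` declarations sit outside `userdebug_or_eng`, while `init_daemon_domain` and every allow rule sit inside it, so on user builds the script is still labelled by the new file_contexts entry but has no domain transition. The init .rc that starts the script is not part of this patch; if the service is also defined on user builds, init would presumably have no domain to run it in, so it is worth confirming that the service is debug-only. A header comment would make the intent explicit, for example `# init.check_ap_pd_auth.sh: userdebug/eng only; reads sysfs_sjtag and sets ro.vendor.sjtag_{ap,gsa}_is_unlocked`.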
@@ -105,3 +105,7 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop
 
 # Mali GPU driver configuration and debug options
 vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
+
+# SJTAG lock state
+ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0
+ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
index 2caf6d77..a93d5bdb 100644
--- a/whitechapel_pro/ssr_detector.te
+++ b/whitechapel_pro/ssr_detector.te
@@ -13,11 +13,13 @@ userdebug_or_eng(`
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
 get_prop(ssr_detector_app, vendor_aoc_prop)
+ set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
 allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
 allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
 allow ssr_detector_app proc_vendor_sched:dir search;
 allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
 allow ssr_detector_app cgroup:file write;
+ allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
 ')
 
 get_prop(ssr_detector_app, vendor_ssrdump_prop)
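Review bot: The two new entries in whitechapel_pro/property_contexts carry no match kind or value type, so each is treated as a prefix: any property whose name merely begins with `ro.vendor.sjtag_ap_is_unlocked` or `ro.vendor.sjtag_gsa_is_unlocked` also receives `vendor_sjtag_lock_state_prop`. Because these are two fixed names, they can be pinned with `exact` and a type, e.g. `ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 exact bool`, and likewise for the `gsa` line. The values written are not visible in this patch, so use `string` or `int` instead of `bool` if the script publishes something other than a boolean.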
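Review bot: `set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)` in whitechapel_pro/ssr_detector.te gives an app domain write access to the same `ro.` properties that init-check_ap_pd_auth-sh sets, and a `ro.` property keeps the first value written, so whichever domain writes first decides the reported SJTAG lock state. The quoted denials show the app reaching property_service, so it presumably does write; a comment stating which property each domain owns (or a separate property type per writer) would keep that visible, e.g. `# ssr_detector_app sets ro.vendor.sjtag_<NAME>_is_unlocked; the other one is owned by init-check_ap_pd_auth-sh`. Separately, `allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;` is not backed by any denial in the commit message and grants `execute_no_trans` without `execute`, `read` or `open`; unless those are granted outside this hunk, `rx_file_perms` as used in the new init-check_ap_pd_auth-sh.te is probably what is needed. The `userdebug_or_eng` block starts before the hunk.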