Evolution-x-devices/device_google_gs201
2
0
Fork 0
mirror of https://github.com/Evolution-X-Devices/device_google_gs201 synced 2026-01-27 14:29:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
2,561 Commits 5 Branches 0 Tags
4e4effcd1759fac802e40b56ec643b7409477ccd
Commit Graph

1082 Commits

Author SHA1 Message Date
Thiébaud Weksteen
1b64d05d93 Remove duplicate service entries 
These entries are defined in the platform policy.

Flag: EXEMPT bugfix
Bug: 367832910
Test: TH
Change-Id: I9e06b0c95330afa22da324e3669121d4477baa2f
 2024-10-17 02:58:49 +00:00
Nick Kralevich
10dbaa11ca convert-to-ext4-sh.te: use su domain instead am: 588e82af38 am: a37bde70e7 
Original change: https://android-review.googlesource.com/c/device/google/gs201-sepolicy/+/3308857

Change-Id: I37726c7b54dd6ce65828bfb8cbe18f31bd8c7dd7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-10-15 23:25:27 +00:00
Nick Kralevich
588e82af38 convert-to-ext4-sh.te: use su domain instead 
07af2808d5 (b/239632964) added
security policy support for /system_ext/bin/convert_to_ext4.sh.
This shell script converts f2fs filesystems into ext4 filesystems
on debuggable builds (userdebug or eng) only. Ever since 2022,
the security policy for this shell script has been in permissive
mode, meaning no SELinux rules were being enforced.

  # convert-to-ext4-sh.te
  permissive convert-to-ext4-sh;

In the intervening 2 years, there has been no attempt to move
this domain into enforcing mode. And by now, this script has
likely served its purpose, by converting f2fs /persist filesystems
on engineering builds to ext4, and is probably no longer needed.

This change eliminates the use of the unenforced convert-to-ext4-sh
security domain, preferring instead to use the "su" security domain.
Like convert-to-ext4-sh, the su security domain enforces no rules
on debuggable builds, and is equivalent to traditional root on
desktop Linux systems, or running /system/xbin/su. This change
eliminates unnecessary technical complexity, and unblocks other
hardening changes, such as WIP commit
https://android-review.googlesource.com/c/platform/system/sepolicy/+/3308856

Moving from one permissive domain ("convert-to-ext4-sh") to another
permissive domain ("su") should be a no-op from a security and
functionality perspective.

Test: compiles and builds, passes treehugger.
Bug: 239632964
Change-Id: Ifd628310a923926d1a57b568c7703cb857f0871b
 2024-10-15 10:30:19 -07:00
Eileen Lai
f906b69f95 modem_svc: use shared_modem_platform to replace all modem_svc_sit 
Bug: 368257019

Flag: NONE local testing only
Change-Id: Icc258ce297b5e7ea51fa60aa2ffb09ce99b7ef18
 2024-10-14 07:27:41 +00:00
samou
315cc63557 sepolicy: allow dumpstate to execute dump_power 
10-04 19:36:47.308  7141  7141 I android.hardwar: type=1400 audit(0.0:6974): avc:  denied  { execute_no_trans } for  path="/vendor/bin/dump/dump_power" dev="overlay" ino=91 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1
10-04 19:36:47.332  7141  7141 I dump_power: type=1400 audit(0.0:6975): avc:  denied  { read } for  name="acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-04 19:36:47.332  7141  7141 I dump_power: type=1400 audit(0.0:6976): avc:  denied  { open } for  path="/sys/devices/platform/acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-04 19:36:47.332  7141  7141 I dump_power: type=1400 audit(0.0:6977): avc:  denied  { search } for  name="acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-04 19:36:47.332  7141  7141 I dump_power: type=1400 audit(0.0:6978): avc:  denied  { read } for  name="core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-04 19:36:47.332  7141  7141 I dump_power: type=1400 audit(0.0:6979): avc:  denied  { open } for  path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-04 19:36:47.332  7141  7141 I dump_power: type=1400 audit(0.0:6980): avc:  denied  { getattr } for  path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-04 19:36:47.336  7141  7141 I dump_power: type=1400 audit(0.0:6981): avc:  denied  { read } for  name="time_in_state" dev="sysfs" ino=50604 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:25): avc:  denied  { read } for  name="version" dev="sysfs" ino=62887 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:26): avc:  denied  { read } for  name="version" dev="sysfs" ino=62887 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:27): avc:  denied  { read } for  name="status" dev="sysfs" ino=62888 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:28): avc:  denied  { read } for  name="status" dev="sysfs" ino=62888 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:29): avc:  denied  { read } for  name="fw_rev" dev="sysfs" ino=62915 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:30): avc:  denied  { read } for  name="fw_rev" dev="sysfs" ino=62915 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:46:57.664  7194  7194 W dump_power: type=1400 audit(0.0:29): avc:  denied  { search } for  name="battery" dev="sysfs" ino=63428 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664  7194  7194 W dump_power: type=1400 audit(0.0:30): avc:  denied  { search } for  name="10d50000.hsi2c" dev="sysfs" ino=21301 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664  7194  7194 W dump_power: type=1400 audit(0.0:31): avc:  denied  { search } for  name="power_supply" dev="sysfs" ino=79013 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664  7194  7194 W dump_power: type=1400 audit(0.0:32): avc:  denied  { search } for  name="power_supply" dev="sysfs" ino=79013 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664  7194  7194 W dump_power: type=1400 audit(0.0:33): avc:  denied  { search } for  name="10d50000.hsi2c" dev="sysfs" ino=21301 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18792): avc:  denied  { search } for  name="battery" dev="sysfs" ino=63428 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18793): avc:  denied  { read } for  name="uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18794): avc:  denied  { open } for  path="/sys/devices/platform/google,battery/power_supply/battery/uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18795): avc:  denied  { getattr } for  path="/sys/devices/platform/google,battery/power_supply/battery/uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18796): avc:  denied  { search } for  name="8-003c" dev="sysfs" ino=55942 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18797): avc:  denied  { read } for  name="maxfg" dev="sysfs" ino=62568 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18798): avc:  denied  { read } for  name="logbuffer_tcpm" dev="tmpfs" ino=1285 scontext=u:r:dump_power:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18799): avc:  denied  { open } for  path="/dev/logbuffer_tcpm" dev="tmpfs" ino=1285 scontext=u:r:dump_power:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6191): avc:  denied  { search } for  name="mitigation" dev="dm-50" ino=3758 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=dir permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6192): avc:  denied  { read } for  name="thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6193): avc:  denied  { open } for  path="/data/vendor/mitigation/thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6194): avc:  denied  { getattr } for  path="/data/vendor/mitigation/thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6195): avc:  denied  { search } for  name="mitigation" dev="sysfs" ino=85222 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6196): avc:  denied  { read } for  name="last_triggered_count" dev="sysfs" ino=85275 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6197): avc:  denied  { open } for  path="/sys/devices/virtual/pmic/mitigation/last_triggered_count" dev="sysfs" ino=85275 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1
10-04 22:01:08.400  7074  7074 I dump_power: type=1400 audit(0.0:6198): avc:  denied  { read } for  name="batoilo_count" dev="sysfs" ino=85287 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=file permissive=1
10-04 23:49:14.616  6976  6976 I dump_power: type=1400 audit(0.0:875): avc:  denied  { read } for  name="thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 23:49:14.616  6976  6976 I dump_power: type=1400 audit(0.0:876): avc:  denied  { open } for  path="/data/vendor/mitigation/thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 23:49:14.616  6976  6976 I dump_power: type=1400 audit(0.0:877): avc:  denied  { getattr } for  path="/data/vendor/mitigation/thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-05 00:00:44.540  7085  7085 I dump_power: type=1400 audit(0.0:878): avc:  denied  { read } for  name="acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-05 00:00:44.540  7085  7085 I dump_power: type=1400 audit(0.0:879): avc:  denied  { open } for  path="/sys/devices/platform/acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-05 00:00:44.540  7085  7085 I dump_power: type=1400 audit(0.0:880): avc:  denied  { search } for  name="acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-05 00:00:44.544  7085  7085 I dump_power: type=1400 audit(0.0:881): avc:  denied  { read } for  name="core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-05 00:00:44.544  7085  7085 I dump_power: type=1400 audit(0.0:882): avc:  denied  { open } for  path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-05 00:00:44.544  7085  7085 I dump_power: type=1400 audit(0.0:883): avc:  denied  { getattr } for  path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-05 00:00:44.544  7085  7085 I dump_power: type=1400 audit(0.0:884): avc:  denied  { read } for  name="time_in_state" dev="sysfs" ino=45585 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1
10-05 00:00:44.544  7085  7085 I dump_power: type=1400 audit(0.0:885): avc:  denied  { open } for  path="/sys/devices/platform/cpupm/cpupm/time_in_state" dev="sysfs" ino=45585 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1

Flag: EXEMPT refactor
Bug: 364989823
Change-Id: Ie4637b1295975c716f50333ad6635b9694a624b8
Signed-off-by: samou <samou@google.com>
 2024-10-04 16:07:07 +00:00
Tej Singh
077e59c64f Make android.framework.stats-v2-ndk app reachable 
For libedgetpu

Test: TH
Bug: 354763040
Flag: EXEMPT bugfix
Change-Id: If78bc951a9a4cfc223d01970ca6819fe2b5c6335
 2024-09-20 21:34:56 -07:00
Prochin Wang
a5eb284c4a Change vendor_fingerprint_prop to vendor_restricted_prop 
This is to allow the fingerprint HAL to access the property.

Bug: 366105474
Flag: build.RELEASE_PIXEL_BOOST_DATALAYER_PSA_ENABLED
Test: mm
Change-Id: I5b07acfd7599b099997d46b297e1f7400a9fe478
 2024-09-16 01:45:44 +00:00
Vic Huang
bd7fbe9a02 [BT] Define vendor_bluetooth_prop 
avc:  denied  { set } for property=persist.vendor.service.bdroid.bdaddr pid=860 uid=1002 gid=1002 scontext=u:r:hal_bluetooth_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0

Bug: 359428216
Test: Forest build
Flag: EXEMPT N/A
Change-Id: I1aeb04e32620b2815db02f34ee40eae94deeed3c
 2024-09-09 05:47:01 +00:00
Randall Huang
b67284dc2f storage: move storage related device type to common folder 
Bug: 364225000
Test: forrest build
Change-Id: Iaed5b07a1d9823ebf3c7210921784d81bf6207a5
Signed-off-by: Randall Huang <huangrandall@google.com>
 2024-09-04 10:44:13 +08:00
Randall Huang
5e8b0722d0 Storage: label ufs firmware upgrade script 
Bug: 361093041
Test: local build
Change-Id: I312d071ecaaedb09b54976e6b3bfe05e7bc6cdea
Signed-off-by: Randall Huang <huangrandall@google.com>
 2024-09-02 22:22:44 +00:00
attis
150634f087 Label sysfs node power_mode as sysfs_display. 
Label power_mode to sysfs_panel to let it be allowed in dumpstate.

avc log:
08-26 13:07:49.660 12467 12467 W dump_display: type=1400 audit(0.0:19): avc:  denied  { read } for  name="power_mode" dev="sysfs" ino=89753 scontext=u:r:dump_display:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 bug=b/350831939

Test: ls -Z, adb bugreport.
Flag: EXEMPT bugfix
Bug: 358505990
Change-Id: I9feeb2a8270f89d214f7d765893364d0e73f7d39
Signed-off-by: attis <attis@google.com>
 2024-09-02 04:54:13 +00:00
samou
a8d35041b3 sepolicy: gs201: fix bm selinux 
- add odpm scale value path
- add gpu cur_freq

Flag: EXEMPT refactor
Bug: 349935208
Change-Id: Ie053ead11eae4abdd0a30f74117d9c3e00eedf53
Signed-off-by: samou <samou@google.com>
 2024-08-23 10:58:20 +00:00
samou
5e0dca971a sepolicy: remove dump_power_gs201.sh 
Flag: EXEMPT refactor
Bug: 349935208
Change-Id: I3c0f48d00d312ef19677fe5ef9f080f063408667
Signed-off-by: samou <samou@google.com>
 2024-08-23 10:58:20 +00:00
Xiaofan Jiang
e8d359e8d4 Revert "Revert "gs201: update shared_modem_platform sepolicy for..." 
Revert submission 28822848-revert-28762313-SAYUORWKVG

Reason for revert: issue identify and fix is ready

Reverted changes: /q/submissionid:28822848-revert-28762313-SAYUORWKVG

Change-Id: Iae3ca282426fca573b4c42355e1b46eaa74d3c58
 2024-08-15 19:25:28 +00:00
Priyanka Advani (xWF)
e1a2549168 Revert "gs201: update shared_modem_platform sepolicy for UMI" 
Revert submission 28762313

Reason for revert: Droidmonitor created revert due to b/360059249.

Reverted changes: /q/submissionid:28762313

Change-Id: I0fc3d7d99b999eedf7e3948afb58fd962045f1e1
 2024-08-15 18:30:25 +00:00
Xiaofan Jiang
b958dd13ad gs201: update shared_modem_platform sepolicy for UMI 
Bug: 357139752

Flag: EXEMPT sepolicy

[   68.189198] type=1400 audit(1722986580.568:59): avc:  denied  { unlink } for  comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[   68.189448] type=1400 audit(1722986580.568:60): avc:  denied  { create } for  comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1

Change-Id: I0bbef83a3915e4c0e284296bc5b59e0ce6cf6f15
 2024-08-15 04:01:03 +00:00
Kevin Ying
3c082cdefd Allow camera HAL to access power_state sysfs 
08-03 01:41:34.444   791   791 W TaskPool: type=1400 audit(0.0:178): avc:  denied  { read } for  name="power_state" dev="sysfs" ino=86770 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 339690296
Test: Open camera under SELinux enforcing mode, no display avc error
Flag: EXEMPT resource update only
Change-Id: Ic0f2d149cbcd8a3da5035f6d2788b4548523bbd6
Signed-off-by: Kevin Ying <kevinying@google.com>
 2024-08-09 17:40:00 +00:00
Wilson Sung
3e1197bafb Add kernel vendor_fw_file dir read permission 
07-31 05:35:39.208 885 885 W binder:885_5: type=1400 audit(0.0:125): avc: denied { read } for name="firmware" dev="dm-7" ino=48 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_fw_file:s0 tclass=dir

Fix: 356530883
Flag: EXEMPT bugfix
Change-Id: I1bb8fcfc952c69c991fd978a617eb92558817267
 2024-08-02 09:18:50 +00:00
Daniel Chapin
e825da7d84 Revert "trusty: storageproxy: add fs_ready_rw property context" 
Revert submission 28318041-rw_storage

Reason for revert: Droidfood blocking bug b/355163562

Reverted changes: /q/submissionid:28318041-rw_storage

Change-Id: Ifa22c1551e75dd5161a19c5fb5cb372fe669921c
 2024-07-24 20:17:20 +00:00
Mike McTernan
27df5480c4 trusty: storageproxy: add fs_ready_rw property context 
Flag: EXEMPT bug fix
Bug: 350362101
Test: ABTD
Change-Id: I2d6d1ab8dbd60c21a16cadc26c5e4d5d290df42d
 2024-07-23 10:02:20 +00:00
Carl Tsai
e1d272f6c9 Add to allocate a security context for panel_pwr_vreg 
type=1400 audit(1719903781.812:18): avc:  denied  { read } for  comm="dump_display" name="panel_pwr_vreg" dev="sysfs" ino=87631 scontext=u:r:dump_display:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 350831939
Test: run pts -m PtsSELinuxTestCases -t com.google.android.selinux.pts.SELinuxTest#scanBugreport to check the test is Pass
Flag: EXEMPT bugfix
Change-Id: Ib03479bece87f26f48d6998dfd9b2dd84d439204
 2024-07-16 08:02:09 +00:00
Aaron Tsai
b05833237c Add permission for setting gril property 
05-22 18:00:40.443   948   948 I auditd  : type=1400 audit(0.0:854): avc:  denied  { write } for  comm="radioext@1.0-se" name="property_service" dev="tmpfs" ino=851 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Bug: 343012301
Bug: 203824024
Test: manual test
Flag: EXEMPT bugfix
Change-Id: Ie873e186d3eda618ba832164d9c9713b410977d2
 2024-07-05 08:05:01 +00:00
Chaitanya Cheemala
9d3f39622c Revert "SELinux: fix avc denials" 
This reverts commit d1fe9f8f80.

Reason for revert: Likely culprit for b/340511525  - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.

Change-Id: I65790202886298f9862d68d65cf794e67db5a878
 2024-05-14 15:07:58 +00:00
Ken Yang
d1fe9f8f80 SELinux: fix avc denials 
Bug: 338332877
Change-Id: I5fb0a73cdc0d276ec14e55906c9bbd9c6875c786
Signed-off-by: Ken Yang <yangken@google.com>
 2024-05-14 05:14:55 +00:00
chenkris
5a1bb0df6e Allow fingerprint to access the folder /data/vendor/fingerprint 
Fix the following avc denial:
android.hardwar: type=1400 audit(0.0:20): avc:  denied  { write } for  name="fingerprint" dev="dm-56" ino=36703 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0

Bug: 267766859
Test: Tested fingerprint under enforcing mode
Change-Id: I11c465fe89fcbfa7d9132ccee1c7666d1cd75a24
 2024-05-08 08:46:26 +00:00
Enzo Liao
66254ad14d Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. 
New paths (ag/26620507):
  RamdumpService: device/google/gs-common/ramdump_app
  SSRestartDetector: device/google/gs-common/ssr_detector_app

Bug: 298102808
Design: go/sys-software-logging
Test: Manual
Change-Id: I57f9b8b77aa070ad2216cae1e84630a26a03618d
 2024-04-11 02:03:11 +00:00
kadirpili
60c66448ef gs201: telephony property for cbd 
Bug: 315104803
Change-Id: I2560871e9477a5f8dcd9519b6c60353e89c5df82
 2024-04-01 05:12:58 +00:00
Hungyen Weng
2b9b7cc688 Allow modem_svc to access modem files and perfetto 
Bug: 330730987

Test: Confirmed that modem_svc is able to access token db files in modem partition
Test: Confiemed that modem_svc can send traces to perfetto

Change-Id: Id50a1fc3b343be9eec834418638c689d8ea56b35
 2024-03-22 23:53:34 +00:00
Spade Lee
596f6ab199 pixelstats_vendor: add logbuffer_device r_file_perms 
avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0

Bug: 329174074
Test: no denied log, and able to read logbuffer in pixelstats_vendor
Change-Id: Ia591a091fe470c2c367b80b8f1ef9eea6002462c
Signed-off-by: Spade Lee <spadelee@google.com>
 2024-03-22 07:30:26 +00:00
Spade Lee
269f1640d8 sepolicy: allow kernel to search vendor debugfs 
audit: type=1400 audit(1710259012.824:4): avc:  denied  { search } for  pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0
audit: type=1400 audit(1710427790.680:2): avc:  denied  { search } for  pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1
audit: type=1400 audit(1710427790.680:3): avc:  denied  { search } for  pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1

Bug: 328016570
Bug: 329317898
Test: check all debugfs folders are correctly mounted
Change-Id: I7ca3804056bbfd8459bac2c029a494767f3ae1a6
Signed-off-by: Spade Lee <spadelee@google.com>
 2024-03-20 18:17:15 +00:00
Sungtak Lee
9088b1a9be Add AIDL media.c2 into service_contexts 
Bug: 321808716
Change-Id: Ib2426b1997517b23d1301f3a1a30d9029d129971
 2024-03-05 06:16:54 +00:00
Peter Lin
1c7d8f80f2 add dsim wakeup labels 
Bug: 322035303
Bug: 321733124
test: ls sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup -Z
Change-Id: Ifcf73176620f44743a8aa252f8afed85c3af475c
 2024-03-04 03:02:14 +00:00
Will McVicker
9be1081f00 Update tcpm i2c sepolicy with new device name 
The new name fixes uninformative kernel wakelock names.

Bug: 315190967
Bug: 323447554
Change-Id: I88ecec344fd1eb84c5ca12a6bd3fad38cc40295b
 2024-02-22 17:54:36 +00:00
Lei Ju
967204e373 [gs201] Use common settings for Contexthub HAL 
The change also labeled files under /data/vendor/chre/ to grant
required access.

Test: compilation
Bug: 248615564
Change-Id: Ia96b7a592523e7b5e64acb8cb7ae4f0f1fc3a78b
 2024-02-18 11:43:27 -08:00
Jacky Liu
28c042f51a Update i2c device paths 
Update i2c device paths with static bus numbers.

Bug: 323447554
Test: Boot to home
Change-Id: I3d41e1819aa7df896322a0dca44449c1e871dff8
 2024-02-06 16:16:53 +00:00
Darren Hsu
1f8b299ace sepolicy: allow hal_power_stats to read sysfs_display 
avc:  denied  { read } for  name="available_disp_stats"
dev="sysfs" ino=76162 scontext=u:r:hal_power_stats_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 317767775
Test: dumpsys android.hardware.power.stats.IPowerStats/default
Change-Id: I272f69f4c4720eb4800a8a13ef62e1ab34cbaedf
Signed-off-by: Darren Hsu <darrenhsu@google.com>
 2024-01-29 05:59:52 +00:00
Jack Wu
f32bd56cb0 dontaudit on dir search for vendor_charger_debugfs 
Bug: 307863370
Change-Id: I6da7b9426cdcc6152ff05ef7cd0cf18b718ab875
Signed-off-by: Jack Wu <wjack@google.com>
 2024-01-26 20:13:23 +08:00
Ken Yang
f1c2498079 selinux: label wakeup for BMS I2C 0x36, 0x69 
Bug: 319035561
Change-Id: I45a80157d2a1d12a27a748aed31bb0ae5b08e7b5
Signed-off-by: Ken Yang <yangken@google.com>
 2024-01-10 06:12:19 +00:00
wenchangliu
997782c603 gs201: move mediacodec_samsung sepolicy to gs-common 
remove mediacodec_samsung sepolicy in legacy path since we will include it from gs-common.

Bug: 318793681
Test: build pass, camera record, youtube
Change-Id: I08a9ce89155324b0ac749bde4a9d205585a57320
Signed-off-by: wenchangliu <wenchangliu@google.com>
 2024-01-09 14:49:56 +00:00
Chi Zhang
c45f36f10e Allow GRIL to get power stats. 
SELinux : avc:  denied  { find } for pid=3147 uid=10219 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:grilservice_app:s0:c219,c256,c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1

Bug: 286187143
Test: build and boot
Change-Id: I4588708267fc0f582c767a93e5a422a6e40b6369
 2023-12-19 12:21:45 -08:00
Jenny Ho
04bc1d210a sepolicy: add read wlc sysfs permission 
12-12 18:33:17.960000  1000   906   906 I auditd  : type=1400 audit(0.0:10): avc:  denied  { read } for  comm="android.hardwar" name="type" dev="sysfs" ino=75851 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0

Bug: 306534100
Change-Id: I3381aaa1e08637c1cc8eb278bd775c81b32ed3bd
Signed-off-by: Jenny Ho <hsiufangho@google.com>
 2023-12-13 07:31:13 +00:00
Boon Jun Soh
a4fa4427bc Fix rlsservice sepolicy 
Allows bugreport generation

Bug: 315255760
Bug: 309379465
Test: abd bugreport & ensure lack of rls avc denied logs
Change-Id: Ic390d6ddd6bac78e5979c78bc6d02262f08b3468
 2023-12-11 07:30:24 +00:00
David Drysdale
eca39285c5 Add Secretkeeper HAL 
Test: VtsAidlAuthGraphSessionTest
Bug: 306364873
Change-Id: I84d4098960d6445da1eb7e58e25a015cd591d6b3
 2023-12-06 10:21:00 +00:00
Jason Chiu
e2d9795558 gs201: move sepolicy related to bootctrl hal to gs-common 
Bug: 265063384
Change-Id: I30a71900c2a305b05ae6e17d658df32d95097d14
Signed-off-by: Jason Chiu <jasoncschiu@google.com>
 2023-12-05 01:21:53 +08:00
Khoa Hong
a2847d4475 Suppress avc error log on debugfs's usb folder. 
The XHCI driver in kernel will write debugging information to DebugFS on
some USB host operations (for example: plugging in a USB headphone). We
are not using those information right now.

Bug: 305880925
Bug: 311088739
Test: No error when plugging a USB headphone in.
Change-Id: I3b53a3924a1fb3f2a37b0d8a1ae9df037cbc1dd2
 2023-11-30 14:59:09 +08:00
Randall Huang
2bd12254f4 Move sg_device related policy 
Bug: 312582937
Test: make selinux_policy
Change-Id: I18617643e66d6d2fe5ff19e440dea204206b3035
Signed-off-by: Randall Huang <huangrandall@google.com>
 2023-11-22 14:16:38 +08:00
Alex Iacobucci
8f30df1dcf aoc: add sysfs file entry 
Test: on device
Bug: 309950738
Change-Id: Ie5437a02b3a4f69d05ecb274169b4bd328315a22
Signed-off-by: Alex Iacobucci <alexiacobucci@google.com>
 2023-11-20 20:22:25 +00:00
Devika Krishnadas
3b40f18e29 Add Pixel Mapper as a sp-HAL 
Bug: 267352318

Change-Id: I460f379d8d6904f5bda3f67a7158c0ac6f2e7b5f
Signed-off-by: Devika Krishnadas <kdevika@google.com>
 2023-11-20 18:17:26 +00:00
Kyle Tso
7411947a02 dontaudit on dir search for vendor_votable_debugfs 
Bug: 305880925
Bug: 309379994
Change-Id: I7317bdb4ec80eb73a57cbb924d3132579e0b4f98
Signed-off-by: Kyle Tso <kyletso@google.com>
 2023-11-17 05:22:09 +00:00
Daniel Norman
b204558a73 Removes duplicate hidraw_device type definition. 
This type is now defined by the platform.

Bug: 303522222
Change-Id: Ia2f817ce99548c30f39a5164c8f6ec323db66155
Test: ls -z /dev/hidraw0
 2023-11-10 22:52:26 +00:00