Evolution-x-devices/device_google_wahoo
2
0
Fork 0
mirror of https://github.com/Evolution-X-Devices/device_google_wahoo synced 2026-02-01 07:50:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
397 Commits 2 Branches 0 Tags
3d68a0b40feb4bb90e55ffc3e4ad769735e65f74
Commit Graph

153 Commits

Author SHA1 Message Date
TreeHugger Robot
bd54d8c743 Merge "Adding allows and file_contexts to handle the following camera denials" 2017-04-26 05:15:36 +00:00
Max Bires
93f989ecc1 Adding allows and file_contexts to handle the following camera denials 
These were occuring on camera init:
denied { read } for pid=699 comm="CAM_laser_sens" name="input"
dev="tmpfs" ino=17802 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=dir

denied { write } for pid=699 comm="CAM_laser_sens"
name="enable_ps_sensor" dev="sysfs" ino=39968
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { call } for pid=810 comm="cameraserver"
scontext=u:r:cameraserver:s0 tcontext=u:r:mediacodec:s0 tclass=binder

Bug: 37669506
Test: These denials no longer occur during init
Change-Id: Ie97ab9433efd43da29f18ffa652c43701b3662af
 2017-04-26 03:28:38 +00:00
TreeHugger Robot
d28655ffd0 Merge "Putting system_server into permissive." 2017-04-26 00:41:46 +00:00
Max Bires
3914ca04bd Putting system_server into permissive. 
System_server is attempting to access a .so that is currently labeled as
a vendor file, which is messing up the ability of anything on the device
to interact with sensor services. This will temporarily be put into
permissive until the .so can be properly relabeled.

Denial:
denied { execute } for pid=1380 comm="system_server" path="/vendor/li
b64/liblocation_api.so" dev="sda20" ino=929
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

Bug: 37675139
Bug: 37669506
Test: adb shell dumpsys sensorservice works as expected
Change-Id: Ia13641dfaf4ab65f9060dc35b3778b9c88fb0242
 2017-04-25 16:00:49 -07:00
TreeHugger Robot
4248fac623 Merge "Adding allows for smlog and dumpstate" 2017-04-25 22:47:05 +00:00
Miao Wang
9898d9d468 Bring-up RenderScript HAL for Muskie / Walleye 
Bug: 36097673
Test: mm && tested on Walleye to make sure QCOM driver load.
Test: RS CTS tests pass
Test: Imageprocessing tests pass, and confirming running on GPU.

Change-Id: Iaca74a8e90d9fd10e4327bd55d982e95b700ca0f
 2017-04-25 14:11:06 -07:00
Jie Song
85b1b4d5e1 Adding allows for smlog and dumpstate 
1. Adding allows for smlog and dumpstate
2. Moving log path to data/vendor

Bug: 37169733
Test: Verify modem logs in bugreport
Change-Id: Ifaef1976bc7b88afdd3ee2a7ef82a78853c5ee14
 2017-04-25 13:55:49 -07:00
TreeHugger Robot
b13737cc28 Merge "Removing wcnss_service from permissive mode" 2017-04-25 07:22:44 +00:00
TreeHugger Robot
995d1a1374 Merge "Removing qti from permissive mode" 2017-04-25 07:13:21 +00:00
TreeHugger Robot
d833149ab2 Merge "Removing ssr_setup from permissive mode" 2017-04-25 06:59:56 +00:00
TreeHugger Robot
d3c3621777 Merge "Removing adsprpcd from permissive mode" 2017-04-25 06:57:15 +00:00
TreeHugger Robot
d3f92bf1d1 Merge "Removing thermal-engine from permissive mode" 2017-04-25 06:55:31 +00:00
TreeHugger Robot
4d2e138f7d Merge "Removing init_power from individual permissive domain." 2017-04-25 06:39:52 +00:00
TreeHugger Robot
aa83795f2f Merge "Removing permissive mode on pd_mapper domain." 2017-04-25 06:32:43 +00:00
Max Bires
982994ed05 Removing wcnss_service from permissive mode 
Bug: 34784662
Test: wcnss_service domain is in enforcing mode and the device functions
normally

Change-Id: Ia61351802b62448119f318cdcaede713bdbba674
 2017-04-24 22:47:01 -07:00
Max Bires
e1bed673f2 Removing qti from permissive mode 
Bug: 34784662
Test: qti is in enforcing mode and the device functions normally
Change-Id: Ief42b66b97ecc17690197e283ca3d6d5ff8e93e1
 2017-04-24 22:36:49 -07:00
Max Bires
dcb824b799 Removing ssr_setup from permissive mode 
Bug: 34784662
Test: ssr_setup is in enforcing and the device functions normally
Change-Id: Iacd79ec0da63b5bee3c898fadd91fb73ed70dcb6
 2017-04-24 22:30:57 -07:00
Max Bires
a8067f5b39 Removing thermal-engine from permissive mode 
Bug: 34784662
Test: thermal-engine is in enforcing mode and the device functions
normally

Change-Id: I5d98ef35a1d3c3fa2a0acc07766d776285693219
 2017-04-24 22:25:44 -07:00
Max Bires
4cda1b6f35 Removing adsprpcd from permissive mode 
Bug: 34784662
Test: The device functions normally and adsprpcd is in enforcing mode
Change-Id: Ib2778c175efcecfbf61e95ef18af1cb917d20fa2
 2017-04-24 22:14:06 -07:00
Max Bires
34ef0ea4ae Removing permissive mode on pd_mapper domain. 
Bug: 34784662
Test: pd_mapper is in enforcing and the phone functions normally
Change-Id: I3306fb67dcecb8c256688312f5929be1599da10d
 2017-04-24 22:07:39 -07:00
Max Bires
5c3da1d867 Removing init_power from individual permissive domain. 
Bug: 34784662
Test: init_power is no longer in permissive mode and the device
functions normally
Change-Id: I944ff957b84140a88b4622dabf528ac634a4aa28
 2017-04-24 22:06:10 -07:00
Max Bires
153209ac9d Fixing camera app not launching 
denied { read } for pid=9669 comm="id.GoogleCamera"
name="u:object_r:camera_prop:s0" dev="tmpfs" ino=17770
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:camera_prop:s0 tclass=file

Bug: 37633957
Test: Camera launches
Change-Id: I2b68a13eaea0ee83e83f8e92cfda9d46c4531060
 2017-04-24 19:56:38 -07:00
TreeHugger Robot
2021e7ad05 Merge "Adding allows to fix perfd and setup_wizard denials" 2017-04-25 02:31:57 +00:00
Max Bires
3d06ccc559 Adding allows to fix perfd and setup_wizard denials 
denied { read write } for pid=1361 comm="Binder:1361_4" name="sdd4"
dev="tmpfs" ino=10187 scontext=u:r:system_server:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file

denied { write } for pid=805 comm="perfd" name="scaling_min_freq"
dev="sysfs" ino=29879 scontext=u:r:perfd:s0
tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file

Test: Startup wizard no longer crashes a few times before working
Change-Id: I85425e00d1b834d0775ec940befec4ecee514df7
 2017-04-24 23:24:20 +00:00
TreeHugger Robot
ef4927ef50 Merge "Added allowing at_device to port-bridge." 2017-04-24 22:31:42 +00:00
Max Bires
2238a616bc Fixing boot blocking selinux policy. 
Following denials were blocking boot:

denied { read } for pid=589 comm="vold"
name="u:object_r:tee_listener_prop:s0" dev="tmpfs" ino=17236
scontext=u:r:vold:s0 tcontext=u:object_r:tee_listener_prop:s0
tclass=file

denied { read } for pid=555 comm="android.hardwar"
name="u:object_r:tee_listener_prop:s0" dev="tmpfs" ino=17236
scontext=u:r:hal_keymaster_qti:s0
tcontext=u:object_r:tee_listener_prop:s0 tclass=file

denied { read } for pid=555 comm="android.hardwar"
name="u:object_r:tee_listener_prop:s0" dev="tmpfs" ino=17236
scontext=u:r:vold:s0
tcontext=u:object_r:tee_listener_prop:s0 tclass=file

Bug: 37633957
Test: Device boots
Change-Id: I6be2bafde9a6f1d14802cfa39b170c55858a4d36
 2017-04-24 21:54:01 +00:00
Kyunam.jo
f22572013b Added allowing at_device to port-bridge. 
denied { read write } for pid=749 comm="port-bridge" name="at_mdm0" dev="tmpfs" ino=22585 scontext=u:r:port-bridge:s0 tcontext=u:object_r:at_device:s0 tclass=chr_file permissive=0
denied { read write } for pid=749 comm="port-bridge" name="at_mdm0" dev="tmpfs" ino=22585 scontext=u:r:port-bridge:s0 tcontext=u:object_r:at_device:s0 tclass=chr_file permissive=0
denied { read write } for pid=749 comm="port-bridge" name="at_usb0" dev="tmpfs" ino=21293 scontext=u:r:port-bridge:s0 tcontext=u:object_r:at_device:s0 tclass=chr_file permissive=0

Bug: 37628525
Test: Taimen is no longer blocked on boot
Change-Id: Ib2e1443471c822d20627286b090b2edc4de9578b
 2017-04-24 14:12:49 -07:00
TreeHugger Robot
990d8690d9 Merge "Moving these into permissive so global enforcing can be turned on." 2017-04-23 20:00:11 +00:00
Max Bires
a3e68ffd51 Moving these into permissive so global enforcing can be turned on. 
There are some issues with wi-fi calling that need these to be
individually flipped into permissive for now so that they can continue
to function.

Test: Wi-Fi calling works
Change-Id: Ib8dff8c5a6a9e7a0d702e558a950ce7315f78881
 2017-04-23 11:52:02 -07:00
Thierry Strudel
0b19015b63 Merge changes from topic 'avb' 
* changes:
  init.hardware.rc: start qseecomd on fs
  manifest.xml: add gatekeeper and keymaster definitions
  Add sepolicies for binderized QCOM KM 3.0 and GK 1.0 HAL
  device: don't use generic GK and KM HALs
  device: add frp prop
 2017-04-22 01:34:07 +00:00
TreeHugger Robot
9e55f530d9 Merge "VR hal to choose thermal config" 2017-04-22 00:51:40 +00:00
Roopesh Rajashekharaiah Nataraja
0d3ddf604b Add sepolicies for binderized QCOM KM 3.0 and GK 1.0 HAL 
Change-Id: Icb480b1072a70a7afd1296dc6feaec045d610b7a
 2017-04-21 16:37:22 -07:00
Alex Klyubin
e8a357824a Grant device-specific hwservicemanager access 
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Bug: 34454312

Change-Id: I7d70a240188e1f4eea1a57ed3ae33a1d7ee79559
 2017-04-21 13:06:23 -07:00
Badhri Jagan Sridharan
5fb5ea21b9 Add selinux rules for dumping usb debugfs logs 
Bug: 36178613
Test: ran adb bugreport and noticed the logs to be dumped.
Change-Id: I24ba5883f7ffd5faf5bd02d0dc362feb30011c09
 2017-04-21 18:38:38 +00:00
Wei Wang
6fc920280b VR hal to choose thermal config 
Test: thermal config changed enter/exit VR mode in muskie
Bug: 36514493
Change-Id: I3711f94e667684710afcf812dcb316a9a2ba86ef
 2017-04-21 11:21:57 -07:00
Max Bires
1cedb2bc80 Merge "declare keystore and vold as passthrough HAL clients of keymaster" 2017-04-20 20:03:23 +00:00
TreeHugger Robot
3d0f0c8ec1 Merge "Adding file_contexts and allows that stopped boot in enforcing." 2017-04-20 00:05:11 +00:00
Max Bires
55f59017a0 Adding file_contexts and allows that stopped boot in enforcing. 
At some point, changes were checked in that broke enforcing mode. The
following denials should now be fixed:

denied { read } for pid=15 comm="kworker/1:0" name="slpi_v2.b12"
dev="sda
20" ino=369 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

denied { read } for pid=580 comm="vold"
name="android.hardware.keymaster@3.0-impl.so" dev="sda20" ino=802
scontext=u:r:vold:s0 tcontext=u:object_r:vendor_file:s0 tclass=file

denied { read } for pid=779 comm="keystore"
name="android.hardware.keymaster@3.0-impl.so" dev="sda20" ino=802
scontext=u:r:keystore:s0 tcontext=u:object_r:vendor_file:s0 tclass=file

denied { search read open } for pid=772 comm="port-bridge"
name="msm_subsys" dev="sysfs" ino=18985 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { read } for pid=772 comm="port-bridge" name="name" dev="sysfs"
ino=34583 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { read } for pid=772 comm="port-bridge" name="subsys0"
dev="sysfs" ino=34591 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file

denied { search } for pid=772 comm="port-bridge" name="soc0" dev="sysfs"
ino=51157 scontext=u:r:port-bridge:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir

denied { read open getattr } for pid=772 comm="port-bridge"
name="soc_id" dev="sysfs" ino=51161 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_soc:s0 tclass=file

denied { read write } for pid=4417 comm="android.hardwar"
name="vndbinder" dev="tmpfs" ino=17743 scontext=u:r:hal_drm_default:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

denied { read } for pid=3980 comm="m.android.phone"
name="libimsmedia_jni.so" dev="sda20" ino=918 scontext=u:r:radio:s0
tcontext=u:object_r:vendor_file:s0 tclass=file

denied { search } for pid=512 comm="ueventd" name="firmware" dev="sda41"
ino=246 scontext=u:r:ueventd:s0
tcontext=u:object_r:vendor_firmware_file:s0 tclass=dir

denied { read } for pid=1279 comm="ueventd" name="a530_pm4.fw"
dev="sda41" ino=251 scontext=u:r:ueventd:s0
tcontext=u:object_r:vendor_firmware_file:s0 tclass=file

Bug: 34784662
Bug: 37438752
Test: The phone successfully boots again
Change-Id: I21d9dc0f60b2cf383c66f8806eed1e1a83367c25
 2017-04-19 15:35:38 -07:00
Sandeep Patil
3be52c8f6e declare keystore and vold as passthrough HAL clients of keymaster 
This is a temporary fix until b/35810138 is resolved and keymaster is
enabled as binderized HAL on wahoo. This MUST be reverted with the fix
for b/35810138

Bug: 34784662
Test:

Change-Id: I298f4cd20e6471c01e8aff391ea6f7b802621f24
Signed-off-by: Sandeep Patil <sspatil@google.com>
 2017-04-19 15:03:10 -07:00
TreeHugger Robot
6cfe1a87b8 Merge "Add OemLock and Weaver HAL server policies for esed." 2017-04-18 14:50:47 +00:00
Max Bires
c6607276b3 Fixing denials for OTAs 
denied { read } for pid=818 comm="update_engine" name="sda13"
dev="tmpfs" ino=21751 scontext=u:r:update_engine:s0
tcontext=u:object_r:ab_block_device:s0 tclass=blk_file

denied { read } for pid=818 comm="update_engine" name="sda7" dev="tmpfs"
ino=21727 scontext=u:r:update_engine:s0
tcontext=u:object_r:modem_block_device:s0 tclass=blk_file

denied { getattr } for pid=818 comm="update_engine" path="/postinstall"
dev="sda43" ino=42 scontext=u:r:update_engine:s0
tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir

Bug: 37305560
Test: These denials are not present
Change-Id: I47bc5743c58c4c56b95614f0a170d7af16ae2b53
 2017-04-17 11:39:48 -07:00
Sandeep Patil
59b3eaccd3 tag all vendor domains that rely on system executables 
Bug: 36463595
Test: lunch walleye-userdebug && make sepolicy

Change-Id: I7ec48b3109d66f9537e5834933ed28aa76da367e
Signed-off-by: Sandeep Patil <sspatil@google.com>
 2017-04-15 19:30:07 -07:00
Sandeep Patil
1f85c07202 make all vendor exec_types part of vendor_file_type 
Bug: 36463595
Test: lunch walleye-userdebug && make -j48 sepolicy

Change-Id: Idbc83b06edcb3eb2ea548a16ed93f711cda150c1
Signed-off-by: Sandeep Patil <sspatil@google.com>
 2017-04-15 19:23:59 -07:00
Andrew Scull
1b416dc8d2 Add OemLock and Weaver HAL server policies for esed. 
Test: Boot daemon and connect to HALs from framework.
Bug: 35628284
Change-Id: I43a1ad5df401f9e9c39d107311d6a670abdce2f0
 2017-04-15 14:42:59 +01:00
Roopesh Rajashekharaiah Nataraja
50ffa4a8d9 IMS: Define sepolicies for UCE 
UCE is user capability exchange functionality where the device notifies
the network its capabilities and can also find out the capabilities of a
different user from the network. Capabilities such as VoLTE,
Video Telephony, etc.

/external/ims/rcs contains the open source code that needs to interact
with the IMS stack in the modem. The UCE HAL acts as a bridge between
the ims stack in the modem and the open source code that provides
the UCE functionality that is used by Android Apps such as Phone and
Contacts.

Previous architecture was as follows:
UCE client app (aosp, system) <--> AIDL (AOSP) <-->
uce_service (system app) <--> (JNI vendor) <-->
(IMS libs: vendor) <--> modem

With Treble we have formed a clean separation between system and
vendor components: UCE app (aosp, system) <--> AIDL (aosp) <-->
UCEService <--> system/priv-app) <--> (HIDL, vendor) <-->
imrcsd (vendor daemon) <--> modem

Hope is that in future the vendor UCE HIDL is absorbed in AOSP and
we can deprecate the UCE Service system app altogether.

Add policies and permissions for UCE HAL service and UCE HAL client to
run and execute.

Bug: 37262741
Test: Check capability in contacts for VT calling

Change-Id: If426c1c046a2acd16ac30f25e15daf4aa0de1383
 2017-04-14 17:58:55 -07:00
Wei Wang
9f0befc870 sepolicy: thermal-engine.te: add shutdown permission 
With recently refactored android_reboot(), we need permission to set
powerctl_prop to trigger init to do reboot logic.

Bug: 37277184
Test: build
Change-Id: If687ef874d51c64795e6175a132c34b406c2b19c
 2017-04-13 10:37:17 -07:00
Alex Klyubin
662399ca0d Merge "Remove unnecessary sepolicy attributes" 2017-04-13 16:26:07 +00:00
Naveen Kalla
0266d437c7 Fix IMS Registration failure 
imsdatadaemon was failing due to selinux denials shown below

02-07 12:07:06.299 W imsdatadaemon: type=1400 audit(0.0:77): avc: denied
{ net_raw } for capability=13 scontext=u:r:ims:s0 tcontext=u:r:ims:s0
tclass=capability permissive=0
02-07 12:07:06.299 W imsdatadaemon: type=1400 audit(0.0:78): avc: denied
{ net_bind_service } for capability=10 scontext=u:r:ims:s0
tcontext=u:r:ims:s0 tclass=capability permissive=0
02-07 12:07:06.299 I auditd  : type=1400 audit(0.0:77): avc: denied {
net_raw } for comm="imsdatadaemon" capability=13 scontext=u:r:ims:s0
tcontext=u:r:ims:s0 tclass=capability permissive=0
02-07 12:07:06.299 I auditd  : type=1400 audit(0.0:78): avc: denied {
net_bind_service } for comm="imsdatadaemon" capability=10
scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=capability permissive=0

Test: Check IMS registration works on device with this fix
Change-Id: Ib0e5078d13f27ccec0ebea4f146d75f29153bf7c
 2017-04-12 23:07:59 -07:00
Alex Klyubin
0a7d71babe Remove unnecessary sepolicy attributes 
Test: mmm system/sepolicy
Bug: 34980020
Change-Id: Iefc2b9bbb32e91f8bb968aaad47d3512bf888a27
 2017-04-12 18:52:16 -07:00
Ecco Park
87a1142b73 Fix sepolicy issue for cnss-diag and cnss-daemon 
1) denial message for cnss-daemon
[  185.251957] type=1400 audit(1492021938.121:423): avc: denied { create } 
for pid=781 comm="cnss_diag" name="local_buffer" scontext=u:r:wcnss_service:s0
tcontext=u:object_r:cnss_vendor_data_file:s0 
tclass=dir permissive=1
[  185.258602] type=1400 audit(1492021938.121:424): avc: denied { setattr }
for pid=781 comm="cnss_diag" name="local_buffer" dev="sda45" ino=2179097
scontext=u:r:wcnss_service:s0 tcontext=u:object_r:cnss_vendor_data_file:s0
tclass=dir permissive=1

2) remove unused cnss_diag.te (instead, we use wcnss_service.te)

Bug: 36734870

Change-Id: Ie0d1a99adf0cde2616eaf099e2757407f43eb77d
Signed-off-by: Ecco Park <eccopark@google.com>
 2017-04-12 20:22:21 +00:00