device_google_wahoo

mirror of https://github.com/Evolution-X-Devices/device_google_wahoo synced 2026-02-01 07:50:47 +00:00

Files

Brian Duddie 892c70989b Add binderized sensors HAL

Make the sensors HAL binderized, and add the necessary sepolicy entries
to grant it permissions for these denials:

type=1400 audit(5246168.379:61): avc: denied { search } for pid=7558
comm="android.hardwar" name="/" dev="sdd3" ino=2
scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:persist_file:s0
tclass=dir permissive=0

type=1400 audit(1493161320.949:152): avc: denied { search } for pid=7558
comm="android.hardwar" name="msm_subsys" dev="sysfs" ino=19027
scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
type=1400 audit(1493161320.949:153): avc: denied { read } for pid=7558
comm="android.hardwar" name="devices" dev="sysfs" ino=19029
scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
type=1400 audit(1493161320.949:154): avc: denied { open } for pid=7558
comm="android.hardwar" path="/sys/bus/msm_subsys/devices" dev="sysfs"
ino=19029 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
type=1400 audit(1493161320.949:155): avc: denied { read } for pid=7558
comm="android.hardwar" name="subsys0" dev="sysfs" ino=34647
scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file permissive=1
type=1400 audit(1493161320.949:156): avc: denied { read } for pid=7558
comm="android.hardwar" name="name" dev="sysfs" ino=34639
scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1
type=1400 audit(1493161320.949:157): avc: denied { open } for pid=7558
comm="android.hardwar"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=34639 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1

type=1400 audit(1493161320.959:158): avc: denied { search } for pid=7558
comm="android.hardwar" name="sensors" dev="sdd3" ino=12
scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:persist_sensors_file:s0 tclass=dir permissive=1
type=1400 audit(1493161320.959:159): avc: denied { read } for pid=7558
comm="android.hardwar" name="sensors_settings" dev="sdd3" ino=13
scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1
type=1400 audit(1493161320.959:160): avc: denied { open } for pid=7558
comm="android.hardwar" path="/persist/sensors/sensors_settings"
dev="sdd3" ino=13 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1

type=1400 audit(1493161320.959:161): avc: denied { create } for pid=7558
comm="android.hardwar" scontext=u:r:hal_sensors_default:s0
tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1
type=1400 audit(1493161320.959:162): avc: denied { ioctl } for pid=7558
comm="android.hardwar" path="socket:[85874]" dev="sockfs" ino=85874
ioctlcmd=c304 scontext=u:r:hal_sensors_default:s0
tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1
type=1400 audit(1493161320.959:163): avc: denied { write } for pid=7558
comm="android.hardwar" scontext=u:r:hal_sensors_default:s0
tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1
type=1400 audit(1493161320.979:164): avc: denied { read } for pid=7558
comm="android.hardwar" scontext=u:r:hal_sensors_default:s0
tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1
type=1400 audit(1493161346.039:168): avc: denied { ioctl } for pid=7558
comm="sensors@1.0-ser" path="socket:[85876]" dev="sockfs" ino=85876
ioctlcmd=c302 scontext=u:r:hal_sensors_default:s0
tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1

Bug: 36097227
Test: load on device, confirm sensors stack comes up, perform screen
  orientation sanity test, check no selinux denials in kernel log, run
  VTS using:
    vts-tradefed run commandAndExit vts --module VtsHalSensorsV1_0Target
  Note that there are known VTS failures tracked under bug 37710268.
  This change does not introduce any new failures.
Change-Id: I8f6017f3d080cde7ec009182f0f5fbb90980d424

2017-04-26 10:39:13 -07:00

adsprpcd.te

Removing adsprpcd from permissive mode

2017-04-24 22:14:06 -07:00

audioserver.te

Bring up binderized Audio and Soundtrigger services on new Pixels

2017-03-30 11:19:37 -07:00

bluetooth.te

Import common file from device specific directory

2017-03-04 23:34:45 -08:00

bootanim.te

Import common file from device specific directory

2017-03-04 23:34:45 -08:00

cameraserver.te

Adding rules and contexts for following denials

2017-03-22 10:56:52 -07:00

chre.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

cnd.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

device.te

Merge "Add eSE daemon."

2017-04-12 12:38:03 +00:00

domain.te

Fixing the following denials

2017-04-11 01:26:29 -07:00

dumpstate.te

Adding allows for smlog and dumpstate

2017-04-25 13:55:49 -07:00

esed.te

Merge "Add OemLock and Weaver HAL server policies for esed."

2017-04-18 14:50:47 +00:00

file_contexts

Merge "Adding allows for smlog and dumpstate"

2017-04-25 22:47:05 +00:00

file.te

Adding allows for smlog and dumpstate

2017-04-25 13:55:49 -07:00

folio_daemon.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

gatekeeperd.te

Import common file from device specific directory

2017-03-04 23:34:45 -08:00

genfs_contexts

Fixing the following denials

2017-04-11 01:26:29 -07:00

hal_audio_default.te

Remove unnecessary sepolicy attributes

2017-04-12 18:52:16 -07:00

hal_bluetooth_default.te

Adding allows to fix following denials during run/boot time

2017-04-03 00:23:03 +00:00

hal_bootctl.te

Refactoring block device labeling and adding allows.

2017-04-07 16:11:19 -07:00

hal_camera_default.te

Annotate violators of "no Binder in vendor" rule

2017-03-24 08:40:00 -07:00

hal_camera.te

Add cameraserver and NFC HAL to socket comms violators list

2017-03-30 18:00:38 -07:00

hal_contexthub.te

Add binderized context hub HAL

2017-04-03 11:49:09 -07:00

hal_drm_default.te

Adding file_contexts and allows that stopped boot in enforcing.

2017-04-19 15:35:38 -07:00

hal_dumpstate_impl.te

Adding allows for smlog and dumpstate

2017-04-25 13:55:49 -07:00

hal_fingerprint_default.te

Annotate violators of "no Binder in vendor" rule

2017-03-24 08:40:00 -07:00

hal_fingerprint.te

Adding allows to handle the following denials

2017-04-10 15:39:09 -07:00

hal_gatekeeper_qti.te

Fixing boot blocking selinux policy.

2017-04-24 21:54:01 +00:00

hal_gatekeeper.te

Import common file from device specific directory

2017-03-04 23:34:45 -08:00

hal_graphics_composer_default.te

Fixing the following denials

2017-04-11 01:26:29 -07:00

hal_keymaster_qti.te

Fixing boot blocking selinux policy.

2017-04-24 21:54:01 +00:00

hal_memtrack_default.te

Fixing the following run and boot time denials

2017-04-02 19:07:17 -07:00

hal_nfc_default.te

nfc: sepolicy: creates data/vendor/nfc/ for HAL specific data

2017-03-31 12:02:03 -07:00

hal_power_default.te

Adding allows to handle the following denials.

2017-04-04 16:37:57 +00:00

hal_rcsservice.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

hal_sensors_default.te

Add binderized sensors HAL

2017-04-26 10:39:13 -07:00

hal_thermal_default.te

Enable binderized Thermal HAL.

2017-04-06 16:23:51 +02:00

hal_usb_default.te

Adding allows to handle the following denials.

2017-04-04 16:37:57 +00:00

hal_vibrator_default.te

Fixing the following denials

2017-04-11 01:26:29 -07:00

hal_vr.te

VR hal to choose thermal config

2017-04-21 11:21:57 -07:00

hal_wifi_default.te

Adding allows to handle the following denials

2017-04-10 15:39:09 -07:00

hwservice_contexts

Grant device-specific hwservicemanager access

2017-04-21 13:06:23 -07:00

hwservice.te

Grant device-specific hwservicemanager access

2017-04-21 13:06:23 -07:00

ims.te

Moving these into permissive so global enforcing can be turned on.

2017-04-23 11:52:02 -07:00

imscm.te

Moving these into permissive so global enforcing can be turned on.

2017-04-23 11:52:02 -07:00

init_power.te

Removing init_power from individual permissive domain.

2017-04-24 22:06:10 -07:00

init_radio.te

tag all vendor domains that rely on system executables

2017-04-15 19:30:07 -07:00

init-devstart-sh.te

tag all vendor domains that rely on system executables

2017-04-15 19:30:07 -07:00

init-insmod-sh.te

tag all vendor domains that rely on system executables

2017-04-15 19:30:07 -07:00

init-ipastart-sh.te

tag all vendor domains that rely on system executables

2017-04-15 19:30:07 -07:00

init.te

Refactoring block device labeling and adding allows.

2017-04-07 16:11:19 -07:00

ioctl_defines

Adding ism service allow rules and according ioctl_define

2017-03-16 22:10:52 +00:00

ioctl_macros

Import common file from device specific directory

2017-03-04 23:34:45 -08:00

irsc_util.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

kernel.te

Adding file_contexts and allows that stopped boot in enforcing.

2017-04-19 15:35:38 -07:00

keystore.te

declare keystore and vold as passthrough HAL clients of keymaster

2017-04-19 15:03:10 -07:00

location.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

logger_app.te

Merge changes Ice91de09,I0d05425d

2017-04-12 17:34:44 +00:00

mediacodec.te

Adding allows to fix perfd and setup_wizard denials

2017-04-24 23:24:20 +00:00

netmgrd.te

tag all vendor domains that rely on system executables

2017-04-15 19:30:07 -07:00

pd_services.te

Removing permissive mode on pd_mapper domain.

2017-04-24 22:07:39 -07:00

per_mgr.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

per_proxy.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

perfd.te

Adding allows to fix perfd and setup_wizard denials

2017-04-24 23:24:20 +00:00

platform_app.te

Move logging folder from data to data/vendor

2017-04-10 17:25:14 -07:00

port-bridge.te

Added allowing at_device to port-bridge.

2017-04-24 14:12:49 -07:00

property_contexts

VR hal to choose thermal config

2017-04-21 11:21:57 -07:00

property.te

VR hal to choose thermal config

2017-04-21 11:21:57 -07:00

qlogd.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

qmuxd.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

qti.te

Removing qti from permissive mode

2017-04-24 22:36:49 -07:00

radio.te

Merge "Moving these into permissive so global enforcing can be turned on."

2017-04-23 20:00:11 +00:00

ramdump_app.te

sepolicy: Allow ramdump_app to access surfaceflinger_service

2017-04-11 15:23:34 -07:00

ramdump.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

rfs_access.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

rild.te

Grant device-specific hwservicemanager access

2017-04-21 13:06:23 -07:00

rmt_storage.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

seapp_contexts

Move logging folder from data to data/vendor

2017-04-10 17:25:14 -07:00

sensors.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

service_contexts

IMS: Define sepolicies for UCE

2017-04-14 17:58:55 -07:00

service.te

IMS: Define sepolicies for UCE

2017-04-14 17:58:55 -07:00

smlog_dump.te

Adding allows for smlog and dumpstate

2017-04-25 13:55:49 -07:00

ssr_detector.te

Move logging folder from data to data/vendor

2017-04-10 17:25:14 -07:00

ssr_diag.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

ssr_setup.te

Removing ssr_setup from permissive mode

2017-04-24 22:30:57 -07:00

subsystem_ramdump.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

surfaceflinger.te

Adding allow rules and contexts to handle the following denials

2017-04-07 19:57:13 +00:00

system_app.te

Grant device-specific hwservicemanager access

2017-04-21 13:06:23 -07:00

system_server.te

Putting system_server into permissive.

2017-04-25 16:00:49 -07:00

tee.te

Fixing the following denials

2017-04-11 01:26:29 -07:00

thermal-engine.te

Removing thermal-engine from permissive mode

2017-04-24 22:25:44 -07:00

time_daemon.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

ueventd.te

Fixing the following denials

2017-04-11 01:26:29 -07:00

untrusted_app.te

Fixing camera app not launching

2017-04-24 19:56:38 -07:00

update_engine_common.te

Fixing denials for OTAs

2017-04-17 11:39:48 -07:00

update_verifier.te

Refactoring block device labeling and adding allows.

2017-04-07 16:11:19 -07:00

vold.te

Fixing boot blocking selinux policy.

2017-04-24 21:54:01 +00:00

wcnss_filter.te

make all vendor exec_types part of vendor_file_type

2017-04-15 19:23:59 -07:00

wcnss_service.te

Removing wcnss_service from permissive mode

2017-04-24 22:47:01 -07:00