author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-05-10 15:33:39 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-05-10 15:33:39 +0000 |
commit | 283b5bdef92ca88a9912f65cdd6a55b65e542fb7 (patch) | |
tree | 3a48bc7e704fb5f7b6b06db6773a9f9acc1a0d7a | |
parent | ed9d045ada876a6b5a11c1c49d8a61dae0d14658 (diff) | |
parent | 7e07807e0cc6e2230af2f6bf02c4ea63062af01f (diff) | |
Snap for 11819167 from 7e07807e0cc6e2230af2f6bf02c4ea63062af01f to busytown-mac-infra-releasebusytown-mac-infra-release
Change-Id: I12bea1e9b079f0645d6cc6043ba9ac4cd8fcc4b3
-rw-r--r-- | system_ext/private/property_contexts | 5 | ||||
-rw-r--r-- | system_ext/private/seapp_contexts | 24 | ||||
-rw-r--r-- | vendor/google/e2fs.te | 2 | ||||
-rw-r--r-- | vendor/google/file.te | 3 | ||||
-rw-r--r-- | vendor/google/fsck.te | 2 | ||||
-rw-r--r-- | vendor/google/genfs_contexts | 1 | ||||
-rw-r--r-- | vendor/google/grilservice_app.te | 3 | ||||
-rw-r--r-- | vendor/google/hal_health_default.te | 2 | ||||
-rw-r--r-- | vendor/google/hal_wireless_charger.te | 8 | ||||
-rw-r--r-- | vendor/google/hal_wlc.te | 2 | ||||
-rw-r--r-- | vendor/google/platform_app.te | 3 | ||||
-rw-r--r-- | vendor/google/seapp_contexts | 18 | ||||
-rw-r--r-- | vendor/google/service.te | 2 | ||||
-rw-r--r-- | vendor/google/service_contexts | 2 | ||||
-rw-r--r-- | vendor/google/system_app.te | 5 | ||||
-rw-r--r-- | vendor/qcom/common/file.te | 1 | ||||
-rw-r--r-- | vendor/qcom/common/file_contexts | 3 | ||||
-rw-r--r-- | vendor/qcom/common/hal_bluetooth_default.te | 6 | ||||
-rw-r--r-- | vendor/qcom/common/qtelephony.te | 5 | ||||
-rw-r--r-- | vendor/qcom/common/radio.te | 3 | ||||
-rw-r--r-- | vendor/qcom/common/seapp_contexts | 3 | ||||
-rw-r--r-- | vendor/qcom/common/service_contexts | 7 | ||||
-rw-r--r-- | vendor/verizon/seapp_contexts | 3 |
23 files changed, 72 insertions, 41 deletions
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
deleted file mode 100644
index abcdd41..0000000
--- a/system_ext/private/property_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-# Boot animation dynamic colors
-persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
new file mode 100644
index 0000000..934937f
--- /dev/null
+++ b/system_ext/private/seapp_contexts
@@ -0,0 +1,24 @@
+# Use a custom domain for GoogleCamera, to allow for Hexagon DSP access
+user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the dogfood beta version, the same access as GoogleCamera
+user=_app seinfo=googlepulse name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Domain for DeviceDropMonitor service
+user=_app seinfo=platform name=com.google.android.devicedropmonitor domain=device_drop_monitor type=app_data_file levelFrom=all
+
+# Domain for Display
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Domain for IpHealthMonitor service
+user=_app seinfo=platform name=com.google.android.iphealthmonitor domain=ip_health_monitor type=app_data_file levelFrom=all
+
+# Domain for UvExposureReporter service
+user=_app isPrivApp=true name=com.google.android.uvexposurereporter domain=uv_exposure_reporter type=app_data_file levelFrom=all
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# Verizon for OBDM tool
+user=_app seinfo=verizon name=com.verizon.obdm domain=obdm_app type=app_data_file levelFrom=all
+user=_app seinfo=verizon name=com.verizon.obdm:background domain=obdm_app type=app_data_file levelFrom=all
diff --git a/vendor/google/e2fs.te b/vendor/google/e2fs.te
new file mode 100644
index 0000000..4d2b596
--- /dev/null
+++ b/vendor/google/e2fs.te
@@ -0,0 +1,2 @@
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/file.te b/vendor/google/file.te
index df68cd0..53a5f88 100644
--- a/vendor/google/file.te
+++ b/vendor/google/file.te
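Review bot: The UvExposureReporter entry (`user=_app isPrivApp=true name=com.google.android.uvexposurereporter domain=uv_exposure_reporter ...`) is the only line in the new file that selects a dedicated domain without a `seinfo=` key, while the connectivity-monitor entry two lines below pins `seinfo=platform` on top of `isPrivApp=true`; the lines are moved verbatim from vendor/google/seapp_contexts, so the commit does not touch this. Without a signature constraint, any package that ends up on a priv-app partition under that name is placed in `uv_exposure_reporter`, so the entry should carry the seinfo of the key it is actually signed with, e.g. `user=_app isPrivApp=true seinfo=platform name=com.google.android.uvexposurereporter domain=uv_exposure_reporter type=app_data_file levelFrom=all` if it is platform-signed — confirm against the real signing key before pinning. The move also pulls the Verizon `obdm_app` and qcom `con_monitor_app` entries out of their vendor-partition files into system_ext; those domains are declared outside this diff, so it is worth confirming they remain visible to the system_ext seapp_contexts check.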
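Review bot: The two new rules in vendor/google/e2fs.te, and the identical pair added to vendor/google/fsck.te in the next hunk, spell out dir/file read access by hand although this policy already uses the `r_dir_file` macro for exactly this object in hal_health_default.te (`r_dir_file(hal_health_default, sysfs_scsi_devices_0000)`). Writing `r_dir_file(e2fs, sysfs_scsi_devices_0000)` and `r_dir_file(fsck, sysfs_scsi_devices_0000)` keeps the three domains consistent; note the macro also covers `lnk_file` read, so keep the explicit rules if that is deliberately excluded. Neither hunk says why a filesystem checker needs to read SCSI device attributes under sysfs; a one-line comment naming the attribute the denial was about (`# e2fsck reads <attribute> from the UFS device node in sysfs — confirm`) would save the next reader a bug lookup.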
@@ -12,7 +12,6 @@ type sysfs_touch, sysfs_type, fs_type;
 type sysfs_power_stats_ignore, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_pixelstats, fs_type, sysfs_type;
-type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_pstore, sysfs_type, fs_type;
 type debugfs_f2fs, debugfs_type, fs_type;
 type proc_f2fs, proc_type, fs_type;
@@ -50,3 +49,5 @@ type updated_wifi_firmware_data_file, file_type, data_file_type;
 # Firmware mount
 type firmware_file, file_type, contextmount_type, vendor_file_type;
 allow firmware_file self:filesystem associate;
+
+type sysfs_wlc, sysfs_type, fs_type;
diff --git a/vendor/google/fsck.te b/vendor/google/fsck.te
index 1500b5f..7d94ea1 100644
--- a/vendor/google/fsck.te
+++ b/vendor/google/fsck.te
@@ -1 +1,3 @@
 allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/google/genfs_contexts b/vendor/google/genfs_contexts
index 36335f1..263f93b 100644
--- a/vendor/google/genfs_contexts
+++ b/vendor/google/genfs_contexts
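Review bot: `type sysfs_wlc, sysfs_type, fs_type;` is deleted from the sysfs type group in the first hunk and re-added, unchanged, as the last line of file.te after the firmware-mount rules, so the net effect is a relocation with no explanation. Leaving the declaration where it was would avoid the churn and keep the sysfs_* types together; if the move is meant to flag the type as orphaned now that genfs_contexts drops its only visible `genfscon` entry in the next file, say so on the line (`# sysfs_wlc: no longer labelled by vendor/google/genfs_contexts; kept for hal_wlc rules`) — confirm whether another genfs_contexts still labels it before relying on that.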
@@ -94,7 +94,6 @@ genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.q
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,qpnp-smb5/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,usb-pdphy@1700/usbpd0/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm7250b@2:google,bms/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/soc/98c000.i2c/i2c-1/1-003b u:object_r:sysfs_wlc:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-02/c440000.qcom,spmi:qcom,pm7250b@2:qpnp,qg/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,qpnp-smb5/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,usb-pdphy@1700/usbpd0/power_supply u:object_r:sysfs_batteryinfo:s0
diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te
index b41c009..4188d8f 100644
--- a/vendor/google/grilservice_app.te
+++ b/vendor/google/grilservice_app.te
@@ -13,3 +13,6 @@ binder_call(grilservice_app, hal_wifi_ext)
 # this denial on grilservice_app since this AudioMetric functionality is not used in legacy device.
 dontaudit grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+# this denial on grilservice_app since ODPM isn't accessed / available on legacy devices.
+dontaudit grilservice_app hal_power_stats_service:service_manager find;
+
diff --git a/vendor/google/hal_health_default.te b/vendor/google/hal_health_default.te
index 9bca064..c9e6a0b 100644
--- a/vendor/google/hal_health_default.te
+++ b/vendor/google/hal_health_default.te
@@ -1,5 +1,4 @@
 r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
-r_dir_file(hal_health_default, sysfs_wlc)
 set_prop(hal_health_default, vendor_shutdown_prop)
 set_prop(hal_health_default, vendor_battery_defender_prop)
@@ -7,7 +6,6 @@ allow hal_health_default fwk_stats_hwservice:hwservice_manager find;
 allow hal_health_default fwk_stats_service:service_manager find;
 binder_use(hal_health_default)
-allow hal_health_default sysfs_wlc:dir r_dir_perms;
 allow hal_health_default sysfs_thermal:dir r_dir_perms;
 allow hal_health_default sysfs_thermal:file rw_file_perms;
 allow hal_health_default persist_file:dir search;
diff --git a/vendor/google/hal_wireless_charger.te b/vendor/google/hal_wireless_charger.te
new file mode 100644
index 0000000..f2e0b3a
--- /dev/null
+++ b/vendor/google/hal_wireless_charger.te
@@ -0,0 +1,8 @@
+type hal_wireless_charger, domain;
+type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
+
+# QCOM device only
+allow hal_wireless_charger sysfs_chargelevel:file rw_file_perms;
+
+allow hal_wlc sysfs_wlc:dir r_dir_perms;
+allow hal_wlc sysfs_wlc:file rw_file_perms;
diff --git a/vendor/google/hal_wlc.te b/vendor/google/hal_wlc.te
index dc0c21d..0339bbe 100644
--- a/vendor/google/hal_wlc.te
+++ b/vendor/google/hal_wlc.te
@@ -9,7 +9,5 @@ get_prop(hal_wlc, hwservicemanager_prop)
 # Allow access to /sys/class/power_supply/wireless
 r_dir_file(hal_wlc, sysfs_batteryinfo)
-allow hal_wlc sysfs_wlc:dir r_dir_perms;
-allow hal_wlc sysfs_wlc:file rw_file_perms;
 allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/vendor/google/platform_app.te b/vendor/google/platform_app.te
index 2dfbc86..03004b3 100644
--- a/vendor/google/platform_app.te
+++ b/vendor/google/platform_app.te
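Review bot: The last two rules of the new hal_wireless_charger.te grant `hal_wlc`, not the domain the file declares: `allow hal_wlc sysfs_wlc:dir r_dir_perms;` and `allow hal_wlc sysfs_wlc:file rw_file_perms;` are exactly the lines removed from hal_wlc.te in the following hunk, so `hal_wireless_charger` itself receives no sysfs_wlc access and hal_wlc's rules now live under another domain's file name. If the new HAL is meant to take over the wireless-charger sysfs interface, the subject on both lines should be `hal_wireless_charger`; if hal_wlc is meant to keep them, they belong back in hal_wlc.te. Separately, the domain is declared with `domain` and a `hal_wireless_charger_exec` type, but nothing in the 23-file diffstat labels a binary with that exec type in a file_contexts entry or gives the domain the `init_daemon_domain`/`add_service` wiring for the `hal_wireless_charger_service` that service.te and service_contexts introduce — as it stands platform_app and system_app can find the service while no domain is permitted to register it, which presumably lands in a follow-up but is worth confirming. The `# QCOM device only` comment above the sysfs_chargelevel rule also does not say what keeps that rule from applying on non-QCOM builds of a vendor/google policy.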
@@ -8,3 +8,6 @@ allow platform_app nfc_service:service_manager find;
 allow platform_app fwk_stats_service:service_manager find;
 binder_use(platform_app)
+
+allow platform_app hal_wireless_charger_service:service_manager find;
+binder_call(platform_app, hal_wireless_charger)
diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts
index feda6f8..680d4e6 100644
--- a/vendor/google/seapp_contexts
+++ b/vendor/google/seapp_contexts
@@ -11,24 +11,6 @@ user=_app seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_da
 # Domain for GoogleCBRS app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
-# Use a custom domain for GoogleCamera, to allow for Hexagon DSP access
-user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the dogfood beta version, the same access as GoogleCamera
-user=_app seinfo=googlepulse name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Domain for Display
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
-# Domain for UvExposureReporter service
-user=_app isPrivApp=true name=com.google.android.uvexposurereporter domain=uv_exposure_reporter type=app_data_file levelFrom=all
-
-# Domain for DeviceDropMonitor service
-user=_app seinfo=platform name=com.google.android.devicedropmonitor domain=device_drop_monitor type=app_data_file levelFrom=all
-
-# Domain for IpHealthMonitor service
-user=_app seinfo=platform name=com.google.android.iphealthmonitor domain=ip_health_monitor type=app_data_file levelFrom=all
-
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
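Review bot: `allow platform_app hal_wireless_charger_service:service_manager find;` and `binder_call(platform_app, hal_wireless_charger)` open the new HAL to every platform-signed app, and the system_app.te hunk further down does the same for every system-UID app; service.te tags the service `protected_service`, which keeps untrusted apps away but not these two broad domains. If a single client (a battery or settings UI, say) consumes IWirelessCharger, a comment naming it and, where one exists, its dedicated app domain would keep the surface minimal, e.g. `# IWirelessCharger client: <package> — confirm and narrow if it has its own domain`. The `binder_call` here is one-directional; if the HAL delivers callbacks the reverse `binder_call(hal_wireless_charger, platform_app)` will be needed, as system_app.te already carries for hal_wlc (`binder_call(hal_wlc, system_app)`).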
diff --git a/vendor/google/service.te b/vendor/google/service.te
index 5b191cc..cc65c0e 100644
--- a/vendor/google/service.te
+++ b/vendor/google/service.te
@@ -1,2 +1,4 @@
 type hal_pixel_display_service, service_manager_type, hal_service_type;
 type hal_wifi_ext_service, service_manager_type, hal_service_type;
+
+type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type;
diff --git a/vendor/google/service_contexts b/vendor/google/service_contexts
index 7b84ac7..a14f133 100644
--- a/vendor/google/service_contexts
+++ b/vendor/google/service_contexts
@@ -1,3 +1,5 @@
 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 vendor.google.wifi_ext.IWifiExt/default u:object_r:hal_wifi_ext_service:s0
+
+vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
diff --git a/vendor/google/system_app.te b/vendor/google/system_app.te
index a7de933..9499c59 100644
--- a/vendor/google/system_app.te
+++ b/vendor/google/system_app.te
@@ -2,4 +2,7 @@ allow system_app hal_wlc_hwservice:hwservice_manager find;
 binder_call(system_app, hal_wlc)
 binder_call(hal_wlc, system_app)
-allow system_app fwk_stats_hwservice:hwservice_manager find;
\ No newline at end of file
+allow system_app fwk_stats_hwservice:hwservice_manager find;
+
+allow system_app hal_wireless_charger_service:service_manager find;
+binder_call(system_app, hal_wireless_charger)
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 99b8620..37cdeba 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -62,3 +62,4 @@ type debugfs_icnss, debugfs_type, fs_type;
 type debugfs_ion, debugfs_type, fs_type;
 type debugfs_tzdbg, debugfs_type, fs_type;
 type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 5a5c04c..ce842ca 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -53,7 +53,7 @@
 /(vendor|system/vendor)/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
 /(vendor|system/vendor)/bin/hw/qcrild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-(service|service-lazy)\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-(service|service-lazy)\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-(service|service-lazy)\.widevine(-v17)? u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
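Review bot: `type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;` carries `mlstrustedobject` over from the cnss line above it, but the only consumer this diff gives the new type is `hal_bluetooth_default` writing under `userdebug_or_eng`, a single-level vendor daemon that needs no MLS exemption to reach the directory. Subsystem coredumps can hold firmware and host memory contents, so the attribute should be dropped unless a multi-level reader (an app-level dump collector, presumably) is known to need it, in which case a comment on the line naming that reader would document the exception. The /data/vendor/ssrdump/coredump entry in the file_contexts hunk further on nests under the ramdump_vendor_data_file prefix and relies on longest-match ordering, which is fine but worth a one-line note beside it.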
@@ -261,6 +261,7 @@
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
 /data/vendor/nnhal(/.*)? u:object_r:hal_neuralnetworks_data_file:s0
 /data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
+/data/vendor/ssrdump/coredump(/.*)? u:object_r:sscoredump_vendor_data_coredump_file:s0
 /data/vendor/ssrlog(/.*)? u:object_r:ssr_log_file:s0
 /data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
 /data/vendor/location(/.*)? u:object_r:location_data_file:s0
diff --git a/vendor/qcom/common/hal_bluetooth_default.te b/vendor/qcom/common/hal_bluetooth_default.te
index 7df493d..f5f2128 100644
--- a/vendor/qcom/common/hal_bluetooth_default.te
+++ b/vendor/qcom/common/hal_bluetooth_default.te
@@ -4,8 +4,10 @@ allow hal_bluetooth_default hal_bluetooth_coexistence_hwservice:hwservice_manage
 userdebug_or_eng(`
 allow hal_bluetooth_default diag_device:chr_file rw_file_perms;
- allow hal_bluetooth_default ramdump_vendor_data_file:dir rw_dir_perms;
- allow hal_bluetooth_default ramdump_vendor_data_file:file { create rw_file_perms };
+ allow hal_bluetooth_default ramdump_vendor_data_file:dir create_dir_perms;
+ allow hal_bluetooth_default ramdump_vendor_data_file:file create_file_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:file create_file_perms;
 r_dir_file(hal_bluetooth_default, debugfs_ipc)
 set_prop(hal_bluetooth_default, vendor_ssr_prop)
 ')
diff --git a/vendor/qcom/common/qtelephony.te b/vendor/qcom/common/qtelephony.te
index c93440a..a065040 100644
--- a/vendor/qcom/common/qtelephony.te
+++ b/vendor/qcom/common/qtelephony.te
@@ -2,8 +2,6 @@ type qtelephony, domain;
 app_domain(qtelephony)
-add_hwservice(qtelephony, vnd_atcmdfwd_hwservice)
-
 allow qtelephony app_api_service:service_manager find;
 allow qtelephony hal_imsrtp_hwservice:hwservice_manager find;
 allow qtelephony hal_telephony_service:service_manager find;
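Review bot: Replacing `rw_dir_perms` and `{ create rw_file_perms }` with `create_dir_perms` / `create_file_perms` on the existing ramdump_vendor_data_file lines widens that grant beyond what adding the new coredump directory requires — in AOSP's global_macros the `create_*_perms` sets add rename, unlink and setattr (and rmdir/reparent for dirs) on top of read/write/create — and the hunk gives no reason for the extra verbs on a directory the daemon was already writing to. The block sits inside `userdebug_or_eng`, so production builds are unaffected, but either reverting the two ramdump lines to their previous perms or stating the reason in a comment (`# hal_bluetooth_default rotates and removes its own ssrdump/coredump files` if that is what drives it) would keep the debug-only grant minimal and explained. The `userdebug_or_eng` block opens and closes within this hunk, so the change is self-contained.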
@@ -28,3 +26,6 @@ set_prop(qtelephony, vendor_qcom_ims_prop)
 userdebug_or_eng(`
 allow qtelephony diag_device:chr_file rw_file_perms;
 ')
+
+# b/265255811#comment26 Ignore access AIDL as we freezed target for HIDL
+dontaudit qtelephony default_android_service:service_manager { find };
diff --git a/vendor/qcom/common/radio.te b/vendor/qcom/common/radio.te
index 487f74f..216ada1 100644
--- a/vendor/qcom/common/radio.te
+++ b/vendor/qcom/common/radio.te
@@ -4,6 +4,9 @@ binder_call(radio, hal_rcsservice)
 allow radio hal_imsrtp_hwservice:hwservice_manager find;
 allow radio mediaextractor_service:service_manager find;
+
+add_hwservice(radio, vnd_atcmdfwd_hwservice)
+
 userdebug_or_eng(`
 allow radio diag_device:chr_file rw_file_perms;
 ')
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index b899748..7360124 100644
--- a/vendor/qcom/common/seapp_contexts
+++ b/vendor/qcom/common/seapp_contexts
@@ -9,9 +9,6 @@ user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domai
 user=_app seinfo=platform name=.qtidataservices domain=qtidataservices_app type=app_data_file levelFrom=all
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 #Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts
index c11263b..48db21b 100644
--- a/vendor/qcom/common/service_contexts
+++ b/vendor/qcom/common/service_contexts
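Review bot: `dontaudit qtelephony default_android_service:service_manager { find };` silences lookups against the catch-all service label rather than against one specific service, so any future AIDL service that is missing a service_contexts entry will also be looked up and denied silently by qtelephony — precisely the misconfiguration the audit log is there to surface. The same commit labels the AtCmdFwd/AtFwd AIDL instances explicitly in vendor/qcom/common/service_contexts; giving whatever service qtelephony is probing here its own label and dontauditing that type would keep the suppression narrow — confirm which service name the b/265255811 denial reports. The comment also reads better as `# b/265255811#comment26: ignore AIDL lookups; this target is frozen on HIDL`.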
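Review bot: `add_hwservice(radio, vnd_atcmdfwd_hwservice)` moves the right to register the AtCmdFwd HIDL service from the qtelephony app domain into `radio`, the phone process's domain, and the vendor/qcom/common/service_contexts hunk on the next line likewise labels the new `IAtCmdFwd`/`IAtFwd` AIDL instances `radio_service`, which makes a system-partition app domain the server of a vendor interface rather than a client of it. If the AT-command forwarder really is hosted inside the phone process, a comment above the macro saying so (`# AtCmdFwd HIDL/AIDL servers are hosted by the phone process, not by a vendor daemon`) would explain the unusual direction; if it is not, the registration belongs with the daemon that hosts it and radio only needs `find`. The old qtelephony registration is removed in the preceding file, but nothing here shows what else in that app still expects the hwservice, so confirm the client path is fully retired.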
@@ -1,3 +1,10 @@
 vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0
 vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_service:s0
 vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.am.IQcRilAudio/slot1 u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.am.IQcRilAudio/slot2 u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.qcrilhook.IQtiOemHook/oemhook0 u:object_r:radio_service:s0
+vendor.qti.hardware.radio.qcrilhook.IQtiOemHook/oemhook1 u:object_r:radio_service:s0
+
+vendor.qti.hardware.radio.atcmdfwd.IAtCmdFwd/AtCmdFwdAidl u:object_r:radio_service:s0
+vendor.qti.hardware.radio.atfwd.IAtFwd/AtFwdAidl u:object_r:radio_service:s0
diff --git a/vendor/verizon/seapp_contexts b/vendor/verizon/seapp_contexts
deleted file mode 100644
index 951fef3..0000000
--- a/vendor/verizon/seapp_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# Verizon for OBDM tool
-user=_app seinfo=verizon name=com.verizon.obdm domain=obdm_app type=app_data_file levelFrom=all
-user=_app seinfo=verizon name=com.verizon.obdm:background domain=obdm_app type=app_data_file levelFrom=all |