diff options
38 files changed, 106 insertions, 33 deletions
@@ -5,6 +5,7 @@ jbires@google.com jeffv@google.com jgalenson@google.com nnk@google.com +rurumihong@google.com sspatil@google.com tomcherry@google.com trong@google.com diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk index c03312c..8ea3e0a 100644 --- a/coral-sepolicy.mk +++ b/coral-sepolicy.mk @@ -6,3 +6,4 @@ BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/google BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/common BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common +BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te new file mode 100644 index 0000000..977590d --- /dev/null +++ b/tracking_denials/bootanim.te @@ -0,0 +1,2 @@ +# b/128958090 +dontaudit bootanim sysfs_msm_subsys:dir search; diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te new file mode 100644 index 0000000..edab2c3 --- /dev/null +++ b/tracking_denials/gmscore_app.te @@ -0,0 +1,4 @@ +# b/149543390 +dontaudit gmscore_app firmware_file:filesystem getattr; +dontaudit gmscore_app mnt_vendor_file:dir search; +dontaudit gmscore_app sysfs_msm_subsys:file read; diff --git a/tracking_denials/hal_audio_default.te b/tracking_denials/hal_audio_default.te new file mode 100644 index 0000000..f0bd336 --- /dev/null +++ b/tracking_denials/hal_audio_default.te @@ -0,0 +1,2 @@ +# b/129111829 +dontaudit hal_audio_default exported3_system_prop:file read; diff --git a/tracking_denials/hal_face_default.te b/tracking_denials/hal_face_default.te new file mode 100644 index 0000000..1be13a5 --- /dev/null +++ b/tracking_denials/hal_face_default.te @@ -0,0 +1,2 @@ +# b/134894179 +dontaudit hal_face_default exported_camera_prop:file read; diff --git a/tracking_denials/hal_graphics_allocator_default.te b/tracking_denials/hal_graphics_allocator_default.te new file mode 100644 index 0000000..68eb040 --- /dev/null +++ b/tracking_denials/hal_graphics_allocator_default.te @@ -0,0 +1,2 @@ +# b/149542444 +dontaudit hal_graphics_allocator_default sysfs_msm_subsys:dir search; diff --git a/tracking_denials/ims.te b/tracking_denials/ims.te new file mode 100644 index 0000000..255f3ec --- /dev/null +++ b/tracking_denials/ims.te @@ -0,0 +1,2 @@ +# b/129460752 +dontaudit ims sysfs_faceauth:dir search; diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te new file mode 100644 index 0000000..d4039af --- /dev/null +++ b/tracking_denials/init-insmod-sh.te @@ -0,0 +1,2 @@ +# b/149543972 +dontaudit init-insmod-sh proc_cmdline:file read; diff --git a/tracking_denials/init.te b/tracking_denials/init.te new file mode 100644 index 0000000..d4ce80b --- /dev/null +++ b/tracking_denials/init.te @@ -0,0 +1,2 @@ +# b/149542343 +dontaudit init kernel:system module_request; diff --git a/tracking_denials/location.te b/tracking_denials/location.te new file mode 100644 index 0000000..6e64ef1 --- /dev/null +++ b/tracking_denials/location.te @@ -0,0 +1,2 @@ +# b/149544069 +dontaudit location qtidataservices_app:binder call; diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te new file mode 100644 index 0000000..d58e641 --- /dev/null +++ b/tracking_denials/platform_app.te @@ -0,0 +1,2 @@ +# b/149542783 +dontaudit platform_app sysfs_msm_subsys:dir search; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te new file mode 100644 index 0000000..3878ed5 --- /dev/null +++ b/tracking_denials/priv_app.te @@ -0,0 +1,2 @@ +# b/149543179 +dontaudit priv_app sysfs_msm_subsys:file read; diff --git a/tracking_denials/radio.te b/tracking_denials/radio.te new file mode 100644 index 0000000..7a81617 --- /dev/null +++ b/tracking_denials/radio.te @@ -0,0 +1,2 @@ +# b/129455852 +dontaudit radio proc_filesystems:file read; diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te new file mode 100644 index 0000000..9c96382 --- /dev/null +++ b/tracking_denials/surfaceflinger.te @@ -0,0 +1,2 @@ +# b/149544591 +dontaudit surfaceflinger sysfs_msm_subsys:dir search; diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te new file mode 100644 index 0000000..7037625 --- /dev/null +++ b/tracking_denials/system_app.te @@ -0,0 +1,3 @@ +# b/149544592 +dontaudit system_app apk_verity_prop:file read; +dontaudit system_app sysfs_msm_subsys:dir search; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te new file mode 100644 index 0000000..79d8a91 --- /dev/null +++ b/tracking_denials/system_server.te @@ -0,0 +1,2 @@ +# b/149544018 +dontaudit system_server sysfs_msm_subsys:file read; diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te new file mode 100644 index 0000000..3f996b5 --- /dev/null +++ b/tracking_denials/tee.te @@ -0,0 +1,2 @@ +# b/132393475 +dontaudit tee sysfs_wake_lock:file append; diff --git a/tracking_denials/thermal-engine.te b/tracking_denials/thermal-engine.te new file mode 100644 index 0000000..9fd5ba2 --- /dev/null +++ b/tracking_denials/thermal-engine.te @@ -0,0 +1,9 @@ +# b/124250714 +dontaudit thermal-engine socket_device:dir write; +dontaudit thermal-engine sysfs_batteryinfo:dir search; +dontaudit thermal-engine sysfs:dir read; +dontaudit thermal-engine sysfs_esoc:dir search; +dontaudit thermal-engine sysfs_faceauth:dir search; +dontaudit thermal-engine sysfs_leds:dir search; +dontaudit thermal-engine sysfs_soc:dir search; +dontaudit thermal-engine sysfs_ssr:file read; diff --git a/tracking_denials/time_daemon.te b/tracking_denials/time_daemon.te new file mode 100644 index 0000000..a3ab78c --- /dev/null +++ b/tracking_denials/time_daemon.te @@ -0,0 +1,3 @@ +# b/136426663 +dontaudit time_daemon sysfs_esoc:dir search; +dontaudit time_daemon sysfs_msm_subsys:dir search; diff --git a/tracking_denials/untrusted_app_29.te b/tracking_denials/untrusted_app_29.te new file mode 100644 index 0000000..047852d --- /dev/null +++ b/tracking_denials/untrusted_app_29.te @@ -0,0 +1,2 @@ +# b/149544802 +dontaudit untrusted_app_29 sysfs_msm_subsys:dir search; diff --git a/tracking_denials/vendor_pd_mapper.te b/tracking_denials/vendor_pd_mapper.te new file mode 100644 index 0000000..4930dd1 --- /dev/null +++ b/tracking_denials/vendor_pd_mapper.te @@ -0,0 +1,3 @@ +# b/129744410 +dontaudit vendor_pd_mapper sysfs_esoc:dir search; +dontaudit vendor_pd_mapper sysfs_msm_subsys:dir search; diff --git a/tracking_denials/wcnss_service.te b/tracking_denials/wcnss_service.te new file mode 100644 index 0000000..9b4b83d --- /dev/null +++ b/tracking_denials/wcnss_service.te @@ -0,0 +1,2 @@ +# b/130262158 +dontaudit wcnss_service kernel:system module_request; diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts index fd3d5ff..115ab75 100644 --- a/vendor/google/file_contexts +++ b/vendor/google/file_contexts @@ -28,6 +28,7 @@ /vendor/bin/hw/android\.hardware\.authsecret@1\.0-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.face@1\.0-service\.google u:object_r:hal_face_default_exec:s0 /vendor/bin/hw/android\.hardware\.camera\.provider@2\.4-service-google u:object_r:hal_camera_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha u:object_r:hal_neuralnetworks_darwinn_exec:s0 /vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0 @@ -42,7 +43,7 @@ /vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0 /vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0 /vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0 -/vendor/bin/hw/hardware\.google\.light@1\.0-service u:object_r:hal_light_default_exec:s0 +/vendor/bin/hw/hardware\.google\.light@1\.1-service u:object_r:hal_light_default_exec:s0 /vendor/bin/hw/vendor\.google\.airbrush@1\.0-service u:object_r:airbrush_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0 @@ -53,13 +54,13 @@ /vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0 /vendor/bin/modem_svc u:object_r:modem_svc_exec:s0 /vendor/bin/ramoops u:object_r:ramoops_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service\.coral u:object_r:hal_dumpstate_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.dumpstate@1\.[01]-service\.coral u:object_r:hal_dumpstate_impl_exec:s0 /vendor/bin/ramdump u:object_r:ramdump_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 -/vendor/bin/hw/vendor\.google\.wireless_charger@1\.0-service-vendor u:object_r:hal_wlc_exec:s0 +/vendor/bin/hw/vendor\.google\.wireless_charger@1\.1-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.graphics\.composer@2\.3-service-sm8150 u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/init_dp.sh u:object_r:init_dp_exec:s0 diff --git a/vendor/google/google_camera_app.te b/vendor/google/google_camera_app.te index 195bef2..f62d4e7 100644 --- a/vendor/google/google_camera_app.te +++ b/vendor/google/google_camera_app.te @@ -36,10 +36,6 @@ allow google_camera_app mediadrmserver_service:service_manager find; allow google_camera_app radio_service:service_manager find; allow google_camera_app app_api_service:service_manager find; allow google_camera_app vr_manager_service:service_manager find; -allow google_camera_app gpu_service:service_manager find; - -# Allow untrusted apps to interact with gpuservice -binder_call(google_camera_app, gpuservice) # gdbserver for ndk-gdb ptrace attaches to app process. allow google_camera_app self:process ptrace; diff --git a/vendor/qcom/common/hal_contexthub.te b/vendor/google/hal_contexthub.te index 10c5d53..10c5d53 100644 --- a/vendor/qcom/common/hal_contexthub.te +++ b/vendor/google/hal_contexthub.te diff --git a/vendor/google/hal_dumpstate_impl.te b/vendor/google/hal_dumpstate_impl.te index 8f8d432..450c2d2 100644 --- a/vendor/google/hal_dumpstate_impl.te +++ b/vendor/google/hal_dumpstate_impl.te @@ -71,12 +71,8 @@ allow hal_dumpstate_impl debugfs_tracing_instances:file r_file_perms; # Access to modem files userdebug_or_eng(` - allow hal_dumpstate_impl modem_dump_file:dir create_dir_perms; - allow hal_dumpstate_impl modem_dump_file:file create_file_perms; allow hal_dumpstate_impl netmgrd_data_file:dir r_dir_perms; allow hal_dumpstate_impl netmgrd_data_file:file r_file_perms; - allow hal_dumpstate_impl vendor_radio_data_file:dir r_dir_perms; - allow hal_dumpstate_impl vendor_radio_data_file:file r_file_perms; allow hal_dumpstate_impl tcpdump_vendor_data_file:dir create_dir_perms; allow hal_dumpstate_impl tcpdump_vendor_data_file:file create_file_perms; allow hal_dumpstate_impl ssr_log_file:dir search; @@ -84,9 +80,14 @@ userdebug_or_eng(` allow hal_dumpstate_impl mpss_rfs_data_file:dir r_dir_perms; allow hal_dumpstate_impl mpss_rfs_data_file:file r_file_perms; - set_prop(hal_dumpstate_impl, vendor_modem_diag_prop) set_prop(hal_dumpstate_impl, vendor_tcpdump_log_prop) ') +allow hal_dumpstate_impl modem_dump_file:dir create_dir_perms; +allow hal_dumpstate_impl modem_dump_file:file create_file_perms; +allow hal_dumpstate_impl vendor_radio_data_file:dir r_dir_perms; +allow hal_dumpstate_impl vendor_radio_data_file:file r_file_perms; + +set_prop(hal_dumpstate_impl, vendor_modem_diag_prop) # Access to modem stat domain_auto_trans(hal_dumpstate_impl, modem_svc_exec, modem_svc) @@ -130,17 +131,23 @@ allow hal_dumpstate_impl shell_data_file:file getattr; # Access to knowles framework info allow hal_dumpstate_impl sysfs_knowles_info:file r_file_perms; -dontaudit hal_dumpstate_impl modem_dump_file:dir create_dir_perms; -dontaudit hal_dumpstate_impl modem_dump_file:file create_file_perms; +#dump sensors log +userdebug_or_eng(` + allow hal_dumpstate_impl sensors_vendor_data_file:dir r_dir_perms; + allow hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms; +') + +# Access to vendor logging property +set_prop(hal_dumpstate_impl, vendor_logging_prop) + dontaudit hal_dumpstate_impl netmgrd_data_file:dir r_dir_perms; dontaudit hal_dumpstate_impl netmgrd_data_file:file r_file_perms; -dontaudit hal_dumpstate_impl vendor_radio_data_file:dir r_dir_perms; -dontaudit hal_dumpstate_impl vendor_radio_data_file:file r_file_perms; dontaudit hal_dumpstate_impl tcpdump_vendor_data_file:dir create_dir_perms; dontaudit hal_dumpstate_impl tcpdump_vendor_data_file:file create_file_perms; dontaudit hal_dumpstate_impl ssr_log_file:dir search; dontaudit hal_dumpstate_impl ssr_log_file:file r_file_perms; dontaudit hal_dumpstate_impl mpss_rfs_data_file:dir r_dir_perms; dontaudit hal_dumpstate_impl mpss_rfs_data_file:file r_file_perms; -dontaudit hal_dumpstate_impl vendor_modem_diag_prop:file r_file_perms; dontaudit hal_dumpstate_impl vendor_tcpdump_log_prop:file r_file_perms; +dontaudit hal_dumpstate_impl sensors_vendor_data_file:dir r_dir_perms; +dontaudit hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms; diff --git a/vendor/google/refreshrate_app.te b/vendor/google/refreshrate_app.te index a0af245..c747bbf 100644 --- a/vendor/google/refreshrate_app.te +++ b/vendor/google/refreshrate_app.te @@ -1,11 +1,11 @@ type refreshrate_app, domain; app_domain(refreshrate_app); +hal_client_domain(refreshrate_app, hal_light) # Standard system services allow refreshrate_app app_api_service:service_manager find; allow refreshrate_app surfaceflinger_service:service_manager find; binder_call(refreshrate_app, gpuservice) - set_prop(refreshrate_app, vendor_display_prop); diff --git a/vendor/google/vendor_init.te b/vendor/google/vendor_init.te index 95aba95..678826e 100644 --- a/vendor/google/vendor_init.te +++ b/vendor/google/vendor_init.te @@ -29,3 +29,5 @@ userdebug_or_eng(` # Allow vendor_init to write vendor_tcpdump_log_prop on userdebug or eng ROM set_prop(vendor_init, vendor_tcpdump_log_prop) ') + +set_prop(vendor_init, vendor_logging_prop) diff --git a/vendor/qcom/common/diag.te b/vendor/qcom/common/diag.te index afaa9e0..3ad8432 100644 --- a/vendor/qcom/common/diag.te +++ b/vendor/qcom/common/diag.te @@ -1,5 +1,4 @@ type diag, domain; type diag_exec, exec_type, vendor_file_type, file_type; -userdebug_or_eng(` - init_daemon_domain(diag) -') + +init_daemon_domain(diag) diff --git a/vendor/qcom/common/hal_bluetooth_default.te b/vendor/qcom/common/hal_bluetooth_default.te index 6f1cb38..2b08fd4 100644 --- a/vendor/qcom/common/hal_bluetooth_default.te +++ b/vendor/qcom/common/hal_bluetooth_default.te @@ -5,7 +5,7 @@ allow hal_bluetooth_default hal_bluetooth_sar_hwservice:hwservice_manager { add userdebug_or_eng(` allow hal_bluetooth_default diag_device:chr_file rw_file_perms; allow hal_bluetooth_default ramdump_vendor_data_file:dir rw_dir_perms; - allow hal_bluetooth_default ramdump_vendor_data_file:file { create w_file_perms }; + allow hal_bluetooth_default ramdump_vendor_data_file:file { create rw_file_perms }; r_dir_file(hal_bluetooth_default, debugfs_ipc) set_prop(hal_bluetooth_default, vendor_ssr_prop) ') diff --git a/vendor/qcom/common/hal_gnss_qti.te b/vendor/qcom/common/hal_gnss_qti.te index a09b551..d9675cd 100644 --- a/vendor/qcom/common/hal_gnss_qti.te +++ b/vendor/qcom/common/hal_gnss_qti.te @@ -25,3 +25,6 @@ allow hal_gnss_qti location_socket:dir rw_dir_perms; allow hal_gnss_qti location:unix_dgram_socket sendto; allow hal_gnss_qti self:qipcrtr_socket create_socket_perms_no_ioctl; + +# Allow Gnss HAL to get updates from health hal +hal_client_domain(hal_gnss_qti, hal_health) diff --git a/vendor/qcom/common/hal_sensors_default.te b/vendor/qcom/common/hal_sensors_default.te index 8f379bc..084992e 100644 --- a/vendor/qcom/common/hal_sensors_default.te +++ b/vendor/qcom/common/hal_sensors_default.te @@ -37,6 +37,10 @@ allow hal_sensors_default persist_file:lnk_file read; allow hal_sensors_default sysfs_ssr:file r_file_perms; +# For Suez metrics collection +allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find; +allow hal_sensors_default system_server:binder call; + dontaudit hal_sensors_default kernel:system module_request; dontaudit hal_sensors_default sysfs_esoc:dir r_dir_perms; dontaudit hal_sensors_default sysfs_faceauth:dir search; diff --git a/vendor/qcom/common/kernel.te b/vendor/qcom/common/kernel.te index 20294c4..2a6ca76 100644 --- a/vendor/qcom/common/kernel.te +++ b/vendor/qcom/common/kernel.te @@ -1,7 +1,5 @@ # For diag over socket -userdebug_or_eng(` - allow kernel self:qipcrtr_socket create; -') +allow kernel self:qipcrtr_socket create; allow kernel debugfs_batteryinfo:dir search; allow kernel debugfs_wlan:dir search; diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te index 6c421ba..10260fe 100644 --- a/vendor/qcom/common/property.te +++ b/vendor/qcom/common/property.te @@ -161,3 +161,7 @@ type vendor_modem_diag_prop, property_type; # Ramdump properties type vendor_ramdump_prop, property_type; + +# vendor logging property +type vendor_logging_prop, property_type; + diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts index 66b12ed..f663a72 100644 --- a/vendor/qcom/common/property_contexts +++ b/vendor/qcom/common/property_contexts @@ -80,3 +80,6 @@ vendor.media.ecoservice.log. u:object_r:ecoservice_prop:s0 persist.vendor.data.netmgr.log_to_file u:object_r:vendor_default_prop:s0 persist.vendor.ims. u:object_r:qcom_ims_prop:s0 persist.vendor.qti.telephony.vt_cam_interface u:object_r:public_vendor_default_prop:s0 + +# Vendor verbose logging prop +persist.vendor.verbose_logging_enabled u:object_r:vendor_logging_prop:s0 diff --git a/vendor/qcom/common/qlogd.te b/vendor/qcom/common/qlogd.te index d18b6d6..c023983 100644 --- a/vendor/qcom/common/qlogd.te +++ b/vendor/qcom/common/qlogd.te @@ -5,14 +5,12 @@ type qlogd_exec, exec_type, vendor_file_type, file_type; # make transition from init to its domain init_daemon_domain(qlogd) -userdebug_or_eng(` - allow qlogd diag_device:chr_file rw_file_perms; +allow qlogd diag_device:chr_file rw_file_perms; - allow qlogd vendor_radio_data_file:file create_file_perms; - allow qlogd vendor_radio_data_file:dir create_dir_perms; +allow qlogd vendor_radio_data_file:file create_file_perms; +allow qlogd vendor_radio_data_file:dir create_dir_perms; - set_prop(qlogd, vendor_modem_diag_prop) +set_prop(qlogd, vendor_modem_diag_prop) - allow qlogd self:socket create_socket_perms; - allowxperm qlogd self:socket ioctl msm_sock_ipc_ioctls; -') +allow qlogd self:socket create_socket_perms; +allowxperm qlogd self:socket ioctl msm_sock_ipc_ioctls; diff --git a/vendor/qcom/common/time_daemon.te b/vendor/qcom/common/time_daemon.te index 865ed0b..6a031cc 100644 --- a/vendor/qcom/common/time_daemon.te +++ b/vendor/qcom/common/time_daemon.te @@ -19,6 +19,8 @@ allow time_daemon time_data_file:dir w_dir_perms; allow time_daemon self:capability sys_time; allow time_daemon rtc_device:chr_file r_file_perms; allow time_daemon self:qipcrtr_socket create_socket_perms_no_ioctl; +allow time_daemon sysfs_soc:dir search; +allow time_daemon sysfs_soc:file r_file_perms; # b/68864350 dontaudit time_daemon unlabeled:dir search; |