author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 04:58:33 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 04:58:33 +0000 |
commit | ec896334aed8b52e700a2573a032f65ac68b1bae (patch) | |
tree | 6b5e8330eca35e7aca98670351519169932b4191 | |
parent | ea39396cd5b4d80f75e7d051f7aa48022b809013 (diff) | |
parent | 6ce29d087ac30fa683baf9733ff9f1ee984750a4 (diff) | |
Snap for 10453563 from 6ce29d087ac30fa683baf9733ff9f1ee984750a4 to mainline-os-statsd-releaseaml_sta_341710000aml_sta_341615000aml_sta_341511040aml_sta_341410000aml_sta_341311010aml_sta_341114000aml_sta_341111000aml_sta_341010020aml_sta_340912000aml_sta_340911000aml_net_341111030android14-mainline-os-statsd-release
Change-Id: Ic5ae5c95cdd0d50bd5e7a77b22cb39025ed423e5
-rw-r--r-- | bluetooth/device.te | 1 | ||||
-rw-r--r-- | bluetooth/file_contexts | 7 | ||||
-rw-r--r-- | bluetooth/hal_bluetooth_default.te | 1 | ||||
-rw-r--r-- | lynx-sepolicy.mk | 1 | ||||
-rw-r--r-- | tracking_denials/bug_map | 5 | ||||
-rw-r--r-- | tracking_denials/dumpstate.te | 2 | ||||
-rw-r--r-- | tracking_denials/grilservice_app.te | 1 | ||||
-rw-r--r-- | tracking_denials/hal_vibrator_default.te | 2 | ||||
-rw-r--r-- | vendor/cnss-daemon.te | 20 | ||||
-rw-r--r-- | vendor/file.te | 4 | ||||
-rw-r--r-- | vendor/file_contexts | 1 | ||||
-rw-r--r-- | vendor/genfs_contexts | 49 | ||||
-rw-r--r-- | vendor/hal_dumpstate_default.te | 2 | ||||
-rw-r--r-- | vendor/hal_power_stats_default.te | 2 | ||||
-rw-r--r-- | vendor/hal_radioext_default.te | 1 | ||||
-rw-r--r-- | vendor/hal_wifi_default.te | 19 | ||||
-rw-r--r-- | vendor/hal_wifi_ext.te | 4 | ||||
-rw-r--r-- | vendor/logger_app.te | 3 | ||||
-rw-r--r-- | vendor/lowi_server.te | 3 | ||||
-rw-r--r-- | vendor/tcpdump_logger.te | 3 | ||||
-rw-r--r-- | vendor/vendor_init.te | 2 | ||||
-rw-r--r-- | vendor/vendor_location.te | 5 | ||||
-rw-r--r-- | vendor/wifi_perf_diag.te | 3 | ||||
-rw-r--r-- | vendor/wifi_sniffer.te | 4 |
24 files changed, 141 insertions, 4 deletions
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index 7ed13ad..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type bt_device, dev_type;
diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts
index da02008..5560dc7 100644
--- a/bluetooth/file_contexts
+++ b/bluetooth/file_contexts
@@ -1,5 +1,10 @@
-# Bluetooth
+# Bluetooth HAL service
 /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
+# Bluetooth Vendor nodes
 /dev/btpower u:object_r:bt_device:s0
 /dev/ttySAC18 u:object_r:hci_attach_dev:s0
+
+# Bluetooth Debuggable HAL nodes
+/dev/logbuffer_btpower u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty18 u:object_r:logbuffer_device:s0
diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te
index dcd2b7f..8bbfa77 100644
--- a/bluetooth/hal_bluetooth_default.te
+++ b/bluetooth/hal_bluetooth_default.te
@@ -3,6 +3,7 @@ allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
 add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
 userdebug_or_eng(`
+ allow hal_bluetooth_default logbuffer_device:chr_file r_file_perms;
 allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms;
 allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms };
 set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
diff --git a/lynx-sepolicy.mk b/lynx-sepolicy.mk
index 6efe95c..4c770e4 100644
--- a/lynx-sepolicy.mk
+++ b/lynx-sepolicy.mk
@@ -1,2 +1,3 @@
 # sepolicy that are shared among devices using whitechapel
 BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/tracking_denials
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..a364f18
--- /dev/null
+++ b/tracking_denials/bug_map
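Review bot: The `bt_device` type declaration is deleted from bluetooth/device.te, yet bluetooth/file_contexts in this same line still labels `/dev/btpower` as `bt_device` and the hal_bluetooth_default.te hunk still references it in its context line. The policy only compiles if `bt_device` is now declared in another directory on BOARD_SEPOLICY_DIRS, which this diff does not show; a comment next to the label, e.g. `# bt_device is declared in <shared-sepolicy-dir>/device.te`, would spare the next reader the search and make an accidental double declaration obvious. The new `/dev/logbuffer_*` labels are applied unconditionally while the read rule in hal_bluetooth_default.te stays inside `userdebug_or_eng`, which is the right split: the label is harmless, the access is what must remain debug-only.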
@@ -0,0 +1,5 @@
+crash_dump vendor_slog_file dir b/238837168
+hal_camera_default boot_status_prop file b/275002086
+hal_camera_default edgetpu_app_service service_manager b/275002086
+kernel vendor_charger_debugfs dir b/239887174
+kernel vendor_regmap_debugfs dir b/238143398
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 0000000..13af0d5
--- /dev/null
+++ b/tracking_denials/dumpstate.te
@@ -0,0 +1,2 @@
+# b/277155327
+dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te
new file mode 100644
index 0000000..cf98a89
--- /dev/null
+++ b/tracking_denials/grilservice_app.te
@@ -0,0 +1 @@
+dontaudit grilservice_app hal_bluetooth_default:binder call;
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 0000000..ece806d
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/277300226
+dontaudit hal_vibrator_default default_android_service:service_manager { find };
diff --git a/vendor/cnss-daemon.te b/vendor/cnss-daemon.te
new file mode 100644
index 0000000..e6ea641
--- /dev/null
+++ b/vendor/cnss-daemon.te
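Review bot: `dontaudit grilservice_app hal_bluetooth_default:binder call;` in tracking_denials/grilservice_app.te is the only new tracking_denials entry without a bug reference; the sibling files dumpstate.te and hal_vibrator_default.te each open with a `# b/NNN` line and every bug_map row carries an id. A dontaudit with no owner tends to outlive the problem it papers over and silently hides the denial from later audits, so add `# b/<tracking-bug>` above the rule, or express it as a bug_map row where the id is mandatory. Silencing a binder call from an app domain to a HAL is also the kind of suppression that should name what is expected to replace it.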
@@ -0,0 +1,20 @@
+# cnss-daemon service
+type cnss-daemon, domain;
+type cnss-daemon_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(cnss-daemon)
+
+net_domain(cnss-daemon)
+
+allow cnss-daemon self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow cnss-daemon self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+# /data/vendor/wifi/
+allow cnss-daemon vendor_wifi_vendor_data_file:dir create_dir_perms;
+allow cnss-daemon vendor_wifi_vendor_data_file:file create_file_perms;
+
+# /proc/sys/net/ipv4/tcp_adv_win_scal
+allow cnss-daemon proc_net:file rw_file_perms;
+
+# /sys/class/remoteproc
+allow cnss-daemon sysfs_cnss_daemon:dir r_dir_perms;
+allow cnss-daemon sysfs_cnss_daemon:file r_file_perms;
diff --git a/vendor/file.te b/vendor/file.te
index 2553c74..7f9aa22 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -2,4 +2,6 @@ type vendor_location_data_file, file_type, data_file_type;
 type vendor_location_socket, file_type;
 type vendor_wifi_vendor_data_file, file_type, data_file_type;
 type vendor_wifihal_socket, file_type;
-type vendor_location_sysfs, fs_type, sysfs_type;
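Review bot: `allow cnss-daemon proc_net:file rw_file_perms;` grants read and write on every file labelled `proc_net` (all of /proc/net and /proc/sys/net), although the comment above it names a single sysctl, and that comment is truncated — the kernel sysctl is `tcp_adv_win_scale`. This same commit already shows the narrower pattern for `/proc/debugdriver/driverdump`: a dedicated `vendor_proc_wifi_dbg` type plus a `genfscon proc` entry; labelling the one sysctl the same way would confine the daemon's write access to that file. At minimum correct the comment to `# /proc/sys/net/ipv4/tcp_adv_win_scale`. Since the domain also gets `net_domain(cnss-daemon)` and `qipcrtr_socket` create permissions, keeping its writable file surface small is what limits the impact of a compromised daemon.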
\ No newline at end of file
+type vendor_location_sysfs, fs_type, sysfs_type;
+type vendor_proc_wifi_dbg, fs_type, proc_type;
+type sysfs_cnss_daemon, fs_type, sysfs_type;
\ No newline at end of file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d692577..bc7e2fc 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -15,3 +15,4 @@
 /dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
 /vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
 /vendor/bin/lowi-server u:object_r:lowi_server_exec:s0
+/vendor/bin/cnss-daemon u:object_r:cnss-daemon_exec:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index b51cb91..d85e7b7 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
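Review bot: The vendor/file.te hunk rewrites the file's last line but the new side still ends with `\ No newline at end of file`; since the commit already touches that line, terminating `type sysfs_cnss_daemon, fs_type, sysfs_type;` with a newline would stop the marker from reappearing in every future diff of this file. The `sysfs_cnss_daemon` type declared here is named after its consumer domain rather than the resource it labels, which makes the rule read oddly as soon as a second domain needs the same sysfs node; a resource-named type would be the usual choice, but the rename belongs with the genfs_contexts entry that applies it.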
@@ -3,3 +3,52 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u
 # Wifi
 genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
+genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0
+
+# BMS
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# System Suspend
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0
+
+# PowerStats
+genfscon sysfs /kernel/wifi/power_stats u:object_r:sysfs_power_stats:s0
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
new file mode 100644
index 0000000..d513b88
--- /dev/null
+++ b/vendor/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+# b/267839070
+dontaudit hal_dumpstate_default sysfs:dir { read };
diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te
new file mode 100644
index 0000000..24527f9
--- /dev/null
+++ b/vendor/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+# Needed to detect wifi on/off
+get_prop(hal_power_stats_default, wifi_hal_prop)
diff --git a/vendor/hal_radioext_default.te b/vendor/hal_radioext_default.te
new file mode 100644
index 0000000..1620f2b
--- /dev/null
+++ b/vendor/hal_radioext_default.te
@@ -0,0 +1 @@
+binder_call(hal_radioext_default, hal_bluetooth_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..418aba5
--- /dev/null
+++ b/vendor/hal_wifi_default.te
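Review bot: `genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0` labels a generic sysfs class directory with a type named after its one consumer; /sys/class/remoteproc presumably enumerates every remote processor on the SoC, not only the WLAN one, so a resource-named type such as `sysfs_remoteproc` would still read correctly when a second domain needs the same node. In the hal_dumpstate_default.te hunk on this same line, `dontaudit hal_dumpstate_default sysfs:dir { read };` under `# b/267839070` is a bug-tracked suppression placed in vendor/ while this commit adds tracking_denials/ for exactly that purpose; moving it there keeps every tracked denial in one place. That rule also targets the generic `sysfs` type, so it hides read denials on every unlabelled sysfs directory, not just the one the bug is about — consider narrowing it once the directory in question is known.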
@@ -0,0 +1,19 @@
+allow hal_wifi_default vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_default vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_default vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_default lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms;
+
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg);
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_default, vendor_wifi_version)
diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te
index a16d595..fbe187d 100644
--- a/vendor/hal_wifi_ext.te
+++ b/vendor/hal_wifi_ext.te
@@ -1,4 +1,5 @@
 allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_ext vendor_wifi_vendor_data_file:dir rw_dir_perms;
 
 # write to files owned by location daemon
 allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms;
@@ -10,3 +11,6 @@ allow hal_wifi_ext lowi_server:unix_dgram_socket sendto;
 unix_socket_connect(hal_wifi, vendor_location, vendor_location)
 allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms;
 allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms;
+
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_ext, vendor_proc_wifi_dbg);
diff --git a/vendor/logger_app.te b/vendor/logger_app.te
new file mode 100644
index 0000000..26c0cc6
--- /dev/null
+++ b/vendor/logger_app.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow logger_app vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
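Review bot: The comment `# allow hal_wifi to write into /proc/debugdriver/driverdump` sits above `r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg);`, which grants only read and directory-search permissions on that type, so either the comment or the rule is wrong; the identical pair is added to vendor/hal_wifi_ext.te in this same line. If reading is what the HAL needs, change the comment to `# allow hal_wifi to read /proc/debugdriver/driverdump`; if writing is needed, say so in the rule, since a write denial would only surface at runtime on a device. The new file also mixes the `hal_wifi` attribute in `unix_socket_connect(hal_wifi, vendor_location, vendor_location)` with the `hal_wifi_default` domain used by every other rule; this mirrors hal_wifi_ext.te, but the attribute form grants the connect to every domain carrying hal_wifi, which is worth stating in the comment if intended. The trailing `;` after the m4 macro call matches the existing `unix_socket_send(...)` line in lowi_server.te, so it presumably builds, but it is inconsistent with the `set_prop(...)` call a few lines below.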
diff --git a/vendor/lowi_server.te b/vendor/lowi_server.te
index c1281f9..21dfb81 100644
--- a/vendor/lowi_server.te
+++ b/vendor/lowi_server.te
@@ -10,7 +10,7 @@ allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl;
 ## lowi-server
 ##############
 allow lowi_server vendor_location:fd use;
-allow lowi_server vendor_location:unix_dgram_socket sendto;
+allow lowi_server vendor_location:unix_dgram_socket {sendto read write};
 
 # some additional network access
 allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl;
@@ -28,6 +28,7 @@ allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto;
 allow lowi_server vendor_wifihal_socket:dir rw_dir_perms;
 allow lowi_server vendor_wifihal_socket:sock_file create_file_perms;
 allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_default);
 unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext);
 
 # /dev/socket/vendor_location
diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te
new file mode 100644
index 0000000..9f00bb7
--- /dev/null
+++ b/vendor/tcpdump_logger.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow tcpdump_logger vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 0000000..cc2e3ad
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1,2 @@
+# Camera
+set_prop(vendor_init, vendor_camera_prop)
diff --git a/vendor/vendor_location.te b/vendor/vendor_location.te
index cefcd49..b41c6a8 100644
--- a/vendor/vendor_location.te
+++ b/vendor/vendor_location.te
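Review bot: Widening `allow lowi_server vendor_location:unix_dgram_socket sendto;` to `{sendto read write}` has no comment explaining why lowi_server needs read/write on a datagram socket owned by another domain — that is only meaningful when the descriptor itself is shared, which the neighbouring `allow lowi_server vendor_location:fd use;` suggests but the hunk does not state. A one-line comment above the rule, along the lines of `# vendor_location hands its socket fd to lowi_server; read/write apply to the inherited descriptor — confirm with the location owner`, would document the trust relationship, and the mirrored `{sendto read write}` rules added to vendor/vendor_location.te on the next line could carry the same wording. The new `unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_default);` follows the existing hal_wifi_ext line exactly, so it is consistent as written.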
@@ -13,3 +13,8 @@ allow vendor_location vendor_location_socket:dir rw_dir_perms;
 
 # /sys/devices/soc0/soc_id
 allow vendor_location vendor_location_sysfs:file create_file_perms;
+
+# /dev/socket/location/mq/*
+allow vendor_location lowi_server:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_default:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_ext:unix_dgram_socket {sendto read write};
diff --git a/vendor/wifi_perf_diag.te b/vendor/wifi_perf_diag.te
new file mode 100644
index 0000000..b49c0da
--- /dev/null
+++ b/vendor/wifi_perf_diag.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow wifi_perf_diag vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
diff --git a/vendor/wifi_sniffer.te b/vendor/wifi_sniffer.te
new file mode 100644
index 0000000..c1e5cfa
--- /dev/null
+++ b/vendor/wifi_sniffer.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ allow wifi_sniffer self:capability { setuid setgid };
+ allow wifi_sniffer vendor_wifi_vendor_data_file:dir rw_dir_perms;
+') |
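Review bot: `allow wifi_sniffer self:capability { setuid setgid };` in vendor/wifi_sniffer.te carries no comment saying why a capture tool needs to change its uid and gid; capability grants are the first thing a policy reviewer looks at, and a later reader cannot tell whether this is a privilege drop after the capture interface is opened or something else. Keeping the block under `userdebug_or_eng` is the right call so the capability never ships in user builds; add the actual reason above the rule, e.g. `# <why setuid/setgid is needed — confirm with the wifi_sniffer owner>`. The sibling files logger_app.te, tcpdump_logger.te and wifi_perf_diag.te grant only `vendor_wifi_vendor_data_file:dir rw_dir_perms` under the same gate, so wifi_sniffer is the one file that departs from the pattern and is the one that needs the explanation.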