diff options
| author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 04:37:01 +0000 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 04:37:01 +0000 |
| commit | 825246e51ebd25575ddbb923fac8e6b96c665570 (patch) | |
| tree | 64ebb72ac6c0a94e6681a65f122738969d518ef5 | |
| parent | d1e255663932cc4b893b56e57f296a760cbb319e (diff) | |
| parent | 130dee380511d71679dd56028cef257442bae0a4 (diff) | |
| download | redbull-sepolicy-android14-mainline-adservices-release.tar.gz | |
Snap for 10453563 from 130dee380511d71679dd56028cef257442bae0a4 to mainline-adservices-releaseaml_ads_341615050aml_ads_341517040aml_ads_341413000aml_ads_341316030aml_ads_341131050aml_ads_341027030aml_ads_340915050android14-mainline-adservices-release
Change-Id: I72a7b9f41fc38c6bc5a9030107bbc4e96f9ba8ee
29 files changed, 71 insertions, 17 deletions
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 0000000..016afc6 --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1,3 @@ +hal_drm_widevine default_prop file b/238263416 +hal_googlebattery dumpstate fd b/238263849 +shell qemu_sf_lcd_density_prop file b/238953936 diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te deleted file mode 100644 index b5b2ddc..0000000 --- a/tracking_denials/incidentd.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/187129195 -dontaudit incidentd apex_info_file:file getattr; diff --git a/vendor/google/dumpstate.te b/vendor/google/dumpstate.te index b3fc3dd..c69e874 100644 --- a/vendor/google/dumpstate.te +++ b/vendor/google/dumpstate.te @@ -15,3 +15,10 @@ allow dumpstate firmware_file:dir r_dir_perms; allow dumpstate firmware_file:filesystem getattr; dontaudit dumpstate debugfs_dma_buf:file r_file_perms; +dontaudit dumpstate incidentd:process sigkill; + +# dumpstate may trigger a screen capture using /system/bin/screencap. In this +# case, the gralloc implementation will attempt to retrieve information about +# the GPU using /sys/class/kgsl/**/gpu_model. +allow dumpstate sysfs_msm_subsys:dir search; +allow dumpstate sysfs_msm_subsys:file rw_file_perms; diff --git a/vendor/google/e2fs.te b/vendor/google/e2fs.te new file mode 100644 index 0000000..4d2b596 --- /dev/null +++ b/vendor/google/e2fs.te @@ -0,0 +1,2 @@ +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; diff --git a/vendor/google/file.te b/vendor/google/file.te index df68cd0..53a5f88 100644 --- a/vendor/google/file.te +++ b/vendor/google/file.te @@ -12,7 +12,6 @@ type sysfs_touch, sysfs_type, fs_type; type sysfs_power_stats_ignore, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; type sysfs_pixelstats, fs_type, sysfs_type; -type sysfs_wlc, sysfs_type, fs_type; type sysfs_pstore, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; @@ -50,3 +49,5 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; # Firmware mount type firmware_file, file_type, contextmount_type, vendor_file_type; allow firmware_file self:filesystem associate; + +type sysfs_wlc, sysfs_type, fs_type; diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts index 5ed23bc..5a0e30c 100644 --- a/vendor/google/file_contexts +++ b/vendor/google/file_contexts @@ -31,6 +31,8 @@ /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0 +/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor u:object_r:hal_wifi_ext_exec:s0 +/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/vendor.qti.hardware.display.composer-service u:object_r:hal_graphics_composer_default_exec:s0 diff --git a/vendor/google/fsck.te b/vendor/google/fsck.te index 1500b5f..7d94ea1 100644 --- a/vendor/google/fsck.te +++ b/vendor/google/fsck.te @@ -1 +1,3 @@ allow fsck persist_block_device:blk_file rw_file_perms; +allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; +allow fsck sysfs_scsi_devices_0000:file r_file_perms; diff --git a/vendor/google/genfs_contexts b/vendor/google/genfs_contexts index 36335f1..263f93b 100644 --- a/vendor/google/genfs_contexts +++ b/vendor/google/genfs_contexts @@ -94,7 +94,6 @@ genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.q genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,qpnp-smb5/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,usb-pdphy@1700/usbpd0/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm7250b@2:google,bms/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/soc/98c000.i2c/i2c-1/1-003b u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-02/c440000.qcom,spmi:qcom,pm7250b@2:qpnp,qg/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,qpnp-smb5/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-02/c440000.qcom,spmi:qcom,pm7250b@2:qcom,usb-pdphy@1700/usbpd0/power_supply u:object_r:sysfs_batteryinfo:s0 diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te index 4c8d81e..b41c009 100644 --- a/vendor/google/grilservice_app.te +++ b/vendor/google/grilservice_app.te @@ -5,6 +5,7 @@ app_domain(grilservice_app) allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; +allow grilservice_app hal_wifi_ext_service:service_manager find; allow grilservice_app app_api_service:service_manager find; binder_call(grilservice_app, hal_bluetooth_default) binder_call(grilservice_app, hal_radioext_default) diff --git a/vendor/google/hal_dumpstate_impl.te b/vendor/google/hal_dumpstate_impl.te index f82e156..122f35d 100644 --- a/vendor/google/hal_dumpstate_impl.te +++ b/vendor/google/hal_dumpstate_impl.te @@ -179,3 +179,5 @@ r_dir_file(hal_dumpstate_impl, sysfs_thermal) # Access to /sys/devices/soc0/serial_number r_dir_file(hal_dumpstate_impl, sysfs_soc) + +dontaudit hal_dumpstate_impl rootfs:dir rw_dir_perms; diff --git a/vendor/google/hal_health_default.te b/vendor/google/hal_health_default.te index 9bca064..c9e6a0b 100644 --- a/vendor/google/hal_health_default.te +++ b/vendor/google/hal_health_default.te @@ -1,5 +1,4 @@ r_dir_file(hal_health_default, sysfs_scsi_devices_0000) -r_dir_file(hal_health_default, sysfs_wlc) set_prop(hal_health_default, vendor_shutdown_prop) set_prop(hal_health_default, vendor_battery_defender_prop) @@ -7,7 +6,6 @@ allow hal_health_default fwk_stats_hwservice:hwservice_manager find; allow hal_health_default fwk_stats_service:service_manager find; binder_use(hal_health_default) -allow hal_health_default sysfs_wlc:dir r_dir_perms; allow hal_health_default sysfs_thermal:dir r_dir_perms; allow hal_health_default sysfs_thermal:file rw_file_perms; allow hal_health_default persist_file:dir search; diff --git a/vendor/google/hal_radioext_default.te b/vendor/google/hal_radioext_default.te index 03d17e2..1a6ac35 100644 --- a/vendor/google/hal_radioext_default.te +++ b/vendor/google/hal_radioext_default.te @@ -19,6 +19,7 @@ allow hal_radioext_default self:qipcrtr_socket create_socket_perms_no_ioctl; allowxperm hal_radioext_default self:socket ioctl msm_sock_ipc_ioctls; allow hal_radioext_default hal_wifi_ext_hwservice:hwservice_manager find; +allow hal_radioext_default hal_wifi_ext_service:service_manager find; allow hal_radioext_default hal_wifi_ext:binder call; allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; diff --git a/vendor/google/hal_vibrator_default.te b/vendor/google/hal_vibrator_default.te index 0f5ab39..0ba33f2 100644 --- a/vendor/google/hal_vibrator_default.te +++ b/vendor/google/hal_vibrator_default.te @@ -9,3 +9,4 @@ allow hal_vibrator_default sysfs_thermal:file r_file_perms; get_prop(hal_vibrator_default, vendor_vibrator_prop); binder_call(hal_vibrator_default, system_server) allow hal_vibrator_default fwk_sensor_hwservice:hwservice_manager find; +allow hal_vibrator_default fwk_sensor_service:service_manager find; diff --git a/vendor/google/hal_wifi_ext.te b/vendor/google/hal_wifi_ext.te index 880f944..32aa39c 100644 --- a/vendor/google/hal_wifi_ext.te +++ b/vendor/google/hal_wifi_ext.te @@ -6,6 +6,7 @@ init_daemon_domain(hal_wifi_ext) # Allow to start the IWifi:wifi_ext service add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice); +add_service(hal_wifi_ext, hal_wifi_ext_service) # Allow wifi hal access to LOWI allow hal_wifi_ext location:unix_stream_socket connectto; diff --git a/vendor/google/hal_wireless_charger.te b/vendor/google/hal_wireless_charger.te new file mode 100644 index 0000000..f2e0b3a --- /dev/null +++ b/vendor/google/hal_wireless_charger.te @@ -0,0 +1,8 @@ +type hal_wireless_charger, domain; +type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; + +# QCOM device only +allow hal_wireless_charger sysfs_chargelevel:file rw_file_perms; + +allow hal_wlc sysfs_wlc:dir r_dir_perms; +allow hal_wlc sysfs_wlc:file rw_file_perms; diff --git a/vendor/google/hal_wlc.te b/vendor/google/hal_wlc.te index dc0c21d..0339bbe 100644 --- a/vendor/google/hal_wlc.te +++ b/vendor/google/hal_wlc.te @@ -9,7 +9,5 @@ get_prop(hal_wlc, hwservicemanager_prop) # Allow access to /sys/class/power_supply/wireless r_dir_file(hal_wlc, sysfs_batteryinfo) -allow hal_wlc sysfs_wlc:dir r_dir_perms; -allow hal_wlc sysfs_wlc:file rw_file_perms; allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; diff --git a/vendor/google/platform_app.te b/vendor/google/platform_app.te index 2dfbc86..03004b3 100644 --- a/vendor/google/platform_app.te +++ b/vendor/google/platform_app.te @@ -8,3 +8,6 @@ allow platform_app nfc_service:service_manager find; allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) + +allow platform_app hal_wireless_charger_service:service_manager find; +binder_call(platform_app, hal_wireless_charger) diff --git a/vendor/google/service.te b/vendor/google/service.te index 9c935e9..cc65c0e 100644 --- a/vendor/google/service.te +++ b/vendor/google/service.te @@ -1 +1,4 @@ -type hal_pixel_display_service, service_manager_type, vendor_service; +type hal_pixel_display_service, service_manager_type, hal_service_type; +type hal_wifi_ext_service, service_manager_type, hal_service_type; + +type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; diff --git a/vendor/google/service_contexts b/vendor/google/service_contexts index 4bac73b..a14f133 100644 --- a/vendor/google/service_contexts +++ b/vendor/google/service_contexts @@ -1,2 +1,5 @@ android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 +vendor.google.wifi_ext.IWifiExt/default u:object_r:hal_wifi_ext_service:s0 + +vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 diff --git a/vendor/google/ssr_detector.te b/vendor/google/ssr_detector.te index 039eadc..3a44e9a 100644 --- a/vendor/google/ssr_detector.te +++ b/vendor/google/ssr_detector.te @@ -16,7 +16,8 @@ get_prop(ssr_detector_app, vendor_wifi_version) get_prop(ssr_detector_app, vendor_adsp_version_prop) # ssr_detector app's data type is system_app_data_file. -allow ssr_detector_app system_app_data_file:dir { getattr search }; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; +allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app cgroup:file w_file_perms; diff --git a/vendor/google/su.te b/vendor/google/su.te new file mode 100644 index 0000000..917c2b3 --- /dev/null +++ b/vendor/google/su.te @@ -0,0 +1,2 @@ +# Ignore access to firmware_file (may be triggered by tradefed). +dontaudit su firmware_file:filesystem *; diff --git a/vendor/google/system_app.te b/vendor/google/system_app.te index a7de933..9499c59 100644 --- a/vendor/google/system_app.te +++ b/vendor/google/system_app.te @@ -2,4 +2,7 @@ allow system_app hal_wlc_hwservice:hwservice_manager find; binder_call(system_app, hal_wlc) binder_call(hal_wlc, system_app) -allow system_app fwk_stats_hwservice:hwservice_manager find;
\ No newline at end of file +allow system_app fwk_stats_hwservice:hwservice_manager find; + +allow system_app hal_wireless_charger_service:service_manager find; +binder_call(system_app, hal_wireless_charger) diff --git a/vendor/qcom/common/chre.te b/vendor/qcom/common/chre.te index 47cbf52..4006a66 100644 --- a/vendor/qcom/common/chre.te +++ b/vendor/qcom/common/chre.te @@ -10,3 +10,7 @@ wakelock_use(chre) # Allow CHRE to obtain audio hal_client_domain(chre, hal_audio) + +# Allow CHRE host to talk to the stats service +allow chre fwk_stats_service:service_manager find; +binder_call(chre, stats_service_server) diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts index 5000974..99df651 100644 --- a/vendor/qcom/common/file_contexts +++ b/vendor/qcom/common/file_contexts @@ -52,8 +52,8 @@ /(vendor|system/vendor)/bin/subsystem_ramdump u:object_r:vendor_subsystem_ramdump_exec:s0 /(vendor|system/vendor)/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0 /(vendor|system/vendor)/bin/hw/qcrild u:object_r:rild_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-(service|service-lazy)\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-(service|service-lazy)\.widevine(-v17)? u:object_r:hal_drm_widevine_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0 diff --git a/vendor/qcom/common/qtelephony.te b/vendor/qcom/common/qtelephony.te index c93440a..a065040 100644 --- a/vendor/qcom/common/qtelephony.te +++ b/vendor/qcom/common/qtelephony.te @@ -2,8 +2,6 @@ type qtelephony, domain; app_domain(qtelephony) -add_hwservice(qtelephony, vnd_atcmdfwd_hwservice) - allow qtelephony app_api_service:service_manager find; allow qtelephony hal_imsrtp_hwservice:hwservice_manager find; allow qtelephony hal_telephony_service:service_manager find; @@ -28,3 +26,6 @@ set_prop(qtelephony, vendor_qcom_ims_prop) userdebug_or_eng(` allow qtelephony diag_device:chr_file rw_file_perms; ') + +# b/265255811#comment26 Ignore access AIDL as we freezed target for HIDL +dontaudit qtelephony default_android_service:service_manager { find }; diff --git a/vendor/qcom/common/radio.te b/vendor/qcom/common/radio.te index 487f74f..216ada1 100644 --- a/vendor/qcom/common/radio.te +++ b/vendor/qcom/common/radio.te @@ -4,6 +4,9 @@ binder_call(radio, hal_rcsservice) allow radio hal_imsrtp_hwservice:hwservice_manager find; allow radio mediaextractor_service:service_manager find; + +add_hwservice(radio, vnd_atcmdfwd_hwservice) + userdebug_or_eng(` allow radio diag_device:chr_file rw_file_perms; ') diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te index 7497c88..9da5a97 100644 --- a/vendor/qcom/common/service.te +++ b/vendor/qcom/common/service.te @@ -1 +1 @@ -type hal_telephony_service, service_manager_type, vendor_service, protected_service; +type hal_telephony_service, service_manager_type, hal_service_type, protected_service; diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts index c11263b..48db21b 100644 --- a/vendor/qcom/common/service_contexts +++ b/vendor/qcom/common/service_contexts @@ -1,3 +1,10 @@ vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0 vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_service:s0 vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_service:s0 +vendor.qti.hardware.radio.am.IQcRilAudio/slot1 u:object_r:hal_telephony_service:s0 +vendor.qti.hardware.radio.am.IQcRilAudio/slot2 u:object_r:hal_telephony_service:s0 +vendor.qti.hardware.radio.qcrilhook.IQtiOemHook/oemhook0 u:object_r:radio_service:s0 +vendor.qti.hardware.radio.qcrilhook.IQtiOemHook/oemhook1 u:object_r:radio_service:s0 + +vendor.qti.hardware.radio.atcmdfwd.IAtCmdFwd/AtCmdFwdAidl u:object_r:radio_service:s0 +vendor.qti.hardware.radio.atfwd.IAtFwd/AtFwdAidl u:object_r:radio_service:s0 diff --git a/vendor/st/file_contexts b/vendor/st/file_contexts index 9a3ea7e..b9031f8 100644 --- a/vendor/st/file_contexts +++ b/vendor/st/file_contexts @@ -1,6 +1,6 @@ ################################### # vendor binaries -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0 |