-rw-r--r-- | private/tracking_denials.te | 7 | ||||
-rw-r--r-- | tracking_denials/bootanim.te | 2 | ||||
-rw-r--r-- | tracking_denials/flags_health_check.te | 111 | ||||
-rw-r--r-- | tracking_denials/grilservice_app.te | 3 | ||||
-rw-r--r-- | tracking_denials/hal_bootctl_default.te | 3 | ||||
-rw-r--r-- | tracking_denials/hal_power_default.te | 3 | ||||
-rw-r--r-- | tracking_denials/hal_sensors_default.te | 10 | ||||
-rw-r--r-- | tracking_denials/hal_wifi_ext.te | 2 | ||||
-rw-r--r-- | tracking_denials/init-insmod-sh.te | 1 | ||||
-rw-r--r-- | tracking_denials/init.te | 6 | ||||
-rw-r--r-- | tracking_denials/platform_app.te | 2 | ||||
-rw-r--r-- | tracking_denials/sensors.te | 9 | ||||
-rw-r--r-- | tracking_denials/shell.te | 6 | ||||
-rw-r--r-- | tracking_denials/system_app.te | 6 | ||||
-rw-r--r-- | tracking_denials/vendor_init.te | 3 | ||||
-rw-r--r-- | tracking_denials/vendor_misc_writer.te | 4 |
16 files changed, 18 insertions, 160 deletions
diff --git a/private/tracking_denials.te b/private/tracking_denials.te
new file mode 100644
index 0000000..167034b
--- /dev/null
+++ b/private/tracking_denials.te
@@ -0,0 +1,7 @@
+# b/152624411
+dontaudit linkerconfig self:capability kill;
+
+# b/152624073
+dontaudit system_suspend sysfs_batteryinfo:dir read;
+dontaudit system_suspend sysfs:dir read;
+dontaudit system_suspend sysfs_rtc:dir read;
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
deleted file mode 100644
index 9c8abab..0000000
--- a/tracking_denials/bootanim.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/148005188
-dontaudit bootanim kernel:system module_request;
diff --git a/tracking_denials/flags_health_check.te b/tracking_denials/flags_health_check.te
deleted file mode 100644
index 3b0bd47..0000000
--- a/tracking_denials/flags_health_check.te
+++ /dev/null
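Review bot: `dontaudit system_suspend sysfs:dir read;` in the b/152624073 group of private/tracking_denials.te is written against the generic `sysfs` type, so besides the denial being tracked it also silences reads of any sysfs directory that carries no specific label; the two neighbouring rules name labelled types and do not have that reach. Because dontaudit only drops the log record and the access stays denied, a later regression on an unlabelled node would fail without any trace in the audit log. I would mark that rule in the file, e.g. `# generic sysfs type: remove once the directory is labelled`. The `linkerconfig self:capability kill` entry likewise has no note on what requests the capability, and one line of context next to the bug number would help whoever closes it.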
@@ -1,111 +0,0 @@
-# b/150278974
-dontaudit flags_health_check adbd_prop:file { getattr map open };
-dontaudit flags_health_check apexd_prop:file { getattr map open };
-dontaudit flags_health_check apk_verity_prop:file { getattr map open };
-dontaudit flags_health_check bluetooth_a2dp_offload_prop:file { getattr map open };
-dontaudit flags_health_check bluetooth_audio_hal_prop:file { getattr map open };
-dontaudit flags_health_check bluetooth_prop:file { getattr map open };
-dontaudit flags_health_check bootloader_boot_reason_prop:file { getattr map open };
-dontaudit flags_health_check boottime_prop:file { getattr map open };
-dontaudit flags_health_check bpf_progs_loaded_prop:file { getattr map open };
-dontaudit flags_health_check camera_prop:file { getattr map open };
-dontaudit flags_health_check camera_ro_prop:file { getattr map open };
-dontaudit flags_health_check charger_prop:file { getattr map open };
-dontaudit flags_health_check cnd_vendor_prop:file { getattr map open };
-dontaudit flags_health_check cold_boot_done_prop:file { getattr map open };
-dontaudit flags_health_check cpu_variant_prop:file { getattr map open };
-dontaudit flags_health_check ctl_adbd_prop:file { getattr map open };
-dontaudit flags_health_check ctl_apexd_prop:file { getattr map open };
-dontaudit flags_health_check ctl_bootanim_prop:file { getattr map open };
-dontaudit flags_health_check ctl_bugreport_prop:file { getattr map open };
-dontaudit flags_health_check ctl_console_prop:file { getattr map open };
-dontaudit flags_health_check ctl_default_prop:file { getattr map open };
-dontaudit flags_health_check ctl_dumpstate_prop:file { getattr map open };
-dontaudit flags_health_check ctl_fuse_prop:file { getattr map open };
-dontaudit flags_health_check ctl_gsid_prop:file { getattr map open };
-dontaudit flags_health_check ctl_interface_restart_prop:file { getattr map open };
-dontaudit flags_health_check ctl_interface_start_prop:file { getattr map open };
-dontaudit flags_health_check ctl_interface_stop_prop:file { getattr map open };
-dontaudit flags_health_check ctl_mdnsd_prop:file { getattr map open };
-dontaudit flags_health_check ctl_restart_prop:file { getattr map open };
-dontaudit flags_health_check ctl_rildaemon_prop:file { getattr map open };
-dontaudit flags_health_check ctl_sigstop_prop:file { getattr map open };
-dontaudit flags_health_check ctl_start_prop:file { getattr map open };
-dontaudit flags_health_check ctl_stop_prop:file { getattr map open };
-dontaudit flags_health_check ctl_vendor_rmt_storage_prop:file { getattr map open read };
-dontaudit flags_health_check device_logging_prop:file { getattr map open };
-dontaudit flags_health_check dumpstate_options_prop:file { getattr map open read };
-dontaudit flags_health_check dynamic_system_prop:file { getattr map open };
-dontaudit flags_health_check ecoservice_prop:file { getattr map open };
-dontaudit flags_health_check exported_audio_prop:file { getattr map open };
-dontaudit flags_health_check exported_bluetooth_prop:file { getattr map open };
-dontaudit flags_health_check exported_overlay_prop:file { getattr map open };
-dontaudit flags_health_check exported_wifi_prop:file { getattr map open };
-dontaudit flags_health_check sota_prop:file { getattr map open };
-dontaudit flags_health_check firstboot_prop:file { getattr map open };
-dontaudit flags_health_check gsid_prop:file { getattr map open };
-dontaudit flags_health_check heapprofd_enabled_prop:file { getattr map open };
-dontaudit flags_health_check hwservicemanager_prop:file { getattr map open };
-dontaudit flags_health_check init_perf_lsm_hooks_prop:file { getattr map open };
-dontaudit flags_health_check init_svc_debug_prop:file { getattr map open };
-dontaudit flags_health_check last_boot_reason_prop:file { getattr map open };
-dontaudit flags_health_check llkd_prop:file { getattr map open };
-dontaudit flags_health_check logpersistd_logging_prop:file { getattr map open };
-dontaudit flags_health_check lowpan_prop:file { getattr map open read };
-dontaudit flags_health_check lpdumpd_prop:file { getattr map open };
-dontaudit flags_health_check mmc_prop:file { getattr map open };
-dontaudit flags_health_check mock_ota_prop:file { getattr map open };
-dontaudit flags_health_check net_dns_prop:file { getattr map open };
-dontaudit flags_health_check netd_stable_secret_prop:file { getattr map open read };
-dontaudit flags_health_check nnapi_ext_deny_product_prop:file { getattr map open };
-dontaudit flags_health_check overlay_prop:file { getattr map open };
-dontaudit flags_health_check persistent_properties_ready_prop:file { getattr map open };
-dontaudit flags_health_check power_prop:file { getattr map open };
-dontaudit flags_health_check public_vendor_default_prop:file { getattr map open };
-dontaudit flags_health_check public_vendor_system_prop:file { getattr map open };
-dontaudit flags_health_check qcom_ims_prop:file { getattr map open };
-dontaudit flags_health_check rebootescrow_hal_prop:file { getattr map open };
-dontaudit flags_health_check safemode_prop:file { getattr map open };
-dontaudit flags_health_check serialno_prop:file { getattr map open };
-dontaudit flags_health_check spcomlib_prop:file { getattr map open };
-dontaudit flags_health_check system_adbd_prop:file { getattr map open };
-dontaudit flags_health_check system_boot_reason_prop:file { getattr map open };
-dontaudit flags_health_check system_jvmti_agent_prop:file { getattr map open read };
-dontaudit flags_health_check system_lmk_prop:file { getattr map open };
-dontaudit flags_health_check system_trace_prop:file { getattr map open };
-dontaudit flags_health_check test_boot_reason_prop:file { getattr map open };
-dontaudit flags_health_check test_harness_prop:file { getattr map open };
-dontaudit flags_health_check theme_prop:file { getattr map open };
-dontaudit flags_health_check time_prop:file { getattr map open };
-dontaudit flags_health_check traced_enabled_prop:file { getattr map open };
-dontaudit flags_health_check traced_lazy_prop:file { getattr map open };
-dontaudit flags_health_check vehicle_hal_prop:file { getattr map open };
-dontaudit flags_health_check vendor_audio_prop:file { getattr map open };
-dontaudit flags_health_check vendor_aware_available_prop:file { getattr map open read };
-dontaudit flags_health_check vendor_bluetooth_prop:file { getattr map open };
-dontaudit flags_health_check vendor_build_type_prop:file { getattr map open };
-dontaudit flags_health_check vendor_cnss_diag_prop:file { getattr map open };
-dontaudit flags_health_check vendor_default_prop:file { getattr map open };
-dontaudit flags_health_check vendor_device_prop:file { getattr map open };
-dontaudit flags_health_check vendor_display_prop:file { getattr map open };
-dontaudit flags_health_check vendor_hvdcp_opti_prop:file { getattr map open read };
-dontaudit flags_health_check vendor_logging_prop:file { getattr map open };
-dontaudit flags_health_check vendor_modem_diag_prop:file { getattr map open };
-dontaudit flags_health_check vendor_modem_prop:file { getattr map open };
-dontaudit flags_health_check vendor_per_mgr_state_prop:file { getattr map open };
-dontaudit flags_health_check vendor_radio_prop:file { getattr map open };
-dontaudit flags_health_check vendor_ramdump_prop:file { getattr map open };
-dontaudit flags_health_check vendor_ramoops_prop:file { getattr map open };
-dontaudit flags_health_check vendor_secure_element_prop:file { getattr map open };
-dontaudit flags_health_check vendor_security_patch_level_prop:file { getattr map open };
-dontaudit flags_health_check vendor_shutdown_prop:file { getattr map open read };
-dontaudit flags_health_check vendor_ssr_prop:file { getattr map open };
-dontaudit flags_health_check vendor_tcpdump_log_prop:file { getattr map open };
-dontaudit flags_health_check vendor_tee_listener_prop:file { getattr map open };
-dontaudit flags_health_check vendor_thermal_prop:file { getattr map open };
-dontaudit flags_health_check vendor_usb_prop:file { getattr map open };
-dontaudit flags_health_check vendor_vibrator_prop:file { getattr map open };
-dontaudit flags_health_check vendor_wifi_version:file { getattr map open read };
-dontaudit flags_health_check vendor_xlat_prop:file { getattr map open };
-dontaudit flags_health_check virtual_ab_prop:file { getattr map open };
-dontaudit flags_health_check wifi_prop:file { getattr map open };
diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te
deleted file mode 100644
index e680d97..0000000
--- a/tracking_denials/grilservice_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/150278173
-dontaudit grilservice_app hal_wifi_ext:binder { call transfer };
-dontaudit grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te
new file mode 100644
index 0000000..51ce199
--- /dev/null
+++ b/tracking_denials/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+# b/152624953
+dontaudit hal_bootctl_default gsi_metadata_file:dir search;
+dontaudit hal_bootctl_default public_vendor_default_prop:file { getattr map open read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 0000000..5fd1e27
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,3 @@
+# b/152624075
+dontaudit hal_power_default self:capability { dac_override dac_read_search };
+dontaudit hal_power_default system_data_root_file:dir read;
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
deleted file mode 100644
index bcbef74..0000000
--- a/tracking_denials/hal_sensors_default.te
+++ /dev/null
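Review bot: The two rules added in tracking_denials/hal_bootctl_default.te are the same `gsi_metadata_file:dir search` and `public_vendor_default_prop:file { getattr map open read }` accesses that this commit deletes from vendor_misc_writer.te, yet the new file's comment gives no hint of the link. If the denial comes from code both domains share, saying so next to b/152624953 would stop the next cleanup from treating it as a fresh problem. The property rule also deserves a caveat, since a silenced property read still fails and the caller may simply see a default value; something like `# read is still denied; caller may get the default value` would make that visible.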
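Review bot: `dontaudit hal_power_default self:capability { dac_override dac_read_search };` in tracking_denials/hal_power_default.te hides a DAC mismatch instead of recording it: those capabilities are only checked when the process reaches a file or directory its uid/gid cannot open, and the lasting fix is normally ownership or mode on that path rather than policy. With the denial silenced, the audit log no longer shows which path is involved, so the comment should carry it once known, e.g. `# DAC mismatch on <path>; fix ownership/mode, never convert to allow`. The `system_data_root_file:dir read` rule below it may well be the same access, in which case one comment can cover both.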
@@ -1,10 +0,0 @@ -# b/150278844 -dontaudit hal_sensors_default diag_device:chr_file { ioctl open read write }; -dontaudit hal_sensors_default mnt_vendor_file:dir search; -dontaudit hal_sensors_default persist_file:dir search; -dontaudit hal_sensors_default persist_file:lnk_file read; -dontaudit hal_sensors_default self:qipcrtr_socket { create getattr read setopt write }; -dontaudit hal_sensors_default sensors_persist_file:dir search; -dontaudit hal_sensors_default sensors_persist_file:file { getattr open read }; -dontaudit hal_sensors_default sensors_vendor_data_file:dir search; -dontaudit hal_sensors_default vndbinder_device:chr_file { ioctl map open read write }; diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te deleted file mode 100644 index a9c33ae..0000000 --- a/tracking_denials/hal_wifi_ext.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/150278984 -dontaudit hal_wifi_ext grilservice_app:binder call; diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te index ba7ab02..b3cced1 100644 --- a/tracking_denials/init-insmod-sh.te +++ b/tracking_denials/init-insmod-sh.te @@ -1,3 +1,2 @@ # b/143475560 dontaudit init-insmod-sh proc_cmdline:file { getattr open read }; -dontaudit init-insmod-sh self:process execmem; diff --git a/tracking_denials/init.te b/tracking_denials/init.te index ba792d6..67fa403 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -1,5 +1,5 @@ -# b/146477240 -dontaudit init kernel:system module_request; +# b/152624632 +dontaudit init sysfs:file setattr; # b/146920963 -dontaudit init socket_device:sock_file { create setattr }; +dontaudit init socket_device:sock_file { create setattr unlink }; diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te new file mode 100644 index 0000000..32ac3eb --- /dev/null +++ b/tracking_denials/platform_app.te @@ -0,0 +1,2 @@ +# b/152624986 +dontaudit platform_app default_android_hwservice:hwservice_manager find; 
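Review bot: The new `dontaudit init sysfs:file setattr;` in tracking_denials/init.te names the generic `sysfs` type, so it silences every setattr denial init hits on any sysfs file without a specific label, not only the node behind b/152624632. That removes the log evidence that normally points out a missing genfscon or file_contexts entry, and init's attempt still fails quietly. I would record the node in the comment, e.g. `# <sysfs path> is unlabelled; label it and drop this rule`. Separately, `unlink` is added to the `socket_device:sock_file` rule under the existing b/146920963 tag; if that denial was observed later than the original two, a short note in the comment would keep the bug reference accurate.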
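Review bot: `dontaudit platform_app default_android_hwservice:hwservice_manager find;` in tracking_denials/platform_app.te is keyed on the fallback hwservice label, so it hides lookups of every HAL interface that has no hwservice_contexts entry, not just the one tracked in b/152624986. Any later platform app probing an unlabelled interface would be denied with nothing logged. Naming the interface in the comment, e.g. `# <interface name> has no hwservice_contexts entry; label it and drop this rule`, would keep the scope of the suppression clear until the interface gets its own type.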
diff --git a/tracking_denials/sensors.te b/tracking_denials/sensors.te
deleted file mode 100644
index c16ed76..0000000
--- a/tracking_denials/sensors.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/150280576
-dontaudit sensors ion_device:chr_file { ioctl open read };
-dontaudit sensors qdsp_device:chr_file { ioctl open read };
-dontaudit sensors self:capability2 block_suspend;
-dontaudit sensors sensors_persist_file:dir { add_name getattr open read remove_name write };
-dontaudit sensors sensors_persist_file:file { create getattr open read rename unlink write };
-dontaudit sensors sysfs_soc:dir search;
-dontaudit sensors sysfs_soc:file { getattr open read };
-dontaudit sensors sysfs_wake_lock:file { open read write };
diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te
deleted file mode 100644
index a34da77..0000000
--- a/tracking_denials/shell.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/150280132
-dontaudit shell adbd_prop:file { getattr map open };
-dontaudit shell apexd_prop:file { getattr map open };
-dontaudit shell apk_verity_prop:file { getattr map open };
-dontaudit shell bluetooth_a2dp_offload_prop:file { getattr map open };
-dontaudit shell bluetooth_audio_hal_prop:file { getattr open };
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
deleted file mode 100644
index 1e07b81..0000000
--- a/tracking_denials/system_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/147201102
-dontaudit system_app hal_tui_comm_hwservice:hwservice_manager find;
-dontaudit system_app hal_tui_comm_qti:binder { call transfer };
-
-# b/150279745
-dontaudit system_app diag_device:chr_file { ioctl open read write };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index f5f2d05..91a9098 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -1,5 +1,2 @@
 # b/145485815
 dontaudit vendor_init default_prop:property_service set;
-
-# b/145488847
-dontaudit vendor_init system_prop:property_service set;
diff --git a/tracking_denials/vendor_misc_writer.te b/tracking_denials/vendor_misc_writer.te
deleted file mode 100644
index 0fe690b..0000000
--- a/tracking_denials/vendor_misc_writer.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/150279923
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
-dontaudit vendor_misc_writer proc_cmdline:file { getattr open };
-dontaudit vendor_misc_writer public_vendor_default_prop:file { getattr map open read }; |