author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 05:19:24 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 05:19:24 +0000 |
commit | aecf29990f12ebb51f30aa4f1c9478533a0ca064 (patch) | |
tree | dd227c4a890df2c71705a92dc2f701c54a057de1 | |
parent | e7e061b4aed2a99649025b1978ff099fe33a535c (diff) | |
parent | 07cccd56b507bb63faad951c5f9f31e0ca46f788 (diff) | |
download | pixel-sepolicy-644ed03824b774f415ca875c36b1e2a9823137cd.tar.gz |
Snap for 10453563 from 07cccd56b507bb63faad951c5f9f31e0ca46f788 to mainline-uwb-release aml_uwb_341710010 aml_uwb_341513070 aml_uwb_341511050 aml_uwb_341310300 aml_uwb_341310030 aml_uwb_341111010 aml_uwb_341011000 android14-mainline-uwb-release
Change-Id: I92138f29ec4c869ee965d3c3dbaf15e77fd2b22c
57 files changed, 213 insertions, 45 deletions
diff --git a/astd/astd.te b/astd/astd.te index 9f29caa..815e832 100644 --- a/astd/astd.te +++ b/astd/astd.te @@ -1,15 +1,8 @@ # astd service type astd, domain; +type astd_exec, exec_type, file_type, system_file_type; -# /vendor/bin/astc u:object_r:vendor_shell_exec:s0 -# system/sepolicy/public/vendor_shell.te -# type vendor_shell_exec, exec_type, vendor_file_type, file_type; - -# /vendor/bin/astd u:object_r:vendor_toolbox_exec:s0 -# system/sepolicy/public/vendor_toolbox.te -# type vendor_toolbox_exec, exec_type, vendor_file_type, file_type; - -type astd_exec, exec_type, vendor_file_type, file_type; +typeattribute astd coredomain; userdebug_or_eng(` init_daemon_domain(astd) diff --git a/astd/file_contexts b/astd/file_contexts index 0df5774..17ac54c 100644 --- a/astd/file_contexts +++ b/astd/file_contexts @@ -1,3 +1,3 @@ -/vendor/bin/astc u:object_r:astd_exec:s0 -/vendor/bin/astd u:object_r:astd_exec:s0 +/system_ext/bin/astc u:object_r:astd_exec:s0 +/system_ext/bin/astd u:object_r:astd_exec:s0 diff --git a/citadel/file_contexts b/citadel/file_contexts index 5376def..a253a3d 100644 --- a/citadel/file_contexts +++ b/citadel/file_contexts 
@@ -4,7 +4,10 @@
 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.oemlock-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0
 /vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
 /vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
 /vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
diff --git a/citadel/hal_authsecret_citadel.te b/citadel/hal_authsecret_citadel.te
new file mode 100644
index 0000000..029d957
--- /dev/null
+++ b/citadel/hal_authsecret_citadel.te
@@ -0,0 +1,9 @@
+type hal_authsecret_citadel, domain;
+type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_authsecret_citadel)
+binder_call(hal_authsecret_citadel, citadeld)
+allow hal_authsecret_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_authsecret_citadel, hal_authsecret)
+init_daemon_domain(hal_authsecret_citadel)
diff --git a/citadel/hal_oemlock_citadel.te b/citadel/hal_oemlock_citadel.te
new file mode 100644
index 0000000..d3ff719
--- /dev/null
+++ b/citadel/hal_oemlock_citadel.te
@@ -0,0 +1,9 @@
+type hal_oemlock_citadel, domain;
+type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_oemlock_citadel)
+binder_call(hal_oemlock_citadel, citadeld)
+allow hal_oemlock_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_oemlock_citadel, hal_oemlock)
+init_daemon_domain(hal_oemlock_citadel)
diff --git a/citadel/vndservice.te b/citadel/vndservice.te
index a756bce..880c09c 100644
--- a/citadel/vndservice.te
+++ b/citadel/vndservice.te
@@ -1,2 +1 @@
 type citadeld_service, vndservice_manager_type;
-type hal_power_stats_vendor_service, vndservice_manager_type;
diff --git a/common/vendor/te_macros b/common/vendor/te_macros
new file mode 100644
index 0000000..c9a9c04
--- /dev/null
+++ b/common/vendor/te_macros
@@ -0,0 +1,17 @@
+#####################################
+# pixel_bugreport(domain_name)
+# Defines a new domain for executables under /vendor/bin/dump
+# Grants permissions to interact with dumpstate and write to bugreport.
+# See go/pixel-defrag for more details.
+define(`pixel_bugreport', `
+type $1, domain;
+type $1_exec, exec_type, vendor_file_type, file_type;
+typeattribute $1 hal_dumpstate;
+domain_auto_trans(hal_dumpstate_default, $1_exec, $1)
+
+allow $1 dumpstate:fd use;
+allow $1 dumpstate:fifo_file { write getattr };
+allow $1 hal_dumpstate_default:fd use;
+allow $1 shell_data_file:file { write getattr };
+')
+
diff --git a/debugpolicy/file.te b/debugpolicy/file.te
index 604ba50..e2ef397 100644
--- a/debugpolicy/file.te
+++ b/debugpolicy/file.te
@@ -1,2 +1,2 @@
 # sysfs
-type sysfs_dpm_variant, sysfs_type, fs_type; # dpm variant
+type sysfs_dpm, sysfs_type, fs_type; # dpm
diff --git a/debugpolicy/genfs_contexts b/debugpolicy/genfs_contexts
index d30809d..b36e9f1 100644
--- a/debugpolicy/genfs_contexts
+++ b/debugpolicy/genfs_contexts
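Review bot: In `common/vendor/te_macros`, `typeattribute $1 hal_dumpstate;` makes every domain created by `pixel_bugreport` a member of `hal_dumpstate`, so each one also receives every rule written against that attribute elsewhere in the policy, which is wider than the four `allow` lines the header comment describes. If the attribute is there only so the dump binaries can be driven by the dumpstate HAL, say so above the line, e.g. `# hal_dumpstate membership: inherits all hal_dumpstate rules; needed for <reason>`, so that someone adding a new dump binary knows what it is granted. The header also points to `go/pixel-defrag`, which readers outside the originating organisation presumably cannot open; one sentence summarising the design would make the macro self-contained.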
@@ -1 +1,2 @@ -genfscon sysfs /firmware/devicetree/base/dpm/variant u:object_r:sysfs_dpm_variant:s0 +genfscon sysfs /firmware/devicetree/base/dpm/variant u:object_r:sysfs_dpm:s0 +genfscon sysfs /firmware/devicetree/base/dpm/version u:object_r:sysfs_dpm:s0 diff --git a/debugpolicy/init_dpm.te b/debugpolicy/init_dpm.te index b91c561..3a4f936 100644 --- a/debugpolicy/init_dpm.te +++ b/debugpolicy/init_dpm.te @@ -5,7 +5,7 @@ init_daemon_domain(init_dpm) userdebug_or_eng(` allow init_dpm vendor_toolbox_exec:file execute_no_trans; -allow init_dpm sysfs_dpm_variant:file r_file_perms; +allow init_dpm sysfs_dpm:file r_file_perms; allow init_dpm block_device:dir search; allow init_dpm dpm_block_device:blk_file rw_file_perms; ') diff --git a/fingerprint-extension/system_ext/private/file_contexts b/fingerprint-extension/system_ext/private/file_contexts index e66f969..954424d 100644 --- a/fingerprint-extension/system_ext/private/file_contexts +++ b/fingerprint-extension/system_ext/private/file_contexts @@ -1 +1 @@ -/system_ext/bin/fingerprint\.extension\.sh u:object_r:init-fingerprint-extension_exec:s0 +/system_ext/bin/fingerprint\.extension u:object_r:init-fingerprint-extension_exec:s0 diff --git a/googlebattery/dumpstate.te b/googlebattery/dumpstate.te new file mode 100644 index 0000000..5de6a2e --- /dev/null +++ b/googlebattery/dumpstate.te @@ -0,0 +1,3 @@ +# To find and bind Google Battery HAL +allow dumpstate hal_googlebattery_service:service_manager find; +binder_call(dumpstate, hal_googlebattery) diff --git a/googlebattery/file_contexts b/googlebattery/file_contexts index 9e247bb..efd6cc5 100644 --- a/googlebattery/file_contexts +++ b/googlebattery/file_contexts @@ -1 +1 @@ -/vendor/bin/hw/vendor\.google\.google_battery@1\.2-service-vendor u:object_r:hal_googlebattery_exec:s0 +/vendor/bin/hw/vendor\.google\.google_battery-service u:object_r:hal_googlebattery_exec:s0 
diff --git a/googlebattery/hal_googlebattery.te b/googlebattery/hal_googlebattery.te index cd1253b..2cc3a7c 100644 --- a/googlebattery/hal_googlebattery.te +++ b/googlebattery/hal_googlebattery.te @@ -4,15 +4,17 @@ type hal_googlebattery_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_googlebattery) r_dir_file(hal_googlebattery, sysfs_batteryinfo) -r_dir_file(hal_googlebattery, sysfs_wlc) + allow hal_googlebattery sysfs_batteryinfo:file rw_file_perms; allow hal_googlebattery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; allow hal_googlebattery sysfs_chargelevel:file rw_file_perms; -allow hal_googlebattery sysfs_wlc:file rw_file_perms; + set_prop(hal_googlebattery, vendor_battery_defender_prop) -hwbinder_use(hal_googlebattery) -add_hwservice(hal_googlebattery, hal_googlebattery_hwservice) -get_prop(hal_googlebattery, hwservicemanager_prop) +binder_call(hal_googlebattery, servicemanager) +add_service(hal_googlebattery, hal_googlebattery_service) + +allow hal_googlebattery dumpstate:fd use; +allow hal_googlebattery dumpstate:fifo_file write; diff --git a/googlebattery/hwservice.te b/googlebattery/hwservice.te deleted file mode 100644 index 40323ef..0000000 --- a/googlebattery/hwservice.te +++ /dev/null @@ -1 +0,0 @@ -type hal_googlebattery_hwservice, hwservice_manager_type; diff --git a/googlebattery/hwservice_contexts b/googlebattery/hwservice_contexts deleted file mode 100644 index 40f1526..0000000 --- a/googlebattery/hwservice_contexts +++ /dev/null @@ -1 +0,0 @@ -vendor.google.google_battery::IGoogleBattery u:object_r:hal_googlebattery_hwservice:s0 diff --git a/googlebattery/platform_app.te b/googlebattery/platform_app.te index 0ee586f..39d4e5e 100644 --- a/googlebattery/platform_app.te +++ b/googlebattery/platform_app.te 
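Review bot: In `googlebattery/hal_googlebattery.te` the AIDL registration is set up with `binder_call(hal_googlebattery, servicemanager)`, while the other domains in this commit that talk to servicemanager (`pixelstats_vendor`, `hal_vibrator_default`) use `binder_use(...)`. As defined in the AOSP `te_macros`, `binder_call` does not include the rules `binder_use` adds so that servicemanager can call back into and inspect its client, so unless those come from a part of the file outside this hunk, `binder_use(hal_googlebattery)` is the more complete and more recognisable form. The same spelling appears in the `thermal/hal_thermal_default.te` hunk (`binder_call(hal_thermal_default, servicemanager)`). That hunk also adds the `fwk_stats_service` find rule without a matching `binder_call(hal_thermal_default, stats_service_server)`, which the `pixelstats_vendor` context lines do carry; it may already exist elsewhere in that file.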
@@ -1,3 +1,3 @@ # allow SystemUI to find and bind Google Battery HAL -allow platform_app hal_googlebattery_hwservice:hwservice_manager find; +allow platform_app hal_googlebattery_service:service_manager find; binder_call(platform_app, hal_googlebattery) diff --git a/googlebattery/service.te b/googlebattery/service.te new file mode 100644 index 0000000..e68baa9 --- /dev/null +++ b/googlebattery/service.te @@ -0,0 +1 @@ +type hal_googlebattery_service, hal_service_type, service_manager_type; diff --git a/googlebattery/service_contexts b/googlebattery/service_contexts new file mode 100644 index 0000000..93954c7 --- /dev/null +++ b/googlebattery/service_contexts @@ -0,0 +1 @@ +vendor.google.google_battery.IGoogleBattery/default u:object_r:hal_googlebattery_service:s0 diff --git a/googlebattery/system_app.te b/googlebattery/system_app.te index 05723bf..7854a1d 100644 --- a/googlebattery/system_app.te +++ b/googlebattery/system_app.te @@ -1,3 +1,3 @@ # To allow Settings to find and bind Google Battery HAL -allow system_app hal_googlebattery_hwservice:hwservice_manager find; +allow system_app hal_googlebattery_service:service_manager find; binder_call(system_app, hal_googlebattery) diff --git a/googlebattery/turbo_adapter.te b/googlebattery/turbo_adapter.te index 33f99cd..2794fd1 100644 --- a/googlebattery/turbo_adapter.te +++ b/googlebattery/turbo_adapter.te @@ -1,3 +1,3 @@ # To find and bind Google Battery HAL -allow turbo_adapter hal_googlebattery_hwservice:hwservice_manager find; +allow turbo_adapter hal_googlebattery_service:service_manager find; binder_call(turbo_adapter, hal_googlebattery) diff --git a/hardware_info_app/device.te b/hardware_info_app/device.te new file mode 100644 index 0000000..ceaf547 --- /dev/null +++ b/hardware_info_app/device.te @@ -0,0 +1,2 @@ +# Battery history +type battery_history_device, dev_type; diff --git a/hardware_info_app/file.te b/hardware_info_app/file.te new file mode 100644 index 0000000..f891722 --- /dev/null 
+++ b/hardware_info_app/file.te @@ -0,0 +1,12 @@ +# Storage Health HAL +type sysfs_scsi_devices_0000, sysfs_type, fs_type; + +# PixelStats_vendor +type sysfs_pixelstats, fs_type, sysfs_type; + +# Display +type sysfs_display, sysfs_type, fs_type; + +# SoC +type sysfs_soc, sysfs_type, fs_type; +type sysfs_chip_id, sysfs_type, fs_type; diff --git a/hardware_info_app/hardware_info_app.te b/hardware_info_app/hardware_info_app.te new file mode 100644 index 0000000..751bb88 --- /dev/null +++ b/hardware_info_app/hardware_info_app.te @@ -0,0 +1,26 @@ +type hardware_info_app, domain; +app_domain(hardware_info_app) + +allow hardware_info_app app_api_service:service_manager find; + +# Storage +allow hardware_info_app sysfs_scsi_devices_0000:dir search; +allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; + +# Audio +allow hardware_info_app sysfs_pixelstats:file r_file_perms; + +# Batteryinfo +allow hardware_info_app sysfs_batteryinfo:dir search; +allow hardware_info_app sysfs_batteryinfo:file r_file_perms; + +# Display +allow hardware_info_app sysfs_display:dir search; +allow hardware_info_app sysfs_display:file r_file_perms; + +# SoC +allow hardware_info_app sysfs_soc:file r_file_perms; +allow hardware_info_app sysfs_chip_id:file r_file_perms; + +# Batery history +allow hardware_info_app battery_history_device:chr_file r_file_perms; diff --git a/hardware_info_app/seapp_contexts b/hardware_info_app/seapp_contexts new file mode 100644 index 0000000..390f160 --- /dev/null +++ b/hardware_info_app/seapp_contexts @@ -0,0 +1,2 @@ +# Hardware Info Collection +user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user diff --git a/input/dumpstate.te b/input/dumpstate.te index 748ff35..38aa25e 100644 --- a/input/dumpstate.te +++ b/input/dumpstate.te @@ -1,2 +1,2 @@ binder_call(dumpstate, twoshay) - +allow dumpstate touch_context_service:service_manager find; 
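Review bot: The `hardware_info_app/seapp_contexts` entry selects the domain by `isPrivApp=true` and `name=com.google.android.hardwareinfo` only, with no `seinfo=` selector, so the signing identity is not part of the match. The domain it maps to can read storage, battery, display and SoC sysfs nodes plus `battery_history_device`, so tying it to the expected certificate is cheap defence in depth: add the `seinfo=` value that the device's `mac_permissions.xml` assigns to this app's signer (the page does not show which one applies). A short comment on why `type=app_data_file` is chosen for a privileged app would also help the next reviewer.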
diff --git a/input/platform_app.te b/input/platform_app.te index 17cc511..2d47236 100644 --- a/input/platform_app.te +++ b/input/platform_app.te @@ -1,2 +1,3 @@ allow platform_app touch_context_service:service_manager find; +allow platform_app gril_antenna_tuning_service:service_manager find; binder_call(platform_app, twoshay) diff --git a/input/service.te b/input/service.te index 63681d2..d521666 100644 --- a/input/service.te +++ b/input/service.te @@ -1 +1,2 @@ -type touch_context_service, service_manager_type, vendor_service; +type gril_antenna_tuning_service, service_manager_type, hal_service_type; +type touch_context_service, service_manager_type, hal_service_type; diff --git a/input/service_contexts b/input/service_contexts index 95e70f8..ed69aef 100644 --- a/input/service_contexts +++ b/input/service_contexts @@ -1 +1,2 @@ +com.google.input.algos.gril.IGrilAntennaTuningService/default u:object_r:gril_antenna_tuning_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 diff --git a/input/twoshay.te b/input/twoshay.te index 71b5771..3d48318 100644 --- a/input/twoshay.te +++ b/input/twoshay.te @@ -8,6 +8,8 @@ allow twoshay twoshay:capability sys_nice; binder_use(twoshay) add_service(twoshay, touch_context_service) +add_service(twoshay, gril_antenna_tuning_service) +binder_call(twoshay, platform_app) allow twoshay fwk_stats_service:service_manager find; binder_call(twoshay, stats_service_server) @@ -20,4 +22,4 @@ allow twoshay dumpstate:fifo_file write; dontaudit twoshay twoshay:capability dac_override; # b/226830650 -dontaudit twoshay boot_status_prop:file read;
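Review bot: In `input/twoshay.te`, `binder_call(twoshay, platform_app)` lets twoshay call into every process in the `platform_app` domain, and the hunk gives no reason for it. If it exists for callbacks registered through the new `gril_antenna_tuning_service`, record that next to the rule, e.g. `# callbacks to platform_app clients of IGrilAntennaTuningService`, so the grant can be narrowed or dropped when the client changes. The file continues outside this hunk, so an explanation may exist further up.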
\ No newline at end of file +dontaudit twoshay boot_status_prop:file read; diff --git a/mm/gki/vendor_init.te b/mm/gki/vendor_init.te index 5bedbad..018b318 100644 --- a/mm/gki/vendor_init.te +++ b/mm/gki/vendor_init.te @@ -1,3 +1,6 @@ allow vendor_init proc_watermark_boost_factor:file w_file_perms; allow vendor_init proc_lowmem_reserve_ratio:file w_file_perms; allow vendor_init proc_min_free_kbytes:file w_file_perms; + +allow vendor_init debugfs_tracing_instances:dir create_dir_perms; +allow vendor_init debugfs_tracing_instances:file w_file_perms; diff --git a/pixelstats/pixelstats_vendor.te b/pixelstats/pixelstats_vendor.te index 57aba2f..d0850b1 100644 --- a/pixelstats/pixelstats_vendor.te +++ b/pixelstats/pixelstats_vendor.te @@ -1,5 +1,8 @@ type pixelstats_vendor, domain; +# IStats +binder_use(pixelstats_vendor) + type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(pixelstats_vendor) @@ -8,11 +11,13 @@ r_dir_file(pixelstats_vendor, sysfs_batteryinfo) allow pixelstats_vendor sysfs_batteryinfo:file w_file_perms; allow pixelstats_vendor self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +allow pixelstats_vendor mnt_vendor_file:dir search; allow pixelstats_vendor sysfs_scsi_devices_0000:dir search; -allow pixelstats_vendor sysfs_scsi_devices_0000:file r_file_perms; +allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_fs_f2fs:dir search; allow pixelstats_vendor sysfs_fs_f2fs:file rw_file_perms; get_prop(pixelstats_vendor, boottime_public_prop) +get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop) allow pixelstats_vendor fwk_stats_service:service_manager find; binder_call(pixelstats_vendor, stats_service_server) 
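Review bot: In `mm/gki/vendor_init.te` the two `debugfs_tracing_instances` rules are added unconditionally and without a comment, so `vendor_init` may create tracing-instance directories and write their files on user builds as well. If this is needed in production, add a why-comment such as `# vendor_init sets up a trace instance for <feature> at boot`. If it is only a debugging aid, wrap both rules in a userdebug_or_eng block as other files in this commit do.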
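Review bot: In `pixelstats/pixelstats_vendor.te` the `sysfs_scsi_devices_0000:file` grant is widened from `r_file_perms` to `rw_file_perms` with no comment, and the same label is read by `hardware_info_app` in this commit. Write access applies to every sysfs node carrying that label, not only to the one pixelstats needs to change. Either document the node being written, e.g. `# writes <node> to <purpose>`, or give that node its own type and keep the rest of the label read-only.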
@@ -23,6 +28,7 @@ allow pixelstats_vendor sysfs_pixel_stat:dir r_dir_perms; allow pixelstats_vendor sysfs_pixel_stat:file r_file_perms; userdebug_or_eng(` + allow pixelstats_vendor { proc_pressure_cpu proc_pressure_io proc_pressure_mem }:file r_file_perms; allow pixelstats_vendor proc_vmstat:file r_file_perms; allow pixelstats_vendor sysfs_ion:dir search; allow pixelstats_vendor sysfs_ion:file r_file_perms; diff --git a/power-libperfmgr/file_contexts b/power-libperfmgr/file_contexts index 027be7a..8ab659f 100644 --- a/power-libperfmgr/file_contexts +++ b/power-libperfmgr/file_contexts @@ -1,5 +1,5 @@ /vendor/bin/hw/android\.hardware\.power-service\.pixel-libperfmgr u:object_r:hal_power_default_exec:s0 -/vendor/bin/hw/android\.hardware\.power@1\.3-service\.pixel-libperfmgr u:object_r:hal_power_default_exec:s0 +/vendor/bin/sendhint u:object_r:sendhint_vendor_exec:s0 /dev/cpu_dma_latency u:object_r:latency_device:s0 /dev/socket/pps u:object_r:pps_socket:s0 diff --git a/power-libperfmgr/sendhint.te b/power-libperfmgr/sendhint.te new file mode 100644 index 0000000..e453abe --- /dev/null +++ b/power-libperfmgr/sendhint.te @@ -0,0 +1,8 @@ +# sendhint vendor +type sendhint_vendor, domain; + +type sendhint_vendor_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(sendhint_vendor) +hal_client_domain(sendhint_vendor, hal_power); +# sendhint writes directly to kmsg during the boot process +allow sendhint_vendor kmsg_device:chr_file { getattr w_file_perms }; diff --git a/powerstats/vndservice.te b/powerstats/vndservice.te new file mode 100644 index 0000000..b4386f8 --- /dev/null +++ b/powerstats/vndservice.te @@ -0,0 +1 @@ +type hal_power_stats_vendor_service, vndservice_manager_type; diff --git a/ramdump/file_contexts b/ramdump/file_contexts index 590e61b..2f51f74 100644 --- a/ramdump/file_contexts +++ b/ramdump/file_contexts @@ -1 +1,2 @@ /vendor/bin/ramdump u:object_r:ramdump_exec:s0 +/vendor/bin/ramdump32 u:object_r:ramdump_exec:s0 
diff --git a/storage/file.te b/storage/file.te deleted file mode 100644 index ba7f362..0000000 --- a/storage/file.te +++ /dev/null @@ -1 +0,0 @@ -type debugfs_lpm, debugfs_type, fs_type; diff --git a/storage/genfs_contexts b/storage/genfs_contexts deleted file mode 100644 index 2f0b5bb..0000000 --- a/storage/genfs_contexts +++ /dev/null @@ -1,2 +0,0 @@ -genfscon debugfs /lpm_stats/stats u:object_r:debugfs_lpm:s0 -genfscon sysfs /devices/platform/soc/1d84000.ufshc/power u:object_r:sysfs_scsi_devices_0000:s0 diff --git a/storage/shell.te b/storage/shell.te deleted file mode 100644 index d8145f1..0000000 --- a/storage/shell.te +++ /dev/null @@ -1,6 +0,0 @@ -userdebug_or_eng(` - allow shell debugfs_lpm:file r_file_perms; - allow shell sysfs_scsi_devices_0000:file r_file_perms; - allow shell sysfs_mmc:dir r_dir_perms; -') - diff --git a/thermal/file_contexts b/thermal/file_contexts index acd360f..c3fb04f 100644 --- a/thermal/file_contexts +++ b/thermal/file_contexts @@ -1,4 +1,5 @@ /vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0 +/vendor/bin/hw/android\.hardware\.thermal-service\.pixel u:object_r:hal_thermal_default_exec:s0 /vendor/bin/thermal_logd u:object_r:init-thermal-logging-sh_exec:s0 /vendor/bin/thermal_controld u:object_r:pixel-thermal-control-sh_exec:s0 /vendor/bin/thermal_symlinks u:object_r:init-thermal-symlinks-sh_exec:s0 diff --git a/thermal/hal_thermal_default.te b/thermal/hal_thermal_default.te index 2498b20..45ccf3a 100644 --- a/thermal/hal_thermal_default.te +++ b/thermal/hal_thermal_default.te @@ -10,3 +10,7 @@ hal_client_domain(hal_thermal_default, hal_power); # read thermal_config get_prop(hal_thermal_default, vendor_thermal_prop) + +# Needed for reporting thermal stats event +allow hal_thermal_default fwk_stats_service:service_manager find; +binder_call(hal_thermal_default, servicemanager) 
diff --git a/vibrator/common/property_contexts b/vibrator/common/property_contexts index 64a2600..089a357 100644 --- a/vibrator/common/property_contexts +++ b/vibrator/common/property_contexts @@ -1 +1,2 @@ -ro.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0 +ro.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0 +persist.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0 diff --git a/vibrator/cs40l25/hal_vibrator_default.te b/vibrator/cs40l25/hal_vibrator_default.te index 219a6b1..81c2f3f 100644 --- a/vibrator/cs40l25/hal_vibrator_default.te +++ b/vibrator/cs40l25/hal_vibrator_default.te @@ -15,3 +15,7 @@ get_prop(hal_vibrator_default, vendor_vibrator_prop); # Allow vibrator HAL's default implementation to use vendor-binder service vndbinder_use(hal_vibrator_default); + +# Allow Vibrator HAL to communicate with stats service +allow hal_vibrator_default fwk_stats_service:service_manager find; +binder_use(hal_vibrator_default) diff --git a/vibrator/cs40l26/hal_vibrator_default.te b/vibrator/cs40l26/hal_vibrator_default.te index 478bee9..c61cefe 100644 --- a/vibrator/cs40l26/hal_vibrator_default.te +++ b/vibrator/cs40l26/hal_vibrator_default.te @@ -15,5 +15,12 @@ r_dir_file(hal_vibrator_default, persist_haptics_file) get_prop(hal_vibrator_default, vendor_vibrator_prop); +# Allow Vibrator HAL to communicate with daemon via socket +unix_socket_connect(hal_vibrator_default, chre, chre); + # Allow vibrator HAL's default implementation to use vendor-binder service vndbinder_use(hal_vibrator_default); + +# Allow Vibrator HAL to communicate with stats service +allow hal_vibrator_default fwk_stats_service:service_manager find; +binder_use(hal_vibrator_default) diff --git a/vibrator/cs40l26/vendor_init.te b/vibrator/cs40l26/vendor_init.te index 417a40c..da5a9d6 100644 --- a/vibrator/cs40l26/vendor_init.te +++ b/vibrator/cs40l26/vendor_init.te @@ -1 +1,2 @@ set_prop(vendor_init, vendor_vibrator_prop) +get_prop(vendor_init, adaptive_haptics_prop) 
diff --git a/wifi_diagnostic/file_contexts b/wifi_diagnostic/file_contexts
new file mode 100644
index 0000000..f0a40d5
--- /dev/null
+++ b/wifi_diagnostic/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/wifi_diagnostic u:object_r:wifi_diagnostic_exec:s0
diff --git a/wifi_diagnostic/hal_wifi_supplicant_default.te b/wifi_diagnostic/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..9cd58c1
--- /dev/null
+++ b/wifi_diagnostic/hal_wifi_supplicant_default.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+allow hal_wifi_supplicant_default wifi_diagnostic:unix_dgram_socket sendto;
+')
diff --git a/wifi_diagnostic/logger_app.te b/wifi_diagnostic/logger_app.te
new file mode 100644
index 0000000..0fc09a3
--- /dev/null
+++ b/wifi_diagnostic/logger_app.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ set_prop(logger_app, vendor_wifi_diagnostic_prop)
+')
diff --git a/wifi_diagnostic/property.te b/wifi_diagnostic/property.te
new file mode 100644
index 0000000..ad69f65
--- /dev/null
+++ b/wifi_diagnostic/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_wifi_diagnostic_prop)
diff --git a/wifi_diagnostic/property_contexts b/wifi_diagnostic/property_contexts
new file mode 100644
index 0000000..2348204
--- /dev/null
+++ b/wifi_diagnostic/property_contexts
@@ -0,0 +1,2 @@
+vendor.wifi.diagnostic.start u:object_r:vendor_wifi_diagnostic_prop:s0
+vendor.wifi.diagnostic.reassocBssid u:object_r:vendor_wifi_diagnostic_prop:s0
diff --git a/wifi_diagnostic/wifi_diagnostic.te b/wifi_diagnostic/wifi_diagnostic.te
new file mode 100644
index 0000000..23a39d3
--- /dev/null
+++ b/wifi_diagnostic/wifi_diagnostic.te
@@ -0,0 +1,29 @@ +type wifi_diagnostic, domain; +type wifi_diagnostic_exec, exec_type, vendor_file_type, file_type; + +# make transition from init to its domain +userdebug_or_eng(` +init_daemon_domain(wifi_diagnostic) +net_domain(wifi_diagnostic) + +# daemon +allow wifi_diagnostic wifi_logging_data_file:dir create_dir_perms; +allow wifi_diagnostic wifi_logging_data_file:file create_file_perms; +allow wifi_diagnostic vendor_shell_exec:file execute_no_trans; +allow wifi_diagnostic wifi_diagnostic_exec:file execute_no_trans; +allow wifi_diagnostic self:capability net_admin; +allow wifi_diagnostic self:udp_socket ioctl; +allowxperm wifi_diagnostic self:udp_socket ioctl { SIOCETHTOOL SIOCDEVPRIVATE }; + +# wpa_cli +allow wifi_diagnostic self:capability { setgid setuid }; +allow wifi_diagnostic wpa_data_file:dir w_dir_perms; +allow wifi_diagnostic wpa_data_file:sock_file { create setattr write unlink }; +allow wifi_diagnostic hal_wifi_supplicant_default:unix_dgram_socket sendto; +allow wifi_diagnostic vendor_file:file execute_no_trans; +allow wifi_diagnostic vendor_file:dir r_dir_perms; + +# property +get_prop(wifi_diagnostic, vendor_wifi_diagnostic_prop) +set_prop(wifi_diagnostic, vendor_wifi_diagnostic_prop) +') diff --git a/wifi_ext/file_contexts b/wifi_ext/file_contexts index ab8343b..c3e6d84 100644 --- a/wifi_ext/file_contexts +++ b/wifi_ext/file_contexts @@ -1,6 +1,8 @@ # Wifi /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0 +/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor u:object_r:hal_wifi_ext_exec:s0 +/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0 # Wifi logger /data/vendor/wifi/wlan_logs(/.*)? u:object_r:wifi_logging_data_file:s0 diff --git a/wifi_ext/hal_wifi_ext.te b/wifi_ext/hal_wifi_ext.te index 2ed274e..17a58df 100644 --- a/wifi_ext/hal_wifi_ext.te 
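Review bot: In `wifi_diagnostic/wifi_diagnostic.te`, `allow wifi_diagnostic vendor_file:file execute_no_trans;` lets the daemon run any binary labelled `vendor_file` inside its own domain, which also holds `net_admin`, `setuid` and `setgid`. The block is limited to userdebug/eng builds, but the exec grant is still much wider than the `# wpa_cli` heading suggests. Label the helper it launches with a dedicated exec type and allow only that, or at least name the binary in a comment, e.g. `# runs /vendor/bin/<tool> from the diagnostic script`. The comment `# make transition from init to its domain` also sits above the build-variant guard although the transition exists only inside it.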
+++ b/wifi_ext/hal_wifi_ext.te @@ -6,6 +6,7 @@ init_daemon_domain(hal_wifi_ext) # Allow to start the IWifi:wifi_ext service add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice); +add_service(hal_wifi_ext, hal_wifi_ext_service) # Allow to set up bridged interface allowxperm hal_wifi_ext self:udp_socket ioctl { SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF}; diff --git a/wifi_ext/service.te b/wifi_ext/service.te new file mode 100644 index 0000000..942f3a0 --- /dev/null +++ b/wifi_ext/service.te @@ -0,0 +1,2 @@ +# wifi_ext service +type hal_wifi_ext_service, service_manager_type, hal_service_type; diff --git a/wifi_ext/service_contexts b/wifi_ext/service_contexts new file mode 100644 index 0000000..8f782df --- /dev/null +++ b/wifi_ext/service_contexts @@ -0,0 +1,2 @@ +# Wifi +vendor.google.wifi_ext.IWifiExt/default u:object_r:hal_wifi_ext_service:s0 diff --git a/wifi_sniffer/property_contexts b/wifi_sniffer/property_contexts index 19f7e76..cb55d65 100644 --- a/wifi_sniffer/property_contexts +++ b/wifi_sniffer/property_contexts @@ -1,3 +1,2 @@ -persist.vendor.wifi.sniffer.freq u:object_r:vendor_wifi_sniffer_prop:s0 -persist.vendor.wifi.sniffer.bandwidth u:object_r:vendor_wifi_sniffer_prop:s0 +persist.vendor.wifi.sniffer. u:object_r:vendor_wifi_sniffer_prop:s0 vendor.wifi.sniffer.start u:object_r:vendor_wifi_sniffer_prop:s0 diff --git a/wifi_sniffer/wifi_sniffer.te b/wifi_sniffer/wifi_sniffer.te index 3c9ad62..977d6da 100644 --- a/wifi_sniffer/wifi_sniffer.te +++ b/wifi_sniffer/wifi_sniffer.te 
@@ -12,7 +12,19 @@ userdebug_or_eng(` # interface up allowxperm wifi_sniffer self:udp_socket ioctl SIOCSIFFLAGS; - allow wifi_sniffer self:netlink_generic_socket create_socket_perms_no_ioctl; + allow wifi_sniffer self:netlink_generic_socket create_socket_perms; + allowxperm wifi_sniffer self:netlink_generic_socket ioctl { 0x8910 0x8946 }; + +# tcpdump + allow wifi_sniffer self:packet_socket create_socket_perms; + allowxperm wifi_sniffer self:packet_socket ioctl { 0x8933 0x8927 }; + allow wifi_sniffer self:unix_dgram_socket ioctl; + allowxperm wifi_sniffer self:unix_dgram_socket ioctl 0x8946; + allow wifi_sniffer sysfs_net:dir search; + allow wifi_sniffer sysfs_net:file r_file_perms; + allow wifi_sniffer tcpdump_exec:file rx_file_perms; + allow wifi_sniffer wifi_logging_data_file:file create_file_perms; + allow wifi_sniffer wifi_logging_data_file:dir create_dir_perms; get_prop(wifi_sniffer, vendor_wifi_sniffer_prop) ') |
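Review bot: The new `allowxperm` rules in `wifi_sniffer/wifi_sniffer.te` list ioctl commands as raw numbers (`{ 0x8910 0x8946 }`, `{ 0x8933 0x8927 }`, `0x8946`), while the context line just above uses a name (`SIOCSIFFLAGS`) and `wifi_diagnostic.te` in this commit writes `SIOCETHTOOL`. Named constants make the allow-list reviewable at a glance. On Linux these values correspond to `SIOCGIFNAME`, `SIOCETHTOOL`, `SIOCGIFINDEX` and `SIOCGIFHWADDR`, e.g. `allowxperm wifi_sniffer self:packet_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR };`. The enclosing userdebug_or_eng block opens before the hunk.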