diff options
| author | Xin Li <delphij@google.com> | 2023-08-14 15:41:00 -0700 |
|---|---|---|
| committer | Xin Li <delphij@google.com> | 2023-08-14 15:41:00 -0700 |
| commit | ddbca9e70a8690a24c4eba1007b45d6a7b021216 (patch) | |
| tree | 6e0b28b48502ced244a982538d807ac989c224ee | |
| parent | 8d3fb6f7e00a57f0191b0cb951e07e0cc0d09b84 (diff) | |
| parent | de7a7c1338c843fe0378ca90d5973a2562a9d1d9 (diff) | |
| download | pixel-sepolicy-tmp_amf_298295554.tar.gz | |
Merge Android U (ab/10368041)tmp_amf_298295554
Bug: 291102124
Merged-In: Ib9f0a43dfd2ffbd9729b56b12a12ffaa74f2b7a1
Change-Id: Ifc5cc7c0acc0318a4854b280f0fa95b7ea273af8
| -rw-r--r-- | citadel/file_contexts | 3 | ||||
| -rw-r--r-- | citadel/hal_authsecret_citadel.te | 9 | ||||
| -rw-r--r-- | citadel/hal_oemlock_citadel.te | 9 | ||||
| -rw-r--r-- | citadel/vndservice.te | 1 | ||||
| -rw-r--r-- | common/vendor/te_macros | 17 | ||||
| -rw-r--r-- | debugpolicy/file.te | 2 | ||||
| -rw-r--r-- | debugpolicy/genfs_contexts | 3 | ||||
| -rw-r--r-- | debugpolicy/init_dpm.te | 2 | ||||
| -rw-r--r-- | googlebattery/hal_googlebattery.te | 4 | ||||
| -rw-r--r-- | input/dumpstate.te | 2 | ||||
| -rw-r--r-- | input/genfs_contexts | 2 | ||||
| -rw-r--r-- | input/platform_app.te | 1 | ||||
| -rw-r--r-- | input/service.te | 1 | ||||
| -rw-r--r-- | input/service_contexts | 1 | ||||
| -rw-r--r-- | input/twoshay.te | 1 | ||||
| -rw-r--r-- | pixelstats/pixelstats_vendor.te | 3 | ||||
| -rw-r--r-- | power-libperfmgr/file_contexts | 2 | ||||
| -rw-r--r-- | power-libperfmgr/sendhint.te | 8 | ||||
| -rw-r--r-- | powerstats/vndservice.te | 1 | ||||
| -rw-r--r-- | ramdump/file_contexts | 1 | ||||
| -rw-r--r-- | thermal/hal_thermal_default.te | 4 |
21 files changed, 66 insertions, 11 deletions
diff --git a/citadel/file_contexts b/citadel/file_contexts index 5376def..a253a3d 100644 --- a/citadel/file_contexts +++ b/citadel/file_contexts @@ -4,7 +4,10 @@ /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.weaver-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.oemlock-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0 /vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0 /vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0 /vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0 diff --git a/citadel/hal_authsecret_citadel.te b/citadel/hal_authsecret_citadel.te new file mode 100644 index 0000000..029d957 --- /dev/null +++ b/citadel/hal_authsecret_citadel.te @@ -0,0 +1,9 @@ +type hal_authsecret_citadel, domain; +type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type; + +vndbinder_use(hal_authsecret_citadel) +binder_call(hal_authsecret_citadel, citadeld) +allow hal_authsecret_citadel citadeld_service:service_manager find; + +hal_server_domain(hal_authsecret_citadel, hal_authsecret) +init_daemon_domain(hal_authsecret_citadel) diff --git a/citadel/hal_oemlock_citadel.te b/citadel/hal_oemlock_citadel.te new file mode 100644 index 0000000..d3ff719 --- /dev/null +++ b/citadel/hal_oemlock_citadel.te @@ -0,0 +1,9 @@ +type hal_oemlock_citadel, domain; +type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type; + +vndbinder_use(hal_oemlock_citadel) +binder_call(hal_oemlock_citadel, citadeld) +allow hal_oemlock_citadel citadeld_service:service_manager find; + +hal_server_domain(hal_oemlock_citadel, hal_oemlock) +init_daemon_domain(hal_oemlock_citadel) diff --git a/citadel/vndservice.te b/citadel/vndservice.te index a756bce..880c09c 100644 --- a/citadel/vndservice.te +++ b/citadel/vndservice.te @@ -1,2 +1 @@ type citadeld_service, vndservice_manager_type; -type hal_power_stats_vendor_service, vndservice_manager_type; diff --git a/common/vendor/te_macros b/common/vendor/te_macros new file mode 100644 index 0000000..c9a9c04 --- /dev/null +++ b/common/vendor/te_macros @@ -0,0 +1,17 @@ +##################################### +# pixel_bugreport(domain_name) +# Defines a new domain for executables under /vendor/bin/dump +# Grants permissions to interact with dumpstate and write to bugreport. +# See go/pixel-defrag for more details. +define(`pixel_bugreport', ` +type $1, domain; +type $1_exec, exec_type, vendor_file_type, file_type; +typeattribute $1 hal_dumpstate; +domain_auto_trans(hal_dumpstate_default, $1_exec, $1) + +allow $1 dumpstate:fd use; +allow $1 dumpstate:fifo_file { write getattr }; +allow $1 hal_dumpstate_default:fd use; +allow $1 shell_data_file:file { write getattr }; +') + diff --git a/debugpolicy/file.te b/debugpolicy/file.te index 604ba50..e2ef397 100644 --- a/debugpolicy/file.te +++ b/debugpolicy/file.te @@ -1,2 +1,2 @@ # sysfs -type sysfs_dpm_variant, sysfs_type, fs_type; # dpm variant +type sysfs_dpm, sysfs_type, fs_type; # dpm diff --git a/debugpolicy/genfs_contexts b/debugpolicy/genfs_contexts index d30809d..b36e9f1 100644 --- a/debugpolicy/genfs_contexts +++ b/debugpolicy/genfs_contexts @@ -1 +1,2 @@ -genfscon sysfs /firmware/devicetree/base/dpm/variant u:object_r:sysfs_dpm_variant:s0 +genfscon sysfs /firmware/devicetree/base/dpm/variant u:object_r:sysfs_dpm:s0 +genfscon sysfs /firmware/devicetree/base/dpm/version u:object_r:sysfs_dpm:s0 diff --git a/debugpolicy/init_dpm.te b/debugpolicy/init_dpm.te index b91c561..3a4f936 100644 --- a/debugpolicy/init_dpm.te +++ b/debugpolicy/init_dpm.te @@ -5,7 +5,7 @@ init_daemon_domain(init_dpm) userdebug_or_eng(` allow init_dpm vendor_toolbox_exec:file execute_no_trans; -allow init_dpm sysfs_dpm_variant:file r_file_perms; +allow init_dpm sysfs_dpm:file r_file_perms; allow init_dpm block_device:dir search; allow init_dpm dpm_block_device:blk_file rw_file_perms; ') diff --git a/googlebattery/hal_googlebattery.te b/googlebattery/hal_googlebattery.te index 005e47c..2cc3a7c 100644 --- a/googlebattery/hal_googlebattery.te +++ b/googlebattery/hal_googlebattery.te @@ -4,12 +4,12 @@ type hal_googlebattery_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_googlebattery) r_dir_file(hal_googlebattery, sysfs_batteryinfo) -r_dir_file(hal_googlebattery, sysfs_wlc) + allow hal_googlebattery sysfs_batteryinfo:file rw_file_perms; allow hal_googlebattery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; allow hal_googlebattery sysfs_chargelevel:file rw_file_perms; -allow hal_googlebattery sysfs_wlc:file rw_file_perms; + set_prop(hal_googlebattery, vendor_battery_defender_prop) diff --git a/input/dumpstate.te b/input/dumpstate.te index 748ff35..38aa25e 100644 --- a/input/dumpstate.te +++ b/input/dumpstate.te @@ -1,2 +1,2 @@ binder_call(dumpstate, twoshay) - +allow dumpstate touch_context_service:service_manager find; diff --git a/input/genfs_contexts b/input/genfs_contexts deleted file mode 100644 index 19f57be..0000000 --- a/input/genfs_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Touch -genfscon sysfs /devices/virtual/goog_touch_interface u:object_r:sysfs_touch:s0 diff --git a/input/platform_app.te b/input/platform_app.te index 17cc511..2d47236 100644 --- a/input/platform_app.te +++ b/input/platform_app.te @@ -1,2 +1,3 @@ allow platform_app touch_context_service:service_manager find; +allow platform_app gril_antenna_tuning_service:service_manager find; binder_call(platform_app, twoshay) diff --git a/input/service.te b/input/service.te index 989cd1b..d521666 100644 --- a/input/service.te +++ b/input/service.te @@ -1 +1,2 @@ +type gril_antenna_tuning_service, service_manager_type, hal_service_type; type touch_context_service, service_manager_type, hal_service_type; diff --git a/input/service_contexts b/input/service_contexts index 95e70f8..ed69aef 100644 --- a/input/service_contexts +++ b/input/service_contexts @@ -1 +1,2 @@ +com.google.input.algos.gril.IGrilAntennaTuningService/default u:object_r:gril_antenna_tuning_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 diff --git a/input/twoshay.te b/input/twoshay.te index 0511f3d..3d48318 100644 --- a/input/twoshay.te +++ b/input/twoshay.te @@ -8,6 +8,7 @@ allow twoshay twoshay:capability sys_nice; binder_use(twoshay) add_service(twoshay, touch_context_service) +add_service(twoshay, gril_antenna_tuning_service) binder_call(twoshay, platform_app) allow twoshay fwk_stats_service:service_manager find; diff --git a/pixelstats/pixelstats_vendor.te b/pixelstats/pixelstats_vendor.te index 34da9df..d0850b1 100644 --- a/pixelstats/pixelstats_vendor.te +++ b/pixelstats/pixelstats_vendor.te @@ -11,8 +11,9 @@ r_dir_file(pixelstats_vendor, sysfs_batteryinfo) allow pixelstats_vendor sysfs_batteryinfo:file w_file_perms; allow pixelstats_vendor self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +allow pixelstats_vendor mnt_vendor_file:dir search; allow pixelstats_vendor sysfs_scsi_devices_0000:dir search; -allow pixelstats_vendor sysfs_scsi_devices_0000:file r_file_perms; +allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_fs_f2fs:dir search; allow pixelstats_vendor sysfs_fs_f2fs:file rw_file_perms; get_prop(pixelstats_vendor, boottime_public_prop) diff --git a/power-libperfmgr/file_contexts b/power-libperfmgr/file_contexts index 027be7a..8ab659f 100644 --- a/power-libperfmgr/file_contexts +++ b/power-libperfmgr/file_contexts @@ -1,5 +1,5 @@ /vendor/bin/hw/android\.hardware\.power-service\.pixel-libperfmgr u:object_r:hal_power_default_exec:s0 -/vendor/bin/hw/android\.hardware\.power@1\.3-service\.pixel-libperfmgr u:object_r:hal_power_default_exec:s0 +/vendor/bin/sendhint u:object_r:sendhint_vendor_exec:s0 /dev/cpu_dma_latency u:object_r:latency_device:s0 /dev/socket/pps u:object_r:pps_socket:s0 diff --git a/power-libperfmgr/sendhint.te b/power-libperfmgr/sendhint.te new file mode 100644 index 0000000..e453abe --- /dev/null +++ b/power-libperfmgr/sendhint.te @@ -0,0 +1,8 @@ +# sendhint vendor +type sendhint_vendor, domain; + +type sendhint_vendor_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(sendhint_vendor) +hal_client_domain(sendhint_vendor, hal_power); +# sendhint writes directly to kmsg during the boot process +allow sendhint_vendor kmsg_device:chr_file { getattr w_file_perms }; diff --git a/powerstats/vndservice.te b/powerstats/vndservice.te new file mode 100644 index 0000000..b4386f8 --- /dev/null +++ b/powerstats/vndservice.te @@ -0,0 +1 @@ +type hal_power_stats_vendor_service, vndservice_manager_type; diff --git a/ramdump/file_contexts b/ramdump/file_contexts index 590e61b..2f51f74 100644 --- a/ramdump/file_contexts +++ b/ramdump/file_contexts @@ -1 +1,2 @@ /vendor/bin/ramdump u:object_r:ramdump_exec:s0 +/vendor/bin/ramdump32 u:object_r:ramdump_exec:s0 diff --git a/thermal/hal_thermal_default.te b/thermal/hal_thermal_default.te index 2498b20..45ccf3a 100644 --- a/thermal/hal_thermal_default.te +++ b/thermal/hal_thermal_default.te @@ -10,3 +10,7 @@ hal_client_domain(hal_thermal_default, hal_power); # read thermal_config get_prop(hal_thermal_default, vendor_thermal_prop) + +# Needed for reporting thermal stats event +allow hal_thermal_default fwk_stats_service:service_manager find; +binder_call(hal_thermal_default, servicemanager) |