From 9b43199c16c51ddd4d164d362bcac45220271db7 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 9 Mar 2023 02:25:39 +0800 Subject: Introduce pixel_battery pixel_battery_service attribute Bug: 272204013 Bug: 264266705 Bug: 268572197 Bug: 269813282 Change-Id: If616886556d1cdbc5e4bfdba5988710d666a9b56 --- common/vendor/attributes | 2 ++ googlebattery/hal_googlebattery.te | 2 +- googlebattery/service.te | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 common/vendor/attributes diff --git a/common/vendor/attributes b/common/vendor/attributes new file mode 100644 index 0000000..25b59ac --- /dev/null +++ b/common/vendor/attributes @@ -0,0 +1,2 @@ +attribute pixel_battery_domain; +attribute pixel_battery_service_type; diff --git a/googlebattery/hal_googlebattery.te b/googlebattery/hal_googlebattery.te index 2cc3a7c..370b8d6 100644 --- a/googlebattery/hal_googlebattery.te +++ b/googlebattery/hal_googlebattery.te @@ -1,4 +1,4 @@ -type hal_googlebattery, domain; +type hal_googlebattery, domain, pixel_battery_domain; type hal_googlebattery_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_googlebattery) diff --git a/googlebattery/service.te b/googlebattery/service.te index e68baa9..440b1ce 100644 --- a/googlebattery/service.te +++ b/googlebattery/service.te @@ -1 +1 @@ -type hal_googlebattery_service, hal_service_type, service_manager_type; +type hal_googlebattery_service, hal_service_type, service_manager_type, pixel_battery_service_type; -- cgit v1.2.3 From bccb217de7194e0f81c22ae828a1a3ec0d865ffe Mon Sep 17 00:00:00 2001 From: Mark Chang Date: Wed, 22 Mar 2023 07:03:10 +0000 Subject: Add new IScreenProtectorDetectorService interface to twoshay. Fixes denial: SELinux : avc: denied { add } for pid=9557 uid=0 name=com.google.input.algos.spd.IScreenProtectorDetectorService/default scontext=u:r:twoshay:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0 Bug: 260302317 Test: Device boot without denials. Change-Id: I3d4d19405e32165285f8c47e3ba5f74bcc643f77 Signed-off-by: Mark Chang --- input/platform_app.te | 1 + input/service.te | 1 + input/service_contexts | 1 + input/twoshay.te | 1 + 4 files changed, 4 insertions(+) diff --git a/input/platform_app.te b/input/platform_app.te index 17cc511..be9509c 100644 --- a/input/platform_app.te +++ b/input/platform_app.te @@ -1,2 +1,3 @@ +allow platform_app screen_protector_detector_service:service_manager find; allow platform_app touch_context_service:service_manager find; binder_call(platform_app, twoshay) diff --git a/input/service.te b/input/service.te index 989cd1b..bf9df0c 100644 --- a/input/service.te +++ b/input/service.te @@ -1 +1,2 @@ type touch_context_service, service_manager_type, hal_service_type; +type screen_protector_detector_service, service_manager_type, hal_service_type; diff --git a/input/service_contexts b/input/service_contexts index 95e70f8..8a9f592 100644 --- a/input/service_contexts +++ b/input/service_contexts @@ -1 +1,2 @@ com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 +com.google.input.algos.spd.IScreenProtectorDetectorService/default u:object_r:screen_protector_detector_service:s0 diff --git a/input/twoshay.te b/input/twoshay.te index 0511f3d..9878c11 100644 --- a/input/twoshay.te +++ b/input/twoshay.te @@ -7,6 +7,7 @@ allow twoshay touch_offload_device:chr_file rw_file_perms; allow twoshay twoshay:capability sys_nice; binder_use(twoshay) +add_service(twoshay, screen_protector_detector_service) add_service(twoshay, touch_context_service) binder_call(twoshay, platform_app) -- cgit v1.2.3 From e682a521ee961e0c891aa7ce0138a4f6fc23b1e8 Mon Sep 17 00:00:00 2001 From: Bryan Bong Gyoune Kim Date: Mon, 29 May 2023 19:37:48 -0700 Subject: pixel-sepolicy: init_dpm.sh to read/write on custom_ab_block_device DPM images can have "custom_ab_block_device" label. Thus, we should allow init_dpm.sh to read/write on custom_ab_block_device. Bug: 283725554 Change-Id: I37e680373f2194e5a858eb32e810461b1c0091dd Signed-off-by: Bryan Bong Gyoune Kim --- debugpolicy/init_dpm.te | 1 + 1 file changed, 1 insertion(+) diff --git a/debugpolicy/init_dpm.te b/debugpolicy/init_dpm.te index 3a4f936..8938eef 100644 --- a/debugpolicy/init_dpm.te +++ b/debugpolicy/init_dpm.te @@ -8,4 +8,5 @@ allow init_dpm vendor_toolbox_exec:file execute_no_trans; allow init_dpm sysfs_dpm:file r_file_perms; allow init_dpm block_device:dir search; allow init_dpm dpm_block_device:blk_file rw_file_perms; +allow init_dpm custom_ab_block_device:blk_file rw_file_perms; ') -- cgit v1.2.3 From 9ba20fa49501e7ec63f1e33b868afa81c45b7227 Mon Sep 17 00:00:00 2001 From: joeshih Date: Mon, 19 Jun 2023 10:42:44 +0800 Subject: [SEPolicy]Remove deprcated sota stuff. - Move SEPolicy stuff at gs-common. - Refer to go/pixel-defrag. Bug: 287167439 Test: Forrest build to verify pass. Change-Id: I20793841d7bf6212a22b2ea080767291b9280ef7 --- sota_app/system_ext/factory_ota_app.te | 32 -------------------------------- sota_app/system_ext/property_contexts | 4 ---- sota_app/system_ext/seapp_contexts | 2 -- sota_app/system_ext/vendor_init.te | 1 - 4 files changed, 39 deletions(-) delete mode 100644 sota_app/system_ext/factory_ota_app.te delete mode 100644 sota_app/system_ext/property_contexts delete mode 100644 sota_app/system_ext/seapp_contexts delete mode 100644 sota_app/system_ext/vendor_init.te diff --git a/sota_app/system_ext/factory_ota_app.te b/sota_app/system_ext/factory_ota_app.te deleted file mode 100644 index f48adeb..0000000 --- a/sota_app/system_ext/factory_ota_app.te +++ /dev/null @@ -1,32 +0,0 @@ -type factory_ota_app, domain, coredomain; - -app_domain(factory_ota_app) -net_domain(factory_ota_app) - -# Write to /data/ota_package for OTA packages. -# Factory OTA client will download OTA image into ota_package folder and unzip it. -# Than Update engine could use it to execute OTA process. -# So Factory OTA client need read / write and create file access right for this folder -allow factory_ota_app ota_package_file:dir rw_dir_perms; -allow factory_ota_app ota_package_file:file create_file_perms; - -# Properties -# For write system property persist.* -set_prop(factory_ota_app, sota_prop); - -# Services -# For get access WiFi manager service and activity service -allow factory_ota_app app_api_service:service_manager find; -# Allow Factory OTA to call Update Engine -binder_call(factory_ota_app, update_engine) -# Allow Update Engine to call the Factory OTA callback -binder_call(update_engine, factory_ota_app) -#For access update engine function -allow factory_ota_app update_engine_service:service_manager find; -#For disable NFC wake up device feature -allow factory_ota_app nfc_service:service_manager find; -#For get device IMEI -allow factory_ota_app radio_service:service_manager find; - -# For suppress more GPU service sepolicy error log. -dontaudit factory_ota_app gpuservice:binder call; diff --git a/sota_app/system_ext/property_contexts b/sota_app/system_ext/property_contexts deleted file mode 100644 index 444fda2..0000000 --- a/sota_app/system_ext/property_contexts +++ /dev/null @@ -1,4 +0,0 @@ -ro.boot.sota u:object_r:sota_prop:s0 -ro.boot.sota. u:object_r:sota_prop:s0 -persist.vendor.factoryota. u:object_r:sota_prop:s0 -persist.vendor.radio.bootwithlpm u:object_r:sota_prop:s0 diff --git a/sota_app/system_ext/seapp_contexts b/sota_app/system_ext/seapp_contexts deleted file mode 100644 index 673f451..0000000 --- a/sota_app/system_ext/seapp_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Factory OTA -user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all diff --git a/sota_app/system_ext/vendor_init.te b/sota_app/system_ext/vendor_init.te deleted file mode 100644 index 11191e3..0000000 --- a/sota_app/system_ext/vendor_init.te +++ /dev/null @@ -1 +0,0 @@ -set_prop(vendor_init, sota_prop) -- cgit v1.2.3 From 05e213f564c79a0e1e9ba6b1977617f2a8b75366 Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Mon, 26 Jun 2023 13:24:22 -0700 Subject: Allow power-libperfmgr to write thermal properties Bug: 273618797 Test: run genshin and check thermal props Change-Id: If0b15220383d25e5fe0e028652e945c998245c65 --- power-libperfmgr/hal_power_default.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/power-libperfmgr/hal_power_default.te b/power-libperfmgr/hal_power_default.te index b4d4f65..8d6a9fe 100644 --- a/power-libperfmgr/hal_power_default.te +++ b/power-libperfmgr/hal_power_default.te @@ -28,11 +28,12 @@ allow hal_power_default proc_stat:file r_file_perms; allow hal_power_default proc_vendor_sched:dir r_dir_perms; allow hal_power_default proc_vendor_sched:file r_file_perms; -# Allow read/write thermal sysfs +# Allow read/write thermal sysfs and property allow hal_power_default thermal_link_device:dir r_dir_perms; allow hal_power_default sysfs_thermal:dir r_dir_perms; allow hal_power_default sysfs_thermal:file rw_file_perms; allow hal_power_default sysfs_thermal:lnk_file r_file_perms; +set_prop(hal_power_default, vendor_thermal_prop) userdebug_or_eng(` # Allow reading /data/vendor/* for debugging -- cgit v1.2.3 From 04549d35061f5579cfcfde9845269e3b64e7c6f2 Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Wed, 5 Jul 2023 12:25:23 +0800 Subject: Add cs40l26 module version attributes to sysfs_vibrator Related paths: /sys/module/cs40l26_core/version /sys/module/cl_dsp_core/version Bug: 289189911 Test: dumpsys android.hardware.vibrator.IVibrator/default Change-Id: I58ffe287fb281cb450bf0d3b1228609d589efd72 Merged-In: I58ffe287fb281cb450bf0d3b1228609d589efd72 --- vibrator/cs40l26/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vibrator/cs40l26/file_contexts b/vibrator/cs40l26/file_contexts index 5c9f669..fbbda2c 100644 --- a/vibrator/cs40l26/file_contexts +++ b/vibrator/cs40l26/file_contexts @@ -3,3 +3,6 @@ /dev/snd/pcmC0D24p u:object_r:vibrator_snd_device:s0 /dev/snd/pcmC1D24p u:object_r:vibrator_snd_device:s0 + +/sys/module/cs40l26_core/version u:object_r:sysfs_vibrator:s0 +/sys/module/cl_dsp_core/version u:object_r:sysfs_vibrator:s0 -- cgit v1.2.3 From 9f4865ff57be736dec9159b0eeeb78a94d1e89f6 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Wed, 9 Aug 2023 13:07:45 +0900 Subject: Move turbo_adapter sepolicy to system_ext Because TurboAdapter is installed to system_ext and labeling it with vendor sepolicy is a Treble violation. Bug: 280547417 Test: TH Change-Id: Id4c114ec3039dcfe2ceb29930d500a4d8f67778b --- turbo_adapter/private/seapp_contexts | 1 + turbo_adapter/private/turbo_adapter.te | 27 +++++++++++++++++++++++++++ turbo_adapter/public/turbo_adapter.te | 1 + turbo_adapter/seapp_contexts | 1 - turbo_adapter/turbo_adapter.te | 27 --------------------------- 5 files changed, 29 insertions(+), 28 deletions(-) create mode 100644 turbo_adapter/private/seapp_contexts create mode 100644 turbo_adapter/private/turbo_adapter.te create mode 100644 turbo_adapter/public/turbo_adapter.te delete mode 100644 turbo_adapter/seapp_contexts delete mode 100644 turbo_adapter/turbo_adapter.te diff --git a/turbo_adapter/private/seapp_contexts b/turbo_adapter/private/seapp_contexts new file mode 100644 index 0000000..4f983be --- /dev/null +++ b/turbo_adapter/private/seapp_contexts @@ -0,0 +1 @@ +user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all diff --git a/turbo_adapter/private/turbo_adapter.te b/turbo_adapter/private/turbo_adapter.te new file mode 100644 index 0000000..5eb76c1 --- /dev/null +++ b/turbo_adapter/private/turbo_adapter.te @@ -0,0 +1,27 @@ +# Normal platform_apps cannot access PowerHAL, so we need to define our own domain. Unfortunately +# this means that TurboAdapter doesn't get the platform_app permissions any more, so we need to +# list everything that it needs here. + +typeattribute turbo_adapter coredomain, system_suspend_internal_server; + +app_domain(turbo_adapter) + +# To use ServiceManager +allow turbo_adapter app_api_service:service_manager find; + +# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt) +hal_client_domain(turbo_adapter, hal_power) + +# PAS: for PowerStatsHalDataProvider +hal_client_domain(turbo_adapter, hal_power_stats) + +# PAS: for GoogleCpuTimeProvider +r_dir_file(turbo_adapter, proc_uid_cputime_showstat); + +# PAS: for SuspendControlServiceDataProvider +binder_call(turbo_adapter, system_suspend_internal_server) +get_prop(turbo_adapter, suspend_prop) + +# Allow setting `debug.` properties to propagate experimental feature configuration. +# TODO(b/209406271): Before launching to public, migrate to a more reliable configuration. +set_prop(turbo_adapter, debug_prop) diff --git a/turbo_adapter/public/turbo_adapter.te b/turbo_adapter/public/turbo_adapter.te new file mode 100644 index 0000000..ef2ec65 --- /dev/null +++ b/turbo_adapter/public/turbo_adapter.te @@ -0,0 +1 @@ +type turbo_adapter, domain; diff --git a/turbo_adapter/seapp_contexts b/turbo_adapter/seapp_contexts deleted file mode 100644 index 4f983be..0000000 --- a/turbo_adapter/seapp_contexts +++ /dev/null @@ -1 +0,0 @@ -user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all diff --git a/turbo_adapter/turbo_adapter.te b/turbo_adapter/turbo_adapter.te deleted file mode 100644 index 63cb193..0000000 --- a/turbo_adapter/turbo_adapter.te +++ /dev/null @@ -1,27 +0,0 @@ -# Normal platform_apps cannot access PowerHAL, so we need to define our own domain. Unfortunately -# this means that TurboAdapter doesn't get the platform_app permissions any more, so we need to -# list everything that it needs here. - -type turbo_adapter, domain, coredomain, system_suspend_internal_server; - -app_domain(turbo_adapter) - -# To use ServiceManager -allow turbo_adapter app_api_service:service_manager find; - -# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt) -hal_client_domain(turbo_adapter, hal_power) - -# PAS: for PowerStatsHalDataProvider -hal_client_domain(turbo_adapter, hal_power_stats) - -# PAS: for GoogleCpuTimeProvider -r_dir_file(turbo_adapter, proc_uid_cputime_showstat); - -# PAS: for SuspendControlServiceDataProvider -binder_call(turbo_adapter, system_suspend_internal_server) -get_prop(turbo_adapter, suspend_prop) - -# Allow setting `debug.` properties to propagate experimental feature configuration. -# TODO(b/209406271): Before launching to public, migrate to a more reliable configuration. -set_prop(turbo_adapter, debug_prop) -- cgit v1.2.3