author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 00:56:18 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 00:56:18 +0000 |
commit | 2328d08b298cc619a672894edd3f34d2343b45b2 (patch) | |
tree | 8ff21998ed7b8ed2537f3370b88b2d954258ce90 | |
parent | c909f0f7663d419e8c21694a2d40720c1aa3c9ac (diff) | |
parent | e03684088d97dc3cdbba2b5bd81c935245642f43 (diff) | |
Snap for 10447354 from e03684088d97dc3cdbba2b5bd81c935245642f43 to mainline-resolv-releaseaml_res_341510000aml_res_341410010aml_res_341311030aml_res_341110000aml_res_340912000android14-mainline-resolv-release
Change-Id: I04c23266668713fc33f5f6a70a67e440b2d2d07e
29 files changed, 181 insertions, 19 deletions
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index 7ed13ad..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type bt_device, dev_type;
diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts
index da02008..66d690f 100644
--- a/bluetooth/file_contexts
+++ b/bluetooth/file_contexts
@@ -1,5 +1,4 @@
 # Bluetooth
-/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
+/vendor/bin/hw/android\.hardware\.bluetooth@1\.1-service\.synabtlinux u:object_r:hal_bluetooth_synabtlinux_exec:s0
-/dev/btpower u:object_r:bt_device:s0
 /dev/ttySAC18 u:object_r:hci_attach_dev:s0
diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts
index 2b2d437..d18d164 100644
--- a/bluetooth/genfs_contexts
+++ b/bluetooth/genfs_contexts
@@ -1 +1,3 @@
-genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te
index dcd2b7f..c764133 100644
--- a/bluetooth/hal_bluetooth_default.te
+++ b/bluetooth/hal_bluetooth_default.te
@@ -1,9 +1,23 @@
-allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+type hal_bluetooth_synabtlinux, domain;
+type hal_bluetooth_synabtlinux_exec, exec_type, file_type, vendor_file_type;
-add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
+hal_server_domain(hal_bluetooth_synabtlinux, hal_bluetooth)
+init_daemon_domain(hal_bluetooth_synabtlinux)
-userdebug_or_eng(`
- allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms;
- allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms };
- set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
-')
+allow hal_bluetooth_synabtlinux self:socket { create bind read write };
+allow hal_bluetooth_synabtlinux self:bluetooth_socket { create bind read write };
+allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find;
+add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice)
+vndbinder_use(hal_bluetooth_synabtlinux)
+binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default)
+get_prop(hal_bluetooth_synabtlinux, boot_status_prop)
+
+allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+ userdebug_or_eng(`
+ allow hal_bluetooth_synabtlinux logbuffer_device:chr_file r_file_perms;
+ allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+ ')
diff --git a/fingerprint_capacitance/file.te b/fingerprint_capacitance/file.te
new file mode 100644
index 0000000..0218b46
--- /dev/null
+++ b/fingerprint_capacitance/file.te
@@ -0,0 +1 @@
+type sysfs_fingerprint, sysfs_type, fs_type;
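Review bot: The two `create_dir_perms`/`create_file_perms` rules on `sscoredump_vendor_data_crashinfo_file` for hal_bluetooth_synabtlinux are placed before the `userdebug_or_eng(` … `')` block, so they apply on user builds, whereas the removed rules kept the equivalent crashinfo access (and the `vendor_ssrdump_prop` set_prop) debug-only. If crash info is not meant to be written on user builds, those two lines belong inside the gated block next to the coredump rules; if it is intentional, a one-line comment such as `# crashinfo is collected on user builds too (coredumps remain debug-only)` would record the decision. The domain is now hal_bluetooth_synabtlinux while the file is still bluetooth/hal_bluetooth_default.te, so renaming the file to hal_bluetooth_synabtlinux.te would keep domain and file names aligned as they are for the other new domains in this change.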
diff --git a/fingerprint_capacitance/file_contexts b/fingerprint_capacitance/file_contexts
new file mode 100644
index 0000000..aa6d801
--- /dev/null
+++ b/fingerprint_capacitance/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42 u:object_r:hal_fingerprint_capacitance_exec:s0
diff --git a/fingerprint_capacitance/genfs_contexts b/fingerprint_capacitance/genfs_contexts
new file mode 100644
index 0000000..9fe2a86
--- /dev/null
+++ b/fingerprint_capacitance/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te
new file mode 100644
index 0000000..632086a
--- /dev/null
+++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te
@@ -0,0 +1,39 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
+
+# allow fingerprint to access file
+allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access sysfs_leds
+allow hal_fingerprint_capacitance sysfs_leds:dir search;
+allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;
+
+# allow fingerprint to access sysfs_batteryinfo
+allow hal_fingerprint_capacitance sysfs_batteryinfo:dir search;
+allow hal_fingerprint_capacitance sysfs_batteryinfo:file rw_file_perms;
+
+# allow fingerprint to access input_device
+allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
+
+# allow fingerprint to access hwservice
+hwbinder_use(hal_fingerprint_capacitance)
+add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)
+
+# allow fingerprint to access fwk sensor hwservice
+allow hal_fingerprint_capacitance fwk_sensor_hwservice:hwservice_manager find;
diff --git a/fingerprint_capacitance/hwservice.te b/fingerprint_capacitance/hwservice.te
new file mode 100644
index 0000000..68c51ab
--- /dev/null
+++ b/fingerprint_capacitance/hwservice.te
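Review bot: Several rules in hal_fingerprint_capacitance.te grant `rw_file_perms` where the comment above them only says "access": `sysfs_batteryinfo:file rw_file_perms`, `sysfs_leds:file rw_file_perms` and `input_device:chr_file rw_file_perms` let the fingerprint HAL write to battery, LED and input nodes, which is more than a read-side query needs. If the HAL only reads charger or battery state, the rule should be `allow hal_fingerprint_capacitance sysfs_batteryinfo:file r_file_perms;`, and each group comment should name the node and the operation (for example `# read charger state from sysfs_batteryinfo to gate sensor calibration`) instead of "allow fingerprint to access X", so the next reviewer can judge whether write is still required. `hal_client_domain(hal_fingerprint_capacitance, hal_power);` also carries a trailing semicolon that the other macro calls in this file do not.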
@@ -0,0 +1 @@
+type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;
diff --git a/fingerprint_capacitance/hwservice_contexts b/fingerprint_capacitance/hwservice_contexts
new file mode 100644
index 0000000..ed09300
--- /dev/null
+++ b/fingerprint_capacitance/hwservice_contexts
@@ -0,0 +1,2 @@
+com.fingerprints42.extension::IFingerprintEngineering u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
+com.fingerprints42.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
diff --git a/fingerprint_capacitance/servicemanager.te b/fingerprint_capacitance/servicemanager.te
new file mode 100644
index 0000000..6e1afe9
--- /dev/null
+++ b/fingerprint_capacitance/servicemanager.te
@@ -0,0 +1 @@
+binder_call(servicemanager, hal_fingerprint_capacitance)
diff --git a/fingerprint_capacitance/system_app.te b/fingerprint_capacitance/system_app.te
new file mode 100644
index 0000000..f583431
--- /dev/null
+++ b/fingerprint_capacitance/system_app.te
@@ -0,0 +1,3 @@
+# TODO (b/264266705) Remove this and make it specific to the app
+# allow SystemUIGoogle to access fingerprint hal
+hal_client_domain(system_app, hal_fingerprint)
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te
new file mode 100644
index 0000000..cd094a3
--- /dev/null
+++ b/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# Allow platform apps to access system_update_service (e.g. check if update info is available).
+allow platform_app system_update_service:service_manager find;
\ No newline at end of file
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 0000000..f08d9e4
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,6 @@
+# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands
+debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool
+
+# Default orienation for boot animation counted from natural orienation of the device
+# Id at the end corresponds to the display id on the device. See b/246793311 for context.
+ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270
diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk
index 97cf380..f16f331 100644
--- a/tangorpro-sepolicy.mk
+++ b/tangorpro-sepolicy.mk
@@ -1,2 +1,14 @@
 # sepolicy that are shared among devices using whitechapel
 BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/tracking_denials
+
+# fingerprint
+BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance
+
+# for mediashell
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor
+PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv
+
+# system_ext
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private
diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt
new file mode 100644
index 0000000..6cfc62d
--- /dev/null
+++ b/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..c77f421
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,4 @@
+hal_camera_default boot_status_prop file b/275001805
+hal_camera_default edgetpu_app_service service_manager b/275001805
+hal_dumpstate_default modem_stat_data_file dir b/239115418
+shell sysfs_touch dir b/264823366
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..a863220
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,8 @@
+#Pogo USB control & status
+type sysfs_pogo_usb, sysfs_type, fs_type;
+
+# Cast device certificate
+type device_cert_file, file_type, vendor_persist_type;
+
+# Avoid GPS se failed
+type sysfs_gps, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 46faec0..792f30a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,12 +1,15 @@
 # Devices
-/dev/lwis-act-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx712 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx712-uw u:object_r:lwis_device:s0
-/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx712 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx787 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-front u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-rear u:object_r:lwis_device:s0
+/dev/lwis-sensor-medusa-front u:object_r:lwis_device:s0
+/dev/lwis-sensor-medusa-rear u:object_r:lwis_device:s0
 # Wifi
 /dev/wlan u:object_r:vendor_wlan_device:s0
+
+# Privacy LED
+/vendor/bin/hw/android\.hardware\.lights-service\.tangorpro u:object_r:hal_light_default_exec:s0
+
+# Cast Factory Credentials
+/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0
+/mnt/vendor/persist/nest/cast_auth\.crt u:object_r:device_cert_file:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
new file mode 100644
index 0000000..4b06cfb
--- /dev/null
+++ b/vendor/genfs_contexts
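Review bot: In vendor/file.te, `type sysfs_gps, sysfs_type, fs_type;` is declared under the comment `# Avoid GPS se failed`, but nothing else in this change labels a path with sysfs_gps or grants any domain access to it (the new vendor/genfs_contexts hunk does not mention it), so unless a file outside this diff references it the type is dead weight. The comment should state what the label is for rather than the symptom it was added to silence, e.g. `# GPS sysfs nodes; labelled in genfs_contexts`, and if the genfscon entry was meant to land here it is missing. Minor: `#Pogo USB control & status` lacks the space after `#` that the other comments in the file use.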
@@ -0,0 +1,27 @@
+# Dock
+genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0
+
+# Touch
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0
+
+# system suspend wakeup files
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0
+
+# Pogo usb control & status
+genfscon sysfs /devices/platform/google,pogo/pogo_usb_active u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/pogo_usb_capable u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/pogo_docked u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/equal_priority u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/move_data_to_usb u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/google,pogo/hall1_s u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/hall1_n u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/hall2_s u:object_r:sysfs_pogo_usb:s0
diff --git a/vendor/grilservice_app.te b/vendor/grilservice_app.te
new file mode 100644
index 0000000..763121c
--- /dev/null
+++ b/vendor/grilservice_app.te
@@ -0,0 +1,2 @@
+# setBluetoothModeBasedTxPowerCap for SAR
+binder_call(grilservice_app, hal_bluetooth_synabtlinux)
diff --git a/vendor/hal_drm_cast.te b/vendor/hal_drm_cast.te
new file mode 100644
index 0000000..800a231
--- /dev/null
+++ b/vendor/hal_drm_cast.te
@@ -0,0 +1,9 @@
+type hal_drm_cast, domain;
+type hal_drm_cast_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_cast)
+hal_server_domain(hal_drm_cast, hal_drm)
+
+allow hal_drm_cast mnt_vendor_file:dir search;
+allow hal_drm_cast persist_file:dir search;
+allow hal_drm_cast device_cert_file:file r_file_perms;
diff --git a/vendor/hal_lights.te b/vendor/hal_lights.te
new file mode 100644
index 0000000..7c43a93
--- /dev/null
+++ b/vendor/hal_lights.te
@@ -0,0 +1,7 @@
+allow hal_light_default sysfs_leds:dir search;
+allow hal_light_default sysfs_leds:file rw_file_perms;
+allow hal_light_default mnt_vendor_file:dir search;
+allow hal_light_default persist_file:dir search;
+allow hal_light_default hal_pixel_display_service:service_manager find;
+binder_call(hal_light_default, hal_graphics_composer_default);
+r_dir_file(hal_light_default, persist_leds_file);
diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te
new file mode 100644
index 0000000..a81c9ba
--- /dev/null
+++ b/vendor/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+# getStateResidency AIDL callback for Bluetooth HAL
+binder_call(hal_power_stats_default, hal_bluetooth_synabtlinux)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..da6b54e
--- /dev/null
+++ b/vendor/hal_sensors_default.te
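Review bot: In vendor/hal_lights.te, `binder_call(hal_light_default, hal_graphics_composer_default);` and `r_dir_file(hal_light_default, persist_leds_file);` end with a semicolon while the macro calls elsewhere in this change (`init_daemon_domain(hal_drm_cast)`, `binder_call(grilservice_app, hal_bluetooth_synabtlinux)`) do not; the macros already expand to terminated statements, so the trailing `;` should be dropped for consistency. The file is also the only new .te in this change with no comments at all, so a reader cannot tell why a lights HAL needs `persist_file:dir search`, `mnt_vendor_file:dir search` or a binder call into the graphics composer; one comment per group, in the style of the other files (e.g. `# LED calibration data under /mnt/vendor/persist`), would document the intent.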
@@ -0,0 +1,9 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow sensor HAL to access pogo driver hall file node.
+allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms;
+
+# Allow access to the uhid devices.
+allow hal_sensors_default uhid_device:chr_file rw_file_perms;
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
new file mode 100644
index 0000000..4f1bfbc
--- /dev/null
+++ b/vendor/hal_usb_impl.te
@@ -0,0 +1,2 @@
+# For Pogo usb management
+allow hal_usb_impl sysfs_pogo_usb:file rw_file_perms;
diff --git a/vendor/service_contexts b/vendor/service_contexts
new file mode 100644
index 0000000..f93a0e0
--- /dev/null
+++ b/vendor/service_contexts
@@ -0,0 +1,2 @@
+# Cast Factory Credentials
+android.hardware.drm.IDrmFactory/castkey u:object_r:hal_drm_service:s0
diff --git a/vendor/system_server.te b/vendor/system_server.te
new file mode 100644
index 0000000..ba82449
--- /dev/null
+++ b/vendor/system_server.te
@@ -0,0 +1 @@
+allow system_server sysfs_touch_gti:file r_file_perms;
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 0000000..de38b6f
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1 @@
+get_prop(vendor_init, gesture_prop)
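Review bot: The comment in vendor/hal_sensors_default.te says the sensor HAL needs the "pogo driver hall file node", but `allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms;` covers every node labelled sysfs_pogo_usb in vendor/genfs_contexts, including pogo_usb_active, move_data_to_usb and equal_priority, which are USB data-path controls rather than hall-sensor inputs; as written the sensor HAL can write the same control files as hal_usb_impl. If the HAL only reads the hall1_s/hall1_n/hall2_s nodes, giving those three genfscon entries their own label (for example a `sysfs_pogo_hall` type declared in vendor/file.te) and granting `r_file_perms` on it here would keep the USB controls to hal_usb_impl alone. The hal_usb_impl hunk on the same line is the intended writer and needs no change.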