[automerger skipped] Merge Android 24Q2 Release (ab/11526283) to aosp-main-future am: 958d751956 -s ours

am skip reason: Merged-In Ifcf73176620f44743a8aa252f8afed85c3af475c with SHA-1 1c7d8f80f2 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/27273660

Change-Id: I629080ea20475918f6c7b4efdf12b6754b4be4a8
Signed-off-by: Automerger Merge Worker <[email protected]>
diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te
new file mode 100644
index 0000000..8bf71cc
--- /dev/null
+++ b/system_ext/private/pixelntnservice_app.te
@@ -0,0 +1,5 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)
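Review bot: The new private domain file carries no comment saying what pixelntnservice_app is or why it needs to set telephony_modem_prop, so a reader has to cross-reference seapp_contexts and property_contexts elsewhere in this change to find out. The other hunks show it is the com.google.android.satellite app running as the system uid, and that telephony_modem_prop backs telephony.TnNtn.image_switch, which vendor_init and cbd read. Suggest a header above the typeattribute line: `# PixelNtnService (com.google.android.satellite): sets telephony.TnNtn.image_switch` / `# (telephony_modem_prop); the value is read by vendor_init and cbd.` That also records why the app needs a system_restricted property rather than an app-writable one.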
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index ffb1793..4e60110 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -2,4 +2,5 @@
 persist.fingerprint.ghbm    u:object_r:fingerprint_ghbm_prop:s0    exact    bool
 
 # Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0    exact enum ntn tn
 telephony.ril.silent_reset    u:object_r:telephony_ril_prop:s0    exact    bool
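Review bot: The added property_contexts line pads its columns differently from its neighbours: the context and scheme columns use four spaces elsewhere, while this line uses four spaces before `exact` but a single space between `exact` and `enum`. Aligning it as `telephony.TnNtn.image_switch    u:object_r:telephony_modem_prop:s0    exact    enum ntn tn` keeps the file scannable. The `enum ntn tn` constraint itself is a good choice, since property_service then rejects any value other than the two image names.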
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 82f4347..0a2050e 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -8,3 +8,5 @@
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
 
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
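Review bot: The entry runs com.google.android.satellite as `user=system` but labels its data directory `type=app_data_file`, while the other `user=system` entry touched in this change (CatEngineService in whitechapel_pro/seapp_contexts) uses `type=system_app_data_file`, the usual pairing for system-uid apps. If the app's data is meant to be protected like other system app data, the line should read `user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=system_app_data_file levelFrom=all`. If app_data_file is deliberate (for instance because the domain is not system_app and the neverallows on system_app_data_file would reject it), a one-line comment under `# PixelNtnService` saying so would save the next reviewer the same question.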
diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te
new file mode 100644
index 0000000..10661b6
--- /dev/null
+++ b/system_ext/public/pixelntnservice_app.te
@@ -0,0 +1 @@
+type pixelntnservice_app, domain;
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 823acf5..e194720 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -3,7 +3,8 @@
 
 # Telephony
 system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
 
 userdebug_or_eng(`
   set_prop(shell, telephony_ril_prop)
-')
\ No newline at end of file
+')
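Review bot: `system_restricted_prop(telephony_modem_prop)` is declared without a note on who writes and who reads it; the other hunks in this change have pixelntnservice_app setting it and vendor_init and cbd reading it, which is the system-writable, vendor-readable split this macro exists for. Suggest a comment directly above the new line: `# telephony.TnNtn.image_switch: set by pixelntnservice_app, read by vendor_init and cbd.` The trailing-newline fix at the end of the hunk is fine.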
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 264c8ba..75fe53c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,13 +1,20 @@
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
+hal_sensors_default sysfs file b/336451433
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
+insmod-sh insmod-sh key b/336451874
 kernel dm_device blk_file b/319403445
+kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
 rfsd vendor_cbd_prop file b/317734397
+shell sysfs_net file b/329380891
 surfaceflinger selinuxfs file b/315104594
+vendor_init debugfs_trace_marker file b/336451787
 vendor_init default_prop file b/315104479
 vendor_init default_prop file b/315104803
 vendor_init default_prop file b/323086703
 vendor_init default_prop file b/323086890
+vendor_init default_prop file b/329380363
+vendor_init default_prop file b/329381126
 vendor_init default_prop property_service b/315104803
diff --git a/whitechapel_pro/cbd.te b/whitechapel_pro/cbd.te
index c4cfe7a..9cb7ee2 100644
--- a/whitechapel_pro/cbd.te
+++ b/whitechapel_pro/cbd.te
@@ -5,6 +5,7 @@
 set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
 
 # Allow cbd to set gid/uid from too to radio
 allow cbd self:capability { setgid setuid };
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index f7216f6..4bed047 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -208,6 +208,7 @@
 /dev/maxfg_history                                                          u:object_r:battery_history_device:s0
 /dev/battery_history                                                        u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)?                                               u:object_r:powerstats_vendor_data_file:s0
+/data/vendor/fingerprint(/.*)?                                              u:object_r:fingerprint_vendor_data_file:s0
 
 # Persist
 /mnt/vendor/persist/battery(/.*)?                                           u:object_r:persist_battery_file:s0
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index d5ed958..d44eed6 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -8,9 +8,11 @@
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
 
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
-dontaudit kernel vendor_regmap_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-dontaudit kernel vendor_usb_debugfs:dir search;
-dontaudit kernel vendor_charger_debugfs:dir search;
+userdebug_or_eng(`
+  allow kernel vendor_battery_debugfs:dir search;
+  allow kernel vendor_regmap_debugfs:dir search;
+  allow kernel vendor_usb_debugfs:dir search;
+  allow kernel vendor_votable_debugfs:dir search;
+  allow kernel vendor_charger_debugfs:dir search;
+  allow kernel vendor_maxfg_debugfs:dir search;
+')
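Review bot: Removing the six `dontaudit kernel vendor_*_debugfs:dir search;` rules means that on user builds any such lookup by the kernel is now audited rather than silenced, because the replacement `allow` rules exist only inside userdebug_or_eng. That is presumably acceptable because debugfs is not mounted on user builds, but the hunk does not record that rationale; suggest a comment above the macro: `# debugfs is only mounted on userdebug/eng builds, so these lookups cannot occur on user builds and no dontaudit is needed.` As a point of style, the maxfg rule also moved from second to last in the list while the other five kept their order; keeping one stable ordering makes future diffs easier to read.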
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 040082e..5a703c9 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -20,7 +20,7 @@
 allow modem_svc_sit vendor_fw_file:dir search;
 allow modem_svc_sit vendor_fw_file:file r_file_perms;
 
-allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
 allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
 allow modem_svc_sit modem_userdata_file:file create_file_perms;
 
@@ -40,3 +40,12 @@
 userdebug_or_eng(`
   allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
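Review bot: In the first hunk of this file, `mnt_vendor_file:dir` goes from `search` to `r_dir_perms`, which additionally grants read/open/getattr/ioctl/lock and lets modem_svc_sit enumerate /mnt/vendor rather than only traverse it to known subpaths. Nothing in the change says why the listing is needed; either narrow it back to `allow modem_svc_sit mnt_vendor_file:dir search;` or add a comment naming the directory that has to be listed. This second hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which the property.te hunk in the same change took care to fix.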
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 15856a1..4002807 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -19,6 +19,7 @@
 
 # Batery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
 
 # storage smart idle maintenance
 get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
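Review bot: The new `allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;` is placed under the `# Batery history` comment, but logbuffer_device is not the battery history device the preceding rule covers, so the block comment no longer describes its contents. Give the rule its own heading, e.g. `# Logbuffer` above it, or a short comment stating what pixelstats_vendor reads from it. The comment typo (`Batery`) is in context, not in this change, but could be fixed at the same time.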
diff --git a/whitechapel_pro/ramdump_app.te b/whitechapel_pro/ramdump_app.te
deleted file mode 100644
index 308e9fb..0000000
--- a/whitechapel_pro/ramdump_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ramdump_app, domain;
-
-userdebug_or_eng(`
-  app_domain(ramdump_app)
-
-  allow ramdump_app app_api_service:service_manager find;
-
-  allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
-  allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
-
-  set_prop(ramdump_app, vendor_ramdump_prop)
-  get_prop(ramdump_app, system_boot_reason_prop)
-
-  # To access ramdumpfs.
-  allow ramdump_app mnt_vendor_file:dir search;
-  allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
-  allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
-
-  # To access subsystem ramdump files and dirs.
-  allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-  allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-  allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
-  allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-')
diff --git a/whitechapel_pro/rfsd.te b/whitechapel_pro/rfsd.te
index 2d1f092..b450832 100644
--- a/whitechapel_pro/rfsd.te
+++ b/whitechapel_pro/rfsd.te
@@ -32,6 +32,7 @@
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+set_prop(cbd, vendor_cbd_prop)
 
 # Allow rfsd to access modem image file/dir
 allow rfsd modem_img_file:dir r_dir_perms;
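Review bot: The added rule `set_prop(cbd, vendor_cbd_prop)` names cbd as the source domain, but this is rfsd.te, the surrounding comment (`# Allow to set rild and modem property`) and both neighbouring rules are for rfsd, and cbd already has this exact rule in cbd.te elsewhere in the diff, so as written the line is a no-op duplicate. tracking_denials/bug_map in this same change still lists `rfsd vendor_cbd_prop file b/317734397`, which strongly suggests the intended line is `set_prop(rfsd, vendor_cbd_prop)`. Once corrected, that bug_map entry can be retired.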
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index eda8c10..271e857 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -18,9 +18,6 @@
 # Samsung S.LSI engineer mode
 user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
 
-# coredump/ramdump
-user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
 user=_app isPrivApp=true  seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
 
@@ -40,9 +37,6 @@
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
 
-# Sub System Ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
 
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
index e3ae0e7..0158b56 100644
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@@ -4,3 +4,5 @@
 vendor.google.wireless_charger.IWirelessCharger/default                      u:object_r:hal_wireless_charger_service:s0
 
 rlsservice                                                 u:object_r:rls_service:s0
+
+android.hardware.media.c2.IComponentStore/default1         u:object_r:hal_codec2_service:s0
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
deleted file mode 100644
index a93d5bd..0000000
--- a/whitechapel_pro/ssr_detector.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type ssr_detector_app, domain;
-
-app_domain(ssr_detector_app)
-allow ssr_detector_app app_api_service:service_manager find;
-allow ssr_detector_app radio_service:service_manager find;
-
-allow ssr_detector_app system_app_data_file:dir create_dir_perms;
-allow ssr_detector_app system_app_data_file:file create_file_perms;
-
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-userdebug_or_eng(`
-  allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
-  allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-  get_prop(ssr_detector_app, vendor_aoc_prop)
-  set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
-  allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
-  allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
-  allow ssr_detector_app proc_vendor_sched:dir search;
-  allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
-  allow ssr_detector_app cgroup:file write;
-  allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
-')
-
-get_prop(ssr_detector_app, vendor_ssrdump_prop)
-get_prop(ssr_detector_app, vendor_wifi_version)
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index c8acdbb..7ee3c95 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -11,6 +11,8 @@
 set_prop(vendor_init, vendor_rild_prop)
 set_prop(vendor_init, logpersistd_logging_prop)
 set_prop(vendor_init, vendor_logger_prop)
+get_prop(vendor_init, telephony_modem_prop)
+
 
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file w_file_perms;
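Review bot: The blank line added after `get_prop(vendor_init, telephony_modem_prop)` sits directly above an existing blank context line, leaving two consecutive empty lines before the `allow vendor_init proc_dirty` block. Drop the added blank line so the file keeps single-blank-line separation between blocks.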