Merge "modem_svc: move shared_modem_platform related sepolicy to gs-common" into main
diff --git a/audio/aidl.mk b/audio/aidl.mk
index 7dd56bc..68458dd 100644
--- a/audio/aidl.mk
+++ b/audio/aidl.mk
@@ -16,7 +16,11 @@
libhapticgeneratoraidl \
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/aidl
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hdmi_audio
+ifeq ($(AUDIO_USE_DPTX_SEPOLICY),true)
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hdmi_audio/dptx
+else
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hdmi_audio/drmdp
+endif
include device/google/gs-common/audio/common.mk
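Review bot: The new `AUDIO_USE_DPTX_SEPOLICY` switch is undocumented: nothing at the `ifeq` says what should set it, or that the `else` branch (`drmdp`) is the label set that was previously included unconditionally. Add a comment above the `ifeq`, e.g. `# AUDIO_USE_DPTX_SEPOLICY=true selects the labels for the dwc_dptx HDMI-audio extcon node; all other devices keep the drmdp labels (the former unconditional default).` so a device maintainer knows which variant to pick.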
diff --git a/audio/hidl_zuma.mk b/audio/hidl_zuma.mk
index 6fb3449..64ad2ba 100644
--- a/audio/hidl_zuma.mk
+++ b/audio/hidl_zuma.mk
@@ -42,7 +42,7 @@
endif
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hidl
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hdmi_audio
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hdmi_audio/drmdp
include device/google/gs-common/audio/common.mk
diff --git a/audio/sepolicy/hdmi_audio/dptx/genfs_contexts b/audio/sepolicy/hdmi_audio/dptx/genfs_contexts
new file mode 100644
index 0000000..64803be
--- /dev/null
+++ b/audio/sepolicy/hdmi_audio/dptx/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/dwc_dptx-audio/extcon/hdmi_audio u:object_r:sysfs_extcon:s0
diff --git a/audio/sepolicy/hdmi_audio/genfs_contexts b/audio/sepolicy/hdmi_audio/drmdp/genfs_contexts
similarity index 100%
rename from audio/sepolicy/hdmi_audio/genfs_contexts
rename to audio/sepolicy/hdmi_audio/drmdp/genfs_contexts
diff --git a/chre/sepolicy/hal_contexthub_default.te b/chre/sepolicy/hal_contexthub_default.te
index 87e3a42..50e7ca3 100644
--- a/chre/sepolicy/hal_contexthub_default.te
+++ b/chre/sepolicy/hal_contexthub_default.te
@@ -35,3 +35,6 @@
# Allow binder calls with clients
binder_call(hal_contexthub_default, hal_sensors_default)
+
+# Allow access for AoC properties.
+get_prop(hal_contexthub_default, vendor_aoc_prop)
diff --git a/gcam_app/sepolicy/product/private/debug_camera_app.te b/gcam_app/sepolicy/product/private/debug_camera_app.te
index 4402e55..9d4643d 100644
--- a/gcam_app/sepolicy/product/private/debug_camera_app.te
+++ b/gcam_app/sepolicy/product/private/debug_camera_app.te
@@ -1,28 +1,16 @@
# GCANext and GCAEng.
-# b/363018500
typeattribute debug_camera_app coredomain;
userdebug_or_eng(`
app_domain(debug_camera_app)
net_domain(debug_camera_app)
- allow debug_camera_app activity_service:service_manager find;
- allow debug_camera_app activity_task_service:service_manager find;
+ allow debug_camera_app app_api_service:service_manager find;
allow debug_camera_app audioserver_service:service_manager find;
- allow debug_camera_app batterystats_service:service_manager find;
allow debug_camera_app cameraserver_service:service_manager find;
- allow debug_camera_app device_policy_service:service_manager find;
- allow debug_camera_app device_state_service:service_manager find;
- allow debug_camera_app gpu_service:service_manager find;
allow debug_camera_app mediaextractor_service:service_manager find;
allow debug_camera_app mediametrics_service:service_manager find;
allow debug_camera_app mediaserver_service:service_manager find;
- allow debug_camera_app powerstats_service:service_manager find;
- allow debug_camera_app sensorservice_service:service_manager find;
- allow debug_camera_app thermal_service:service_manager find;
- allow debug_camera_app trust_service:service_manager find;
- allow debug_camera_app vibrator_manager_service:service_manager find;
- allow debug_camera_app virtual_device_native_service:service_manager find;
# Allows GCA_Eng & GCA-Next to access the PowerHAL.
hal_client_domain(debug_camera_app, hal_power)
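Review bot: Replacing the twelve enumerated `*_service:service_manager find` rules with a single `app_api_service:service_manager find` widens the grant from those named services to every service carrying the `app_api_service` attribute, and the hunk leaves no comment saying the broadening is intended. Because the rule sits inside `userdebug_or_eng`, the wider reach is confined to debug builds, but a one-line comment above it would keep that reasoning next to the rule, e.g. `# Debug builds only: app_api_service deliberately replaces the former per-service find list.` Dropping `# b/363018500` also removes the only pointer to the rationale for this block; consider keeping the reference. The `userdebug_or_eng` block continues past the end of the hunk.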
diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te
index e3e4d92..b9e1bd4 100644
--- a/gps/pixel/sepolicy/hal_gnss_pixel.te
+++ b/gps/pixel/sepolicy/hal_gnss_pixel.te
@@ -24,3 +24,6 @@
# Allow access ssrdump information
allow hal_gnss_pixel sscoredump_vendor_data_crashinfo_file:file r_file_perms;
allow hal_gnss_pixel sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+
+# Allow pixel gnss access vendor_gps_file
+allow hal_gnss_pixel vendor_gps_file:file create_file_perms;
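Review bot: The new rule grants `create_file_perms` on `vendor_gps_file:file`, but nothing in the hunk grants the matching `vendor_gps_file:dir` permissions (search, write, add_name, …) that creating a file inside such a directory also needs; unless a dir rule exists elsewhere in this file, the create path will still be denied. The comment would also read better as `# Allow the pixel GNSS HAL to create and use files labelled vendor_gps_file`.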
diff --git a/gril/aidl/2.1/compatibility_matrix.xml b/gril/aidl/2.1/compatibility_matrix.xml
new file mode 100644
index 0000000..c1ce8f9
--- /dev/null
+++ b/gril/aidl/2.1/compatibility_matrix.xml
@@ -0,0 +1,10 @@
+<compatibility-matrix version="1.0" type="framework">
+ <hal format="aidl" optional="true">
+ <name>vendor.google.radio_ext</name>
+ <version>3</version>
+ <interface>
+ <name>IRadioExt</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+</compatibility-matrix>
diff --git a/gril/aidl/2.1/gril_aidl.mk b/gril/aidl/2.1/gril_aidl.mk
new file mode 100644
index 0000000..d5bc3fc
--- /dev/null
+++ b/gril/aidl/2.1/gril_aidl.mk
@@ -0,0 +1,4 @@
+PRODUCT_PACKAGES += vendor.google.radioext@1.0-service
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.1/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.1/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy
diff --git a/gril/aidl/2.1/sepolicy/file_contexts b/gril/aidl/2.1/sepolicy/file_contexts
new file mode 100644
index 0000000..9973b80
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_aidl_radio_ext_exec:s0
diff --git a/gril/aidl/2.1/sepolicy/grilservice_app.te b/gril/aidl/2.1/sepolicy/grilservice_app.te
new file mode 100644
index 0000000..812c8a2
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/grilservice_app.te
@@ -0,0 +1,4 @@
+# allow grilservice_app to find hal_radio_ext_service
+allow grilservice_app hal_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_aidl_radio_ext)
+binder_call(grilservice_app, twoshay)
diff --git a/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te
new file mode 100644
index 0000000..eaff153
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te
@@ -0,0 +1,36 @@
+# hal_aidl_radio_ext domain
+type hal_aidl_radio_ext, domain;
+type hal_aidl_radio_ext_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(hal_aidl_radio_ext)
+
+get_prop(hal_aidl_radio_ext, hwservicemanager_prop)
+get_prop(hal_aidl_radio_ext, telephony_modemtype_prop)
+set_prop(hal_aidl_radio_ext, vendor_gril_prop)
+
+binder_call(hal_aidl_radio_ext, servicemanager)
+binder_call(hal_aidl_radio_ext, grilservice_app)
+binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux)
+
+add_service(hal_aidl_radio_ext, hal_radio_ext_service)
+
+# RW /dev/oem_ipc0
+allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_aidl_radio_ext radio_vendor_data_file:dir create_dir_perms;
+allow hal_aidl_radio_ext radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_service:service_manager find;
+
+# Allow access to the backlight driver to set ssc_mode
+allow hal_aidl_radio_ext sysfs_leds:dir search;
+allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;
+
+# legacy/zuma/vendor
+allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;
+
+# Allow access to read display port info
+allow hal_aidl_radio_ext sysfs:file r_file_perms;
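Review bot: `allow hal_aidl_radio_ext sysfs:file r_file_perms;` on the last line grants read access to every sysfs node that carries the generic `sysfs` label, far more than the display-port information the comment describes. The least-privilege form is to give the specific node(s) a dedicated type in genfs_contexts, as this same commit does for `/devices/platform/dwc_dptx-audio/extcon/hdmi_audio`, and allow only that type. The `# legacy/zuma/vendor` comment above `sysfs_display:file rw_file_perms` names no purpose either; state which display nodes are read or written there.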
diff --git a/gril/aidl/2.1/sepolicy/hal_camera_default.te b/gril/aidl/2.1/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..61f8001
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/hal_camera_default.te
@@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_aidl_radio_ext
+binder_call(hal_camera_default, hal_aidl_radio_ext);
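Review bot: The macro invocation `binder_call(hal_camera_default, hal_aidl_radio_ext);` carries a trailing semicolon, unlike the same macro in grilservice_app.te and twoshay.te in this commit; the `;` sits outside the macro expansion and is only noise, so write `binder_call(hal_camera_default, hal_aidl_radio_ext)`. The same applies to `binder_call(edgetpu_tachyon_server, system_server);` in gxp/sepolicy/edgetpu_tachyon_service.te.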
diff --git a/gril/aidl/2.1/sepolicy/twoshay.te b/gril/aidl/2.1/sepolicy/twoshay.te
new file mode 100644
index 0000000..f7d3fe1
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/twoshay.te
@@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_aidl_radio_ext
+binder_call(twoshay, hal_aidl_radio_ext)
diff --git a/gxp/sepolicy/edgetpu_tachyon_service.te b/gxp/sepolicy/edgetpu_tachyon_service.te
index 35987dd..31b7e7b 100644
--- a/gxp/sepolicy/edgetpu_tachyon_service.te
+++ b/gxp/sepolicy/edgetpu_tachyon_service.te
@@ -1,3 +1,7 @@
# Allow Tachyon service to access the GXP device and read GXP properties.
allow edgetpu_tachyon_server gxp_device:chr_file rw_file_perms;
get_prop(edgetpu_tachyon_server, vendor_gxp_prop)
+
+# Allow tachyon service to log to stats service for reporting metrics.
+allow edgetpu_tachyon_server fwk_stats_service:service_manager find;
+binder_call(edgetpu_tachyon_server, system_server);
diff --git a/input/gia/aidl/compatibility_matrix.xml b/input/gia/aidl/compatibility_matrix.xml
new file mode 100644
index 0000000..1a348ea
--- /dev/null
+++ b/input/gia/aidl/compatibility_matrix.xml
@@ -0,0 +1,10 @@
+<compatibility-matrix type="framework" version="1.0">
+ <hal format="aidl" optional="true">
+ <name>com.google.input.gia.core</name>
+ <interface>
+ <name>IGiaService</name>
+ <instance>default</instance>
+ </interface>
+ <version>1</version>
+ </hal>
+</compatibility-matrix>
\ No newline at end of file
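Review bot: Both new XML files end without a trailing newline (`\ No newline at end of file` here and in input/gia/aidl/manifest.xml); add one so later edits don't show the closing tag as changed. The `<version>` element is also placed after `<interface>` here, while gril/aidl/2.1/compatibility_matrix.xml in this same commit puts it before; pick one order for the repository.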
diff --git a/input/gia/aidl/manifest.xml b/input/gia/aidl/manifest.xml
new file mode 100644
index 0000000..98303c8
--- /dev/null
+++ b/input/gia/aidl/manifest.xml
@@ -0,0 +1,10 @@
+<manifest type="device" version="1.0">
+ <hal format="aidl" optional="true">
+ <name>com.google.input.gia.core</name>
+ <interface>
+ <name>IGiaService</name>
+ <instance>default</instance>
+ </interface>
+ <version>1</version>
+ </hal>
+</manifest>
\ No newline at end of file
diff --git a/input/gia/gia.mk b/input/gia/gia.mk
new file mode 100644
index 0000000..ea079ca
--- /dev/null
+++ b/input/gia/gia.mk
@@ -0,0 +1,11 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/input/gia/sepolicy
+
+PRODUCT_PACKAGES += gia
+PRODUCT_PACKAGES += com.google.input.gia.giaservicemanager
+
+PRODUCT_SOONG_NAMESPACES += vendor/google/interfaces
+PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core
+PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core-servicemanager
+
+DEVICE_MANIFEST_FILE += device/google/gs-common/input/gia/aidl/manifest.xml
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/input/gia/aidl/compatibility_matrix.xml
diff --git a/input/gia/sepolicy/attributes b/input/gia/sepolicy/attributes
new file mode 100644
index 0000000..1d61ad3
--- /dev/null
+++ b/input/gia/sepolicy/attributes
@@ -0,0 +1,2 @@
+# This macro produces: define hal_gia, hal_gia_client, hal_gia_server
+hal_attribute(gia)
diff --git a/input/gia/sepolicy/file_contexts b/input/gia/sepolicy/file_contexts
new file mode 100644
index 0000000..99d6857
--- /dev/null
+++ b/input/gia/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+# chmod +x in SEPolicy language
+/vendor/bin/gia u:object_r:gia_exec:s0
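Review bot: The comment `# chmod +x in SEPolicy language` is misleading: this file_contexts entry only assigns the `gia_exec` label to /vendor/bin/gia, while execute permission and the domain transition come from the `exec_type` declaration and `init_daemon_domain(gia)` in gia.te. Replace it with `# Label the GIA daemon binary so init_daemon_domain(gia) can transition it into the gia domain`.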
diff --git a/input/gia/sepolicy/gia.te b/input/gia/sepolicy/gia.te
new file mode 100644
index 0000000..2c84e7c
--- /dev/null
+++ b/input/gia/sepolicy/gia.te
@@ -0,0 +1,18 @@
+# SEPolicies for GIA (Google Input interface Abstraction layer)
+type gia, domain;
+type gia_exec, exec_type, vendor_file_type, file_type;
+
+# Macro transferring gia_exec to the gia domain
+init_daemon_domain(gia)
+
+# let this domain use the hal service
+hal_client_domain(gia, hal_gia)
+# allow binder communication with service_manager
+binder_use(gia)
+
+# let this domain serve the hal service
+hal_server_domain(gia, hal_gia)
+
+# allow gia for accessing touch related system file-nodes
+allow gia sysfs_touch_gti:dir r_dir_perms;
+allow gia sysfs_touch_gti:file rw_file_perms;
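Review bot: `gia` is made both a client (`hal_client_domain(gia, hal_gia)`) and a server (`hal_server_domain(gia, hal_gia)`) of the same HAL with no comment saying why one daemon needs both sides; a sentence above the pair would stop a later reader from "fixing" it. Since `hal_server_domain` gives gia the `hal_gia_server` attribute and hal_gia.te already grants `binder_use(hal_gia_server)`, the explicit `binder_use(gia)` looks redundant, though I have not checked the macro bodies. The `sysfs_touch_gti` rules are commented only as "accessing"; say which nodes are written, since `rw_file_perms` is granted. The comment in input/gia/sepolicy/service_contexts also misspells "corresponding".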
diff --git a/input/gia/sepolicy/hal_gia.te b/input/gia/sepolicy/hal_gia.te
new file mode 100644
index 0000000..b75c9fb
--- /dev/null
+++ b/input/gia/sepolicy/hal_gia.te
@@ -0,0 +1,8 @@
+# allow binder connection from client to server
+binder_call(hal_gia_client, hal_gia_server)
+
+# allow client to find the service & allow server to register the service
+hal_attribute_service(hal_gia, hal_gia_service)
+
+# allow binder communication from server to service_manager
+binder_use(hal_gia_server)
diff --git a/input/gia/sepolicy/service.te b/input/gia/sepolicy/service.te
new file mode 100644
index 0000000..aed1135
--- /dev/null
+++ b/input/gia/sepolicy/service.te
@@ -0,0 +1,2 @@
+# Declares GIA related services
+type hal_gia_service, hal_service_type, protected_service, service_manager_type;
diff --git a/input/gia/sepolicy/service_contexts b/input/gia/sepolicy/service_contexts
new file mode 100644
index 0000000..b1773ec
--- /dev/null
+++ b/input/gia/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+# Attaches GIA services to the cooresponding SEPolicy group
+com.google.input.gia.core.IGiaService/default u:object_r:hal_gia_service:s0
diff --git a/mailbox/Android.bp b/mailbox/Android.bp
new file mode 100644
index 0000000..6969685
--- /dev/null
+++ b/mailbox/Android.bp
@@ -0,0 +1,21 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_binary {
+ name: "dump_mailbox",
+ srcs: ["dump/dump_mailbox.cpp"],
+ init_rc: ["init.mailbox.rc"],
+ cflags: [
+ "-Wall",
+ "-Wextra",
+ "-Werror",
+ ],
+ shared_libs: [
+ "libbase",
+ "libdump",
+ "liblog",
+ ],
+ vendor: true,
+ relative_install_path: "dump",
+}
diff --git a/mailbox/dump/dump_mailbox.cpp b/mailbox/dump/dump_mailbox.cpp
new file mode 100644
index 0000000..8f63b30
--- /dev/null
+++ b/mailbox/dump/dump_mailbox.cpp
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <dump/pixel_dump.h>
+#include <android-base/file.h>
+
+int main() {
+ std::string outputDir = concatenatePath(BUGREPORT_PACKING_DIR, "mailbox");
+ if (mkdir(outputDir.c_str(), 0777) == -1) {
+ printf("Unable to create folder: %s\n", outputDir.c_str());
+ return 0;
+ }
+
+ copyFile("/sys/kernel/tracing/instances/goog_cpm_mailbox/trace",
+ concatenatePath(outputDir.c_str(), "goog_cpm_mailbox_trace").c_str());
+ copyFile("/sys/kernel/tracing/instances/goog_nq_mailbox/trace",
+ concatenatePath(outputDir.c_str(), "goog_nq_mailbox_trace").c_str());
+
+ return 0;
+}
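Review bot: `mkdir(outputDir.c_str(), 0777)` requests a world-writable directory for bug-report output; the process umask will usually narrow it, but the requested mode should not be broader than needed — `mkdir(outputDir.c_str(), 0755)` (or 0700 if only the packer reads it). The file also calls `mkdir` and `printf` without including `<sys/stat.h>` or `<cstdio>`, so it relies on dump/pixel_dump.h pulling them in; include them directly. A failed `mkdir` prints to stdout and still returns 0, so the failure is invisible to the caller's exit status; if the other dump helpers in this tree behave the same that is acceptable, otherwise return non-zero.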
diff --git a/mailbox/dump/sepolicy/dump_mailbox.te b/mailbox/dump/sepolicy/dump_mailbox.te
new file mode 100644
index 0000000..64f184c
--- /dev/null
+++ b/mailbox/dump/sepolicy/dump_mailbox.te
@@ -0,0 +1,7 @@
+#
+pixel_bugreport(dump_mailbox)
+allow dump_mailbox radio_vendor_data_file:dir create_dir_perms;
+allow dump_mailbox radio_vendor_data_file:file create_file_perms;
+allow dump_mailbox debugfs_tracing_instances:file r_file_perms;
+allow dump_mailbox debugfs_tracing_instances:dir search;
+allow dump_mailbox debugfs_tracing_instances_mailbox:file r_file_perms;
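Review bot: The header comment on the first line is an empty `#`, so the file says nothing about why a trace-dump helper needs `create_dir_perms`/`create_file_perms` on `radio_vendor_data_file`; presumably `BUGREPORT_PACKING_DIR` used by dump_mailbox.cpp resolves to a path with that label, and that should be stated, e.g. `# dump_mailbox copies the mailbox trace buffers into BUGREPORT_PACKING_DIR (radio_vendor_data_file)`. dump_mailbox.cpp reads only the two trace files this commit labels `debugfs_tracing_instances_mailbox`, so the broader `debugfs_tracing_instances:file r_file_perms` on the fifth line looks unneeded next to the `dir search` rule; drop it unless another file under that label is read.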
diff --git a/mailbox/dump/sepolicy/file.te b/mailbox/dump/sepolicy/file.te
new file mode 100644
index 0000000..5bb7bc4
--- /dev/null
+++ b/mailbox/dump/sepolicy/file.te
@@ -0,0 +1,2 @@
+#
+type debugfs_tracing_instances_mailbox, sysfs_type, fs_type;
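Review bot: `debugfs_tracing_instances_mailbox` is declared with `sysfs_type` although the nodes it labels live on tracefs (see mailbox/dump/sepolicy/genfs_contexts); as far as I recall the AOSP parent type `debugfs_tracing_instances` carries `debugfs_type` instead, and giving a tracefs node `sysfs_type` makes every rule written against the `sysfs_type` attribute cover these trace buffers. Confirm the intended attribute, and replace the empty `#` header with a comment such as `# Label for the goog_cpm/goog_nq mailbox trace buffers read by dump_mailbox`.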
diff --git a/mailbox/dump/sepolicy/file_contexts b/mailbox/dump/sepolicy/file_contexts
new file mode 100644
index 0000000..b9bea15
--- /dev/null
+++ b/mailbox/dump/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/dump/dump_mailbox u:object_r:dump_mailbox_exec:s0
diff --git a/mailbox/dump/sepolicy/genfs_contexts b/mailbox/dump/sepolicy/genfs_contexts
new file mode 100644
index 0000000..0bac5e8
--- /dev/null
+++ b/mailbox/dump/sepolicy/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon tracefs /instances/goog_cpm_mailbox/trace u:object_r:debugfs_tracing_instances_mailbox:s0
+genfscon tracefs /instances/goog_nq_mailbox/trace u:object_r:debugfs_tracing_instances_mailbox:s0
diff --git a/mailbox/init.mailbox.rc b/mailbox/init.mailbox.rc
new file mode 100644
index 0000000..7659290
--- /dev/null
+++ b/mailbox/init.mailbox.rc
@@ -0,0 +1,8 @@
+on property:sys.boot_completed=1
+ chown system system /sys/kernel/tracing/instances/goog_cpm_mailbox
+ chown system system /sys/kernel/tracing/instances/goog_cpm_mailbox/trace
+ write /sys/kernel/tracing/instances/goog_cpm_mailbox/buffer_size_kb 512
+
+ chown system system /sys/kernel/tracing/instances/goog_nq_mailbox
+ chown system system /sys/kernel/tracing/instances/goog_nq_mailbox/trace
+ write /sys/kernel/tracing/instances/goog_nq_mailbox/buffer_size_kb 512
diff --git a/mailbox/mailbox.mk b/mailbox/mailbox.mk
new file mode 100644
index 0000000..aeefb9a
--- /dev/null
+++ b/mailbox/mailbox.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mailbox/dump/sepolicy
+
+PRODUCT_PACKAGES += dump_mailbox
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
index 99a3c8d..cf9dfc5 100644
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -13,6 +13,7 @@
allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec_google video_device:chr_file { read write open ioctl map };
+allow mediacodec_google gpu_device:chr_file rw_file_perms;
# mediacodec_google should never execute any executable without a domain transition
neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
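Review bot: The added `allow mediacodec_google gpu_device:chr_file rw_file_perms;` has no comment explaining why the codec process needs the GPU device, while the `video_device` rule just above it enumerates its permissions explicitly (`{ read write open ioctl map }`). Match that style and scope: list only the permissions actually used and put a why-comment above the rule, e.g. `# <reason the codec opens the GPU device> — TODO fill in`.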
diff --git a/storage/init.storage.rc b/storage/init.storage.rc
index 77057cd..943c483 100644
--- a/storage/init.storage.rc
+++ b/storage/init.storage.rc
@@ -1,3 +1,11 @@
+on init
+ # Make foreground and background I/O priority different. none-to-rt was
+ # introduced in kernel 5.14. promote-to-rt was introduced in kernel 6.5.
+ # Write none-to-rt first and promote-to-rt next to support both older and
+ # newer kernel versions.
+ write /dev/blkio/blkio.prio.class none-to-rt
+ write /dev/blkio/blkio.prio.class promote-to-rt
+
on property:ro.build.type=userdebug
write /dev/sys/block/bootdevice/pixel/enable_pixel_ufs_logging 1
chown system /dev/sg3
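Review bot: The `on init` block reuses the old four-line comment verbatim, which explains the none-to-rt / promote-to-rt ordering but not why the writes moved from `sys.boot_completed=1` to `on init`; one sentence stating the reason (and that /dev/blkio is expected to be mounted by then) would keep the rationale with the change. In the second hunk of this file the new writes `wb_on 0`, `enable_wb_buf_flush 0` and `manual_gc 0` arrive with no comment at all; add a short note above each naming the intent, since a reader cannot tell whether they are power, wear or correctness decisions.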
@@ -34,17 +42,13 @@
# UFS
write /dev/sys/block/bootdevice/clkgate_enable 0
+ write /dev/sys/block/bootdevice/wb_on 0
+ write /dev/sys/block/bootdevice/enable_wb_buf_flush 0
on property:sys.boot_completed=1
- # Make foreground and background I/O priority different. none-to-rt was
- # introduced in kernel 5.14. promote-to-rt was introduced in kernel 6.5.
- # Write none-to-rt first and promote-to-rt next to support both older and
- # newer kernel versions.
- write /dev/blkio/blkio.prio.class none-to-rt
- write /dev/blkio/blkio.prio.class promote-to-rt
-
# Health Storage HAL
chown system system /dev/sys/block/bootdevice/manual_gc
+ write /dev/sys/block/bootdevice/manual_gc 0
# Pixelstats
chown system system /dev/sys/block/bootdevice/slowio_read_cnt