Merge 24Q3 to AOSP main
Bug: 357762254
Merged-In: I91df897d8ae7d8e4b1b49a7eb20f6bb5fe99755c
Change-Id: Ifc0e5917fd9599c10bce7c5b99031b845bc2f95b
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index 12768b9..3e8c902 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@@ -20,9 +20,6 @@
# PowerStats HAL
BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-# sscoredump
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump
-
# Public
PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te
new file mode 100644
index 0000000..8bf71cc
--- /dev/null
+++ b/system_ext/private/pixelntnservice_app.te
@@ -0,0 +1,5 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)
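Review bot: The new domain gets `set_prop` on `telephony_modem_prop` with no comment saying why a platform-signed, system-UID app needs to write it. Within this commit `cbd` and `vendor_init` only receive `get_prop` on that type, so this appears to be the single writer of `telephony.TnNtn.image_switch`. If that is the intent, record it above the rule, for example `# Only PixelNtnService may select the tn/ntn modem image; cbd and vendor_init read it.` Separately, `app_domain(pixelntnservice_app);` carries a trailing semicolon that the `set_prop(...)` macro call below it does not; dropping it keeps the file consistent.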
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index a8e9042..1bc593c 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -5,4 +5,5 @@
persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string
# Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn
telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 6ac7149..2f3c678 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -6,3 +6,6 @@
# HbmSVManager
user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
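Review bot: This entry pairs `user=system` with `type=app_data_file levelFrom=all`, which is worth confirming. The `user=system` entry removed from whitechapel/vendor/google/seapp_contexts in this same commit used `type=system_app_data_file levelFrom=user`. The new `pixelntnservice_app.te` adds no explicit data-file rules, so whichever label is chosen here decides what the domain can reach under its data directory. If the choice is deliberate, a short comment on the `# PixelNtnService` line saying so would help the next reader.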
diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te
new file mode 100644
index 0000000..10661b6
--- /dev/null
+++ b/system_ext/public/pixelntnservice_app.te
@@ -0,0 +1 @@
+type pixelntnservice_app, domain;
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 1abcc84..bf64eaa 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -6,7 +6,8 @@
# Telephony
system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
userdebug_or_eng(`
set_prop(shell, telephony_ril_prop)
-')
\ No newline at end of file
+')
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 6b94d7d..737d604 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,11 +1,14 @@
+
chre vendor_data_file dir b/301948771
-dumpstate virtual_camera binder b/312894628
-dumpstate virtual_camera process b/312894628
+dump_display sysfs file b/340722772
hal_power_default hal_power_default capability b/240632824
+hal_sensors_default sysfs file b/340723303
hal_vibrator_default default_android_service service_manager b/317316478
incidentd debugfs_wakeup_sources file b/282626428
incidentd incidentd anon_inode b/282626428
kernel dm_device blk_file b/315907959
+kernel kernel capability b/340722537
+kernel kernel capability b/340723030
kernel tmpfs chr_file b/315907959
rfsd vendor_cbd_prop file b/317734418
shell sysfs_net file b/329380904
@@ -14,6 +17,7 @@
untrusted_app shell_test_data_file dir b/305600845
untrusted_app system_data_root_file dir b/305600845
untrusted_app userdebug_or_eng_prop file b/305600845
+vendor_init debugfs_trace_marker file b/340723222
vendor_init default_prop file b/315104713
vendor_init default_prop file b/316817111
vendor_init default_prop property_service b/315104713
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te
index cbd222f..6b41f57 100644
--- a/whitechapel/vendor/google/cbd.te
+++ b/whitechapel/vendor/google/cbd.te
@@ -5,6 +5,7 @@
set_prop(cbd, vendor_modem_prop)
set_prop(cbd, vendor_cbd_prop)
set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
# Allow cbd to setuid from root to radio
# TODO: confirming with vendor via b/182334947
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 4011476..69e0d3a 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -362,6 +362,7 @@
# Fingerprint
/dev/goodix_fp u:object_r:fingerprint_device:s0
+/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0
# Wifi Firmware config update
/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te
index f115682..d44eed6 100644
--- a/whitechapel/vendor/google/kernel.te
+++ b/whitechapel/vendor/google/kernel.te
@@ -8,7 +8,11 @@
allow kernel self:capability2 perfmon;
allow kernel self:perf_event cpu;
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
-dontaudit kernel vendor_votable_debugfs:dir { search };
-dontaudit kernel vendor_usb_debugfs:dir search;
+userdebug_or_eng(`
+ allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
+')
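Review bot: Replacing the four `dontaudit` rules with `allow` rules wrapped in `userdebug_or_eng` leaves user builds with neither. If the kernel still searches these debugfs directories there, the denials will now be audited where they were previously silenced. If the intent is only to grant access on debug builds, consider keeping the suppression outside the block, e.g. `dontaudit kernel vendor_battery_debugfs:dir search;` and likewise for the maxfg, votable and usb types. The block also adds `vendor_regmap_debugfs` and `vendor_charger_debugfs`, which had no rule before, so a one-line comment naming the kernel code path that needs them would make the grant reviewable.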
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
index 63dec36..0eb7498 100644
--- a/whitechapel/vendor/google/modem_svc_sit.te
+++ b/whitechapel/vendor/google/modem_svc_sit.te
@@ -17,7 +17,7 @@
allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
allow modem_svc_sit modem_stat_data_file:file create_file_perms;
-allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
allow modem_svc_sit modem_userdata_file:file create_file_perms;
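Review bot: The rule on `mnt_vendor_file:dir` is widened from `search` to `r_dir_perms` without a comment, so `modem_svc_sit` can now list the directory rather than only traverse it. Nothing in the hunk shows which lookup needs to enumerate it. Add a line above the rule stating the reason, for example `# modem_svc_sit enumerates <dir> under /mnt/vendor to locate <file>` with the real names filled in. If traversal is enough, keep `search`.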
@@ -33,3 +33,12 @@
# Modem property
set_prop(modem_svc_sit, vendor_modem_prop)
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
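Review bot: The file now ends without a trailing newline after `allow modem_svc_sit modem_img_file:lnk_file r_file_perms;`. This commit repairs the same problem in system_ext/public/property.te, so add the newline here too. Because policy sources are concatenated during the build, a missing final newline can cause the next file's first line to be appended to this rule.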
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
index 7496a7c..33e9511 100644
--- a/whitechapel/vendor/google/pixelstats_vendor.te
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -25,6 +25,7 @@
# Batery history
allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
#vendor-metrics
r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te
deleted file mode 100644
index 308e9fb..0000000
--- a/whitechapel/vendor/google/ramdump_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ramdump_app, domain;
-
-userdebug_or_eng(`
- app_domain(ramdump_app)
-
- allow ramdump_app app_api_service:service_manager find;
-
- allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
- allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
-
- set_prop(ramdump_app, vendor_ramdump_prop)
- get_prop(ramdump_app, system_boot_reason_prop)
-
- # To access ramdumpfs.
- allow ramdump_app mnt_vendor_file:dir search;
- allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
- allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
-
- # To access subsystem ramdump files and dirs.
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-')
diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te
index 2f7102f..f51ba86 100644
--- a/whitechapel/vendor/google/rfsd.te
+++ b/whitechapel/vendor/google/rfsd.te
@@ -32,6 +32,7 @@
# Allow to set rild and modem property
set_prop(rfsd, vendor_modem_prop)
set_prop(rfsd, vendor_rild_prop)
+set_prop(cbd, vendor_cbd_prop)
# Allow rfsd to access modem image file/dir
allow rfsd modem_img_file:dir r_dir_perms;
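Review bot: The added line `set_prop(cbd, vendor_cbd_prop)` names `cbd` as the source domain although it sits in rfsd.te under the comment about rfsd's property access. cbd.te already contains the identical rule, so this grants nothing new. tracking_denials/bug_map still lists `rfsd vendor_cbd_prop file`, which suggests the rule was meant for rfsd. If rfsd only needs to read the property, `get_prop(rfsd, vendor_cbd_prop)` is the narrower fix; use `set_prop(rfsd, vendor_cbd_prop)` only if it really writes it. The comment above should then mention the cbd property as well.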
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index f2c53eb..804c36c 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -17,10 +17,6 @@
user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all
user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all
-# coredump/ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-
# grilservice
user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 074dedf..2536252 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -3,3 +3,4 @@
android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
rlsservice u:object_r:rls_service:s0
+android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
deleted file mode 100644
index f27fcc5..0000000
--- a/whitechapel/vendor/google/ssr_detector.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ssr_detector_app, domain;
-
-app_domain(ssr_detector_app)
-allow ssr_detector_app app_api_service:service_manager find;
-allow ssr_detector_app radio_service:service_manager find;
-
-allow ssr_detector_app system_app_data_file:dir create_dir_perms;
-allow ssr_detector_app system_app_data_file:file create_file_perms;
-
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-userdebug_or_eng(`
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
- allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
- allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
- allow ssr_detector_app proc_vendor_sched:dir search;
- allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
- allow ssr_detector_app cgroup:file write;
-')
-
-get_prop(ssr_detector_app, vendor_ssrdump_prop)
-get_prop(ssr_detector_app, vendor_wifi_version)
-get_prop(ssr_detector_app, vendor_aoc_prop)
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index 5ff78d4..3771394 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -14,6 +14,8 @@
set_prop(vendor_init, vendor_tcpdump_log_prop)
set_prop(vendor_init, vendor_logger_prop)
set_prop(vendor_init, esim_modem_prop)
+get_prop(vendor_init, telephony_modem_prop)
+
allow vendor_init proc_dirty:file w_file_perms;
allow vendor_init proc_sched:file write;