Merge TQ2A.230405.003
Bug: 271343657
Merged-In: I8c265919f7ae4b18aa304b0a584536d2a0f4b27a
Change-Id: I61dd94e23d10e5405135626487ddadddb1f89f9f
diff --git a/confirmationui/file_contexts b/confirmationui/file_contexts
index 49db417..377857d 100644
--- a/confirmationui/file_contexts
+++ b/confirmationui/file_contexts
@@ -1,4 +1,4 @@
/vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0
-/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
+/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
/dev/tui-driver u:object_r:tui_device:s0
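Review bot: The removed `@1.0-service.trusty.vendor` path gets no replacement label, so a target that still ships the HIDL confirmationui binary would most likely fall back to the generic `/vendor` label and init would refuse to start it in `hal_confirmationui_default`; the gatekeeper hunk in whitechapel/vendor/google/file_contexts handles the same HIDL-to-AIDL move by keeping both entries side by side. If the HIDL binary is gone from every build this is fine; otherwise keep the old line next to the new `android\.hardware\.confirmationui-service\.trusty\.vendor` entry until the HIDL service is actually retired.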
diff --git a/edgetpu/service.te b/edgetpu/service.te
index 46bee03..09fa9cb 100644
--- a/edgetpu/service.te
+++ b/edgetpu/service.te
@@ -1,5 +1,5 @@
# EdgeTPU binder service type declaration.
type edgetpu_app_service, service_manager_type;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
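Review bot: On the last added line `edgetpu_nnapi_service` loses `vendor_service` but, unlike `edgetpu_vendor_service` above it and both types in the whitechapel/vendor/google/service.te hunk, does not gain `hal_service_type`, leaving it with only `app_api_service, service_manager_type`. If that asymmetry is deliberate (an app-facing service that is not meant to be treated as a HAL), a one-line comment such as `# app-facing NNAPI service; intentionally not hal_service_type` would stop the next reader from "fixing" it; if it is an oversight the line should probably read `type edgetpu_nnapi_service, app_api_service, service_manager_type, hal_service_type;`.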
diff --git a/private/dex2oat.te b/private/dex2oat.te
deleted file mode 100644
index 50d7852..0000000
--- a/private/dex2oat.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# b/187016929
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat proc_filesystems:file read ;
-dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat proc_filesystems:file read ;
-dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
-dontaudit dex2oat vendor_overlay_file:file read ;
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index ed3728d..0000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193474772
-dontaudit fsverity_init domain:key view;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
deleted file mode 100644
index 2b51e8b..0000000
--- a/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/194142604
-dontaudit postinstall_dexopt odsign_prop:file read;
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..057655b
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,8 @@
+dumpstate app_zygote process b/238263438
+dumpstate hal_input_processor_default process b/238143262
+dumpstate system_data_file dir b/264483156
+dumpstate system_data_file dir b/264483673
+hal_drm_default default_prop file b/232714489
+hal_power_default hal_power_default capability b/240632824
+incidentd debugfs_wakeup_sources file b/238263568
+su modem_img_file filesystem b/238825802
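Review bot: The third and fourth added lines map the identical `dumpstate system_data_file dir` triple to two different bugs (b/264483156 and b/264483673); bug_map appears to be keyed on scontext/tcontext/tclass, so only one of the two references can ever be attached to a denial and the other is dead. Either merge them into one entry or state which bug supersedes the other. Two other entries deserve a second look: `hal_power_default hal_power_default capability b/240632824` tracks a capability denial in a HAL domain, which is normally a real privilege question rather than log noise, and `su modem_img_file filesystem b/238825802` tracks a domain that is permissive on userdebug builds, so the entry adds little.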
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index fc4afa4..ffb8518 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,2 @@
# b/185723618
dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/190337283
-dontaudit dumpstate debugfs_wakeup_sources:file read;
-# b/226717475
-dontaudit dumpstate app_zygote:process { signal };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index 2187eab..0000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/187015816
-dontaudit incidentd apex_info_file:file getattr;
-# b/190337296
-dontaudit incidentd debugfs_wakeup_sources:file read;
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
deleted file mode 100644
index 8b2358b..0000000
--- a/tracking_denials/init-insmod-sh.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/193474772
-dontaudit init-insmod-sh self:key write;
-# b/193726003
-dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search;
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 7901bdc..45ce8ed 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,4 +1,2 @@
-#b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
#b/247905787
dontaudit kernel vendor_votable_debugfs:dir { search };
diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te
deleted file mode 100644
index 98e7b85..0000000
--- a/tracking_denials/update_engine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187016910
-dontaudit update_engine mnt_vendor_file:dir search ;
diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te
deleted file mode 100644
index 91933c0..0000000
--- a/tracking_denials/uwb_vendor_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193009345
-dontaudit uwb_vendor_app radio_service:service_manager find;
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
index 491d640..595aeef 100644
--- a/usf/sensor_hal.te
+++ b/usf/sensor_hal.te
@@ -55,6 +55,9 @@
# Allow sensor HAL to read AoC dumpstate.
allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+# Allow access for AoC properties.
+get_prop(hal_sensors_default, vendor_aoc_prop)
+
# Allow access for dynamic sensor properties.
get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te
index 26c1675..ab321d0 100644
--- a/whitechapel/vendor/google/chre.te
+++ b/whitechapel/vendor/google/chre.te
@@ -18,6 +18,7 @@
# Allow CHRE to talk to the WiFi HAL
allow chre hal_wifi_ext:binder { call transfer };
allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
# Allow CHRE host to talk to stats service
allow chre fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index a75eff9..7315a91 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -332,6 +332,7 @@
/vendor/bin/storageproxyd u:object_r:tee_exec:s0
/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
@@ -432,7 +433,7 @@
# Statsd service to support EdgeTPU metrics logging service.
/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
# Raw HID device
/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
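Review bot: The new pattern `libprotobuf-cpp-lite-(\d+\.){2,3}so` widens a `same_process_hal_file` label from one pinned version to any two- or three-component version; since that label is what allows a library to be loaded into other processes' address spaces, the broadening is worth a comment, e.g. `# protobuf-lite version tracks the toolchain; label any 3.x(.y) build`. The quantifier also accepts a two-component name such as `libprotobuf-cpp-lite-3.9.so`; if only the three-component form ever ships, `(\d+\.){3}so` is the tighter match.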
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 8bb12c6..4036cea 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -196,11 +196,11 @@
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
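Review bot: The four added `usb2`/`usb3` lines move the `sysfs_wakeup` label from a single `wakeup` node up to the whole hub directory; genfscon matches by path prefix, so every attribute beneath those hubs now carries `sysfs_wakeup` instead of whatever it was labelled before, and any domain with write access to `sysfs_wakeup` gets it over the entire subtree. The second hunk in this file does the same for `/module/gs101_thermal/parameters`, replacing six named `tmu_*` files with the directory, so any future module parameter becomes writable by whatever can write `sysfs_thermal`. If the intent is that the node is created dynamically under the hub, say so above the lines, e.g. `# wakeup node is created under the usbN hub at runtime; label the hub so it inherits sysfs_wakeup`; otherwise re-narrow to the specific node.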
@@ -518,12 +518,7 @@
genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
# thermal sysfs files
-genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters u:object_r:sysfs_thermal:s0
# USB-C throttling stats
genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te
index 50ff22a..c0ba576 100644
--- a/whitechapel/vendor/google/grilservice_app.te
+++ b/whitechapel/vendor/google/grilservice_app.te
@@ -5,6 +5,7 @@
allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
binder_call(grilservice_app, hal_bluetooth_btlinux)
binder_call(grilservice_app, hal_radioext_default)
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te
index 0e60196..d345e19 100644
--- a/whitechapel/vendor/google/init-insmod-sh.te
+++ b/whitechapel/vendor/google/init-insmod-sh.te
@@ -17,3 +17,4 @@
')
dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
+dontaudit init-insmod-sh self:key write;
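Review bot: The added `dontaudit init-insmod-sh self:key write;` carries no explanation, whereas the line it replaces in the deleted tracking_denials/init-insmod-sh.te was tied to b/193474772; moving a denial from the tracking directory into permanent policy is exactly where a why-comment is needed, e.g. `# b/193474772: key write is not needed for module loading; silence rather than grant` (adjusted to the real reason). The same tracking file also dropped `dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search;` (b/193726003) with no counterpart in the new bug_map, so if that denial still fires it will now be logged without attribution.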
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
index eb25547..c6e7d9a 100644
--- a/whitechapel/vendor/google/pixelstats_vendor.te
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -18,7 +18,10 @@
allow pixelstats_vendor sysfs_pca:file rw_file_perms;
# OrientationCollector
+# HIDL sensorservice
allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow pixelstats_vendor fwk_sensor_service:service_manager find;
# Batery history
allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index f866e37..ed5f5d7 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -10,6 +10,7 @@
user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
# Samsung S.LSI IMS
+user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all
user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all
user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
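Review bot: The added `name=.ShannonImsService` is the only entry in this file whose name begins with a dot; seapp_contexts compares `name=` against the process name as a literal string (only a trailing `*` acts as a wildcard), so it matches only if the process is really reported as `.ShannonImsService` rather than the package-qualified or `package:suffix` form used by the two `com.shannon.imsservice` entries below it. If the dotted literal is correct, a short comment such as `# process name is literally ".ShannonImsService"` would keep it from being "corrected"; if not, the line should use the full process name.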
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 8d5dc1e..b87c99e 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,2 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
-type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
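Review bot: Swapping `vendor_service` for `hal_service_type` on both lines changes which neverallows and servicemanager checks apply to `hal_pixel_display_service` and `hal_uwb_vendor_service`, but the hunk gives no reason, and the companion edgetpu/service.te hunk applies the same swap to only one of its two types. A comment such as `# hal_service_type: AIDL services registered by vendor HALs declared in the device manifest` would record the intent; if upstream policy ties `hal_service_type` to VINTF-declared services, confirm both interfaces are listed in the manifest, since an undeclared one would be refused at registration.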
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
index 934028e..f27fcc5 100644
--- a/whitechapel/vendor/google/ssr_detector.te
+++ b/whitechapel/vendor/google/ssr_detector.te
@@ -4,7 +4,8 @@
allow ssr_detector_app app_api_service:service_manager find;
allow ssr_detector_app radio_service:service_manager find;
-allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
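Review bot: The two added lines grant `ssr_detector_app` `create_dir_perms` and `create_file_perms` on `system_app_data_file`, a label shared by the private data directories of every system app, so the write access is not confined to this app's own directory. If ssr_detector_app runs under the system UID its own data directory carries that label and the grant is probably what is needed, but the rule should say which path it writes and why, e.g. `# ssr_detector_app persists state into its own data dir, which is labelled system_app_data_file` (adjusted to the real use); if it writes into another app's directory, a dedicated type for that directory is the narrower fix.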
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
index bf29cbf..e803c0c 100644
--- a/whitechapel/vendor/google/storageproxyd.te
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -11,7 +11,6 @@
allow tee tee_data_file:dir create_dir_perms;
allow tee tee_data_file:lnk_file r_file_perms;
allow tee sg_device:chr_file rw_file_perms;
-allow tee self:capability { setgid setuid };
# Allow storageproxyd access to gsi_public_metadata_file
read_fstab(tee)
diff --git a/whitechapel/vendor/google/update_engine.te b/whitechapel/vendor/google/update_engine.te
index a403d9e..8342f12 100644
--- a/whitechapel/vendor/google/update_engine.te
+++ b/whitechapel/vendor/google/update_engine.te
@@ -1,3 +1,6 @@
allow update_engine custom_ab_block_device:blk_file rw_file_perms;
allow update_engine modem_block_device:blk_file rw_file_perms;
allow update_engine proc_bootconfig:file r_file_perms;
+
+# update_engine probe mnt_vendor_file during OTA, which is a permission not required
+dontaudit update_engine mnt_vendor_file:dir search;
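Review bot: The comment on the added `dontaudit` reads awkwardly and drops the bug reference that the deleted tracking_denials/update_engine.te carried (b/187016910); a permanent dontaudit should keep that link so the silenced denial can be revisited. Suggested wording: `# b/187016910: update_engine probes mnt_vendor_file during OTA; the access is not needed, so the denial is silenced rather than granted.`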