[automerger skipped] Sepolicy: add permission to allow create, connect udp socket am: 060b562310 -s ours
am skip reason: Merged-In Id9ba79ba87010326c53b6aec408e5cdb291122a6 with SHA-1 09e0e1b280 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/19771223
Change-Id: I0ee313ca921ff8001ba64e7c0b38dc4551687aa5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/edgetpu/service.te b/edgetpu/service.te
index 46bee03..09fa9cb 100644
--- a/edgetpu/service.te
+++ b/edgetpu/service.te
@@ -1,5 +1,5 @@
# EdgeTPU binder service type declaration.
type edgetpu_app_service, service_manager_type;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
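Review bot: The three EdgeTPU service types now carry three different attribute sets and the header comment does not say why: `edgetpu_app_service` has only `service_manager_type`, `edgetpu_vendor_service` gains `hal_service_type`, and `edgetpu_nnapi_service` loses `vendor_service` without gaining `hal_service_type`. Attribute membership decides which neverallow and `find` rules apply to a service, so a one-line comment per type would make the intended exposure reviewable. If this matches the intent, something like `# HAL service for vendor clients.` above `edgetpu_vendor_service` and `# Findable by apps via app_api_service.` above `edgetpu_nnapi_service` would do. The same `vendor_service` to `hal_service_type` swap is made in whitechapel/vendor/google/service.te, also without a comment.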
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index ed3728d..0000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193474772
-dontaudit fsverity_init domain:key view;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
deleted file mode 100644
index 2b51e8b..0000000
--- a/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/194142604
-dontaudit postinstall_dexopt odsign_prop:file read;
diff --git a/telephony/user/file.te b/telephony/user/file.te
deleted file mode 100644
index 05f3c5e..0000000
--- a/telephony/user/file.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Radio
-type radio_vendor_data_file, file_type, data_file_type;
-userdebug_or_eng(`
- typeattribute radio_vendor_data_file mlstrustedobject;
-')
diff --git a/telephony/user/file_contexts b/telephony/user/file_contexts
index 1e0c1a4..1aafb7e 100644
--- a/telephony/user/file_contexts
+++ b/telephony/user/file_contexts
@@ -1,5 +1,3 @@
# ECC List
/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
-# Radio files.
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index fc4afa4..ffb8518 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,2 @@
# b/185723618
dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/190337283
-dontaudit dumpstate debugfs_wakeup_sources:file read;
-# b/226717475
-dontaudit dumpstate app_zygote:process { signal };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index 2187eab..0000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/187015816
-dontaudit incidentd apex_info_file:file getattr;
-# b/190337296
-dontaudit incidentd debugfs_wakeup_sources:file read;
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
deleted file mode 100644
index 8b2358b..0000000
--- a/tracking_denials/init-insmod-sh.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/193474772
-dontaudit init-insmod-sh self:key write;
-# b/193726003
-dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search;
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index 21776b7..0000000
--- a/tracking_denials/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
\ No newline at end of file
diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te
deleted file mode 100644
index 98e7b85..0000000
--- a/tracking_denials/update_engine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187016910
-dontaudit update_engine mnt_vendor_file:dir search ;
diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te
deleted file mode 100644
index 91933c0..0000000
--- a/tracking_denials/uwb_vendor_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193009345
-dontaudit uwb_vendor_app radio_service:service_manager find;
diff --git a/usf/file.te b/usf/file.te
index e264c27..8f49e32 100644
--- a/usf/file.te
+++ b/usf/file.te
@@ -10,3 +10,7 @@
# end with "data_file".
type sensor_reg_data_file, file_type, data_file_type;
+# Declare the sensor debug data file type. By convention, data file types
+# end with "data_file".
+type sensor_debug_data_file, file_type, data_file_type;
+
diff --git a/usf/file_contexts b/usf/file_contexts
index ff3d41d..3c7833b 100644
--- a/usf/file_contexts
+++ b/usf/file_contexts
@@ -8,3 +8,5 @@
# Sensor registry data files.
/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+# Sensor debug data files.
+/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
index bda44c9..595aeef 100644
--- a/usf/sensor_hal.te
+++ b/usf/sensor_hal.te
@@ -12,6 +12,12 @@
allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+userdebug_or_eng(`
+ # Allow creation and writing of sensor debug data files.
+ allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms;
+ allow hal_sensors_default sensor_debug_data_file:file create_file_perms;
+')
+
# Allow access to the AoC communication driver.
allow hal_sensors_default aoc_device:chr_file rw_file_perms;
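Review bot: The new block grants `rw_dir_perms` on `sensor_debug_data_file:dir`, which lets the sensor HAL add and remove entries but not create the directory, and nothing in this commit creates `/data/vendor/sensors/debug`. If an init script outside this diff creates it, the comment should say so, for example `# Directory is created by init; the HAL only creates files inside it.`; if nothing creates it, the HAL's writes would fail. Keeping the rules inside `userdebug_or_eng` is the right scope for debug data. The matching read rules added to hal_dumpstate_default.te have no comment, and one noting that these files are presumably collected into bug reports would help.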
@@ -49,6 +55,9 @@
# Allow sensor HAL to read AoC dumpstate.
allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+# Allow access for AoC properties.
+get_prop(hal_sensors_default, vendor_aoc_prop)
+
# Allow access for dynamic sensor properties.
get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 0c7a56d..847499d 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -212,3 +212,9 @@
# BootControl
type sysfs_bootctl, sysfs_type, fs_type;
+
+# Radio
+type radio_vendor_data_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute radio_vendor_data_file mlstrustedobject;
+')
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 80344ef..da2222b 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -319,6 +319,8 @@
/dev/acd-debug u:object_r:aoc_device:s0
/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0
/dev/amcs u:object_r:amcs_device:s0
# AudioMetric
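Review bot: Labelling the two new `/dev/acd-audio_ap_offload_*` nodes as `aoc_device` gives them to every domain that already has `aoc_device:chr_file` access, not only the audio stack. usf/sensor_hal.te in this same commit shows `allow hal_sensors_default aoc_device:chr_file rw_file_perms;`, so the sensor HAL gains read/write on both offload endpoints. This follows the existing pattern for the other `acd-audio_*` nodes, but each added node widens what that shared label exposes. A dedicated type for the audio nodes (placeholder name `<aoc_audio_device>`), allowed only to the domains that use them, would keep the new endpoints least-privilege.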
@@ -434,3 +436,5 @@
# Raw HID device
/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
+# Radio files.
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 50853f0..5fa8755 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -14,7 +14,8 @@
genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
# WiFi
genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
@@ -195,11 +196,11 @@
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
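Review bot: Dropping the trailing `/wakeup` turns four exact-node labels into subtree labels. genfscon matches by path prefix, so every attribute of the `usb2`/`usb3` root hubs and of any device attached below them becomes `sysfs_wakeup`, not only the wakeup sources, and any domain allowed to read or write `sysfs_wakeup` inherits access to them. The thermal hunk further down has the same shape: six named `tmu_*` parameters are replaced by the whole `/module/gs101_thermal/parameters` directory labelled `sysfs_thermal`. If the aim is to catch wakeup nodes that appear at varying depths, a comment such as `# wakeup nodes of attached devices appear at dynamic paths below the root hub` should record that. It is also worth confirming that no writable attribute in either subtree is newly reachable by a domain that could not touch it before.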
@@ -486,6 +487,7 @@
genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0
# SJTAG
genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
@@ -496,12 +498,7 @@
genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
# thermal sysfs files
-genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters u:object_r:sysfs_thermal:s0
# USB-C throttling stats
genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index 01c69b4..28137c7 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -35,6 +35,10 @@
allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+userdebug_or_eng(`
+ allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms;
+ allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms;
+')
allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te
index 0e60196..d345e19 100644
--- a/whitechapel/vendor/google/init-insmod-sh.te
+++ b/whitechapel/vendor/google/init-insmod-sh.te
@@ -17,3 +17,4 @@
')
dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
+dontaudit init-insmod-sh self:key write;
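Review bot: The `dontaudit init-insmod-sh self:key write;` rule lands in permanent policy with no comment: the `# b/193474772` reference it carried in tracking_denials/init-insmod-sh.te is dropped and nothing replaces it. A permanent dontaudit removes the denial from audit logs, so the file should say why it was judged harmless. A comment such as `# b/193474772: key write is not required by init-insmod-sh; suppress the denial.` would do, with the wording confirmed against the bug. The update_engine.te hunk in this commit explains its moved rule in a comment, which is the pattern to follow here. The rest of the file lies above this hunk.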
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
index be15d0e..1419660 100644
--- a/whitechapel/vendor/google/logger_app.te
+++ b/whitechapel/vendor/google/logger_app.te
@@ -5,6 +5,10 @@
allow logger_app vendor_gps_file:file create_file_perms;
allow logger_app vendor_gps_file:dir create_dir_perms;
allow logger_app sysfs_sscoredump_level:file r_file_perms;
+ allow logger_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+ binder_call(logger_app, rild)
+
r_dir_file(logger_app, ramdump_vendor_data_file)
r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 5eba1f8..29e35d9 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -61,6 +61,8 @@
vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0
+vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0
# for display
diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te
index 5fc2159..78b14e5 100644
--- a/whitechapel/vendor/google/rild.te
+++ b/whitechapel/vendor/google/rild.te
@@ -26,6 +26,7 @@
binder_call(rild, vendor_ims_app)
binder_call(rild, vendor_rcs_app)
binder_call(rild, oemrilservice_app)
+binder_call(rild, logger_app)
# for hal service
add_hwservice(rild, hal_exynos_rild_hwservice)
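Review bot: `binder_call(rild, logger_app)` is added unconditionally, while the rules added to logger_app.te for the other direction (`binder_call(logger_app, rild)` and the `hal_exynos_rild_hwservice` find) are indented as if they sit inside a build-variant block whose opening line is outside that hunk. If that block is `userdebug_or_eng`, user builds would allow rild to initiate binder calls into logger_app with no matching caller-side rules. Wrapping the new line in the same `userdebug_or_eng` macro would keep the two directions in step. A short comment on why rild needs to call into the logger app, for example `# rild delivers log callbacks to logger_app` if that is the purpose, would also help.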
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 8d5dc1e..b87c99e 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,2 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
-type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
index ada6444..9b0289c 100644
--- a/whitechapel/vendor/google/storageproxyd.te
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -11,7 +11,6 @@
allow tee tee_data_file:dir create_dir_perms;
allow tee tee_data_file:lnk_file r_file_perms;
allow tee sg_device:chr_file rw_file_perms;
-allow tee self:capability { setgid setuid };
# Allow storageproxyd access to gsi_public_metadata_file
read_fstab(tee)
diff --git a/whitechapel/vendor/google/update_engine.te b/whitechapel/vendor/google/update_engine.te
index a403d9e..8342f12 100644
--- a/whitechapel/vendor/google/update_engine.te
+++ b/whitechapel/vendor/google/update_engine.te
@@ -1,3 +1,6 @@
allow update_engine custom_ab_block_device:blk_file rw_file_perms;
allow update_engine modem_block_device:blk_file rw_file_perms;
allow update_engine proc_bootconfig:file r_file_perms;
+
+# update_engine probe mnt_vendor_file during OTA, which is a permission not required
+dontaudit update_engine mnt_vendor_file:dir search;