[automerger skipped] Merge changes from topic "gs101_network_access" into tm-qpr-dev am: c3c4aa626b -s ours am: 4cb7381067 -s ours
am skip reason: Merged-In Id9ba79ba87010326c53b6aec408e5cdb291122a6 with SHA-1 09e0e1b280 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/19771223
Change-Id: Ie3457178a2ae2977b529a69b89cb65bb2e45f0ba
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index a256332..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Bt Wifi Coexistence device
-type wb_coexistence_dev, dev_type;
-
diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts
deleted file mode 100644
index d4681db..0000000
--- a/bluetooth/file_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-# Bluetooth
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
-
-/dev/wbrc u:object_r:wb_coexistence_dev:s0
-/dev/ttySAC16 u:object_r:hci_attach_dev:s0
-
diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts
deleted file mode 100644
index 607e146..0000000
--- a/bluetooth/genfs_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0
-
diff --git a/bluetooth/hal_bluetooth_btlinux.te b/bluetooth/hal_bluetooth_btlinux.te
deleted file mode 100644
index f348099..0000000
--- a/bluetooth/hal_bluetooth_btlinux.te
+++ /dev/null
@@ -1,22 +0,0 @@
-add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice);
-get_prop(hal_bluetooth_btlinux, boot_status_prop)
-
-allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
-allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
-binder_call(hal_bluetooth_btlinux, servicemanager)
-
-# power stats
-vndbinder_use(hal_bluetooth_btlinux)
-allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find;
-binder_call(hal_bluetooth_btlinux, hal_power_stats_default)
-
-allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
-allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
-
-userdebug_or_eng(`
- allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
- allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
- allow hal_bluetooth_btlinux logbuffer_device:chr_file r_file_perms;
-')
diff --git a/bluetooth/hwservice.te b/bluetooth/hwservice.te
deleted file mode 100644
index 5e36cd0..0000000
--- a/bluetooth/hwservice.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Bluetooth HAL extension
-type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
-
diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts
deleted file mode 100644
index 8480b4e..0000000
--- a/bluetooth/hwservice_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-# Bluetooth HAL extension
-hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
-hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
-hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
-hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0
-hardware.google.bluetooth.ext::IBluetoothExt u:object_r:hal_bluetooth_coexistence_hwservice:s0
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index d33fcd4..b9bb717 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@@ -20,9 +20,6 @@
#
# Pixel-wide
#
-# Dauntless (uses Citadel policy currently)
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
-
# PowerStats HAL
BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..f9fbf73
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,9 @@
+dumpstate app_zygote process b/238263438
+dumpstate hal_input_processor_default process b/238143262
+dumpstate incident process b/238570971
+dumpstate incident process b/238571324
+dumpstate incident process b/238571420
+hal_drm_default default_prop file b/232714489
+hal_power_default hal_power_default capability b/240632824
+incidentd debugfs_wakeup_sources file b/238263568
+su modem_img_file filesystem b/238825802
diff --git a/tracking_denials/hal_drm_default.te b/tracking_denials/hal_drm_default.te
index ee4ed08..872f5a0 100644
--- a/tracking_denials/hal_drm_default.te
+++ b/tracking_denials/hal_drm_default.te
@@ -1,2 +1,4 @@
# b/223502652
dontaudit hal_drm_default vndbinder_device:chr_file { read };
+# b/232714489
+dontaudit hal_drm_default default_prop:file { read };
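Review bot: The added `dontaudit hal_drm_default default_prop:file { read };` silences the audit record for every read of a `default_prop`-labelled (i.e. otherwise unlabelled) property by this HAL, not only the one behind b/232714489, so a later regression of the same kind would go unnoticed. The same commit also adds `hal_drm_default default_prop file b/232714489` to tracking_denials/bug_map, which can only annotate denials that are still logged, so the two entries appear to work against each other and keeping one would be clearer. If the dontaudit stays, a comment naming the property, for example `# b/232714489: reads <property name> before it has a vendor label; remove once labelled`, would tell the next maintainer when it can be dropped.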
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index 47f5162..0000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/192617242
-dontaudit hal_power_default hal_power_default:capability dac_read_search;
-dontaudit hal_power_default hal_power_default:capability dac_override;
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
deleted file mode 100644
index d27b8e9..0000000
--- a/tracking_denials/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/190337297
-dontaudit vendor_init vendor_page_pinner_debugfs:file setattr;
diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te
index 9dfd9bf..cdf1b98 100644
--- a/whitechapel/vendor/google/chre.te
+++ b/whitechapel/vendor/google/chre.te
@@ -23,3 +23,6 @@
allow chre fwk_stats_service:service_manager find;
binder_call(chre, stats_service_server)
+# Allow CHRE to use WakeLock
+wakelock_use(chre)
+
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 94ec0bb..7a70e33 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -42,9 +42,6 @@
# AMCS device
type amcs_device, dev_type;
-# Battery history
-type battery_history_device, dev_type;
-
# Raw HID device
type hidraw_device, dev_type;
diff --git a/whitechapel/vendor/google/e2fs.te b/whitechapel/vendor/google/e2fs.te
index a666459..3e72adf 100644
--- a/whitechapel/vendor/google/e2fs.te
+++ b/whitechapel/vendor/google/e2fs.te
@@ -4,3 +4,5 @@
allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
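Review bot: These two rules, and the identical pair added to whitechapel/vendor/google/fsck.te, reference `sysfs_scsi_devices_0000` while this commit removes `type sysfs_scsi_devices_0000, sysfs_type, fs_type;` from whitechapel/vendor/google/file.te. The policy can only build if the type is declared in another directory on BOARD_SEPOLICY_DIRS, which is not visible in this diff and is worth confirming. Neither addition says why a filesystem tool needs to read SCSI sysfs nodes; a one-line comment above each pair, e.g. `# <reason e2fs/fsck reads storage sysfs attributes>`, would document the grant.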
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 847499d..479732e 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -7,6 +7,7 @@
type vendor_log_file, file_type, data_file_type;
type vendor_cbd_log_file, file_type, data_file_type;
type vendor_dmd_log_file, file_type, data_file_type;
+type vendor_hwc_log_file, file_type, data_file_type;
type vendor_rfsd_log_file, file_type, data_file_type;
type vendor_dump_log_file, file_type, data_file_type;
type vendor_rild_log_file, file_type, data_file_type;
@@ -78,7 +79,6 @@
type mediadrm_vendor_data_file, file_type, data_file_type;
# Storage Health HAL
-type sysfs_scsi_devices_0000, sysfs_type, fs_type;
type debugfs_f2fs, debugfs_type, fs_type;
type proc_f2fs, proc_type, fs_type;
@@ -141,9 +141,6 @@
type sysfs_gps, sysfs_type, fs_type;
type sysfs_gps_assert, sysfs_type, fs_type;
-# Display
-type sysfs_display, sysfs_type, fs_type;
-
# Backlight
type sysfs_backlight, sysfs_type, fs_type;
@@ -160,7 +157,6 @@
# Chosen
type sysfs_chosen, sysfs_type, fs_type;
-type sysfs_chip_id, sysfs_type, fs_type;
type sysfs_spi, sysfs_type, fs_type;
# Battery
@@ -186,9 +182,6 @@
type persist_uwb_file, file_type, vendor_persist_type;
type uwb_data_vendor, file_type, data_file_type;
-# PixelStats_vendor
-type sysfs_pixelstats, fs_type, sysfs_type;
-
# WLC FW
type vendor_wlc_fwupdata_file, vendor_file_type, file_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index da2222b..3f10d22 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -154,6 +154,7 @@
/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0
/data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0
+/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0
/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0
@@ -225,6 +226,7 @@
/dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0
/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0
/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx471 u:object_r:lwis_device:s0
/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
/dev/lwis-slc u:object_r:lwis_device:s0
@@ -279,7 +281,7 @@
/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
# Kernel modules related
-/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
# USB
/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
@@ -358,9 +360,6 @@
# RILD files
/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
-# Citadel StrongBox
-/dev/gsc0 u:object_r:citadel_device:s0
-
# Tetheroffload Service
/dev/dit2 u:object_r:vendor_toe_device:s0
/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0
@@ -368,9 +367,6 @@
# battery history
/dev/battery_history u:object_r:battery_history_device:s0
-# Vendor_kernel_modules
-/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
-
# Display
/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
diff --git a/whitechapel/vendor/google/fsck.te b/whitechapel/vendor/google/fsck.te
index d29555b..cb9470d 100644
--- a/whitechapel/vendor/google/fsck.te
+++ b/whitechapel/vendor/google/fsck.te
@@ -1,3 +1,5 @@
allow fsck persist_block_device:blk_file rw_file_perms;
allow fsck efs_block_device:blk_file rw_file_perms;
allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 5fa8755..5e7cd50 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -399,6 +399,10 @@
genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0
genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/system/chip-id/unique_id u:object_r:sysfs_soc:s0
+genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
+genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
+
# Devfreq directory
genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0
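Review bot: `/devices/system/chip-id/unique_id` is given the same `sysfs_soc` label as the `machine` and `revision` nodes, so every domain allowed to read `sysfs_soc` can also read a value that, going by its name, is a per-device identifier. The commit removes the dedicated `sysfs_chip_id` type from file.te, which suggests the narrower label is being retired. It would be worth confirming which domains hold read access to `sysfs_soc` and, if that set is broad, keeping `unique_id` on its own type. At minimum a comment such as `# SoC identification nodes; unique_id is device-specific` above the three entries would flag the sensitivity.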
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index 28137c7..ab01049 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -20,6 +20,9 @@
allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms;
+
allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
@@ -92,10 +95,6 @@
allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
-allow hal_dumpstate_default citadeld_service:service_manager find;
-allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans;
-binder_call(hal_dumpstate_default, citadeld);
-
allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
binder_call(hal_dumpstate_default, hal_graphics_composer_default);
allow hal_dumpstate_default sysfs_display:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/whitechapel/vendor/google/hal_graphics_composer_default.te
index 0562aa0..2cf6140 100644
--- a/whitechapel/vendor/google/hal_graphics_composer_default.te
+++ b/whitechapel/vendor/google/hal_graphics_composer_default.te
@@ -4,3 +4,7 @@
# allow HWC to access power hal
binder_call(hal_graphics_composer_default, hal_power_default);
hal_client_domain(hal_graphics_composer_default, hal_power);
+
+# allow HWC to write log file
+allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;
+allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms;
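Review bot: The write grant on `vendor_hwc_log_file` is unconditional, so HWC can create, rename and delete files under /data/vendor/log/hwc on user builds too, and hal_dumpstate_default is given read access to the same type elsewhere in this commit. If the log is a debugging aid, wrapping the two rules in a `userdebug_or_eng(...)` block, as other policy in this repository does, would keep the production domain narrower. If it is required on user builds, the comment could say so, e.g. `# HWC writes <log contents> to /data/vendor/log/hwc on all build types`.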
diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te
deleted file mode 100644
index 80b5337..0000000
--- a/whitechapel/vendor/google/hardware_info_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type hardware_info_app, domain;
-
-app_domain(hardware_info_app)
-
-allow hardware_info_app app_api_service:service_manager find;
-
-# Display
-allow hardware_info_app sysfs_display:dir search;
-allow hardware_info_app sysfs_display:file r_file_perms;
-
-# Audio
-allow hardware_info_app sysfs_pixelstats:dir search;
-allow hardware_info_app sysfs_pixelstats:file r_file_perms;
-
-# Storage
-allow hardware_info_app sysfs_scsi_devices_0000:dir search;
-allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
-
-# Battery
-allow hardware_info_app sysfs_batteryinfo:file r_file_perms;
-allow hardware_info_app sysfs_batteryinfo:dir search;
-
-# SoC
-allow hardware_info_app sysfs:file r_file_perms;
diff --git a/whitechapel/vendor/google/init-display-sh.te b/whitechapel/vendor/google/init-display-sh.te
new file mode 100644
index 0000000..54ff7d6
--- /dev/null
+++ b/whitechapel/vendor/google/init-display-sh.te
@@ -0,0 +1,10 @@
+type init-display-sh, domain;
+type init-display-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-display-sh)
+
+allow init-display-sh self:capability sys_module;
+allow init-display-sh vendor_kernel_modules:system module_load;
+allow init-display-sh vendor_toolbox_exec:file execute_no_trans;
+
+dontaudit init-display-sh proc_cmdline:file r_file_perms;
+
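Review bot: This new domain is granted `self:capability sys_module` and `vendor_kernel_modules:system module_load`, meaning it may load kernel modules, yet the file carries no comment saying which modules a display init script needs or why the work cannot stay in the existing module-loading domain. The same commit drops the `/vendor_dlkm/lib/modules/.*\.ko` entry from file_contexts, so the `vendor_kernel_modules` label must be applied somewhere outside this diff for the rule to match anything. A header comment along the lines of `# init.display.sh: loads <display modules> during early boot`, plus a short reason on the `dontaudit init-display-sh proc_cmdline:file r_file_perms;` line, would make the grant reviewable.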
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te
deleted file mode 100644
index d345e19..0000000
--- a/whitechapel/vendor/google/init-insmod-sh.te
+++ /dev/null
@@ -1,20 +0,0 @@
-type init-insmod-sh, domain;
-type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(init-insmod-sh)
-
-allow init-insmod-sh self:capability sys_module;
-allow init-insmod-sh sysfs_leds:dir r_dir_perms;
-allow init-insmod-sh vendor_kernel_modules:system module_load;
-allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
-
-allow init-insmod-sh self:capability sys_nice;
-allow init-insmod-sh kernel:process setsched;
-
-set_prop(init-insmod-sh, vendor_device_prop)
-
-userdebug_or_eng(`
- allow init-insmod-sh vendor_regmap_debugfs:dir search;
-')
-
-dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
-dontaudit init-insmod-sh self:key write;
diff --git a/whitechapel/vendor/google/insmod-sh.te b/whitechapel/vendor/google/insmod-sh.te
new file mode 100644
index 0000000..3c430ff
--- /dev/null
+++ b/whitechapel/vendor/google/insmod-sh.te
@@ -0,0 +1,11 @@
+allow insmod-sh sysfs_leds:dir r_dir_perms;
+
+allow insmod-sh self:capability sys_nice;
+allow insmod-sh kernel:process setsched;
+
+userdebug_or_eng(`
+ allow insmod-sh vendor_regmap_debugfs:dir search;
+')
+
+dontaudit insmod-sh proc_cmdline:file r_file_perms;
+dontaudit insmod-sh self:key write;
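Review bot: `insmod-sh` is used here without a `type` declaration, and the module-loading rules the deleted init-insmod-sh.te carried (`sys_module`, `module_load`, `vendor_toolbox_exec` execute, `set_prop` on `vendor_device_prop`) are absent, so this file presumably extends a domain defined in shared policy that is not part of this diff. A first-line comment such as `# Device-specific additions to insmod-sh (declared in <shared policy dir>)` would make that dependency explicit. The `self:capability sys_nice` / `kernel:process setsched` pair and `dontaudit insmod-sh self:key write;` were carried over without explanation; one line each on why the script changes scheduling of processes in the `kernel` domain and what triggers the keyring write would help later audits.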
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index 31ee4b8..cac5e48 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -4,7 +4,6 @@
vendor_internal_prop(vendor_rild_prop)
vendor_internal_prop(sensors_prop)
vendor_internal_prop(vendor_ssrdump_prop)
-vendor_internal_prop(vendor_device_prop)
vendor_internal_prop(vendor_usb_config_prop)
vendor_internal_prop(vendor_secure_element_prop)
vendor_internal_prop(vendor_cbd_prop)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 29e35d9..1085b3b 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -15,12 +15,6 @@
vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
-# Kernel modules related
-vendor.common.modules.ready u:object_r:vendor_device_prop:s0
-vendor.device.modules.ready u:object_r:vendor_device_prop:s0
-vendor.all.modules.ready u:object_r:vendor_device_prop:s0
-vendor.all.devices.ready u:object_r:vendor_device_prop:s0
-
# for codec2
vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0
vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index f866e37..7c016d1 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -26,9 +26,6 @@
# HbmSVManager
user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-# Hardware Info Collection
-user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
-
# Domain for omadm
user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
index f982424..e13e744 100644
--- a/whitechapel/vendor/google/shell.te
+++ b/whitechapel/vendor/google/shell.te
@@ -8,3 +8,4 @@
dontaudit shell proc_vendor_sched:dir search;
dontaudit shell proc_vendor_sched:file write;
+dontaudit shell sysfs_wlc:dir search;