sync codebase

Bug: 162370942
Test: build pass

Change-Id: I73af3d6fa79a2dbf70f855274383cbf3d2af1745
Merged-In: I68126a1e1ae6193c85f6e0d9baf92a83023f436f
diff --git a/astd/astd.te b/astd/astd.te
new file mode 100644
index 0000000..9f29caa
--- /dev/null
+++ b/astd/astd.te
@@ -0,0 +1,17 @@
+# astd service
+type astd, domain;
+
+# /vendor/bin/astc        u:object_r:vendor_shell_exec:s0
+# system/sepolicy/public/vendor_shell.te
+# type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+# /vendor/bin/astd        u:object_r:vendor_toolbox_exec:s0
+# system/sepolicy/public/vendor_toolbox.te
+# type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+type astd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(astd)
+')
+
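Review bot: The commented-out block quoting `vendor_shell_exec` / `vendor_toolbox_exec` labels and their platform declarations describes context this file no longer uses, so it reads as stale scratch rather than as documentation of `astd`. Replace it with a line that states the actual design, e.g. `# astd/astc are userdebug/eng-only: type and label exist in every build, the init transition below is gated.`. Note that `type astd, domain;` and `astd_exec` are declared unconditionally while `init_daemon_domain(astd)` sits inside `userdebug_or_eng`, so on user builds the binaries carry `astd_exec` with no transition into `astd`; that is only harmless if the binaries are also debug-only, which is worth confirming against the build rules.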
diff --git a/astd/file_contexts b/astd/file_contexts
new file mode 100644
index 0000000..0df5774
--- /dev/null
+++ b/astd/file_contexts
@@ -0,0 +1,3 @@
+/vendor/bin/astc        u:object_r:astd_exec:s0
+/vendor/bin/astd        u:object_r:astd_exec:s0
+
diff --git a/atrace/genfs_contexts b/atrace/genfs_contexts
new file mode 100644
index 0000000..ce4e879
--- /dev/null
+++ b/atrace/genfs_contexts
@@ -0,0 +1 @@
+genfscon debugfs /tracing/events/fastrpc/fastrpc_dma_stat        u:object_r:debugfs_tracing:s0
diff --git a/citadel/file_contexts b/citadel/file_contexts
index d749e46..5376def 100644
--- a/citadel/file_contexts
+++ b/citadel/file_contexts
@@ -4,7 +4,9 @@
 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel  u:object_r:hal_keymaster_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel    u:object_r:hal_rebootescrow_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel     u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel   u:object_r:hal_identity_citadel_exec:s0
 /vendor/bin/hw/citadel_updater                                     u:object_r:citadel_updater_exec:s0
 /vendor/bin/hw/citadeld                                            u:object_r:citadeld_exec:s0
 /vendor/bin/hw/init_citadel                                        u:object_r:init_citadel_exec:s0
 /vendor/bin/hw/wait_for_strongbox                                  u:object_r:wait_for_strongbox_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel       u:object_r:hal_keymint_citadel_exec:s0
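Review bot: The new keymint entry is appended after `wait_for_strongbox` instead of with the other `android\.hardware\.*` services above it, and its context column does not line up with the rest of the file, whereas the identity entry was inserted in the right group. Move it up next to the `identity@1\.0-service\.citadel` line and align it: `/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel  u:object_r:hal_keymint_citadel_exec:s0`. Ordering has no effect on matching here, but grouping keeps the label list reviewable.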
diff --git a/citadel/hal_identity_citadel.te b/citadel/hal_identity_citadel.te
new file mode 100644
index 0000000..e29310c
--- /dev/null
+++ b/citadel/hal_identity_citadel.te
@@ -0,0 +1,9 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_identity_citadel)
+binder_call(hal_identity_citadel, citadeld)
+allow hal_identity_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+init_daemon_domain(hal_identity_citadel)
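Review bot: The new domain has no comments, so a reader must infer from `binder_call(hal_identity_citadel, citadeld)` and the `citadeld_service` find rule that this HAL does not talk to the chip itself. A one-line header such as `# Identity Credential HAL; reaches the Citadel secure element through citadeld over vndbinder` would make that explicit. The same applies to `hal_keymint_citadel.te` in the next hunk, which follows the same pattern and additionally reads `vendor_security_patch_level_prop` without saying why.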
diff --git a/citadel/hal_keymint_citadel.te b/citadel/hal_keymint_citadel.te
new file mode 100644
index 0000000..b08f767
--- /dev/null
+++ b/citadel/hal_keymint_citadel.te
@@ -0,0 +1,11 @@
+type hal_keymint_citadel, domain;
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+
+type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_citadel)
+
+vndbinder_use(hal_keymint_citadel)
+binder_call(hal_keymint_citadel, citadeld)
+allow hal_keymint_citadel citadeld_service:service_manager find;
+
+get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
diff --git a/citadel/recovery.te b/citadel/recovery.te
index c68244f..523af80 100644
--- a/citadel/recovery.te
+++ b/citadel/recovery.te
@@ -1,3 +1,4 @@
 recovery_only(`
   allow recovery citadel_device:chr_file rw_file_perms;
+  allow fastbootd citadel_device:chr_file rw_file_perms;
 ')
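Review bot: The added `fastbootd` rule grants read/write, including `ioctl` (part of `r_file_perms`), on the Citadel device node with no comment stating what fastbootd does with the secure element. Add the reason above it, e.g. `# fastbootd: <what it performs on Citadel> (TODO fill in)`, so the grant can be narrowed or removed later. If the driver exposes ioctls, an `allowxperm fastbootd citadel_device:chr_file ioctl { ... }` list would bound them; that is worth checking against the citadel driver. The pre-existing `recovery` rule has the same gap, but it is not part of this change.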
diff --git a/citadel/service_contexts b/citadel/service_contexts
new file mode 100644
index 0000000..5639b58
--- /dev/null
+++ b/citadel/service_contexts
@@ -0,0 +1,2 @@
+android.hardware.security.keymint.IKeyMintDevice/strongbox      u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox  u:object_r:hal_sharedsecret_service:s0
diff --git a/common/file.te b/common/file.te
index 7dc080d..8fb41bc 100644
--- a/common/file.te
+++ b/common/file.te
@@ -1,4 +1,2 @@
 type persist_file, file_type, vendor_persist_type;
-type firmware_file, file_type, contextmount_type, vendor_file_type;
-
-allow firmware_file self:filesystem associate;
+type sysfs_iio_devices, fs_type, sysfs_type;
diff --git a/common/file_contexts b/common/file_contexts
index e86fd9f..0adc634 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -1,9 +1,10 @@
 /mnt/vendor/persist(/.*)?       u:object_r:persist_file:s0
-/vendor/firmware_mnt(/.*)?      u:object_r:firmware_file:s0
 /persist(/.*)?                  u:object_r:persist_file:s0
 
-/vendor/bin/init\.insmod\.sh                        u:object_r:init-insmod-sh_exec:s0
 /vendor/bin/grep                                    u:object_r:vendor_toolbox_exec:s0
 /vendor/bin/awk                                     u:object_r:vendor_toolbox_exec:s0
 /vendor/bin/cp                                      u:object_r:vendor_toolbox_exec:s0
 /vendor/bin/toolbox_vendor                          u:object_r:vendor_toolbox_exec:s0
+
+/vendor/bin/hw/android\.hardware\.atrace@1\.0-service.pixel                           u:object_r:hal_atrace_default_exec:s0
+
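Review bot: In the new atrace HAL entry the final separator is unescaped (`-service.pixel`), so that `.` matches any character, unlike the escaped dots earlier in the same pattern and in every other entry in this file. Use `/vendor/bin/hw/android\.hardware\.atrace@1\.0-service\.pixel   u:object_r:hal_atrace_default_exec:s0`. The two trailing blank `+` lines added around it are also unusual for these contexts files and can be dropped.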
diff --git a/common/genfs_contexts b/common/genfs_contexts
new file mode 100644
index 0000000..d762381
--- /dev/null
+++ b/common/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /bus/iio/devices                       u:object_r:sysfs_iio_devices:s0
diff --git a/common/init-insmod-sh.te b/common/init-insmod-sh.te
deleted file mode 100644
index 16bc87c..0000000
--- a/common/init-insmod-sh.te
+++ /dev/null
@@ -1,19 +0,0 @@
-type init-insmod-sh, domain;
-type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init-insmod-sh)
-
-allow init-insmod-sh vendor_toolbox_exec:file rx_file_perms;
-allow init-insmod-sh self:capability sys_module;
-allow init-insmod-sh vendor_kernel_modules:system module_load;
-allow init-insmod-sh kernel:key search;
-
-# modprobe needs sys_nice and setsched for driver threads
-allow init-insmod-sh self:capability sys_nice;
-allow init-insmod-sh kernel:process setsched;
-
-# modprobe need proc_modules
-allow init-insmod-sh proc_modules:file r_file_perms;
-
-# Set the vendor.all.modules.ready property
-set_prop(init-insmod-sh, vendor_device_prop)
diff --git a/common/init.te b/common/init.te
deleted file mode 100644
index 1ff76db..0000000
--- a/common/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow init firmware_file:dir mounton;
-allow init firmware_file:filesystem { getattr mount relabelfrom };
diff --git a/common/property.te b/common/property.te
deleted file mode 100644
index 50f7b34..0000000
--- a/common/property.te
+++ /dev/null
@@ -1 +0,0 @@
-vendor_internal_prop(vendor_device_prop)
diff --git a/common/property_contexts b/common/property_contexts
deleted file mode 100644
index 8343ea5..0000000
--- a/common/property_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-vendor.all.modules.ready                        u:object_r:vendor_device_prop:s0
-vendor.all.devices.ready                        u:object_r:vendor_device_prop:s0
diff --git a/common/vendor_init.te b/common/vendor_init.te
new file mode 100644
index 0000000..7299a26
--- /dev/null
+++ b/common/vendor_init.te
@@ -0,0 +1,2 @@
+# for cgroup migration
+allow vendor_init cgroup:file rw_file_perms;
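Review bot: `# for cgroup migration` does not say which init.rc action needs this, and `cgroup:file rw_file_perms` covers every file on every cgroup controller, so the rule cannot be narrowed or retired later without archaeology. Name the trigger, e.g. `# <device> init.*.rc: moves tasks between cgroups during boot (TODO: cite the rc action)`. If only a few controller files are written, labeling those paths with their own type would let the rest of the cgroup tree stay read-only for vendor_init.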
diff --git a/flipendo/flipendo.te b/flipendo/flipendo.te
index 957ebe9..a147885 100644
--- a/flipendo/flipendo.te
+++ b/flipendo/flipendo.te
@@ -2,7 +2,7 @@
 
 app_domain(flipendo)
 
-# Access to ISstats service to log atoms
+# Access to Westworld logging service
 allow flipendo fwk_stats_service:service_manager find;
 binder_use(flipendo)
 
@@ -15,3 +15,5 @@
 
 # Access to PowerHal service
 hal_client_domain(flipendo, hal_power);
+
+dontaudit flipendo vendor_hwservice_type:hwservice_manager find;
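Review bot: The new `dontaudit flipendo vendor_hwservice_type:hwservice_manager find;` silences lookups of every vendor hwservice, which also hides the denials you would want to see if the app later starts reaching for a service it should not use. Narrow it to the one type being probed and say why the miss is expected, e.g. `# Flipendo probes for an optional vendor hwservice; the failed lookup is harmless` followed by `dontaudit flipendo <specific_hwservice_type>:hwservice_manager find;`. If it genuinely enumerates all vendor hwservices, that deserves a comment explaining the use.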
diff --git a/logger_app/logger_app.te b/logger_app/logger_app.te
index e61df02..6ee040c 100644
--- a/logger_app/logger_app.te
+++ b/logger_app/logger_app.te
@@ -5,4 +5,6 @@
   net_domain(logger_app)
 
   allow logger_app app_api_service:service_manager find;
+  allow logger_app tcpdump_vendor_data_file:dir create_dir_perms;
+  allow logger_app tcpdump_vendor_data_file:file create_file_perms;
 ')
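Review bot: The two new `tcpdump_vendor_data_file` rules give an app domain full create/unlink/write access to the packet-capture directory with no comment on why the app, rather than a capture daemon, owns those files; `create_file_perms` includes `write`, so captures can be altered in place as well as read. A note such as `# logger_app manages tcpdump capture files (TODO: which component writes them)` above the rules would record the intent. The enclosing macro whose `')` closes this hunk starts before it, so whether these rules are debug-only is not visible here.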
diff --git a/mm/gki/file.te b/mm/gki/file.te
index 9970f78..d0e1b64 100644
--- a/mm/gki/file.te
+++ b/mm/gki/file.te
@@ -1,4 +1,5 @@
 type mm_logd_vendor_data_file, file_type, data_file_type;
 type debugfs_page_owner, debugfs_type, fs_type;
+type proc_watermark_boost_factor, fs_type, proc_type;
 type proc_min_free_kbytes, fs_type, proc_type;
 type proc_lowmem_reserve_ratio, fs_type, proc_type;
diff --git a/mm/gki/genfs_contexts b/mm/gki/genfs_contexts
index 852bc3e..957a343 100644
--- a/mm/gki/genfs_contexts
+++ b/mm/gki/genfs_contexts
@@ -1,3 +1,4 @@
 genfscon debugfs /page_owner                          u:object_r:debugfs_page_owner:s0
+genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
 genfscon proc /sys/vm/lowmem_reserve_ratio u:object_r:proc_watermark_boost_factor:s0
 genfscon proc /sys/vm/min_free_kbytes u:object_r:proc_watermark_boost_factor:s0
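Review bot: The new `watermark_boost_factor` line is correct, but the two context lines beneath it label `/sys/vm/lowmem_reserve_ratio` and `/sys/vm/min_free_kbytes` as `proc_watermark_boost_factor` even though `mm/gki/file.te` in the previous hunk declares `proc_lowmem_reserve_ratio` and `proc_min_free_kbytes` for them; as far as this diff shows those types are never applied, so any domain granted write on `proc_watermark_boost_factor` also tunes the other two knobs. Those lines predate this change, but a commit touching the file is the place to fix them: `genfscon proc /sys/vm/lowmem_reserve_ratio u:object_r:proc_lowmem_reserve_ratio:s0` and `genfscon proc /sys/vm/min_free_kbytes u:object_r:proc_min_free_kbytes:s0`. Aligning the new line's context column with the `page_owner` entry above would also match the file's style.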
diff --git a/pixelstats/file.te b/pixelstats/file.te
new file mode 100644
index 0000000..76f87a2
--- /dev/null
+++ b/pixelstats/file.te
@@ -0,0 +1,2 @@
+type debugfs_mgm, debugfs_type, fs_type;
+type sysfs_pixel_stat, fs_type, sysfs_type;
diff --git a/pixelstats/genfs_contexts b/pixelstats/genfs_contexts
new file mode 100644
index 0000000..8eee8bb
--- /dev/null
+++ b/pixelstats/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon debugfs /physical-memory-group-manager                          u:object_r:debugfs_mgm:s0
+genfscon sysfs /kernel/pixel_stat                                        u:object_r:sysfs_pixel_stat:s0
diff --git a/pixelstats/pixelstats_vendor.te b/pixelstats/pixelstats_vendor.te
index 6d2ce3a..4b43168 100644
--- a/pixelstats/pixelstats_vendor.te
+++ b/pixelstats/pixelstats_vendor.te
@@ -6,11 +6,23 @@
 allow pixelstats_vendor sysfs_scsi_devices_0000:dir search;
 allow pixelstats_vendor sysfs_scsi_devices_0000:file r_file_perms;
 allow pixelstats_vendor sysfs_fs_f2fs:dir search;
-allow pixelstats_vendor sysfs_fs_f2fs:file r_file_perms;
+allow pixelstats_vendor sysfs_fs_f2fs:file rw_file_perms;
 get_prop(pixelstats_vendor, boottime_public_prop)
 
-allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
+allow pixelstats_vendor fwk_stats_service:service_manager find;
 binder_call(pixelstats_vendor, stats_service_server)
 
 allow pixelstats_vendor sysfs_zram:dir search;
 allow pixelstats_vendor sysfs_zram:file r_file_perms;
+allow pixelstats_vendor sysfs_pixel_stat:dir r_dir_perms;
+allow pixelstats_vendor sysfs_pixel_stat:file r_file_perms;
+
+userdebug_or_eng(`
+  allow pixelstats_vendor proc_vmstat:file r_file_perms;
+  allow pixelstats_vendor sysfs_ion:dir search;
+  allow pixelstats_vendor sysfs_ion:file r_file_perms;
+  allow pixelstats_vendor sysfs_dma_heap:dir search;
+  allow pixelstats_vendor sysfs_dma_heap:file r_file_perms;
+  allow pixelstats_vendor kernel:dir search;
+  allow pixelstats_vendor kernel:file r_file_perms;
+')
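Review bot: `sysfs_fs_f2fs:file` goes from `r_file_perms` to `rw_file_perms` with no comment; for a statistics collector, write access to f2fs tunables is a meaningful widening and should name what is written, e.g. `# writes <f2fs sysfs attribute> for <purpose> (TODO)`. If it is a single attribute, labeling that node separately would keep the rest of the f2fs sysfs tree read-only. In the debug block, `allow pixelstats_vendor kernel:dir search;` and `kernel:file r_file_perms` (presumably /proc entries of kernel threads) also lack a comment saying what is read.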
diff --git a/power-libperfmgr/hal_power_default.te b/power-libperfmgr/hal_power_default.te
index 4daffd7..314bc11 100644
--- a/power-libperfmgr/hal_power_default.te
+++ b/power-libperfmgr/hal_power_default.te
@@ -1,8 +1,15 @@
+typeattribute hal_power_default mlstrustedsubject;
+
 allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
 allow hal_power_default latency_device:chr_file rw_file_perms;
+allow hal_power_default cgroup:file r_file_perms;
 
 # To get/set powerhal state property
 set_prop(hal_power_default, vendor_power_prop)
 
 # Rule for hal_power_default to access graphics composer process
 unix_socket_connect(hal_power_default, pps, hal_graphics_composer_default);
+
+# Set scheduling info for apps (for adpf)
+allow hal_power_default appdomain:process { getsched setsched };
+allow hal_power_default self:capability sys_nice;
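Review bot: `typeattribute hal_power_default mlstrustedsubject;` is added at the top of the file with no comment, yet it exempts the power HAL from MLS constraints against every object, not only the app processes it now calls `getsched`/`setsched` on. Presumably it is needed because app processes carry per-user/per-app MLS categories; say so and keep it with the rules it serves, e.g. `# mlstrustedsubject: app processes carry MLS categories, required for the appdomain setsched rule below` placed in the `# Set scheduling info for apps (for adpf)` block. Grouping them makes the dependency reviewable and lets both be removed together if ADPF moves elsewhere.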
diff --git a/power-libperfmgr/vendor_init.te b/power-libperfmgr/vendor_init.te
new file mode 100644
index 0000000..18cc402
--- /dev/null
+++ b/power-libperfmgr/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_power_prop)
diff --git a/powerstats/device.te b/powerstats/device.te
new file mode 100644
index 0000000..449df82
--- /dev/null
+++ b/powerstats/device.te
@@ -0,0 +1 @@
+type power_stats_device, dev_type;
diff --git a/powerstats/file.te b/powerstats/file.te
new file mode 100644
index 0000000..0df8fa5
--- /dev/null
+++ b/powerstats/file.te
@@ -0,0 +1 @@
+type sysfs_power_stats, fs_type, sysfs_type;
diff --git a/powerstats/hal_power_stats_default.te b/powerstats/hal_power_stats_default.te
index 7e00470..b125ef7 100644
--- a/powerstats/hal_power_stats_default.te
+++ b/powerstats/hal_power_stats_default.te
@@ -3,3 +3,6 @@
 vndbinder_use(hal_power_stats)
 add_service(hal_power_stats_server, hal_power_stats_service)
 
+r_dir_file(hal_power_stats_default, sysfs_power_stats)
+
+allow hal_power_stats_default power_stats_device:chr_file rw_file_perms;
diff --git a/ramdump/bug_map b/ramdump/bug_map
new file mode 100644
index 0000000..0554746
--- /dev/null
+++ b/ramdump/bug_map
@@ -0,0 +1,3 @@
+ramdump vendor_hw_plat_prop file b/161103878
+ramdump public_vendor_default_prop file b/161103878
+ramdump proc_bootconfig file b/181615626
diff --git a/ramdump/common/file.te b/ramdump/common/file.te
new file mode 100644
index 0000000..78ad1db
--- /dev/null
+++ b/ramdump/common/file.te
@@ -0,0 +1,3 @@
+type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_fs, file_type, data_file_type, mlstrustedobject;
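Review bot: `ramdump_vendor_fs` is declared as `file_type, data_file_type, mlstrustedobject`, but `ramdump/ramdump.te` later in this diff uses it only as a filesystem label (`ramdump_vendor_fs:filesystem { mount unmount relabelfrom relabelto }` and the `associate` rule), and filesystem labels elsewhere in this diff carry `fs_type` (`sysfs_pixel_stat`, `proc_irq`). Declaring a filesystem label as `data_file_type` also makes it match every rule written against data files. If the intent is `type ramdump_vendor_fs, fs_type;`, change it; if the current attributes are deliberate, record why in a comment, because it will look like a mistake to the next reader.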
diff --git a/ramdump/common/file_contexts b/ramdump/common/file_contexts
new file mode 100644
index 0000000..c0c087f
--- /dev/null
+++ b/ramdump/common/file_contexts
@@ -0,0 +1,2 @@
+/data/vendor/ramdump(/.*)?                u:object_r:ramdump_vendor_data_file:s0
+/mnt/vendor/ramdump(/.*)?                 u:object_r:ramdump_vendor_mnt_file:s0
diff --git a/ramdump/common/property.te b/ramdump/common/property.te
new file mode 100644
index 0000000..1409a3d
--- /dev/null
+++ b/ramdump/common/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_ramdump_prop)
diff --git a/ramdump/common/property_contexts b/ramdump/common/property_contexts
new file mode 100644
index 0000000..25749fa
--- /dev/null
+++ b/ramdump/common/property_contexts
@@ -0,0 +1,2 @@
+ro.boot.ramdump                           u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ramdump.                     u:object_r:vendor_ramdump_prop:s0
diff --git a/ramdump/file.te b/ramdump/file.te
new file mode 100644
index 0000000..3fa2b2f
--- /dev/null
+++ b/ramdump/file.te
@@ -0,0 +1 @@
+allow ramdump_vendor_mnt_file self:filesystem associate;
diff --git a/ramdump/file_contexts b/ramdump/file_contexts
new file mode 100644
index 0000000..590e61b
--- /dev/null
+++ b/ramdump/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/ramdump                       u:object_r:ramdump_exec:s0
diff --git a/ramdump/ramdump.te b/ramdump/ramdump.te
new file mode 100644
index 0000000..d66139f
--- /dev/null
+++ b/ramdump/ramdump.te
@@ -0,0 +1,48 @@
+type ramdump_exec, exec_type, vendor_file_type, file_type;
+type ramdump, domain;
+
+userdebug_or_eng(`
+  init_daemon_domain(ramdump)
+
+  set_prop(ramdump, vendor_ramdump_prop)
+
+  # f2fs set pin file requires sys_admin
+  allow ramdump self:capability { sys_admin sys_rawio };
+
+  allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
+  allow ramdump ramdump_vendor_data_file:file create_file_perms;
+  allow ramdump proc_cmdline:file r_file_perms;
+
+  allow ramdump block_device:dir search;
+  allow ramdump misc_block_device:blk_file rw_file_perms;
+  allow ramdump userdata_block_device:blk_file rw_file_perms;
+
+  # Allow ReadDefaultFstab().
+  read_fstab(ramdump)
+
+  # read /fstab.${ro.hardware}
+  allow ramdump rootfs:file r_file_perms;
+
+  r_dir_file(ramdump, sysfs_type)
+
+  # To access statsd.
+  hwbinder_use(ramdump)
+  get_prop(ramdump, hwservicemanager_prop)
+  get_prop(ramdump, boot_status_prop)
+  allow ramdump fwk_stats_hwservice:hwservice_manager find;
+  binder_call(ramdump, stats_service_server)
+  allow ramdump fwk_stats_service:service_manager find;
+  binder_use(ramdump)
+
+  # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
+  allow ramdump fuse:filesystem relabelfrom;
+  allow ramdump fuse_device:chr_file rw_file_perms;
+  allow ramdump mnt_vendor_file:dir r_dir_perms;
+  allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
+  allow ramdump ramdump_vendor_fs:filesystem { mount unmount relabelfrom relabelto };
+  allow ramdump_vendor_mnt_file ramdump_vendor_fs:filesystem associate;
+
+  # Access new Stats AIDL APIs (ag/13714907).
+  allow ramdump fwk_stats_service:service_manager find;
+  binder_call(ramdump, servicemanager)
+')
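Review bot: `allow ramdump fwk_stats_service:service_manager find;` appears twice in the new file (under `# To access statsd.` and again under `# Access new Stats AIDL APIs`); drop one, and since the AIDL path is present, state whether the HIDL `fwk_stats_hwservice` / `hwbinder_use` rules are still needed. The `# f2fs set pin file requires sys_admin` comment covers `sys_admin` but not `sys_rawio`, nor the raw `rw_file_perms` on `userdata_block_device` and `misc_block_device`, which are the most powerful grants here even inside `userdebug_or_eng`; a comment like `# writes the dump directly to the pinned file's blocks on userdata (TODO confirm) and to misc for <purpose>` would tie them to the pin-file design. `ag/13714907` is an internal link that is useless to readers outside that Gerrit; cite the bug or the API name instead.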
diff --git a/rebalance_interrupts/file.te b/rebalance_interrupts/file.te
new file mode 100644
index 0000000..4b8bd35
--- /dev/null
+++ b/rebalance_interrupts/file.te
@@ -0,0 +1,2 @@
+type sysfs_irq, fs_type, sysfs_type;
+type proc_irq, fs_type, proc_type;
diff --git a/rebalance_interrupts/file_contexts b/rebalance_interrupts/file_contexts
new file mode 100644
index 0000000..bb25b5c
--- /dev/null
+++ b/rebalance_interrupts/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/rebalance_interrupts-vendor           u:object_r:rebalance_interrupts_vendor_exec:s0
+
diff --git a/rebalance_interrupts/genfs_contexts b/rebalance_interrupts/genfs_contexts
new file mode 100644
index 0000000..fc264b5
--- /dev/null
+++ b/rebalance_interrupts/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon sysfs /kernel/irq          u:object_r:sysfs_irq:s0
+genfscon proc /irq                  u:object_r:proc_irq:s0
diff --git a/rebalance_interrupts/rebalance_interrupts.te b/rebalance_interrupts/rebalance_interrupts.te
new file mode 100644
index 0000000..668a696
--- /dev/null
+++ b/rebalance_interrupts/rebalance_interrupts.te
@@ -0,0 +1,10 @@
+# rebalance_interrupts vendor
+type rebalance_interrupts_vendor, domain;
+
+type rebalance_interrupts_vendor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(rebalance_interrupts_vendor)
+
+allow rebalance_interrupts_vendor sysfs_irq:dir r_dir_perms;
+allow rebalance_interrupts_vendor sysfs_irq:file r_file_perms;
+allow rebalance_interrupts_vendor proc_irq:dir r_dir_perms;
+allow rebalance_interrupts_vendor proc_irq:file rw_file_perms;
diff --git a/sscoredump/device.te b/sscoredump/device.te
new file mode 100644
index 0000000..7614dd4
--- /dev/null
+++ b/sscoredump/device.te
@@ -0,0 +1 @@
+type sscoredump_device, dev_type;
diff --git a/sscoredump/file.te b/sscoredump/file.te
new file mode 100644
index 0000000..337f524
--- /dev/null
+++ b/sscoredump/file.te
@@ -0,0 +1,7 @@
+# files
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject;
+
+# sysfs
+type sysfs_sscoredump_level, sysfs_type, fs_type;                  # sscoredump level
+type sysfs_sscoredump_subsystem_report_count, sysfs_type, fs_type; # subsystem report_count: per device explicit path
diff --git a/sscoredump/file_contexts b/sscoredump/file_contexts
new file mode 100644
index 0000000..b375ffa
--- /dev/null
+++ b/sscoredump/file_contexts
@@ -0,0 +1,4 @@
+/vendor/bin/sscoredump                 u:object_r:sscoredump_exec:s0
+/data/vendor/ssrdump(/.*)?             u:object_r:sscoredump_vendor_data_crashinfo_file:s0
+/data/vendor/ssrdump/coredump(/.*)?    u:object_r:sscoredump_vendor_data_coredump_file:s0
+/dev/sscd_.*                           u:object_r:sscoredump_device:s0
diff --git a/sscoredump/genfs_contexts b/sscoredump/genfs_contexts
new file mode 100644
index 0000000..5a6e494
--- /dev/null
+++ b/sscoredump/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /class/sscoredump/level u:object_r:sysfs_sscoredump_level:s0
diff --git a/sscoredump/sscoredump.te b/sscoredump/sscoredump.te
new file mode 100644
index 0000000..70d6e1b
--- /dev/null
+++ b/sscoredump/sscoredump.te
@@ -0,0 +1,18 @@
+type sscoredump, domain;
+type sscoredump_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(sscoredump)
+
+set_prop(sscoredump, vendor_ssrdump_prop)
+
+allow sscoredump device:dir r_dir_perms;
+allow sscoredump sscoredump_device:chr_file rw_file_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+allow sscoredump sysfs_sscoredump_subsystem_report_count:file r_file_perms;
+
+userdebug_or_eng(`
+  allow sscoredump sysfs_sscoredump_level:file rw_file_perms;
+  allow sscoredump sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow sscoredump sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
diff --git a/storage/file.te b/storage/file.te
new file mode 100644
index 0000000..ba7f362
--- /dev/null
+++ b/storage/file.te
@@ -0,0 +1 @@
+type debugfs_lpm, debugfs_type, fs_type;
diff --git a/storage/genfs_contexts b/storage/genfs_contexts
new file mode 100644
index 0000000..2f0b5bb
--- /dev/null
+++ b/storage/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon debugfs /lpm_stats/stats					u:object_r:debugfs_lpm:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/power		u:object_r:sysfs_scsi_devices_0000:s0
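Review bot: The second genfscon hard-codes a SoC-specific path (`/devices/platform/soc/1d84000.ufshc/power`) and gives it a SCSI-host label (`sysfs_scsi_devices_0000`) in a directory that otherwise holds generic storage policy; a platform address belongs in device-specific policy, or at least needs a comment naming the SoC it applies to, e.g. `# <SoC name>: UFS host controller power attributes`. The two lines also use tabs for alignment while the rest of this diff uses spaces.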
diff --git a/storage/shell.te b/storage/shell.te
new file mode 100644
index 0000000..d8145f1
--- /dev/null
+++ b/storage/shell.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+  allow shell debugfs_lpm:file r_file_perms;
+  allow shell sysfs_scsi_devices_0000:file r_file_perms;
+  allow shell sysfs_mmc:dir r_dir_perms;
+')
+
diff --git a/thermal/file.te b/thermal/file.te
new file mode 100644
index 0000000..a2b1ab8
--- /dev/null
+++ b/thermal/file.te
@@ -0,0 +1,2 @@
+type thermal_link_device, dev_type;
+type debugfs_thermal, debugfs_type, fs_type;
diff --git a/thermal/file_contexts b/thermal/file_contexts
index e88d6f5..40e00a9 100644
--- a/thermal/file_contexts
+++ b/thermal/file_contexts
@@ -1,2 +1,4 @@
 /vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel                     u:object_r:hal_thermal_default_exec:s0
 /vendor/bin/thermal_logd                                                          u:object_r:init-thermal-logging-sh_exec:s0
+/vendor/bin/thermal_symlinks                                                      u:object_r:init-thermal-symlinks-sh_exec:s0
+/dev/thermal(/.*)?                                                                u:object_r:thermal_link_device:s0
diff --git a/thermal/hal_thermal_default.te b/thermal/hal_thermal_default.te
index 846f07a..5d8af91 100644
--- a/thermal/hal_thermal_default.te
+++ b/thermal/hal_thermal_default.te
@@ -1,5 +1,7 @@
 allow hal_thermal_default sysfs_thermal:dir r_dir_perms;
 allow hal_thermal_default sysfs_thermal:file rw_file_perms;
+allow hal_thermal_default sysfs_thermal:lnk_file r_file_perms;
+allow hal_thermal_default thermal_link_device:dir r_dir_perms;
 allow hal_thermal_default proc_stat:file r_file_perms;
 
 allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/thermal/init-thermal-symlinks.sh.te b/thermal/init-thermal-symlinks.sh.te
new file mode 100644
index 0000000..093512c
--- /dev/null
+++ b/thermal/init-thermal-symlinks.sh.te
@@ -0,0 +1,12 @@
+type init-thermal-symlinks-sh, domain;
+type init-thermal-symlinks-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-thermal-symlinks-sh)
+
+allow init-thermal-symlinks-sh vendor_toolbox_exec:file rx_file_perms;
+allow init-thermal-symlinks-sh thermal_link_device:dir rw_dir_perms;
+allow init-thermal-symlinks-sh thermal_link_device:lnk_file create_file_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:dir r_dir_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:file r_file_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:lnk_file r_file_perms;
+set_prop(init-thermal-symlinks-sh, vendor_thermal_prop)
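Review bot: The new `init-thermal-symlinks-sh` domain has no header comment, and its rules only make sense together: it creates symlinks under the `thermal_link_device` directory (`lnk_file create_file_perms`, `dir rw_dir_perms`), reads `sysfs_thermal` nodes and links, and sets `vendor_thermal_prop`. A header such as `# Boot script that populates /dev/thermal with symlinks to sysfs thermal zones; sets vendor_thermal_prop when done (TODO confirm)` captures that; the "when done" part is inferred from `set_prop` and should be checked against the script.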
diff --git a/thermal/vendor_init.te b/thermal/vendor_init.te
new file mode 100644
index 0000000..3133b1e
--- /dev/null
+++ b/thermal/vendor_init.te
@@ -0,0 +1,2 @@
+allow vendor_init thermal_link_device:dir r_dir_perms;
+allow vendor_init thermal_link_device:lnk_file r_file_perms;
diff --git a/turbo_adapter/turbo_adapter.te b/turbo_adapter/turbo_adapter.te
index b2f0202..ca9ad00 100644
--- a/turbo_adapter/turbo_adapter.te
+++ b/turbo_adapter/turbo_adapter.te
@@ -2,7 +2,7 @@
 # this means that TurboAdapter doesn't get the platform_app permissions any more, so we need to
 # list everything that it needs here.
 
-type turbo_adapter, domain, coredomain;
+type turbo_adapter, domain, coredomain, system_suspend_internal_server;
 
 app_domain(turbo_adapter)
 
@@ -11,3 +11,13 @@
 
 # To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
 hal_client_domain(turbo_adapter, hal_power)
+
+# PAS: for PowerStatsHalDataProvider
+hal_client_domain(turbo_adapter, hal_power_stats)
+
+# PAS: for GoogleCpuTimeProvider
+r_dir_file(turbo_adapter, proc_uid_cputime_showstat);
+
+# PAS: for SuspendControlServiceDataProvider
+binder_call(turbo_adapter, system_suspend_internal_server)
+get_prop(turbo_adapter, suspend_prop)
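Review bot: `turbo_adapter` receives the `system_suspend_internal_server` attribute in the first hunk (`type turbo_adapter, domain, coredomain, system_suspend_internal_server;`) while this hunk makes it a client of that server (`binder_call(turbo_adapter, system_suspend_internal_server)`), so the app domain inherits every rule the platform grants to servers of the internal suspend-control interface, presumably including the right to register that service. If the goal is only to find and call the service, the narrower form is a find rule on its service type, `allow turbo_adapter <system_suspend_control_internal_service type>:service_manager find;`, with the attribute dropped. Whether the platform neverallows permit that find for a non-platform domain needs checking; if they do not, the reason for taking the server attribute should be written down next to the `type` line rather than left looking accidental.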
diff --git a/vibrator/common/device.te b/vibrator/common/device.te
new file mode 100644
index 0000000..3460c8c
--- /dev/null
+++ b/vibrator/common/device.te
@@ -0,0 +1 @@
+type vibrator_snd_device, dev_type;
diff --git a/vibrator/common/file_contexts b/vibrator/common/file_contexts
index 8bdbb99..d1b1060 100644
--- a/vibrator/common/file_contexts
+++ b/vibrator/common/file_contexts
@@ -1 +1,2 @@
-/mnt/vendor/persist/haptics(/.*)?                                                     u:object_r:persist_haptics_file:s0
+/mnt/vendor/persist/haptics(/.*)?   u:object_r:persist_haptics_file:s0
+/persist/haptics(/.*)?              u:object_r:persist_haptics_file:s0
diff --git a/vibrator/common/property.te b/vibrator/common/property.te
new file mode 100644
index 0000000..45556ef
--- /dev/null
+++ b/vibrator/common/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_vibrator_prop)
diff --git a/vibrator/common/service_contexts b/vibrator/common/service_contexts
new file mode 100644
index 0000000..7fe834b
--- /dev/null
+++ b/vibrator/common/service_contexts
@@ -0,0 +1 @@
+android.hardware.vibrator.IVibrator/dual                             u:object_r:hal_vibrator_service:s0
diff --git a/vibrator/cs40l25/file_contexts b/vibrator/cs40l25/file_contexts
index 400ff14..4cc9af0 100644
--- a/vibrator/cs40l25/file_contexts
+++ b/vibrator/cs40l25/file_contexts
@@ -1 +1,5 @@
-/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l25 u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l25        u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l25-dual   u:object_r:hal_vibrator_default_exec:s0
+
+/dev/snd/pcmC0D24p                                                 u:object_r:vibrator_snd_device:s0
+/dev/snd/pcmC1D24p                                                 u:object_r:vibrator_snd_device:s0
diff --git a/vibrator/cs40l25/hal_vibrator_default.te b/vibrator/cs40l25/hal_vibrator_default.te
index 3c94625..219a6b1 100644
--- a/vibrator/cs40l25/hal_vibrator_default.te
+++ b/vibrator/cs40l25/hal_vibrator_default.te
@@ -2,4 +2,16 @@
 
 allow hal_vibrator_default mnt_vendor_file:dir search;
 allow hal_vibrator_default persist_file:dir search;
+
+allow hal_vibrator_default vibrator_snd_device:chr_file rw_file_perms;
+allow hal_vibrator_default vibrator_snd_device:dir search;
+allow hal_vibrator_default audio_device:dir search;
+allow hal_vibrator_default proc_asound:dir search;
+allow hal_vibrator_default proc_asound:file r_file_perms;
+
 r_dir_file(hal_vibrator_default, persist_haptics_file)
+
+get_prop(hal_vibrator_default, vendor_vibrator_prop);
+
+# Allow vibrator HAL's default implementation to use vendor-binder service
+vndbinder_use(hal_vibrator_default);
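Review bot: `get_prop(hal_vibrator_default, vendor_vibrator_prop);` and `vndbinder_use(hal_vibrator_default);` end with a semicolon, while macro calls elsewhere in this file and across the diff (`r_dir_file(...)`, `init_daemon_domain(...)`) do not; the m4 macros already expand to terminated statements, so the `;` is redundant and inconsistent. Drop it here and in the same lines of `cs40l26/hal_vibrator_default.te` and `drv2624/hal_vibrator_default.te`, and in `add_hwservice(...)` in `wifi_ext/hal_wifi_ext.te`. The new `audio_device:dir search` and `proc_asound` reads would also benefit from a one-line comment on what the HAL looks up in ALSA, e.g. `# locate the haptics PCM device via /proc/asound`.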
diff --git a/vibrator/cs40l25/property_contexts b/vibrator/cs40l25/property_contexts
new file mode 100644
index 0000000..64a2600
--- /dev/null
+++ b/vibrator/cs40l25/property_contexts
@@ -0,0 +1 @@
+ro.vendor.vibrator.hal.    u:object_r:vendor_vibrator_prop:s0
diff --git a/vibrator/cs40l25/vendor_init.te b/vibrator/cs40l25/vendor_init.te
new file mode 100644
index 0000000..417a40c
--- /dev/null
+++ b/vibrator/cs40l25/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_vibrator_prop)
diff --git a/vibrator/cs40l26/file_contexts b/vibrator/cs40l26/file_contexts
new file mode 100644
index 0000000..13513c9
--- /dev/null
+++ b/vibrator/cs40l26/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26        u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-dual   u:object_r:hal_vibrator_default_exec:s0
diff --git a/vibrator/cs40l26/hal_vibrator_default.te b/vibrator/cs40l26/hal_vibrator_default.te
new file mode 100644
index 0000000..963a1c9
--- /dev/null
+++ b/vibrator/cs40l26/hal_vibrator_default.te
@@ -0,0 +1,11 @@
+allow hal_vibrator_default input_device:dir search;
+allow hal_vibrator_default input_device:chr_file rw_file_perms;
+
+allow hal_vibrator_default mnt_vendor_file:dir search;
+allow hal_vibrator_default persist_file:dir search;
+r_dir_file(hal_vibrator_default, persist_haptics_file)
+
+get_prop(hal_vibrator_default, vendor_vibrator_prop);
+
+# Allow vibrator HAL's default implementation to use vendor-binder service
+vndbinder_use(hal_vibrator_default);
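Review bot: `allow hal_vibrator_default input_device:chr_file rw_file_perms;` grants the vibrator HAL read/write on every node under `/dev/input`, i.e. every input event device on the system, when it presumably needs only the haptics driver's own node; compare the cs40l25 policy in this diff, which minted `vibrator_snd_device` for two PCM nodes instead of opening all of `audio_device`. Label the haptics input node with its own type and grant that instead: `type vibrator_input_device, dev_type;` in `vibrator/common/device.te` (constructed name), a `file_contexts` entry for the specific `/dev/input/<node>` (placeholder), and `allow hal_vibrator_default vibrator_input_device:chr_file rw_file_perms;` here. If the event node number is not stable across boots, a dedicated symlink or ueventd rule will be needed to label it; keep `input_device:dir search` so the HAL can still traverse the directory.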
diff --git a/vibrator/cs40l26/property_contexts b/vibrator/cs40l26/property_contexts
new file mode 100644
index 0000000..64a2600
--- /dev/null
+++ b/vibrator/cs40l26/property_contexts
@@ -0,0 +1 @@
+ro.vendor.vibrator.hal.    u:object_r:vendor_vibrator_prop:s0
diff --git a/vibrator/cs40l26/vendor_init.te b/vibrator/cs40l26/vendor_init.te
new file mode 100644
index 0000000..417a40c
--- /dev/null
+++ b/vibrator/cs40l26/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_vibrator_prop)
diff --git a/vibrator/drv2624/hal_vibrator_default.te b/vibrator/drv2624/hal_vibrator_default.te
new file mode 100644
index 0000000..e015251
--- /dev/null
+++ b/vibrator/drv2624/hal_vibrator_default.te
@@ -0,0 +1,7 @@
+allow hal_vibrator_default sysfs_leds:dir search;
+
+allow hal_vibrator_default mnt_vendor_file:dir search;
+allow hal_vibrator_default persist_file:dir search;
+r_dir_file(hal_vibrator_default, persist_haptics_file)
+
+get_prop(hal_vibrator_default, vendor_vibrator_prop);
diff --git a/vibrator/drv2624/property_contexts b/vibrator/drv2624/property_contexts
new file mode 100644
index 0000000..64a2600
--- /dev/null
+++ b/vibrator/drv2624/property_contexts
@@ -0,0 +1 @@
+ro.vendor.vibrator.hal.    u:object_r:vendor_vibrator_prop:s0
diff --git a/vibrator/drv2624/vendor_init.te b/vibrator/drv2624/vendor_init.te
new file mode 100644
index 0000000..417a40c
--- /dev/null
+++ b/vibrator/drv2624/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_vibrator_prop)
diff --git a/wifi_ext/file_contexts b/wifi_ext/file_contexts
new file mode 100644
index 0000000..acbd266
--- /dev/null
+++ b/wifi_ext/file_contexts
@@ -0,0 +1,3 @@
+# Wifi
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor          u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy     u:object_r:hal_wifi_ext_exec:s0
diff --git a/wifi_ext/hal_wifi_ext.te b/wifi_ext/hal_wifi_ext.te
new file mode 100644
index 0000000..7f20b42
--- /dev/null
+++ b/wifi_ext/hal_wifi_ext.te
@@ -0,0 +1,11 @@
+type hal_wifi_ext, domain;
+hal_server_domain(hal_wifi_ext, hal_wifi)
+
+type hal_wifi_ext_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_ext)
+
+# Allow to start the IWifi:wifi_ext service
+add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
+
+# Allow to set up bridged interface
+allowxperm hal_wifi_ext self:udp_socket ioctl { SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF};
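Review bot: The comment `# Allow to start the IWifi:wifi_ext service` does not match the name the service is registered under in hwservice_contexts (`vendor.google.wifi_ext::IWifiExt`); change it to `# Register the vendor.google.wifi_ext::IWifiExt hwservice` and drop the trailing `;` after `add_hwservice(...)`, which the other macro calls in this file do not carry. The `allowxperm ... self:udp_socket ioctl { SIOCBRADDBR ... }` line only extends an ioctl whitelist and has effect only if the domain also holds a plain `allow hal_wifi_ext self:udp_socket { create ioctl ... }` — presumably inherited through the `hal_wifi` attribute from `hal_server_domain(hal_wifi_ext, hal_wifi)`, but that dependency is not visible here and deserves a comment such as `# base udp_socket create/ioctl (and net_admin for bridge ioctls) come from hal_wifi`. Since `hal_server_domain` hands this daemon the full hal_wifi permission set, a sentence above the `allowxperm` naming the concrete bridging use case would make the extra ioctls reviewable.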
diff --git a/wifi_ext/hwservice.te b/wifi_ext/hwservice.te
new file mode 100644
index 0000000..1fe9148
--- /dev/null
+++ b/wifi_ext/hwservice.te
@@ -0,0 +1,2 @@
+# wifi_ext service
+type hal_wifi_ext_hwservice, hwservice_manager_type;
diff --git a/wifi_ext/hwservice_contexts b/wifi_ext/hwservice_contexts
new file mode 100644
index 0000000..e8de4ce
--- /dev/null
+++ b/wifi_ext/hwservice_contexts
@@ -0,0 +1,2 @@
+# Wifi
+vendor.google.wifi_ext::IWifiExt                                u:object_r:hal_wifi_ext_hwservice:s0
diff --git a/wifi_logger/README.md b/wifi_logger/README.md
new file mode 100644
index 0000000..f7fc7c0
--- /dev/null
+++ b/wifi_logger/README.md
@@ -0,0 +1,6 @@
+### wifi logger SELinux rules
+
+This directory contains all the SELinux rules for communication with the
+wlan logger and HAL, and forward the configuration parameter from the file.
+
+The implementation is at ['vendor/google/apps/PixelLogger'] directory
diff --git a/wifi_logger/file.te b/wifi_logger/file.te
new file mode 100644
index 0000000..19e7fda
--- /dev/null
+++ b/wifi_logger/file.te
@@ -0,0 +1 @@
+type wifi_logging_data_file, file_type, data_file_type, mlstrustedobject;
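Review bot: `mlstrustedobject` on `wifi_logging_data_file` exempts every file under `/data/vendor/wifi/wlan_logs` from the MLS constraints, a broader grant than the rest of this commit otherwise needs, and it is given without explanation. The only writer that appears to require it is `logger_app` (logger_app.te), which as an app domain presumably runs at a per-user MLS level and could otherwise not write a vendor-level directory; if that is the reason, record it: `# mlstrustedobject: written by logger_app, which runs at a per-user MLS level (userdebug only)`. If no app-level writer is intended, the attribute should be dropped rather than left as a silent widening.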
diff --git a/wifi_logger/file_contexts b/wifi_logger/file_contexts
new file mode 100644
index 0000000..c4f7b21
--- /dev/null
+++ b/wifi_logger/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/wifi_logger                             u:object_r:wifi_logger_exec:s0
+/data/vendor/wifi/wlan_logs(/.*)?                   u:object_r:wifi_logging_data_file:s0
diff --git a/wifi_logger/hal_wifi_ext.te b/wifi_logger/hal_wifi_ext.te
new file mode 100644
index 0000000..6d28cfd
--- /dev/null
+++ b/wifi_logger/hal_wifi_ext.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+  allow hal_wifi_ext wifi_logging_data_file:dir rw_dir_perms;
+  allow hal_wifi_ext wifi_logging_data_file:file create_file_perms;
+')
diff --git a/wifi_logger/logger_app.te b/wifi_logger/logger_app.te
new file mode 100644
index 0000000..117a6fe
--- /dev/null
+++ b/wifi_logger/logger_app.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+  allow logger_app wifi_logging_data_file:dir create_dir_perms;
+  allow logger_app wifi_logging_data_file:file create_file_perms;
+  set_prop(logger_app, vendor_wlan_logging_prop)
+')
diff --git a/wifi_logger/property.te b/wifi_logger/property.te
new file mode 100644
index 0000000..36b7747
--- /dev/null
+++ b/wifi_logger/property.te
@@ -0,0 +1,3 @@
+# vendor logging property
+vendor_internal_prop(vendor_wlan_logging_prop)
+
diff --git a/wifi_logger/property_contexts b/wifi_logger/property_contexts
new file mode 100644
index 0000000..161fcb7
--- /dev/null
+++ b/wifi_logger/property_contexts
@@ -0,0 +1 @@
+persist.vendor.wifi.logger.start        u:object_r:vendor_wlan_logging_prop:s0
diff --git a/wifi_logger/wifi_logger.te b/wifi_logger/wifi_logger.te
new file mode 100644
index 0000000..7a15732
--- /dev/null
+++ b/wifi_logger/wifi_logger.te
@@ -0,0 +1,22 @@
+type wifi_logger, domain;
+type wifi_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  # make transition from init to its domain
+  init_daemon_domain(wifi_logger)
+  net_domain(wifi_logger)
+
+  get_prop(wifi_logger, hwservicemanager_prop)
+  get_prop(wifi_logger, wifi_hal_prop)
+  get_prop(wifi_logger, vendor_wlan_logging_prop)
+  binder_call(wifi_logger, hwservicemanager)
+  binder_call(wifi_logger, hal_wifi_ext)
+
+  allow wifi_logger hal_wifi_ext_hwservice:hwservice_manager find;
+  allow wifi_logger wifi_logging_data_file:dir create_dir_perms;
+  allow wifi_logger wifi_logging_data_file:file create_file_perms;
+  allow wifi_logger wpa_data_file:dir r_dir_perms;
+  allow wifi_logger wpa_data_file:sock_file getattr;
+  allow wifi_logger hostapd_data_file:dir r_dir_perms;
+  allow wifi_logger hostapd_data_file:sock_file getattr;
+')
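Review bot: Every rule for `wifi_logger`, including `init_daemon_domain`, is inside `userdebug_or_eng`, while the type, `wifi_logger_exec` and the `/vendor/bin/wifi_logger` label in file_contexts are unconditional; on a user build init would have no transition for that binary, so the init.rc service that starts it must be equally gated (not visible in this change — please confirm), and a note on the type line such as `# No rules on user builds: the service must not be started there` would prevent a later regression. `net_domain(wifi_logger)` gives a log-collection daemon full socket and DNS access; if it only talks to `hal_wifi_ext` over binder, the narrower explicit `allow`s it actually needs would be preferable, or at least a comment stating what the network access is for. The `wpa_data_file`/`hostapd_data_file` directory reads and `sock_file getattr` are also uncommented; a line like `# Probe wpa_supplicant/hostapd control sockets to find the active interface` (or whatever the real purpose is) would make the grant reviewable. Finally, `binder_call(wifi_logger, hal_wifi_ext)` only lets the logger call into the HAL; if the HAL delivers log callbacks, the reverse `binder_call(hal_wifi_ext, wifi_logger)` is needed as well.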
diff --git a/wifi_sniffer/wifi_sniffer.te b/wifi_sniffer/wifi_sniffer.te
index 70cfa31..3c9ad62 100644
--- a/wifi_sniffer/wifi_sniffer.te
+++ b/wifi_sniffer/wifi_sniffer.te
@@ -15,6 +15,4 @@
   allow wifi_sniffer self:netlink_generic_socket create_socket_perms_no_ioctl;
 
   get_prop(wifi_sniffer, vendor_wifi_sniffer_prop)
-
-  dontaudit wifi_sniffer debugfs_wlan:dir search;
 ')