Merge "Add file_contexts for sepolicy mainline module"
diff --git a/Android.bp b/Android.bp
index e517356..8ee5cbc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1156,6 +1156,33 @@
installable: false,
}
+// bug_map - Bug tracking information for selinux denials loaded by auditd.
+se_filegroup {
+ name: "bug_map_files",
+ srcs: ["bug_map"],
+}
+
+se_bug_map {
+ name: "plat_bug_map",
+ srcs: [":bug_map_files"],
+ stem: "bug_map",
+}
+
+se_bug_map {
+ name: "system_ext_bug_map",
+ srcs: [":bug_map_files"],
+ stem: "bug_map",
+ system_ext_specific: true,
+}
+
+se_bug_map {
+ name: "vendor_bug_map",
+ srcs: [":bug_map_files"],
+ // Legacy file name of the vendor partition bug_map.
+ stem: "selinux_denial_metadata",
+ vendor: true,
+}
+
//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables:
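Review bot: The `vendor_bug_map` module no longer produces the single merged file that the removed Make rule built: per `expandSeSources` in build/soong/bug_map.go the vendor variant only pulls the se_filegroup's vendor and system-vendor sources, whereas the old `selinux_denial_metadata` target concatenated `$(PLAT_PRIVATE_POLICY)`, `$(PLAT_PUBLIC_POLICY)` and `$(BOARD_VENDOR_SEPOLICY_DIRS)` into it. If auditd on the device still reads only `/vendor/etc/selinux/selinux_denial_metadata`, the platform entries now land in `/system/etc/selinux/bug_map` and are lost unless auditd also reads that path; I cannot confirm from this diff which paths auditd loads. Worth stating the split explicitly in the header comment, e.g. `// Each variant installs only the bug_map entries of its own partition; auditd is expected to load all three.`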
diff --git a/Android.mk b/Android.mk
index 6fd84e9..efacc1b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -381,6 +381,7 @@
plat_service_contexts_test \
plat_hwservice_contexts \
plat_hwservice_contexts_test \
+ plat_bug_map \
searchpolicy \
# This conditional inclusion closely mimics the conditional logic
@@ -455,6 +456,7 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
+ system_ext_bug_map \
$(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
endif
@@ -549,6 +551,7 @@
vendor_service_contexts \
vendor_hwservice_contexts \
vendor_hwservice_contexts_test \
+ vendor_bug_map \
vndservice_contexts \
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -567,9 +570,6 @@
LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
LOCAL_REQUIRED_MODULES += selinux_policy_product
-LOCAL_REQUIRED_MODULES += \
- selinux_denial_metadata \
-
# Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \
@@ -1212,26 +1212,6 @@
file_contexts.modules.tmp :=
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_denial_metadata
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
-
-$(LOCAL_BUILT_MODULE) : $(bug_files)
- @mkdir -p $(dir $@)
- cat $^ > $@
-
-bug_files :=
-
-##################################
include $(LOCAL_PATH)/seapp_contexts.mk
##################################
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 3126430..e3b6541 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,6 +31,7 @@
"soong-sysprop",
],
srcs: [
+ "bug_map.go",
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
new file mode 100644
index 0000000..91c6347
--- /dev/null
+++ b/build/soong/bug_map.go
@@ -0,0 +1,112 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_bug_map", bugMapFactory)
+}
+
+// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
+func bugMapFactory() android.Module {
+ c := &bugMap{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+type bugMap struct {
+ android.ModuleBase
+ properties bugMapProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type bugMapProperties struct {
+ // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ Srcs []string `android:"path"`
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+}
+
+func (b *bugMap) stem() string {
+ return proptools.StringDefault(b.properties.Stem, b.Name())
+}
+
+func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
+ srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
+ for _, src := range b.properties.Srcs {
+ if m := android.SrcIsModule(src); m != "" {
+ module := android.GetModuleFromPathDep(ctx, m, "")
+ if module == nil {
+ // Error would have been handled by ExtractSourcesDeps
+ continue
+ }
+ if fg, ok := module.(*fileGroup); ok {
+ if b.SocSpecific() {
+ srcPaths = append(srcPaths, fg.VendorSrcs()...)
+ srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
+ } else if b.SystemExtSpecific() {
+ srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+ } else {
+ srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+ }
+ } else {
+ ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+ }
+ } else {
+ srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+ }
+ }
+ return android.FirstUniquePaths(srcPaths)
+}
+
+func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
+ ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
+ }
+
+ srcPaths := b.expandSeSources(ctx)
+ out := android.PathForModuleGen(ctx, b.Name())
+ ctx.Build(pctx, android.BuildParams{
+ Rule: android.Cat,
+ Inputs: srcPaths,
+ Output: out,
+ Description: "Combining bug_map for " + b.Name(),
+ })
+
+ b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ b.installSource = out
+ ctx.InstallFile(b.installPath, b.stem(), b.installSource)
+}
+
+func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(b.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
+ },
+ },
+ }}
+}
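Review bot: `GenerateAndroidBuildActions` keeps going after reporting the partition error, so a product- or odm-specific `se_bug_map` still gets a `Cat` build rule and an `InstallFile` into `etc/selinux` of that partition; Soong will fail the build on the error anyway, but the early exit keeps the invalid module from registering actions and is the usual pattern: `ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions"); return`. Separately, `expandSeSources` silently chooses which source set of an se_filegroup to use based on the module's partition, while plain file paths in `srcs` are always included regardless of partition — that asymmetry deserves a comment on the `Srcs` property, e.g. `// Files referenced through an se_filegroup are filtered by this module's partition (vendor/system_ext/system); literal paths are always included.`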
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 343ec7a..25cfda4 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,3 +41,7 @@
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
+# this should perhaps be moved to the bpfloader binary itself. Allow both.
+neverallow { domain -bpfloader -init } proc_bpf:file write;
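Review bot: The comment says "Allow both", but the only grant for `proc_bpf:file` writes in this diff is the `init` addition in public/init.te; no `allow bpfloader proc_bpf:file ...` is visible, so either the allow exists elsewhere in private/bpfloader.te (not shown in this hunk) or the comment overstates what is permitted — please confirm. Note also that `vendor_init` is not exempted, so a vendor init.rc cannot set `bpf_jit_*` or `unprivileged_bpf_disabled`; if that is deliberate it is worth saying so, e.g. `# vendor_init is intentionally excluded: BPF sysctls are platform-owned.` This hunk sits at the end of bpfloader.te.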
diff --git a/private/charger.te b/private/charger.te
index 8be113f..c5f3a50 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -2,16 +2,13 @@
# charger needs to tell init to continue the boot
# process when running in charger mode.
+# The system charger needs to be allowed to set these properties on legacy devices.
set_prop(charger, system_prop)
set_prop(charger, exported_system_prop)
set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
+# The system charger can read ro.charger.*
get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
compatible_property_only(`
neverallow {
@@ -21,11 +18,3 @@
-charger
} charger_prop:file no_rw_file_perms;
')
-
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
- -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/private/charger_type.te b/private/charger_type.te
new file mode 100644
index 0000000..cb699de
--- /dev/null
+++ b/private/charger_type.te
@@ -0,0 +1,38 @@
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger_type, charger_status_prop)
+get_prop(charger_type, charger_config_prop)
+
+# get minui properties
+get_prop(charger_type, recovery_config_prop)
+
+### Neverallow rules for charger properties
+
+# charger_config_prop: Only init and vendor_init is allowed to set it
+neverallow {
+ domain
+ -init
+ -vendor_init
+} charger_config_prop:property_service set;
+
+# charger_status_prop: Only init, vendor_init, charger, and hal_health_server
+# are allowed to set it
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -charger
+ -hal_health_server
+} charger_status_prop:property_service set;
+
+# Both charger_config_prop and charger_status_prop:
+# Only init, vendor_init, dumpstate, charger, and hal_health_server
+# are allowed to read it
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+ -charger
+ -hal_health_server
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
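Review bot: The grants at the top of the file are on the `charger_type` attribute (`set_prop(charger_type, charger_status_prop)`, `get_prop(charger_type, charger_config_prop)`), but the neverallows below exempt only `charger` and `hal_health_server`, not `charger_type`. Since `charger_type` is declared in public/attributes, a vendor domain that takes the attribute without also being `hal_health_server` would violate the `charger_status_prop:property_service set` and the `:file no_rw_file_perms` neverallows at policy compile time. If the intent is that only the system `charger` and the health HAL may be `charger_type`, document it here (e.g. `# charger_type domains must be charger or hal_health_server; the neverallows below enforce this.`); otherwise the exemptions should be `-charger_type` rather than `-charger`.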
diff --git a/private/clatd.te b/private/clatd.te
index 0fa774a..dfcaf57 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -12,25 +12,9 @@
# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 061edca..eaf971b 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1964,6 +1964,7 @@
(typeattributeset privapp_data_file_31_0 (privapp_data_file))
(typeattributeset proc_31_0
( proc
+ proc_bpf
proc_cpu_alignment
))
(typeattributeset proc_abi_31_0 (proc_abi))
@@ -1996,7 +1997,10 @@
(typeattributeset proc_misc_31_0 (proc_misc))
(typeattributeset proc_modules_31_0 (proc_modules))
(typeattributeset proc_mounts_31_0 (proc_mounts))
-(typeattributeset proc_net_31_0 (proc_net))
+(typeattributeset proc_net_31_0
+ ( proc_bpf
+ proc_net
+))
(typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp))
(typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory))
(typeattributeset proc_page_cluster_31_0 (proc_page_cluster))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index f9645f4..47a2e8c 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -14,9 +14,15 @@
hal_contexthub_service
hal_graphics_composer_service
hal_health_service
+ hal_radio_config_service
+ hal_radio_data_service
+ hal_radio_messaging_service
+ hal_radio_modem_service
+ hal_radio_network_service
+ hal_radio_sim_service
+ hal_radio_voice_service
hal_sensors_service
hal_system_suspend_service
- hal_radio_service
hal_tv_tuner_service
hal_uwb_service
hal_uwb_vendor_service
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index c4e589d..69ff58c 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -22,6 +22,7 @@
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2006ffe..39b04f3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -44,6 +44,7 @@
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
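Review bot: The new `proc_bpf` entries rely on genfscon's prefix matching — `/sys/kernel/bpf_`, `/sys/kernel/unprivileged_bpf_` and `/sys/net/core/bpf_` deliberately end in an underscore so that every sysctl starting with that string (e.g. the bpf_jit_* knobs under net/core, which matter for JIT hardening) is covered, including ones added by future kernels. That is easy to misread as a typo; a one-line comment would prevent a later "fix", e.g. `# proc_bpf: prefix matches, covers /proc/sys/kernel/bpf_*, unprivileged_bpf_* and /proc/sys/net/core/bpf_*`. Note that `/proc/sys/net/core/bpf_*` files were previously `proc_net`, so domains that only have `proc_net` read access lose read on them; the compat mapping handles old policy, but current-version readers should be checked.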
@@ -74,8 +75,10 @@
genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
@@ -229,6 +232,12 @@
genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /synthetic_events u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/synthetic_events u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
+
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
diff --git a/private/init.te b/private/init.te
index 09a9a5e..b02b620 100644
--- a/private/init.te
+++ b/private/init.te
@@ -106,6 +106,11 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
+# attempt to write a non exisiting 'synthetic_events' file, when setting
+# up synthetic events. This is a no-op in tracefs.
+dontaudit init debugfs_tracing_debug:dir { write add_name };
+
# chown/chmod on devices.
allow init {
dev_type
diff --git a/private/service_contexts b/private/service_contexts
index 50002d4..f79715d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -14,7 +14,25 @@
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_config_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_data_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_data_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_data_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_messaging_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_messaging_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_messaging_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_modem_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_modem_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_modem_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_network_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_network_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_network_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_sim_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_sim_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_sim_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 4c87b3f..9f620c2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -70,6 +70,12 @@
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
+# For release odex/vdex compress blocks
+allowxperm system_server dalvikcache_data_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
+};
+
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
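Review bot: The `allowxperm` for `F2FS_IOC_RELEASE_COMPRESS_BLOCKS` is paired only with the `r_file_perms` grant on `dalvikcache_data_file` two lines above; as far as I recall the f2fs implementation of that ioctl rejects descriptors not opened for writing (and marks the file immutable afterwards), in which case system_server would also need `write`/`open` for writing on these files, which this hunk does not show. Please confirm either that the write grant exists elsewhere in system_server.te or that the ioctl succeeds on a read-only fd, and record the outcome in the comment, e.g. `# Requires a writable fd; write access is granted in <rule>`.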
@@ -712,6 +718,7 @@
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_virtualization_framework_native_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
diff --git a/public/attributes b/public/attributes
index a68a6fc..df82abf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -412,3 +412,10 @@
# Types used for module-specific APEX data directories under
# /data/{misc,misc_ce,misc_de}/apexdata.
attribute apex_data_file_type;
+
+# Domains used for charger.
+# This is the common type for domains that executes charger's
+# functionalities, including setting and getting necessary properties,
+# permissions to maintain the health loop, writing to kernel log, handling
+# inputs and drawing screens, etc.
+attribute charger_type;
diff --git a/public/charger.te b/public/charger.te
index 37359e3..418dff9 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -1,40 +1,5 @@
-type charger, domain;
+type charger, charger_type, domain;
type charger_exec, system_file_type, exec_type, file_type;
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger sysfs_type:dir r_dir_perms;
-
-allow charger self:global_capability_class_set { sys_tty_config };
-allow charger self:global_capability_class_set sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger sysfs_power:file rw_file_perms;
-
-r_dir_file(charger, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
+# The system charger is a client of HIDL health HAL.
hal_client_domain(charger, hal_health)
diff --git a/public/charger_type.te b/public/charger_type.te
new file mode 100644
index 0000000..4241360
--- /dev/null
+++ b/public/charger_type.te
@@ -0,0 +1,37 @@
+# Write to /dev/kmsg
+allow charger_type kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger_type, rootfs)
+r_dir_file(charger_type, cgroup)
+r_dir_file(charger_type, cgroup_v2)
+
+# Allow to read /sys/class/power_supply directory
+allow charger_type sysfs_type:dir r_dir_perms;
+
+allow charger_type self:global_capability_class_set {
+ sys_boot
+ sys_tty_config
+};
+
+wakelock_use(charger_type)
+
+allow charger_type self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger_type sysfs_power:file rw_file_perms;
+
+r_dir_file(charger_type, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger_type pstorefs:dir r_dir_perms;
+allow charger_type pstorefs:file r_file_perms;
+
+allow charger_type graphics_device:dir r_dir_perms;
+allow charger_type graphics_device:chr_file rw_file_perms;
+allow charger_type input_device:dir r_dir_perms;
+allow charger_type input_device:chr_file r_file_perms;
+allow charger_type tty_device:chr_file rw_file_perms;
+allow charger_type proc_sysrq:file rw_file_perms;
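Review bot: Everything in this file is now granted to the public `charger_type` attribute rather than to the `charger` domain, so any vendor domain that adds `charger_type` inherits `sys_boot`, `rw_file_perms` on `proc_sysrq`, `sysfs_power`, `graphics_device` and `tty_device`, plus `pstorefs` reads and `sysfs_type:dir` reads. The "Don't worry about overly broad permissions" remark at the pstorefs rule was written for a single platform domain and reads differently once the set is an attribute; a header line would make the scope explicit, e.g. `# Every rule below applies to all charger_type domains, including vendor ones; keep additions minimal.` The corresponding neverallows that bound who may be `charger_type` live in private/charger_type.te, not here.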
diff --git a/public/file.te b/public/file.te
index bfc20d4..b8b9899 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,6 +23,7 @@
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
+type proc_bpf, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpu_alignment, fs_type, proc_type;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index e21796a..8a1fbe5 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,7 +3,13 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-hal_attribute_service(hal_telephony, hal_radio_service)
+hal_attribute_service(hal_telephony, hal_radio_config_service)
+hal_attribute_service(hal_telephony, hal_radio_data_service)
+hal_attribute_service(hal_telephony, hal_radio_messaging_service)
+hal_attribute_service(hal_telephony, hal_radio_modem_service)
+hal_attribute_service(hal_telephony, hal_radio_network_service)
+hal_attribute_service(hal_telephony, hal_radio_sim_service)
+hal_attribute_service(hal_telephony, hal_radio_voice_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 8799134..5c3e4e7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -371,6 +371,7 @@
allow init {
proc_abi
+ proc_bpf
proc_cpu_alignment
proc_dirty
proc_hostname
diff --git a/public/service.te b/public/service.te
index 19f7aaa..7f1fbe2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -273,13 +273,19 @@
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_config_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_data_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_messaging_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_modem_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_network_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_sim_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_voice_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_sensors_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
-type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;