[automerger skipped] Merge Android 14 QPR1 am: 5f9cc46c75 -s ours am: 7af1b9d304 -s ours am: e8cb7392ba -s ours

am skip reason: Merged-In I8ee515e5ae5498296342d1f432ba9fa5716f221d with SHA-1 3dbfb9e35f is already in history

Original change: https://android-review.googlesource.com/c/device/google/gs201-sepolicy/+/2866361

Change-Id: I2dfdcd71b09693fc3e9f6de7f3c376b94ee43846
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/private/google_camera_app.te b/private/google_camera_app.te
index dc7ee28..6a9dff3 100644
--- a/private/google_camera_app.te
+++ b/private/google_camera_app.te
@@ -12,3 +12,6 @@
 
 # Allows camera app to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 2639b9d..3972629 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,25 +1,11 @@
-cat_engine_service_app system_app_data_file dir b/238705599
-dex2oat privapp_data_file dir b/276386138
-hal_contexthub_default fwk_stats_service service_manager b/241714943
+hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
-hal_radioext_default radio_vendor_data_file file b/237093466
-incidentd debugfs_wakeup_sources file b/237492091
-incidentd incidentd anon_inode b/268147092
-init-insmod-sh vendor_ready_prop property_service b/239364360
-kernel vendor_charger_debugfs dir b/238571150
-kernel vendor_usb_debugfs dir b/227121550
-shell adb_keys_file file b/239484612
-shell cache_file lnk_file b/239484612
-shell init_exec lnk_file b/239484612
-shell linkerconfig_file dir b/239484612
-shell metadata_file dir b/239484612
-shell mirror_data_file dir b/239484612
-shell postinstall_mnt_dir dir b/239484612
-shell rootfs file b/239484612
-shell sscoredump_vendor_data_crashinfo_file dir b/241714944
-shell system_dlkm_file dir b/239484612
-su modem_img_file filesystem b/240653918
-system_app proc_pagetypeinfo file b/275645892
-system_server privapp_data_file lnk_file b/276385494
-system_server system_userdir_file dir b/282096141
-platform_app hal_uwb_vendor_service find b/290766628
+incidentd debugfs_wakeup_sources file b/282626428
+incidentd incidentd anon_inode b/282626428
+kernel vendor_charger_debugfs dir b/307863370
+rild default_prop file b/315720727
+rild default_prop file b/315721328
+surfaceflinger selinuxfs file b/315104594
+vendor_init default_prop file b/315104479
+vendor_init default_prop file b/315104803
+vendor_init default_prop property_service b/315104803
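Review bot: Two of the added keys are repeated with different bugs: `rild default_prop file` is mapped to both b/315720727 and b/315721328, and `vendor_init default_prop file` to both b/315104479 and b/315104803. The denial-to-bug lookup is keyed on the source/target/class triple, so presumably only one bug number per triple is ever attached to a logged denial and the other is silently dropped. Keep one entry per triple and cross-reference the second bug from the first. All of these target `default_prop`, which suggests the properties involved still lack a dedicated label; that is worth resolving rather than tracking long-term.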
diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te
new file mode 100644
index 0000000..68719b9
--- /dev/null
+++ b/tracking_denials/dmd.te
@@ -0,0 +1,2 @@
+#b/303391666
+dontaudit dmd servicemanager:binder { call };
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 0dc30ea..ffb8518 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,2 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/237491813
-dontaudit dumpstate app_zygote:process { signal };
-# b/277155245
-dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
deleted file mode 100644
index cfe7fcf..0000000
--- a/tracking_denials/hal_drm_widevine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/229209076
-dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index a2ce6fd..0000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/237492146
-dontaudit hal_power_default hal_power_default:capability { dac_override };
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
deleted file mode 100644
index abbd2f9..0000000
--- a/tracking_denials/hal_thermal_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/205904328
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
deleted file mode 100644
index 2e0025f..0000000
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/208721505
-dontaudit hal_uwb_vendor_default dumpstate:fd { use };
-dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
index 390bfa3..d9199c7 100644
--- a/tracking_denials/hal_vibrator_default.te
+++ b/tracking_denials/hal_vibrator_default.te
@@ -1,2 +1,3 @@
-# b/274727778
-dontaudit hal_vibrator_default default_android_service:service_manager { find };
+# b/306344298
+dontaudit hal_vibrator_default service_manager_type:service_manager find;
+
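Review bot: The new rule `dontaudit hal_vibrator_default service_manager_type:service_manager find;` silences lookups of every service type, where the line it replaces covered only `default_android_service`. With the attribute as the target, a vibrator HAL that starts probing unrelated services leaves no audit record, which removes a useful detection signal. Narrow the target to the specific service type seen in the denial tracked by b/306344298, or keep `default_android_service` if that is still the one being denied. The empty line added at the end of the file can also be dropped.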
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index e6fce30..0000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/237492091
-dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index a2e2163..0000000
--- a/tracking_denials/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/227121550
-dontaudit kernel vendor_votable_debugfs:dir search;
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
index 72e6e6e..a6b549f 100644
--- a/tracking_denials/servicemanager.te
+++ b/tracking_denials/servicemanager.te
@@ -1,2 +1,2 @@
-# b/214122471
-dontaudit servicemanager hal_fingerprint_default:binder { call };
+# b/305600595
+dontaudit servicemanager hal_thermal_default:binder call;
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
deleted file mode 100644
index cd7b63d..0000000
--- a/tracking_denials/surfaceflinger.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/215042694
-dontaudit surfaceflinger kernel:process { setsched };
-# b/208721808
-dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
deleted file mode 100644
index ea8ff1e..0000000
--- a/tracking_denials/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205656950
-dontaudit vendor_init thermal_link_device:file { create };
diff --git a/tracking_denials/vndservicemanager.te b/tracking_denials/vndservicemanager.te
deleted file mode 100644
index 9931d43..0000000
--- a/tracking_denials/vndservicemanager.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/278639040
-dontaudit vndservicemanager hal_keymint_citadel:binder { call };
-# b/278639040
-dontaudit vndservicemanager hal_keymint_citadel:binder { call };
diff --git a/whitechapel_pro/cat_engine_service_app.te b/whitechapel_pro/cat_engine_service_app.te
index eacf962..876b796 100644
--- a/whitechapel_pro/cat_engine_service_app.te
+++ b/whitechapel_pro/cat_engine_service_app.te
@@ -4,5 +4,6 @@
   app_domain(cat_engine_service_app)
   get_prop(cat_engine_service_app, vendor_rild_prop)
   allow cat_engine_service_app app_api_service:service_manager find;
-  allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+  allow cat_engine_service_app system_app_data_file:dir create_dir_perms;
+  allow cat_engine_service_app system_app_data_file:file create_file_perms;
 ')
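Review bot: `create_dir_perms` and `create_file_perms` on `system_app_data_file` let cat_engine_service_app create, modify and delete data under any directory carrying that shared label, not only its own; the rule being replaced was read-only on directories. If the app only needs its own storage, a dedicated data type would keep the grant scoped; at minimum add a comment stating why write access to the shared type is required, e.g. `# Needs to write its own files under the system_app data dir (b/238705599)`. The enclosing block opens above this hunk, so whether these rules are limited to debug builds cannot be confirmed from here.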
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index add4b9e..427a773 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -1,12 +1,12 @@
 userdebug_or_eng(`
-	# Allows camera app to access the GXP device.
+	# Allows camera app to access the GXP device and properties.
 	allow debug_camera_app gxp_device:chr_file rw_file_perms;
+	get_prop(debug_camera_app, vendor_gxp_prop)
 
 	# Allows camera app to search for GXP firmware file.
 	allow debug_camera_app vendor_fw_file:dir search;
-')
-userdebug_or_eng(`
+
 	# Allows GCA-Eng to find and access the EdgeTPU.
 	allow debug_camera_app edgetpu_app_service:service_manager find;
 	allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-')
\ No newline at end of file
+')
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 1b17239..ae74fea 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -1,18 +1,14 @@
-type sda_block_device, dev_type;
-type devinfo_block_device, dev_type;
 type modem_block_device, dev_type;
 type custom_ab_block_device, dev_type;
 type persist_block_device, dev_type;
 type efs_block_device, dev_type;
 type modem_userdata_block_device, dev_type;
 type mfg_data_block_device, dev_type;
-type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
 type logbuffer_device, dev_type;
 type rls_device, dev_type;
 type fingerprint_device, dev_type;
-type gxp_device, dev_type, mlstrustedobject;
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
index eaab9b2..da71a84 100644
--- a/whitechapel_pro/dumpstate.te
+++ b/whitechapel_pro/dumpstate.te
@@ -13,4 +13,4 @@
 allow dumpstate modem_userdata_file:dir r_dir_perms;
 allow dumpstate modem_img_file:dir r_dir_perms;
 allow dumpstate fuse:dir search;
-
+allow dumpstate rlsservice:binder call;
\ No newline at end of file
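Review bot: The added rule ends the file without a newline, and the same is true of whitechapel_pro/genfs_contexts and whitechapel_pro/rlsservice.te in this commit. Policy sources are concatenated before compilation, so a missing final newline can glue the last rule to the first line of the next file, depending on how the build joins them; end each of these files with a newline. The rule also has no comment, while the matching rules in rlsservice.te do; something like `# Allow dumpstate to call rlsservice for bugreport generation` would pair with them.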
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index fb4bad8..378c466 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -7,8 +7,6 @@
 type updated_wifi_firmware_data_file, file_type, data_file_type;
 type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
-type sensor_debug_data_file, file_type, data_file_type;
-type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
@@ -29,7 +27,6 @@
 
 # sysfs
 type sysfs_chosen, sysfs_type, fs_type;
-type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
@@ -59,7 +56,6 @@
 type persist_battery_file, file_type, vendor_persist_type;
 type persist_camera_file, file_type, vendor_persist_type;
 type persist_modem_file, file_type, vendor_persist_type;
-type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_uwb_file, file_type, vendor_persist_type;
 type persist_display_file, file_type, vendor_persist_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 80bf872..e5defcc 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -20,9 +20,9 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty                u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty         u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty   u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty            u:object_r:hal_secretkeeper_default_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service                        u:object_r:hal_radioext_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic               u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201                   u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel             u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service                    u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service                     u:object_r:mediacodec_google_exec:s0
@@ -35,7 +35,6 @@
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor         u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service                               u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service                       u:object_r:hal_usb_gadget_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging          u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/rild_exynos                                                  u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                       u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice                                                      u:object_r:rlsservice_exec:s0
@@ -45,10 +44,14 @@
 /vendor/bin/hw/disable_contaminant_detection\.sh                            u:object_r:disable-contaminant-detection-sh_exec:s0
 /vendor/bin/dump/dump_power_gs201\.sh                                       u:object_r:dump_power_gs201_exec:s0
 /vendor/bin/ufs_firmware_update\.sh                                         u:object_r:ufs_firmware_update_exec:s0
+/vendor/bin/init\.check_ap_pd_auth\.sh                                      u:object_r:init-check_ap_pd_auth-sh_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)?                                                      u:object_r:vendor_fw_file:s0
 
+# Gralloc
+/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so                       u:object_r:same_process_hal_file:s0
+
 # Vendor libraries
 /vendor/lib(64)?/libdrm\.so                                                 u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libion_google\.so                                          u:object_r:same_process_hal_file:s0
@@ -61,8 +64,6 @@
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so                      u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so                                  u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so                        u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libgxp\.so                                                 u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/gxp_metrics_logger\.so                                     u:object_r:same_process_hal_file:s0
 
 # Graphics
 /vendor/lib(64)?/hw/gralloc\.gs201\.so                                      u:object_r:same_process_hal_file:s0
@@ -103,6 +104,7 @@
 /dev/logbuffer_maxfg_base_monitor                                           u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor                                           u:object_r:logbuffer_device:s0
 /dev/logbuffer_bd                                                           u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpif                                                         u:object_r:logbuffer_device:s0
 /dev/logbuffer_pcie0                                                        u:object_r:logbuffer_device:s0
 /dev/logbuffer_pcie1                                                        u:object_r:logbuffer_device:s0
 /dev/bbd_pwrstat                                                            u:object_r:power_stats_device:s0
@@ -144,7 +146,6 @@
 /dev/gxp                                                                    u:object_r:gxp_device:s0
 /dev/dit2                                                                   u:object_r:vendor_toe_device:s0
 /dev/trusty-ipc-dev0                                                        u:object_r:tee_device:s0
-/dev/sg1                                                                    u:object_r:sg_device:s0
 /dev/st21nfc                                                                u:object_r:nfc_device:s0
 /dev/st54spi                                                                u:object_r:st54spi_device:s0
 /dev/st33spi                                                                u:object_r:st33spi_device:s0
@@ -205,8 +206,6 @@
 /data/vendor/media(/.*)?                                                    u:object_r:vendor_media_data_file:s0
 /data/vendor/misc(/.*)?                                                     u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)?                                                        u:object_r:per_boot_file:s0
-/data/vendor/sensors/debug(/.*)?                                            u:object_r:sensor_debug_data_file:s0
-/data/vendor/sensors/registry(/.*)?                                         u:object_r:sensor_reg_data_file:s0
 /data/vendor/uwb(/.*)?                                                      u:object_r:uwb_data_vendor:s0
 /dev/maxfg_history                                                          u:object_r:battery_history_device:s0
 /dev/battery_history                                                        u:object_r:battery_history_device:s0
@@ -216,7 +215,6 @@
 /mnt/vendor/persist/battery(/.*)?                                           u:object_r:persist_battery_file:s0
 /mnt/vendor/persist/camera(/.*)?                                            u:object_r:persist_camera_file:s0
 /mnt/vendor/persist/modem(/.*)?                                             u:object_r:persist_modem_file:s0
-/mnt/vendor/persist/sensors/registry(/.*)?                                  u:object_r:persist_sensor_reg_file:s0
 /mnt/vendor/persist/ss(/.*)?                                                u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/uwb(/.*)?                                               u:object_r:persist_uwb_file:s0
 /mnt/vendor/persist/display(/.*)?                                           u:object_r:persist_display_file:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ffc3dbd..ff6464f 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -477,6 +477,18 @@
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception      u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32      u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1      u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status     u:object_r:sysfs_aoc_notifytimeout:s0
 
 # GPS
 genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby   u:object_r:sysfs_gps:s0
+
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/0-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/1-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-003c              u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c              u:object_r:sysfs_wlc:s0
\ No newline at end of file
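Review bot: The ten `sysfs_wlc` entries are appended after the GPS entry with no heading of their own, so they read as part of the `# GPS` group. Add a heading such as `# WLC` above them and, if `i2c-0` through `i2c-9` are enumerated because the bus index is not stable, say so in the comment; otherwise the reason for the range is not recoverable from the file. Any device that appears at address `003c` on one of these buses receives the label, and this commit grants hal_wireless_charger read-write access to files of that type, so the breadth of the match deserves a line of justification.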
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index 572d1d6..0ef04cc 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -1,5 +1,6 @@
-# Allows camera app to access the GXP device.
+# Allows camera app to access the GXP device and properties.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(google_camera_app, vendor_gxp_prop)
 
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
@@ -7,6 +8,3 @@
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Library code may try to access vendor properties, but should be denied
-dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/whitechapel_pro/gxp_logging.te b/whitechapel_pro/gxp_logging.te
deleted file mode 100644
index 107942d..0000000
--- a/whitechapel_pro/gxp_logging.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type gxp_logging, domain;
-type gxp_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(gxp_logging)
-
-# The logging service accesses /dev/gxp
-allow gxp_logging gxp_device:chr_file rw_file_perms;
-
-# Allow gxp tracing service to send packets to Perfetto
-userdebug_or_eng(`perfetto_producer(gxp_logging)')
diff --git a/whitechapel_pro/hal_bootctl_default.te b/whitechapel_pro/hal_bootctl_default.te
deleted file mode 100644
index 30db79b..0000000
--- a/whitechapel_pro/hal_bootctl_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default sysfs_ota:file rw_file_perms;
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 0590998..c16b248 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -28,9 +28,6 @@
 allow hal_camera_default edgetpu_app_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_app_server)
 
-# Allow the camera hal to access the GXP device.
-allow hal_camera_default gxp_device:chr_file rw_file_perms;
-
 # Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:dir search;
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index 076ceaf..620095d 100644
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -2,15 +2,14 @@
 # USF sensor HAL SELinux type enforcements.
 #
 
-# Allow access to the AoC communication driver.
-allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+# Allow reading of camera persist files.
+r_dir_file(hal_sensors_default, persist_camera_file)
 
-# Allow access to CHRE socket to connect to nanoapps.
-allow hal_sensors_default chre:unix_stream_socket connectto;
-allow hal_sensors_default chre_socket:sock_file write;
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
 
-# Allow create thread to watch AOC's device.
-allow hal_sensors_default device:dir r_dir_perms;
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
 
 # Allow access for dynamic sensor properties.
 get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
@@ -18,70 +17,11 @@
 # Allow access to raw HID devices for dynamic sensors.
 allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
 
-# Allow SensorSuez to connect AIDL stats.
-allow hal_sensors_default fwk_stats_service:service_manager find;
-
-# Allow reading of sensor registry persist files and camera persist files.
-allow hal_sensors_default mnt_vendor_file:dir search;
-allow hal_sensors_default persist_file:dir search;
-allow hal_sensors_default persist_file:file r_file_perms;
-allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
-allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
-r_dir_file(hal_sensors_default, persist_camera_file)
-
-# Allow creation and writing of sensor registry data files.
-allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
-allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
-
-userdebug_or_eng(`
-    # Allow creation and writing of sensor debug data files.
-    allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms;
-    allow hal_sensors_default sensor_debug_data_file:file create_file_perms;
-')
-
-# Allow access to the display info for ALS.
-allow hal_sensors_default sysfs_display:file rw_file_perms;
-
-# Allow access to the sysfs_aoc.
-allow hal_sensors_default sysfs_aoc:dir search;
-allow hal_sensors_default sysfs_aoc:file r_file_perms;
-
-# Allow access for AoC properties.
-get_prop(hal_sensors_default, vendor_aoc_prop)
-
-# Allow sensor HAL to read AoC dumpstate.
-allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
-
-# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
-# to synchronize the AP and AoC clock timestamps.
-allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
-
-# Allow access to the files of CDT information.
-allow hal_sensors_default sysfs_chosen:dir search;
-allow hal_sensors_default sysfs_chosen:file r_file_perms;
-
-# Allow access to sensor service for sensor_listener.
-binder_call(hal_sensors_default, system_server);
-
-# Allow sensor HAL to reset AOC.
-allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
-
-# Allow sensor HAL to read AoC dumpstate.
-allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
-
 # Allow sensor HAL to access the display service HAL
 allow hal_sensors_default hal_pixel_display_service:service_manager find;
 
-# Allow display_info_service access to the backlight driver.
-allow hal_sensors_default sysfs_leds:dir search;
-allow hal_sensors_default sysfs_leds:file r_file_perms;
-
 # Allow sensor HAL to access the graphics composer.
-binder_call(hal_sensors_default, hal_graphics_composer_default);
-
-# Allow display_info_service access to the backlight driver.
-allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
+binder_call(hal_sensors_default, hal_graphics_composer_default)
 
 # Allow access to the power supply files for MagCC.
-r_dir_file(hal_sensors_default, sysfs_batteryinfo)
 allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
index 5d2a65e..4c99773 100644
--- a/whitechapel_pro/hal_usb_impl.te
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -29,3 +29,7 @@
 allow hal_usb_impl device:dir r_dir_perms;
 allow hal_usb_impl usb_device:chr_file rw_file_perms;
 allow hal_usb_impl usb_device:dir r_dir_perms;
+
+# For monitoring usb sysfs attributes
+allow hal_usb_impl sysfs_wakeup:dir search;
+allow hal_usb_impl sysfs_wakeup:file r_file_perms;
diff --git a/whitechapel_pro/hal_wireless_charger.te b/whitechapel_pro/hal_wireless_charger.te
index 04b3e5e..8d6c011 100644
--- a/whitechapel_pro/hal_wireless_charger.te
+++ b/whitechapel_pro/hal_wireless_charger.te
@@ -1,2 +1,7 @@
 type hal_wireless_charger, domain;
 type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
+
+r_dir_file(hal_wireless_charger, sysfs_wlc)
+
+allow hal_wireless_charger sysfs_wlc:dir search;
+allow hal_wireless_charger sysfs_wlc:file rw_file_perms;
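Review bot: `allow hal_wireless_charger sysfs_wlc:dir search;` is redundant, because `r_dir_file(hal_wireless_charger, sysfs_wlc)` two lines earlier already grants directory read and search plus file read. The only new permission in the last line is write, so the three rules reduce to the macro plus `allow hal_wireless_charger sysfs_wlc:file w_file_perms;`, or to the macro alone if the HAL only reads these nodes. None of the added rules carries a comment; state which sysfs attributes the HAL needs to write.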
diff --git a/whitechapel_pro/init-check_ap_pd_auth-sh.te b/whitechapel_pro/init-check_ap_pd_auth-sh.te
new file mode 100644
index 0000000..bcd855c
--- /dev/null
+++ b/whitechapel_pro/init-check_ap_pd_auth-sh.te
@@ -0,0 +1,14 @@
+type init-check_ap_pd_auth-sh, domain;
+type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(init-check_ap_pd_auth-sh)
+
+  set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop)
+
+  allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms;
+  allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms;
+
+  allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms;
+  allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms;
+')
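Review bot: The new file has no comment describing the domain, and the two `type` declarations sit outside `userdebug_or_eng` while every rule is inside it. On user builds that leaves a labelled executable (file_contexts in this commit labels `/vendor/bin/init.check_ap_pd_auth.sh` unconditionally) whose domain has no transition and no rules; that looks intentional but should be stated. Add a header such as `# Debug-build script that publishes SJTAG lock state via vendor_sjtag_lock_state_prop` (purpose inferred from the property names, so confirm), and a short note on why `vendor_toolbox_exec` is needed.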
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index 2cddb45..9f5bf88 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -11,3 +11,5 @@
 dontaudit kernel vendor_battery_debugfs:dir search;
 dontaudit kernel vendor_maxfg_debugfs:dir { search };
 dontaudit kernel vendor_regmap_debugfs:dir search;
+dontaudit kernel vendor_votable_debugfs:dir search;
+dontaudit kernel vendor_usb_debugfs:dir search;
diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te
index b5cce03..b21b792 100644
--- a/whitechapel_pro/modem_diagnostic_app.te
+++ b/whitechapel_pro/modem_diagnostic_app.te
@@ -9,6 +9,9 @@
 userdebug_or_eng(`
   hal_client_domain(modem_diagnostic_app, hal_power_stats);
 
+  allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find;
+  binder_call(modem_diagnostic_app, rild)
+
   binder_call(modem_diagnostic_app, dmd)
 
   set_prop(modem_diagnostic_app, vendor_cbd_prop)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 6aba16a..15856a1 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -33,6 +33,9 @@
 # BCL
 allow pixelstats_vendor sysfs_bcl:dir search;
 allow pixelstats_vendor sysfs_bcl:file r_file_perms;
+allow pixelstats_vendor mitigation_vendor_data_file:dir search;
+allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;
+get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
 
 # PCIe statistics
 allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search;
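Review bot: `allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;` gives a statistics collector write access to the mitigation data files; if it only reads brownout records, `r_file_perms` is enough. If it does need to write, say why in a comment next to the rule. `get_prop(pixelstats_vendor, vendor_brownout_reason_prop);` also ends in a semicolon, which this same commit removes from `binder_call(...)` in hal_sensors_default.te; drop it for consistency.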
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index d297abe..559511a 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -42,5 +42,5 @@
 # Mali Integration
 vendor_restricted_prop(vendor_arm_runtime_option_prop)
 
-# ArmNN
-vendor_internal_prop(vendor_armnn_config_prop)
+# SJTAG lock state
+vendor_internal_prop(vendor_sjtag_lock_state_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 947adf2..0ff833e 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -83,7 +83,6 @@
 persist.vendor.gps.                        u:object_r:vendor_gps_prop:s0
 
 # Fingerprint
-persist.vendor.fingerprint.                u:object_r:vendor_fingerprint_prop:s0
 vendor.fingerprint.                        u:object_r:vendor_fingerprint_prop:s0
 vendor.gf.                                 u:object_r:vendor_fingerprint_prop:s0
 
@@ -107,5 +106,6 @@
 # Mali GPU driver configuration and debug options
 vendor.mali.                               u:object_r:vendor_arm_runtime_option_prop:s0 prefix
 
-# ArmNN configuration
-ro.vendor.armnn.                           u:object_r:vendor_armnn_config_prop:s0 prefix
+# SJTAG lock state
+ro.vendor.sjtag_ap_is_unlocked             u:object_r:vendor_sjtag_lock_state_prop:s0
+ro.vendor.sjtag_gsa_is_unlocked            u:object_r:vendor_sjtag_lock_state_prop:s0
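Review bot: The two SJTAG entries carry no match kind or value type, so they are treated as prefix matches: any property whose name merely starts with `ro.vendor.sjtag_ap_is_unlocked` or `ro.vendor.sjtag_gsa_is_unlocked` gets the same label, and the value is not type-checked. Since these are fixed names, declare them exactly, e.g. `ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 exact bool` (use `exact string` if the script writes something other than a boolean). The neighbouring Mali entry already states `prefix` explicitly, so being explicit here also matches the file.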
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 534bea1..356e872 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -43,4 +43,6 @@
 # Allow rild to ptrace for memory leak detection
 userdebug_or_eng(`
 allow rild self:process ptrace;
+
+binder_call(rild, modem_diagnostic_app)
 ')
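Review bot: The added `binder_call(rild, modem_diagnostic_app)` sits under the comment `# Allow rild to ptrace for memory leak detection`, which does not describe it. Give it its own comment, for example `# Allow rild to call the Modem Diagnostic System app (userdebug/eng only)`, so the rule is not later read as part of the ptrace allowance. Because the target is an app domain, the rule should stay inside the `userdebug_or_eng` block where this hunk places it.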
diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te
index e5f1ace..e531b0d 100644
--- a/whitechapel_pro/rlsservice.te
+++ b/whitechapel_pro/rlsservice.te
@@ -16,6 +16,8 @@
 allow rlsservice rls_device:chr_file rw_file_perms;
 
 binder_call(rlsservice, hal_camera_default)
+binder_call(rlsservice, servicemanager)
+
 
 # Allow access to display backlight information
 allow rlsservice sysfs_leds:dir search;
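Review bot: `binder_call(rlsservice, servicemanager)` only lets the daemon talk to servicemanager. Registering under `rls_service`, now declared as `service_manager_type` in the service.te and service_contexts hunks, also needs an `add` rule on `rls_service:service_manager`, and clients need `find`. Neither is visible in this hunk; they may exist elsewhere in the file, so confirm they do and keep `find` limited to the domains that actually use the service. `binder_use(rlsservice)` is the usual macro for servicemanager access, and the extra blank line added after the rule can be dropped. The new `type rls_service, service_manager_type;` line in service.te would also benefit from a heading comment like the `# WLC` one above it.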
@@ -30,3 +32,7 @@
 
 # Allow read camera property
 get_prop(rlsservice, vendor_camera_prop);
+
+# Allow rlsservice bugreport generation
+allow rlsservice dumpstate:fd use;
+allow rlsservice dumpstate:fifo_file write;
\ No newline at end of file
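Review bot: The file now ends without a trailing newline, as the `\ No newline at end of file` marker after `allow rlsservice dumpstate:fifo_file write;` shows. Policy sources are typically concatenated at build time, so a missing final newline risks the last rule running into whatever text follows. End the file with a newline.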
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index dcaaf66..eda8c10 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -32,6 +32,7 @@
 
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
 
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
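Review bot: The added line maps `com.google.mds` into `modem_diagnostic_app` for `seinfo=platform` as well as the dedicated `seinfo=mds`, with no comment explaining why both are needed. The platform certificate is shared by many packages, so this entry relies on the `name=` and `isPrivApp=true` selectors alone to limit which app gets the diagnostic domain. Add a comment such as `# com.google.mds is platform-signed on some builds` (reason to be confirmed), and remove whichever entry is no longer in use once the signing arrangement is settled.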
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te
index 1c49d4f..2fff668 100644
--- a/whitechapel_pro/service.te
+++ b/whitechapel_pro/service.te
@@ -3,3 +3,5 @@
 
 # WLC
 type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type;
+
+type rls_service, service_manager_type;
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
index a3849bb..e3ae0e7 100644
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@@ -2,3 +2,5 @@
 hardware.qorvo.uwb.IUwbVendor/default                      u:object_r:hal_uwb_vendor_service:s0
 
 vendor.google.wireless_charger.IWirelessCharger/default                      u:object_r:hal_wireless_charger_service:s0
+
+rlsservice                                                 u:object_r:rls_service:s0
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
index 2caf6d7..a93d5bd 100644
--- a/whitechapel_pro/ssr_detector.te
+++ b/whitechapel_pro/ssr_detector.te
@@ -13,11 +13,13 @@
   allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
   allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
   get_prop(ssr_detector_app, vendor_aoc_prop)
+  set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
   allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
   allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
   allow ssr_detector_app proc_vendor_sched:dir search;
   allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
   allow ssr_detector_app cgroup:file write;
+  allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
 ')
 
 get_prop(ssr_detector_app, vendor_ssrdump_prop)
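Review bot: `allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;` lets the app run vendor toolbox binaries inside its own domain. Those tools then inherit everything the app is allowed, including the `sysfs_sjtag` write access and the new `set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)`. The block holding these rules opens before the hunk; confirm it is a `userdebug_or_eng` block, since neither rule looks suitable for user builds. A comment on each rule, e.g. `# Publish SJTAG lock state` and `# Run vendor toolbox to query SJTAG state` (purposes to be confirmed), would record why an app domain needs them.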
diff --git a/whitechapel_pro/te_macros b/whitechapel_pro/te_macros
deleted file mode 100644
index 01ac13c..0000000
--- a/whitechapel_pro/te_macros
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# USF SELinux type enforcement macros.
-#
-
-#
-# usf_low_latency_transport(domain)
-#
-# Allows domain use of the USF low latency transport.
-#
-define(`usf_low_latency_transport', `
-  allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
-  hal_client_domain($1, hal_graphics_allocator)
-')
-
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te
index 256fb38..bfff0a9 100644
--- a/whitechapel_pro/tee.te
+++ b/whitechapel_pro/tee.te
@@ -7,7 +7,6 @@
 allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
-allow tee sg_device:chr_file rw_file_perms;
 
 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 415d7c8..c8acdbb 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -41,6 +41,3 @@
 
 # Mali
 set_prop(vendor_init, vendor_arm_runtime_option_prop)
-
-# ArmNN
-set_prop(vendor_init, vendor_armnn_config_prop)
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
index bd59e83..06ef0b2 100644
--- a/whitechapel_pro/vndservice.te
+++ b/whitechapel_pro/vndservice.te
@@ -1,3 +1,2 @@
-type rls_service, vndservice_manager_type;
 type vendor_surfaceflinger_vndservice, vndservice_manager_type;
 type eco_service, vndservice_manager_type;
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts
index 16ae43a..6ddcabf 100644
--- a/whitechapel_pro/vndservice_contexts
+++ b/whitechapel_pro/vndservice_contexts
@@ -1,3 +1,2 @@
-rlsservice            u:object_r:rls_service:s0
 Exynos.HWCService     u:object_r:vendor_surfaceflinger_vndservice:s0
 media.ecoservice      u:object_r:eco_service:s0