author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-08-22 09:00:41 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-08-22 09:00:41 +0000 |
commit | 9407162c3264cd489b0c6501b67760ad35e79e2c (patch) | |
tree | a054928ad048cb5796f0251ab47ff8a6f523f8a6 | |
parent | b0464e748dae1f9802a7c5fbcaef55fd0910a58c (diff) | |
parent | 9d762a5e619a153d2994107482ba6cc91f2efb04 (diff) | |
download | crosshatch-sepolicy-9407162c3264cd489b0c6501b67760ad35e79e2c.tar.gz |
Snap for 7664297 from 9d762a5e619a153d2994107482ba6cc91f2efb04 to main-cg-testing-release
Change-Id: Iecf1e7c53cc8ba59ef12e0a0f7583864beefc20a
-rw-r--r-- | PREUPLOAD.cfg | 3 | ||||
-rw-r--r-- | crosshatch-sepolicy.mk | 2 | ||||
-rw-r--r-- | private/toolbox.te | 6 | ||||
-rw-r--r-- | tracking_denials/hal_wlc.te | 2 | ||||
-rw-r--r-- | vendor/google/bug_map | 2 | ||||
-rw-r--r-- | vendor/google/file.te | 3 | ||||
-rw-r--r-- | vendor/google/genfs_contexts | 6 | ||||
-rw-r--r-- | vendor/google/grilservice_app.te | 3 | ||||
-rw-r--r-- | vendor/google/hal_health_default.te | 1 | ||||
-rw-r--r-- | vendor/google/hal_identity_citadel.te | 9 | ||||
-rw-r--r-- | vendor/google/hwservice.te | 1 | ||||
-rw-r--r-- | vendor/google/hwservice_contexts | 1 | ||||
-rw-r--r-- | vendor/google/pixelstats_vendor.te | 3 | ||||
-rw-r--r-- | vendor/google/property.te | 3 | ||||
-rw-r--r-- | vendor/google/property_contexts | 4 | ||||
-rw-r--r-- | vendor/qcom/common/device.te | 14 | ||||
-rw-r--r-- | vendor/qcom/common/dumpstate.te | 1 | ||||
-rw-r--r-- | vendor/qcom/common/file.te | 4 | ||||
-rw-r--r-- | vendor/qcom/common/file_contexts | 8 | ||||
-rw-r--r-- | vendor/qcom/common/logger_app.te | 2 | ||||
-rw-r--r-- | vendor/qcom/common/mediatranscoding.te | 2 | ||||
-rw-r--r-- | vendor/qcom/common/property.te | 1 | ||||
-rw-r--r-- | vendor/qcom/common/property_contexts | 2 | ||||
-rw-r--r-- | vendor/qcom/common/ramdump.te | 44 |
24 files changed, 48 insertions, 79 deletions
diff --git a/PREUPLOAD.cfg b/PREUPLOAD.cfg
new file mode 100644
index 0000000..3591c7f
--- /dev/null
+++ b/PREUPLOAD.cfg
@@ -0,0 +1,3 @@
+[Hook Scripts]
+aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "."
+
diff --git a/crosshatch-sepolicy.mk b/crosshatch-sepolicy.mk
index 2538aca..7acee6e 100644
--- a/crosshatch-sepolicy.mk
+++ b/crosshatch-sepolicy.mk
@@ -7,9 +7,9 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/crosshatch-sepolicy/vendor/qcom/sdm8
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/crosshatch-sepolicy/vendor/google
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/crosshatch-sepolicy/vendor/verizon
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/crosshatch-sepolicy/tracking_denials
+BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/ramdump/common
 
 # Pixel-wide policies
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
 BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
 
 # vendors for backward compatibility
diff --git a/private/toolbox.te b/private/toolbox.te
new file mode 100644
index 0000000..0c9f4e7
--- /dev/null
+++ b/private/toolbox.te
@@ -0,0 +1,6 @@
+# b/192320719
+dontaudit toolbox virtualizationservice_data_file:dir getattr;
+# b/193366323
+dontaudit toolbox toolbox:capability dac_override;
+dontaudit toolbox toolbox:capability dac_read_search;
+dontaudit toolbox toolbox:capability fowner;
diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te
new file mode 100644
index 0000000..3508008
--- /dev/null
+++ b/tracking_denials/hal_wlc.te
@@ -0,0 +1,2 @@
+# b/190690354
+dontaudit hal_wlc sysfs_msm_subsys:dir search;
diff --git a/vendor/google/bug_map b/vendor/google/bug_map
index 572b334..810d53a 100644
--- a/vendor/google/bug_map
+++ b/vendor/google/bug_map
@@ -2,12 +2,14 @@ bootanim vendor_default_prop file b/79617173
 cdsprpcd system_file dir b/109882276
 dataservice_app vendor_default_prop file b/79617173
 factory_ota_app vendor_default_prop file b/79617173
+google_camera_app selinuxfs file b/175910397
 hal_bluetooth_default hal_bluetooth_default socket b/126576829
 hal_bluetooth_default ramdump_vendor_data_file dir b/129298416
 hal_camera_default persist_file file b/123018469
 hal_health_default persist_file dir b/127303305
 hal_health_default persist_file file b/127303305
 hal_health_default sysfs_usb_c dir b/126568362
+hal_health_default unlabeled file b/156200409
 init sysfs_graphics file b/126568362
 netmgrd system_file file b/117232795
 platform_app vendor_default_prop file b/79617173
diff --git a/vendor/google/file.te b/vendor/google/file.te
index ae65f49..7a7d931 100644
--- a/vendor/google/file.te
+++ b/vendor/google/file.te
@@ -5,6 +5,3 @@ type sysfs_display, sysfs_type, fs_type;
 type sysfs_pixelstats, sysfs_type, fs_type;
 type persist_battery_file, file_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
-
-# RamdumpFS
-allow ramdump_vendor_mnt_file self:filesystem associate;
diff --git a/vendor/google/genfs_contexts b/vendor/google/genfs_contexts
index bfccebd..aa4e9b1 100644
--- a/vendor/google/genfs_contexts
+++ b/vendor/google/genfs_contexts
@@ -11,6 +11,9 @@ genfscon debugfs /logbuffer/smblib u:object_r:debugfs_usb:s0
 genfscon debugfs /logbuffer/usbpd u:object_r:debugfs_usb:s0
 genfscon debugfs /logbuffer/wireless u:object_r:debugfs_usb:s0
 
+# Input
+genfscon sysfs /devices/platform/soc/a600000.ssusb/a600000.dwc3/xhci-hcd.1.auto/usb1 u:object_r:sysfs_uhid:s0
+
 # Battery
 genfscon sysfs /devices/platform/soc/soc:google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/soc/880000.i2c/i2c-1/1-0061/power_supply/wireless u:object_r:sysfs_batteryinfo:s0
@@ -28,4 +31,5 @@ genfscon sysfs /devices/platform/soc/soc:google,charger/bd_resume_time
 genfscon sysfs /devices/platform/soc/soc:google,charger/bd_trigger_temp u:object_r:sysfs_chargelevel:s0
 genfscon sysfs /devices/platform/soc/soc:google,charger/bd_trigger_time u:object_r:sysfs_chargelevel:s0
 genfscon sysfs /devices/platform/soc/soc:google,charger/bd_trigger_voltage u:object_r:sysfs_chargelevel:s0
-genfscon sysfs /devices/platform/soc/soc:google,charger/bd_temp_enable u:object_r:sysfs_chargelevel:s0
+genfscon sysfs /devices/platform/soc/soc:google,charger/bd_temp_enable u:object_r:sysfs_chargelevel:s0
+genfscon sysfs /devices/platform/soc/soc:google,charger/bd_clear u:object_r:sysfs_chargelevel:s0
diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te
index c757bc7..3146a11 100644
--- a/vendor/google/grilservice_app.te
+++ b/vendor/google/grilservice_app.te
@@ -9,3 +9,6 @@ allow grilservice_app hal_bluetooth_sar_hwservice:hwservice_manager find;
 
 binder_call(grilservice_app, hal_radioext_default)
 binder_call(grilservice_app, hal_wifi_ext)
+
+# this denial on grilservice_app since this AudioMetric functionality is not used in legacy device.
+dontaudit grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
diff --git a/vendor/google/hal_health_default.te b/vendor/google/hal_health_default.te
index 41c5009..290972e 100644
--- a/vendor/google/hal_health_default.te
+++ b/vendor/google/hal_health_default.te
@@ -8,6 +8,7 @@ allow hal_health_default sysfs_wlc:dir r_dir_perms;
 
 allow hal_health_default hal_pixelstats_hwservice:hwservice_manager find;
 allow hal_health_default pixelstats_system:binder call;
+allow hal_health_default fwk_stats_hwservice:hwservice_manager find;
 binder_call(hal_health_default, statsd)
 allow hal_health_default fwk_stats_service:service_manager find;
 binder_use(hal_health_default)
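Review bot: The comment added above the new dontaudit in the grilservice_app.te hunk has no verb ("this denial on grilservice_app since ...") and does not say what is being suppressed, so it reads as an unfinished sentence; `# dontaudit this hwservice lookup: the AudioMetric extension is not used on this legacy device.` states the same intent. Unlike the other dontaudit rules added in this commit (toolbox.te, hal_wlc.te) it also carries no b/ reference, so nothing records when the suppression can be removed.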
diff --git a/vendor/google/hal_identity_citadel.te b/vendor/google/hal_identity_citadel.te
deleted file mode 100644
index e29310c..0000000
--- a/vendor/google/hal_identity_citadel.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_identity_citadel, domain;
-type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_identity_citadel)
-binder_call(hal_identity_citadel, citadeld)
-allow hal_identity_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_identity_citadel, hal_identity)
-init_daemon_domain(hal_identity_citadel)
diff --git a/vendor/google/hwservice.te b/vendor/google/hwservice.te
index 100e93a..33c9891 100644
--- a/vendor/google/hwservice.te
+++ b/vendor/google/hwservice.te
@@ -1,2 +1,3 @@
 type hal_wifi_ext_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_bluetooth_sar_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_audiometricext_hwservice, hwservice_manager_type;
diff --git a/vendor/google/hwservice_contexts b/vendor/google/hwservice_contexts
index d937e30..a1e1e04 100644
--- a/vendor/google/hwservice_contexts
+++ b/vendor/google/hwservice_contexts
@@ -2,3 +2,4 @@ vendor.google.wifi_ext::IWifiExt u:object_r:hal_w
 
 # BT HAL HWSERVICE
 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_sar_hwservice:s0
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te
index 06a4b7d..4135269 100644
--- a/vendor/google/pixelstats_vendor.te
+++ b/vendor/google/pixelstats_vendor.te
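Review bot: `type hal_audiometricext_hwservice, hwservice_manager_type;` in the hwservice.te hunk omits the `vendor_hwservice_type` attribute that both sibling declarations in the same file carry, while the matching hwservice_contexts entry added in the next hunk binds a `vendor.google.` interface to it, which suggests a vendor-served HAL. If that is the case the line should be `type hal_audiometricext_hwservice, hwservice_manager_type, vendor_hwservice_type;` so the type is treated like the other vendor hwservices. If the omission is deliberate — the only consumer visible in this commit is the dontaudit in grilservice_app.te — a one-line comment such as `# not vendor_hwservice_type: only referenced by a dontaudit on this device` would stop the next reader from "fixing" it.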
@@ -9,6 +9,9 @@ hwbinder_use(pixelstats_vendor)
 
 allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find;
 binder_call(pixelstats_vendor, pixelstats_system)
+allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, stats_service_server)
+
 binder_use(pixelstats_vendor)
 allow pixelstats_vendor fwk_stats_service:service_manager find;
 
diff --git a/vendor/google/property.te b/vendor/google/property.te
index 4125cd9..6a17f1e 100644
--- a/vendor/google/property.te
+++ b/vendor/google/property.te
@@ -8,3 +8,6 @@ vendor_internal_prop(vendor_fingerprint_prop)
 
 # hal_health
 vendor_internal_prop(vendor_battery_defender_prop)
+
+# Logger
+vendor_internal_prop(vendor_logger_prop)
diff --git a/vendor/google/property_contexts b/vendor/google/property_contexts
index 9d4c87b..cfe1fe8 100644
--- a/vendor/google/property_contexts
+++ b/vendor/google/property_contexts
@@ -19,3 +19,7 @@ vendor.battery.defender. u:object_r:vendor_battery_defender
 # fingerprint
 vendor.fps.init.succeed u:object_r:vendor_fingerprint_prop:s0
 vendor.fps.init_retry.count u:object_r:vendor_fingerprint_prop:s0
+
+# Logger app
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 2b65291..0dcd4fc 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -1,15 +1,15 @@
-type ab_block_device, dev_type;
+type ab_block_device, dev_type, bdev_type;
 type at_device, dev_type;
 type avtimer_device, dev_type;
 type bt_device, dev_type;
-type devinfo_block_device, dev_type;
+type devinfo_block_device, dev_type, bdev_type;
 type diag_device, dev_type, mlstrustedobject;
 type dsp_device, dev_type;
 type easel_device, dev_type, mlstrustedobject;
-type gpt_block_device, dev_type;
+type gpt_block_device, dev_type, bdev_type;
 type ipa_dev, dev_type;
-type modem_block_device, dev_type;
-type persist_block_device, dev_type;
+type modem_block_device, dev_type, bdev_type;
+type persist_block_device, dev_type, bdev_type;
 type qsee_ipc_irq_spss_device, dev_type;
 type qdsp_device, dev_type, mlstrustedobject;
 type ramdump_device, dev_type;
@@ -18,7 +18,7 @@ type seemplog_device, dev_type;
 type sg_device, dev_type;
 type smd_device, dev_type;
 type spcom_device, dev_type;
-type ssd_block_device, dev_type;
+type ssd_block_device, dev_type, bdev_type;
 type ssr_device, dev_type;
 type wlan_device, dev_type;
-type xbl_block_device, dev_type;
+type xbl_block_device, dev_type, bdev_type;
diff --git a/vendor/qcom/common/dumpstate.te b/vendor/qcom/common/dumpstate.te
index a4f2563..1a25d98 100644
--- a/vendor/qcom/common/dumpstate.te
+++ b/vendor/qcom/common/dumpstate.te
@@ -10,6 +10,7 @@ userdebug_or_eng(`
   allow dumpstate persist_file:dir r_dir_perms;
   allow dumpstate sysfs_leds:dir search;
   allow dumpstate system_block_device:blk_file r_file_perms;
+  allow dumpstate media_rw_data_file:file append;
 
   dontaudit dumpstate self:netlink_xfrm_socket create_socket_perms_no_ioctl;
 
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 9163a1d..13d6008 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
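Review bot: `allow dumpstate media_rw_data_file:file append;` in the dumpstate.te hunk grants append on every file carrying the shared-storage label rather than on a specific output file, which is wider than the surrounding rules (each names one sysfs or block-device type). If the bug report is written to one known path, labelling that path and allowing append on that label keeps the grant minimal; if the whole shared-storage tree is genuinely the target, a comment stating the consumer and a b/ reference, as the other new rules in this commit have, would record why. The rule is inside the `userdebug_or_eng` block, whose opening and closing lines are outside this hunk, so it is debug-build only as far as the visible lines show.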
@@ -13,7 +13,7 @@ type sysfs_msm_wlan, sysfs_type, fs_type;
 type sysfs_poweroff, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
-type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type;
 type sysfs_scsi_devices_other, sysfs_type, fs_type;
 type sysfs_system_sleep_stats, sysfs_type, fs_type;
 type sysfs_timestamp_switch, sysfs_type, fs_type;
@@ -93,8 +93,6 @@ type display_vendor_data_file, file_type, data_file_type;
 type nfc_vendor_data_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
 type wifidump_vendor_data_file, file_type, data_file_type;
 type modem_dump_file, file_type, data_file_type;
 type sensors_vendor_data_file, file_type, data_file_type;
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 1f935e9..9fc7c15 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -72,12 +72,6 @@
 # Block devices for the drive that holds the xbl_a and xbl_b partitions.
 /dev/block/sd[bc]1? u:object_r:xbl_block_device:s0
 
-###################################
-# ramdumpfs files
-#
-/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-
 # Block device for hal_bootctl
 /dev/block/sde u:object_r:boot_block_device:s0
 
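Review bot: The file.te hunk at -93 deletes the declaration of `ramdump_vendor_data_file`, but this commit keeps references to that type: the `/data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0` context line in the file_contexts hunk at -211 and the `hal_bluetooth_default ramdump_vendor_data_file dir b/129298416` line in bug_map. The same pattern appears in the property.te and property_contexts hunks, where `vendor_internal_prop(vendor_ramdump_prop)` is removed while `persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0` stays. Presumably both types are now declared by hardware/google/pixel-sepolicy/ramdump/common, which the crosshatch-sepolicy.mk hunk adds to BOARD_VENDOR_SEPOLICY_DIRS; that is an inference, and the policy build would fail on the retained lines if it is wrong. A comment next to the retained ssrdump and crash_rcu lines, e.g. `# type is declared in hardware/google/pixel-sepolicy/ramdump/common`, would make the cross-repository dependency visible.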
@@ -106,7 +100,6 @@
 /vendor/bin/netmgrd u:object_r:netmgrd_exec:s0
 /vendor/bin/port-bridge u:object_r:port-bridge_exec:s0
 /vendor/bin/qti u:object_r:qti_exec:s0
-/vendor/bin/ramdump u:object_r:ramdump_exec:s0
 /vendor/bin/loc_launcher u:object_r:location_exec:s0
 /vendor/bin/lowi-server u:object_r:location_exec:s0
 /vendor/bin/xtra-daemon u:object_r:location_exec:s0
@@ -211,7 +204,6 @@
 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
 /data/vendor/wifi/cnss_diag(/.*)? u:object_r:cnss_vendor_data_file:s0
 /data/vendor/wifi/wlan_logs(/.*)? u:object_r:wifi_vendor_log_data_file:s0
-/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
 /data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
 /data/vendor/wifidump(/.*)? u:object_r:wifidump_vendor_data_file:s0
 /data/vendor/modem_dump(/.*)? u:object_r:modem_dump_file:s0
diff --git a/vendor/qcom/common/logger_app.te b/vendor/qcom/common/logger_app.te
index 784e98e..fabd55e 100644
--- a/vendor/qcom/common/logger_app.te
+++ b/vendor/qcom/common/logger_app.te
@@ -22,4 +22,6 @@ userdebug_or_eng(`
   set_prop(logger_app, vendor_tcpdump_log_prop)
   set_prop(logger_app, vendor_wifi_sniffer_prop)
   set_prop(logger_app, vendor_usb_config_prop)
+  set_prop(logger_app, vendor_logging_prop)
+  set_prop(logger_app, vendor_logger_prop)
 ')
diff --git a/vendor/qcom/common/mediatranscoding.te b/vendor/qcom/common/mediatranscoding.te
new file mode 100644
index 0000000..ab3f09d
--- /dev/null
+++ b/vendor/qcom/common/mediatranscoding.te
@@ -0,0 +1,2 @@
+get_prop(domain, vendor_display_prop)
+
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 34291d1..fa98130 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
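Review bot: `get_prop(domain, vendor_display_prop)` in the new mediatranscoding.te grants read access to every domain on the device, not to the mediatranscoding domain the file is named after, so the file name and the rule disagree and the grant is far wider than least privilege needs. If only the transcoding service reads these properties the line should be `get_prop(mediatranscoding, vendor_display_prop)`; if every process really must read them, the rule belongs in a file named for that scope with a comment explaining which property each consumer needs. The file also has no b/ reference or comment, unlike the other new policy files in this commit, and ends with a stray blank line.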
@@ -2,7 +2,6 @@ vendor_restricted_prop(vendor_camera_prop)
 vendor_restricted_prop(cnd_prop)
 vendor_restricted_prop(ims_prop)
 vendor_internal_prop(vendor_dataqdp_prop)
-vendor_internal_prop(vendor_ramdump_prop)
 vendor_restricted_prop(public_vendor_default_prop)
 vendor_internal_prop(public_vendor_system_prop)
 vendor_restricted_prop(vendor_ssr_prop)
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index 311cfd2..63dc2d1 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -8,9 +8,7 @@ persist.vendor.sys.cnd u:object_r:cnd_prop:s0
 vendor.ims. u:object_r:ims_prop:s0
 persist.vendor.ims. u:object_r:ims_prop:s0
 persist.net.doxlat u:object_r:vendor_net_radio_prop:s0
-vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
 persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
-ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
 vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0
 persist.vendor.sys.cnss. u:object_r:vendor_cnss_diag_prop:s0
 vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
diff --git a/vendor/qcom/common/ramdump.te b/vendor/qcom/common/ramdump.te
deleted file mode 100644
index 7b2e786..0000000
--- a/vendor/qcom/common/ramdump.te
+++ /dev/null
@@ -1,44 +0,0 @@
-type ramdump_exec, exec_type, vendor_file_type, file_type;
-
-userdebug_or_eng(`
-  type ramdump, domain;
-  init_daemon_domain(ramdump)
-
-  set_prop(ramdump, vendor_ramdump_prop)
-
-  # f2fs set pin file requires sys_admin
-  allow ramdump self:capability sys_admin;
-
-  allow ramdump self:capability sys_rawio;
-
-  allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
-  allow ramdump ramdump_vendor_data_file:file create_file_perms;
-  allow ramdump {
-    proc
-    proc_cmdline
-  }:file r_file_perms;
-
-  allow ramdump block_device:dir search;
-  allow ramdump misc_block_device:blk_file rw_file_perms;
-  allow ramdump userdata_block_device:blk_file rw_file_perms;
-
-  dontaudit ramdump metadata_file:dir search;
-
-  # read from /fstab.sdm845
-  allow ramdump rootfs:file r_file_perms;
-
-  r_dir_file(ramdump, sysfs_type)
-
-  # To access statsd.
-  hwbinder_use(ramdump)
-  get_prop(ramdump, hwservicemanager_prop)
-  allow ramdump fwk_stats_hwservice:hwservice_manager find;
-  binder_call(ramdump, stats_service_server)
-
-  # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
-  allow ramdump fuse:filesystem relabelfrom;
-  allow ramdump fuse_device:chr_file rw_file_perms;
-  allow ramdump mnt_vendor_file:dir r_dir_perms;
-  allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
-  allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto };
-')
|