Merge "Add sepolicy for device drop monitor."
diff --git a/OWNERS b/OWNERS
index c2705c9..374d508 100644
--- a/OWNERS
+++ b/OWNERS
@@ -5,6 +5,7 @@
jeffv@google.com
jgalenson@google.com
nnk@google.com
+rurumihong@google.com
sspatil@google.com
tomcherry@google.com
trong@google.com
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index c03312c..8ea3e0a 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -6,3 +6,4 @@
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common
+BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
new file mode 100644
index 0000000..977590d
--- /dev/null
+++ b/tracking_denials/bootanim.te
@@ -0,0 +1,2 @@
+# b/128958090
+dontaudit bootanim sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
new file mode 100644
index 0000000..edab2c3
--- /dev/null
+++ b/tracking_denials/gmscore_app.te
@@ -0,0 +1,4 @@
+# b/149543390
+dontaudit gmscore_app firmware_file:filesystem getattr;
+dontaudit gmscore_app mnt_vendor_file:dir search;
+dontaudit gmscore_app sysfs_msm_subsys:file read;
diff --git a/tracking_denials/hal_audio_default.te b/tracking_denials/hal_audio_default.te
new file mode 100644
index 0000000..f0bd336
--- /dev/null
+++ b/tracking_denials/hal_audio_default.te
@@ -0,0 +1,2 @@
+# b/129111829
+dontaudit hal_audio_default exported3_system_prop:file read;
diff --git a/tracking_denials/hal_face_default.te b/tracking_denials/hal_face_default.te
new file mode 100644
index 0000000..1be13a5
--- /dev/null
+++ b/tracking_denials/hal_face_default.te
@@ -0,0 +1,2 @@
+# b/134894179
+dontaudit hal_face_default exported_camera_prop:file read;
diff --git a/tracking_denials/hal_graphics_allocator_default.te b/tracking_denials/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..68eb040
--- /dev/null
+++ b/tracking_denials/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+# b/149542444
+dontaudit hal_graphics_allocator_default sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/ims.te b/tracking_denials/ims.te
new file mode 100644
index 0000000..255f3ec
--- /dev/null
+++ b/tracking_denials/ims.te
@@ -0,0 +1,2 @@
+# b/129460752
+dontaudit ims sysfs_faceauth:dir search;
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
new file mode 100644
index 0000000..d4039af
--- /dev/null
+++ b/tracking_denials/init-insmod-sh.te
@@ -0,0 +1,2 @@
+# b/149543972
+dontaudit init-insmod-sh proc_cmdline:file read;
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
new file mode 100644
index 0000000..d4ce80b
--- /dev/null
+++ b/tracking_denials/init.te
@@ -0,0 +1,2 @@
+# b/149542343
+dontaudit init kernel:system module_request;
diff --git a/tracking_denials/location.te b/tracking_denials/location.te
new file mode 100644
index 0000000..6e64ef1
--- /dev/null
+++ b/tracking_denials/location.te
@@ -0,0 +1,2 @@
+# b/149544069
+dontaudit location qtidataservices_app:binder call;
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 0000000..d58e641
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,2 @@
+# b/149542783
+dontaudit platform_app sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 0000000..3878ed5
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,2 @@
+# b/149543179
+dontaudit priv_app sysfs_msm_subsys:file read;
diff --git a/tracking_denials/radio.te b/tracking_denials/radio.te
new file mode 100644
index 0000000..7a81617
--- /dev/null
+++ b/tracking_denials/radio.te
@@ -0,0 +1,2 @@
+# b/129455852
+dontaudit radio proc_filesystems:file read;
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 0000000..9c96382
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,2 @@
+# b/149544591
+dontaudit surfaceflinger sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
new file mode 100644
index 0000000..7037625
--- /dev/null
+++ b/tracking_denials/system_app.te
@@ -0,0 +1,3 @@
+# b/149544592
+dontaudit system_app apk_verity_prop:file read;
+dontaudit system_app sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
new file mode 100644
index 0000000..79d8a91
--- /dev/null
+++ b/tracking_denials/system_server.te
@@ -0,0 +1,2 @@
+# b/149544018
+dontaudit system_server sysfs_msm_subsys:file read;
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
new file mode 100644
index 0000000..3f996b5
--- /dev/null
+++ b/tracking_denials/tee.te
@@ -0,0 +1,2 @@
+# b/132393475
+dontaudit tee sysfs_wake_lock:file append;
diff --git a/tracking_denials/thermal-engine.te b/tracking_denials/thermal-engine.te
new file mode 100644
index 0000000..9fd5ba2
--- /dev/null
+++ b/tracking_denials/thermal-engine.te
@@ -0,0 +1,9 @@
+# b/124250714
+dontaudit thermal-engine socket_device:dir write;
+dontaudit thermal-engine sysfs_batteryinfo:dir search;
+dontaudit thermal-engine sysfs:dir read;
+dontaudit thermal-engine sysfs_esoc:dir search;
+dontaudit thermal-engine sysfs_faceauth:dir search;
+dontaudit thermal-engine sysfs_leds:dir search;
+dontaudit thermal-engine sysfs_soc:dir search;
+dontaudit thermal-engine sysfs_ssr:file read;
diff --git a/tracking_denials/time_daemon.te b/tracking_denials/time_daemon.te
new file mode 100644
index 0000000..a3ab78c
--- /dev/null
+++ b/tracking_denials/time_daemon.te
@@ -0,0 +1,3 @@
+# b/136426663
+dontaudit time_daemon sysfs_esoc:dir search;
+dontaudit time_daemon sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/untrusted_app_29.te b/tracking_denials/untrusted_app_29.te
new file mode 100644
index 0000000..047852d
--- /dev/null
+++ b/tracking_denials/untrusted_app_29.te
@@ -0,0 +1,2 @@
+# b/149544802
+dontaudit untrusted_app_29 sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/vendor_pd_mapper.te b/tracking_denials/vendor_pd_mapper.te
new file mode 100644
index 0000000..4930dd1
--- /dev/null
+++ b/tracking_denials/vendor_pd_mapper.te
@@ -0,0 +1,3 @@
+# b/129744410
+dontaudit vendor_pd_mapper sysfs_esoc:dir search;
+dontaudit vendor_pd_mapper sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/wcnss_service.te b/tracking_denials/wcnss_service.te
new file mode 100644
index 0000000..9b4b83d
--- /dev/null
+++ b/tracking_denials/wcnss_service.te
@@ -0,0 +1,2 @@
+# b/130262158
+dontaudit wcnss_service kernel:system module_request;
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index fd3d5ff..115ab75 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -28,6 +28,7 @@
/vendor/bin/hw/android\.hardware\.authsecret@1\.0-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.biometrics\.face@1\.0-service\.google u:object_r:hal_face_default_exec:s0
/vendor/bin/hw/android\.hardware\.camera\.provider@2\.4-service-google u:object_r:hal_camera_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic u:object_r:hal_contexthub_default_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha u:object_r:hal_neuralnetworks_darwinn_exec:s0
/vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0
@@ -42,7 +43,7 @@
/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
-/vendor/bin/hw/hardware\.google\.light@1\.0-service u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/hardware\.google\.light@1\.1-service u:object_r:hal_light_default_exec:s0
/vendor/bin/hw/vendor\.google\.airbrush@1\.0-service u:object_r:airbrush_exec:s0
/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
@@ -53,13 +54,13 @@
/vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
/vendor/bin/modem_svc u:object_r:modem_svc_exec:s0
/vendor/bin/ramoops u:object_r:ramoops_exec:s0
-/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service\.coral u:object_r:hal_dumpstate_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.[01]-service\.coral u:object_r:hal_dumpstate_impl_exec:s0
/vendor/bin/ramdump u:object_r:ramdump_exec:s0
/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0
/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-/vendor/bin/hw/vendor\.google\.wireless_charger@1\.0-service-vendor u:object_r:hal_wlc_exec:s0
+/vendor/bin/hw/vendor\.google\.wireless_charger@1\.1-service-vendor u:object_r:hal_wlc_exec:s0
/vendor/bin/hw/android\.hardware\.graphics\.composer@2\.3-service-sm8150 u:object_r:hal_graphics_composer_default_exec:s0
/vendor/bin/hw/init_dp.sh u:object_r:init_dp_exec:s0
diff --git a/vendor/qcom/common/hal_contexthub.te b/vendor/google/hal_contexthub.te
similarity index 100%
rename from vendor/qcom/common/hal_contexthub.te
rename to vendor/google/hal_contexthub.te
diff --git a/vendor/google/hal_dumpstate_impl.te b/vendor/google/hal_dumpstate_impl.te
index 8f8d432..450c2d2 100644
--- a/vendor/google/hal_dumpstate_impl.te
+++ b/vendor/google/hal_dumpstate_impl.te
@@ -71,12 +71,8 @@
# Access to modem files
userdebug_or_eng(`
- allow hal_dumpstate_impl modem_dump_file:dir create_dir_perms;
- allow hal_dumpstate_impl modem_dump_file:file create_file_perms;
allow hal_dumpstate_impl netmgrd_data_file:dir r_dir_perms;
allow hal_dumpstate_impl netmgrd_data_file:file r_file_perms;
- allow hal_dumpstate_impl vendor_radio_data_file:dir r_dir_perms;
- allow hal_dumpstate_impl vendor_radio_data_file:file r_file_perms;
allow hal_dumpstate_impl tcpdump_vendor_data_file:dir create_dir_perms;
allow hal_dumpstate_impl tcpdump_vendor_data_file:file create_file_perms;
allow hal_dumpstate_impl ssr_log_file:dir search;
@@ -84,9 +80,14 @@
allow hal_dumpstate_impl mpss_rfs_data_file:dir r_dir_perms;
allow hal_dumpstate_impl mpss_rfs_data_file:file r_file_perms;
- set_prop(hal_dumpstate_impl, vendor_modem_diag_prop)
set_prop(hal_dumpstate_impl, vendor_tcpdump_log_prop)
')
+allow hal_dumpstate_impl modem_dump_file:dir create_dir_perms;
+allow hal_dumpstate_impl modem_dump_file:file create_file_perms;
+allow hal_dumpstate_impl vendor_radio_data_file:dir r_dir_perms;
+allow hal_dumpstate_impl vendor_radio_data_file:file r_file_perms;
+
+set_prop(hal_dumpstate_impl, vendor_modem_diag_prop)
# Access to modem stat
domain_auto_trans(hal_dumpstate_impl, modem_svc_exec, modem_svc)
@@ -130,17 +131,23 @@
# Access to knowles framework info
allow hal_dumpstate_impl sysfs_knowles_info:file r_file_perms;
-dontaudit hal_dumpstate_impl modem_dump_file:dir create_dir_perms;
-dontaudit hal_dumpstate_impl modem_dump_file:file create_file_perms;
+#dump sensors log
+userdebug_or_eng(`
+ allow hal_dumpstate_impl sensors_vendor_data_file:dir r_dir_perms;
+ allow hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms;
+')
+
+# Access to vendor logging property
+set_prop(hal_dumpstate_impl, vendor_logging_prop)
+
dontaudit hal_dumpstate_impl netmgrd_data_file:dir r_dir_perms;
dontaudit hal_dumpstate_impl netmgrd_data_file:file r_file_perms;
-dontaudit hal_dumpstate_impl vendor_radio_data_file:dir r_dir_perms;
-dontaudit hal_dumpstate_impl vendor_radio_data_file:file r_file_perms;
dontaudit hal_dumpstate_impl tcpdump_vendor_data_file:dir create_dir_perms;
dontaudit hal_dumpstate_impl tcpdump_vendor_data_file:file create_file_perms;
dontaudit hal_dumpstate_impl ssr_log_file:dir search;
dontaudit hal_dumpstate_impl ssr_log_file:file r_file_perms;
dontaudit hal_dumpstate_impl mpss_rfs_data_file:dir r_dir_perms;
dontaudit hal_dumpstate_impl mpss_rfs_data_file:file r_file_perms;
-dontaudit hal_dumpstate_impl vendor_modem_diag_prop:file r_file_perms;
dontaudit hal_dumpstate_impl vendor_tcpdump_log_prop:file r_file_perms;
+dontaudit hal_dumpstate_impl sensors_vendor_data_file:dir r_dir_perms;
+dontaudit hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms;
diff --git a/vendor/google/refreshrate_app.te b/vendor/google/refreshrate_app.te
index a0af245..c747bbf 100644
--- a/vendor/google/refreshrate_app.te
+++ b/vendor/google/refreshrate_app.te
@@ -1,11 +1,11 @@
type refreshrate_app, domain;
app_domain(refreshrate_app);
+hal_client_domain(refreshrate_app, hal_light)
# Standard system services
allow refreshrate_app app_api_service:service_manager find;
allow refreshrate_app surfaceflinger_service:service_manager find;
binder_call(refreshrate_app, gpuservice)
-
set_prop(refreshrate_app, vendor_display_prop);
diff --git a/vendor/google/vendor_init.te b/vendor/google/vendor_init.te
index 95aba95..678826e 100644
--- a/vendor/google/vendor_init.te
+++ b/vendor/google/vendor_init.te
@@ -29,3 +29,5 @@
# Allow vendor_init to write vendor_tcpdump_log_prop on userdebug or eng ROM
set_prop(vendor_init, vendor_tcpdump_log_prop)
')
+
+set_prop(vendor_init, vendor_logging_prop)
diff --git a/vendor/qcom/common/diag.te b/vendor/qcom/common/diag.te
index afaa9e0..3ad8432 100644
--- a/vendor/qcom/common/diag.te
+++ b/vendor/qcom/common/diag.te
@@ -1,5 +1,4 @@
type diag, domain;
type diag_exec, exec_type, vendor_file_type, file_type;
-userdebug_or_eng(`
- init_daemon_domain(diag)
-')
+
+init_daemon_domain(diag)
diff --git a/vendor/qcom/common/hal_bluetooth_default.te b/vendor/qcom/common/hal_bluetooth_default.te
index 6f1cb38..2b08fd4 100644
--- a/vendor/qcom/common/hal_bluetooth_default.te
+++ b/vendor/qcom/common/hal_bluetooth_default.te
@@ -5,7 +5,7 @@
userdebug_or_eng(`
allow hal_bluetooth_default diag_device:chr_file rw_file_perms;
allow hal_bluetooth_default ramdump_vendor_data_file:dir rw_dir_perms;
- allow hal_bluetooth_default ramdump_vendor_data_file:file { create w_file_perms };
+ allow hal_bluetooth_default ramdump_vendor_data_file:file { create rw_file_perms };
r_dir_file(hal_bluetooth_default, debugfs_ipc)
set_prop(hal_bluetooth_default, vendor_ssr_prop)
')
diff --git a/vendor/qcom/common/hal_gnss_qti.te b/vendor/qcom/common/hal_gnss_qti.te
index a09b551..d9675cd 100644
--- a/vendor/qcom/common/hal_gnss_qti.te
+++ b/vendor/qcom/common/hal_gnss_qti.te
@@ -25,3 +25,6 @@
allow hal_gnss_qti location:unix_dgram_socket sendto;
allow hal_gnss_qti self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+# Allow Gnss HAL to get updates from health hal
+hal_client_domain(hal_gnss_qti, hal_health)
diff --git a/vendor/qcom/common/hal_sensors_default.te b/vendor/qcom/common/hal_sensors_default.te
index 8f379bc..084992e 100644
--- a/vendor/qcom/common/hal_sensors_default.te
+++ b/vendor/qcom/common/hal_sensors_default.te
@@ -37,6 +37,10 @@
allow hal_sensors_default sysfs_ssr:file r_file_perms;
+# For Suez metrics collection
+allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
+allow hal_sensors_default system_server:binder call;
+
dontaudit hal_sensors_default kernel:system module_request;
dontaudit hal_sensors_default sysfs_esoc:dir r_dir_perms;
dontaudit hal_sensors_default sysfs_faceauth:dir search;
diff --git a/vendor/qcom/common/kernel.te b/vendor/qcom/common/kernel.te
index 20294c4..2a6ca76 100644
--- a/vendor/qcom/common/kernel.te
+++ b/vendor/qcom/common/kernel.te
@@ -1,7 +1,5 @@
# For diag over socket
-userdebug_or_eng(`
- allow kernel self:qipcrtr_socket create;
-')
+allow kernel self:qipcrtr_socket create;
allow kernel debugfs_batteryinfo:dir search;
allow kernel debugfs_wlan:dir search;
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 6c421ba..10260fe 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -161,3 +161,7 @@
# Ramdump properties
type vendor_ramdump_prop, property_type;
+
+# vendor logging property
+type vendor_logging_prop, property_type;
+
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index 66b12ed..f663a72 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -80,3 +80,6 @@
persist.vendor.data.netmgr.log_to_file u:object_r:vendor_default_prop:s0
persist.vendor.ims. u:object_r:qcom_ims_prop:s0
persist.vendor.qti.telephony.vt_cam_interface u:object_r:public_vendor_default_prop:s0
+
+# Vendor verbose logging prop
+persist.vendor.verbose_logging_enabled u:object_r:vendor_logging_prop:s0
diff --git a/vendor/qcom/common/qlogd.te b/vendor/qcom/common/qlogd.te
index d18b6d6..c023983 100644
--- a/vendor/qcom/common/qlogd.te
+++ b/vendor/qcom/common/qlogd.te
@@ -5,14 +5,12 @@
# make transition from init to its domain
init_daemon_domain(qlogd)
-userdebug_or_eng(`
- allow qlogd diag_device:chr_file rw_file_perms;
+allow qlogd diag_device:chr_file rw_file_perms;
- allow qlogd vendor_radio_data_file:file create_file_perms;
- allow qlogd vendor_radio_data_file:dir create_dir_perms;
+allow qlogd vendor_radio_data_file:file create_file_perms;
+allow qlogd vendor_radio_data_file:dir create_dir_perms;
- set_prop(qlogd, vendor_modem_diag_prop)
+set_prop(qlogd, vendor_modem_diag_prop)
- allow qlogd self:socket create_socket_perms;
- allowxperm qlogd self:socket ioctl msm_sock_ipc_ioctls;
-')
+allow qlogd self:socket create_socket_perms;
+allowxperm qlogd self:socket ioctl msm_sock_ipc_ioctls;
