From 2a6c690d1afce7260fdff849bc21a7898348e831 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Mon, 10 Jul 2023 04:29:14 +0000
Subject: [PATCH] Move gxp sepolicies to gs-common

This change moves all gxp sepolicies to common. This eliminates the need for having these policies in sepolicy folder of all P22+ devices.

Tested: Created private builds and found no selinux violations for P22 & P23 devices.

Bug: 288368306
Change-Id: Iec5dfe01dd9088a117f549cc999b9ee2aa2c4484
Signed-off-by: Dinesh Yadav
---
 gxp/dump.mk | 4 ----
 gxp/gxp.mk | 13 +++++++++++++
 gxp/sepolicy/device.te | 2 ++
 gxp/sepolicy/dump_gxp.te | 2 ++
 gxp/sepolicy/file.te | 2 ++
 gxp/sepolicy/file_contexts | 12 +++++++++++-
 gxp/sepolicy/gxp_logging.te | 21 +++++++++++++++++++++
 gxp/sepolicy/hal_camera_default.te | 3 +++
 gxp/sepolicy/property.te | 3 +++
 gxp/sepolicy/property_contexts | 3 +++
 gxp/sepolicy/vendor_init.te | 3 +++
 11 files changed, 63 insertions(+), 5 deletions(-)
 delete mode 100644 gxp/dump.mk
 create mode 100644 gxp/gxp.mk
 create mode 100644 gxp/sepolicy/device.te
 create mode 100644 gxp/sepolicy/file.te
 create mode 100644 gxp/sepolicy/gxp_logging.te
 create mode 100644 gxp/sepolicy/hal_camera_default.te
 create mode 100644 gxp/sepolicy/property.te
 create mode 100644 gxp/sepolicy/property_contexts
 create mode 100644 gxp/sepolicy/vendor_init.te

diff --git a/gxp/dump.mk b/gxp/dump.mk
deleted file mode 100644
index c1f6300..0000000
--- a/gxp/dump.mk
+++ /dev/null
@@ -1,4 +0,0 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy/
-
-PRODUCT_PACKAGES_DEBUG += dump_gxp
-
diff --git a/gxp/gxp.mk b/gxp/gxp.mk
new file mode 100644
index 0000000..45b0f08
--- /dev/null
+++ b/gxp/gxp.mk
@@ -0,0 +1,13 @@
+# GXP logging service
+PRODUCT_PACKAGES += \
+ android.hardware.gxp.logging@service-gxp-logging
+# GXP metrics logger library
+PRODUCT_PACKAGES += \
+ gxp_metrics_logger
+# GXP C-API library
+PRODUCT_PACKAGES += libgxp
+# GXP Debug dump.
+PRODUCT_PACKAGES_DEBUG += dump_gxp
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy
+
diff --git a/gxp/sepolicy/device.te b/gxp/sepolicy/device.te
new file mode 100644
index 0000000..382bc9d
--- /dev/null
+++ b/gxp/sepolicy/device.te
@@ -0,0 +1,2 @@
+# GXP device
+type gxp_device, dev_type, mlstrustedobject;
diff --git a/gxp/sepolicy/dump_gxp.te b/gxp/sepolicy/dump_gxp.te
index 61a0482..8d285c5 100644
--- a/gxp/sepolicy/dump_gxp.te
+++ b/gxp/sepolicy/dump_gxp.te
@@ -7,5 +7,7 @@ userdebug_or_eng(`
 allow dump_gxp sscoredump_vendor_data_coredump_file:file r_file_perms;
 allow dump_gxp sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
 allow dump_gxp sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ # Allow dump_gxp to access gxp properties.
+ get_prop(google_camera_app, vendor_gxp_prop)
 ')
 
diff --git a/gxp/sepolicy/file.te b/gxp/sepolicy/file.te
new file mode 100644
index 0000000..278cdd9
--- /dev/null
+++ b/gxp/sepolicy/file.te
@@ -0,0 +1,2 @@
+# Gxp sysfs file
+type sysfs_gxp, sysfs_type, fs_type;
diff --git a/gxp/sepolicy/file_contexts b/gxp/sepolicy/file_contexts
index 80420f4..08bef12 100644
--- a/gxp/sepolicy/file_contexts
+++ b/gxp/sepolicy/file_contexts
@@ -1,2 +1,12 @@
-/vendor/bin/dump/dump_gxp u:object_r:dump_gxp_exec:s0
+# GXP Vendor library
+/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
+
+# GXP logging service
+/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
+
+# GXP Metrics Collection Library
+/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0
+
+# Allow collection of debug dump.
+/vendor/bin/dump/dump_gxp u:object_r:dump_gxp_exec:s0
 
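Review bot: Device makefiles that still include `gxp/dump.mk` break after this change, because dump.mk is deleted in the previous hunk and nothing in gxp.mk or the commit message states that gxp.mk is its replacement. A header comment would make the migration explicit, e.g. `# GXP packages and sepolicy. Replaces gxp/dump.mk; include this file from the device makefile.`. The three `PRODUCT_PACKAGES +=` assignments could be a single list with one comment per entry, and this file (like property.te, property_contexts and vendor_init.te) ends in an extra empty line.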
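Review bot: `mlstrustedobject` on `gxp_device` exempts /dev/gxp from MLS constraints, so a domain at any MLS level (for example a per-app category level) may open it, yet the only consumers granted access in this change (`gxp_logging`, `hal_camera_default`) are vendor domains at the default level, so the attribute is unexplained. Either name the client that needs it in the comment, e.g. `# mlstrustedobject: /dev/gxp is opened directly by app-level clients — TODO name them`, or drop the attribute if no such client exists. Note also that no `/dev/gxp` entry appears in the file_contexts hunk, so the node's labeling as `gxp_device` must come from a per-device file_contexts — worth confirming for every target that now shares this directory.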
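Review bot: The comment says dump_gxp is being granted the property read, but the macro's subject is `google_camera_app`, so nothing in this hunk lets `dump_gxp` read `vendor_gxp_prop`, while an unrelated app domain receives the grant from inside a `userdebug_or_eng` block in dump_gxp.te. If dump_gxp is the intended reader the line should be `get_prop(dump_gxp, vendor_gxp_prop)`; if google_camera_app is intended, the rule belongs in its own `google_camera_app.te` with a matching comment, and since this directory is now shared by all devices it should be confirmed that `google_camera_app` is defined on every target that includes it, otherwise the policy build fails. The enclosing `userdebug_or_eng(\`` block starts outside the hunk.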
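Review bot: `sysfs_gxp` is declared here and used by the rules in gxp_logging.te, but no `genfs_contexts` entry in this change assigns that label to any sysfs path (such as the `/sys/class/gxp` mentioned in gxp_logging.te's comment); unless each device's own genfs_contexts supplies it, the type is unused and those rules are dead. The comment should say where the labeling lives, e.g. `# GXP sysfs files; labeled by the per-device genfs_contexts (/sys/class/gxp) — TODO confirm`.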
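Review bot: Both `libgxp.so` and `gxp_metrics_logger.so` are labeled `same_process_hal_file`, which marks them as libraries that are mapped into the address space of every process that loads them, so their code becomes part of each client's trusted computing base; that label is appropriate only if they really are same-process HAL client libraries. The comments should state this rather than `# GXP Vendor library`, e.g. `# Same-process HAL client library, loaded into callers' address space`. Separately, `# Allow collection of debug dump.` reads like an allow rule, but a file_contexts line only assigns a label; `# dump_gxp debug-dump helper` is more accurate, and the dump_gxp entry is removed and re-added unchanged, which is needless churn.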
diff --git a/gxp/sepolicy/gxp_logging.te b/gxp/sepolicy/gxp_logging.te
new file mode 100644
index 0000000..fd1af7f
--- /dev/null
+++ b/gxp/sepolicy/gxp_logging.te
@@ -0,0 +1,21 @@
+type gxp_logging, domain;
+type gxp_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gxp_logging)
+
+# The logging service accesses /dev/gxp
+allow gxp_logging gxp_device:chr_file rw_file_perms;
+
+# Allow logging service to access /sys/class/gxp
+allow gxp_logging sysfs_gxp:dir search;
+allow gxp_logging sysfs_gxp:file rw_file_perms;
+
+# Allow logging service to log to stats service for reporting metrics.
+allow gxp_logging fwk_stats_service:service_manager find;
+binder_call(gxp_logging, system_server);
+binder_use(gxp_logging)
+
+# Allow logging service to read gxp properties.
+get_prop(gxp_logging, vendor_gxp_prop)
+
+# Allow gxp tracing service to send packets to Perfetto
+userdebug_or_eng(`perfetto_producer(gxp_logging)')
diff --git a/gxp/sepolicy/hal_camera_default.te b/gxp/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..5570a2e
--- /dev/null
+++ b/gxp/sepolicy/hal_camera_default.te
@@ -0,0 +1,3 @@
+# Allow the camera hal to access the GXP device and Properties.
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+get_prop(hal_camera_default, vendor_gxp_prop)
diff --git a/gxp/sepolicy/property.te b/gxp/sepolicy/property.te
new file mode 100644
index 0000000..b9741f0
--- /dev/null
+++ b/gxp/sepolicy/property.te
@@ -0,0 +1,3 @@
+# Gxp Android properties
+system_vendor_config_prop(vendor_gxp_prop)
+
diff --git a/gxp/sepolicy/property_contexts b/gxp/sepolicy/property_contexts
new file mode 100644
index 0000000..6093c7c
--- /dev/null
+++ b/gxp/sepolicy/property_contexts
@@ -0,0 +1,3 @@
+# GXP Android Property.
+vendor.gxp. u:object_r:vendor_gxp_prop:s0
+
diff --git a/gxp/sepolicy/vendor_init.te b/gxp/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ec6ceab
--- /dev/null
+++ b/gxp/sepolicy/vendor_init.te
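Review bot: `allow gxp_logging sysfs_gxp:file rw_file_perms;` grants write (plus append, ioctl and the rest of the rw set) on every `sysfs_gxp`-labeled node, although the comment only says the service "accesses" /sys/class/gxp; if the service only reads, `r_file_perms` is the tighter grant, and if it does write, the comment should name the attribute it writes so the write permission is justified. The same question applies to `gxp_device:chr_file rw_file_perms` for a service whose stated job is logging. Style: `binder_call(gxp_logging, system_server);` carries a trailing semicolon unlike the other macro invocations in this file (`binder_use(gxp_logging)`, `init_daemon_domain(gxp_logging)`); drop it for consistency.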
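Review bot: `rw_file_perms` on `gxp_device:chr_file` includes `ioctl` with no extended-permission filter, so the camera HAL can issue every ioctl the GXP driver exposes; if that driver's ioctl set is bounded, an `allowxperm hal_camera_default gxp_device:chr_file ioctl { <gxp ioctl list> }` allowlist would limit the reachable driver surface (the same applies to the gxp_logging rule in the previous hunk). The comment also capitalises `Properties` mid-sentence; `# Allow the camera HAL to access the GXP device and its properties.` reads better.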
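Review bot: `system_vendor_config_prop` is the macro for properties set by vendor_init and consumed on the system side, but the readers granted in this change (`gxp_logging`, `hal_camera_default`) are vendor domains, and the only non-vendor reader visible is the `google_camera_app` line in dump_gxp.te; if that line turns out to be a mistake, `vendor_internal_prop(vendor_gxp_prop)` would be the tighter choice and keep `vendor.gxp.*` off the system side. The comment `# Gxp Android properties` should state the intended setter and reader set, e.g. `# vendor.gxp.* config: set by vendor_init, read by the GXP clients (and, if required, the system-side camera app)`.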
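Review bot: `vendor.gxp.` with its trailing dot is a prefix entry, so every present and future `vendor.gxp.*` property receives `vendor_gxp_prop` and with it all the set/read rules attached to that type; the singular comment `# GXP Android Property.` hides that. Suggest `# All vendor.gxp.* properties (prefix match); config-only, set by vendor_init.`.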
@@ -0,0 +1,3 @@
+# Gxp Android Properties.
+set_prop(vendor_init, vendor_gxp_prop)
+