"LA.UM.12.2.1.r1-02900-sdm660.0"
* tag 'LA.UM.12.2.1.r1-02900-sdm660.0':
Sepolicy : Allow vendor_init to access bluetooth prop.
Add sepolicy dir and sock permissions to location module
location AVC denials during user profile switch
Conflicts:
legacy/vendor/common/property_contexts
Change-Id: Ic870aa5f9abe177e4d8c00a1bf3d9b66b67e3d75
Allow location module to have directory read, write
and socket create permissions in /data/vendor/ path.
CRs-Fixed: 2205732
Change-Id: I4a75623b562337e13b121bacf86af0f97f457916
"LA.UM.12.2.1.r1-02500-sdm660.0"
* tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy:
sepolicy : Allow apps to have read access to vendor_display_prop
sepolicy:qcc: add qcc path to dropbox
sepolicy:qcc : switch to platform app
Sepolicy : dontaudit to vendor.hw.fm.init property
SE Policy change to fix avc denial for qcrild socket
Avc denials on sdm660 from location, hal_gnss_qti
sepolicy: Add file context for Widevine DRM
sepolicy: Add file context for DRM
sepolicy: Fix qcc avc denial issue
sepolicy:donotaudit for com.qualcomm.location
Sepolicy rules to allow Gnss Hal to access ssgtz
sepolicy rules to allow Gnss Hal to access RIL Srv
Allow vendor_location_xtwifi_client to access ssgtzd socket
Conflicts:
generic/vendor/common/file_contexts
legacy/vendor/common/vendor_init.te
Change-Id: Ibcd6a15e0ee9ab5bee6da5bafb41702e67549e30
As qualcomm relabels read_ahead_kb and friends as sysfs_mmc_host
we explicitly need to grant apexd access to it or it will break.
This results in e.g. GSIs being unbootable.
type=1400 audit(3799551.036:40): avc: denied { read write }
for comm="apexd" name="read_ahead_kb" dev="sysfs" ino=81305
scontext=u:r:apexd:s0 tcontext=u:object_r:sysfs_mmc_host:s0
tclass=file permissive=0
Change-Id: Iea24b94318893e8526e06e24bc3308acba37b0cc
Signed-off-by: Alexander Martinz <amartinz@shiftphones.com>
Set context for widevine services
android.hardware.drm-service-widevine
android.hardware.drm-service-lazy.widevine
validation:
xts test case: passes all the xts test cases
Change-Id: I568149e2c91f86a72007fb5b04f5597f133eea64
The name was changed from thermal.msm8953 to a generic one while
moving to 2.0. Hence, add proper label to the new HAL binary.
Change-Id: I7e73035224a3f421c1f8f8e7a4e0f6ab072fab32
(cherry picked from commit 578d104a6e72b9289af668780acd571bad4bc489)
- commit https://review.lineageos.org/c/LineageOS/android_device_qcom_sepolicy/+/360376
relabeled the usb hal and we hit the following log:
usb@1.0-service: type=1400 audit(0.0:5346): avc: denied { search } for uid=1000 name="usbpd0" dev="sysfs" ino=40564 scontext=u:r:hal_usb_default:s0 tcontext=u:object_r:sysfs_usbpd_device:s0 tclass=dir permissive=0
07-13 12:41:07.134 816 2117 E android.hardware.usb@1.0-service: uevent received SUBSYSTEM=dual_role_usb
07-13 12:41:07.135 816 2117 I android.hardware.usb@1.0-service: otg_default
07-13 12:41:07.135 816 2117 E android.hardware.usb@1.0-service: getCurrentRole: Failed to open filesystem node
07-13 12:41:07.135 816 2117 E android.hardware.usb@1.0-service: Error while retreiving portNames
07-13 12:41:07.138 1588 2451 E UsbPortManager: port status enquiry failed
Co-authored-by: ExactExampl <64069095+ExactExampl@users.noreply.github.com>
Change-Id: I6b58a248195c59f09514caa7b89c2810f7a8e146
Add the sepolicy rules for trustzone
access service to provide it access to
various vendor and android services.
Change-Id: I80f8bcb9a917ed18331fa3b92f1e8c65f8c631ad
"LA.UM.11.2.1.r1-03400-sdm660.0"
# By Arvind Kumar (1) and Jiani Liu (1)
# Via Jiani Liu (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-03400-sdm660.0':
Add sepolicy for ISupplicantVendor aidl
Permission to access binderfs for binder info
Change-Id: Ice22795ff63de9cc918af6a22e113fe1fce1de83
"LA.UM.11.2.1.r1-03300-sdm660.0"
# By Jiani Liu (1) and Sanghoon Shin (1)
# Via Gerrit - the friendly Code Review server (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-03300-sdm660.0':
Add sepolicy for ISupplicantVendor aidl
sepolicy: fix issue on non-snap target
Change-Id: I512ef692ad0178c26817da2745b67e5dd43c1ee1
This commit adds required sepolicy changes to avoid avc denial for new
vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default.
Change-Id: Ie272772338299eb2c684b1c3683e062b12ca486b
levelFrom is used to determine the level (sensitivity + categories)
for MLS/MCS. If set to all, level is determined from both UID and
user ID. This is bad for poweroffalarm, as it needs to be able to
write to /persist/alarm/data which has a context without mls_level:
u:object_r:persist_alarm_file:s0
instead of
u:object_r:persist_alarm_file:s0:c0,c256,c512,c768
Change-Id: I9a8b706cdedc090281e4b5542eb34816b7ff338e
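Added example (not part of the commit above or of this repository): a simplified Python model of how the levelFrom modes derive MLS categories from a uid, and why a process carrying categories can still read but no longer write an object labelled plain s0. It assumes the usual Android uid layout (100000 uids per user, apps starting at 10000) and the basic MLS rules for files (read needs dominance, write needs equality); exemptions such as mlstrustedsubject and mlstrustedobject are not modelled, and the uid 10000 is a constructed sample that reproduces the categories quoted above.

```python
# Added illustration (simplified model, not code from this repository).
AID_USER_OFFSET = 100000  # uid = user_id * 100000 + app_id
AID_APP_START = 10000     # first uid of the regular app range


def level_from(mode, uid):
    """MLS level assigned to a process for a given levelFrom mode and uid."""
    user_id, app_id = divmod(uid, AID_USER_OFFSET)
    if app_id >= AID_APP_START:  # isolated-uid range is not modelled here
        app_id -= AID_APP_START
    app_cats = [app_id & 0xFF, 256 + ((app_id >> 8) & 0xFF)]
    user_cats = [512 + (user_id & 0xFF), 768 + ((user_id >> 8) & 0xFF)]
    cats = {"none": [], "app": app_cats, "user": user_cats,
            "all": app_cats + user_cats}[mode]
    return "s0" + (":" + ",".join(f"c{c}" for c in cats) if cats else "")


def parse_level(level):
    """Split 's0:c0,c256' into (sensitivity number, set of categories)."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), frozenset(cats.split(",")) if cats else frozenset()


def can_read(subject, obj):
    """Read needs the subject level to dominate the object level."""
    (s1, c1), (s2, c2) = parse_level(subject), parse_level(obj)
    return s1 >= s2 and c1 >= c2


def can_write(subject, obj):
    """Write needs the two levels to be equal."""
    return parse_level(subject) == parse_level(obj)


if __name__ == "__main__":
    persist_alarm_file = "s0"  # level of u:object_r:persist_alarm_file:s0
    for mode in ("all", "user", "app", "none"):
        proc = level_from(mode, 10000)  # constructed uid: user 0, first app uid
        print(mode, proc, "read" if can_read(proc, persist_alarm_file) else "-",
              "write" if can_write(proc, persist_alarm_file) else "-")
```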
"LA.UM.11.2.1.r1-01900-sdm660.0"
# By Neelu Maheshwari (1) and Sanghoon Shin (1)
# Via Gerrit - the friendly Code Review server (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-01900-sdm660.0':
sepolicy: fix issue on non-snap target
Sepolicy : Fixed Multiple AVC Denials in 11.2.1 SDM660.
Conflicts:
generic/vendor/common/hwservice.te
generic/vendor/common/hwservice_contexts
legacy/vendor/msm8996/hal_qccvndhalservice.te
legacy/vendor/sdm660/file_contexts
qva/vendor/common/hwservice.te
qva/vendor/common/hwservice_contexts
Change-Id: Ic0fa79f8c74969f25061f50706000abee5b0d008
Make power off alarm app as an independent app domain so that
the sepolicies will not affect other apps.
[Giovix92]: Adapt it to lineage-18.1
CRs-Fixed: 2113144
Original Change-Id: Ia80575b6dea893bde30636b9a814a6f20ea54b6f
Change-Id: Ie56c5cbade7332a145f10cd5fff0955bcfc724ef