From 6f64bf6dd5ac38c8a4f739c05084e20a59ef0741 Mon Sep 17 00:00:00 2001 From: Joel Galenson Date: Thu, 6 Sep 2018 09:15:11 -0700 Subject: OWNERS: Add nnk and remove dcashman Bug: 114211287 Test: none Change-Id: I8707f4316894b8fe4f7618892e6afd350fcbabcd
---
OWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OWNERS b/OWNERS
index 9d3f1b1..e6fbbd4 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,9 +1,9 @@
 alanstokes@google.com
 bowgotsai@google.com
-dcashman@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
+nnk@google.com
 sspatil@google.com
 tomcherry@google.com
 trong@google.com
-- cgit v1.2.3
From 83473beaa6f00553ec1ece6de490a02ff1124b6c Mon Sep 17 00:00:00 2001 From: Eino-Ville Talvala Date: Thu, 26 Jul 2018 16:31:01 -0700 Subject: Allow GoogleCameraNext to use google_camera_app domain GoogleCameraNext is the in-dogfood version of GoogleCamera, and needs access to the same resources as the release version does. (cherry picked from commit 8246ae0eb5bd51551f9d1aed58a5565c2a0ef0d3) Test: adb shell ps -O LABEL -p `adb shell pidof com.google.android.googlecamera.fishfood` shows google_camera_app security label after installing and starting GoogleCameraNext Bug: 115554881 Change-Id: I835f644fb32dcb46d477e6baf7288f6363e1e4e4
---
vendor/google/certs/pulse-release.x509.pem | 15 +++++++++++++++ vendor/google/keys.conf | 3 +++ vendor/google/mac_permissions.xml | 3 +++ vendor/qcom/common/seapp_contexts | 5 ++++- 4 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 vendor/google/certs/pulse-release.x509.pem
diff --git a/vendor/google/certs/pulse-release.x509.pem b/vendor/google/certs/pulse-release.x509.pem
new file mode 100644
index 0000000..fb11572
--- /dev/null
+++ b/vendor/google/certs/pulse-release.x509.pem
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n +bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w +HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv +b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93 +bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/ +jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B +IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe +tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td +0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg +Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b +aIOMFB0Km9HbEZHLKg33kOoMsS2zpA== +-----END CERTIFICATE----- diff --git a/vendor/google/keys.conf b/vendor/google/keys.conf index 4a78849..b5e23b9 100644 --- a/vendor/google/keys.conf +++ b/vendor/google/keys.conf @@ -12,5 +12,8 @@ USER : device/google/crosshatch-sepolicy/vendor/google/certs/tango_userde [@GOOGLE] ALL : device/google/crosshatch-sepolicy/vendor/google/certs/app.x509.pem +[@GOOGLEPULSE] +ALL : device/google/crosshatch-sepolicy/vendor/google/certs/pulse-release.x509.pem + [@EASEL] ALL : device/google/crosshatch-sepolicy/vendor/google/certs/easel.x509.pem diff --git a/vendor/google/mac_permissions.xml b/vendor/google/mac_permissions.xml index 401dc83..9350761 100644 --- a/vendor/google/mac_permissions.xml +++ b/vendor/google/mac_permissions.xml @@ -24,6 +24,9 @@ + + + diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index f5f6dca..070cf7e 100644 --- a/vendor/qcom/common/seapp_contexts +++ b/vendor/qcom/common/seapp_contexts 
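Review bot: The certificate added in pulse-release.x509.pem becomes the trust anchor for the new `googlepulse` signer tag, yet nothing in the change records what it is. Decoding the PEM suggests a self-signed certificate with subject CN=Unknown, a 1024-bit RSA key and an MD5-with-RSA signature, issued in 2008. Because a matching signature is what allows a package to be labelled for `google_camera_app`, the change should state which signing key this is and its fingerprint, for example as a comment beside the keys.conf entry: `# pulse-release signer for GoogleCameraNext; SHA-256 <FINGERPRINT>`. A key of that size is a weak basis for a privileged label, so the seapp_contexts rule that consumes it should remain pinned to a single package name, as it is in this commit.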
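Review bot: The new `[@GOOGLEPULSE]` section in keys.conf maps the certificate under `ALL`, so the dogfood signer is trusted on every build variant, production `user` images included. The description calls GoogleCameraNext the in-dogfood version; if it is not meant to reach end-user devices, the entry could be restricted to the variants that need it, and the `USER :` line for the tango certificate visible at the top of this hunk shows per-variant keys are already used in this file. If `ALL` is intended, a one-line comment such as `# GoogleCameraNext (dogfood) signer, deliberately trusted on all build variants` would record the decision.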
@@ -22,7 +22,10 @@ user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_ user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user # Use a custom domain for GoogleCamera, to allow for Hexagon DSP access -user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user +user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all + +# Also allow GoogleCameraNext, the dogfood beta version, the same access as GoogleCamera +user=_app seinfo=googlepulse name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all #Needed for time service apk user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file -- cgit v1.2.3 From 8d0d030753503f29b82ea3fb90521c2c13967ef6 Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Fri, 21 Sep 2018 12:56:05 -0700 Subject: ConfirmationUI: Cancel dialog on asynchonous events Add permissions required to propagate incoming phone call notifications to the confirmationui hal and qseecomm. Bug: 116353594 Test: VtsHalConfirmationUIV1_0TargetTest Manually tested by calling the phone while the dialog is active. Change-Id: I6b45d1213216a0ad8c2b288f6a61c39b8a3aad19 --- vendor/qcom/common/hal_tui_comm.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/qcom/common/hal_tui_comm.te b/vendor/qcom/common/hal_tui_comm.te index c282127..f3f48ba 100644 --- a/vendor/qcom/common/hal_tui_comm.te +++ b/vendor/qcom/common/hal_tui_comm.te @@ -9,5 +9,7 @@ add_hwservice(hal_tui_comm, hal_tui_comm_hwservice) hwbinder_use(hal_tui_comm) binder_call(hal_tui_comm, secure_ui_service_app) +binder_call(hal_tui_comm, hal_confirmationui_default) +binder_call(hal_tui_comm, tee) allow hal_tui_comm hal_graphics_allocator_default:fd use; -- cgit v1.2.3 
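Review bot: The package name in the new seapp_contexts rule, `name=com.google.android.apps.googlecamera.fishfood`, differs from the one the commit's Test line checks with pidof, `com.google.android.googlecamera.fishfood` (no `.apps`). One of the two is mistyped, and if it is the policy line the rule never matches and the app will not receive the `google_camera_app` label. The same hunk also changes the existing GoogleCamera entry from `levelFrom=user` to `levelFrom=all`, which the description does not mention. That alters the MLS categories applied to the process and its data files, so it deserves its own line in the commit message and a check that data created under the old level remains accessible after an update.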
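Review bot: The two `binder_call` rules added to hal_tui_comm.te carry no comment, and `binder_call(hal_tui_comm, tee)` in particular opens a channel from this HAL to the `tee` domain that a later reader cannot tie to a purpose. A comment above them, e.g. `# Forward asynchronous events (incoming call) so ConfirmationUI can cancel the dialog`, would keep the grant from being copied or widened without that context. The description names qseecomm as the second recipient while the rule targets `tee`; presumably that daemon runs in the `tee` domain, which is worth stating in the same comment.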
From 3701bc542a2b8d8369698c7cbc959aed630c7f92 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Sun, 21 Oct 2018 00:08:29 +0900 Subject: allow swappiness change For using swap aggressively, we want to change /proc/sys/vm/swappiness. This CL allows it by selinux part change of crosshatch Bug: 117522738 Test: confirmed swappiness was changed by modifying that vendor init script write /proc/sys/vm/swappiness other value. Signed-off-by: Minchan Kim Change-Id: I75d34163cb1193f8af7e0e40f8fa8e9202340d58 --- vendor/qcom/common/file.te | 1 + vendor/qcom/common/genfs_contexts | 1 + vendor/qcom/common/vendor_init.te | 1 + 3 files changed, 3 insertions(+) diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te index 83b88f8..6c6f48f 100644 --- a/vendor/qcom/common/file.te +++ b/vendor/qcom/common/file.te @@ -53,6 +53,7 @@ type debugfs_sched_features, debugfs_type, fs_type; # /proc type proc_wifi_dbg, proc_type, fs_type; type proc_f2fs, proc_type, fs_type; +type proc_swappiness, proc_type, fs_type; type proc_sysctl_autogroup, proc_type, fs_type; type proc_sysctl_schedboost, proc_type, fs_type; diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts index 9082476..78e3ce6 100644 --- a/vendor/qcom/common/genfs_contexts +++ b/vendor/qcom/common/genfs_contexts @@ -3,6 +3,7 @@ genfscon proc /debugdriver/driverdump u:object_r:proc_wifi_dbg:s genfscon proc /ath_pktlog/cld u:object_r:proc_wifi_dbg:s0 genfscon proc /irq u:object_r:proc_irq:s0 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0 genfscon proc /sys/kernel/sched_autogroup_enabled u:object_r:proc_sysctl_autogroup:s0 genfscon proc /sys/kernel/sched_boost u:object_r:proc_sysctl_schedboost:s0 diff --git a/vendor/qcom/common/vendor_init.te b/vendor/qcom/common/vendor_init.te index 9680f19..2ee704d 100644 --- a/vendor/qcom/common/vendor_init.te +++ b/vendor/qcom/common/vendor_init.te 
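Review bot: Labelling `/sys/vm/swappiness` with the new type `proc_swappiness` in genfs_contexts removes the node from whatever label it carried before, and this commit grants access only to `vendor_init` (in the vendor_init.te hunk that follows). Any other domain that read or wrote swappiness under the previous label would start hitting denials; that cannot be judged from this patch, so it is worth checking for avc denials on `proc_swappiness` after boot and under memory pressure. A short comment on the `genfscon` line noting that only vendor_init is expected to touch this node would document the intent.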
@@ -3,6 +3,7 @@ allow vendor_init proc_uid_cpupower:file w_file_perms; allow vendor_init proc_sysctl_autogroup:file w_file_perms; allow vendor_init proc_sysctl_schedboost:file w_file_perms; allow vendor_init proc_irq:file w_file_perms; +allow vendor_init proc_swappiness:file w_file_perms; allow vendor_init camera_vendor_data_file:dir create_dir_perms; dontaudit vendor_init kernel:system module_request; -- cgit v1.2.3 From 20a6a3541e14894bfcb81453a07a066f866f5f09 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 7 Nov 2018 11:38:39 -0800 Subject: [DO NOT MERGE]Allow stats_companion to register thermal throttling event listener. Test: Build Bug: b/112432890 Change-Id: Ia3dd001c3399176689010b3f7318aea279b38f65 --- vendor/google/system_server.te | 1 + vendor/google/thermalserviced.te | 1 + 2 files changed, 2 insertions(+) create mode 100644 vendor/google/system_server.te create mode 100644 vendor/google/thermalserviced.te diff --git a/vendor/google/system_server.te b/vendor/google/system_server.te new file mode 100644 index 0000000..581723e --- /dev/null +++ b/vendor/google/system_server.te @@ -0,0 +1 @@ +allow system_server thermal_service:service_manager find; diff --git a/vendor/google/thermalserviced.te b/vendor/google/thermalserviced.te new file mode 100644 index 0000000..aa6a085 --- /dev/null +++ b/vendor/google/thermalserviced.te @@ -0,0 +1 @@ +binder_call(thermalserviced, system_server) -- cgit v1.2.3 From 1542b2a530a5e8d68393462890ec5742eb2b18bf Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 10 Oct 2018 15:03:05 -0700 Subject: Revert sepolicy from "thermal: recommend throttling at low temps" This reverts sepolicy from commit 91c2b8ed0e37a5f7e2aa131378134d5159d15599. Reason for revert: get rid of the hack which is not a right solution for BCL Bug: 80202800 Bug: 117518230 Test: lshal debug "android.hardware.thermal@1.1::IThermal/default" and check threshold 
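Review bot: The new file system_server.te adds a rule for a core platform domain, `allow system_server thermal_service:service_manager find;`, to device vendor policy with no comment, and the title speaks of stats_companion while the rule names `system_server` (presumably because stats_companion runs inside it). A header comment saying so, with the bug number, would explain why the device tree carries this rule; the companion `binder_call(thermalserviced, system_server)` in thermalserviced.te needs the same. Given the [DO NOT MERGE] tag, the comment should also note that the two files are temporary so they are removed once a permanent rule exists elsewhere.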
Signed-off-by: Wei Wang Change-Id: Ibc663edd00ca0db82616637c61538826c5753d86 Merged-In: Ibc663edd00ca0db82616637c61538826c5753d86 (cherry picked from commit dc2b452202bcf2ebf045ea0639e45fd0d4a0c4ec) --- vendor/qcom/common/hal_thermal_default.te | 7 ------- 1 file changed, 7 deletions(-) diff --git a/vendor/qcom/common/hal_thermal_default.te b/vendor/qcom/common/hal_thermal_default.te index 0d56bc1..608cda0 100644 --- a/vendor/qcom/common/hal_thermal_default.te +++ b/vendor/qcom/common/hal_thermal_default.te @@ -2,13 +2,6 @@ allow hal_thermal_default sysfs_thermal:dir { open read search }; allow hal_thermal_default sysfs_thermal:file { getattr open read }; allow hal_thermal_default sysfs_thermal:lnk_file read; -allow hal_thermal_default sysfs_batteryinfo:dir search; -allow hal_thermal_default sysfs_batteryinfo:file r_file_perms; -allow hal_thermal_default sysfs_batteryinfo:lnk_file read; -allow hal_thermal_default sysfs_msm_subsys:dir search; -allow hal_thermal_default sysfs_msm_subsys:file r_file_perms; -allow hal_thermal_default sysfs_msm_subsys:lnk_file read; - allow hal_thermal_default proc_stat:file { getattr open read }; # read thermal_config get_prop(hal_thermal_default, vendor_thermal_prop) -- cgit v1.2.3