nehemiah-zb/lineage_patches_unified
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial unified commit for Android 12, syncing up to v400.a

Browse Source
This commit is contained in:
Andy CrossGate Yan
2021-10-20 14:54:55 +00:00
commit 796726eb09
166 changed files with 20826 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
patches_treble_phh/platform_external_selinux/0001-Increase-default-log_level-to-get-actual-selinux-err.patch Normal file
View File

@@ -0,0 +1,26 @@
From 69ec54d90d2b41ae4e1c27be02b320432c9a1f92 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Mon, 9 Apr 2018 00:19:49 +0200
Subject: [PATCH 1/8] Increase default log_level to get actual selinux error in
kmsg
---
secilc/secilc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/secilc/secilc.c b/secilc/secilc.c
index 9c78e425..71a0f685 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -103,7 +103,7 @@ int main(int argc, char *argv[])
int opt_index = 0;
char *fc_buf = NULL;
size_t fc_size;
- enum cil_log_level log_level = CIL_ERR;
+ enum cil_log_level log_level = CIL_WARN;
static struct option long_opts[] = {
{"help", no_argument, 0, 'h'},
{"verbose", no_argument, 0, 'v'},
--
2.25.1

45
patches_treble_phh/platform_external_selinux/0002-Revert-libsepol-Make-an-unknown-permission-an-error-.patch Normal file
View File

@@ -0,0 +1,45 @@
From 9f95f8b0858cec9d105efcfb5923a96610eab76f Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Wed, 9 Sep 2020 22:36:42 +0200
Subject: [PATCH 2/8] Revert "libsepol: Make an unknown permission an error in
CIL"
This reverts commit dc4e54126bf25dea4d51820922ccd1959be68fbc.
This is required because some targets calls undefined permissions:
- Realme X2 Pro calls sigcont
- Honor 7X calls perf_event
---
libsepol/cil/src/cil_resolve_ast.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 87575860..e72abdeb 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -131,14 +131,18 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
}
if (rc != SEPOL_OK) {
+ struct cil_list *empty_list;
if (class_flavor == CIL_MAP_CLASS) {
cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
- } else {
- cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
+ goto exit;
}
- goto exit;
+ cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
+ /* Use an empty list to represent unknown perm */
+ cil_list_init(&empty_list, perm_strs->flavor);
+ cil_list_append(*perm_datums, CIL_LIST, empty_list);
+ } else {
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
}
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
} else {
cil_list_append(*perm_datums, curr->flavor, curr->data);
}
--
2.25.1

125
patches_treble_phh/platform_external_selinux/0003-Workaround-device-phh-treble-conflict-with-SELinux-p.patch Normal file
View File

@@ -0,0 +1,125 @@
From 357d0c61451ab507248697d1b2327f6204884b78 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Wed, 31 Mar 2021 23:32:37 +0200
Subject: [PATCH 3/8] Workaround device/phh/treble conflict with SELinux policy
device/phh/treble defines the following three types (hostapd,
sysfs_usb_supply, rpmb_device)
However, Qualcomm Samsung Android 11 devices export those symbols as
typealias.
Type and typealias are fundamentally not mergeable.
Luckily, Samsung doesn't do anything with those typealias, so we can
simply ignore them.
Change-Id: I52938703c1c39de8f881c98c82cfbf5a04d96cf7
---
libsepol/cil/src/cil_binary.c | 8 ++++++--
libsepol/cil/src/cil_build_ast.c | 15 +++++++++++----
libsepol/cil/src/cil_resolve_ast.c | 15 +++++++++++++--
3 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 03d53e1f..160fd0e0 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -515,13 +515,17 @@ int cil_typealias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alias)
type_datum_init(sepol_alias);
rc = __cil_get_sepol_type_datum(pdb, DATUM(cil_alias->actual), &sepol_type);
- if (rc != SEPOL_OK) goto exit;
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed at %s:%s:%d\n", __FILE__, __FUNCTION__, __LINE__);
+ goto exit;
+ }
sepol_alias->flavor = TYPE_TYPE;
key = cil_strdup(cil_alias->datum.fqn);
rc = symtab_insert(pdb, SYM_TYPES, key, sepol_alias, SCOPE_DECL, 0, NULL);
if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed at %s:%s:%d:%d\n", __FILE__, __FUNCTION__, __LINE__, rc);
goto exit;
}
sepol_alias->s.value = sepol_type->s.value;
@@ -3776,7 +3780,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
exit:
if (rc != SEPOL_OK) {
- cil_tree_log(node, CIL_ERR, "Binary policy creation failed");
+ cil_tree_log(node, CIL_ERR, "Binary policy creation failed, for pass = %d, flavor = %d", pass, node->flavor);
}
return rc;
}
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 307b1ee3..aaec0a9b 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -108,7 +108,7 @@ int cil_gen_node(struct cil_db *db, struct cil_tree_node *ast_node, struct cil_s
{
int rc = SEPOL_ERR;
symtab_t *symtab = NULL;
- struct cil_symtab_datum *prev;
+ struct cil_symtab_datum *prev = NULL;
rc = __cil_verify_name((const char*)key);
if (rc != SEPOL_OK) {
@@ -133,13 +133,20 @@ int cil_gen_node(struct cil_db *db, struct cil_tree_node *ast_node, struct cil_s
/* multiple_decls not ok, ret error */
cil_log(CIL_ERR, "Re-declaration of %s %s\n",
cil_node_to_string(ast_node), key);
- if (cil_symtab_get_datum(symtab, key, &datum) == SEPOL_OK) {
+ if (cil_symtab_get_datum(symtab, key, &prev) == SEPOL_OK) {
if (sflavor == CIL_SYM_BLOCKS) {
- struct cil_tree_node *node = datum->nodes->head->data;
+ struct cil_tree_node *node = prev->nodes->head->data;
cil_tree_log(node, CIL_ERR, "Previous declaration");
}
}
- goto exit;
+ if(
+ strcmp(key, "sysfs_usb_supply") == 0 ||
+ strcmp(key, "hostapd") == 0 ||
+ strcmp(key, "rpmb_device") == 0) {
+ cil_log(CIL_ERR, "Ignoring...");
+ } else {
+ goto exit;
+ }
}
/* multiple_decls is enabled and works for this datum type, add node */
cil_list_append(prev->nodes, CIL_NODE, ast_node);
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index e72abdeb..db3f24f4 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -512,7 +512,13 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
}
if (NODE(alias_datum)->flavor != alias_flavor) {
cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
- rc = SEPOL_ERR;
+ if(
+ strcmp(alias_datum->name, "hostapd") == 0 ||
+ strcmp(alias_datum->name, "sysfs_usb_supply") == 0 ||
+ strcmp(alias_datum->name, "rpmb_device") == 0)
+ rc = 0;
+ else
+ rc = SEPOL_ERR;
goto exit;
}
@@ -553,7 +559,12 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f
int limit = 2;
if (alias->actual == NULL) {
- cil_tree_log(current, CIL_ERR, "Alias declared but not used");
+ cil_tree_log(current, CIL_ERR, "Alias %s declared but not used", a1->datum.name);
+ if(
+ strcmp(a1->datum.name, "hostapd") == 0 ||
+ strcmp(a1->datum.name, "sysfs_usb_supply") == 0 ||
+ strcmp(a1->datum.name, "rpmb_device") == 0)
+ return SEPOL_OK;
return SEPOL_ERR;
}
--
2.25.1

84
patches_treble_phh/platform_external_selinux/0004-Fix-boot-on-Moto-devices-using-unknown-class.patch Normal file
View File

@@ -0,0 +1,84 @@
From df88fcc15f776b8ba1831b491509137b01b58356 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 25 Oct 2019 13:29:20 +0200
Subject: [PATCH 4/8] Fix boot on Moto devices using unknown class
vendor sepolicy never contains new class or classorder, and are not
allowed to.
Though this is not tested, and it turns out Moto did it anyway.
This raises an issue, because class need to be ordered, and thus the cil
contains the ordering. This ordering needs to be merged.
Android 10 added new classes, so the ordering can no longer be merged,
and secilc fails on those devices, preventing boot.
Considering vendor are not supposed to declare new class (and thus
declare classorder), this fix ignores class-es/classorder in vendor
SELinux policy.
Since the vendor selinux policy has allows rules based on this context,
those allows will fail since the class doesn't exist.
Workaround this by ignoring rules with the problematic class
( keystore_moto_key )
Lucky us, this new class `keystore_moto_key` is used by Moto for
framework to framework (more accurately priv app to keymaster), since
our own framework doesn't use this class, simply ignoring it fixes the
issue.
Change-Id: I66339857634ebfdba359f12a99dfd0bff709d80b
---
libsepol/cil/src/cil_build_ast.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index aaec0a9b..6b4b8708 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -393,6 +393,14 @@ int cil_gen_class(struct cil_db *db, struct cil_tree_node *parse_current, struct
struct cil_tree_node *perms = NULL;
int rc = SEPOL_ERR;
+ {
+ const char* path = cil_tree_get_cil_path(parse_current);
+ if(strstr(path, "vendor")) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
rc = __cil_verify_syntax(parse_current, syntax, syntax_len);
if (rc != SEPOL_OK) {
goto exit;
@@ -459,6 +467,14 @@ int cil_gen_classorder(struct cil_db *db, struct cil_tree_node *parse_current, s
struct cil_list_item *head = NULL;
int rc = SEPOL_ERR;
+ {
+ const char* path = cil_tree_get_cil_path(parse_current);
+ if(strstr(path, "vendor")) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
if (db == NULL || parse_current == NULL || ast_node == NULL) {
goto exit;
}
@@ -2057,6 +2073,14 @@ int cil_gen_avrule(struct cil_tree_node *parse_current, struct cil_tree_node *as
rule->src_str = parse_current->next->data;
rule->tgt_str = parse_current->next->next->data;
+ {
+ const char *classname = parse_current->next->next->next->cl_head->data;
+ if(strcmp(classname, "keystore_moto_key") == 0) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
rc = cil_fill_classperms_list(parse_current->next->next->next, &rule->perms.classperms);
if (rc != SEPOL_OK) {
goto exit;
--
2.25.1

43
patches_treble_phh/platform_external_selinux/0005-Allow-devices-virtual-block-genfscon-conflict-seen-o.patch Normal file
View File

@@ -0,0 +1,43 @@
From 55627b8443a01f8daa37892d0cede3fef98a6758 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 6 Sep 2019 15:07:25 +0200
Subject: [PATCH 5/8] Allow /devices/virtual/block/ genfscon conflict (seen on
Xiaomi Mi 9)
Change-Id: I06e4e9d5b82d61a8aeab595b47e2589249675895
---
libsepol/cil/src/cil_post.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index a0cadfde..68c0318e 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -477,7 +477,23 @@ int cil_post_genfscon_context_compare(const void *a, const void *b)
{
struct cil_genfscon *a_genfscon = *(struct cil_genfscon**)a;
struct cil_genfscon *b_genfscon = *(struct cil_genfscon**)b;
- return context_compare(a_genfscon->context, b_genfscon->context);
+ int rc = context_compare(a_genfscon->context, b_genfscon->context);
+ if(rc) {
+ fprintf(stderr, "hello %s\n", a_genfscon->fs_str);
+ int bypass = 0;
+ /*
+ * This conflict has been seen on Xiaomi Mi 9:
+ * - AOSP Q says (genfscon sysfs /devices/virtual/block/ (u object_r sysfs_devices_block ((s0) (s0))))
+ * - stock rom says (genfscon sysfs /devices/virtual/block/ (u object_r sysfs_ufs_target ((s0) (s0))))
+ */
+ if(strcmp(a_genfscon->path_str, "/devices/virtual/block/") == 0)
+ bypass = 1;
+ if(bypass == 1) {
+ fprintf(stderr, "Received conflicting %s vs %s but ignore\n", a_genfscon->path_str, b_genfscon->path_str);
+ return 0;
+ }
+ }
+ return rc;
}
int cil_post_netifcon_context_compare(const void *a, const void *b)
--
2.25.1

44
patches_treble_phh/platform_external_selinux/0006-if-service-is-rcs-accept-conflict.-Seen-on-Moto-E5.patch Normal file
View File

@@ -0,0 +1,44 @@
From ec8e7155afc36bbe1a9649ba307abaa92c32cb0d Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Thu, 12 Sep 2019 20:37:04 +0200
Subject: [PATCH 6/8] if service is "rcs", accept conflict. Seen on Moto E5
Change-Id: I0cc2d0fad83f403f2b5d7458039b1564ce5ed9dd
---
libselinux/src/label_backends_android.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
index d81faabe..1e4513e9 100644
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@@ -62,14 +62,24 @@ static int nodups_specs(struct saved_data *data)
curr_spec->property_key)) {
if (strcmp(spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw)) {
- rc = -1;
- errno = EINVAL;
selinux_log
(SELINUX_ERROR,
"Multiple different specifications for %s (%s and %s).\n",
curr_spec->property_key,
spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw);
+ int ignore = 0;
+ /*
+ * This issue has been found on Moto E5
+ * E SELinux : Multiple different specifications for rcs (u:object_r:radio_service:s0 and u:object_r:mot_rcs_service:s0).
+ */
+ if(!strcmp(curr_spec->property_key, "rcs"))
+ ignore = 1;
+
+ if(!ignore) {
+ rc = -1;
+ errno = EINVAL;
+ }
} else {
selinux_log
(SELINUX_WARNING,
--
2.25.1

27
patches_treble_phh/platform_external_selinux/0007-Allow-mismatches-of-exfat-genfscon.patch Normal file
View File

@@ -0,0 +1,27 @@
From 379d7cf233f500f1914fb86698688717b84385d0 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Sun, 24 May 2020 17:22:22 +0200
Subject: [PATCH 7/8] Allow mismatches of exfat genfscon
---
libsepol/cil/src/cil_post.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 68c0318e..75e5128c 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -488,6 +488,10 @@ int cil_post_genfscon_context_compare(const void *a, const void *b)
*/
if(strcmp(a_genfscon->path_str, "/devices/virtual/block/") == 0)
bypass = 1;
+ if(strcmp(a_genfscon->fs_str, "exfat") == 0 || strcmp(a_genfscon->fs_str, "esdfs") == 0) {
+ if(strcmp(a_genfscon->path_str, "/") == 0)
+ bypass = 1;
+ }
if(bypass == 1) {
fprintf(stderr, "Received conflicting %s vs %s but ignore\n", a_genfscon->path_str, b_genfscon->path_str);
return 0;
--
2.25.1

27
patches_treble_phh/platform_external_selinux/0008-Enable-multipl_decls-by-default.-This-is-needed-beca.patch Normal file
View File

@@ -0,0 +1,27 @@
From aca2ac082800d1db0bb6a1b7ffa9069dd3a3bc2d Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 2 Mar 2018 22:49:55 +0100
Subject: [PATCH 8/8] Enable multipl_decls by default. This is needed because
8.0 init doesn't add -m
Change-Id: I43dc661d519f7b8576d72a828d8cbd444592bf5e
---
secilc/secilc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/secilc/secilc.c b/secilc/secilc.c
index 71a0f685..a7e2e531 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -91,7 +91,7 @@ int main(int argc, char *argv[])
int target = SEPOL_TARGET_SELINUX;
int mls = -1;
int disable_dontaudit = 0;
- int multiple_decls = 0;
+ int multiple_decls = 1;
int disable_neverallow = 0;
int preserve_tunables = 0;
int handle_unknown = -1;
--
2.25.1