nehemiah-zb/lineage_patches_unified
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial unified commit for Android 14, with TrebleDroid GSI target, syncing up to 20240208

Browse Source
This commit is contained in:
Andy CrossGate Yan
2024-02-17 16:46:38 +08:00
commit e9902a4450
281 changed files with 169698 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
patches_treble_td/platform_external_selinux/0001-Increase-default-log_level-to-get-actual-selinux-err.patch Normal file
View File

@@ -0,0 +1,26 @@
From aa0cbcaebbaf0886abfd6bd97232798c7cb5be9b Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Mon, 9 Apr 2018 00:19:49 +0200
Subject: [PATCH 01/10] Increase default log_level to get actual selinux error
in kmsg
---
secilc/secilc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/secilc/secilc.c b/secilc/secilc.c
index 80d3583d..a51630b2 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -107,7 +107,7 @@ int main(int argc, char *argv[])
int opt_index = 0;
char *fc_buf = NULL;
size_t fc_size;
- enum cil_log_level log_level = CIL_ERR;
+ enum cil_log_level log_level = CIL_WARN;
static struct option long_opts[] = {
{"help", no_argument, 0, 'h'},
{"verbose", no_argument, 0, 'v'},
--
2.25.1

45
patches_treble_td/platform_external_selinux/0002-Revert-libsepol-Make-an-unknown-permission-an-error-.patch Normal file
View File

@@ -0,0 +1,45 @@
From a88a863bdd7cee7e8d8a681d7f32d9ff6d0bc746 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Wed, 9 Sep 2020 22:36:42 +0200
Subject: [PATCH 02/10] Revert "libsepol: Make an unknown permission an error
in CIL"
This reverts commit dc4e54126bf25dea4d51820922ccd1959be68fbc.
This is required because some targets calls undefined permissions:
- Realme X2 Pro calls sigcont
- Honor 7X calls perf_event
---
libsepol/cil/src/cil_resolve_ast.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index d2bfdc81..91fa1075 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -136,14 +136,18 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
}
if (rc != SEPOL_OK) {
+ struct cil_list *empty_list;
if (class_flavor == CIL_MAP_CLASS) {
cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
- } else {
- cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
+ goto exit;
}
- goto exit;
+ cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
+ /* Use an empty list to represent unknown perm */
+ cil_list_init(&empty_list, perm_strs->flavor);
+ cil_list_append(*perm_datums, CIL_LIST, empty_list);
+ } else {
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
}
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
} else {
cil_list_append(*perm_datums, curr->flavor, curr->data);
}
--
2.25.1

116
patches_treble_td/platform_external_selinux/0003-Workaround-device-phh-treble-conflict-with-SELinux-p.patch Normal file
View File

@@ -0,0 +1,116 @@
From 01034f4009d29c401d5f007f76044482c0ed8bd0 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Wed, 31 Mar 2021 23:32:37 +0200
Subject: [PATCH 03/10] Workaround device/phh/treble conflict with SELinux
policy
device/phh/treble defines the following three types (hostapd,
sysfs_usb_supply, rpmb_device)
However, Qualcomm Samsung Android 11 devices export those symbols as
typealias.
Type and typealias are fundamentally not mergeable.
Luckily, Samsung doesn't do anything with those typealias, so we can
simply ignore them.
---
libsepol/cil/src/cil_binary.c | 8 ++++++--
libsepol/cil/src/cil_build_ast.c | 11 +++++++++--
libsepol/cil/src/cil_resolve_ast.c | 15 +++++++++++++--
3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 40615db2..74a52956 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -511,13 +511,17 @@ int cil_typealias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alias)
type_datum_init(sepol_alias);
rc = __cil_get_sepol_type_datum(pdb, DATUM(cil_alias->actual), &sepol_type);
- if (rc != SEPOL_OK) goto exit;
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed at %s:%s:%d\n", __FILE__, __FUNCTION__, __LINE__);
+ goto exit;
+ }
sepol_alias->flavor = TYPE_TYPE;
key = cil_strdup(cil_alias->datum.fqn);
rc = symtab_insert(pdb, SYM_TYPES, key, sepol_alias, SCOPE_DECL, 0, NULL);
if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed at %s:%s:%d:%d\n", __FILE__, __FUNCTION__, __LINE__, rc);
goto exit;
}
sepol_alias->s.value = sepol_type->s.value;
@@ -3995,7 +3999,7 @@ static int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
exit:
if (rc != SEPOL_OK) {
- cil_tree_log(node, CIL_ERR, "Binary policy creation failed");
+ cil_tree_log(node, CIL_ERR, "Binary policy creation failed, for pass = %d, flavor = %d", pass, node->flavor);
}
return rc;
}
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 4177c9f6..118de1f5 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -116,7 +116,7 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke
rc = cil_symtab_insert(symtab, key, datum, node);
if (rc == SEPOL_EEXIST) {
- struct cil_symtab_datum *prev;
+ struct cil_symtab_datum *prev = NULL;
rc = cil_symtab_get_datum(symtab, key, &prev);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Re-declaration of %s %s, but previous declaration could not be found\n",cil_node_to_string(node), key);
@@ -129,7 +129,14 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke
cil_node_to_string(node), key);
cil_tree_log(node, CIL_ERR, "Previous declaration of %s",
cil_node_to_string(n));
- return SEPOL_ERR;
+ if(
+ strcmp(key, "sysfs_usb_supply") == 0 ||
+ strcmp(key, "hostapd") == 0 ||
+ strcmp(key, "rpmb_device") == 0) {
+ cil_log(CIL_ERR, "Ignoring...");
+ } else {
+ return SEPOL_ERR;
+ }
}
/* multiple_decls is enabled and works for this datum type, add node */
cil_list_append(prev->nodes, CIL_NODE, node);
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 91fa1075..d20fb7ee 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -522,7 +522,13 @@ static int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_ar
}
if (FLAVOR(alias_datum) != alias_flavor) {
cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
- rc = SEPOL_ERR;
+ if(
+ strcmp(alias_datum->name, "hostapd") == 0 ||
+ strcmp(alias_datum->name, "sysfs_usb_supply") == 0 ||
+ strcmp(alias_datum->name, "rpmb_device") == 0)
+ rc = 0;
+ else
+ rc = SEPOL_ERR;
goto exit;
}
@@ -563,7 +569,12 @@ static int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_f
int limit = 2;
if (alias->actual == NULL) {
- cil_tree_log(current, CIL_ERR, "Alias declared but not used");
+ cil_tree_log(current, CIL_ERR, "Alias %s declared but not used", a1->datum.name);
+ if(
+ strcmp(a1->datum.name, "hostapd") == 0 ||
+ strcmp(a1->datum.name, "sysfs_usb_supply") == 0 ||
+ strcmp(a1->datum.name, "rpmb_device") == 0)
+ return SEPOL_OK;
return SEPOL_ERR;
}
--
2.25.1

43
patches_treble_td/platform_external_selinux/0004-Allow-devices-virtual-block-genfscon-conflict-seen-o.patch Normal file
View File

@@ -0,0 +1,43 @@
From 81fa34b00d80113ed4015b99dab093826c1acb89 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 6 Sep 2019 15:07:25 +0200
Subject: [PATCH 04/10] Allow /devices/virtual/block/ genfscon conflict (seen
on Xiaomi Mi 9)
Change-Id: I06e4e9d5b82d61a8aeab595b47e2589249675895
---
libsepol/cil/src/cil_post.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index a7c66ead..99410da0 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -491,7 +491,23 @@ static int cil_post_genfscon_context_compare(const void *a, const void *b)
{
struct cil_genfscon *a_genfscon = *(struct cil_genfscon**)a;
struct cil_genfscon *b_genfscon = *(struct cil_genfscon**)b;
- return context_compare(a_genfscon->context, b_genfscon->context);
+ int rc = context_compare(a_genfscon->context, b_genfscon->context);
+ if(rc) {
+ fprintf(stderr, "hello %s\n", a_genfscon->fs_str);
+ int bypass = 0;
+ /*
+ * This conflict has been seen on Xiaomi Mi 9:
+ * - AOSP Q says (genfscon sysfs /devices/virtual/block/ (u object_r sysfs_devices_block ((s0) (s0))))
+ * - stock rom says (genfscon sysfs /devices/virtual/block/ (u object_r sysfs_ufs_target ((s0) (s0))))
+ */
+ if(strcmp(a_genfscon->path_str, "/devices/virtual/block/") == 0)
+ bypass = 1;
+ if(bypass == 1) {
+ fprintf(stderr, "Received conflicting %s vs %s but ignore\n", a_genfscon->path_str, b_genfscon->path_str);
+ return 0;
+ }
+ }
+ return rc;
}
static int cil_post_netifcon_context_compare(const void *a, const void *b)
--
2.25.1

44
patches_treble_td/platform_external_selinux/0005-if-service-is-rcs-accept-conflict.-Seen-on-Moto-E5.patch Normal file
View File

@@ -0,0 +1,44 @@
From 0bc7791b9f1423f70c17b68dd7fb9d672b2bb924 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Thu, 12 Sep 2019 20:37:04 +0200
Subject: [PATCH 05/10] if service is "rcs", accept conflict. Seen on Moto E5
Change-Id: I0cc2d0fad83f403f2b5d7458039b1564ce5ed9dd
---
libselinux/src/label_backends_android.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
index 77f7a1eb..55a30944 100644
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@@ -62,14 +62,24 @@ static int nodups_specs(struct saved_data *data)
curr_spec->property_key)) {
if (strcmp(spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw)) {
- rc = -1;
- errno = EINVAL;
selinux_log
(SELINUX_ERROR,
"Multiple different specifications for %s (%s and %s).\n",
curr_spec->property_key,
spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw);
+ int ignore = 0;
+ /*
+ * This issue has been found on Moto E5
+ * E SELinux : Multiple different specifications for rcs (u:object_r:radio_service:s0 and u:object_r:mot_rcs_service:s0).
+ */
+ if(!strcmp(curr_spec->property_key, "rcs"))
+ ignore = 1;
+
+ if(!ignore) {
+ rc = -1;
+ errno = EINVAL;
+ }
} else {
selinux_log
(SELINUX_WARNING,
--
2.25.1

27
patches_treble_td/platform_external_selinux/0006-Allow-mismatches-of-exfat-genfscon.patch Normal file
View File

@@ -0,0 +1,27 @@
From c4100e160008273781973b2098267e7d343b8956 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Sun, 24 May 2020 17:22:22 +0200
Subject: [PATCH 06/10] Allow mismatches of exfat genfscon
---
libsepol/cil/src/cil_post.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 99410da0..7f614c03 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -502,6 +502,10 @@ static int cil_post_genfscon_context_compare(const void *a, const void *b)
*/
if(strcmp(a_genfscon->path_str, "/devices/virtual/block/") == 0)
bypass = 1;
+ if(strcmp(a_genfscon->fs_str, "exfat") == 0 || strcmp(a_genfscon->fs_str, "esdfs") == 0) {
+ if(strcmp(a_genfscon->path_str, "/") == 0)
+ bypass = 1;
+ }
if(bypass == 1) {
fprintf(stderr, "Received conflicting %s vs %s but ignore\n", a_genfscon->path_str, b_genfscon->path_str);
return 0;
--
2.25.1

84
patches_treble_td/platform_external_selinux/0007-Fix-boot-on-Moto-devices-using-unknown-class.patch Normal file
View File

@@ -0,0 +1,84 @@
From 4c0afb19a2170e2cd9c4e2a1fdb48cdb16d4100e Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 25 Oct 2019 13:29:20 +0200
Subject: [PATCH 07/10] Fix boot on Moto devices using unknown class
vendor sepolicy never contains new class or classorder, and are not
allowed to.
Though this is not tested, and it turns out Moto did it anyway.
This raises an issue, because class need to be ordered, and thus the cil
contains the ordering. This ordering needs to be merged.
Android 10 added new classes, so the ordering can no longer be merged,
and secilc fails on those devices, preventing boot.
Considering vendor are not supposed to declare new class (and thus
declare classorder), this fix ignores class-es/classorder in vendor
SELinux policy.
Since the vendor selinux policy has allows rules based on this context,
those allows will fail since the class doesn't exist.
Workaround this by ignoring rules with the problematic class
( keystore_moto_key )
Lucky us, this new class `keystore_moto_key` is used by Moto for
framework to framework (more accurately priv app to keymaster), since
our own framework doesn't use this class, simply ignoring it fixes the
issue.
Change-Id: I66339857634ebfdba359f12a99dfd0bff709d80b
---
libsepol/cil/src/cil_build_ast.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 118de1f5..77e130d1 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -462,6 +462,14 @@ int cil_gen_class(struct cil_db *db, struct cil_tree_node *parse_current, struct
struct cil_tree_node *perms = NULL;
int rc = SEPOL_ERR;
+ {
+ const char* path = cil_tree_get_cil_path(parse_current);
+ if(strstr(path, "vendor/")) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
rc = __cil_verify_syntax(parse_current, syntax, syntax_len);
if (rc != SEPOL_OK) {
goto exit;
@@ -530,6 +538,14 @@ int cil_gen_classorder(struct cil_db *db, struct cil_tree_node *parse_current, s
struct cil_list_item *head = NULL;
int rc = SEPOL_ERR;
+ {
+ const char* path = cil_tree_get_cil_path(parse_current);
+ if(strstr(path, "vendor/")) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
if (db == NULL || parse_current == NULL || ast_node == NULL) {
goto exit;
}
@@ -2115,6 +2131,14 @@ int cil_gen_avrule(struct cil_tree_node *parse_current, struct cil_tree_node *as
rule->src_str = parse_current->next->data;
rule->tgt_str = parse_current->next->next->data;
+ {
+ const char *classname = parse_current->next->next->next->cl_head->data;
+ if(strcmp(classname, "keystore_moto_key") == 0) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
rc = cil_fill_classperms_list(parse_current->next->next->next, &rule->perms.classperms);
if (rc != SEPOL_OK) {
goto exit;
--
2.25.1

26
patches_treble_td/platform_external_selinux/0008-Improve-SELinux-policy-workaround-on-device-phh-treb.patch Normal file
View File

@@ -0,0 +1,26 @@
From 18cdd4e9ff37377b80f837c92026f1ce3514d074 Mon Sep 17 00:00:00 2001
From: ponces <ponces26@gmail.com>
Date: Mon, 7 Nov 2022 16:14:20 +0000
Subject: [PATCH 08/10] Improve SELinux policy workaround on device/phh/treble
conflict to exit with SEPOL_OK instead of SEPOL_EEXIST
This fixes boot on many Samsung devices as exiting with SEPOL_EEXIST will prevent them to boot
---
libsepol/cil/src/cil_build_ast.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 77e130d1..daf8b8b3 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -141,7 +141,6 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke
/* multiple_decls is enabled and works for this datum type, add node */
cil_list_append(prev->nodes, CIL_NODE, node);
node->data = prev;
- return SEPOL_EEXIST;
}
return SEPOL_OK;
--
2.25.1

33
patches_treble_td/platform_external_selinux/0009-Allow-sys-vm-watermark_scale_factor-conflict-seen-on.patch Normal file
View File

@@ -0,0 +1,33 @@
From e62c978dbf5f214f392355a0d111adc772f10b60 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Thu, 20 Jul 2023 14:21:21 -0400
Subject: [PATCH 09/10] Allow /sys/vm/watermark_scale_factor conflict -- seen
on Freebox Player Pop
---
libsepol/cil/src/cil_post.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 7f614c03..1703b3b6 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -502,6 +502,15 @@ static int cil_post_genfscon_context_compare(const void *a, const void *b)
*/
if(strcmp(a_genfscon->path_str, "/devices/virtual/block/") == 0)
bypass = 1;
+ /*
+ * This conflict has been seen on Freebox Player Pop
+ * - AOSP T says (genfscon proc "/sys/vm/watermark_scale_factor" (u object_r proc_watermark_scale_factor ((s0) (s0))))
+ * - stock rom says proc_vm_writable
+ *
+ * Stock ROM uses it only in recovery so it's safe to ignore
+ */
+ if(strcmp(a_genfscon->path_str, "/sys/vm/watermark_scale_factor") == 0)
+ bypass = 1;
if(strcmp(a_genfscon->fs_str, "exfat") == 0 || strcmp(a_genfscon->fs_str, "esdfs") == 0) {
if(strcmp(a_genfscon->path_str, "/") == 0)
bypass = 1;
--
2.25.1

25
patches_treble_td/platform_external_selinux/0010-Allow-conflict-on-fuseblk.patch Normal file
View File

@@ -0,0 +1,25 @@
From d69b637d22bd02e44ece4e68e53b9151dfda8247 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 6 Oct 2023 08:49:59 -0400
Subject: [PATCH 10/10] Allow conflict on fuseblk
---
libsepol/cil/src/cil_post.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 1703b3b6..5428005d 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -511,7 +511,7 @@ static int cil_post_genfscon_context_compare(const void *a, const void *b)
*/
if(strcmp(a_genfscon->path_str, "/sys/vm/watermark_scale_factor") == 0)
bypass = 1;
- if(strcmp(a_genfscon->fs_str, "exfat") == 0 || strcmp(a_genfscon->fs_str, "esdfs") == 0) {
+ if(strcmp(a_genfscon->fs_str, "exfat") == 0 || strcmp(a_genfscon->fs_str, "esdfs") == 0 || strcmp(a_genfscon->fs_str, "fuseblk") == 0) {
if(strcmp(a_genfscon->path_str, "/") == 0)
bypass = 1;
}
--
2.25.1