authorlinjoey <linjoey@google.com>2020-03-09 16:23:30 +0800
committerlinjoey <linjoey@google.com>2020-03-17 16:16:06 +0800
commitd2029e9577b76144643c9e5a31f402380ba23a67 (patch)
tree9568012c64d410622c6848fda3e8f79acf609b98
parentd2b8cfc32b87d10a63189e786474ea66282d5ed7 (diff)
display: dontaudit various domains for read/search sysfs_msm_subsys
Graphics drivers gfx promo #0454 adds a dependency on the gpu_model sysfs node. This needs various domains to have sepolicy to read and search the sysfs node. Dontaudit these domains for read/search into sysfs_msm_subsys.

Bug: 150924173
Test: device logs do not throw selinux denials, pass pre-submit checks
Change-Id: I5b2dd718d6af92ed557da17181d6595f72f0cc29
-rw-r--r--sepolicy/vendor/app.te3
-rw-r--r--sepolicy/vendor/bootanim.te3
-rw-r--r--sepolicy/vendor/cameraserver.te3
-rw-r--r--sepolicy/vendor/hal_graphics_allocator_default.te3
-rw-r--r--sepolicy/vendor/surfaceflinger.te3
-rw-r--r--sepolicy/vendor/system_server.te3
6 files changed, 18 insertions, 0 deletions
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index 036cccd7..43c8bb13 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,2 +1,5 @@
# For the camera app
get_prop(appdomain, camera_prop)
+
+dontaudit appdomain sysfs_msm_subsys:dir search;
+dontaudit appdomain sysfs_msm_subsys:file r_file_perms;
\ No newline at end of file
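Review bot: `appdomain` is an attribute, so these two rules silence denial logging for every app domain on the whole `sysfs_msm_subsys` type, not only for the gpu_model node the description names. Access stays denied, but an app probing other nodes that carry this label would no longer leave an avc record, which removes a detection signal. If the type covers more than gpu_model (not visible in this hunk), consider giving that node its own label and writing the dontaudit against it, or limiting the file rule to the permissions actually seen in the denials instead of `r_file_perms`.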
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
index ab76d057..4ac529b4 100644
--- a/sepolicy/vendor/bootanim.te
+++ b/sepolicy/vendor/bootanim.te
@@ -8,3 +8,6 @@ dontaudit bootanim system_data_file:dir read;
# TODO(b/37205419): Remove upon resolution
dontaudit bootanim kernel:system module_request;
+
+dontaudit bootanim sysfs_msm_subsys:dir search;
+dontaudit bootanim sysfs_msm_subsys:file r_file_perms;
\ No newline at end of file
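Review bot: The new rules carry no comment, while the rule directly above them is annotated with `# TODO(b/37205419): Remove upon resolution`. A dontaudit hides denials from whoever debugs this domain later, so the reason belongs next to it, for example `# b/150924173: GPU driver probes gpu_model in sysfs; access stays denied, only the log is suppressed`. The same applies to the rules added in app.te, cameraserver.te, hal_graphics_allocator_default.te, surfaceflinger.te and system_server.te.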
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
index b9adc4c5..50854562 100644
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -8,4 +8,7 @@ allow cameraserver sysfs_camera:dir search;
allow cameraserver system_server:unix_stream_socket { read write };
+dontaudit cameraserver sysfs_msm_subsys:dir search;
+dontaudit cameraserver sysfs_msm_subsys:file r_file_perms;
+
binder_call(cameraserver, mediacodec)
diff --git a/sepolicy/vendor/hal_graphics_allocator_default.te b/sepolicy/vendor/hal_graphics_allocator_default.te
index 102fe8b3..09333d1f 100644
--- a/sepolicy/vendor/hal_graphics_allocator_default.te
+++ b/sepolicy/vendor/hal_graphics_allocator_default.te
@@ -1 +1,4 @@
dontaudit hal_graphics_allocator_default kernel:system module_request;
+
+dontaudit hal_graphics_allocator_default sysfs_msm_subsys:dir search;
+dontaudit hal_graphics_allocator_default sysfs_msm_subsys:file r_file_perms;
\ No newline at end of file
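Review bot: The description says the domains need to read and search the node, but `dontaudit` grants nothing, so this domain's read of gpu_model still fails and now fails silently. If the graphics driver only probes the node and works without it, say so in a comment; if it needs the value, that would take an `allow` on a narrowly labelled node rather than log suppression. This matters most here and in surfaceflinger.te, presumably the domains where the driver is actually loaded.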
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
index 636d98b4..a1282bc4 100644
--- a/sepolicy/vendor/surfaceflinger.te
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -5,3 +5,6 @@ allow surfaceflinger debugfs_ion:dir search;
typeattribute surfaceflinger system_writes_vendor_properties_violators;
set_prop(surfaceflinger, public_vendor_system_prop)
+
+dontaudit surfaceflinger sysfs_msm_subsys:dir search;
+dontaudit surfaceflinger sysfs_msm_subsys:file r_file_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index d7b84619..13b64dbc 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -23,3 +23,6 @@ typeattribute system_server system_writes_vendor_properties_violators;
set_prop(system_server, public_vendor_system_prop)
dontaudit system_server self:capability sys_module;
+
+dontaudit system_server sysfs_msm_subsys:dir search;
+dontaudit system_server sysfs_msm_subsys:file r_file_perms;
\ No newline at end of file