author | linjoey <linjoey@google.com> | 2020-03-09 16:23:30 +0800 |
---|---|---|
committer | linjoey <linjoey@google.com> | 2020-03-17 16:16:06 +0800 |
commit | d2029e9577b76144643c9e5a31f402380ba23a67 (patch) | |
tree | 9568012c64d410622c6848fda3e8f79acf609b98 | |
parent | d2b8cfc32b87d10a63189e786474ea66282d5ed7 (diff) | |
display: dontaudit various domains for read/search sysfs_msm_subsys
Graphics drivers gfx promo #0454 adds dependency on gpu_model sysfs
node. This needs various domains to have sepolicy to read and search the
sysfs node. Dontaudit these domains for read/search into sysfs_msm_subsys
Bug: 150924173
Test: device logs does not throw selinux denials, pass pre-submit checks
Change-Id: I5b2dd718d6af92ed557da17181d6595f72f0cc29
-rw-r--r-- | sepolicy/vendor/app.te | 3 | ||||
-rw-r--r-- | sepolicy/vendor/bootanim.te | 3 | ||||
-rw-r--r-- | sepolicy/vendor/cameraserver.te | 3 | ||||
-rw-r--r-- | sepolicy/vendor/hal_graphics_allocator_default.te | 3 | ||||
-rw-r--r-- | sepolicy/vendor/surfaceflinger.te | 3 | ||||
-rw-r--r-- | sepolicy/vendor/system_server.te | 3 |
6 files changed, 18 insertions, 0 deletions
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index 036cccd7..43c8bb13 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,2 +1,5 @@
 # For the camera app
 get_prop(appdomain, camera_prop)
+
+dontaudit appdomain sysfs_msm_subsys:dir search;
+dontaudit appdomain sysfs_msm_subsys:file r_file_perms;
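Review bot: `appdomain` in app.te covers every app domain, untrusted apps included, so these two rules silence read-type denials on anything labelled `sysfs_msm_subsys`, not just the gpu_model probe the description mentions. `r_file_perms` is also wider than the read/search named in the commit message, and nothing in the file says why the rules exist or when they can be removed. I would add `# b/150924173: gfx driver probes gpu_model; access stays denied, only the audit log is silenced` above them and, if the denials actually observed were only `read`/`open`/`getattr`, list those instead of the macro. The same uncommented pair is added in bootanim.te, cameraserver.te, hal_graphics_allocator_default.te, surfaceflinger.te and system_server.te.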
\ No newline at end of file diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te index ab76d057..4ac529b4 100644 --- a/sepolicy/vendor/bootanim.te +++ b/sepolicy/vendor/bootanim.te @@ -8,3 +8,6 @@ dontaudit bootanim system_data_file:dir read; # TODO(b/37205419): Remove upon resolution dontaudit bootanim kernel:system module_request; + +dontaudit bootanim sysfs_msm_subsys:dir search; +dontaudit bootanim sysfs_msm_subsys:file r_file_perms;
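Review bot: bootanim.te now ends without a trailing newline (the `\ No newline at end of file` marker follows this hunk), and the same holds for the new last line of app.te, hal_graphics_allocator_default.te, surfaceflinger.te and system_server.te. Policy sources are typically concatenated before compilation, so an unterminated last line can end up sharing a line with the start of whatever file follows. It parses today because that line ends in `;`, but a trailing comment appended later would swallow the next file's first statement. Terminating `dontaudit bootanim sysfs_msm_subsys:file r_file_perms;` with a newline, and likewise in the other four files, avoids that.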
\ No newline at end of file diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te index b9adc4c5..50854562 100644 --- a/sepolicy/vendor/cameraserver.te +++ b/sepolicy/vendor/cameraserver.te @@ -8,4 +8,7 @@ allow cameraserver sysfs_camera:dir search; allow cameraserver system_server:unix_stream_socket { read write }; +dontaudit cameraserver sysfs_msm_subsys:dir search; +dontaudit cameraserver sysfs_msm_subsys:file r_file_perms; + binder_call(cameraserver, mediacodec) diff --git a/sepolicy/vendor/hal_graphics_allocator_default.te b/sepolicy/vendor/hal_graphics_allocator_default.te index 102fe8b3..09333d1f 100644 --- a/sepolicy/vendor/hal_graphics_allocator_default.te +++ b/sepolicy/vendor/hal_graphics_allocator_default.te @@ -1 +1,4 @@ dontaudit hal_graphics_allocator_default kernel:system module_request; + +dontaudit hal_graphics_allocator_default sysfs_msm_subsys:dir search; +dontaudit hal_graphics_allocator_default sysfs_msm_subsys:file r_file_perms;
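Review bot: In hal_graphics_allocator_default.te the new dontaudit pair hides a denial in what looks like a domain that genuinely loads the graphics driver, so the gpu_model read the description calls a dependency still fails there, only without a log line. If the driver has a safe fallback when the node is unreadable, that deserves a one-line comment next to the rule. If it does not, this domain probably wants a narrow grant such as `allow hal_graphics_allocator_default <gpu_model_sysfs_type>:file r_file_perms;` (placeholder type name, the page defines none) rather than a dontaudit over all of `sysfs_msm_subsys`. Whether the same reasoning applies to surfaceflinger.te cannot be told from the diff.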
\ No newline at end of file diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te index 636d98b4..a1282bc4 100644 --- a/sepolicy/vendor/surfaceflinger.te +++ b/sepolicy/vendor/surfaceflinger.te @@ -5,3 +5,6 @@ allow surfaceflinger debugfs_ion:dir search; typeattribute surfaceflinger system_writes_vendor_properties_violators; set_prop(surfaceflinger, public_vendor_system_prop) + +dontaudit surfaceflinger sysfs_msm_subsys:dir search; +dontaudit surfaceflinger sysfs_msm_subsys:file r_file_perms;
\ No newline at end of file diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te index d7b84619..13b64dbc 100644 --- a/sepolicy/vendor/system_server.te +++ b/sepolicy/vendor/system_server.te @@ -23,3 +23,6 @@ typeattribute system_server system_writes_vendor_properties_violators; set_prop(system_server, public_vendor_system_prop) dontaudit system_server self:capability sys_module; + +dontaudit system_server sysfs_msm_subsys:dir search; +dontaudit system_server sysfs_msm_subsys:file r_file_perms;
\ No newline at end of file |