sepolicy: Define new policy rule to read gpu model

Add  a new file context label for gpu_model sysfs entry. allowed read
access to that entry.

Addressing the following denials :

type=1400 audit(9324.519:24): avc: denied { read }
for comm="HwBinder:765_2" name="gpu_model" dev="sysfs"
ino=44362 scontext=u:r:hal_graphics_allocator_default:s0
 tcontext=u:object_r:sysfs_kgsl:s0 tclass=file permissive=0

type=1400 audit(9324.519:24): avc: denied { read } for
comm="HwBinder:765_2" name="gpu_model" dev="sysfs" ino=44362
scontext=u:r:hal_graphics_allocator_default:s0 tcontext=u:
object_r:sysfs_kgsl:s0 tclass=file permissive=0

type=1400 audit(9325.619:26): avc: denied { read } for comm=
"BootAnimation" name="gpu_model" dev="sysfs" ino=44362
scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs_kgsl:s0
tclass=file permissive=0

type=1400 audit(1566811221.909:56): avc: denied { read } for
comm="android.anim" name="gpu_model" dev="sysfs" ino=44362
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_kgsl:s0
tclass=file permissive=0

avc: denied { read } for name="gpu_model" dev="sysfs" ino=28656
scontext=u:r:location_app:s0:c74,c256,c512,c768 tcontext=u:object_r
:sysfs_kgsl_gpu_model:s0 tclass=file permissive=0

avc: denied { read } for name="gpu_model" dev="sysfs" ino=28656
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:
sysfs_kgsl_gpu_model:s0 tclass=file permissive=0

Change-Id: Ice9dd15278495475615e494c35af065e7736ea93

10 files changed, 22 insertions, 0 deletions

diff --git a/generic/vendor/common/domain.te b/generic/vendor/common/domain.te
index 4e8595b8..01b3724d 100644
--- a/generic/vendor/common/domain.te
+++ b/generic/vendor/common/domain.te
@@ -50,6 +50,7 @@ dontaudit domain kernel:system module_request;
 # For compliance testing test suite reads vendor_security_path_level
 # Which is the public readable property “ ro.vendor.build.security_patch
 get_prop(domain, vendor_security_patch_level_prop)
+
 neverallow {
      coredomain
      -init
@@ -57,3 +58,6 @@ neverallow {
      -vold
      -kernel
      } vendor_persist_type: { dir file } *;
+
+# allow all context to read gpu model
+allow { domain - isolated_app } sysfs_kgsl_gpu_model:file r_file_perms;
diff --git a/generic/vendor/common/file.te b/generic/vendor/common/file.te
index 7aaf1497..2fcdf7cc 100644
--- a/generic/vendor/common/file.te
+++ b/generic/vendor/common/file.te
@@ -198,3 +198,6 @@ type qdcmsocket_socket, file_type;
 type sysfs_mhi, sysfs_type, fs_type;
 
 type sysfs_suspend, fs_type, sysfs_type;
+
+# kgsl gpu model file type for sysfs access
+type sysfs_kgsl_gpu_model, sysfs_type, fs_type;
diff --git a/generic/vendor/common/file_contexts b/generic/vendor/common/file_contexts
index eb3d4097..4f8addb7 100644
--- a/generic/vendor/common/file_contexts
+++ b/generic/vendor/common/file_contexts
@@ -425,6 +425,7 @@
 
 /sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
 /sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_model u:object_r:sysfs_kgsl_gpu_model:s0
 
 /sys/devices(/platform)?/soc/[a-f0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-f0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,usb-pdphy@[0-9]+/usbpd/usbpd[0-9](/.*)? u:object_r:sysfs_usbpd_device:s0
 /sys/devices(/platform)?/soc/[a-f0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-f0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/usb(/.*)?        u:object_r:sysfs_usb_supply:s0
diff --git a/generic/vendor/common/priv_app.te b/generic/vendor/common/priv_app.te
index dd2137f7..b22d7a0d 100644
--- a/generic/vendor/common/priv_app.te
+++ b/generic/vendor/common/priv_app.te
@@ -31,3 +31,4 @@ hal_client_domain(priv_app, hal_perf)
 # priv_app domain
 allow priv_app rs_exec:file rx_file_perms;
 
+allow priv_app sysfs_kgsl_gpu_model:file r_file_perms;
diff --git a/legacy/vendor/common/domain.te b/legacy/vendor/common/domain.te
index d788c6a4..c4d6dffc 100644
--- a/legacy/vendor/common/domain.te
+++ b/legacy/vendor/common/domain.te
@@ -69,3 +69,6 @@ allow { domain -isolated_app -runas_app -untrusted_app_25 -untrusted_app_27 -eph
  find;
 allow { domain -isolated_app -runas_app -untrusted_app_25 -untrusted_app_27 -ephemeral_app -mediaprovider -untrusted_app -perfprofd -vold -iorapd -installd } hal_perf_default:binder call;
 allow { domain -isolated_app -runas_app -untrusted_app_25 -untrusted_app_27 -ephemeral_app -mediaprovider -untrusted_app -perfprofd -vold -iorapd -installd } hwservicemanager:binder call;
+
+# allow all context to read gpu model
+allow { domain - isolated_app } sysfs_kgsl_gpu_model:file r_file_perms;
diff --git a/legacy/vendor/common/file.te b/legacy/vendor/common/file.te
index 0e13e7a8..8739263a 100644
--- a/legacy/vendor/common/file.te
+++ b/legacy/vendor/common/file.te
@@ -284,6 +284,8 @@ type sysfs_kgsl, sysfs_type, fs_type;
 type sysfs_kgsl_proc, sysfs_type, fs_type;
 # kgsl snapshot file type for sysfs access
 type sysfs_kgsl_snapshot, sysfs_type, fs_type;
+# kgsl gpu model file type for sysfs access
+type sysfs_kgsl_gpu_model, sysfs_type, fs_type;
 
 # secure touch files
 type sysfs_securetouch, fs_type, sysfs_type;
diff --git a/legacy/vendor/common/file_contexts b/legacy/vendor/common/file_contexts
index 82fb7a2a..6b7ec215 100644
--- a/legacy/vendor/common/file_contexts
+++ b/legacy/vendor/common/file_contexts
@@ -481,6 +481,7 @@
 /sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)?  u:object_r:sysfs_scsi_host:s0
 /sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/host0/target0:0:0/0:0:0:[0-9]+/scsi_generic(/.*)?     u:object_r:sysfs_scsi_target:s0
 /sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_model u:object_r:sysfs_kgsl_gpu_model:s0
 /sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
 /sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/snapshot(/.*)? u:object_r:sysfs_kgsl_snapshot:s0
 
diff --git a/legacy/vendor/common/location_app.te b/legacy/vendor/common/location_app.te
index 6d42bfc9..74c71025 100644
--- a/legacy/vendor/common/location_app.te
+++ b/legacy/vendor/common/location_app.te
@@ -50,3 +50,5 @@ allowxperm location_app self:socket ioctl msm_sock_ipc_ioctls;
 allow location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
 allow location_app sysfs_data:file r_file_perms;
 unix_socket_connect(location_app, dpmtcm, dpmd)
+
+allow location_app sysfs_kgsl_gpu_model:file r_file_perms;
diff --git a/legacy/vendor/common/priv_app.te b/legacy/vendor/common/priv_app.te
index 62ca1ce8..bef2a5e7 100644
--- a/legacy/vendor/common/priv_app.te
+++ b/legacy/vendor/common/priv_app.te
@@ -29,3 +29,5 @@ hal_client_domain(priv_app, hal_perf)
 # TODO(b/123050471): this grants renderscript exec permissions to the
 # priv_app domain
 allow priv_app rs_exec:file rx_file_perms;
+
+allow priv_app sysfs_kgsl_gpu_model:file r_file_perms;
diff --git a/qva/vendor/common/location_app.te b/qva/vendor/common/location_app.te
index 558b3caa..4d9c3d9c 100644
--- a/qva/vendor/common/location_app.te
+++ b/qva/vendor/common/location_app.te
@@ -30,3 +30,6 @@
 
 # allow location_app to access perf hal
 hal_client_domain(location_app, hal_perf)
+
+# allow location_app to access gpu_model
+allow location_app sysfs_kgsl_gpu_model:file r_file_perms;