bluejay: add sepolicy for ufs_firmware_update process

Allow the script to access the specified partition and sysfs. Bug: 273305212 Test: full build and test ffu flow Change-Id: I6f86606ebf0da631d1d2c1a433a9d200d6cac51c Signed-off-by: Leo Liou <leoliou@google.com>
2023-03-17 16:24:34 +08:00 · 2023-03-17 16:24:34 +08:00 · ca6ca14a45
commit ca6ca14a45
parent fe21211958
4 changed files with 22 additions and 0 deletions
--- a/bluejay/genfs_contexts
+++ b/bluejay/genfs_contexts
@ -4,3 +4,8 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a      u:object
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a      u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a      u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a      u:object_r:sysfs_vibrator:s0
+
+# Storage
+genfscon sysfs /devices/platform/14700000.ufs/vendor                    u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/model                     u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/rev                       u:object_r:sysfs_scsi_devices_0000:s0
--- a/vendor/device.te
+++ b/vendor/device.te
@ -0,0 +1,2 @@
+# Block Devices
+type fips_block_device, dev_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -0,0 +1,5 @@
+# Binaries
+/vendor/bin/ufs_firmware_update\.sh                                         u:object_r:ufs_firmware_update_exec:s0
+
+# Devices
+/dev/block/platform/14700000\.ufs/by-name/fips                              u:object_r:fips_block_device:s0
--- a/vendor/ufs_firmware_update.te
+++ b/vendor/ufs_firmware_update.te
@ -0,0 +1,10 @@
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(ufs_firmware_update)
+
+allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+allow ufs_firmware_update block_device:dir r_dir_perms;
+allow ufs_firmware_update fips_block_device:blk_file rw_file_perms;
+allow ufs_firmware_update sysfs:dir r_dir_perms;
+allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;