From 35e5021597de1a3b522d0e019de6baa7abce7c64 Mon Sep 17 00:00:00 2001
From: Lei Ju
Date: Tue, 26 Dec 2023 17:25:29 -0800
Subject: [PATCH] Update common chre sepolicy for socket connection

With multiclient HAL, the socket server domain changes from chre to hal_contexthub_default.
Bug: 248615564
Test: updated the sepolicies and observed that avc violation logs disappears.
Change-Id: Ic5717cee6d2714bec49814a1b779266de79dc4f3
---
 chre/sepolicy/hal_contexthub_default.te | 5 +++--
 sensors/sepolicy/hal_sensors_default.te | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/chre/sepolicy/hal_contexthub_default.te b/chre/sepolicy/hal_contexthub_default.te
index 3d67bd3..542d383 100644
--- a/chre/sepolicy/hal_contexthub_default.te
+++ b/chre/sepolicy/hal_contexthub_default.te
@@ -1,5 +1,6 @@
-# Allow context hub HAL to communicate with daemon via socket
-unix_socket_connect(hal_contexthub_default, chre, chre)
+#
+# Context hub multiclient HAL common selinux policies
+#
 # Permit communication with AoC
 allow hal_contexthub_default aoc_device:chr_file rw_file_perms;
diff --git a/sensors/sepolicy/hal_sensors_default.te b/sensors/sepolicy/hal_sensors_default.te
index 1d152d4..85a8262 100644
--- a/sensors/sepolicy/hal_sensors_default.te
+++ b/sensors/sepolicy/hal_sensors_default.te
@@ -60,6 +60,9 @@ allow hal_sensors_default fwk_stats_service:service_manager find;
 # Allow access to CHRE socket to connect to nanoapps.
 unix_socket_connect(hal_sensors_default, chre, chre)
+## TODO(b/248615564): Remove above rule after CHRE multiclient HAL is launched.
+unix_socket_connect(hal_sensors_default, chre, hal_contexthub_default)
+
 # Allow access to the power supply files for MagCC.
 r_dir_file(hal_sensors_default, sysfs_batteryinfo)
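Review bot: The TODO added in sensors/sepolicy/hal_sensors_default.te identifies the rule to delete only by position ("Remove above rule"), so it becomes wrong if a line is ever inserted between the two; name the rule instead, e.g. `# TODO(b/248615564): drop unix_socket_connect(hal_sensors_default, chre, chre) once the CHRE multiclient HAL is launched.` While both rules are present, hal_sensors_default keeps its connect permission towards the chre domain and gains one towards hal_contexthub_default, so that cleanup is what brings the policy back to least privilege. The new rule also has no comment of its own; a line such as `# With the multiclient HAL the CHRE socket server runs as hal_contexthub_default.` would explain why the third macro argument differs. The `##` prefix is inconsistent with the single `#` used by the neighbouring comments in the hunk.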