From b7aa4a2742789e99ee58ce7c93c6be2a5ac7be19 Mon Sep 17 00:00:00 2001
From: Kai Hsieh
Date: Tue, 7 Jan 2025 17:37:43 +0800
Subject: [PATCH] Add SEPolicy allowing GIA to communicate with Suez service

Attached AVC error log in commit message:
```
[ 68.276362] SELinux: avc: denied { find } for pid=6775 uid=0 name=android.frameworks.stats.IStats/default scontext=u:r:gia:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1
[ 68.280115] type=1400 audit(1736239951.684:21): avc: denied { call } for comm="binder:6775_3" scontext=u:r:gia:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
```
Flag: build.RELEASE_PIXEL_GIA_ENABLED
Test: Manualy, check `dmesg` to make sure that the cooresponding service can be started normally.
Bug: 369965212
Change-Id: I26d4b324f1359b1b895ea8d3fd51c0877098c5ea
Signed-off-by: Kai Hsieh
---
 input/gia/gia.mk | 4 ++--
 input/gia/sepolicy/gia.te | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/input/gia/gia.mk b/input/gia/gia.mk
index d46fa96..febac5b 100644
--- a/input/gia/gia.mk
+++ b/input/gia/gia.mk
@@ -1,8 +1,8 @@
-# GIA is not designed for AOSP
+# When not AOSP target
 ifeq (,$(filter aosp_%, $(TARGET_PRODUCT)))
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/input/gia/sepolicy
- # If Pixel System Service exists, allow it to access GIA
+ # When not factory target
  ifeq (,$(filter factory_%, $(TARGET_PRODUCT)))
  BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/input/gia/sepolicy-pixelsystemservice
  endif
diff --git a/input/gia/sepolicy/gia.te b/input/gia/sepolicy/gia.te
index 2c84e7c..4a310ea 100644
--- a/input/gia/sepolicy/gia.te
+++ b/input/gia/sepolicy/gia.te
@@ -16,3 +16,7 @@ hal_server_domain(gia, hal_gia)
 # allow gia for accessing touch related system file-nodes
 allow gia sysfs_touch_gti:dir r_dir_perms;
 allow gia sysfs_touch_gti:file rw_file_perms;
+
+# allow gia for collecting device stats
+allow gia fwk_stats_service:service_manager find;
+binder_call(gia, stats_service_server);
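Review bot: The new comment `# allow gia for collecting device stats` does not say which service the two rules are for, although the AVC log in the commit message names it; consider `# allow gia to find and call the framework stats service (android.frameworks.stats.IStats/default; stats_service_server is presumably the attribute carried by the system_server domain seen in the denial)`. Naming the interface lets a later reader tie `fwk_stats_service` and the `binder_call` target back to the denial without re-reading the log. `binder_call` as defined in the AOSP te_macros grants more than the single `call` that was denied (call and transfer from gia, transfer back from the server, and fd use), which is the usual client pattern for IStats but is worth stating in the comment so the wider grant is visibly intentional. Both log lines were captured with `permissive=1`, so the rule set should also be confirmed under enforcing, where any still-missing permission would appear as a further avc line rather than being silently allowed.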