Merge "sensors: Add sensor related rule to chre." into sc-dev am: b8ec327d5c

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/13885466

Change-Id: I9a4f8817963617f8e212d8ffdf36a17e5580d192

tracking_denials/hal_sensors_default.te

@@ -1,59 +0,0 @@
-# b/182086633
-dontaudit hal_sensors_default servicemanager:binder { call };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default device:dir { watch };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-dontaudit hal_sensors_default mnt_vendor_file:dir { search };
-dontaudit hal_sensors_default persist_file:dir { search };
-dontaudit hal_sensors_default persist_file:dir { getattr };
-dontaudit hal_sensors_default persist_file:dir { read };
-dontaudit hal_sensors_default persist_file:dir { open };
-dontaudit hal_sensors_default persist_file:file { getattr };
-dontaudit hal_sensors_default persist_file:file { read };
-dontaudit hal_sensors_default persist_file:file { open };
-dontaudit hal_sensors_default vendor_data_file:dir { read };
-dontaudit hal_sensors_default vendor_data_file:dir { open };
-dontaudit hal_sensors_default vendor_data_file:file { getattr };
-dontaudit hal_sensors_default vendor_data_file:file { read };
-dontaudit hal_sensors_default vendor_data_file:file { open };
-dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
-dontaudit hal_sensors_default servicemanager:binder { call };
-dontaudit hal_sensors_default servicemanager:binder { transfer };
-dontaudit hal_sensors_default servicemanager:binder { transfer };
-dontaudit hal_sensors_default servicemanager:binder { call };
-dontaudit hal_sensors_default aoc_device:chr_file { getattr };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-dontaudit hal_sensors_default vendor_data_file:file { write };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
-dontaudit hal_sensors_default vendor_data_file:file { write };
-dontaudit hal_sensors_default vendor_data_file:file { read };
-dontaudit hal_sensors_default vendor_data_file:file { getattr };
-dontaudit hal_sensors_default persist_file:dir { search };
-dontaudit hal_sensors_default vendor_data_file:dir { open };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default vendor_data_file:dir { read };
-dontaudit hal_sensors_default persist_file:file { open };
-dontaudit hal_sensors_default vendor_data_file:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
-dontaudit hal_sensors_default persist_file:file { read };
-dontaudit hal_sensors_default persist_file:file { getattr };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default persist_file:dir { open };
-dontaudit hal_sensors_default persist_file:dir { read };
-dontaudit hal_sensors_default persist_file:dir { getattr };
-dontaudit hal_sensors_default vendor_data_file:file { open };
-dontaudit hal_sensors_default mnt_vendor_file:dir { search };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default device:dir { watch };
-dontaudit hal_sensors_default servicemanager:binder { transfer };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-# b/182523946
-dontaudit hal_sensors_default chre_socket:sock_file { write };
-dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
-dontaudit hal_sensors_default chre:unix_stream_socket { connectto };

usf/sensor_hal.te

@@ -20,3 +20,34 @@ allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
 
 # Allow create thread to watch AOC's device.
 allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access to the stats service.
+allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+
+#
+# Suez type enforcements.
+#
+
+# Allow SensorSuez to connect AIDL stats.
+binder_use(hal_sensors_default);
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow access to CHRE socket to connect to nanoapps.
+unix_socket_connect(hal_sensors_default, chre, chre)

whitechapel/vendor/google/hal_sensors_default.te

@@ -1,23 +0,0 @@
-# Allow access to the files of CDT information.
-r_dir_file(hal_sensors_default, sysfs_chosen)
-
-# Allow access to the leds driver.
-allow hal_sensors_default sysfs_leds:dir search;
-allow hal_sensors_default sysfs_leds:file rw_file_perms;
-
-# Allow access to the power supply files for MagCC.
-r_dir_file(hal_sensors_default, sysfs_batteryinfo)
-allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
-
-# Allow access to sensor service for sensor_listener.
-binder_call(hal_sensors_default, system_server);
-
-# Allow access to the stats service.
-allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
-
-# Allow access to the sysfs_aoc.
-allow hal_sensors_default sysfs_aoc:dir search;
-
-# Allow SensorSuez to connect AIDL stats.
-binder_use(hal_sensors_default);
-allow hal_sensors_default fwk_stats_service:service_manager find;