From 714075eba72067489d08c36b87bfed9656092b2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Tue, 29 Jun 2021 14:29:11 -0700
Subject: [PATCH] add sepolicy for set_usb_irq.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: 185092876
Test: TreeHugger, booted on oriole, enabled/disabled tethering
Signed-off-by: Maciej Żenczykowski
Change-Id: I7361a4390197e04b27eaf153a696e3f800f79b55
---
 whitechapel/vendor/google/file_contexts | 3 +++
 whitechapel/vendor/google/set-usb-irq-sh.te | 13 +++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 whitechapel/vendor/google/set-usb-irq-sh.te

diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index b892d447..86af0a91 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -270,6 +270,9 @@
 # Kernel modules related
 /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
 
+# USB
+/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0
+
 # NFC
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
 /dev/st21nfc u:object_r:nfc_device:s0
diff --git a/whitechapel/vendor/google/set-usb-irq-sh.te b/whitechapel/vendor/google/set-usb-irq-sh.te
new file mode 100644
index 00000000..a00fe3bb
--- /dev/null
+++ b/whitechapel/vendor/google/set-usb-irq-sh.te
@@ -0,0 +1,13 @@
+type set-usb-irq-sh, domain;
+type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(set-usb-irq-sh)
+
+allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans;
+
+allow set-usb-irq-sh proc_irq:dir r_dir_perms;
+allow set-usb-irq-sh proc_irq:file w_file_perms;
+
+# AFAICT this happens if /proc/irq updates as we're running
+# and we end up trying to write into non-existing file,
+# which implies creation...
+dontaudit set-usb-irq-sh self:capability dac_override;
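Review bot: The `dontaudit set-usb-irq-sh self:capability dac_override;` rule at the end of set-usb-irq-sh.te suppresses every dac_override denial for this domain, not only the /proc/irq race its comment guesses at ("AFAICT"), so a later, unrelated denial from this script would leave no audit record. The rule grants nothing, but the rationale is unconfirmed, and the script itself is not part of this patch, so it cannot be checked here. I would record the evidence in the comment, for example `# Observed avc: denied { dac_override } when an IRQ entry disappears mid-run (b/<BUG_ID>); suppressed, not granted.`, and re-check whether the rule is still needed once the script is known not to write to entries that have gone away. Separately, `allow set-usb-irq-sh proc_irq:file w_file_perms;` covers every file carrying the proc_irq label rather than only the USB interrupt; a one-line comment stating that this breadth is accepted would help the next reader.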