From 7ea6a447199f7456a8ff089df5301694c7aa8710 Mon Sep 17 00:00:00 2001
From: Peter Csaszar
Date: Fri, 28 May 2021 23:58:13 -0700
Subject: [PATCH] pixel-selinux: Add mlstrustedobject for SJTAG
This CL adds the "mlstrustedobject" to types for files involved in the SJTAG authentication flow, in order to address MLS-based AVC denials.
Bug: 189466122
Test: No more AVC denials when activating SJTAG in BetterBug
Signed-off-by: Peter Csaszar
Change-Id: Ieb88653830ce95751eee5cf26c26fd6302067bce
---
 whitechapel/vendor/google/file.te | 6 ++++++
 whitechapel/vendor/google/ssr_detector.te | 1 +
 2 files changed, 7 insertions(+)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 4c1a2a1a..412f03d0 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -144,6 +144,9 @@ type sysfs_edgetpu, sysfs_type, fs_type;
 # Vendor sched files
 type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_vendor_sched mlstrustedobject;
+')
 type proc_vendor_sched, proc_type, fs_type;
 # GPS
@@ -211,3 +214,6 @@ type vendor_wlc_fwupdata_file, vendor_file_type, file_type;
 # SJTAG
 type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_sjtag mlstrustedobject;
+')
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
index a70edece..16e0e9f0 100644
--- a/whitechapel/vendor/google/ssr_detector.te
+++ b/whitechapel/vendor/google/ssr_detector.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
 get_prop(ssr_detector_app, vendor_aoc_prop)
 allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
 allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+ allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;
 ')
 get_prop(ssr_detector_app, vendor_ssrdump_prop)
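Review bot: The `typeattribute sysfs_vendor_sched mlstrustedobject;` line added in the first file.te hunk is type-wide rather than scoped to the SJTAG flow. On userdebug/eng builds, every domain that holds a TE allow rule on sysfs_vendor_sched becomes exempt from the MLS constraints on these files, not only ssr_detector_app. sysfs_vendor_sched is declared under "# Vendor sched files", so a reader cannot tell why an SJTAG change touches it. I would add a comment above the block such as `# mlstrustedobject: ssr_detector_app accesses these nodes across MLS levels during SJTAG activation (b/189466122); debug builds only`, and check which other domains are allowed on this type before merging.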
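Review bot: Once `typeattribute sysfs_sjtag mlstrustedobject;` is applied in the second file.te hunk, type enforcement is the only control left on the SJTAG sysfs nodes for debug builds, and nothing here pins down which domains may hold that access. A neverallow next to the type declaration would keep a later broad allow rule from silently exposing the debug-authentication interface, for example `neverallow { domain -ssr_detector_app -<OTHER_EXPECTED_DOMAINS> } sysfs_sjtag:file w_file_perms;`. The exclusion list must be filled in from the rest of the policy, which is not visible in this diff.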
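Review bot: The added `allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;` in ssr_detector.te grants read and write on every file labelled sysfs_vendor_sched, while the commit subject and description only mention adding mlstrustedobject. If the denials being fixed were write-only, `allow ssr_detector_app sysfs_vendor_sched:file w_file_perms;` would be the narrower grant. Either way a one-line comment naming the scheduler node the SJTAG flow touches would help later audits. The enclosing userdebug_or_eng block opens before this hunk, so the rule is at least limited to debug builds.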