Evolution-X-Tensor/device_google_gs101
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

pixel-selinux: Add mlstrustedobject for SJTAG

Browse source 
This CL adds the "mlstrustedobject" to types for files involved in the
SJTAG authentication flow, in order to address MLS-based AVC denials.

Bug: 189466122
Test: No more AVC denials when activating SJTAG in BetterBug
Signed-off-by: Peter Csaszar <pcsaszar@google.com>
Change-Id: Ieb88653830ce95751eee5cf26c26fd6302067bce
This commit is contained in:
Peter Csaszar 2021-05-28 23:58:13 -07:00
parent 9f8d552411
commit 7ea6a44719
2 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
whitechapel/vendor/google/file.te vendored
View file

@ -144,6 +144,9 @@ type sysfs_edgetpu, sysfs_type, fs_type;
# Vendor sched files
type sysfs_vendor_sched, sysfs_type, fs_type;
userdebug_or_eng(`
typeattribute sysfs_vendor_sched mlstrustedobject;
')
type proc_vendor_sched, proc_type, fs_type;
# GPS
@ -211,3 +214,6 @@ type vendor_wlc_fwupdata_file, vendor_file_type, file_type;
# SJTAG
type sysfs_sjtag, fs_type, sysfs_type;
userdebug_or_eng(`
typeattribute sysfs_sjtag mlstrustedobject;
')

1
whitechapel/vendor/google/ssr_detector.te vendored
View file

@ -14,6 +14,7 @@ userdebug_or_eng(`
get_prop(ssr_detector_app, vendor_aoc_prop)
allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;
')
get_prop(ssr_detector_app, vendor_ssrdump_prop)