Merge "add sepolicy for set_usb_irq.sh" into sc-dev

2021-07-07 16:23:13 +00:00 · 2021-07-07 16:23:13 +00:00 · 9b270f0fc5
commit 9b270f0fc5
parent 72bc4971df 714075eba7
2 changed files with 16 additions and 0 deletions
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@ -270,6 +270,9 @@
 # Kernel modules related
 /vendor/bin/init\.insmod\.sh    u:object_r:init-insmod-sh_exec:s0

+# USB
+/vendor/bin/hw/set_usb_irq\.sh  u:object_r:set-usb-irq-sh_exec:s0
+
 # NFC
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st                u:object_r:hal_nfc_default_exec:s0
 /dev/st21nfc                                                                          u:object_r:nfc_device:s0
--- a/whitechapel/vendor/google/set-usb-irq-sh.te
+++ b/whitechapel/vendor/google/set-usb-irq-sh.te
@ -0,0 +1,13 @@
+type set-usb-irq-sh, domain;
+type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(set-usb-irq-sh)
+
+allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans;
+
+allow set-usb-irq-sh proc_irq:dir r_dir_perms;
+allow set-usb-irq-sh proc_irq:file w_file_perms;
+
+# AFAICT this happens if /proc/irq updates as we're running
+# and we end up trying to write into non-existing file,
+# which implies creation...
+dontaudit set-usb-irq-sh self:capability dac_override;