From 3d4d9159c9e02317b53be2a24f0d1fcacdefa1f6 Mon Sep 17 00:00:00 2001
From: Craig Dooley
Date: Tue, 6 Apr 2021 23:44:45 +0000
Subject: [PATCH] Fix SELinux errors with aocd Add inotify support for /dev Fix the aoc vendor property
Bug: 184173298
Change-Id: I40a71edd56b2d51f848085c43ae1d10a4c2c0c4b
---
 tracking_denials/aocd.te | 8 --------
 whitechapel/vendor/google/aocd.te | 7 +++++++
 whitechapel/vendor/google/file.te | 3 ++-
 whitechapel/vendor/google/file_contexts | 1 +
 whitechapel/vendor/google/property.te | 3 +++
 whitechapel/vendor/google/property_contexts | 3 +++
 6 files changed, 16 insertions(+), 9 deletions(-)
 delete mode 100644 tracking_denials/aocd.te
diff --git a/tracking_denials/aocd.te b/tracking_denials/aocd.te
deleted file mode 100644
index ce3c3365..00000000
--- a/tracking_denials/aocd.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# b/171267323
-dontaudit aocd device:dir r_dir_perms;
-# b/182218891
-dontaudit aocd property_socket:sock_file { write };
-dontaudit aocd init:unix_stream_socket { connectto };
-dontaudit aocd vendor_default_prop:property_service { set };
-dontaudit aocd property_socket:sock_file { write };
-dontaudit aocd init:unix_stream_socket { connectto };
diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te
index 4cab55af..79add165 100644
--- a/whitechapel/vendor/google/aocd.te
+++ b/whitechapel/vendor/google/aocd.te
@@ -5,6 +5,7 @@ init_daemon_domain(aocd)
 # access persist files
 allow aocd mnt_vendor_file:dir search;
 allow aocd persist_file:dir search;
+r_dir_file(aocd, persist_aoc_file);
 
 # sysfs operations
 allow aocd sysfs_aoc:dir search;
@@ -12,3 +13,9 @@ allow aocd sysfs_aoc_firmware:file w_file_perms;
 
 # dev operations
 allow aocd aoc_device:chr_file r_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocd, vendor_aoc_prop)
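Review bot: In the `@@ -5,6 +5,7 @@` hunk of aocd.te, `r_dir_file(aocd, persist_aoc_file);` carries a trailing semicolon, while the other macro calls visible in this file, `init_daemon_domain(aocd)` and `set_prop(aocd, vendor_aoc_prop)`, do not. The macro already expands to complete rules, so the extra `;` is at best redundant; I would write `r_dir_file(aocd, persist_aoc_file)` to match. The grant itself is read-only, and the existing `# access persist files` comment could say in a few words what aocd reads from /mnt/vendor/persist/aoc so the scope of the rule can be judged later.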
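Review bot: `allow aocd device:dir r_dir_perms;` in the `@@ -12,3 +13,9 @@` hunk turns the `dontaudit` that was tracked under b/171267323 into a standing grant on the generic `device` type, so aocd can list every node name under /dev rather than only its own `aoc_device` nodes. The comment gives an inotify watch as the purpose, so it is worth confirming from the original denials whether the full `r_dir_perms` set is required or an explicit, narrower permission list would be enough. I would also extend the comment to name what the daemon is waiting for, e.g. `# inotify watch on /dev for <aoc node name> being added/removed`, so a later audit can tell when the rule is no longer needed.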
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 64f01385..e09ea104 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -96,7 +96,8 @@ type sysfs_aoc_firmware, sysfs_type, fs_type;
 type sysfs_aoc, sysfs_type, fs_type;
 
 # Audio
-type persist_audio_file, file_type , vendor_persist_type;
+type persist_audio_file, file_type, vendor_persist_type;
+type persist_aoc_file, file_type, vendor_persist_type;
 type audio_vendor_data_file, file_type, data_file_type;
 type aoc_audio_file, file_type, vendor_file_type;
 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 91773613..b6e5fac2 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -291,6 +291,7 @@
 /dev/ttySAC16 u:object_r:hci_attach_dev:s0
 
 # Audio
+/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
 /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
 /data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
 /vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index 05cba796..4e376118 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -33,6 +33,9 @@ system_public_prop(vendor_edgetpu_service_prop)
 # Battery defender
 vendor_internal_prop(vendor_battery_defender_prop)
 
+# AoC
+vendor_internal_prop(vendor_aoc_prop)
+
 # NFC
 vendor_internal_prop(vendor_nfc_prop)
 
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 108d5d51..f018e61b 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
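Review bot: The new `/mnt/vendor/persist/aoc(/.*)?` entry in file_contexts only affects files that are created or relabelled after the policy is installed; anything already on the persist partition keeps its previous label (presumably `persist_file`) until a restorecon runs over it. This commit shows no init change that relabels the directory, so please confirm one exists elsewhere, otherwise the `r_dir_file(aocd, persist_aoc_file)` rule added in aocd.te will not match files that are already present. No domain in this commit is granted write access to `persist_aoc_file` either; if another component provisions these files, a one-line comment naming it next to the `type persist_aoc_file` declaration in file.te would document who owns the data.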
@@ -92,6 +92,9 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
 # Battery
 vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
 
+# AoC
+vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
+
 # WiFi
 vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
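Review bot: `vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0` has no match qualifier, so it is treated as a prefix and any property whose name merely starts with that string also receives the `vendor_aoc_prop` label that aocd is now allowed to set. Since a single, fully named property is intended, I would pin it with `vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0 exact string`. The neighbouring `vendor.wlan.*.version` entries have the same form, but they are context lines here and outside this change.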