78047fa17b
[ 8.417813] type=1400 audit(1615518074.988:4): avc: denied { write } for comm="sensors@2.0-ser" name="chre" dev="tmpfs" ino=908 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1
[ 8.418075] type=1400 audit(1615518074.988:5): avc: denied { connectto } for comm="sensors@2.0-ser" path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
03-12 11:01:14.988 694 694 I sensors@2.0-ser: type=1400 audit(0.0:5): avc: denied { connectto } for path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
Also merge two sensor_hal related files into single file.
Bug: 182523946
Test: make selinux_policy -j128 and push to device.
No hal_sensors_default related avc deined log during boot.
Signed-off-by: Rick Chen <rickctchen@google.com>
Change-Id: I49ce71ba4703528fb2e26dd8956c4ed741337ffc
53 lines
1.8 KiB
Text
53 lines
1.8 KiB
Text
#
|
|
# USF sensor HAL SELinux type enforcements.
|
|
#
|
|
|
|
# Allow reading of sensor registry persist files.
|
|
allow hal_sensors_default persist_file:dir search;
|
|
allow hal_sensors_default mnt_vendor_file:dir search;
|
|
r_dir_file(hal_sensors_default, persist_sensor_reg_file)
|
|
|
|
# Allow creation and writing of sensor registry data files.
|
|
allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
|
|
allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
|
|
|
|
# Allow access to the AoC communication driver.
|
|
allow hal_sensors_default aoc_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
|
|
# to synchronize the AP and AoC clock timestamps.
|
|
allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
|
|
|
|
# Allow create thread to watch AOC's device.
|
|
allow hal_sensors_default device:dir r_dir_perms;
|
|
|
|
# Allow access to the files of CDT information.
|
|
r_dir_file(hal_sensors_default, sysfs_chosen)
|
|
|
|
# Allow display_info_service access to the backlight driver.
|
|
allow hal_sensors_default sysfs_leds:dir search;
|
|
allow hal_sensors_default sysfs_leds:file rw_file_perms;
|
|
|
|
# Allow access to the power supply files for MagCC.
|
|
r_dir_file(hal_sensors_default, sysfs_batteryinfo)
|
|
allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
|
|
|
|
# Allow access to sensor service for sensor_listener.
|
|
binder_call(hal_sensors_default, system_server);
|
|
|
|
# Allow access to the stats service.
|
|
allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
|
|
|
|
# Allow access to the sysfs_aoc.
|
|
allow hal_sensors_default sysfs_aoc:dir search;
|
|
|
|
#
|
|
# Suez type enforcements.
|
|
#
|
|
|
|
# Allow SensorSuez to connect AIDL stats.
|
|
binder_use(hal_sensors_default);
|
|
allow hal_sensors_default fwk_stats_service:service_manager find;
|
|
|
|
# Allow access to CHRE socket to connect to nanoapps.
|
|
unix_socket_connect(hal_sensors_default, chre, chre)
|