pixel-selinux: add SJTAG policies

These are the SELinux policies for the sysfs files of the SJTAG
kernel interface. The files are in the following directories:

  /sys/devices/platform/sjtag_ap/interface/
  /sys/devices/platform/sjtag_gsa/interface/

Bug: 207571417
Signed-off-by: Peter Csaszar <pcsaszar@google.com>
Change-Id: I5ec50d9ff7cd0e08ade7acce21e73751e93a0aff
Peter Csaszar 2022-02-14 20:29:23 -08:00
parent c8c1f766d2
commit 4041f814be
4 changed files with 25 additions and 0 deletions


@ -91,3 +91,14 @@ type sysfs_st33spi, sysfs_type, fs_type;
# GPU
type sysfs_gpu, sysfs_type, fs_type;
# Vendor sched files
userdebug_or_eng(`
typeattribute sysfs_vendor_sched mlstrustedobject;
')
# SJTAG
type sysfs_sjtag, fs_type, sysfs_type;
userdebug_or_eng(`
typeattribute sysfs_sjtag mlstrustedobject;
')
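Review bot: The `typeattribute sysfs_sjtag mlstrustedobject;` line has no comment saying which client needs the MLS exemption. The attribute lets domains at any MLS level write to the labelled files, which here are a debug-port interface. Presumably it exists so that an app domain running with categories can write the nodes, but this section does not show that. I would add a comment above the macro such as `# mlstrustedobject: lets <client domain> (runs with MLS categories) write the SJTAG nodes; debug builds only`. The new declaration also lists `fs_type, sysfs_type` where the neighbouring types use `sysfs_type, fs_type`; matching that order keeps the file consistent.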


@ -210,3 +210,7 @@ genfscon sysfs /devices/platform/100b0000.TPU u:obje
# Camera
genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
# SJTAG
genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
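Review bot: Both new `genfscon` entries label the whole `interface` directory, so every attribute the SJTAG driver exposes there, now or later, gets `sysfs_sjtag` and with it whatever access is granted on that type. If the driver exposes nodes of different sensitivity (status reads versus authentication or control writes, which this page does not show), per-file entries or a second type would keep the grants reviewable. At minimum a comment such as `# Labels every node under interface/; new driver attributes inherit this label` would document the scope.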

5
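--- a/whitechapel_pro/shell.te
+++ b/whitechapel_pro/shell.te
@@ -0,0 +1,5 @@
+# Allow access to the SJTAG kernel interface from the shell
+userdebug_or_eng(`
+allow shell sysfs_sjtag:dir r_dir_perms;
+allow shell sysfs_sjtag:file rw_file_perms;
+')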
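Review bot: `allow shell sysfs_sjtag:file rw_file_perms;` gives every adb shell session on userdebug and eng builds write access to the SJTAG interface, and neither the file comment nor the commit message says which operation needs the write. The same `rw_file_perms` grant is made to `ssr_detector_app` in the last file section. If the shell only needs to read status nodes, `r_file_perms` would be enough. If writes are required, the header comment should say so, e.g. `# adb shell writes <node> to <purpose>; userdebug/eng only`.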


@ -12,6 +12,11 @@ userdebug_or_eng(`
allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
get_prop(ssr_detector_app, vendor_aoc_prop)
allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
allow ssr_detector_app sysfs_vendor_sched:dir search;
allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;
allow ssr_detector_app cgroup:file write;
')
get_prop(ssr_detector_app, vendor_ssrdump_prop)
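Review bot: The hunk header grows this block by five lines, but only the two `sysfs_sjtag` rules match the commit title. The `sysfs_vendor_sched` and `cgroup:file write` rules sit next to them, and the page does not show which side they are on. If they are new in this commit, they belong in their own change with their own bug reference so the SJTAG grant can be audited or reverted alone. The rules are inside a `userdebug_or_eng` block that opens above the hunk, so they should not reach user builds. Even so, a comment above the SJTAG pair such as `# SJTAG: <why the SSR detector reads/writes the interface>` would record why an app domain needs write access to a debug interface.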