From 17ab68a5ac296847c0c442dc28559a4001d4c2a8 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 19 Mar 2024 07:53:25 +0000 Subject: [PATCH] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I7ca3804056bbfd8459bac2c029a494767f3ae1a6 Signed-off-by: Spade Lee --- whitechapel_pro/kernel.te | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index d5ed958e..d44eed68 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -8,9 +8,11 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_maxfg_debugfs:dir { search }; -dontaudit kernel vendor_regmap_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; -dontaudit kernel vendor_usb_debugfs:dir search; -dontaudit kernel vendor_charger_debugfs:dir search; +userdebug_or_eng(` + allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; +')