From a2e6c51431608cdd72b1b23e15c27811622dfaff Mon Sep 17 00:00:00 2001 From: Steve Pfetsch Date: Fri, 18 Nov 2022 08:45:41 +0000 Subject: [PATCH] gs201-sepolicy: provide permission for TouchInspector app [DO NOT MERGE] Resolve these access violations: avc: denied { write } for name="driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { open } for path="/proc/fts/driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { getattr } for path="/proc/fts/driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { read } for name="driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { open } for path="/proc/fts_ext/driver_test" dev="proc" ino=4026535574 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { getattr } for path="/proc/fts_ext/driver_test" dev="proc" ino=4026535574 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector Bug: 182118395 Signed-off-by: Steve Pfetsch Change-Id: Ia3bd2323b77134b8e47d858f36756780dec98c19 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/google_touch_app.te | 11 +++++++++++ whitechapel_pro/seapp_contexts | 3 +++ 3 files changed, 17 insertions(+) create mode 100644 whitechapel_pro/google_touch_app.te
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e3a6bd52..288bb7c2 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -109,6 +109,9 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 # Touch
 type proc_touch, proc_type, fs_type;
+userdebug_or_eng(`
+ typeattribute proc_touch mlstrustedobject;
+')
 # Vendor sched files
 userdebug_or_eng(`
diff --git a/whitechapel_pro/google_touch_app.te b/whitechapel_pro/google_touch_app.te
new file mode 100644
index 00000000..f90fde1e
--- /dev/null
+++ b/whitechapel_pro/google_touch_app.te
@@ -0,0 +1,11 @@
+type google_touch_app, domain;
+
+userdebug_or_eng(`
+ app_domain(google_touch_app)
+
+ allow google_touch_app app_api_service:service_manager find;
+
+ allow google_touch_app sysfs_touch:dir r_dir_perms;
+ allow google_touch_app sysfs_touch:file rw_file_perms;
+ allow google_touch_app proc_touch:file rw_file_perms;
+')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 720081c7..d7fd69de 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -44,6 +44,9 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+# Touch app
+user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_touch_app type=app_data_file levelFrom=user
+
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
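Review bot: `typeattribute proc_touch mlstrustedobject;` lifts MLS level enforcement on every proc_touch-labelled node for any domain that already has proc_touch access, not only the new app, and the rule carries no comment saying why it is needed; the quoted denials show the app running at `s0:c512,c768` against objects at `s0`, which appears to be the reason. I would add `# Debug-only: TouchInspector runs at a per-app MLS level and must reach proc_touch nodes across levels.` above the userdebug_or_eng block so a later cleanup does not drop the guard or move the attribute outside it. The trailing `userdebug_or_eng(` context line belongs to the vendor sched block, which continues past the hunk.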
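Review bot: The allow rules for google_touch_app go beyond the denials quoted in the commit message: the avc lines show only read/write/open/getattr on `proc_touch:file` (`/proc/fts/driver_test`, `/proc/fts_ext/driver_test`), yet the file also grants `sysfs_touch:dir r_dir_perms`, `sysfs_touch:file rw_file_perms` and `app_api_service:service_manager find` with no denial recorded for them. Write access to proc nodes from an app domain is the sensitive part, and `rw_file_perms` covers every proc_touch-labelled file rather than the two driver_test nodes, so if the extra rules are required the denials that motivated them belong in the message, otherwise they should be dropped. The quoted denials were captured with `permissive=1`, so further rules may surface once the domain runs enforcing. The `type` line is unconditional while every rule sits inside `userdebug_or_eng`, so on user builds the domain exists with no permissions; a header comment stating that this is intentional, e.g. `# Debug-only domain for com.google.touch.touchinspector; it has no rules on user builds.`, would help the next reader.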
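Review bot: The new seapp_contexts entry assigns com.google.touch.touchinspector to google_touch_app unconditionally, but that domain only receives rules under `userdebug_or_eng` in google_touch_app.te, so if the package is ever installed on a user build it lands in a domain with no permissions; that is presumably intended, but the one-line comment does not say so. I would extend it to `# Touch app (debug tool; google_touch_app has no rules on user builds)`. Keeping `seinfo=platform` alongside `name=` is what stops a differently-signed package with the same name from being placed in this domain, so it should stay as written.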