From a578c846fa5055f7e1b3d47e0af87b7e5fce2a9c Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Fri, 19 Nov 2021 16:31:09 +0800
Subject: [PATCH] storage: update sepolicy for storage suez
Bug: 206741894
Bug: 188793183
Test: boot to home
Signed-off-by: Randall Huang
Change-Id: I206178e34156f0b02c4a5b743ac9467e7dafb74f
---
 tracking_denials/hal_health_default.te | 4 ----
 tracking_denials/hal_power_default.te | 5 -----
 whitechapel_pro/hal_health_default.te | 4 ++++
 whitechapel_pro/hal_power_default.te | 4 ++++
 whitechapel_pro/hal_power_stats_default.te | 2 ++
 whitechapel_pro/hardware_info_app.te | 4 ++++
 whitechapel_pro/pixelstats_vendor.te | 2 ++
 7 files changed, 16 insertions(+), 9 deletions(-)
 create mode 100644 whitechapel_pro/hal_power_default.te
 create mode 100644 whitechapel_pro/hal_power_stats_default.te
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
index 3cc7d0cb..a53e7d6a 100644
--- a/tracking_denials/hal_health_default.te
+++ b/tracking_denials/hal_health_default.te
@@ -3,7 +3,3 @@ dontaudit hal_health_default sysfs:file { getattr };
 dontaudit hal_health_default sysfs:file { open };
 dontaudit hal_health_default sysfs:file { read };
 dontaudit hal_health_default sysfs:file { write };
-dontaudit hal_health_default sysfs_scsi_devices_0000:dir { search };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { getattr };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { open };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index a9984f9f..62741ebc 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -1,11 +1,6 @@
 # b/207062564
 dontaudit hal_power_default sysfs:file { open };
 dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_fs_f2fs:dir { search };
-dontaudit hal_power_default sysfs_fs_f2fs:file { open };
-dontaudit hal_power_default sysfs_fs_f2fs:file { write };
-dontaudit hal_power_default sysfs_scsi_devices_0000:file { open };
-dontaudit hal_power_default sysfs_scsi_devices_0000:file { write };
 dontaudit hal_power_default sysfs_vendor_sched:dir { search };
 dontaudit hal_power_default sysfs_vendor_sched:file { open };
 dontaudit hal_power_default sysfs_vendor_sched:file { write };
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index bdac85ac..57d3961d 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -2,3 +2,7 @@ allow hal_health_default mnt_vendor_file:dir search; allow hal_health_default persist_file:dir search; set_prop(hal_health_default, vendor_battery_defender_prop)
+
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te
new file mode 100644
index 00000000..ade34a31
--- /dev/null
+++ b/whitechapel_pro/hal_power_default.te
@@ -0,0 +1,4 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te
new file mode 100644
index 00000000..f49572cc
--- /dev/null
+++ b/whitechapel_pro/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms;
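Review bot: In whitechapel_pro/hal_health_default.te the new `allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;` grants write, while the dontaudit lines this commit retires for that domain and type only covered getattr, open and read on the file and search on the dir. If the health HAL does not write under the UFS sysfs tree, `allow hal_health_default sysfs_scsi_devices_0000:file r_file_perms;` with `:dir search` would match the tracked denials; if it does write, the existing `# Access to /sys/devices/platform/14700000.ufs/*` comment should name the node that needs it. whitechapel_pro/hal_power_default.te has the mirror-image gap: the retired denials were open/write on files and search on the f2fs dir, but the grant is `rw_file_perms` and `r_dir_perms`. The tracked lists may simply be incomplete after a boot-to-home test, so this is a request to confirm the extra permissions rather than a claim that they are unused.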
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
index 9b52417e..a2207af4 100644
--- a/whitechapel_pro/hardware_info_app.te
+++ b/whitechapel_pro/hardware_info_app.te
@@ -2,3 +2,7 @@ type hardware_info_app, domain; app_domain(hardware_info_app) allow hardware_info_app app_api_service:service_manager find;
+
+# Storage
+allow hardware_info_app sysfs_scsi_devices_0000:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index e8d4b92d..de08a892 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -1 +1,3 @@
 binder_use(pixelstats_vendor)
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
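Review bot: The added rule in whitechapel_pro/pixelstats_vendor.te, `allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;`, carries no comment saying which node is written, and the page shows no retired dontaudit for this domain to justify write access. The rule applies to every file labelled sysfs_scsi_devices_0000, so if the domain only reads counters there (as its name suggests, though that is an inference), `allow pixelstats_vendor sysfs_scsi_devices_0000:file r_file_perms;` is the narrower grant. If write is required, a one-line comment such as `# Writes <node> under the UFS sysfs tree` (placeholder for the real node) would let a later audit verify it. Unlike the hardware_info_app hunk before it, this rule has no matching `:dir search` line; that is presumably granted elsewhere in the policy but is worth confirming.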