From ed245711ece3bc6947a0033a0f79dd1b7d96c089 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 22 Nov 2021 13:58:05 +0800
Subject: [PATCH] fix sysfs_vendor_sched access

Bug: 207062776
Bug: 207062777
Bug: 207062877
Bug: 207062211
Bug: 207062232
Bug: 207062208
Test: boot with no relevant access
Change-Id: I585653383ad0061fc6e9669c0590432c235f7e14
---
 tracking_denials/hal_power_default.te | 3 ---
 tracking_denials/init.te | 3 ---
 tracking_denials/logd.te | 2 --
 tracking_denials/logpersist.te | 2 --
 tracking_denials/surfaceflinger.te | 2 --
 tracking_denials/untrusted_app_30.te | 2 --
 tracking_denials/zygote.te | 4 ----
 whitechapel_pro/domain.te | 2 ++
 whitechapel_pro/untrusted_app_all.te | 1 +
 9 files changed, 3 insertions(+), 18 deletions(-)
 delete mode 100644 tracking_denials/init.te
 delete mode 100644 tracking_denials/logd.te
 delete mode 100644 tracking_denials/logpersist.te
 delete mode 100644 tracking_denials/untrusted_app_30.te
 delete mode 100644 tracking_denials/zygote.te
 create mode 100644 whitechapel_pro/domain.te
 create mode 100644 whitechapel_pro/untrusted_app_all.te

diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index 62741ebc..0864301a 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -1,6 +1,3 @@
 # b/207062564
 dontaudit hal_power_default sysfs:file { open };
 dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_vendor_sched:dir { search };
-dontaudit hal_power_default sysfs_vendor_sched:file { open };
-dontaudit hal_power_default sysfs_vendor_sched:file { write };
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
deleted file mode 100644
index 7f2a01fe..00000000
--- a/tracking_denials/init.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/207062776
-dontaudit init sysfs_vendor_sched:file { open };
-dontaudit init sysfs_vendor_sched:file { write };
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
deleted file mode 100644
index 1adadfb5..00000000
--- a/tracking_denials/logd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/207062777
-dontaudit logd sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/logpersist.te b/tracking_denials/logpersist.te
deleted file mode 100644
index bf0c1af5..00000000
--- a/tracking_denials/logpersist.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/207062877
-dontaudit logpersist sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
index 97f404c2..3ccdc9c3 100644
--- a/tracking_denials/surfaceflinger.te
+++ b/tracking_denials/surfaceflinger.te
@@ -4,5 +4,3 @@ dontaudit surfaceflinger kernel:process { setsched };
 dontaudit surfaceflinger vendor_fw_file:dir { search };
 dontaudit surfaceflinger vendor_fw_file:file { open };
 dontaudit surfaceflinger vendor_fw_file:file { read };
-# b/207062211
-dontaudit surfaceflinger sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/untrusted_app_30.te b/tracking_denials/untrusted_app_30.te
deleted file mode 100644
index 9236a012..00000000
--- a/tracking_denials/untrusted_app_30.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/207062232
-dontaudit untrusted_app_30 sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
deleted file mode 100644
index 0c1eaba1..00000000
--- a/tracking_denials/zygote.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/207062208
-dontaudit zygote sysfs_vendor_sched:dir { search };
-dontaudit zygote sysfs_vendor_sched:file { open };
-dontaudit zygote sysfs_vendor_sched:file { write };
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
new file mode 100644
index 00000000..3e1cbbb7
--- /dev/null
+++ b/whitechapel_pro/domain.te
@@ -0,0 +1,2 @@
+allow {domain -appdomain -rs} sysfs_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
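Review bot: The grant in whitechapel_pro/domain.te is much wider than the removed denials justify: the tracked entries show only hal_power_default, init and zygote opening or writing `sysfs_vendor_sched` files, while logd, logpersist and surfaceflinger only searched the directory, yet both rules apply to every domain except `appdomain` and `rs`. As written, any native daemon, including ones that parse untrusted input, can write the vendor scheduler controls, so a compromise of one of them can alter system-wide scheduling. If the breadth is deliberate (it may be, if these nodes are written in-process whenever a task changes its scheduling group, which this patch does not show), add a comment above the rules stating that and citing the bugs. Otherwise narrow the file rule to the domains with recorded write denials, e.g. `allow { init hal_power_default zygote } sysfs_vendor_sched:file w_file_perms;`, and grant the remaining domains only `search` on the directory.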
diff --git a/whitechapel_pro/untrusted_app_all.te b/whitechapel_pro/untrusted_app_all.te
new file mode 100644
index 00000000..47d4d1bd
--- /dev/null
+++ b/whitechapel_pro/untrusted_app_all.te
@@ -0,0 +1 @@
+dontaudit untrusted_app_all sysfs_vendor_sched:dir search;
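Review bot: The new `dontaudit` carries no comment or bug reference, although it turns a temporary, bug-tracked suppression (b/207062232, previously scoped to untrusted_app_30) into permanent policy for all of `untrusted_app_all`. Directory-search denials on `sysfs_vendor_sched` from untrusted apps will no longer reach the audit log, so the reason should be recorded next to the rule, e.g. `# search denial is expected noise; access intentionally stays denied (b/207062232)`, if that is indeed the rationale. Only `dir search` is silenced, so file open and write attempts are still audited; that is worth keeping as is. Since domain.te excludes all of `appdomain`, other app domains get neither the allow nor this dontaudit and may still log the same denial.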