Add hal_contexthub_default to zuma sepolicy; Remove dontaudit rules for

chre [ 7.760870] type=1400 audit(1669944054.440:61): avc: denied { write } for comm="android.hardwar" name="chre" dev="tmpfs" ino=1099 scontext=u:r:hal_contexthub_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1 [ 12.519414] type=1400 audit(1669944059.196:138): avc: denied {connectto } for comm="android.hardwar" path="/dev/socket/chre"scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1 Bug: 264489794 Bug: 261105224 Test: atest scanAvcDeniedLogRightAfterReboot Change-Id: I7bf13913188deedc987f82e54626a18357ab84c5
2023-03-21 22:17:57 +00:00 · 2023-03-21 22:17:57 +00:00 · 1095231e38
commit 1095231e38
parent a382f85f96
6 changed files with 3 additions and 14 deletions
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@ -2,7 +2,6 @@
 /vendor/bin/dumpsys                                                         u:object_r:vendor_dumpsys:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty                u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty           u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub-service\.generic               u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st                           u:object_r:hal_nfc_default_exec:s0

 # Vendor libraries
--- a/tracking_denials/chre.te
+++ b/tracking_denials/chre.te
@ -1,4 +0,0 @@
-# b/261105224
-dontaudit chre hal_system_suspend_service:service_manager { find };
-dontaudit chre servicemanager:binder { call };
-dontaudit chre system_suspend_server:binder { call };
--- a/tracking_denials/hal_contexthub_default.te
+++ b/tracking_denials/hal_contexthub_default.te
@ -1,7 +0,0 @@
-# b/261105182
-dontaudit hal_contexthub_default chre:unix_stream_socket { connectto };
-dontaudit hal_contexthub_default chre_socket:sock_file { write };
-# b/264489794
-userdebug_or_eng(`
-  permissive hal_contexthub_default;
-')
--- a/tracking_denials/system_suspend.te
+++ b/tracking_denials/system_suspend.te
@ -1,2 +0,0 @@
-# b/261105356
-dontaudit system_suspend_server chre:binder { transfer };
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -12,6 +12,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element-service.uicc               u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                       u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel             u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic               u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service                     u:object_r:mediacodec_google_exec:s0
 /vendor/bin/dump/dump_wlan\.sh                                              u:object_r:dump_wlan_exec:s0
 /vendor/bin/dump/dump_cma\.sh                                               u:object_r:dump_cma_exec:s0
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@ -0,0 +1,2 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)