From 1df4e2dde8ce8bed6ed151000ec2a2b488d897eb Mon Sep 17 00:00:00 2001
From: Donnie Pollitz
Date: Fri, 3 Feb 2023 16:10:11 +0100
Subject: [PATCH] sepolicy: Fix trusty_apploader avc denials
* File permissions missing
Bug: 263305034
Test: ran com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot
Change-Id: I5d0a56a4c31c66610414341118c4089d2c11f3e9
Signed-off-by: Donnie Pollitz
---
 tracking_denials/trusty_apploader.te | 9 +--------
 vendor/trusty_apploader.te | 3 +++
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te
index e332dfaf..46e5481b 100644
--- a/tracking_denials/trusty_apploader.te
+++ b/tracking_denials/trusty_apploader.te
@@ -1,11 +1,4 @@
-# b/263305034
-dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
-dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
-dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
-dontaudit trusty_apploader tee_device:chr_file { ioctl };
-dontaudit trusty_apploader tee_device:chr_file { open };
-dontaudit trusty_apploader tee_device:chr_file { read write };
 # b/264489569
 userdebug_or_eng(`
 permissive trusty_apploader;
-')
\ No newline at end of file
+')
diff --git a/vendor/trusty_apploader.te b/vendor/trusty_apploader.te
index eb2dbcbe..983e3a03 100644
--- a/vendor/trusty_apploader.te
+++ b/vendor/trusty_apploader.te
@@ -2,3 +2,6 @@ type trusty_apploader, domain;
 type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(trusty_apploader)
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
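Review bot: The `ion_device` rule added in vendor/trusty_apploader.te is not backed by any denial visible in this patch, because the `dontaudit` lines removed from tracking_denials cover only `dmabuf_system_heap_device` and `tee_device`. Unless a separate AVC log shows trusty_apploader opening ion_device, I would drop `allow trusty_apploader ion_device:chr_file r_file_perms;` so the loader's policy stays limited to what it was observed to need. The cited test scans for logged denials, so a clean run shows that no rule is missing, not that every added rule is required. A short comment above the remaining rules, for example `# b/263305034: device nodes trusty_apploader was denied at boot`, would record why they exist.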