zuma: add sepolicy for ufs_firmware_update process

Allow the script to access the specified partition and sysfs. Bug: 224464892 Test: full build and test ffu flow Change-Id: I27f0d4d97f15a7c108e6ae1b8c12fda2c69c303a Signed-off-by: Leo Liou <leoliou@google.com>
2022-11-24 19:15:33 +08:00 · 2022-11-24 19:15:33 +08:00 · 30f3c17252
commit 30f3c17252
parent 8b58ce3b69
4 changed files with 18 additions and 0 deletions
--- a/vendor/device.te
+++ b/vendor/device.te
@ -2,6 +2,7 @@ type persist_block_device, dev_type;
 type custom_ab_block_device, dev_type;
 type devinfo_block_device, dev_type;
 type mfg_data_block_device, dev_type;
+type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
 type gxp_device, dev_type;
 type fingerprint_device, dev_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -25,6 +25,7 @@
 /vendor/bin/init\.uwb\.calib\.sh                                            u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty         u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty         u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/ufs_firmware_update\.sh                                         u:object_r:ufs_firmware_update_exec:s0

 # Vendor Firmwares
 /vendor/firmware(/.*)?                                                      u:object_r:vendor_fw_file:s0
@ -70,6 +71,7 @@
 /dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab]                u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab]                  u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/ufs_internal                      u:object_r:ufs_internal_block_device:s0
 /dev/gxp                                                                    u:object_r:gxp_device:s0
 /dev/mali0                                                                  u:object_r:gpu_device:s0
 /dev/goodix_fp                                                              u:object_r:fingerprint_device:s0
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@ -27,6 +27,9 @@ genfscon sysfs /devices/platform/13200000.ufs/health_descriptor         u:object
 genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0:  u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/13200000.ufs/ufs_stats                 u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf   u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/vendor                    u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/model                     u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/rev                       u:object_r:sysfs_scsi_devices_0000:s0

 # Display
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma                                u:object_r:sysfs_display:s0
--- a/vendor/ufs_firmware_update.te
+++ b/vendor/ufs_firmware_update.te
@ -0,0 +1,12 @@
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(ufs_firmware_update)
+
+  allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+  allow ufs_firmware_update block_device:dir r_dir_perms;
+  allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+  allow ufs_firmware_update sysfs:dir r_dir_perms;
+  allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+')