From 0ac2d9f7bc0a8293eeb458975cc796f4a9db0588 Mon Sep 17 00:00:00 2001
From: Spade Lee
Date: Tue, 19 Mar 2024 07:52:45 +0000
Subject: [PATCH] sepolicy: allow kernel to search vendor debugfs
audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0
audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1
audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1
Bug: 328016570
Bug: 329317898
Test: check all debugfs folders are correctly mounted
Change-Id: I0e0c2fee4d508cc4e76714df0efbe5eca7ca5966
Signed-off-by: Spade Lee
---
vendor/kernel.te | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/vendor/kernel.te b/vendor/kernel.te
index 7eca5ce6..0f35bfed 100644
--- a/vendor/kernel.te
+++ b/vendor/kernel.te
@@ -8,19 +8,16 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
-no_debugfs_restriction(`
+userdebug_or_eng(`
 allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
 ')
-dontaudit kernel vendor_maxfg_debugfs:dir search;
 dontaudit kernel sepolicy_file:file getattr;
 dontaudit kernel system_bootstrap_lib_file:dir getattr;
 dontaudit kernel system_bootstrap_lib_file:file getattr;
 dontaudit kernel system_dlkm_file:dir getattr;
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_charger_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-dontaudit kernel vendor_usb_debugfs:dir search;
-
-allow kernel vendor_regmap_debugfs:dir search;
-
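Review bot: The five `dontaudit kernel vendor_*_debugfs:dir search;` lines are removed outright while their replacement `allow` rules sit inside the `userdebug_or_eng` block, so on user builds these kernel lookups are now neither permitted nor silenced, and the previously unconditional `allow kernel vendor_regmap_debugfs:dir search;` no longer applies there either. If debugfs is never mounted on user builds that is the tighter outcome and worth keeping, but the Test: line only mentions checking mounts, so it would be good to confirm that a user build boots without fresh `avc: denied { search }` records for these types. Switching the wrapper from `no_debugfs_restriction` to `userdebug_or_eng` also appears to extend the grant to debug builds that do enforce the debugfs restriction. A short comment above the block would record the reason, for example `# kworker threads search vendor debugfs dirs; debug builds only (b/328016570, b/329317898)`.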