Add chre policy am: fb2e376d26

Original change: https://googleplex-android-review.googlesource.com/c/device/google/zuma-sepolicy/+/21533834 Change-Id: Iff4cde7901e7d05627e7f9f7c0d27fc457bba4dc Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-23 05:14:46 +00:00 · 2023-02-23 05:14:46 +00:00 · a4ccb38798
commit a4ccb38798
parent 640d478d5a fb2e376d26
2 changed files with 13 additions and 12 deletions
--- a/tracking_denials/chre.te
+++ b/tracking_denials/chre.te
@ -1,19 +1,8 @@
-# b/260522435
-dontaudit chre aoc_device:chr_file { getattr };
-dontaudit chre aoc_device:chr_file { open };
-dontaudit chre aoc_device:chr_file { read write };
-dontaudit chre chre:capability2 { block_suspend };
-dontaudit chre device:dir { read };
-dontaudit chre device:dir { watch };
 # b/261105224
 dontaudit chre hal_system_suspend_service:service_manager { find };
 dontaudit chre servicemanager:binder { call };
-dontaudit chre sysfs_aoc:dir { search };
-dontaudit chre sysfs_aoc_boottime:file { getattr };
-dontaudit chre sysfs_aoc_boottime:file { open };
-dontaudit chre sysfs_aoc_boottime:file { read };
 dontaudit chre system_suspend_server:binder { call };
 # b/264489633
 userdebug_or_eng(`
  permissive chre;
-')
+')
--- a/vendor/chre.te
+++ b/vendor/chre.te
@ -2,3 +2,15 @@ type chre, domain;
 type chre_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(chre)

+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use WakeLock
+wakelock_use(chre)