From fb2e376d267e534bfffe20cc527d6a596154d223 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 23 Feb 2023 11:02:53 +0800
Subject: [PATCH] Add chre policy
Bug: 260522435
Bug: 261105224
Test: boot-to-home
Change-Id: Icd8f1ad497357bbbcb9e34509c736f3976ff0ac7
---
 tracking_denials/chre.te | 13 +------------
 vendor/chre.te | 12 ++++++++++++
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te
index b0518ffa..ece65802 100644
--- a/tracking_denials/chre.te
+++ b/tracking_denials/chre.te
@@ -1,19 +1,8 @@
-# b/260522435
-dontaudit chre aoc_device:chr_file { getattr };
-dontaudit chre aoc_device:chr_file { open };
-dontaudit chre aoc_device:chr_file { read write };
-dontaudit chre chre:capability2 { block_suspend };
-dontaudit chre device:dir { read };
-dontaudit chre device:dir { watch };
 # b/261105224
 dontaudit chre hal_system_suspend_service:service_manager { find };
 dontaudit chre servicemanager:binder { call };
-dontaudit chre sysfs_aoc:dir { search };
-dontaudit chre sysfs_aoc_boottime:file { getattr };
-dontaudit chre sysfs_aoc_boottime:file { open };
-dontaudit chre sysfs_aoc_boottime:file { read };
 dontaudit chre system_suspend_server:binder { call };
 # b/264489633
 userdebug_or_eng(`
 permissive chre;
-')
\ No newline at end of file
+')
diff --git a/vendor/chre.te b/vendor/chre.te
index 59ee7d58..a1d1ca59 100644
--- a/vendor/chre.te
+++ b/vendor/chre.te
@@ -2,3 +2,15 @@ type chre, domain;
 type chre_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(chre)
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use WakeLock
+wakelock_use(chre)
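Review bot: The three `dontaudit` rules kept under `# b/261105224` in tracking_denials/chre.te (`hal_system_suspend_service:service_manager { find }`, `servicemanager:binder { call }`, `system_suspend_server:binder { call }`) look stale. The commit lists Bug: 261105224 and the vendor/chre.te hunk adds `wakelock_use(chre)`, which as far as I know grants these accesses in AOSP's te_macros; please confirm against this tree's definition. If it does, remove the three lines so that a later regression is audited rather than silently suppressed. Separately, `permissive chre;` is still applied on userdebug/eng builds, so a boot-to-home run on such a build cannot fail on a missing rule. Checking the audit log for `avc: denied` entries with `scontext` chre, or testing on a user build, would be the stronger confirmation.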
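Review bot: `allow chre device:dir r_dir_perms;` in vendor/chre.te grants more on the generic `device` directory type than the denials this commit clears, which were only `read` and `watch` on `device:dir`. The macro expands to a wider set of directory permissions, and `device` labels the shared /dev directory rather than anything AoC-specific. If CHRE only needs to notice the AoC node appearing, consider listing the permissions explicitly, starting from something like `allow chre device:dir { open read watch };` and adding only what the audit log shows is still denied. At minimum, extend the comment to say why the generic directory is needed, e.g. `# CHRE watches /dev for the AoC device node; requires read/watch on the generic device dir`.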