c31ec37715
[21675.099727] type=1400 audit(1697127034.684:751): avc: denied { write } for comm="binder:912_1" name="reset" dev="sysfs" ino=102250 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_aoc_reset:s0 tclass=file permissive=0
Bug: 304681766
Test: Modify sensor HAL to trigger SSR when init.
No avc denied log when sensor HAL access AOC reset sysfs node.
Change-Id: Iede0fa94a627c5e0d3166bec05ef7041154d8efe
Signed-off-by: Rick Chen <rickctchen@google.com>
67 lines
2.7 KiB
Text
67 lines
2.7 KiB
Text
# Allow access to the AoC communication driver.
|
|
allow hal_sensors_default aoc_device:chr_file rw_file_perms;
|
|
|
|
# Allow create thread to watch AOC's device.
|
|
allow hal_sensors_default device:dir r_dir_perms;
|
|
|
|
# Allow access to CHRE socket to connect to nanoapps.
|
|
allow hal_sensors_default chre:unix_stream_socket connectto;
|
|
allow hal_sensors_default chre_socket:sock_file write;
|
|
|
|
# Allow SensorSuez to connect AIDL stats.
|
|
allow hal_sensors_default fwk_stats_service:service_manager find;
|
|
|
|
# Allow sensor HAL to access the graphics composer.
|
|
binder_call(hal_sensors_default, hal_graphics_composer_default);
|
|
|
|
# Allow sensor HAL to access the display service HAL
|
|
allow hal_sensors_default hal_pixel_display_service:service_manager find;
|
|
|
|
# Allow sensor HAL to access the thermal service HAL
|
|
hal_client_domain(hal_sensors_default, hal_thermal);
|
|
|
|
# Allow reading of sensor registry persist files and camera persist files.
|
|
allow hal_sensors_default mnt_vendor_file:dir search;
|
|
allow hal_sensors_default persist_file:dir search;
|
|
allow hal_sensors_default persist_file:file r_file_perms;
|
|
allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
|
|
allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
|
|
r_dir_file(hal_sensors_default, persist_camera_file)
|
|
|
|
# Allow creation and writing of sensor registry data files.
|
|
allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
|
|
allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
|
|
|
|
# Allow access to the sysfs_aoc.
|
|
allow hal_sensors_default sysfs_aoc:dir search;
|
|
allow hal_sensors_default sysfs_aoc:file r_file_perms;
|
|
|
|
# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
|
|
# to synchronize the AP and AoC clock timestamps.
|
|
allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
|
|
|
|
# Allow display_info_service access to the backlight driver.
|
|
allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
|
|
|
|
# Allow access to sensor service for sensor_listener.
|
|
binder_call(hal_sensors_default, system_server);
|
|
|
|
# Allow access for dynamic sensor properties.
|
|
get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
|
|
|
|
# Allow access to raw HID devices for dynamic sensors.
|
|
allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to the display info for ALS.
|
|
allow hal_sensors_default sysfs_display:file rw_file_perms;
|
|
|
|
# Allow access to the files of CDT information.
|
|
allow hal_sensors_default sysfs_chosen:dir search;
|
|
allow hal_sensors_default sysfs_chosen:file r_file_perms;
|
|
|
|
# Allow display_info_service access to the backlight driver.
|
|
allow hal_sensors_default sysfs_leds:dir search;
|
|
allow hal_sensors_default sysfs_leds:file r_file_perms;
|
|
|
|
# Allow sensor HAL to reset AOC.
|
|
allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
|