From aac2240ca4e3106531479149ccc30ce9120012ff Mon Sep 17 00:00:00 2001
From: Spade Lee
Date: Tue, 19 Mar 2024 07:45:43 +0000
Subject: [PATCH] sepolicy: allow kernel to search vendor debugfs

audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0
audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1
audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1
Bug: 328016570
Bug: 329317898
Test: check all debugfs folders are correctly mounted
Change-Id: Ib25cc13a329b40bebe87fab43e955e2e4395de9e
Signed-off-by: Spade Lee
---
 tracking_denials/genfs_contexts | 9 ---------
 vendor/genfs_contexts | 11 +++++++++++
 vendor/kernel.te | 12 +++++++-----
 3 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/tracking_denials/genfs_contexts b/tracking_denials/genfs_contexts
index e76d01e..b28f508 100644
--- a/tracking_denials/genfs_contexts
+++ b/tracking_denials/genfs_contexts
@@ -27,16 +27,7 @@ genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm
 genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
 # debugfs
-genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
-genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0
-genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0
-genfscon debugfs /max77779_chg u:object_r:vendor_charger_debugfs:s0
-genfscon debugfs /max77779_pmic u:object_r:vendor_charger_debugfs:s0
-genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
-genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
-genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
-genfscon debugfs /max77779fg u:object_r:vendor_maxfg_debugfs:s0
 # Storage
 genfscon sysfs /devices/platform/13200000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index b73dc26..62d0a28 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -37,6 +37,17 @@ genfscon sysfs /class/power_supply/wireless/device/fw_rev
 # debugfs
 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77779_chg u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77779_pmic u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /max77779fg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_secondary u:object_r:vendor_maxfg_debugfs:s0
 # GPU
 genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
diff --git a/vendor/kernel.te b/vendor/kernel.te
index 32cbe0f..ea36a06 100644
--- a/vendor/kernel.te
+++ b/vendor/kernel.te
@@ -8,12 +8,14 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
-no_debugfs_restriction(`
+userdebug_or_eng(`
 allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
 ')
-allow kernel vendor_regmap_debugfs:dir search;
-dontaudit kernel vendor_usb_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-dontaudit kernel vendor_charger_debugfs:dir search;
+
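Review bot: Two of the added genfscon entries in vendor/genfs_contexts, `/maxfg_base` and `/maxfg_secondary`, are new labels rather than moves from tracking_denials/genfs_contexts, and neither the removed block nor the audit lines in the description mention them, so the reason for labelling them should be recorded. A short comment above the fuel-gauge group would do, e.g. `# fuel-gauge debugfs dirs (maxfg, max77779fg, maxfg_base, maxfg_secondary) share vendor_maxfg_debugfs`, or the two paths could be named in the commit description alongside the denials that motivated the rest. Since these entries now leave the tracking file and become permanent vendor policy, it is worth confirming that every access to vendor_maxfg_debugfs and vendor_charger_debugfs stays inside the userdebug_or_eng block this patch introduces in vendor/kernel.te, so the labels do not widen debugfs exposure on user builds.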