sepolicy: allow kernel to search vendor debugfs

audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: Ib25cc13a329b40bebe87fab43e955e2e4395de9e Signed-off-by: Spade Lee <spadelee@google.com>
2024-03-19 07:45:43 +00:00 · 2024-03-19 07:45:43 +00:00 · bac2d41b9c
commit bac2d41b9c
parent 31edc2fa71
3 changed files with 18 additions and 14 deletions
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@ -37,6 +37,17 @@ genfscon sysfs /class/power_supply/wireless/device/fw_rev
 # debugfs
 genfscon debugfs /regmap                                                u:object_r:vendor_regmap_debugfs:s0
 genfscon debugfs /usb                                                   u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger                                        u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77729_pmic                                         u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77759_chg                                          u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77779_chg                                          u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77779_pmic                                         u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables                                             u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery                                        u:object_r:vendor_battery_debugfs:s0
+genfscon debugfs /maxfg                                                 u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /max77779fg                                            u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_base                                            u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_secondary                                       u:object_r:vendor_maxfg_debugfs:s0

 # GPU
 genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq              u:object_r:sysfs_gpu:s0
--- a/vendor/kernel.te
+++ b/vendor/kernel.te
@ -8,12 +8,14 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;

-no_debugfs_restriction(`
+userdebug_or_eng(`
  allow kernel vendor_battery_debugfs:dir search;
+  allow kernel vendor_regmap_debugfs:dir search;
+  allow kernel vendor_usb_debugfs:dir search;
+  allow kernel vendor_votable_debugfs:dir search;
+  allow kernel vendor_charger_debugfs:dir search;
+  allow kernel vendor_maxfg_debugfs:dir search;
 ')

-allow kernel vendor_regmap_debugfs:dir search;

-dontaudit kernel vendor_usb_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-dontaudit kernel vendor_charger_debugfs:dir search;
+