From 3da2f21fbfa943b408c01d4db2468c7d05b311f9 Mon Sep 17 00:00:00 2001
From: Tianjie Xu <xunchang@google.com>
Date: Wed, 5 Apr 2017 12:43:33 -0700
Subject: [PATCH] Allow recovery to read thermal info

We want to track temperature metrics during an OTA update.

denial message:
denied  { search } for  pid=349 comm="recovery" name="thermal"
dev="sysfs" ino=18029 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

denied  { read } for  pid=326 comm="recovery" name="temp"
dev="sysfs" ino=18479 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0

Bug: 36920500
Bug: 32518487
Test: temperature logs on angler
Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e
---
 public/recovery.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5ad..6bbc2ab86 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -90,6 +90,10 @@ recovery_only(`
   allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
   allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
+  # Read /sys/class/thermal/*/temp for thermal info.
+  allow recovery sysfs_thermal:dir search;
+  allow recovery sysfs_thermal:file r_file_perms;
+
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
 
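Review bot: The comment on the added lines describes a wildcard path (`/sys/class/thermal/*/temp`), but `allow recovery sysfs_thermal:dir search;` only permits traversal, not listing, and nothing here covers `lnk_file`. If recovery enumerates the thermal zones or reaches them through symlinks labelled `sysfs_thermal` (not visible in this hunk), further denials would follow. The read-only macro already used just below, as in `r_dir_file(recovery, sysfs_thermal)`, would cover dir, file and lnk_file reads in one line without granting any write access. If the paths are fixed and `search` is genuinely all that is needed, the comment should say so, for example `# Paths are fixed; no directory listing needed, so dir search only.`, so the narrow grant reads as deliberate. The enclosing `recovery_only(` block starts and ends outside the hunk.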
-- 
GitLab