From b32b4a112f8b0013115ab50c5022554108c07452 Mon Sep 17 00:00:00 2001 From: Prashant Malani <pmalani@google.com> Date: Tue, 11 Oct 2016 11:01:49 -0700 Subject: [PATCH] sepolicy: Add policy for vibrator HIDL service Fixes the following denials: avc: denied { open } for pid=7530 comm="android.hardwar" path="/sys/devices/virtual/timed_output/vibrator/enable" dev="sysfs" ino=20519 scontext=u:r:android_hardware_vibrator_1_0_service:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { call } for pid=9173 comm="Binder:7735_C" scontext=u:r:system_server:s0 tcontext=u:r:android_hardware_vibrator_1_0_service:s0 tclass=binder permissive=1 Test: m Bug: 32021191 Change-Id: I243a86b449794e3c2f0abf91ddcf405eff548d0c --- private/android_hardware_vibrator_1_0_service.te | 2 ++ private/file_contexts | 2 ++ public/android_hardware_vibrator_1_0_service.te | 9 +++++++++ public/file.te | 1 + public/system_server.te | 1 + 5 files changed, 15 insertions(+) create mode 100644 private/android_hardware_vibrator_1_0_service.te create mode 100644 public/android_hardware_vibrator_1_0_service.te diff --git a/private/android_hardware_vibrator_1_0_service.te b/private/android_hardware_vibrator_1_0_service.te new file mode 100644 index 000000000..1c99d233a --- /dev/null +++ b/private/android_hardware_vibrator_1_0_service.te @@ -0,0 +1,2 @@ +# may be started by init +init_daemon_domain(android_hardware_vibrator_1_0_service) diff --git a/private/file_contexts b/private/file_contexts index 934de2f72..a4a8770c4 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -222,6 +222,7 @@ /system/fake-lib(64)?/libart.* u:object_r:libart_file:s0 /system/lib(64)?/libart.* u:object_r:libart_file:s0 /system/bin/hw/android.hardware.nfc@1.0-service u:object_r:android_hardware_nfc_1_0_service_exec:s0 +/system/bin/hw/android.hardware.vibrator@1.0-service u:object_r:android_hardware_vibrator_1_0_service_exec:s0 ############################# # Vendor files 
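Review bot: The dots in the new `/system/bin/hw/android.hardware.vibrator@1.0-service` entry are unescaped, and file_contexts paths are regular expressions, so each `.` matches any character rather than a literal dot. The neighbouring nfc entry is written the same way, so this follows local style. Still, the `_exec` label is what `init_daemon_domain` keys the domain transition on, so it is better pinned to the exact path: `/system/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:android_hardware_vibrator_1_0_service_exec:s0`.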
@@ -384,6 +385,7 @@ /sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0 /sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0 +/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0 ############################# # debugfs files diff --git a/public/android_hardware_vibrator_1_0_service.te b/public/android_hardware_vibrator_1_0_service.te new file mode 100644 index 000000000..17336a51c --- /dev/null +++ b/public/android_hardware_vibrator_1_0_service.te @@ -0,0 +1,9 @@ +# vibrator subsystem +type android_hardware_vibrator_1_0_service, domain; +type android_hardware_vibrator_1_0_service_exec, exec_type, file_type; + +# hwbinder access +hwbinder_use(android_hardware_vibrator_1_0_service) + +# vibrator sysfs rw access +allow android_hardware_vibrator_1_0_service sysfs_vibrator:file rw_file_perms; diff --git a/public/file.te b/public/file.te index 529ab1511..b622c875a 100644 --- a/public/file.te +++ b/public/file.te @@ -41,6 +41,7 @@ type sysfs_devices_system_cpu, fs_type, sysfs_type; type sysfs_lowmemorykiller, fs_type, sysfs_type; # /sys/module/wlan/parameters/fwpath type sysfs_wlan_fwpath, fs_type, sysfs_type; +type sysfs_vibrator, fs_type, sysfs_type; type sysfs_thermal, sysfs_type, fs_type; diff --git a/public/system_server.te b/public/system_server.te index 2d479afff..54b3fa8c4 100644 --- a/public/system_server.te +++ b/public/system_server.te @@ -155,6 +155,7 @@ binder_call(system_server, dumpstate) binder_call(system_server, netd) binder_call(system_server, wificond) binder_service(system_server) +binder_call(system_server, android_hardware_vibrator_1_0_service) # Ask debuggerd to dump backtraces for native stacks of interest. # -- GitLab
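Review bot: Relabelling `/sys/devices/virtual/timed_output/vibrator/enable` from `sysfs` to `sysfs_vibrator` removes access for every domain that reached the node through a generic `sysfs` rule, and the only allow rule this patch adds for the new type is for the HAL service domain. If another domain still writes the node directly (a non-HIDL vibrator path in system_server, for example; not visible in this patch), it will start logging denials once this lands. In that case a narrow grant such as `allow system_server sysfs_vibrator:file { write append };` would be needed alongside the relabel. The entry is also tied to the timed_output driver path, so a device that exposes the vibrator elsewhere would need its own label in device policy.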
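Review bot: The rule `allow android_hardware_vibrator_1_0_service sysfs_vibrator:file rw_file_perms;` grants the full read/write set, while the denial quoted in the commit message shows only `open` and was captured with `permissive=1`. If the service only writes to `enable`, `w_file_perms` is the tighter grant. If it opens the node read-write, extend the comment above the rule to say so, e.g. `# vibrator sysfs rw access (HAL opens the enable node O_RDWR)`, so the permission set is not narrowed or widened by guesswork later. Re-running with the domain enforcing would confirm the final set.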
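Review bot: `type sysfs_vibrator, fs_type, sysfs_type;` is added without a path comment and sits immediately after the `sysfs_wlan_fwpath` type, so it reads as if the `# /sys/module/wlan/parameters/fwpath` comment covered it. Add `# /sys/devices/virtual/timed_output/vibrator/enable` on the line above the new type, so the type can be matched to its file_contexts entry when auditing which sysfs nodes are writable by which domain.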