Commit d276b434 authored by Tri Vo's avatar Tri Vo

Remove access to 'sysfs' files from healthd and charger.

We rely on vendors to label all dependencies of healthd/charger under
/sys/class/power_supply with sysfs_batteryinfo type.

Bug: 65643247
Bug: 32659667
Test: boots without denials from healthd, to sysfs_batteryinfo or to
sysfs_msm_subsys.
Test: charging with device turned off works without /sys denials.

Change-Id: I893f309ecad8a0caf7d0b81f5f945725907255c2
parent 3dbe6f25
...@@ -35,9 +35,7 @@ full_treble_only(` ...@@ -35,9 +35,7 @@ full_treble_only(`
# /sys # /sys
neverallow { neverallow {
coredomain coredomain
-charger
-dumpstate -dumpstate
-healthd
-init -init
-priv_app -priv_app
-storaged -storaged
......
...@@ -6,7 +6,7 @@ type charger, domain; ...@@ -6,7 +6,7 @@ type charger, domain;
allow charger kmsg_device:chr_file rw_file_perms; allow charger kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems. # Read access to pseudo filesystems.
r_dir_file(charger, sysfs_type) allow charger sysfs_type:dir search;
r_dir_file(charger, rootfs) r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup) r_dir_file(charger, cgroup)
...@@ -20,7 +20,7 @@ allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; ...@@ -20,7 +20,7 @@ allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Read/write to /sys/power/state # Read/write to /sys/power/state
allow charger sysfs_power:file rw_file_perms; allow charger sysfs_power:file rw_file_perms;
allow charger sysfs_batteryinfo:file r_file_perms; r_dir_file(charger, sysfs_batteryinfo)
# Read /sys/fs/pstore/console-ramoops # Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's # Don't worry about overly broad permissions for now, as there's
......
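Review bot: The comment `# Read access to pseudo filesystems.` now sits directly above `allow charger sysfs_type:dir search;`, which grants only directory traversal across sysfs types and no read access, so the comment overstates what that line permits. I would give the line its own comment, e.g. `# Search-only on sysfs dirs so charger can reach labeled nodes; file access is granted per type below.` The same applies to the matching `allow healthd sysfs_type:dir search;` line in the healthd section. With the generic read gone, a power_supply node that a vendor leaves with the default sysfs label will presumably show up as a charger denial, so the comment could also say that such denials point to a labeling gap rather than a missing allow rule.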
...@@ -6,7 +6,7 @@ type healthd_exec, exec_type, file_type; ...@@ -6,7 +6,7 @@ type healthd_exec, exec_type, file_type;
allow healthd kmsg_device:chr_file rw_file_perms; allow healthd kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems. # Read access to pseudo filesystems.
r_dir_file(healthd, sysfs_type) allow healthd sysfs_type:dir search;
r_dir_file(healthd, rootfs) r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup) r_dir_file(healthd, cgroup)
...@@ -26,16 +26,13 @@ binder_service(healthd) ...@@ -26,16 +26,13 @@ binder_service(healthd)
binder_call(healthd, system_server) binder_call(healthd, system_server)
hal_client_domain(healthd, hal_health) hal_client_domain(healthd, hal_health)
# Write to state file. # Read/write to /sys/power/state
# TODO: Split into a separate type? allow healthd sysfs_power:file rw_file_perms;
allow healthd sysfs:file write;
# TODO: added to match above sysfs rule. Remove me? # TODO: added to match above sysfs rule. Remove me?
allow healthd sysfs_usb:file write; allow healthd sysfs_usb:file write;
allow healthd sysfs_batteryinfo:file r_file_perms; r_dir_file(healthd, sysfs_batteryinfo)
r_dir_file(healthd, sysfs_type)
### ###
### healthd: charger mode ### healthd: charger mode
......
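Review bot: The retained `# TODO: added to match above sysfs rule. Remove me?` refers to `allow healthd sysfs:file write;`, which this change deletes, so `allow healthd sysfs_usb:file write;` is left with no stated justification. Since the commit is tightening healthd's sysfs access, either drop the sysfs_usb write here if testing shows no denials, or replace the stale TODO with one that can be acted on, e.g. `# TODO(b/<bug id>): confirm healthd still writes to sysfs_usb; remove if no denials.` Whether healthd actually writes any sysfs_usb node is not visible from this page, so that needs checking against denial logs before removal.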