From df72abb3a2c11591bbb77535f06e3c11192acb86 Mon Sep 17 00:00:00 2001 From: dcashman <dcashman@google.com> Date: Thu, 24 Mar 2016 09:23:54 -0700 Subject: [PATCH] Move sysfs_thermal to global policy and grant access. sysfs_thermal nodes are common enough to warrant an entry in global policy and the new HardwarePropertiesManagerService exists explicitly to expose some of this information. Address the following denials: avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1 avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 (cherry-pick of internal commit: 98eff7c3d46abe2db996c0718b7386a3e368f344) Bug: 27809332 Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f
---
file.te | 3 +++ system_server.te | 2 ++ 2 files changed, 5 insertions(+)
diff --git a/file.te b/file.te
index d8bbdc40a..3dfa4fecd 100644
--- a/file.te
+++ b/file.te
@@ -33,6 +33,9 @@ type sysfs_mac_address, fs_type, sysfs_type;
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
 type sysfs_lowmemorykiller, fs_type, sysfs_type;
+
+type sysfs_thermal, sysfs_type, fs_type;
+
 type sysfs_zram, fs_type, sysfs_type;
 type sysfs_zram_uevent, fs_type, sysfs_type;
 type inotify, fs_type, mlstrustedobject;
diff --git a/system_server.te b/system_server.te
index 5a3573a91..6ab48e76b 100644
--- a/system_server.te
+++ b/system_server.te
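Review bot: The new `type sysfs_thermal, sysfs_type, fs_type;` declaration lists its attributes in the opposite order from every neighbouring sysfs type in this hunk (`fs_type, sysfs_type`), and unlike `sysfs_lowmemorykiller` it carries no comment saying which path it labels, while the two surrounding blank lines set it apart from an otherwise contiguous list. Attribute order has no semantic effect, so this is a style point, but a uniform list makes grep-based audits of sysfs types easier. I would put `# /sys/devices/virtual/thermal` (the path quoted in the commit's denials) above `type sysfs_thermal, fs_type, sysfs_type;` and drop the blank lines. The hunk only declares the type: no global genfs_contexts or file_contexts entry is added, so presumably the label is still applied by per-device policy, which the comment could state so readers do not assume the type is populated by default.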
@@ -158,6 +158,8 @@ allow system_server sysfs:file rw_file_perms;
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
 allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
 # Access devices.
 allow system_server device:dir r_dir_perms;
-- GitLab
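Review bot: The two new `sysfs_thermal` allow rules carry no comment tying them to the service that needs them, even though the commit message names it; a line such as `# Read thermal zone data for HardwarePropertiesManagerService.` above `allow system_server sysfs_thermal:dir search;` keeps that rationale in the policy where the next auditor will look. The grant itself is tightly scoped: `dir search` without `read` lets system_server traverse the thermal directory to known paths but not enumerate it, and `r_file_perms` covers the read/open/getattr denials quoted in the message (if the macro is the usual AOSP definition it also carries ioctl and lock, which the denials do not show). Should the service later need to discover `thermal_zoneN` entries by listing rather than by fixed path, that will surface as a `dir read` denial, which is the expected least-privilege outcome rather than something to pre-empt here. The enclosing block of sysfs rules begins outside the hunk.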