diff --git a/sepolicy/cnss_diag.te b/sepolicy/cnss_diag.te
new file mode 100644
index 00000000..faf164b8
--- /dev/null
+++ b/sepolicy/cnss_diag.te
@@ -0,0 +1,19 @@
+# Policy for /vendor/bin/cnss_diag
+type cnss_diag, domain;
+type cnss_diag_exec, exec_type, file_type;
+
+init_daemon_domain(cnss_diag)
+
+allow cnss_diag self:capability { setgid setuid };
+
+allow cnss_diag self:netlink_socket create_socket_perms_no_ioctl;
+allow cnss_diag sysfs:file r_file_perms;
+
+# b/35877764 suppress the udp_socket denial message temproarily
+dontaudit cnss_diag self:udp_socket create;
+
+userdebug_or_eng(`
+ allow cnss_diag diag_device:chr_file rw_file_perms;
+ allow cnss_diag cnss_vendor_data_file:dir create_dir_perms;
+ allow cnss_diag cnss_vendor_data_file:file create_file_perms;
+')
diff --git a/sepolicy/logger_app.te b/sepolicy/logger_app.te
index 70607dfc..1f4e03e6 100644
--- a/sepolicy/logger_app.te
+++ b/sepolicy/logger_app.te
@@ -14,4 +14,5 @@ userdebug_or_eng(`
 allow logger_app cnss_vendor_data_file:dir create_dir_perms;
 allow logger_app cnss_vendor_data_file:file create_file_perms;
+ set_prop(logger_app, cnss_diag_prop);
 ')
diff --git a/sepolicy/property.te b/sepolicy/property.te
index e109221d..e9149331 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -5,5 +5,6 @@ type keymaster_prop, property_type;
 type ramdump_prop, property_type;
 type post_boot_prop, property_type;
 type ssr_prop, property_type;
+type cnss_diag_prop, property_type;
 type tee_listener_prop, property_type;
 type wc_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 6bda2eb2..4e71679b 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
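Review bot: `dontaudit cnss_diag self:udp_socket create;` only hides the denial, it does not grant the access, so if cnss_diag genuinely needs that socket it keeps failing with no audit trace and the bug number in the comment is the only breadcrumb; I would make the intent explicit with `# TODO(b/35877764): root-cause and replace with an explicit allow, or drop once the daemon no longer opens a udp_socket` (also fixing the "temproarily" typo). The `allow cnss_diag self:capability { setgid setuid };` grant has no why-comment; if the daemon is started as root by init and only uses these to drop to its own uid/gid, say so, e.g. `# started as root by init; needed only to drop privileges at startup`, so a later reviewer does not widen it. Keeping diag_device and cnss_vendor_data_file access inside userdebug_or_eng is the right scoping for a DIAG consumer and should be called out in the header comment as deliberate.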
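Review bot: `set_prop(logger_app, cnss_diag_prop);` adds the write side for the new property type, but no domain in this change receives the matching read side; if cnss_diag is the consumer of persist.sys.cnss.*, a `get_prop(cnss_diag, cnss_diag_prop)` in cnss_diag.te is presumably still missing (it may be covered by a broader rule outside this diff, so worth confirming). Because the grant sits inside userdebug_or_eng, nothing can set these properties on user builds, so cnss_diag has to behave sensibly with them unset; a one-line comment stating that would help, e.g. `# debug-only: lets the logger app set persist.sys.cnss.* to control cnss_diag`. The enclosing userdebug_or_eng block opens outside the hunk.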
@@ -8,5 +8,6 @@ sys.post_boot. u:object_r:post_boot_prop:s0
 radio. u:object_r:radio_prop:s0
 debug.htc.hrdump u:object_r:ramdump_prop:s0
 debug.ssrdump u:object_r:ssr_prop:s0
+persist.sys.cnss. u:object_r:cnss_diag_prop:s0
 sys.listeners.registered u:object_r:tee_listener_prop:s0
 wc_transport. u:object_r:wc_prop:s0
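Review bot: `persist.sys.cnss. u:object_r:cnss_diag_prop:s0` is a prefix entry, so every property under persist.sys.cnss.* takes the new label and, per the logger_app.te hunk, becomes writable by logger_app on debug builds; if only one key is intended, list it in full rather than the prefix. Since this carves a subtree out of the persist.sys. namespace, a comment naming the owner would help the next reader, e.g. `# persist.sys.cnss.* : cnss_diag control properties, set by logger_app on userdebug/eng`. Whether this longer prefix takes precedence over any generic persist.sys. entry the platform policy may carry depends on the property backend's lookup rules on this release, so that should be verified rather than assumed.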