From 4efae5dab129b1e6cd14f1b40ad863ee41cb42b3 Mon Sep 17 00:00:00 2001
From: Brian Duddie
Date: Tue, 28 Mar 2017 16:52:59 -0700
Subject: [PATCH] Add sepolicy for CHRE

Add SELinux domain for CHRE daemon, and grant permissions based on the following audit output:

type=1400 audit(5568588.679:16): avc: denied { read } for pid=707 comm="chre" name="ion" dev="tmpfs" ino=21569 scontext=u:r:chre:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
type=1400 audit(5568588.679:17): avc: denied { open } for pid=707 comm="chre" path="/dev/ion" dev="tmpfs" ino=21569 scontext=u:r:chre:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
type=1400 audit(5568588.679:18): avc: denied { read } for pid=707 comm="chre" name="adsprpc-smd" dev="tmpfs" ino=21668 scontext=u:r:chre:s0 tcontext=u:object_r:qdsp_device:s0 tclass=chr_file permissive=1
type=1400 audit(5568588.679:19): avc: denied { open } for pid=707 comm="chre" path="/dev/adsprpc-smd" dev="tmpfs" ino=21668 scontext=u:r:chre:s0 tcontext=u:object_r:qdsp_device:s0 tclass=chr_file permissive=1
type=1400 audit(5568588.679:20): avc: denied { ioctl } for pid=707 comm="chre" path="/dev/adsprpc-smd" dev="tmpfs" ino=21668 ioctlcmd=5208 scontext=u:r:chre:s0 tcontext=u:object_r:qdsp_device:s0 tclass=chr_file permissive=1
type=1400 audit(5568588.729:24): avc: denied { read } for pid=707 comm="chre" name="dsp" dev="sda20" ino=381 scontext=u:r:chre:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Test: run chre, confirm no denials in log
Change-Id: Ibd61dfa3d286e17561feffeef7afbc2bfec867ce
---
sepolicy/chre.te | 11 +++++++++++
sepolicy/file_contexts | 1 +
2 files changed, 12 insertions(+)
create mode 100644 sepolicy/chre.te

diff --git a/sepolicy/chre.te b/sepolicy/chre.te
new file mode 100644
index 00000000..96219c11
--- /dev/null
+++ b/sepolicy/chre.te
@@ -0,0 +1,11 @@
+# This daemon loads the Context Hub Runtime Environment (CHRE) dynamic modules
+# onto the SLPI using FastRPC, and exposes a sockets interface for clients on
+# the applications processor to interact CHRE
+type chre, domain;
+type chre_exec, exec_type, file_type;
+
+init_daemon_domain(chre)
+
+allow chre ion_device:chr_file { open read };
+allow chre qdsp_device:chr_file { ioctl open read };
+allow chre system_file:dir read;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index b23b0b2c..905923ad 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -129,6 +129,7 @@
 /vendor/bin/qmuxd u:object_r:qmuxd_exec:s0
 /vendor/bin/cnd u:object_r:cnd_exec:s0
 /vendor/bin/hw/android\.hardware\.usb@1\.0-service.device u:object_r:hal_usb_default_exec:s0
+/vendor/bin/chre u:object_r:chre_exec:s0
 # data files
 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
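Review bot: `allow chre system_file:dir read;` on the last line of the new chre.te grants directory listing of every directory labeled system_file, while the denial that motivated it names a single directory (name="dsp" on dev="sda20"); giving that directory its own file type in file_contexts and allowing only that type would keep the rule scoped to what the daemon actually reads. The `ioctl` permission on qdsp_device is likewise unrestricted although the audit output shows only one command (ioctlcmd=5208, which the kernel prints in hex); if that is the only command the FastRPC path uses, `allowxperm chre qdsp_device:chr_file ioctl { 0x5208 };` placed after the allow rule would pin it. The header comment describes a sockets interface for clients on the applications processor, yet the hunk grants no socket or sock_file permissions; since the commit's Test line only runs the daemon, the client connection path was presumably not exercised in permissive mode and its denials would surface only once the domain is enforcing. The comment also reads `to interact CHRE`; `to interact with CHRE` is what is meant.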