From 892c70989bfb31eac3e2ef49ea5011af7e29e66f Mon Sep 17 00:00:00 2001 
From: Brian Duddie Date: Wed, 19 Apr 2017 13:45:02 -0700 Subject: [PATCH] Add binderized sensors HAL Make the sensors HAL binderized, and add the necessary sepolicy entries to grant it permissions for these denials: type=1400 audit(5246168.379:61): avc: denied { search } for pid=7558 comm="android.hardwar" name="/" dev="sdd3" ino=2 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 type=1400 audit(1493161320.949:152): avc: denied { search } for pid=7558 comm="android.hardwar" name="msm_subsys" dev="sysfs" ino=19027 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1 type=1400 audit(1493161320.949:153): avc: denied { read } for pid=7558 comm="android.hardwar" name="devices" dev="sysfs" ino=19029 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1 type=1400 audit(1493161320.949:154): avc: denied { open } for pid=7558 comm="android.hardwar" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=19029 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1 type=1400 audit(1493161320.949:155): avc: denied { read } for pid=7558 comm="android.hardwar" name="subsys0" dev="sysfs" ino=34647 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file permissive=1 type=1400 audit(1493161320.949:156): avc: denied { read } for pid=7558 comm="android.hardwar" name="name" dev="sysfs" ino=34639 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1 type=1400 audit(1493161320.949:157): avc: denied { open } for pid=7558 comm="android.hardwar" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=34639 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1 type=1400 audit(1493161320.959:158): avc: denied { search } for pid=7558 comm="android.hardwar" 
name="sensors" dev="sdd3" ino=12 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir permissive=1 type=1400 audit(1493161320.959:159): avc: denied { read } for pid=7558 comm="android.hardwar" name="sensors_settings" dev="sdd3" ino=13 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1 type=1400 audit(1493161320.959:160): avc: denied { open } for pid=7558 comm="android.hardwar" path="/persist/sensors/sensors_settings" dev="sdd3" ino=13 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1 type=1400 audit(1493161320.959:161): avc: denied { create } for pid=7558 comm="android.hardwar" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1 type=1400 audit(1493161320.959:162): avc: denied { ioctl } for pid=7558 comm="android.hardwar" path="socket:[85874]" dev="sockfs" ino=85874 ioctlcmd=c304 scontext=u:r:hal_sensors_default:s0 tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1 type=1400 audit(1493161320.959:163): avc: denied { write } for pid=7558 comm="android.hardwar" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1 type=1400 audit(1493161320.979:164): avc: denied { read } for pid=7558 comm="android.hardwar" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1 type=1400 audit(1493161346.039:168): avc: denied { ioctl } for pid=7558 comm="sensors@1.0-ser" path="socket:[85876]" dev="sockfs" ino=85876 ioctlcmd=c302 scontext=u:r:hal_sensors_default:s0 tcontext=u:r:hal_sensors_default:s0 tclass=socket permissive=1 Bug: 36097227 Test: load on device, confirm sensors stack comes up, perform screen orientation sanity test, check no selinux denials in kernel log, run VTS using: vts-tradefed run commandAndExit vts --module VtsHalSensorsV1_0Target Note that there are known VTS failures 
tracked under bug 37710268. This change does not introduce any new failures. Change-Id: I8f6017f3d080cde7ec009182f0f5fbb90980d424
---
device.mk | 3 ++- manifest.xml | 9 +++++++++ sepolicy/hal_sensors_default.te | 8 ++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 sepolicy/hal_sensors_default.te
diff --git a/device.mk b/device.mk
index f77b634b..99973e44 100644
--- a/device.mk
+++ b/device.mk
@@ -308,7 +308,8 @@ PRODUCT_PACKAGES += \ PRODUCT_PACKAGES += \ sensors.$(PRODUCT_HARDWARE) \ - android.hardware.sensors@1.0-impl + android.hardware.sensors@1.0-impl \ + android.hardware.sensors@1.0-service PRODUCT_COPY_FILES += \ $(LOCAL_PATH)/sensors/hals.conf:system/etc/sensors/hals.conf
diff --git a/manifest.xml b/manifest.xml
index 04a11def..18e987a0 100644
--- a/manifest.xml
+++ b/manifest.xml
@@ -235,4 +235,13 @@ default + + android.hardware.sensors + hwbinder + 1.0 + + ISensors + default + +
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644
index 00000000..7472493c
--- /dev/null
+++ b/sepolicy/hal_sensors_default.te
@@ -0,0 +1,8 @@
+# read factory calibration and sensor configuration data
+allow hal_sensors_default persist_file:dir search;
+r_dir_file(hal_sensors_default, persist_sensors_file)
+
+# interact with the sensors low power island (SLPI) CPU
+allow hal_sensors_default self:socket { create ioctl read write };
+allowxperm hal_sensors_default self:socket ioctl msm_sock_ipc_ioctls;
+r_dir_file(hal_sensors_default, sysfs_msm_subsys);
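Review bot: In sepolicy/hal_sensors_default.te the `self:socket` rule grants ioctl on the generic socket class, and the `allowxperm` line right after it is the only thing holding that to `msm_sock_ipc_ioctls`; the allow rule on its own would permit every ioctl command on that socket if a later edit dropped or moved the allowxperm. A comment above the pair would make that dependency explicit, for example `# ioctl is limited to msm_sock_ipc_ioctls by the allowxperm rule below; keep the two together`. The final line `r_dir_file(hal_sensors_default, sysfs_msm_subsys);` ends in a semicolon that the earlier `r_dir_file(hal_sensors_default, persist_sensors_file)` call does not have; write it as `r_dir_file(hal_sensors_default, sysfs_msm_subsys)` so both macro calls match. Most of the denials quoted in the commit message were logged with permissive=1, so the "no selinux denials" check is worth repeating on an enforcing build if that was not already how it was run.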