From 4daa4aee1ef78179c0125a49d48afb49e8ac2d1a Mon Sep 17 00:00:00 2001 
From: Max Bires
Date: Tue, 2 May 2017 15:39:07 -0700
Subject: [PATCH] Adding allows and contexts to address the following denials
denied { write } for pid=530 comm="ueventd" name="uevent" dev="sysfs" ino=43389 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_laser:s0 tclass=file
denied { read } for pid=908 comm="perfd" name="modes" dev="sysfs" ino=34248 scontext=u:r:perfd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { relabelto } for pid=1 comm="init" name="boot_b" dev="tmpfs" ino=21880 scontext=u:r:init:s0 tcontext=u:object_r:boot_block_device:s0 tclass=lnk_file
denied { write } for pid=1 comm="init" name="debug_suspend" dev="debugfs" ino=997 scontext=u:r:init:s0 tcontext=u:object_r:debugfs:s0 tclass=file
denied { relabelto } for pid=1 comm="init" name="vbmeta_b" dev="tmpfs" ino=21885 scontext=u:r:init:s0 tcontext=u:object_r:ab_block_device:s0 tclass=lnk_file
denied { write } for pid=695 comm="light@2.0-servi" name="on_off_ms" dev="sysfs" ino=46423 scontext=u:r:hal_light_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { search } for pid=916 comm="gnss@1.0-servic" name="soc0" dev="sysfs" ino=51314 scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir
denied { ioctl } for pid=798 comm="Loc_hal" path="socket:[64664]" dev="sockfs" ino=64664 ioctlcmd=c302 scontext=u:r:hal_gnss_qti:s0 tcontext=u:r:hal_gnss_qti:s0 tclass=socket
denied { create } for pid=916 comm="Loc_hal" scontext=u:r:hal_gnss_qti:s0 tcontext=u:r:hal_gnss_qti:s0 tclass=socket
denied { read } for pid=916 comm="gnss@1.0-servic" name="name" dev="sysfs" ino=34701 scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file
denied { read } for pid=916 comm="gnss@1.0-servic" name="subsys0" dev="sysfs" ino=34709 scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file
denied { read } for pid=916 comm="gnss@1.0-servic" name="hw_platform" dev="sysfs" ino=51342 scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=file
denied { search } for pid=916 comm="gnss@1.0-servic" name="msm_subsys" dev="sysfs" ino=19076 scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir
Bug: 34784662
Test: The above denials are no longer appearing in the logs
Change-Id: I3fbcc4686ceaf88194ca65d9c7c463a4d59e4c6f
---
 sepolicy/file_contexts | 3 ++-
 sepolicy/hal_gnss_qti.te | 10 ++++++++++
 sepolicy/ueventd.te | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index f8a183ac..55ae52cc 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -122,6 +122,7 @@
 /sys/devices/soc/c900000\.qcom,mdss_rotator(/.*)? u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/c900000\.qcom,mdss_mdp/caps u:object_r:sysfs_mdss_mdp_caps:s0
 /sys/devices/soc/c17a000\.i2c/i2c-6/6-005a/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/c1b5000\.i2c/i2c-7/7-0030/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/5000000\.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_msm_subsys:s0
@@ -135,7 +136,7 @@
 /sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
 /sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
 /sys/module/tcp_cubic/parameters(/.*)? u:object_r:sysfs_net:s0
-/sys/devices/virtual/graphics/fb([0-2])+/idle_time u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-2])+(/.*)? u:object_r:sysfs_graphics:s0
 /sys/devices/virtual/net(/.*)? u:object_r:sysfs_net:s0
 /sys/devices/soc/8c0000\.qcom,msm-cam(/.*)? u:object_r:sysfs_camera:s0
 /sys/devices/soc0(/.*)? u:object_r:sysfs_soc:s0
diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te
index 733d1aa7..21102124 100644
--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
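Review bot: The changed `fb([0-2])+` line widens the `sysfs_graphics` label from the single `idle_time` node to every node under those fb directories, while the denial it addresses (perfd reading `modes`) names one file. Every domain that already holds `sysfs_graphics` access, including any write grants, now reaches the whole subtree, and since no perfd rule is added here perfd presumably already has that access. If `modes` is all that is needed, `/sys/devices/virtual/graphics/fb([0-2])+/(idle_time|modes) u:object_r:sysfs_graphics:s0` keeps the label as narrow as it was; otherwise the commit message should list the other fb nodes that require it. The `([0-2])+` group also matches multi-digit names such as `fb01`; that predates this change, but tightening it to `fb[0-2]` while the line is being touched would be cheap.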
@@ -4,6 +4,16 @@ hal_server_domain(hal_gnss_qti, hal_gnss)
 type hal_gnss_qti_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_qti)
+r_dir_file(hal_gnss_qti, sysfs_msm_subsys)
+
+allow hal_gnss_qti sysfs_soc:dir search;
+allow hal_gnss_qti sysfs_soc:file r_file_perms;
+
+allow hal_gnss_qti location_data_file:dir w_dir_perms;
+
+allow hal_gnss_qti self:socket create_socket_perms;
+allowxperm hal_gnss_qti self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
+
 userdebug_or_eng(`
 permissive hal_gnss_qti;
 ')
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 621f28f0..f5cb92a7 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -2,6 +2,7 @@ allow ueventd sysfs_thermal:file w_file_perms;
 allow ueventd sysfs_leds:file w_file_perms;
 allow ueventd sysfs_camera:file w_file_perms;
 allow ueventd sysfs_fingerprint:file w_file_perms;
+allow ueventd sysfs_laser:file w_file_perms;
 allow ueventd sysfs_rmtfs:file w_file_perms;
 allow ueventd sysfs_soc:file w_file_perms;
 allow ueventd sysfs_net:file w_file_perms;
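Review bot: `allow hal_gnss_qti location_data_file:dir w_dir_perms;` is not backed by any denial in the commit message — every hal_gnss_qti denial listed there is against sysfs_msm_subsys, sysfs_soc or the domain's own socket — so it should either be justified by a corresponding denial in the description or dropped from this change. The socket rules are scoped sensibly: `create_socket_perms` together with the `allowxperm ... ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER` line limits ioctls to the one command, which presumably corresponds to the ioctlcmd=c302 in the log; a comment such as `# IPC router server lookup used by Loc_hal (ioctlcmd=c302)` above the allowxperm would tie the rule to its denial for the next reader. The `sysfs_soc:file r_file_perms` grant covers every file under that label although only `hw_platform` was reported, which is the usual granularity for sysfs labels but worth stating in the description.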