From ee8cd6b127fc1563d27a656cfa5647674b7790e4 Mon Sep 17 00:00:00 2001 
From: Brian Duddie Date: Fri, 23 Jun 2017 15:50:54 -0700 Subject: [PATCH] Allow sensors daemon to create vendor data files Add an entry to init.hardware.rc to create /data/vendor/sensors at startup, and sepolicy entries that allow the sensors daemon to create files in that directory. These will be used to persist runtime calibration across reboot, but not across factory reset. denied { getattr } for pid=14080 comm="sensors.qcom" path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { write } for pid=14113 comm="sensors.qcom" name="vendor" dev="sda45" ino=2179073 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 denied { add_name } for pid=14113 comm="sensors.qcom" name="sensors" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 denied { create } for pid=14113 comm="sensors.qcom" name="sensors" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 denied { create } for pid=14113 comm="sensors.qcom" name="cal.bin" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { write open } for pid=14113 comm="sensors.qcom" path="/data/vendor/sensors/cal.bin" dev="sda45" ino=2179115 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { read } for pid=14113 comm="sensors.qcom" path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { getattr } for pid=14113 comm="sensors.qcom" path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 Bug: 38425697 Test: confirm folder is created on boot, and calibration files are created, updated, and read successfully by sensors daemon Change-Id: 
Ie23cafe4f43b3335e07cf0d13dde0c5d06b69f80
---
 init.hardware.rc | 2 ++
 sepolicy/vendor/file.te | 1 +
 sepolicy/vendor/file_contexts | 1 +
 sepolicy/vendor/sensors.te | 3 +++
 4 files changed, 7 insertions(+)
diff --git a/init.hardware.rc b/init.hardware.rc
index a2f4ea37..5e556a00 100644
--- a/init.hardware.rc
+++ b/init.hardware.rc
@@ -330,6 +330,8 @@ on zygote-start
     mkdir /data/misc/sensors
     chmod 775 /data/misc/sensors
+    mkdir /data/vendor/sensors 0770
+
     # Mark the copy complete flag to not completed
     write /data/vendor/radio/copy_complete 0
     chown radio radio /data/vendor/radio/copy_complete
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index f64def5a..d292bc8c 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -66,6 +66,7 @@ type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type modem_dump_file, file_type, data_file_type;
 type ese_vendor_data_file, file_type, data_file_type;
 type time_vendor_data_file, file_type, data_file_type;
+type sensors_vendor_data_file, file_type, data_file_type;
 type vendor_firmware_file, vendor_file_type, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 264cec3c..f034a49a 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -241,6 +241,7 @@
 /data/vendor/ese(/.*)? u:object_r:ese_vendor_data_file:s0
 /data/vendor/ipa(/.*)? u:object_r:ipa_vendor_data_file:s0
 /data/vendor/time(/.*)? u:object_r:time_vendor_data_file:s0
+/data/vendor/sensors(/.*)? u:object_r:sensors_vendor_data_file:s0
 # /
 /tombstones u:object_r:rootfs:s0
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
index 3439cb67..d1a6f89d 100644
--- a/sepolicy/vendor/sensors.te
+++ b/sepolicy/vendor/sensors.te
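Review bot: `mkdir /data/vendor/sensors 0770` sets a mode but no owner or group, so init leaves the new directory owned by root:root; if sensors.qcom runs as a non-root user (its `service` definition is outside this hunk), the DAC check will reject the file creates that the new sepolicy rules are meant to permit, since the denials quoted in the description come from a permissive-mode run in which the daemon created the directory itself. The neighbouring `chown radio radio /data/vendor/radio/copy_complete` shows how this file hands a data path to its owning daemon; the equivalent here is `mkdir /data/vendor/sensors 0770 <sensors-user> <sensors-group>`, with the two names taken from the `service sensors` block. The 0770 mode is correctly tighter than the `chmod 775 /data/misc/sensors` above it, so calibration data is not world-readable. The enclosing `on zygote-start` section starts outside the hunk.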
@@ -17,6 +17,9 @@ allow sensors persist_sensors_file:dir rw_dir_perms;
 allow sensors persist_sensors_file:file create_file_perms;
 allow sensors persist_file:dir { getattr search };
+allow sensors sensors_vendor_data_file:dir create_dir_perms;
+allow sensors sensors_vendor_data_file:file create_file_perms;
+
 allow sensors system_file:dir r_dir_perms;
 allow sensors sensors_device:chr_file rw_file_perms;
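Review bot: `allow sensors sensors_vendor_data_file:dir create_dir_perms;` grants more than the use case needs once init creates /data/vendor/sensors: the `create` and `add_name` denials on the `sensors` directory in the description came from the daemon making the directory itself, and in AOSP's global_macros `create_dir_perms` adds create, rmdir, rename, reparent and setattr on the directory on top of `rw_dir_perms`. If the daemon only ever writes cal.bin and cal.txt directly into the directory init provides, `allow sensors sensors_vendor_data_file:dir rw_dir_perms;` is sufficient and matches the `persist_sensors_file:dir rw_dir_perms;` rule just above the hunk. The file rule with `create_file_perms` mirrors the persist_sensors_file line and is acceptable, although the logged file denials only show create, open, read, write and getattr, so it could likewise be trimmed if the daemon never unlinks or renames its calibration files.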