From 26aecc34520a196d2c72de9a92baed77452c87ca Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Wed, 8 Feb 2017 18:05:06 -0800
Subject: [PATCH] Added thermal engine allow rule and defined sysfs_thermal files

Added the allow and relevant sysfs_thermal specifications to handle the following bootup denials:

denied { read write } for pid=795 comm="thermal-engine" name="trip_point_1_temp" dev="sysfs" ino=43298 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file
denied { ioctl write } for pid=761 comm="thermal-engine" path="socket:[18584]" dev="sockfs" ino=18584 ioctlcmd=c302 scontext=u:r:thermal-engine:s0 tcontext=u:r:thermal-engine:s0 tclass=socket
denied { read } for pid=729 comm="thermal-engine" name="thermal_zone11" dev="sysfs" ino=43236 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir
denied { search } for pid=783 comm="thermal-engine" name="thermal" dev="sysfs" ino=42709 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir

Bug: 34784662
Test: The above denials no longer appear during boot
Change-Id: If6fd93e10a85968a16b1266d148b0303ac0e09dd
---
 sepolicy/file_contexts | 2 ++
 sepolicy/thermal-engine.te | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 0bef9f3..4a07dd7 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -38,6 +38,8 @@
 /dev/socket/thermal-recv-passive-client u:object_r:thermal_socket:s0
 # files in sysfs
+/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
 /sys/devices/virtual/graphics/fb([0-2])+/idle_time u:object_r:sysfs_graphics:s0
 # files in /system
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 4a2e138..132abda 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
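Review bot: A file_contexts entry for `/sys/devices/virtual/thermal(/.*)?` and `/sys/module/msm_thermal(/.*)?` only labels nodes that already exist when init's sysfs restorecon runs; a thermal zone that a driver registers later keeps the default `sysfs` label, and the `thermal_zone11` / `trip_point_1_temp` denials quoted in the description will come back intermittently on those devices. If this device's policy has a genfs_contexts file, a `genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0` entry (plus one for `/module/msm_thermal`) labels the subtree at creation time and is the more robust choice; if not, a comment above the two new lines noting the restorecon dependency would help the next reader. Note also that the quoted denials already show `tcontext=u:object_r:sysfs_thermal:s0`, so either some of these nodes were already labelled by an existing genfscon or the log was captured with this labelling half of the patch applied; stating which in the description would make the test claim reproducible. The `sysfs_thermal` type declaration itself is outside this hunk.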
@@ -3,6 +3,12 @@ type thermal-engine_exec, exec_type, file_type;
 init_daemon_domain(thermal-engine)
+allow thermal-engine sysfs_thermal:dir r_dir_perms;
+allow thermal-engine sysfs_thermal:file rw_file_perms;
+
+allow thermal-engine self:socket create_socket_perms;
+allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
+
 userdebug_or_eng(`
   permissive thermal-engine;
 ')
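Review bot: `allow thermal-engine sysfs_thermal:file rw_file_perms;` grants write/append to every file under both labelled subtrees, while the quoted denials only show a write to `trip_point_1_temp`; on a user build (where the `userdebug_or_eng` permissive block below does not apply) a compromised thermal-engine could then also rewrite anything else carrying the `sysfs_thermal` label, such as msm_thermal module parameters if they live under `/sys/module/msm_thermal`. If only trip points need writing, consider labelling `thermal_zone[0-9]+/trip_point_[0-9]+_temp` with a dedicated type that gets `rw_file_perms` and keeping `sysfs_thermal:file r_file_perms` here; if write really is needed across the subtree, record why with a comment such as `# thermal-engine rewrites trip_point_*_temp and msm_thermal knobs at boot (b/34784662)`. The `allowxperm ... msm_sock_ipc_ioctls` line only clears the `ioctlcmd=c302` denial if that macro, defined outside this hunk, includes 0xc302; worth confirming rather than relying on the denial having disappeared while the domain is permissive on the test build.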