Adding system_server.te / file_contexts to handle some boot denials.

Allow rules added to address the following denials: denied { ioctl } for pid=3488 comm="system-server-i" path="socket:[56767]" dev="sockfs" ino=56767 ioctlcmd=c304 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=socket denied { open read } for pid=3488 comm="system-server-i" path="/persist/sensors/sensors_settings" dev="sdd3" ino=17 scontext=u:r:system_server:s0 tcontext=u:object_r:persist_file:s0 tclass=file Bug: 34784662 Test: The above denials don't appear during bootup Change-Id: Iadc31855906dedb0adaaaed6e483122c3e175567
2026-02-01 07:33:36 +00:00 · 2017-02-08 17:11:53 -08:00
parent 83d2188a36
commit fcaa05bcab
3 changed files with 9 additions and 3 deletions
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -8,3 +8,4 @@ type firmware_file, fs_type, contextmount_type;
 type persist_file, file_type;
 type persist_data_file, file_type;
 type persist_display_file, file_type;
+type persist_sensors_file, file_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -81,6 +81,7 @@
 /firmware(/.*)?         u:object_r:firmware_file:s0

 # /persist
-/persist(/.*)?          u:object_r:persist_file:s0
-/persist/data(/.*)?     u:object_r:persist_data_file:s0
-/persist/display(/.*)?  u:object_r:persist_display_file:s0
+/persist(/.*)?            u:object_r:persist_file:s0
+/persist/data(/.*)?       u:object_r:persist_data_file:s0
+/persist/display(/.*)?    u:object_r:persist_display_file:s0
+/persist/sensors(/.*)?    u:object_r:persist_sensors_file:s0
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -0,0 +1,4 @@
+allow system_server self:socket ioctl;
+allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
+
+allow system_server persist_sensors_file:file r_file_perms;