sdm710-common: sepolicy: Address thermal-engine denials

* <Q blobs require broader sysfs access and we don't want to relabel stuff like /sys/class/kgsl. Resolves: I auditd : type=1400 audit(0.0:37): avc: denied { read } for comm="thermal-engine" name="kgsl" dev="sysfs" ino=45578 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Change-Id: I6a821da53686eba33990ae231ccae700de2d7391
2026-01-27 18:28:08 +00:00 · 2020-03-28 17:08:22 +01:00
parent 17dda4226e
commit 0e6d050fdd
1 changed files with 4 additions and 0 deletions
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -4,4 +4,8 @@ allow thermal-engine thermal_data_file:file create_file_perms;
 allow thermal-engine self:capability { chown fowner };
 allow thermal-engine sysfs_devfreq:dir r_dir_perms;

+# Allow thermal-engine to read files in /sys because <Q blobs require broader
+# sysfs access and we don't want to relabel stuff like /sys/class/kgsl
+r_dir_file(thermal-engine, sysfs)
+
 set_prop(thermal-engine, vendor_thermal_normal_prop)