commit 30a532a1bf10ee41ed49f4b95d79abd3cca1c4dd
author Tri Vo <trong@google.com> Wed Jan 24 10:58:41 2018 -0800
committer Tri Vo <trong@google.com> Wed Jan 24 11:13:22 2018 -0800
tree 5d67d9f0864f3a09f6aaa9869a909604b2089ba1
parent 37cc632f8185c14afe28fa57a9b9e3cb9ca63970

healthd: fix /sys denials.

Label /sys/class/power_supply/* appropriately and give healthd read
permissions to that directory.

Fixes this denial:
avc: denied { read } for pid=1386 comm="healthd" name="power_supply"
dev="sysfs" ino=2562 scontext=u:r:healthd:s0
tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0

Bug: 72437093
Test: emulator boots with no denials from healthd
Change-Id: Ie3853cb5e9167fcd70f393ff589971ad6212c580

target/board/generic/sepolicy/genfs_contexts

diff --git a/target/board/generic/sepolicy/genfs_contexts b/target/board/generic/sepolicy/genfs_contexts
index bdcead1..3b077a6 100644
--- a/target/board/generic/sepolicy/genfs_contexts
+++ b/target/board/generic/sepolicy/genfs_contexts
@@ -2,3 +2,7 @@
 # /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
 # /sys/devices/platform/ANDR0001:00/properties/android/
 genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
+
+# We expect /sys/class/power_supply/* and everything it links to to be labeled
+# as sysfs_batteryinfo.
+genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0

target/board/generic/sepolicy/healthd.te

diff --git a/target/board/generic/sepolicy/healthd.te b/target/board/generic/sepolicy/healthd.te
new file mode 100644
index 0000000..ced6704
--- /dev/null
+++ b/target/board/generic/sepolicy/healthd.te
@@ -0,0 +1,2 @@
+# Allow to read /sys/class/power_supply directory
+allow healthd sysfs:dir r_dir_perms;