Gitiles
Code Review Sign In
gerrit.omnirom.org / android_device_google_gs-common / 1f83bb110e61799fdd0e00ff0d79957569eed848^! / . / input / gia / sepolicy / gia.te
commit1f83bb110e61799fdd0e00ff0d79957569eed848[log] [tgz]
authorKai Hsieh <kaihsieh@google.com>Sat Sep 21 13:38:00 2024 +0800
committerKai Hsieh <kaihsieh@google.com>Thu Oct 31 00:57:56 2024 +0000
treecc72410e6144290f0b6b4664ca662e06fde97cea
parentd9f390d180c5aee6362378231da554c4623fd4e5 [diff] [blame]
Add GIA (Google Input interface Abstraction layer) related SEPolicy rules and AIDL compatibility matrices.

AVC evidences:
10-29 16:53:50.756  1305  1305 I binder:1305_2: type=1400 audit(0.0:24): avc:  denied  { search } for  name="goog_touch_interface" dev="sysfs" ino=110634 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=dir permissive=1
10-29 16:53:50.756  1305  1305 I binder:1305_2: type=1400 audit(0.0:25): avc:  denied  { read } for  name="interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1
10-29 16:53:50.756  1305  1305 I binder:1305_2: type=1400 audit(0.0:26): avc:  denied  { open } for  path="/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1
10-29 16:53:50.756  1305  1305 I binder:1305_2: type=1400 audit(0.0:27): avc:  denied  { getattr } for  path="/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1
10-29 16:53:50.756  1305  1305 I binder:1305_2: type=1400 audit(0.0:28): avc:  denied  { write } for  name="interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1

Test: Build succeed.
Test: Manually, checked whether GIA service is started successfully via command `service list`.
Bug: 367881686
Flag: build.RELEASE_PIXEL_GIA_ENABLED
Change-Id: I8069521425ff1e830d759252bf8bf460f4dc6f32
Signed-off-by: Kai Hsieh <kaihsieh@google.com>

diff --git a/input/gia/sepolicy/gia.te b/input/gia/sepolicy/gia.te
new file mode 100644
index 0000000..2c84e7c
--- /dev/null
+++ b/input/gia/sepolicy/gia.te

@@ -0,0 +1,18 @@
+# SEPolicies for GIA (Google Input interface Abstraction layer)
+type gia, domain;
+type gia_exec, exec_type, vendor_file_type, file_type;
+
+# Macro transferring gia_exec to the gia domain
+init_daemon_domain(gia)
+
+# let this domain use the hal service
+hal_client_domain(gia, hal_gia)
+# allow binder communication with service_manager
+binder_use(gia)
+
+# let this domain serve the hal service
+hal_server_domain(gia, hal_gia)
+
+# allow gia for accessing touch related system file-nodes
+allow gia sysfs_touch_gti:dir r_dir_perms;
+allow gia sysfs_touch_gti:file rw_file_perms;