sepolicy: Allow PixelGnss implement PPS function
avc: denied { read } for name="u:object_r:vendor_chre_hal_prop:s0" dev="tmpfs" ino=401 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_chre_hal_prop:s0 tclass=file
avc: denied { find } for pid=900 uid=1021 name=android.hardware.contexthub.IContextHub/default scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:hal_contexthub_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:hal_gnss_pixel:s0 tcontext=u:r:hal_contexthub_default:s0 tclass=binder
avc: denied { call } for scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:hal_gnss_pixel:s0 tclass=binder
avc: denied { search } for name="gps" dev="dm-54" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir
avc: denied { write } for name="gps" dev="dm-54" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir
avc: denied { add_name } for name=".pps_pipe" scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir
avc: denied { create } for name=".pps_pipe" scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file
avc: denied { read } for name=".pps_pipe" dev="dm-54" ino=11418 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file
avc: denied { open } for path="/data/vendor/gps/.pps_pipe" dev="dm-54" ino=11418 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file permissive=1
avc: denied { write } for name=".pps_pipe" dev="dm-54" ino=11418 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file
avc: denied { search } for name="gps" dev="dm-49" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir
avc: denied { write } for name=".ppspipe" dev="dm-49" ino=18610 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file
avc: denied { write } for name="gps" dev="dm-54" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir
avc: denied { open } for path="/data/vendor/gps/.ppspipe" dev="dm-49" ino=18610 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file
avc: denied { remove_name } for name=".pps_pipe" dev="dm-54" ino=11712 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir
avc: denied { unlink } for name=".pps_pipe" dev="dm-59" ino=6600 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file
Bug: 330120749
Test: Verify PixelGnss HAL can connect to Chre HAL.
Test: Function test verification b/330120749.
Test: b/330120749#comment24 health boot check.
Test: b/330120749#comment25 health boot check.
Change-Id: I100ae061cfcbba17a26ece79eb552d60aa782d79
diff --git a/gps/lsi/sepolicy/hal_gnss_default.te b/gps/lsi/sepolicy/hal_gnss_default.te
index 7d363f0..0294a93 100644
--- a/gps/lsi/sepolicy/hal_gnss_default.te
+++ b/gps/lsi/sepolicy/hal_gnss_default.te
@@ -11,3 +11,6 @@
#IPC between pixel and vendor HAL
binder_call(hal_gnss_default, hal_gnss_pixel)
+
+# Allow connect to gnss service
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te
index 512ecc9..9a0b648 100644
--- a/gps/pixel/sepolicy/hal_gnss_pixel.te
+++ b/gps/pixel/sepolicy/hal_gnss_pixel.te
@@ -12,3 +12,15 @@
#Toggle coredump node
allow hal_gnss_pixel sysfs_gps:file rw_file_perms;
+
+# Allow access to CHRE multiclient HAL.
+get_prop(hal_gnss_pixel, vendor_chre_hal_prop)
+
+# Allow binder to CHRE.
+binder_call(hal_gnss_pixel, hal_contexthub_default)
+allow hal_gnss_pixel hal_contexthub_service:service_manager find;
+
+# Allow connect to gnss service
+allow hal_gnss_pixel vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_pixel vendor_gps_file:fifo_file create_file_perms;
+