Gitiles
Code Review Sign In
gerrit.omnirom.org / android_device_google_gs-common / 9035c70f0630ef4e01011c790a802803142ee521^! / . / aoc
commit9035c70f0630ef4e01011c790a802803142ee521[log] [tgz]
authorAlex Iacobucci <alexiacobucci@google.com>Thu Nov 09 17:56:06 2023 +0000
committerAlex Iacobucci <alexiacobucci@google.com>Fri Nov 17 16:17:29 2023 +0000
treeb2fb55e72508298f65b3084fca822fc5b0c96d2b
parentf382fb25df1c6ec58f5a1195e12da2442725d495 [diff]
aoc: add permissions for new sysfs node

Resolving the following audit denials:

- [    6.450477] type=1400 audit(1699468821.992:6): avc:  denied
{ read } for comm="aocd" name="notify_timeout_aoc_status"
dev="sysfs" ino=78572 scontext=u:r:aocd:s0
tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=0

- type=1107 audit(0.0:9): uid=0 auid=4294967295 ses=4294967295
subj=u:r:init:s0 msg='avc: denied  { set } for
property=persist.vendor.aoc.status_request_timed_out
pid=1035 uid=0 gid=0 scontext=u:r:aocd:s0
tcontext=u:object_r:vendor_default_prop:s0
tclass=property_service permissive=0'
(and get for the same node)

Test: on device
Bug: 309950738
Change-Id: I476624a6d95667d47ada765d6fe392eecc615256
Signed-off-by: Alex Iacobucci <alexiacobucci@google.com>

diff --git a/aoc/sepolicy/aocd.te b/aoc/sepolicy/aocd.te
index 69b0af0..b2bfd13 100644
--- a/aoc/sepolicy/aocd.te
+++ b/aoc/sepolicy/aocd.te

@@ -10,6 +10,7 @@
 # sysfs operations
 allow aocd sysfs_aoc:dir search;
 allow aocd sysfs_aoc_firmware:file w_file_perms;
+allow aocd sysfs_aoc_notifytimeout:file r_file_perms;
 
 # dev operations
 allow aocd aoc_device:chr_file rw_file_perms;
@@ -19,3 +20,4 @@
 
 # set properties
 set_prop(aocd, vendor_aoc_prop)
+set_prop(aocd, vendor_timeout_aoc_prop)
\ No newline at end of file

diff --git a/aoc/sepolicy/file.te b/aoc/sepolicy/file.te
index 602c5fe..0b853db 100644
--- a/aoc/sepolicy/file.te
+++ b/aoc/sepolicy/file.te

@@ -4,6 +4,7 @@
 type sysfs_aoc_firmware, sysfs_type, fs_type;
 type sysfs_aoc, sysfs_type, fs_type;
 type sysfs_aoc_reset, sysfs_type, fs_type;
+type sysfs_aoc_notifytimeout, sysfs_type, fs_type;
 
 # persist
 type persist_aoc_file, file_type, vendor_persist_type;

diff --git a/aoc/sepolicy/property.te b/aoc/sepolicy/property.te
index e6f9ddb..c2f5695 100644
--- a/aoc/sepolicy/property.te
+++ b/aoc/sepolicy/property.te

@@ -1,2 +1,3 @@
 # AoC
 vendor_internal_prop(vendor_aoc_prop)
+vendor_internal_prop(vendor_timeout_aoc_prop)
\ No newline at end of file

diff --git a/aoc/sepolicy/property_contexts b/aoc/sepolicy/property_contexts
index 0838873..3c2acb6 100644
--- a/aoc/sepolicy/property_contexts
+++ b/aoc/sepolicy/property_contexts

@@ -1,2 +1,3 @@
 # AoC
 vendor.aoc.firmware.version                     u:object_r:vendor_aoc_prop:s0
+persist.vendor.aoc.status_request_timed_out     u:object_r:vendor_timeout_aoc_prop:s0
\ No newline at end of file