commit a2e1acc9c396fcc09144d53acfd92ba4b1d9ef62
author Andrew Chant <achant@google.com> Mon May 17 09:24:56 2021 -0700
committer Andrew Chant <achant@google.com> Mon May 17 18:24:00 2021 -0700
tree e31d42550e11e56b236cb5b2fb44f69e7f7d6c90
parent 9e1f66d5b5582ac8e67215cd9479fb18264585b2

rebalance_interrupts sepolicy

Add rebalance_interrupts sepolicy to allow
rebalance_interrupts to modify smp_affinity for IRQs.

Example denials w/o this:
[   43.144107] type=1400 audit(1621271039.800:58): avc: denied { read } for comm="rebalance_inter" name="irq" dev="sysfs" ino=15875 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:sysfs_irq:s0 tclass=dir permissive=1
[   43.144306] type=1400 audit(1621271039.800:59): avc: denied { open } for comm="rebalance_inter" path="/sys/kernel/irq" dev="sysfs" ino=15875 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:sysfs_irq:s0 tclass=dir permissive=1
[   43.144452] type=1400 audit(1621271039.800:60): avc: denied { search } for comm="rebalance_inter" name="irq" dev="sysfs" ino=15875 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:sysfs_irq:s0 tclass=dir permissive=1
[   43.159532] type=1400 audit(1621271039.816:61): avc: denied { search } for comm="rebalance_inter" name="irq" dev="proc" ino=4026531868 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:proc_irq:s0 tclass=dir permissive=1

Bug: 148403062

Change-Id: I0cf7e163d8436f428a53bbb96ff2949753004ac1

rebalance_interrupts/file.te

diff --git a/rebalance_interrupts/file.te b/rebalance_interrupts/file.te
new file mode 100644
index 0000000..4b8bd35
--- /dev/null
+++ b/rebalance_interrupts/file.te
@@ -0,0 +1,2 @@
+type sysfs_irq, fs_type, sysfs_type;
+type proc_irq, fs_type, proc_type;

rebalance_interrupts/file_contexts

diff --git a/rebalance_interrupts/file_contexts b/rebalance_interrupts/file_contexts
new file mode 100644
index 0000000..bb25b5c
--- /dev/null
+++ b/rebalance_interrupts/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/rebalance_interrupts-vendor           u:object_r:rebalance_interrupts_vendor_exec:s0
+

rebalance_interrupts/genfs_contexts

diff --git a/rebalance_interrupts/genfs_contexts b/rebalance_interrupts/genfs_contexts
new file mode 100644
index 0000000..fc264b5
--- /dev/null
+++ b/rebalance_interrupts/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon sysfs /kernel/irq          u:object_r:sysfs_irq:s0
+genfscon proc /irq                  u:object_r:proc_irq:s0

rebalance_interrupts/rebalance_interrupts.te

diff --git a/rebalance_interrupts/rebalance_interrupts.te b/rebalance_interrupts/rebalance_interrupts.te
new file mode 100644
index 0000000..668a696
--- /dev/null
+++ b/rebalance_interrupts/rebalance_interrupts.te
@@ -0,0 +1,10 @@
+# rebalance_interrupts vendor
+type rebalance_interrupts_vendor, domain;
+
+type rebalance_interrupts_vendor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(rebalance_interrupts_vendor)
+
+allow rebalance_interrupts_vendor sysfs_irq:dir r_dir_perms;
+allow rebalance_interrupts_vendor sysfs_irq:file r_file_perms;
+allow rebalance_interrupts_vendor proc_irq:dir r_dir_perms;
+allow rebalance_interrupts_vendor proc_irq:file rw_file_perms;