Add sepolicy for init-thermal-symlinks-sh

Bug: 169261083
Test: thermal symlinks can be created in dev folder
Change-Id: Iaaf7133a1231494b41afe36579f35f53dacdae19
Signed-off-by: TeYuan Wang <kamewang@google.com>
diff --git a/thermal/file.te b/thermal/file.te
new file mode 100644
index 0000000..5676e77
--- /dev/null
+++ b/thermal/file.te
@@ -0,0 +1 @@
+type thermal_link_device, dev_type;
diff --git a/thermal/file_contexts b/thermal/file_contexts
index e88d6f5..40e00a9 100644
--- a/thermal/file_contexts
+++ b/thermal/file_contexts
@@ -1,2 +1,4 @@
 /vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel                     u:object_r:hal_thermal_default_exec:s0
 /vendor/bin/thermal_logd                                                          u:object_r:init-thermal-logging-sh_exec:s0
+/vendor/bin/thermal_symlinks                                                      u:object_r:init-thermal-symlinks-sh_exec:s0
+/dev/thermal(/.*)?                                                                u:object_r:thermal_link_device:s0
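Review bot: The new `/dev/thermal(/.*)?` entry puts the directory and every link under it in `thermal_link_device`, but no rule in this commit lets a consuming domain traverse or read that type. Whichever service resolves the links (presumably the thermal HAL) would be denied unless a grant exists elsewhere in the tree. If it does not, a pair such as `allow hal_thermal_default thermal_link_device:dir r_dir_perms;` and `allow hal_thermal_default thermal_link_device:lnk_file r_file_perms;` belongs in the HAL's policy file. The Test: line covers creation only, so it is worth also confirming that the consumer resolves the links without an avc denial.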
diff --git a/thermal/init-thermal-symlinks.sh.te b/thermal/init-thermal-symlinks.sh.te
new file mode 100644
index 0000000..3da9763
--- /dev/null
+++ b/thermal/init-thermal-symlinks.sh.te
@@ -0,0 +1,11 @@
+type init-thermal-symlinks-sh, domain;
+type init-thermal-symlinks-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-thermal-symlinks-sh)
+
+allow init-thermal-symlinks-sh vendor_toolbox_exec:file rx_file_perms;
+allow init-thermal-symlinks-sh thermal_link_device:dir w_dir_perms;
+allow init-thermal-symlinks-sh thermal_link_device:lnk_file create_file_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:dir r_dir_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:file r_file_perms;
+set_prop(init-thermal-symlinks-sh, vendor_thermal_prop)
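Review bot: `create_file_perms` on `thermal_link_device:lnk_file` grants rename, unlink, setattr and write in addition to create, and `w_dir_perms` on the directory adds remove_name, which is more than a boot-time script that only creates links needs. If the script never replaces or removes a link, the rule can be narrowed to `allow init-thermal-symlinks-sh thermal_link_device:lnk_file { create getattr read };`. The script body is not part of this commit, so check this against what it runs, since an `ln -sf` would still need unlink. Readers of `/dev/thermal` will trust these links to point at the intended sysfs nodes, so the one domain that can write them should hold as few permissions as possible. The file also has no comments; a header line such as `# Helper started by init; creates symlinks under /dev/thermal and sets vendor_thermal_prop` would tell the next reader why each rule exists.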