pixelstats: allow access to /proc, some sysfs and debugfs
pixelstats would like to collect metrics from the
following paths:
1. collect the total GPU pages
/sys/kernel/debug/physical-memory-group-manager
2. collect stime of kswapd0 and kcompactd0
/proc
/proc/<pid>/comm
/proc/<pid>/stat
3. collect pixel specific metrics
/sys/kernel/pixel_stat/mm
avc denial logs:
03-10 06:39:54.476 680 680 I pixelstats-vend: type=1400 audit(0.0:33): avc: denied { read } for name="physical-memory-group-manager" dev="debugfs" ino=26563 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=1
03-10 06:39:54.476 680 680 I pixelstats-vend: type=1400 audit(0.0:34): avc: denied { open } for path="/sys/kernel/debug/physical-memory-group-manager" dev="debugfs" ino=26563 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=1
03-10 07:17:17.752 680 680 I pixelstats-vend: type=1400 audit(0.0:75): avc: denied { search } for name="128" dev="proc" ino=60795 scontext=u:r:pixelstats_vendor:s0 tcontext=u:r:kernel:s0 tclass=dir permissive=1
03-10 07:21:17.752 680 680 I pixelstats-vend: type=1400 audit(0.0:115): avc: denied { read } for name="comm" dev="proc" ino=84496 scontext=u:r:pixelstats_vendor:s0 tcontext=u:r:kernel:s0 tclass=file permissive=1
03-10 07:21:17.752 680 680 I pixelstats-vend: type=1400 audit(0.0:116): avc: denied { open } for path="/proc/128/comm" dev="proc" ino=84496 scontext=u:r:pixelstats_vendor:s0 tcontext=u:r:kernel:s0 tclass=file permissive=1
03-10 07:21:17.752 680 680 I pixelstats-vend: type=1400 audit(0.0:117): avc: denied { getattr } for path="/proc/128/comm" dev="proc" ino=84496 scontext=u:r:pixelstats_vendor:s0 tcontext=u:r:kernel:s0 tclass=file permissive=1
03-10 19:50:34.120 698 698 I pixelstats-vend: type=1400 audit(0.0:48): avc: denied { read } for name="vmstat" dev="sysfs" ino=49572 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
03-10 19:50:34.124 698 698 I pixelstats-vend: type=1400 audit(0.0:49): avc: denied { open } for path="/sys/kernel/pixel_stat/mm/vmstat" dev="sysfs" ino=49572 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
03-10 19:50:34.124 698 698 I pixelstats-vend: type=1400 audit(0.0:50): avc: denied { getattr } for path="/sys/kernel/pixel_stat/mm/vmstat" dev="sysfs" ino=49572 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
Bug: 173101018
Test: no avc denied log when pixelstats reads the file nodes.
Signed-off-by: Chiawei Wang <chiaweiwang@google.com>
Change-Id: I2fe664c0d823a92acce9ad8c0a3cb1c720da1fd4
diff --git a/pixelstats/file.te b/pixelstats/file.te
new file mode 100644
index 0000000..76f87a2
--- /dev/null
+++ b/pixelstats/file.te
@@ -0,0 +1,2 @@
+type debugfs_mgm, debugfs_type, fs_type;
+type sysfs_pixel_stat, fs_type, sysfs_type;
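Review bot: the two type declarations in this hunk do not on their own resolve any of the denials quoted in the message; every denial has tcontext debugfs, sysfs or kernel, so the change also needs the genfs_contexts entries that label /sys/kernel/debug/physical-memory-group-manager as debugfs_mgm and /sys/kernel/pixel_stat/mm as sysfs_pixel_stat, plus allow rules in pixelstats_vendor.te granting r_dir_file on those two types and on the kernel domain (for the search on /proc/<pid> and the read/open/getattr on /proc/<pid>/comm and /proc/<pid>/stat). If those lines live in other files of the same change, the message should list them alongside file.te; as shown, the hunk is a no-op for the Test line's claim. Also worth checking: debugfs_type carries neverallow restrictions for user builds in AOSP policy, so confirm that a vendor domain reading a debugfs_type node is permitted in the build variants this is meant to ship in, and state that in the message.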