Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_google_pixel-sepolicy / eead7e0e6142bbcea7c11f2e6736f17941ded375^! / .
commiteead7e0e6142bbcea7c11f2e6736f17941ded375[log] [tgz]
authorChiawei Wang <chiaweiwang@google.com>Mon Mar 22 10:31:01 2021 +0800
committerChiawei Wang <chiaweiwang@google.com>Mon Mar 22 03:28:42 2021 +0000
treec786422346aa2dd39082ae0adebc2280bb27c1d0
parent82877559f0bab119a078b6af4631b49bb5475ce9 [diff]
pixelstats: allow to access /proc/vmstat, sysfs ion and dma_heap

1. allow to access /sys/kernel/dma_heap for userdebug_or_eng
2. change the access to /proc/vmstat and /sys/kernel/ion/
   for userdebug_or_eng

[   35.559846] type=1400 audit(1616377125.092:909): avc: denied { search } for comm="pixelstats-vend" name="dma_heap" dev="sysfs" ino=27055 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_dma_heap:s0 tclass=dir permissive=1
[   35.560046] type=1400 audit(1616377125.092:910): avc: denied { read } for comm="pixelstats-vend" name="total_pools_kb" dev="sysfs" ino=27056 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_dma_heap:s0 tclass=file permissive=1
[   35.560167] type=1400 audit(1616377125.092:911): avc: denied { open } for comm="pixelstats-vend" path="/sys/kernel/dma_heap/total_pools_kb" dev="sysfs" ino=27056 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_dma_heap:s0 tclass=file permissive=1
[   35.560244] type=1400 audit(1616377125.092:912): avc: denied { getattr } for comm="pixelstats-vend" path="/sys/kernel/dma_heap/total_pools_kb" dev="sysfs" ino=27056 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_dma_heap:s0 tclass=file permissive=1

Bug: 173101018
Bug: 183338421
Test: no avc denied log when pixelstats reads the file nodes.

Signed-off-by: Chiawei Wang <chiaweiwang@google.com>
Change-Id: I57f15671cf8611d244030cabb686368a57be28e0

diff --git a/pixelstats/pixelstats_vendor.te b/pixelstats/pixelstats_vendor.te
index 3fc0d36..a8c15a6 100644
--- a/pixelstats/pixelstats_vendor.te
+++ b/pixelstats/pixelstats_vendor.te

@@ -10,6 +10,10 @@
 allow pixelstats_vendor sysfs_zram:dir search;
 allow pixelstats_vendor sysfs_zram:file r_file_perms;
 
-allow pixelstats_vendor proc_vmstat:file r_file_perms;
-allow pixelstats_vendor sysfs_ion:dir search;
-allow pixelstats_vendor sysfs_ion:file r_file_perms;
+userdebug_or_eng(`
+  allow pixelstats_vendor proc_vmstat:file r_file_perms;
+  allow pixelstats_vendor sysfs_ion:dir search;
+  allow pixelstats_vendor sysfs_ion:file r_file_perms;
+  allow pixelstats_vendor sysfs_dma_heap:dir search;
+  allow pixelstats_vendor sysfs_dma_heap:file r_file_perms;
+')