Label system_server's dependencies in sysfs.
New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons
Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons
Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.
Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5
diff --git a/private/system_server.te b/private/system_server.te
index 8f9091d..260d6ce 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -273,11 +273,20 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+r_dir_file(system_server, sysfs_wakeup_reasons)
+
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;
allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
@@ -683,7 +692,6 @@
r_dir_file(system_server, proc_version)
r_dir_file(system_server, proc_vmallocinfo)
r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
### Rules needed when Light HAL runs inside system_server process.
### These rules should eventually be granted only when needed.