Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 5f805d057e9386a67b96f32fe3f056628d37ac16^1..5f805d057e9386a67b96f32fe3f056628d37ac16 / .
commit5f805d057e9386a67b96f32fe3f056628d37ac16[log] [tgz]
authorKalesh Singh <kaleshsingh@google.com>Thu May 02 19:38:08 2024 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu May 02 19:38:08 2024 +0000
treedddb369d67565dd798d6ceaf42b826a23b8a3b1b
parentc9b15f596b6e66da825dc2b54e27bae28c66e2c6 [diff]
parent3a4c68dd8335c21275ada7a249190aa3d4afc58f [diff]
Merge "sepolicy: Add rules for /sys/kernel/mm/pgsize_migration/enabled" into main
diff --git a/private/domain.te b/private/domain.te
index 53bcdcf..dfcc740 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -338,6 +338,10 @@
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow reading /sys/kernel/mm/pgsize_migration/enabled
+allow domain sysfs_pgsize_migration:dir search;
+allow domain sysfs_pgsize_migration:file r_file_perms;
+
 # Allow everyone to read media server-configurable flags, so that libstagefright can be
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)
@@ -2217,3 +2221,7 @@
 
 neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
 neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
+
+# Only init/vendor are allowed to write sysfs_pgsize_migration;
+# ueventd needs write access to all sysfs files.
+neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;

diff --git a/private/file.te b/private/file.te
index 09aa02a..54016aa 100644
--- a/private/file.te
+++ b/private/file.te

@@ -171,6 +171,9 @@
 # /data/app-metadata - extracted app metadata bundles from APKs
 type apk_metadata_file, file_type, data_file_type, core_data_file_type;
 
+# Type for /sys/kernel/mm/pgsize_migration/enabled
+type sysfs_pgsize_migration, fs_type, sysfs_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 118f8d9..23d6218 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -170,6 +170,7 @@
 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
 genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
 genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
+genfscon sysfs /kernel/mm/pgsize_migration/enabled u:object_r:sysfs_pgsize_migration:s0
 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0

diff --git a/private/init.te b/private/init.te
index 96fd5c5..e4bafd8 100644
--- a/private/init.te
+++ b/private/init.te

@@ -573,6 +573,7 @@
   sysfs_fs_f2fs
   sysfs_dm
   sysfs_lru_gen_enabled
+  sysfs_pgsize_migration
 }:file w_file_perms;
 
 allow init {

diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 1ffcabe..8c1fdcb 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te

@@ -100,6 +100,7 @@
   -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
   -sysfs_fs_fuse_features
   -sysfs_fs_incfs_features
+  -sysfs_pgsize_migration
 }:file no_rw_file_perms;
 
 # No creation of sockets families other than AF_UNIX sockets.