Merge "Add SePolicy for system_server accessing sysfs uhid."
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 65bcbac..36e9e59 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -76,6 +76,7 @@
     snapuserd_socket
     speech_recognition_service
     sysfs_devices_cs_etm
+    sysfs_uhid
     system_server_dumper_service
     system_suspend_control_internal_service
     task_profiles_api_file
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 4e78804..ecde711 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -159,6 +159,7 @@
 genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
 
 genfscon debugfs /kprobes                             u:object_r:debugfs_kprobes:s0
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
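Review bot: The new genfscon entry is a path prefix, so every attribute the kernel exposes at or below /sys/devices/virtual/misc/uhid inherits sysfs_uhid, and the matching `allow system_server sysfs_uhid:file rw_file_perms;` in the private/system_server.te hunk then grants write to all of it rather than to one file. If system_server only needs a specific attribute under that directory, labelling that attribute's full path instead keeps the writable surface to what is actually used. A short comment above the new line naming what lives there would also help the next reader, e.g. `# uhid sysfs attributes written by system_server (see system_server.te)`.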
diff --git a/private/system_server.te b/private/system_server.te
index 98e5fa0..c50d55e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -374,6 +374,8 @@
 allow system_server sysfs_power:file rw_file_perms;
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
 
 # TODO: Remove when HALs are forced into separate processes
 allow system_server sysfs_vibrator:file { write append };
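Review bot: The two new allow rules carry no rationale, while the neighbouring sysfs_vibrator rule explains its scope with a comment and the commit title only says "accessing sysfs uhid". A one-line comment above `allow system_server sysfs_uhid:dir r_dir_perms;` stating which system_server component reads and writes these nodes and why write is required would make the grant auditable later, e.g. `# <component> toggles uhid sysfs attributes; write is needed for <reason>` with the placeholders filled in.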
@@ -1269,6 +1271,15 @@
   -system_server
 } wifi_config_prop:file no_rw_file_perms;
 
+# Only allow system server to write uhid sysfs files
+neverallow {
+    domain
+    -init
+    -system_server
+    -ueventd
+    -vendor_init
+} sysfs_uhid:file no_w_file_perms;
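Review bot: The comment on the new neverallow says only system_server may write uhid sysfs files, but the rule also exempts init, ueventd and vendor_init, so it understates the set of writers someone auditing this type will find. Adjust it to match the rule, e.g. `# Only system_server (and init/ueventd/vendor_init for node setup) may write uhid sysfs files`. Those three exemptions are the conventional ones for sysfs nodes configured from init scripts; whether each is actually needed for uhid is worth confirming, since dropping any that is not narrows the writable set further.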
+
 # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
 # can be accessed by system_server only (b/143717177)
 # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
diff --git a/public/file.te b/public/file.te
index 1092b90..c1c69b9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -121,7 +121,7 @@
 # /sys/module/wlan/parameters/fwpath
 type sysfs_wlan_fwpath, fs_type, sysfs_type;
 type sysfs_vibrator, fs_type, sysfs_type;
-
+type sysfs_uhid, fs_type, sysfs_type;
 type sysfs_thermal, sysfs_type, fs_type;
 
 type sysfs_zram, fs_type, sysfs_type;
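Review bot: The new `type sysfs_uhid, fs_type, sysfs_type;` declaration has no path comment, unlike the `# /sys/module/wlan/parameters/fwpath` annotation two lines above it, and it replaces the blank line that separated the preceding group from `sysfs_thermal`. Add `# /sys/devices/virtual/misc/uhid` above the new declaration and keep the blank separator so the grouping stays readable.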