commit c0e7206c7328409027a2a4635598569275be2f2d
author Chris Ye <lzye@google.com> Fri Nov 20 19:17:22 2020 -0800
committer Chris Ye <lzye@google.com> Fri Jan 22 17:56:45 2021 +0000
tree f4b6b1138b2d05f9adf9ec583a1c0fa84de2fb7b
parent 553afe724201aae1c858a3a6d87e79c3183e6dbc

Add SePolicy for system_server accessing sysfs uhid.

Add SePolicy to allow Android input manager accessing sysfs uhid folder.

Bug: 161633432
Test: dumpsys input and watch for input device battery status.
Change-Id: I6ed1ab45f1cff409982c36627e12e62667819f37

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 05d766c..bc576b2 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -59,6 +59,7 @@
     snapuserd_exec
     snapuserd_socket
     sysfs_devices_cs_etm
+    sysfs_uhid
     system_server_dumper_service
     system_suspend_control_internal_service
     task_profiles_api_file

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 4c6edd6..1aee669 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -157,6 +157,7 @@
 genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
 
 genfscon debugfs /kprobes                             u:object_r:debugfs_kprobes:s0
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 95d7cc7..7193ffb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -355,6 +355,8 @@
 allow system_server sysfs_power:file rw_file_perms;
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
 
 # TODO: Remove when HALs are forced into separate processes
 allow system_server sysfs_vibrator:file { write append };
@@ -1243,6 +1245,15 @@
   -system_server
 } wifi_config_prop:file no_rw_file_perms;
 
+# Only allow system server to write uhid sysfs files
+neverallow {
+    domain
+    -init
+    -system_server
+    -ueventd
+    -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
 # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
 # can be accessed by system_server only (b/143717177)
 # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder