Add SePolicy for system_server accessing sysfs uhid. Add SePolicy to allow Android input manager accessing sysfs uhid folder. Bug: 161633432 Test: dumpsys input and watch for input device battery status. Change-Id: I6ed1ab45f1cff409982c36627e12e62667819f37

commit: c0e7206c7328409027a2a4635598569275be2f2d [log] [tgz]
author: Chris Ye <lzye@google.com> Fri Nov 20 19:17:22 2020 -0800
committer: Chris Ye <lzye@google.com> Fri Jan 22 17:56:45 2021 +0000
tree: f4b6b1138b2d05f9adf9ec583a1c0fa84de2fb7b
parent: 553afe724201aae1c858a3a6d87e79c3183e6dbc [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 95d7cc7..7193ffb 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -355,6 +355,8 @@
 allow system_server sysfs_power:file rw_file_perms;
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
 
 # TODO: Remove when HALs are forced into separate processes
 allow system_server sysfs_vibrator:file { write append };
@@ -1243,6 +1245,15 @@
   -system_server
 } wifi_config_prop:file no_rw_file_perms;
 
+# Only allow system server to write uhid sysfs files
+neverallow {
+    domain
+    -init
+    -system_server
+    -ueventd
+    -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
 # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
 # can be accessed by system_server only (b/143717177)
 # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
commit	c0e7206c7328409027a2a4635598569275be2f2d	[log] [tgz]
author	Chris Ye <lzye@google.com>	Fri Nov 20 19:17:22 2020 -0800
committer	Chris Ye <lzye@google.com>	Fri Jan 22 17:56:45 2021 +0000
tree	f4b6b1138b2d05f9adf9ec583a1c0fa84de2fb7b
parent	553afe724201aae1c858a3a6d87e79c3183e6dbc [diff] [blame]