Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / cd40aa0ab7aa2a54b2fe8f3b20c85e6f64b5b291^! / .
commitcd40aa0ab7aa2a54b2fe8f3b20c85e6f64b5b291[log] [tgz]
authorchrisweir <chrisweir@google.com>Thu Nov 14 09:32:32 2019 -0800
committerchrisweir <chrisweir@google.com>Wed Dec 04 14:06:09 2019 -0800
tree852f62f949f270fa223e8c576482bf9272b031af
parentd4948726416c936ce6165428e611ac37d14c0a22 [diff]
Modify SEPolicy to support SLCAN

SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.

In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.

Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88e6efd..a9864d3 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil

@@ -36,6 +36,7 @@
     system_jvmti_agent_prop
     system_passwd_file
     timezonedetector_service
+    usb_serial_device
     userspace_reboot_prop
     userspace_reboot_exported_prop
     vendor_apex_file

diff --git a/private/file_contexts b/private/file_contexts
index 2ec5b2f..2b19fd5 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -164,6 +164,8 @@
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/ttyUSB[0-9]*	u:object_r:usb_serial_device:s0
+/dev/ttyACM[0-9]*	u:object_r:usb_serial_device:s0
 /dev/tun		u:object_r:tun_device:s0
 /dev/uhid		u:object_r:uhid_device:s0
 /dev/uinput		u:object_r:uhid_device:s0

diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b..eb68e46 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te

@@ -7,3 +7,6 @@
 binder_call(hal_can_bus_client, hal_can_bus_server)
 add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
 allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+
+# USB serial type for SLCAN
+type usb_serial_device, dev_type;

diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 9ee37fd..afa1311 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te

@@ -16,7 +16,7 @@
 };
 
 # Communicating with SocketCAN interfaces and bringing them up/down
-allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
 allowxperm hal_can_socketcan self:can_socket ioctl {
     SIOCGIFFLAGS
     SIOCSIFFLAGS
@@ -24,3 +24,13 @@
 
 # Un-publishing ICanBus interfaces
 allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
+
+allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
+allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
+    TCGETS
+    TCSETSW
+    TIOCGSERIAL
+    TIOCSSERIAL
+    TIOCSETD
+    SIOCGIFNAME
+};