authorRoger Fang <rogerfang@google.com>2020-10-22 08:01:47 +0000
committerRoger Fang <rogerfang@google.com>2020-10-22 09:33:39 +0000
commit4984f6a44e3638b4ea931325f03ab0c137b152cf (patch)
tree9856b4a670e57a66ac19a5a78db6a9805460e6fd
parent2888c074c1d1f1731460549a367e1a93c1213b98 (diff)
downloadbarbet-sepolicy-4984f6a44e3638b4ea931325f03ab0c137b152cf.tar.gz
sepolicy: align sepolicy of pixelstats-vendor from b5/r3
[ 37.704632] type=1400 audit(1603335521.238:4): avc: denied { read } for comm="pixelstats-vend" name="codec_state" dev="sysfs" ino=81844 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_pixelstats:s0 tclass=file permissive=1 [ 37.704952] type=1400 audit(1603335521.238:5): avc: denied { open } for comm="pixelstats-vend" path="/sys/devices/platform/codec_detect/codec_state" dev="sysfs" ino=81844 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_pixelstats:s0 tclass=file permissive=1 [ 37.705095] type=1400 audit(1603335521.238:6): avc: denied { getattr } for comm="pixelstats-vend" path="/sys/devices/platform/codec_detect/codec_state" dev="sysfs" ino=81844 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_pixelstats:s0 tclass=file permissive=1 [ 37.712791] type=1400 audit(1603335521.242:7): avc: denied { write } for comm="pixelstats-vend" name="slowio_read_cnt" dev="sysfs" ino=60180 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 Bug: 170189925 Test: manually. no "avc: denied" log patterns. Signed-off-by: Roger Fang <rogerfang@google.com> Change-Id: I5ff5b8051c7d9b230de62262c2f28b18dcd68608
-rw-r--r--tracking_denials/pixelstats_vendor.te20
-rw-r--r--vendor/google/pixelstats_vendor.te21
2 files changed, 21 insertions, 20 deletions
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
deleted file mode 100644
index 577e81b..0000000
--- a/tracking_denials/pixelstats_vendor.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# b/170189925
-dontaudit pixelstats_vendor pixelstats_vendor:netlink_kobject_uevent_socket read ;
-dontaudit pixelstats_vendor chre_socket:sock_file write ;
-dontaudit pixelstats_vendor hwservicemanager_prop:file getattr ;
-dontaudit pixelstats_vendor chre:unix_stream_socket connectto ;
-dontaudit pixelstats_vendor sysfs_batteryinfo:dir search ;
-dontaudit pixelstats_vendor pixelstats_vendor:netlink_kobject_uevent_socket bind ;
-dontaudit pixelstats_vendor pixelstats_vendor:netlink_kobject_uevent_socket getopt ;
-dontaudit pixelstats_vendor pixelstats_vendor:netlink_kobject_uevent_socket setopt ;
-dontaudit pixelstats_vendor pixelstats_vendor:netlink_kobject_uevent_socket create ;
-dontaudit pixelstats_vendor hwservicemanager_prop:file map ;
-dontaudit pixelstats_vendor hwservicemanager:binder call ;
-dontaudit pixelstats_vendor hwservicemanager_prop:file read ;
-dontaudit pixelstats_vendor hwservicemanager_prop:file open ;
-
-userdebug_or_eng(`
- permissive pixelstats_vendor;
- allow hwservicemanager pixelstats_vendor:binder transfer;
-')
-
diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te
index 1832dd5..4522965 100644
--- a/vendor/google/pixelstats_vendor.te
+++ b/vendor/google/pixelstats_vendor.te
@@ -3,4 +3,25 @@ type pixelstats_vendor, domain;
type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(pixelstats_vendor)
+r_dir_file(pixelstats_vendor, sysfs_pixelstats)
+
+unix_socket_connect(pixelstats_vendor, chre, chre)
+
+get_prop(pixelstats_vendor, hwservicemanager_prop)
+hwbinder_use(pixelstats_vendor)
+allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find;
+
+allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, statsd)
+
allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+r_dir_file(pixelstats_vendor, sysfs_batteryinfo)
+# UeventListener
+allow pixelstats_vendor self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# wlc
+allow pixelstats_vendor sysfs_wlc:dir search;
+
+# OrientationCollector
+allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, system_server)
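Review bot: The first three groups of new rules — `r_dir_file(pixelstats_vendor, sysfs_pixelstats)`, the `unix_socket_connect(pixelstats_vendor, chre, chre)` line, and the hwservicemanager/hal_pixelstats_hwservice/statsd block — have no comment, while the later groups are labelled `# UeventListener`, `# wlc` and `# OrientationCollector`; a one-line comment per group in that same style would let a later reviewer tie each grant back to the collector that needs it, e.g. `# codec_state: /sys/devices/platform/codec_detect/codec_state (b/170189925)` above the sysfs_pixelstats rule, using the path the description already quotes. The `allow pixelstats_vendor sysfs_wlc:dir search;` rule grants directory search only, with no file read on that label; if the wlc collector reads attributes under that directory a matching file rule is still needed — presumably granted elsewhere, worth confirming before the permissive line in tracking_denials is gone. The write denial on `slowio_read_cnt` quoted in the description targets `sysfs_scsi_devices_0000`, for which the unchanged context line already grants `rw_file_perms`, so that log was presumably captured before that rule landed rather than being addressed by this hunk.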