From 80e5c0bfa3e23f3e332366ee139510c98c6bcafe Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 27 Jul 2017 07:08:24 -0700
Subject: Move sysfs access from domain_deprecated to radio

This permission appears to only be needed for radio on
Marlin/Sailfish. Moving these permissions with a TODO to reduce
the scope.

Bug: 28760354
Test: build
Merged-In: I62ab0e9315826387b8916a0a4213f63739e22fa2
Change-Id: I62ab0e9315826387b8916a0a4213f63739e22fa2
(cherry picked from commit b241130f040cab519df30425ae99d59f77524608)
---
 sepolicy/radio.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sepolicy/radio.te b/sepolicy/radio.te
index 767e0a71..8d6fa235 100644
--- a/sepolicy/radio.te
+++ b/sepolicy/radio.te
@@ -17,3 +17,8 @@ userdebug_or_eng(`
 allow radio avtimer_device:chr_file rw_file_perms;
 
 allowxperm radio self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO scope this down. Granting these here is not granting new permissions,
+# just moving existing permissions from domain_deprecated to radio as part of
+# b/28760354 in order to deprivilege other processes which do not need access.
+r_dir_file(radio, sysfs)
-- 
cgit v1.2.3