From ab8704311758d52659c0a34bd1dc3779af3c7f2b Mon Sep 17 00:00:00 2001 From: Steve Pfetsch Date: Wed, 20 Sep 2023 13:05:11 -0700 Subject: DiagnosticsTool permissions for accessing touch calibration interface Grant the DiagnosticsTool (priv_app domain) access to the GTI touch driver's interactive_calibration interface. This patch does not create a domain for the DiagnosticsTool (see b/301300623). Fixes these denials: avc: denied { write } for comm="diagnosticstool" name="interactive_calibrate" dev="sysfs" ino=105273 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 app=com.google.android.apps.diagnosticstool avc: denied { open } for comm="diagnosticstool" path="/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate" dev="sysfs" ino=105273 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 app=com.google.android.apps.diagnosticstool avc: denied { getattr } for comm="diagnosticstool" path="/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate" dev="sysfs" ino=105273 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 app=com.google.android.apps.diagnosticstool avc: denied { read } for comm="diagnosticstool" name="interactive_calibrate" dev="sysfs" ino=105273 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 app=com.google.android.apps.diagnosticstool Without mlstrustedobject, this denial occurs: avc: denied { write } for comm="diagnosticstool" name="interactive_calibrate" dev="sysfs" ino=106943 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=0 app=com.google.android.apps.diagnosticstool Bug: 230050981 Change-Id: I6acbb83c5b4100cb1ae332412b2e4d7f163d300a
Signed-off-by: Steve Pfetsch
---
husky-sepolicy.mk | 2 ++
shiba-sepolicy.mk | 2 ++
tracking_denials/file.te | 2 ++
tracking_denials/priv_app.te | 4 ++++
4 files changed, 10 insertions(+)
create mode 100644 tracking_denials/file.te
create mode 100644 tracking_denials/priv_app.te
diff --git a/husky-sepolicy.mk b/husky-sepolicy.mk
index 1a8c79b..73742a8 100644
--- a/husky-sepolicy.mk
+++ b/husky-sepolicy.mk
@@ -1,3 +1,5 @@
 # sepolicy exclusively for husky.
 BOARD_SEPOLICY_DIRS += device/google/shusky-sepolicy/husky
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/shusky-sepolicy/tracking_denials
diff --git a/shiba-sepolicy.mk b/shiba-sepolicy.mk
index 23f811f..114c114 100644
--- a/shiba-sepolicy.mk
+++ b/shiba-sepolicy.mk
@@ -1,3 +1,5 @@
 # sepolicy exclusively for shiba.
 BOARD_SEPOLICY_DIRS += device/google/shusky-sepolicy/shiba
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/shusky-sepolicy/tracking_denials
diff --git a/tracking_denials/file.te b/tracking_denials/file.te
new file mode 100644
index 0000000..e348a15
--- /dev/null
+++ b/tracking_denials/file.te
@@ -0,0 +1,2 @@
+# b/301300623
+typeattribute sysfs_touch_gti mlstrustedobject;
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 0000000..6e25d2e
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,4 @@
+# b/301300623
+allow priv_app app_api_service:service_manager find;
+allow priv_app sysfs_touch_gti:file rw_file_perms;
+allow priv_app sysfs_touch_gti:file { getattr open read write };
--
cgit v1.2.3
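Review bot: `typeattribute sysfs_touch_gti mlstrustedobject;` in tracking_denials/file.te exempts every node labelled sysfs_touch_gti from the MLS constraints, not only the interactive_calibrate file the quoted denials name, so any domain that is (or later becomes) allowed on that type reaches it regardless of its category set. The permissive=0 denial in the commit message arises because priv_app carries categories (c512,c768) while the sysfs object has none; a narrower fix is a dedicated type for the calibration node assigned with genfscon on the path shown in the commit message, with the attribute applied to that type alone, or the dedicated domain tracked in b/301300623. Since this lives under tracking_denials, the comment should state the removal condition rather than only the bug id, e.g. `# b/301300623 - remove once DiagnosticsTool has its own domain or interactive_calibrate gets a dedicated type`.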
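Review bot: The last two `allow priv_app sysfs_touch_gti:file` lines in tracking_denials/priv_app.te overlap: `rw_file_perms` already contains getattr, open, read and write, so the explicit set on the final line adds nothing, while `rw_file_perms` also grants ioctl, lock, map and append, which none of the quoted denials requested. Keep only `allow priv_app sysfs_touch_gti:file { getattr open read write };` and drop the `rw_file_perms` line so the grant matches the denials exactly. The `allow priv_app app_api_service:service_manager find;` rule has no corresponding denial in the commit message and looks unrelated to touch calibration; it may already be granted by the platform priv_app policy, so it should either cite its own denial and bug or be dropped. These rules reach every priv_app, not only DiagnosticsTool, which the commit message already acknowledges pending b/301300623.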