author | Tai Kuo <taikuo@google.com> | 2023-09-12 15:34:16 +0800 |
---|---|---|
committer | Tai Kuo <taikuo@google.com> | 2023-09-12 16:45:09 +0800 |
commit | 1a65e5d5e43de3bb18c01b44243dd6d8103f2e33 (patch) | |
tree | 9304df04f5f9eab8e1bd92a35ef69af246ac2318 | |
parent | 4bb847b815de442b4e8e74a6f115dbd0bbfef200 (diff) | |
download | zuma-sepolicy-1a65e5d5e43de3bb18c01b44243dd6d8103f2e33.tar.gz |
Allow regmap debugfs for drivers probed by insmod
auditd : type=1400 audit(0.0:731): avc: denied { search } for
comm="modprobe" name="regmap" dev="debugfs" ino=2057
scontext=u:r:insmod-sh:s0 tcontext=u:object_r:vendor_regmap_debugfs:s0
tclass=dir permissive=1 bug=b/274727542
Modules in vendor_kernel_boot and vendor_dlkm that are probed by insmod need this.
Move regmap debugfs from legacy/whitechapel_pro/ to vendor/.
Bug: 274727542
Bug: 289012421
Test: ls -d /sys/kernel/debug/regmap/*-0043
Change-Id: I2bd35a6bc942536505f62d4122f0de892f243802
-rw-r--r-- | legacy/whitechapel_pro/file.te | 3 | ||||
-rw-r--r-- | legacy/whitechapel_pro/genfs_contexts | 3 | ||||
-rw-r--r-- | tracking_denials/bug_map | 1 | ||||
-rw-r--r-- | vendor/file.te | 1 | ||||
-rw-r--r-- | vendor/genfs_contexts | 1 | ||||
-rw-r--r-- | vendor/insmod-sh.te | 1 |
6 files changed, 3 insertions, 7 deletions
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index f59a80b..db0b31f 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -12,9 +12,6 @@ type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
-# debugfs
-type vendor_regmap_debugfs, fs_type, debugfs_type;
-
 # persist
 type persist_ss_file, file_type, vendor_persist_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index dccae4e..34f9ee4 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -30,9 +30,6 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count
 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
-# debugfs
-genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
-
 # Haptics
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 74f2fbb..7c532ac 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -4,7 +4,6 @@ hal_uwb_default debugfs file b/288049522
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 insmod-sh insmod-sh key b/274374722
-insmod-sh vendor_regmap_debugfs dir b/274727542
 mtectrl unlabeled dir b/264483752
 systemui_app wm_trace_data_file dir b/288049075
 vendor_init proc file b/289856761
diff --git a/vendor/file.te b/vendor/file.te
index c87d37c..ce20aa0 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -29,6 +29,7 @@ type vendor_battery_debugfs, fs_type, debugfs_type;
 type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
 type vendor_usb_debugfs, fs_type, debugfs_type;
 type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type;
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 254baa0..35a4aff 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -35,6 +35,7 @@ genfscon debugfs /google_battery u:object
 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
 # Extcon
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
diff --git a/vendor/insmod-sh.te b/vendor/insmod-sh.te
index e09c248..f80660c 100644
--- a/vendor/insmod-sh.te
+++ b/vendor/insmod-sh.te
@@ -1,2 +1,3 @@
 allow insmod-sh self:capability sys_nice;
 allow insmod-sh kernel:process setsched;
+allow insmod-sh vendor_regmap_debugfs:dir search; |
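Review bot: The rule added at the end of vendor/insmod-sh.te, `allow insmod-sh vendor_regmap_debugfs:dir search;`, is granted on every build variant and has no comment explaining why a module-loading domain needs to reach debugfs. The denial quoted in the commit message was logged with permissive=1, which suggests (but does not prove from this page) that it was seen on a debug image; if regmap debugfs is only present on userdebug/eng builds, wrapping the rule in the `userdebug_or_eng` macro would keep the user-build policy free of debugfs grants. In either case a one-line comment such as `# modprobe searches debugfs /regmap while vendor_kernel_boot/vendor_dlkm drivers probe (b/274727542)` would let a later policy audit tie the grant to its reason. The permission is limited to `dir search`, which matches the denial exactly, and it should stay that narrow rather than grow to file access on the register dumps under /regmap.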