authorJeff Vander Stoep <jeffv@google.com>2015-09-04 07:54:21 -0700
committerJeff Vander Stoep <jeffv@google.com>2015-09-04 09:55:46 -0700
commit31e7ef7df914216e4c235f01c63d15fd13e7594c (patch)
tree628eef0b72caf279bef0879ddceeae3085a4b760 /sepolicy
parent40885f73a6172745688e4c936a9dc8cca8a4ed4f (diff)
downloadbullhead-31e7ef7df914216e4c235f01c63d15fd13e7594c.tar.gz
selinux: perfd: allow access to sleep_disabled
Get rid of socket type transition. avc: denied { write } for name="sleep_disabled" dev="sysfs" ino=6801 scontext=u:r:perfd:s0 tcontext=u:object_r:sysfs_power_management:s0 tclass=file permissive=0 Bug: 23790107 Change-Id: I9b180ba9dded150cca078473a122ea7ed93f79bf
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/file.te3
-rw-r--r--sepolicy/file_contexts3
-rw-r--r--sepolicy/mediaserver.te8
-rw-r--r--sepolicy/perfd.te10
-rw-r--r--sepolicy/system_server.te7
5 files changed, 16 insertions, 15 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 0548407..f2ab8f1 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -23,8 +23,7 @@ type ims_socket, file_type;
type ramdump_data_file, file_type, data_file_type;
type diag_logs, file_type, data_file_type, mlstrustedobject;
-type mpctl_data_file, file_type, data_file_type;
-type mpctl_socket, file_type;
+type perfd_data_file, file_type, data_file_type;
type cnd_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index acf6432..0dda892 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -3,8 +3,7 @@
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
# Data files
-/data/misc/perfd(/.*)? u:object_r:mpctl_data_file:s0
-/data/misc/perfd/mpctl u:object_r:mpctl_socket:s0
+/data/misc/perfd(/.*)? u:object_r:perfd_data_file:s0
/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
/data/misc/location(/.*)? u:object_r:location_data_file:s0
/data/time(/.*)? u:object_r:time_data_file:s0
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index aaeace5..bb53b12 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,6 +4,8 @@ allow mediaserver thermal_socket:sock_file w_file_perms;
allow mediaserver camera:unix_dgram_socket sendto;
allow mediaserver camera_data_file:sock_file write;
-allow mediaserver mpctl_data_file:dir search;
-unix_socket_connect(mediaserver, mpctl, perfd)
-unix_socket_send(mediaserver, mpctl, perfd)
+# allow communication w/perfd
+allow mediaserver perfd_data_file:dir search;
+allow mediaserver perfd_data_file:sock_file write;
+allow mediaserver perfd:unix_dgram_socket sendto;
+allow mediaserver perfd:unix_stream_socket connectto;
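Review bot: The new `allow mediaserver perfd_data_file:sock_file write;` is broader than what it replaces: the removed `unix_socket_connect(mediaserver, mpctl, perfd)` was scoped to the single `mpctl_socket` type, while `perfd_data_file` now labels everything under /data/misc/perfd, so mediaserver may write to any socket file perfd creates there, not just the mpctl socket. That is the least-privilege cost of dropping the dedicated socket type and type_transition, and it deserves a comment on the rule so the next reviewer does not re-narrow it by accident, e.g. `# sock_file write covers all perfd sockets under /data/misc/perfd (dedicated mpctl_socket type was dropped)`. Granting both `unix_dgram_socket sendto` and `unix_stream_socket connectto` mirrors the two removed macros, so no new peer-socket access is introduced here.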
diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
index 39b5525..122f046 100644
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te
@@ -12,12 +12,11 @@ init_daemon_domain(perfd)
dontaudit perfd self:capability fsetid;
# Data file accesses.
-allow perfd mpctl_data_file:dir create_dir_perms;
-allow perfd mpctl_data_file:file create_file_perms;
+allow perfd perfd_data_file:dir create_dir_perms;
+allow perfd perfd_data_file:file create_file_perms;
# Socket creation under /data/misc/perfd
-type_transition perfd mpctl_data_file:sock_file mpctl_socket;
-allow perfd mpctl_socket:sock_file create_file_perms;
+allow perfd perfd_data_file:sock_file create_file_perms;
allow perfd sysfs_performance:dir search;
allow perfd sysfs_performance:file rw_file_perms;
@@ -29,3 +28,6 @@ allow perfd proc_kernel_sched:file r_file_perms;
# allow writing to /sys/devices/system/cpu/*
allow perfd sysfs_devices_system_cpu:file rw_file_perms;
+
+# access to /sys/module/lpm_levels/parameters/sleep_disabled
+allow perfd sysfs_power_management:file w_file_perms;
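Review bot: The added rule grants `w_file_perms` on every file labelled `sysfs_power_management`, but the comment above it names only /sys/module/lpm_levels/parameters/sleep_disabled; the label assignment is not in this diff, so if that type covers other power-management nodes perfd can now write to those as well. Either the comment should state the real scope, e.g. `# perfd toggles sleep_disabled; this covers every node labelled sysfs_power_management`, or a narrower type for the single parameter would make the grant match the avc denial that motivated it. Note also that `w_file_perms` carries no read permission, so if perfd reads the value back before writing it, a further denial on `read` is to be expected.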
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index d294985..dc9569d 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -25,11 +25,10 @@ allow system_server location_data_file:{ file fifo_file } create_file_perms;
allow system_server location_data_file:dir rw_dir_perms;
allow system_server location_data_file:sock_file create_file_perms;
-
-allow system_server mpctl_data_file:dir search;
-
# talk to perfd
-unix_socket_connect(system_server, mpctl, perfd)
+allow system_server perfd_data_file:dir search;
+allow system_server perfd_data_file:sock_file write;
+allow system_server perfd:unix_stream_socket connectto;
# hubconnection to get and set sensors.contexthub.* properties
set_prop(system_server, contexthub_prop);