| get_prop(domain, camera_prop) |
| |
| dontaudit domain self:capability sys_module; |
| dontaudit domain kernel:system module_request; |
| |
| # b/29072816 |
| # Triggered by kernel code which calls request_firmware(), which |
| # eventually calls filp_open(), which attempts to look in /firmware |
| # for the firmware file itself using the context of the calling |
| # domain. |
| # This does not occur on other Android builds because the marlin |
| # kernel has various references to /firmware paths in the following |
| # code: |
| # |
| # /* direct firmware loading support */ |
| # static char fw_path_para[256]; |
| # static const char * const fw_path[] = { |
| # fw_path_para, |
| # "/lib/firmware/updates/" UTS_RELEASE, |
| # "/lib/firmware/updates", |
| # "/lib/firmware/" UTS_RELEASE, |
| # "/lib/firmware", |
| # "/firmware/image", |
| # "/firmware/radio", |
| # "/firmware/adsp" //HTC_AUD |
| # }; |
| # |
| # As described at http://www.makelinux.net/ldd3/chp-14-sect-8 , |
| # the userspace helper (in our case, ueventd) should always be loading |
| # these files, not the requesting process itself. It is only due to a |
| # hack added by Linus Torvalds that the kernel even attempt to load |
| # firmware files directly from the filesystem |
| # (https://github.com/torvalds/linux/commit/abb139e75c2cdbb955e840d6331cb5863e409d0e). |
| # |
| # Suppress these denials for most domains, since ueventd should be doing the |
| # opening of the firmware. |
| dontaudit domain firmware_file:dir search; |
| |
| allow domain debugfs_ion:dir search; |
| allow domain debugfs_kgsl:dir search; |
