display: dontaudit various domains for read/search sysfs_msm_subsys
Graphics drivers gfx promo #0415 adds a dependency on the gpu_model sysfs
node. Various domains would need sepolicy to read and search this sysfs
node. Dontaudit read/search on sysfs_msm_subsys for these domains instead.
Bug: 140869429
Test: device logs does not throw selinux denials, pass pre-submit checks
Change-Id: I6c152d0b56f1f940de5217b117df538d8dd5b233
diff --git a/vendor/qcom/common/app.te b/vendor/qcom/common/app.te
index 567c115..163e0fd 100644
--- a/vendor/qcom/common/app.te
+++ b/vendor/qcom/common/app.te
@@ -2,3 +2,6 @@
get_prop(appdomain, vendor_camera_prop)
get_prop(appdomain, vendor_display_prop)
+
+dontaudit appdomain sysfs_msm_subsys:dir search;
+dontaudit appdomain sysfs_msm_subsys:file r_file_perms;
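Review bot: The two added `dontaudit` rules for `appdomain` suppress search/read denials against the whole `sysfs_msm_subsys` type, not only the gpu_model node named in the commit message. Because `appdomain` includes untrusted apps, any app reading other nodes under that label will no longer produce an avc record, which removes a detection signal. If only the gpu_model lookup is expected, consider giving that node its own label and narrowing the rule, e.g. `dontaudit appdomain <gpu_model_sysfs_type>:file r_file_perms;` (placeholder type name). At minimum add a comment above the rules such as `# GPU driver probes the gpu_model sysfs node; denial is expected, see b/140869429`. The same point applies to the bootanim, surfaceflinger and system_server hunks.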
diff --git a/vendor/qcom/common/bootanim.te b/vendor/qcom/common/bootanim.te
index 0125ef0..913a70b 100644
--- a/vendor/qcom/common/bootanim.te
+++ b/vendor/qcom/common/bootanim.te
@@ -10,3 +10,6 @@
dontaudit bootanim kernel:system module_request;
get_prop(bootanim, vendor_display_prop)
+
+dontaudit bootanim sysfs_msm_subsys:dir search;
+dontaudit bootanim sysfs_msm_subsys:file r_file_perms;
diff --git a/vendor/qcom/common/hal_graphics_allocator_default.te b/vendor/qcom/common/hal_graphics_allocator_default.te
index 646fc81..97dfb5c 100644
--- a/vendor/qcom/common/hal_graphics_allocator_default.te
+++ b/vendor/qcom/common/hal_graphics_allocator_default.te
@@ -1,2 +1,4 @@
dontaudit hal_graphics_allocator_default vendor_display_prop:file r_file_perms;
+dontaudit hal_graphics_allocator_default sysfs_msm_subsys:dir search;
+dontaudit hal_graphics_allocator_default sysfs_msm_subsys:file r_file_perms;
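Review bot: For `hal_graphics_allocator_default`, a `dontaudit` keeps the read denied while hiding the denial, which does not match the commit message's statement that the graphics driver depends on the gpu_model node. If the driver loaded in this HAL actually uses the value, it presumably falls back silently and the missing permission will be hard to diagnose later. In that case a narrowly scoped `allow` on a dedicated type for that node would state the intent more accurately. If the read is optional, record that in a comment above the two lines, for example `# gpu_model read is optional for the allocator; denial intentionally suppressed (b/140869429)`.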
diff --git a/vendor/qcom/common/surfaceflinger.te b/vendor/qcom/common/surfaceflinger.te
index 79c6a9d..f77b604 100644
--- a/vendor/qcom/common/surfaceflinger.te
+++ b/vendor/qcom/common/surfaceflinger.te
@@ -3,3 +3,6 @@
dontaudit surfaceflinger vendor_default_prop:file read;
userdebug_or_eng(`get_prop(surfaceflinger, vendor_display_prop)')
allow surfaceflinger debugfs_ion:dir search;
+
+dontaudit surfaceflinger sysfs_msm_subsys:dir search;
+dontaudit surfaceflinger sysfs_msm_subsys:file r_file_perms;
diff --git a/vendor/qcom/common/system_server.te b/vendor/qcom/common/system_server.te
index 16c0c92..1a0c2e2 100644
--- a/vendor/qcom/common/system_server.te
+++ b/vendor/qcom/common/system_server.te
@@ -12,3 +12,6 @@
dontaudit system_server self:capability sys_module;
dontaudit system_server vendor_display_prop:file r_file_perms;
+
+dontaudit system_server sysfs_msm_subsys:dir search;
+dontaudit system_server sysfs_msm_subsys:file r_file_perms;