Suppress firmware_file SELinux denials.

These are occurring because the kernel first attempts to use
the permissions of the calling process to load firmware files,
and only later falls back to using ueventd.

Ueventd is the only process that should be loading these firmware
files, so stop logging the denials triggered from other domains.

Bug: 29072816
Bug: 35197529
Test: no firmware SELinux denials on boot.
Change-Id: I25d4f1f911d40066004b7eedc068b4892e4824dc
(cherry picked from commit 8f3c00561776034673e0bcfbb1973207fe7ba869)
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index 2bd1329..6652378 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -1,5 +1,39 @@
 get_prop(domain, camera_prop)
 
 dontaudit domain self:capability sys_module;
+
+# b/29072816
+# Triggered by kernel code which calls request_firmware(), which
+# eventually calls filp_open(), which attempts to look in /firmware
+# for the firmware file itself using the context of the calling
+# domain.
+# This does not occur on other Android builds because the marlin
+# kernel has various references to /firmware paths in the following
+# code:
+#
+# /* direct firmware loading support */
+# static char fw_path_para[256];
+# static const char * const fw_path[] = {
+#         fw_path_para,
+#         "/lib/firmware/updates/" UTS_RELEASE,
+#         "/lib/firmware/updates",
+#         "/lib/firmware/" UTS_RELEASE,
+#         "/lib/firmware",
+#         "/firmware/image",
+#         "/firmware/radio",
+#         "/firmware/adsp"        //HTC_AUD
+# };
+#
+# As described at http://www.makelinux.net/ldd3/chp-14-sect-8 ,
+# the userspace helper (in our case, ueventd) should always be loading
+# these files, not the requesting process itself. It is only due to a
+# hack added by Linus Torvalds that the kernel even attempt to load
+# firmware files directly from the filesystem
+# (https://github.com/torvalds/linux/commit/abb139e75c2cdbb955e840d6331cb5863e409d0e).
+#
+# Suppress these denials for most domains, since ueventd should be doing the
+# opening of the firmware.
+dontaudit domain firmware_file:dir search;
+
 allow domain debugfs_ion:dir search;
 allow domain debugfs_kgsl:dir search;
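Review bot: The added `dontaudit domain firmware_file:dir search;` covers every domain, but the comment directly above it says "most domains", and nothing in the rule excludes any. Either reword that comment line to `# Suppress these denials for all domains, since ueventd should be doing the` or narrow the source set to the domains known to reach request_firmware(). Because the rule hides the audit record for any process searching a firmware_file directory, it also removes the log signal that would show an unexpected domain probing /firmware. A line such as `# Access is still denied; only the audit record for dir search is hidden.` would make that trade-off explicit and discourage later widening to file permissions. The comment also reads "the kernel even attempt", which should be "attempts".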
diff --git a/sepolicy/hal_dumpstate_impl.te b/sepolicy/hal_dumpstate_impl.te
index 04a7b74..3c546bc 100644
--- a/sepolicy/hal_dumpstate_impl.te
+++ b/sepolicy/hal_dumpstate_impl.te
@@ -4,9 +4,6 @@
 type hal_dumpstate_impl_exec, exec_type, file_type;
 init_daemon_domain(hal_dumpstate_impl)
 
-# supress audit messages for attempting access to /firmware
-dontaudit hal_dumpstate_impl firmware_file:dir search;
-
 # Execute dump scripts
 allow hal_dumpstate_impl shell_exec:file rx_file_perms;
 allow hal_dumpstate_impl toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/mediadrmserver.te b/sepolicy/mediadrmserver.te
index c1e9f6d..f6dfec0 100644
--- a/sepolicy/mediadrmserver.te
+++ b/sepolicy/mediadrmserver.te
@@ -1,6 +1,3 @@
-# supress audit messages for attempting access to /firmware
-dontaudit mediadrmserver firmware_file:dir search;
-
 # communicate with perfd
 allow mediadrmserver perfd_data_file:dir search;
 allow mediadrmserver perfd:unix_stream_socket connectto;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index a5951f1..04a1594 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,6 +1,3 @@
 allowxperm priv_app self:udp_socket ioctl { SIOCGIWESSID };
 
-# supress audit messages for attempting access to /firmware
-dontaudit priv_app firmware_file:dir search;
-
 r_dir_file(priv_app, sysfs_type)