Handle some diag-related denials.
This allows the behavior on userdebug and eng builds and hides it on
user builds.
Test: Boot device.
Change-Id: I936f08283bcd03ef88c55b3849f54d2dab5a5d64
diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te
index d2638af..2264399 100644
--- a/sepolicy/vendor/hal_gnss_qti.te
+++ b/sepolicy/vendor/hal_gnss_qti.te
@@ -32,8 +32,10 @@
userdebug_or_eng(`
allow hal_gnss_qti diag_device:chr_file rw_file_perms;
+ r_dir_file(hal_gnss_qti, sysfs_diag)
')
dontaudit hal_gnss_qti diag_device:chr_file rw_file_perms;
+dontaudit hal_gnss_qti sysfs_diag:dir search;
# Most HALs are not allowed to use network sockets. Qcom library
# libqdi is used across multiple processes which are clients of
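Review bot: `r_dir_file(hal_gnss_qti, sysfs_diag)` in the `userdebug_or_eng` block grants read on every directory, file and symlink labelled `sysfs_diag`, while the matching `dontaudit` names only `dir search`, which suggests the denial actually observed was a directory search. If so, `allow hal_gnss_qti sysfs_diag:dir search;` would cover it on debug builds with a narrower grant; if the HAL really reads diag sysfs nodes, a comment naming them would justify the wider macro. The same pairing is added for `qti` in sepolicy/vendor/qti.te. The unconditional `dontaudit` also drops the avc record on user builds, so an unexpected probe of the diag sysfs tree from this domain would no longer show up in the audit log there.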
diff --git a/sepolicy/vendor/qti.te b/sepolicy/vendor/qti.te
index e71ac82..be32d8c 100644
--- a/sepolicy/vendor/qti.te
+++ b/sepolicy/vendor/qti.te
@@ -17,5 +17,7 @@
userdebug_or_eng(`
allow qti diag_device:chr_file rw_file_perms;
+ r_dir_file(qti, sysfs_diag)
')
dontaudit qti diag_device:chr_file rw_file_perms;
+dontaudit qti sysfs_diag:dir search;
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index 5e3bdd8..0cb6607 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -25,6 +25,11 @@
binder_call(radio, hal_imsrtp)
+userdebug_or_eng(`
+ allow radio diag_device:chr_file rw_file_perms;
+')
+dontaudit radio diag_device:chr_file rw_file_perms;
+
# read /proc/cmdline
allow radio proc_cmdline:file r_file_perms;
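Review bot: The new `radio` block has no comment, unlike the `# read /proc/cmdline` rule after it, and the hunk does not say which radio-domain component opens the diag node. I would add something like `# diag access is debug-only: allowed on userdebug/eng, denial silenced on user builds` above the `userdebug_or_eng` block, plus the avc line that motivated it. The reason matters because `rw_file_perms` on `diag_device` is a broad grant for the radio domain, even when limited to debug builds. The unconditional `dontaudit` also means user builds log nothing when a radio-domain process tries to open the diag device, so it is worth confirming that this loss of visibility is intended.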