Adding userdebug/eng diag access for following domains

World access to diag_device on userdebug/eng builds was revoked because of
its potential for dangerous use by third-party code, so this CL grants
access back to the domains that requested it.

denied { read write } for pid=832 comm="qti" name="diag" dev="tmpfs" ino
=9583 scontext=u:r:qti:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_
file

denied { read write } for pid=808 comm="thermal-engine" name="diag" dev=
"tmpfs" ino=9583 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:diag
_device:s0 tclass=chr_file

denied { read write } for pid=877 comm="cnss_diag" name="diag" dev="tmpf
s" ino=9583 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file

denied { read write } for pid=816 comm="imsqmidaemon" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:ims:s0 tcontext=u:object_r:diag_device:s0 tc
lass=chr_file

denied { read write } for pid=753 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_
r:diag_device:s0 tclass=chr_file

denied { read write } for pid=772 comm="sensors.qcom" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s
0 tclass=chr_file

denied { read write } for pid=677 comm="time_daemon" name="diag" dev="tm
pfs" ino=9583 scontext=u:r:time_daemon:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file

denied { read write } for pid=618 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_graphics_composer_default:s0 tcontext
=u:object_r:diag_device:s0 tclass=chr_file

denied { read write } for pid=854 comm="rild" name="diag" dev="tmpfs" in
o=10642 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=c
hr_file

denied { read write } for pid=828 comm="netmgrd" name="diag" dev="tmpfs"
ino=10642 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tcl
ass=chr_file

denied { read write } for pid=826 comm="cnd" name="diag" dev="tmpfs" ino
=10642 scontext=u:r:cnd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr
_file

denied { read write } for pid=1559 comm="iptables-wrappe" path="/dev/dia
g" dev="tmpfs" ino=17555 scontext=u:r:netutils_wrapper:s0 tcontext=u:obj
ect_r:diag_device:s0 tclass=chr_file

Test: domains that need diag_device access can get access to it
Change-Id: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e
diff --git a/sepolicy/vendor/cnd.te b/sepolicy/vendor/cnd.te
index ca562c9..d7aa810 100644
--- a/sepolicy/vendor/cnd.te
+++ b/sepolicy/vendor/cnd.te
@@ -29,3 +29,8 @@
 get_prop(cnd, hwservicemanager_prop)
 binder_call(cnd, dataservice_app)
 binder_call(cnd, ims)
+
+userdebug_or_eng(`
+  allow cnd diag_device:chr_file rw_file_perms;
+')
+dontaudit cnd diag_device:chr_file rw_file_perms;
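Review bot: The `dontaudit cnd diag_device:chr_file rw_file_perms;` line sits outside `userdebug_or_eng` with no comment, so on user builds every attempt by cnd to reach the diag node is dropped from the audit log; the same pattern is repeated in the eleven other files of this change. That is presumably meant to quiet the expected denial from the vendor binary, but it also removes the signal that would show a compromised daemon probing /dev/diag on a production build. I would add a comment such as `# diag is debug-only; the user-build denial is expected and suppressed` and narrow the suppression to what the denials quoted in the commit message actually show, `dontaudit cnd diag_device:chr_file { read write };`, so that any other access is still logged.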
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index 7bea2e1..d9cb26a 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -31,4 +31,6 @@
 userdebug_or_eng(`
         allow hal_graphics_composer_default debugfs_mdp:dir r_dir_perms;
         allow hal_graphics_composer_default debugfs_mdp:file r_file_perms;
+        allow hal_graphics_composer_default diag_device:chr_file rw_file_perms;
 ')
+dontaudit hal_graphics_composer_default diag_device:chr_file rw_file_perms;
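Review bot: `rw_file_perms` includes `ioctl`, and no extended-permission rule is visible alongside the new `allow hal_graphics_composer_default diag_device:chr_file rw_file_perms;`, so on userdebug/eng builds the HAL appears able to issue any ioctl command the diag driver implements. The same holds for every allow added in this change, including the one in cnd.te. The denials quoted in the commit message only show `{ read write }`. If the logging path really needs ioctls, I would pin them with something like `allowxperm hal_graphics_composer_default diag_device:chr_file ioctl <DIAG_IOCTL_SET_PLACEHOLDER>;`, in the way qti.te and time_daemon.te already constrain `self:socket`.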
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index fa473a8..ec60451 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -12,4 +12,6 @@
 userdebug_or_eng(`
   r_dir_file(hal_sensors_default, sysfs_diag)
   allow hal_sensors_default sysfs_timestamp_switch:file r_file_perms;
+  allow hal_sensors_default diag_device:chr_file rw_file_perms;
 ')
+dontaudit hal_sensors_default diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/ims.te b/sepolicy/vendor/ims.te
index a229417..4a11d74 100644
--- a/sepolicy/vendor/ims.te
+++ b/sepolicy/vendor/ims.te
@@ -33,3 +33,8 @@
 hwbinder_use(ims)
 allow ims hal_cne_hwservice:hwservice_manager find;
 binder_call(ims, cnd)
+
+userdebug_or_eng(`
+  allow ims diag_device:chr_file rw_file_perms;
+')
+dontaudit ims diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
index adbc4b6..197f672 100644
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -40,7 +40,9 @@
 allow netmgrd sysfs_timestamp_switch:file { read open };
 userdebug_or_eng(`
   r_dir_file(netmgrd, sysfs_diag)
+  allow netmgrd diag_device:chr_file rw_file_perms;
 ')
+dontaudit netmgrd diag_device:chr_file rw_file_perms;
 
 #Ignore if device loading for private IOCTL failed
 dontaudit netmgrd kernel:system { module_request };
diff --git a/sepolicy/vendor/netutils_wrapper.te b/sepolicy/vendor/netutils_wrapper.te
index ec34fd3..f8c6f80 100644
--- a/sepolicy/vendor/netutils_wrapper.te
+++ b/sepolicy/vendor/netutils_wrapper.te
@@ -5,3 +5,8 @@
 dontaudit netutils_wrapper netmgrd:netlink_socket { getattr read write append };
 dontaudit netutils_wrapper kernel:system module_request;
 dontaudit netutils_wrapper self:capability sys_module;
+
+userdebug_or_eng(`
+  allow netutils_wrapper diag_device:chr_file rw_file_perms;
+')
+dontaudit netutils_wrapper diag_device:chr_file rw_file_perms;
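Review bot: The denial quoted for this domain differs from the others: it reports `path="/dev/diag"` with comm `iptables-wrappe`, which usually indicates a descriptor inherited from the caller rather than the wrapper opening the node itself (inferred from the log, not confirmed). If so, the added `allow netutils_wrapper diag_device:chr_file rw_file_perms;` gives a debug channel to a process that has no use for it. The existing `dontaudit netutils_wrapper netmgrd:netlink_socket { getattr read write append };` line at the top of this hunk handles the same kind of inherited handle without granting anything. I would drop the `userdebug_or_eng` allow here, keep only the `dontaudit`, and have the parent open /dev/diag with close-on-exec.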
diff --git a/sepolicy/vendor/qti.te b/sepolicy/vendor/qti.te
index a5d1aa8..e71ac82 100644
--- a/sepolicy/vendor/qti.te
+++ b/sepolicy/vendor/qti.te
@@ -14,3 +14,8 @@
 allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;
 
 r_dir_file(qti, sysfs_msm_subsys)
+
+userdebug_or_eng(`
+  allow qti diag_device:chr_file rw_file_perms;
+')
+dontaudit qti diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 15d084c..ff643af 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -21,7 +21,9 @@
 
 userdebug_or_eng(`
   domain_auto_trans(rild, smlog_dump_exec, smlog_dump)
+  allow rild diag_device:chr_file rw_file_perms;
 ')
+dontaudit rild diag_device:chr_file rw_file_perms;
 
 allow rild radio_vendor_data_file:dir rw_dir_perms;
 allow rild radio_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
index fb4cf3a..a313993 100644
--- a/sepolicy/vendor/sensors.te
+++ b/sepolicy/vendor/sensors.te
@@ -29,4 +29,6 @@
 userdebug_or_eng(`
   r_dir_file(sensors, sysfs_diag)
   allow sensors sysfs_timestamp_switch:file r_file_perms;
+  allow sensors diag_device:chr_file rw_file_perms;
 ')
+dontaudit sensors diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
index 8009959..e69c189 100644
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -33,3 +33,8 @@
 
 # reboot/shutdown for thermal limits exceeded
 set_prop(thermal-engine, powerctl_prop)
+
+userdebug_or_eng(`
+  allow thermal-engine diag_device:chr_file rw_file_perms;
+')
+dontaudit thermal-engine diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/time_daemon.te b/sepolicy/vendor/time_daemon.te
index 82a62e2..d58bc23 100644
--- a/sepolicy/vendor/time_daemon.te
+++ b/sepolicy/vendor/time_daemon.te
@@ -23,3 +23,8 @@
 
 allow time_daemon self:socket create_socket_perms;
 allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
+
+userdebug_or_eng(`
+  allow time_daemon diag_device:chr_file rw_file_perms;
+')
+dontaudit time_daemon diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
index aebd86f..db2d129 100644
--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
@@ -31,7 +31,9 @@
   r_dir_file(wcnss_service, proc_wifi_dbg)
   r_dir_file(wcnss_service, sysfs_diag)
   allow wcnss_service sysfs_timestamp_switch:file r_file_perms;
+  allow wcnss_service diag_device:chr_file rw_file_perms;
 ')
+dontaudit wcnss_service diag_device:chr_file rw_file_perms;
 
 allow wcnss_service sysfs_soc:dir search;
 allow wcnss_service sysfs_soc:file r_file_perms;