Label and allow access to /sys/kernel/debug/nvmap
system_server needs read access to /sys/kernel/debug/nvmap.
Allow it.
Other processes need search access on the directory so that paths beneath it still resolve. Allow it. This isn't a regression from older Android releases, since we've always allowed search access to debugfs; this makes it no worse.
Addresses the following denial:
avc: denied { read } for comm="android.bg" name="nvmap" dev="debugfs" ino=4658 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=0
Change-Id: Ie55808f1d52086b15bbf04ed85e9a11d5f559acb
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index 4ec9a02..1558e2a 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -1 +1,4 @@
r_dir_file(domain, sysfs_tegra_fuse)
+
+# Why?
+allow domain debugfs_nvmap:dir search;
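Review bot: The `# Why?` placeholder above the new `allow domain debugfs_nvmap:dir search;` rule should carry the actual justification, which the commit message already gives; a policy-wide grant to `domain` is exactly the kind of line a later reviewer will question, and the answer should be in the file rather than in git history. Something like `# /sys/kernel/debug/nvmap is now labeled debugfs_nvmap instead of debugfs; keep the search permission every domain already had on debugfs so paths beneath it still resolve.` The only denial quoted is for system_server, so the domain-wide rule is justified by preserving the previous debugfs traversal rights rather than by any observed need, and the comment should say that rather than imply other processes were seen to need it.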
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 79224c2..ab4c950 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -17,3 +17,5 @@
type sysfs_socinfo, sysfs_type, fs_type;
type sysfs_tegra_fuse, sysfs_type, fs_type;
+
+type debugfs_nvmap, debugfs_type, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 5c71ee9..5cf34b5 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -78,6 +78,9 @@
# Factory reset protection block device
/dev/block/mmcblk0p27 u:object_r:frp_block_device:s0
+# debugfs files
+/sys/kernel/debug/nvmap(/.*)? u:object_r:debugfs_nvmap:s0
+
# Didim file
/sys/devices/platform/host1x/tegradc.0/smartdimmer/aggressiveness u:object_r:sysfs_didim:s0
/sys/devices/platform/host1x/tegradc.0/smartdimmer/enable u:object_r:sysfs_didim:s0
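Review bot: The new `/sys/kernel/debug/nvmap(/.*)?` entry only takes effect for inodes that exist when init's restorecon pass over /sys/kernel/debug runs; debugfs is not labeled from file_contexts at lookup time the way a genfscon label would be, and anything the nvmap driver creates under this directory afterwards presumably keeps the plain `debugfs` context seen in the quoted denial — worth confirming against how nvmap populates that directory. If entries do appear at runtime, the `domain` search rule and the system_server read rule on `debugfs_nvmap` will not cover them and the same denial will recur with `tcontext=debugfs`. A short note next to the entry would save the next person a debugging session: `# Relabeled by init's restorecon of /sys/kernel/debug; entries created later keep the debugfs label.`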
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 450b684..b7272a5 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -8,6 +8,8 @@
# Grant access to Qualcomm MSM Interface (QMI) radio sockets for GPS
qmux_socket(system_server)
+r_dir_file(system_server, debugfs_nvmap)
+
allow system_server sysfs_gpu:file r_file_perms;
allow system_server sysfs_socinfo:file r_file_perms;
allow system_server sysfs_swap:file r_file_perms;
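Review bot: `r_dir_file(system_server, debugfs_nvmap)` grants `r_dir_perms` on the directory plus `r_file_perms` on every file under it, while the only denial quoted is `{ read }` on the directory itself; if the android.bg thread really goes on to read files inside nvmap the broader grant is fine, but then the commit should say so, otherwise `allow system_server debugfs_nvmap:dir r_dir_perms;` is the tighter fit for what was observed. The new line also lands directly under the "Grant access to Qualcomm MSM Interface (QMI) radio sockets for GPS" comment, which now reads as if nvmap were part of that grant; move it down beside the sysfs rules and give it its own comment, e.g. `# android.bg thread in system_server reads /sys/kernel/debug/nvmap`. Either way the rule deserves a comment naming the debugfs path, since `debugfs_nvmap` is a device-local type no one will find in core policy.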