Label and allow access to /sys/kernel/debug/nvmap

system_server needs read access to /sys/kernel/debug/nvmap.
Allow it.

Other random processes need search access within the directory.
Allow it. This isn't a regression from older Android releases,
since we've always allowed search access to debugfs. This makes
it no worse.

Addresses the following denial:

  avc: denied { read } for comm="android.bg" name="nvmap" dev="debugfs" ino=4658 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=0

Change-Id: Ie55808f1d52086b15bbf04ed85e9a11d5f559acb
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index 4ec9a02..1558e2a 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -1 +1,4 @@
 r_dir_file(domain, sysfs_tegra_fuse)
+
+# Why?
+allow domain debugfs_nvmap:dir search;
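Review bot: The `# Why?` comment above `allow domain debugfs_nvmap:dir search;` leaves a grant to every domain, including the least trusted ones, without a recorded justification. The commit message gives the reason (search on debugfs was always allowed, and relabelling the directory would otherwise remove it), so that belongs in the file, for example `# nvmap used to carry the generic debugfs label, which all domains may search; keep that so relabelling does not introduce new denials.` If the domains that actually traverse this directory can be identified from audit logs, granting search to those domains instead of `domain` would be tighter. Search alone does not permit listing or reading entries, so the exposure is small, but it should be a deliberate choice.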
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 79224c2..ab4c950 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -17,3 +17,5 @@
 type sysfs_socinfo, sysfs_type, fs_type;
 
 type sysfs_tegra_fuse, sysfs_type, fs_type;
+
+type debugfs_nvmap, debugfs_type, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 5c71ee9..5cf34b5 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -78,6 +78,9 @@
 # Factory reset protection block device
 /dev/block/mmcblk0p27 u:object_r:frp_block_device:s0
 
+# debugfs files
+/sys/kernel/debug/nvmap(/.*)?          u:object_r:debugfs_nvmap:s0
+
 # Didim file
 /sys/devices/platform/host1x/tegradc.0/smartdimmer/aggressiveness    u:object_r:sysfs_didim:s0
 /sys/devices/platform/host1x/tegradc.0/smartdimmer/enable            u:object_r:sysfs_didim:s0
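Review bot: The new `/sys/kernel/debug/nvmap(/.*)?` entry only takes effect if something runs restorecon over that path after debugfs is mounted, and nothing in this commit shows that step. debugfs nodes otherwise receive their label from the kernel policy's genfscon rule, so the directory would stay `debugfs` and the quoted denial would persist. Please confirm that init relabels `/sys/kernel/debug` recursively on this device, or add the label through `genfscon` instead. Note also that the `(/.*)?` suffix labels every node under the directory, so whatever is allowed on `debugfs_nvmap` applies to all of them.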
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 450b684..b7272a5 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -8,6 +8,8 @@
 # Grant access to Qualcomm MSM Interface (QMI) radio sockets for GPS
 qmux_socket(system_server)
 
+r_dir_file(system_server, debugfs_nvmap)
+
 allow system_server sysfs_gpu:file r_file_perms;
 allow system_server sysfs_socinfo:file r_file_perms;
 allow system_server sysfs_swap:file r_file_perms;
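Review bot: `r_dir_file(system_server, debugfs_nvmap)` grants more than the denial in the commit message requires. That denial is `{ read }` on the directory only, while the macro also allows reading every file and symlink carrying the label. If only the directory listing has been observed, `allow system_server debugfs_nvmap:dir r_dir_perms;` would cover it, and file access can be added once a matching denial appears. The line also has no comment, unlike the QMI rule above it; a short one naming what system_server reads from nvmap and why would help later audits of this debugfs grant.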