Label gpuclk as sysfs_thermal file and add perms.

Current sepolicy grants excessive access to sysfs when in reality
only a small portion need be exposed to apps.  Label this small
portion appropriately with a future goal of removing the general
sysfs access.

Address the following denials:
08-15 01:55:29.061   194   194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:55:29.621   365   365 W BootAnimation: type=1400 audit(0.0:8): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:56:23.580   994   994 W Thread-1: type=1400 audit(0.0:11): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:56:28.130  1626  1626 W RenderThread: type=1400 audit(0.0:13): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:56:28.280  1037  1037 W ndroid.systemui: type=1400 audit(0.0:14): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:01:55.481   194   194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:01:55.871   367   367 W BootAnimation: type=1400 audit(0.0:8): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:02:06.030   908   908 W Thread-1: type=1400 audit(0.0:11): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:02:09.780  1527  1527 W RenderThread: type=1400 audit(0.0:13): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:02:10.500   943   943 W ndroid.systemui: type=1400 audit(0.0:14): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 05:22:56.680  3211  3211 W RenderThread: type=1400 audit(0.0:22): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 05:23:13.180  3401  3401 W RenderThread: type=1400 audit(0.0:25): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0

Also move radio rule to radio.te from app.te.

Bug: 22032619
Change-Id: I7c2839486ebfaaeaaf34b46125b3dcac5758b882
7 files changed
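The denials listed in the commit message can be collapsed into one candidate rule per source domain, which makes it easier to see exactly which domains need which permissions on the `sysfs_thermal` file. The following is an added example, not part of the commit or of the project's policy; the function names are hypothetical, and the output is a set of candidate rules for review, not the rules this change actually contains (the diff is not shown on this page).

```python
import re
from collections import defaultdict

# Three of the denials quoted in the commit message above, reused as sample input.
SAMPLE = """\
08-15 01:55:29.061   194   194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:01:55.481   194   194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 05:22:56.680  3211  3211 W RenderThread: type=1400 audit(0.0:22): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
"""

# Matches the permission set and the source/target contexts of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def render(rules):
    """Format the grouped denials as candidate allow rules, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The MLS categories on app contexts (`:c512,c768`) are ignored because only the type field matters for a type-enforcement rule. Each candidate rule still needs review against the commit's stated goal of exposing only a small portion of sysfs.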