Label gpuclk as sysfs_thermal file and add perms.
Current sepolicy grants excessive access to sysfs when in reality
only a small portion need be exposed to apps. Label this small
portion appropriately with a future goal of removing the general
sysfs access.
Address the following denials:
08-15 01:55:29.061 194 194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:55:29.621 365 365 W BootAnimation: type=1400 audit(0.0:8): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:56:23.580 994 994 W Thread-1: type=1400 audit(0.0:11): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:56:28.130 1626 1626 W RenderThread: type=1400 audit(0.0:13): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 01:56:28.280 1037 1037 W ndroid.systemui: type=1400 audit(0.0:14): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:01:55.481 194 194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:01:55.871 367 367 W BootAnimation: type=1400 audit(0.0:8): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:02:06.030 908 908 W Thread-1: type=1400 audit(0.0:11): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:02:09.780 1527 1527 W RenderThread: type=1400 audit(0.0:13): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 04:02:10.500 943 943 W ndroid.systemui: type=1400 audit(0.0:14): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 05:22:56.680 3211 3211 W RenderThread: type=1400 audit(0.0:22): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
08-15 05:23:13.180 3401 3401 W RenderThread: type=1400 audit(0.0:25): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0
Also move radio rule to radio.te from app.te.
Bug: 22032619
Change-Id: I7c2839486ebfaaeaaf34b46125b3dcac5758b882
7 files changed