sensors: add socket_device:dir remove_name
When an encrypted device boots up, it first starts every service,
prompts the user for their password, and then restarts every service.
When the sensors service restarts, it tries to delete
/dev/socket/sensor_ctl_socket, fails, and can't access the socket
which already exists.
This prevents the sensor service from being usable on encrypted devices.
Allow sensors to remove entries from /dev/socket.
Addresses the following denial:
<5>[ 66.326016] type=1400 audit(1393616977.711:21): avc: denied { remove_name } for pid=1600 comm="sensors.qcom" name="sensor_ctl_socket" dev="tmpfs" ino=7370 scontext=u:r:sensors:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
Bug: 13246219
Change-Id: I75c852ff94cc54435f1e281683f5a8b3c3e087e1
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index b3c497e..1edb67f 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -19,15 +19,12 @@
# Create /data/app/sensor_ctl_socket (Might want to change location).
type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";
allow sensors sensors_socket:sock_file create_file_perms;
-# Trying to be restrictive with perms on apk_data_file
-allow sensors apk_data_file:dir { add_name write };
-# Socket can be deleted. So might have to keep in order to work.
-allow sensors apk_data_file:dir remove_name;
+allow sensors apk_data_file:dir rw_dir_perms;
# In a future release of Android, /data/app/sensor_ctl_socket moved
# to /dev/socket/sensor_ctl_socket .
type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket";
-allow sensors socket_device:dir { write add_name };
+allow sensors socket_device:dir rw_dir_perms;
# Create directories and files under /data/misc/sensors
# and /data/system/sensors. Allow generic r/w file access.
