sensors: move /data/app/sensor_ctl_socket
In c89d7dcd63de492e37617b17348fbca7de9c08c2, /data/app/sensor_ctl_socket
moved to /dev/socket/sensor_ctl_socket. Add rules to allow this
behavior.
For compatibility with AOSP, retain the old rules until the change is
public.
Addresses the following denials:
<5>[ 9.752728] type=1400 audit(1393360878.146:11): avc: denied { write } for pid=197 comm="sensors.qcom" name="socket" dev="tmpfs" ino=6148 scontext=u:r:sensors:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 9.752985] type=1400 audit(1393360878.146:12): avc: denied { add_name } for pid=197 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 9.753234] type=1400 audit(1393360878.146:13): avc: denied { create } for pid=197 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 9.753456] type=1400 audit(1393360878.146:14): avc: denied { getattr } for pid=197 comm="sensors.qcom" path="/dev/socket/sensor_ctl_socket" dev="tmpfs" ino=9443 scontext=u:r:sensors:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 9.753700] type=1400 audit(1393360878.146:15): avc: denied { setattr } for pid=197 comm="sensors.qcom" name="sensor_ctl_socket" dev="tmpfs" ino=9443 scontext=u:r:sensors:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 9.754254] type=1400 audit(1393360878.146:16): avc: denied { write } for pid=197 comm="sensors.qcom" name="sensor_ctl_socket" dev="tmpfs" ino=9443 scontext=u:r:sensors:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
Bug: 12570192
Change-Id: I20ac1f1fa6acf355d96de51cc9a2e8ec5d127fb0
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index c5eec0c..b3c497e 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -24,6 +24,11 @@
# Socket can be deleted. So might have to keep in order to work.
allow sensors apk_data_file:dir remove_name;
+# In a future release of Android, /data/app/sensor_ctl_socket moved
+# to /dev/socket/sensor_ctl_socket .
+type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket";
+allow sensors socket_device:dir { write add_name };
+
# Create directories and files under /data/misc/sensors
# and /data/system/sensors. Allow generic r/w file access.
allow sensors sensors_data_file:dir create_dir_perms;