Move sysfs_thermal to global policy and grant access.

sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

(cherry-pick of internal commit: 98eff7c3d46abe2db996c0718b7386a3e368f344)

Bug: 27809332
Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f
diff --git a/file.te b/file.te
index d8bbdc4..3dfa4fe 100644
--- a/file.te
+++ b/file.te
@@ -33,6 +33,9 @@
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
 type sysfs_lowmemorykiller, fs_type, sysfs_type;
+
+type sysfs_thermal, sysfs_type, fs_type;
+
 type sysfs_zram, fs_type, sysfs_type;
 type sysfs_zram_uevent, fs_type, sysfs_type;
 type inotify, fs_type, mlstrustedobject;
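Review bot: The new `type sysfs_thermal, sysfs_type, fs_type;` declaration has no path comment, and it lists its attributes in the opposite order from the neighbouring declarations (`fs_type, sysfs_type`). I would write it as `# /sys/devices/virtual/thermal` followed by `type sysfs_thermal, fs_type, sysfs_type;`, taking the path from the denials quoted in the commit message. No file_contexts or genfs_contexts change is visible in this diff, so labelling presumably stays in device policy; if so, the comment should say that, because the new system_server rules match nothing until a device labels the nodes. Any domain that already holds rules on the `sysfs_type` attribute also gains access to this type, which is worth checking before the type goes global.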
diff --git a/system_server.te b/system_server.te
index 5a3573a..6ab48e7 100644
--- a/system_server.te
+++ b/system_server.te
@@ -158,6 +158,8 @@
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
 allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
 
 # Access devices.
 allow system_server device:dir r_dir_perms;
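Review bot: The two `sysfs_thermal` rules have no comment naming the service that needs them, and `r_file_perms` grants slightly more than the logged denials (search, read, open, getattr), since it also covers ioctl and lock. That matches the adjacent `sysfs_mac_address` line, so keeping the macro is defensible, but a comment such as `# Read thermal zone temperatures for HardwarePropertiesManagerService.` would record that the grant is meant to stay read-only. Thermal sysfs directories typically also hold writable control nodes, so a later widening to `rw_file_perms` here would deserve separate review. The denials were captured with permissive=1, so it is worth confirming in enforcing mode that `dir search` is enough and the service does not need to list the directory.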