From c0e7206c7328409027a2a4635598569275be2f2d Mon Sep 17 00:00:00 2001 From: Chris Ye Date: Fri, 20 Nov 2020 19:17:22 -0800 Subject: [PATCH] Add SePolicy for system_server accessing sysfs uhid. Add SePolicy to allow Android input manager accessing sysfs uhid folder. Bug: 161633432 Test: dumpsys input and watch for input device battery status. Change-Id: I6ed1ab45f1cff409982c36627e12e62667819f37 --- private/compat/30.0/30.0.ignore.cil | 1 + private/genfs_contexts | 1 + private/system_server.te | 11 +++++++++++ public/file.te | 2 +- 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index 05d766c43..bc576b27d 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -59,6 +59,7 @@ snapuserd_exec snapuserd_socket sysfs_devices_cs_etm + sysfs_uhid system_server_dumper_service system_suspend_control_internal_service task_profiles_api_file diff --git a/private/genfs_contexts b/private/genfs_contexts index 4c6edd6e0..1aee66986 100644 --- a/private/genfs_contexts +++ b/private/genfs_contexts @@ -157,6 +157,7 @@ genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0 genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0 genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0 genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0 diff --git a/private/system_server.te b/private/system_server.te index 95d7cc77e..7193ffb97 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -355,6 +355,8 @@ allow system_server sysfs_power:dir search; allow system_server sysfs_power:file rw_file_perms; allow system_server sysfs_thermal:dir search; allow system_server sysfs_thermal:file r_file_perms; +allow system_server sysfs_uhid:dir r_dir_perms; +allow system_server sysfs_uhid:file rw_file_perms; # TODO: Remove when HALs are forced into separate processes allow system_server sysfs_vibrator:file { write append }; @@ -1243,6 +1245,15 @@ neverallow { -system_server } wifi_config_prop:file no_rw_file_perms; +# Only allow system server to write uhid sysfs files +neverallow { + domain + -init + -system_server + -ueventd + -vendor_init +} sysfs_uhid:file no_w_file_perms; + # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it # can be accessed by system_server only (b/143717177) # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder diff --git a/public/file.te b/public/file.te index bee8eb4b5..5aa35a1a5 100644 --- a/public/file.te +++ b/public/file.te @@ -119,7 +119,7 @@ type sysfs_lowmemorykiller, fs_type, sysfs_type; # /sys/module/wlan/parameters/fwpath type sysfs_wlan_fwpath, fs_type, sysfs_type; type sysfs_vibrator, fs_type, sysfs_type; - +type sysfs_uhid, fs_type, sysfs_type; type sysfs_thermal, sysfs_type, fs_type; type sysfs_zram, fs_type, sysfs_type;