-rw-r--r--sepolicy/domain.te39
-rw-r--r--sepolicy/file.te4
2 files changed, 43 insertions, 0 deletions
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..6652378
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1,39 @@
+get_prop(domain, camera_prop)
+
+dontaudit domain self:capability sys_module;
+
+# b/29072816
+# Triggered by kernel code which calls request_firmware(), which
+# eventually calls filp_open(), which attempts to look in /firmware
+# for the firmware file itself using the context of the calling
+# domain.
+# This does not occur on other Android builds because the marlin
+# kernel has various references to /firmware paths in the following
+# code:
+#
+# /* direct firmware loading support */
+# static char fw_path_para[256];
+# static const char * const fw_path[] = {
+# fw_path_para,
+# "/lib/firmware/updates/" UTS_RELEASE,
+# "/lib/firmware/updates",
+# "/lib/firmware/" UTS_RELEASE,
+# "/lib/firmware",
+# "/firmware/image",
+# "/firmware/radio",
+# "/firmware/adsp" //HTC_AUD
+# };
+#
+# As described at http://www.makelinux.net/ldd3/chp-14-sect-8 ,
+# the userspace helper (in our case, ueventd) should always be loading
+# these files, not the requesting process itself. It is only due to a
+# hack added by Linus Torvalds that the kernel even attempt to load
+# firmware files directly from the filesystem
+# (https://github.com/torvalds/linux/commit/abb139e75c2cdbb955e840d6331cb5863e409d0e).
+#
+# Suppress these denials for most domains, since ueventd should be doing the
+# opening of the firmware.
+dontaudit domain firmware_file:dir search;
+
+allow domain debugfs_ion:dir search;
+allow domain debugfs_kgsl:dir search;
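Review bot: The `dontaudit domain self:capability sys_module;` rule on the third line of this new file silences, for every domain on the device (including untrusted app domains via the `domain` attribute), the only audit evidence that a process tried a CAP_SYS_MODULE-gated operation such as loading a kernel module, and unlike the firmware_file rule below it carries no bug reference or explanation of which kernel path triggers the check. It would help a future policy maintainer to either scope the suppression to the domains that actually hit it or, at minimum, document the trigger the same way, e.g. `# TODO(review): record the bug ID and kernel path that triggers this capability check; consider narrowing from domain to the triggering domains, since this hides module-load attempts from audit for all processes.` Separately, the two `allow domain debugfs_ion:dir search;` / `allow domain debugfs_kgsl:dir search;` rules at the end grant directory search on debugfs to all domains; that is only `search`, but a one-line comment naming the consumer (presumably graphics/ION users, not confirmable from this diff) would justify why it is not scoped to those domains.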
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 8a2c9ed..98cda48 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -10,6 +10,10 @@ type sysfs_msm_subsys, sysfs_type, fs_type;
type sysfs_msm_subsys_restart, sysfs_type, fs_type;
type sysfs_net, sysfs_type, fs_type, mlstrustedobject;
+# debugfs
+type debugfs_kgsl, debugfs_type, fs_type;
+type debugfs_ion, debugfs_type, fs_type;
+
# /vendor
type idc_file, file_type, vendor_file_type;
type keylayout_file, file_type, vendor_file_type;
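Review bot: The new `debugfs_kgsl` and `debugfs_ion` types are declared here but this diff contains no genfs_contexts (or file_contexts) entry that assigns them to any debugfs path, so unless labelling is added elsewhere the corresponding `allow domain debugfs_*:dir search` rules in domain.te match nothing and the real directories keep the generic debugfs label. If the labelling lands in a separate commit, a short comment above the declarations pointing to it would make that dependency visible, e.g. `# Labelled via genfs_contexts (debugfs entries for kgsl and ion)`. One context line of this hunk (a blank line) appears to have been dropped in rendering, but that does not affect the point.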