From ed2c442b888064d36471fd9e142b87ee56c5d175 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cosme=20Dom=C3=ADnguez=20D=C3=ADaz?= <cosme.ddiaz@gmail.com>
Date: Sat, 14 Apr 2018 18:32:57 +0200
Subject: msm8996-common: Fix several SELinux denials with firmware loading.

  * The rules came from marlin's sepolicy.
---
 sepolicy/domain.te | 39 +++++++++++++++++++++++++++++++++++++++
 sepolicy/file.te   |  4 ++++
 2 files changed, 43 insertions(+)
 create mode 100644 sepolicy/domain.te

diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..6652378
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1,39 @@
+get_prop(domain, camera_prop)
+
+dontaudit domain self:capability sys_module;
+
+# b/29072816
+# Triggered by kernel code which calls request_firmware(), which
+# eventually calls filp_open(), which attempts to look in /firmware
+# for the firmware file itself using the context of the calling
+# domain.
+# This does not occur on other Android builds because the marlin
+# kernel has various references to /firmware paths in the following
+# code:
+#
+# /* direct firmware loading support */
+# static char fw_path_para[256];
+# static const char * const fw_path[] = {
+#         fw_path_para,
+#         "/lib/firmware/updates/" UTS_RELEASE,
+#         "/lib/firmware/updates",
+#         "/lib/firmware/" UTS_RELEASE,
+#         "/lib/firmware",
+#         "/firmware/image",
+#         "/firmware/radio",
+#         "/firmware/adsp"        //HTC_AUD
+# };
+#
+# As described at http://www.makelinux.net/ldd3/chp-14-sect-8 ,
+# the userspace helper (in our case, ueventd) should always be loading
+# these files, not the requesting process itself. It is only due to a
+# hack added by Linus Torvalds that the kernel even attempt to load
+# firmware files directly from the filesystem
+# (https://github.com/torvalds/linux/commit/abb139e75c2cdbb955e840d6331cb5863e409d0e).
+#
+# Suppress these denials for most domains, since ueventd should be doing the
+# opening of the firmware.
+dontaudit domain firmware_file:dir search;
+
+allow domain debugfs_ion:dir search;
+allow domain debugfs_kgsl:dir search;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 8a2c9ed..98cda48 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -10,6 +10,10 @@ type sysfs_msm_subsys, sysfs_type, fs_type;
 type sysfs_msm_subsys_restart, sysfs_type, fs_type;
 type sysfs_net, sysfs_type, fs_type, mlstrustedobject;
 
+# debugfs
+type debugfs_kgsl, debugfs_type, fs_type;
+type debugfs_ion, debugfs_type, fs_type;
+
 # /vendor
 type idc_file, file_type, vendor_file_type;
 type keylayout_file, file_type, vendor_file_type;
-- 
cgit v1.2.3