From e44dd6e62ca4c28d81a195f59eec1e1c3543c4ec Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Fri, 7 Apr 2017 17:50:14 -0700
Subject: msm8996-common: Grant system_server access to idc and keylayot dirs

system_server is configured to access idc and keylayout files in
/vendor/usr/idc and /vendor/usr/keylayout. This explicitly grants this
access to system_server, instead of relying on overly broad access
granted by hal_client_domain(system_server, ...) macros which is no
longer going to grant this overly broad access soon.

Test: Modify hal_client_domain to no longer associate hal_x_client with
      hal_x, observe that there are no violations form system_server
      trying to read /vendor/usr/idc and /vendor/usr/keylayouts.
Bug: 37160141

Change-Id: I136df8713f2f9ff03096e5f6cf35e3e804733040
---
 sepolicy/system_server.te | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'sepolicy/system_server.te')

diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index ef21160..975336c 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,3 +1,8 @@
 allow system_server alarm_boot_prop:file { read open getattr };
 allow system_server persist_file:dir write;
 allow system_server sysfs_fpc_utouch_disable:file rw_file_perms;
+
+# /vendor/usr/keylayout
+r_dir_file(system_server, idc_file)
+# /vendor/usr/idc
+r_dir_file(system_server, keylayout_file)
-- 
cgit v1.2.3