android_device_google_gs-co.../aoc/sepolicy/aocd.te

type aocd, domain;
type aocd_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(aocd)

# access persist files
allow aocd mnt_vendor_file:dir search;
allow aocd persist_file:dir search;
r_dir_file(aocd, persist_aoc_file);

# sysfs operations
allow aocd sysfs_aoc:dir search;
allow aocd sysfs_aoc_firmware:file w_file_perms;
allow aocd sysfs_aoc_notifytimeout:file r_file_perms;

# dev operations
allow aocd aoc_device:chr_file rw_file_perms;

# allow inotify to watch for additions/removals from /dev
allow aocd device:dir r_dir_perms;

# set properties
set_prop(aocd, vendor_aoc_prop)
set_prop(aocd, vendor_timeout_aoc_prop)
get_prop(aocd, vendor_volte_mif_off)
move aoc settings to gs-common Bug: 248426917 Test: boot with aoc launched Change-Id: I7f3e65f9b27510bff657ca46c9688932a0352437 2022-10-20 11:23:26 +08:00			`type aocd, domain;`
			`type aocd_exec, vendor_file_type, exec_type, file_type;`
			`init_daemon_domain(aocd)`

			`# access persist files`
			`allow aocd mnt_vendor_file:dir search;`
			`allow aocd persist_file:dir search;`
			`r_dir_file(aocd, persist_aoc_file);`

			`# sysfs operations`
			`allow aocd sysfs_aoc:dir search;`
			`allow aocd sysfs_aoc_firmware:file w_file_perms;`
aoc: add permissions for new sysfs node Resolving the following audit denials: - [ 6.450477] type=1400 audit(1699468821.992:6): avc: denied { read } for comm="aocd" name="notify_timeout_aoc_status" dev="sysfs" ino=78572 scontext=u:r:aocd:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=0 - type=1107 audit(0.0:9): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.aoc.status_request_timed_out pid=1035 uid=0 gid=0 scontext=u:r:aocd:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' (and get for the same node) Test: on device Bug: 309950738 Change-Id: I476624a6d95667d47ada765d6fe392eecc615256 Signed-off-by: Alex Iacobucci <alexiacobucci@google.com> 2023-11-09 17:56:06 +00:00			`allow aocd sysfs_aoc_notifytimeout:file r_file_perms;`
move aoc settings to gs-common Bug: 248426917 Test: boot with aoc launched Change-Id: I7f3e65f9b27510bff657ca46c9688932a0352437 2022-10-20 11:23:26 +08:00
			`# dev operations`
			`allow aocd aoc_device:chr_file rw_file_perms;`

			`# allow inotify to watch for additions/removals from /dev`
			`allow aocd device:dir r_dir_perms;`

			`# set properties`
			`set_prop(aocd, vendor_aoc_prop)`
aoc: add policy to read system property Solves error: 1 2-13 18:33:15.860000 root 1019 1019 I auditd : type=1400 audit(0.0:7): avc: denied { read } for comm="aocd" name="u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=404 scontext=u:r:aocd:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=0 Test: on device Bug: 207711097 Change-Id: Ia28e1622746cca973ca66f437e0e655bbcaf7d66 Signed-off-by: Alex Iacobucci <alexiacobucci@google.com> 2023-12-13 19:22:28 +00:00			`set_prop(aocd, vendor_timeout_aoc_prop)`
			`get_prop(aocd, vendor_volte_mif_off)`