From 9a7af460a56a92a9ed2bad173d58f40547eb564c Mon Sep 17 00:00:00 2001
From: Chia-Chi Teng
Date: Mon, 11 Mar 2024 19:01:57 +0000
Subject: [PATCH] sepolicy: Allow PixelGnss to connect to Chre HAL
avc: denied { read } for name="u:object_r:vendor_chre_hal_prop:s0" dev="tmpfs" ino=401 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_chre_hal_prop:s0 tclass=file permissive=0
avc: denied { find } for pid=900 uid=1021 name=android.hardware.contexthub.IContextHub/default scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:hal_contexthub_service:s0 tclass=service_manager permissive=0
avc: denied { call } for scontext=u:r:hal_gnss_pixel:s0 tcontext=u:r:hal_contexthub_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:hal_gnss_pixel:s0 tclass=binder permissive=0
Bug: 316227249
Test: Verify PixelGnss HAL can connect to Chre HAL.
Test: Function test verification b/330120749 without disable selinux.
Test: No avc error log in logcat.
Change-Id: Ia1052dbc14fdbb6287cd0958b30e1a1a116b7a80
---
gps/pixel/sepolicy/hal_gnss_pixel.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te
index 512ecc9..0d9a8b5 100644
--- a/gps/pixel/sepolicy/hal_gnss_pixel.te
+++ b/gps/pixel/sepolicy/hal_gnss_pixel.te
@@ -12,3 +12,10 @@ allow hal_gnss_pixel sysfs_modem_state:file r_file_perms; #Toggle coredump node allow hal_gnss_pixel sysfs_gps:file rw_file_perms;
+
+# Allow access to CHRE multiclient HAL.
+get_prop(hal_gnss_pixel, vendor_chre_hal_prop)
+
+# Allow binder to CHRE.
+binder_call(hal_gnss_pixel, hal_contexthub_default)
+allow hal_gnss_pixel hal_contexthub_service:service_manager find;
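Review bot: The fourth denial quoted in the commit message (`scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:hal_gnss_pixel:s0 tclass=binder { call }`) has no matching rule among the added lines. `binder_call(hal_gnss_pixel, hal_contexthub_default)` grants `call` only from the GNSS HAL to the context hub HAL, and gives the reverse direction `transfer` only. If the callback path is not already allowed in a policy file outside this patch, I would add `binder_call(hal_contexthub_default, hal_gnss_pixel)` next to it and extend the comment to `# Allow binder to CHRE, and callbacks from it.` so the two-way grant is explicit. The grants that are present stay narrow (one property, one service `find`, one peer domain), which is the right shape for a vendor HAL domain.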