From 7e3f9a566dbed2a2638ce1aeb84fb5fa82d553b7 Mon Sep 17 00:00:00 2001 
From: "Kevin F. Haggerty" Date: Sun, 21 Oct 2018 09:00:54 -0600 Subject: [PATCH] msm8974-common: sepolicy: Resolve init denials * avc: denied { write } for name="enable_adaptive_lmk" dev="sysfs" ino=6724 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=file permissive=1 * avc: denied { open } for name="enable_adaptive_lmk" dev="sysfs" ino=6724 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=file permissive=1 * avc: denied { setattr } for name="firmware_path" dev="sysfs" ino=6423 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_wifi_writeable:s0 tclass=file permissive=1 * avc: denied { write } for name="l2" dev="sysfs" ino=29063 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_msm_power:s0 tclass=file permissive=1 * avc: denied { open } for name="l2" dev="sysfs" ino=29063 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_msm_power:s0 tclass=file permissive=1 * avc: denied { write } for name="enabled" dev="sysfs" ino=29716 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 * avc: denied { write } for name="online" dev="sysfs" ino=5871 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 * avc: denied { write } for name="boost_ms" dev="sysfs" ino=6652 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_cpu_boost:s0 tclass=file permissive=1 * avc: denied { open } for name="boost_ms" dev="sysfs" ino=6652 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_cpu_boost:s0 tclass=file permissive=1 * avc: denied { setattr } for name="min_pwrlevel" dev="sysfs" ino=19546 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_kgsl:s0 tclass=file permissive=0 * avc: denied { setattr } for name="enabled" dev="sysfs" ino=23417 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_hal_pwr:s0 tclass=file permissive=1 * avc: denied { setattr } for name="rear_camfw" dev="sysfs" ino=24404 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_camera:s0 tclass=file permissive=1 * avc: denied { check_context 
} for scontext=u:r:init:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0 Change-Id: Id7f78abedea2209f84527b1b83259574d06a0900
---
 sepolicy/common/init.te | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
index b5b4a6e..e1b5374 100644
--- a/sepolicy/common/init.te
+++ b/sepolicy/common/init.te
@@ -1,3 +1,9 @@
+# This really is necessary for init.qcom.rc to manually restorecon the
+# /data/data/com.android.providers.telephony/(databases|shared_prefs)
+# symlinks. Without the manual restorecon, we would have to allow rild
+# to read any system_data_file:lnk_file.
+selinux_check_context(init)
+
 allow init {
 sysfs_iio
 sysfs_sec_tsp
@@ -9,11 +15,15 @@ allow init sysfs_input:file rw_file_perms;
 allow init sysfs_graphics:file r_file_perms;

 allow init {
+ sysfs_audio
 sysfs_batteryinfo
 sysfs_bluetooth_writable
+ sysfs_camera
 sysfs_graphics
+ sysfs_hal_pwr
 sysfs_iio
 sysfs_input
+ sysfs_kgsl
 sysfs_leds
 sysfs_mdnie
 sysfs_msmuart_file
@@ -31,10 +41,16 @@ allow init {
 sysfs_socinfo
 sysfs_usb_otg
 sysfs_usb_storage_gadget
+ sysfs_wifi_writeable
 }:file setattr;

 allow init {
+ sysfs_cpu_boost
+ sysfs_devices_system_cpu
+ sysfs_lowmemorykiller
 sysfs_mmc_host
 sysfs_msm_perf
+ sysfs_msm_power
 sysfs_sec_key
+ sysfs_thermal
 }:file w_file_perms;
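Review bot: `sysfs_audio` is added to the `:file setattr` list in the second hunk, but none of the denials quoted in the commit message has `tcontext=u:object_r:sysfs_audio:s0`. The other three additions in this hunk (`sysfs_camera`, `sysfs_hal_pwr`, `sysfs_kgsl`) each map to a quoted `setattr` denial. Either add the matching avc line to the commit message or leave the type out until a denial shows init needs it. The `allow init { … }` list opens in this hunk and is closed only in the last hunk.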
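Review bot: The types added in the last hunk are granted per label, while each quoted denial names one sysfs node (`online`, `enabled`, `l2`, `boost_ms`, `enable_adaptive_lmk`, `firmware_path`). Init therefore gains `w_file_perms` or `setattr` on every file carrying that label, for example everything labelled `sysfs_devices_system_cpu`, and the policy file itself does not say which nodes motivated the rule. I would put a comment above the write list such as `# nodes written by init: cpu online, thermal enabled, l2, boost_ms, enable_adaptive_lmk`. All of the sysfs denials in the message except the `sysfs_kgsl` one were logged with `permissive=1`, so it is worth confirming on an enforcing boot that each entry is still hit. The `setattr` list that receives `sysfs_wifi_writeable` starts outside this hunk.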