From 8d6d6a1f00a493fff3045a02a674d02dce4ea8d8 Mon Sep 17 00:00:00 2001
From: "Kevin F. Haggerty"
Date: Fri, 16 Nov 2018 07:25:43 -0700
Subject: [PATCH] msm8974-common: sepolicy: Label sysfs_iio, resolve denials

* avc: denied { read } for name="devices" dev="sysfs" ino=7783 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_iio:s0 tclass=dir permissive=0
* avc: denied { open } for name="devices" dev="sysfs" ino=7783 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_iio:s0 tclass=dir permissive=0
* avc: denied { write } for name="length" dev="sysfs" ino=26482 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_iio:s0 tclass=file permissive=0
* avc: denied { read } for name="iio:device1" dev="sysfs" ino=26489 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_iio:s0 tclass=lnk_file permissive=0
* avc: denied { read } for name="iio:device0" dev="sysfs" ino=26350 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_iio:s0 tclass=lnk_file permissive=1
* avc: denied { setattr } for name="length" dev="sysfs" ino=26343 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_iio:s0 tclass=file permissive=1

Change-Id: If9b3e9efe4f7c6eec3faf973e0b7aebd96d76ef3
---
 sepolicy/common/file.te | 1 +
 sepolicy/common/file_contexts | 4 ++++
 sepolicy/common/hal_sensors_default.te | 4 ++++
 sepolicy/common/init.te | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
index 2e2036d..2fc0794 100644
--- a/sepolicy/common/file.te
+++ b/sepolicy/common/file.te
@@ -2,6 +2,7 @@
 type proc_bt_sleep, fs_type;
 type sysfs_camera, fs_type, sysfs_type;
 type sysfs_hal_pwr, fs_type, sysfs_type;
+type sysfs_iio, fs_type, sysfs_type;
 type sysfs_mdnie, fs_type, sysfs_type;
 type sysfs_sec, fs_type, sysfs_type;
 type sysfs_wifi_writeable, fs_type, sysfs_type;
diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts
index 38350b2..98c7f5a 100644
--- a/sepolicy/common/file_contexts
+++ b/sepolicy/common/file_contexts
@@ -43,5 +43,9 @@
 /sys/devices/virtual/graphics/fb0/csc_cfg u:object_r:sysfs_graphics:s0
 /sys/devices/virtual/lcd/panel(/.*)? u:object_r:sysfs_graphics:s0
 
+# sysfs - iio
+/sys/bus/iio/devices(/.*)? u:object_r:sysfs_iio:s0
+/sys/devices/[a-f0-9]+\.spi/spi_master/spi[0-9]+/spi[0-9]+\.0/iio:device[0-9](/.*)? u:object_r:sysfs_iio:s0
+
 # sysfs - mdnie
 /sys/devices/virtual/mdnie/mdnie(/.*)? u:object_r:sysfs_mdnie:s0
diff --git a/sepolicy/common/hal_sensors_default.te b/sepolicy/common/hal_sensors_default.te
index 8c87d8e..f42fff7 100644
--- a/sepolicy/common/hal_sensors_default.te
+++ b/sepolicy/common/hal_sensors_default.te
@@ -1,2 +1,6 @@
 allow hal_sensors_default sysfs_graphics:dir search;
 allow hal_sensors_default sysfs_graphics:file r_file_perms;
+
+allow hal_sensors_default sysfs_iio:dir r_dir_perms;
+allow hal_sensors_default sysfs_iio:file rw_file_perms;
+allow hal_sensors_default sysfs_iio:lnk_file read;
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
index 3b46b63..785a676 100644
--- a/sepolicy/common/init.te
+++ b/sepolicy/common/init.te
@@ -1,6 +1,9 @@
+allow init sysfs_iio:lnk_file read;
+
 allow init sysfs_graphics:file r_file_perms;
 
 allow init {
 sysfs_graphics
+sysfs_iio
 sysfs_mdnie
 }:file setattr;
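Review bot: The new device-path entry `/sys/devices/[a-f0-9]+\.spi/spi_master/spi[0-9]+/spi[0-9]+\.0/iio:device[0-9](/.*)?` only matches a single-digit device index and chip-select 0, so an `iio:device10` or a sensor on another chip select would keep the plain `sysfs` label and the write/setattr denials from the commit message would come back; widening the index to `iio:device[0-9]+(/.*)?` is the cheap part of that. Separately, file_contexts entries under /sys do not take effect on their own: sysfs is not labelled from file_contexts at mount time, so something (typically a `restorecon_recursive` in an init .rc, presumably next to whatever chowns `length` for the HAL) has to relabel these paths, and this patch touches no .rc — worth confirming that relabel exists or the labels will never be applied. The `/sys/bus/iio/devices` entries are symlinks to the device path, which is why both domains in this series also need `lnk_file read` to follow them.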
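Review bot: `allow hal_sensors_default sysfs_iio:file rw_file_perms;` grants write on every attribute under both labelled paths, while the denials quoted in the commit show exactly one write, to `length`; anything else writable under those nodes becomes reachable from the sensors HAL domain even though nothing here says it needs it. If `length` (and perhaps a buffer enable node) is the only attribute the HAL writes, a narrower label on just those nodes — say `sysfs_iio_writable` with `rw_file_perms`, keeping `sysfs_iio:file r_file_perms` here — would keep the rest read-only, mirroring how `sysfs_wifi_writeable` is already split out in file.te. At minimum a comment such as `# rw is for buffer/length (write denial ino=26482); narrow if more attrs get labelled` would record the intent for the next person to touch this file. The `lnk_file read` rule is the expected pairing with the `/sys/bus/iio/devices` symlinks and looks fine.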