Merge "Handle some diag-related denials."android-o-mr1-iot-preview-8o-mr1-iot-preview-8

3 files changed, 9 insertions, 0 deletions

diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te
index d2638aff..2264399b 100644
--- a/sepolicy/vendor/hal_gnss_qti.te
+++ b/sepolicy/vendor/hal_gnss_qti.te
@@ -32,8 +32,10 @@ allow hal_gnss_qti self:netlink_route_socket { bind create nlmsg_read read write
 
 userdebug_or_eng(`
   allow hal_gnss_qti diag_device:chr_file rw_file_perms;
+  r_dir_file(hal_gnss_qti, sysfs_diag)
 ')
 dontaudit hal_gnss_qti diag_device:chr_file rw_file_perms;
+dontaudit hal_gnss_qti sysfs_diag:dir search;
 
 # Most HALs are not allowed to use network sockets. Qcom library
 # libqdi is used across multiple processes which are clients of
diff --git a/sepolicy/vendor/qti.te b/sepolicy/vendor/qti.te
index e71ac822..be32d8c1 100644
--- a/sepolicy/vendor/qti.te
+++ b/sepolicy/vendor/qti.te
@@ -17,5 +17,7 @@ r_dir_file(qti, sysfs_msm_subsys)
 
 userdebug_or_eng(`
   allow qti diag_device:chr_file rw_file_perms;
+  r_dir_file(qti, sysfs_diag)
 ')
 dontaudit qti diag_device:chr_file rw_file_perms;
+dontaudit qti sysfs_diag:dir search;
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index bd704c21..b301da2d 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -24,3 +24,8 @@ r_dir_file(radio, sysfs_msm_subsys)
 allow radio avtimer_device:chr_file r_file_perms;
 
 binder_call(radio, hal_imsrtp)
+
+userdebug_or_eng(`
+  allow radio diag_device:chr_file rw_file_perms;
+')
+dontaudit radio diag_device:chr_file rw_file_perms;