authorVishal Mahaveer <vishalm@ti.com>2017-04-27 13:18:06 -0400
committerVishal Mahaveer <vishalm@ti.com>2017-04-27 14:37:49 -0400
commitaee844f77a2bb0354a78111f8e45a644f99f1d5b (patch)
tree1ba91efb6230b8d067f4c25c0e38103928f0c5d3
parent86ef7cc803ef9b425a4ee9a2c6d81edb7b1b9cbd (diff)
jacinto6evm: sepolicy: update rules for N
- Allow pvrinit to access sysfs - Add configfs rules that are not covered in core policies - allow mediacodec to access rpmsg device Change-Id: Ib6e046955adaa4e58b1c76e953bb8c8eacbf85f1 Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
-rw-r--r--sepolicy/init-cpuset-sh.te2
-rw-r--r--sepolicy/init.te3
-rw-r--r--sepolicy/mediacodec.te1
-rw-r--r--sepolicy/pvr.te3
4 files changed, 8 insertions, 1 deletions
diff --git a/sepolicy/init-cpuset-sh.te b/sepolicy/init-cpuset-sh.te
index 4547c45..2216660 100644
--- a/sepolicy/init-cpuset-sh.te
+++ b/sepolicy/init-cpuset-sh.te
@@ -4,4 +4,4 @@ type init-cpuset-sh_exec, exec_type, file_type;
init_daemon_domain(init-cpuset-sh)
allow init-cpuset-sh system_file:file execute_no_trans;
-allow init-cpuset-sh shell_exec:file read;
+allow init-cpuset-sh shell_exec:file { read getattr };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 554ddb2..06da5fe 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -4,3 +4,6 @@ allow init self:capability sys_module;
allow init tmpfs:lnk_file create_file_perms;
# Allow module insertion
allow init system_file:system module_load;
+# Configfs
+allow init configfs:file write;
+allow init configfs:lnk_file { create unlink } ;
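Review bot: The `# Configfs` comment over the two new init rules does not say which configfs consumer needs them. Because `configfs` is the generic type for the whole mount, the grant lets init write any configfs file and create or unlink any configfs symlink, not just one subtree. I would expand the comment to name the user, e.g. `# init.rc configures <subsystem> via configfs: writes attributes, links/unlinks functions`, with the subsystem filled in by the author. If only one subtree is involved, a dedicated label for it would keep init's write access narrower; whether the platform's configfs labelling supports that is not visible from this hunk.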
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..290055e
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec rpmsg_device:chr_file { rw_file_perms };
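Review bot: The single rule in the new mediacodec.te gives a domain that parses untrusted media read/write access to the rpmsg character device, and `rw_file_perms` also carries ioctl, yet the file has no comment saying which codec path needs it. A one-line comment such as `# <codec component> reaches the remote processor over rpmsg` would let a later reviewer judge whether the grant is still required. It is worth confirming in file_contexts (not part of this commit) that `rpmsg_device` labels only the nodes the codec uses. As a style point, the braces around a lone macro are redundant; `allow mediacodec rpmsg_device:chr_file rw_file_perms;` matches the form pvr.te already uses for `gpu_device`.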
diff --git a/sepolicy/pvr.te b/sepolicy/pvr.te
index 1e9cfa8..747ee36 100644
--- a/sepolicy/pvr.te
+++ b/sepolicy/pvr.te
@@ -10,3 +10,6 @@ allow pvr gpu_device:chr_file rw_file_perms;
# allow graphics driver initialization
allow pvr self:capability sys_module;
allow pvr system_file:system module_load;
+
+# allow reading /sys/devices/soc0/machine
+allow pvr sysfs:file { r_file_perms };
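Review bot: The comment on the new pvr rule says only `/sys/devices/soc0/machine` has to be read, but `allow pvr sysfs:file { r_file_perms };` grants read on every file that carries the generic `sysfs` label. A narrower form is to give that node its own type and grant on it, for example `type sysfs_soc, fs_type, sysfs_type;` plus a file_contexts entry for `/sys/devices/soc0/machine` and `allow pvr sysfs_soc:file r_file_perms;`. The type name is only a suggestion. If the broad grant is kept deliberately, the comment should say so rather than name a single path.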