From cd40aa0ab7aa2a54b2fe8f3b20c85e6f64b5b291 Mon Sep 17 00:00:00 2001
From: chrisweir
Date: Thu, 14 Nov 2019 09:32:32 -0800
Subject: [PATCH] Modify SEPolicy to support SLCAN

SLCAN setup requires certain ioctls and read/write operations to certain tty's. This change allows the HAL to set up SLCAN devices while complying with SEPolicy. In addition to adding support for SLCAN, I've also included permissions for using setsockopt. In order for the CAN HAL receive error frames from the CAN bus controller, we need to first set the error mask and filter via setsockopt.

Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
---
 private/compat/29.0/29.0.ignore.cil | 1 +
 private/file_contexts | 2 ++
 public/hal_can.te | 3 +++
 vendor/hal_can_socketcan.te | 12 +++++++++++-
 4 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88e6efd9a..a9864d31b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -36,6 +36,7 @@
 system_jvmti_agent_prop
 system_passwd_file
 timezonedetector_service
+ usb_serial_device
 userspace_reboot_prop
 userspace_reboot_exported_prop
 vendor_apex_file
diff --git a/private/file_contexts b/private/file_contexts
index 2ec5b2f0f..2b19fd5bb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -164,6 +164,8 @@
 /dev/tty u:object_r:owntty_device:s0
 /dev/tty[0-9]* u:object_r:tty_device:s0
 /dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/ttyUSB[0-9]* u:object_r:usb_serial_device:s0
+/dev/ttyACM[0-9]* u:object_r:usb_serial_device:s0
 /dev/tun u:object_r:tun_device:s0
 /dev/uhid u:object_r:uhid_device:s0
 /dev/uinput u:object_r:uhid_device:s0
diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b36..eb68e461d 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
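Review bot: The two patterns added to private/file_contexts, `/dev/ttyUSB[0-9]*` and `/dev/ttyACM[0-9]*`, match every USB serial and CDC-ACM node, not only SLCAN adapters. The chr_file access this commit grants to hal_can_socketcan therefore reaches any modem, GPS receiver or debug adapter that enumerates under those names. That scope should be stated next to the entries, for example `# All USB serial / CDC-ACM ttys share this label; hal_can_socketcan is granted access for SLCAN`. Whether any device already relies on the previous labelling of these nodes cannot be checked from this hunk and is worth confirming before merge.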
@@ -7,3 +7,6 @@ allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager f
 binder_call(hal_can_bus_client, hal_can_bus_server)
 add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
 allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+
+# USB serial type for SLCAN
+type usb_serial_device, dev_type;
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 9ee37fd61..afa1311b2 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -16,7 +16,7 @@ allowxperm hal_can_socketcan self:udp_socket ioctl {
 };
 # Communicating with SocketCAN interfaces and bringing them up/down
-allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
 allowxperm hal_can_socketcan self:can_socket ioctl {
 SIOCGIFFLAGS
 SIOCSIFFLAGS
@@ -24,3 +24,13 @@ allowxperm hal_can_socketcan self:can_socket ioctl {
 # Un-publishing ICanBus interfaces
 allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
+
+allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
+allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
+ TCGETS
+ TCSETSW
+ TIOCGSERIAL
+ TIOCSSERIAL
+ TIOCSETD
+ SIOCGIFNAME
+};
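Review bot: `type usb_serial_device, dev_type;` is declared in public/hal_can.te, yet the same commit applies the label to every /dev/ttyUSB* and /dev/ttyACM* node, which makes it a general device type and not one owned by the CAN HAL. Device types are normally declared together in public/device.te, where other domains that later need USB serial access would look for it. Consider moving the declaration there and rewording the comment to describe the devices, for example `# USB serial and CDC-ACM tty devices`, instead of the single consumer.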
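Review bot: The `allow`/`allowxperm` pair on `usb_serial_device:chr_file` at the end of vendor/hal_can_socketcan.te has no comment, although every other rule group visible in this file is introduced by one. Two of the whitelisted ioctls deserve a stated reason: TIOCSETD changes the tty line discipline, and SIOCGIFNAME is a network-interface ioctl that looks out of place on a chr_file; it is presumably needed because the slcan line discipline answers it on the tty. A comment such as `# SLCAN: configure the serial port, attach the slcan line discipline (TIOCSETD) and read back the created interface name (SIOCGIFNAME)` would let a later audit confirm the list is minimal. TIOCSSERIAL should likewise be justified or dropped if only TIOCGSERIAL is used.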