Modify SEPolicy to support SLCAN

SLCAN setup requires certain ioctls and read/write operations to certain tty's. This change allows the HAL to set up SLCAN devices while complying with SEPolicy. In addition to adding support for SLCAN, I've also included permissions for using setsockopt. In order for the CAN HAL receive error frames from the CAN bus controller, we need to first set the error mask and filter via setsockopt. Test: manual Bug: 144458917 Bug: 144513919 Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
2019-11-14 09:32:32 -08:00 · 2019-11-14 09:32:32 -08:00 · cd40aa0ab7
commit cd40aa0ab7
parent d494872641
4 changed files with 17 additions and 1 deletions
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -36,6 +36,7 @@
    system_jvmti_agent_prop
    system_passwd_file
    timezonedetector_service
+    usb_serial_device
    userspace_reboot_prop
    userspace_reboot_exported_prop
    vendor_apex_file
--- a/private/file_contexts
+++ b/private/file_contexts
@ -164,6 +164,8 @@
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/ttyUSB[0-9]*	u:object_r:usb_serial_device:s0
+/dev/ttyACM[0-9]*	u:object_r:usb_serial_device:s0
 /dev/tun		u:object_r:tun_device:s0
 /dev/uhid		u:object_r:uhid_device:s0
 /dev/uinput		u:object_r:uhid_device:s0
--- a/public/hal_can.te
+++ b/public/hal_can.te
@ -7,3 +7,6 @@ allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager f
 binder_call(hal_can_bus_client, hal_can_bus_server)
 add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
 allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+
+# USB serial type for SLCAN
+type usb_serial_device, dev_type;
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@ -16,7 +16,7 @@ allowxperm hal_can_socketcan self:udp_socket ioctl {
 };

 # Communicating with SocketCAN interfaces and bringing them up/down
-allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
 allowxperm hal_can_socketcan self:can_socket ioctl {
    SIOCGIFFLAGS
    SIOCSIFFLAGS
@ -24,3 +24,13 @@ allowxperm hal_can_socketcan self:can_socket ioctl {

 # Un-publishing ICanBus interfaces
 allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
+
+allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
+allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
+    TCGETS
+    TCSETSW
+    TIOCGSERIAL
+    TIOCSSERIAL
+    TIOCSETD
+    SIOCGIFNAME
+};