Hi All,
I am trying to write sepolicy for some denials; these are the denials for spidev:
01-01 07:05:02.329 19402 19402 I Thread-6: type=1400 audit(0.0:2125): avc: denied { read write } for name="spidev0.0" dev="tmpfs" ino=9555 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
01-01 07:05:02.329 19402 19402 I Thread-6: type=1400 audit(0.0:2126): avc: denied { open } for path="/dev/spidev0.0" dev="tmpfs" ino=9555 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
01-01 07:05:02.329 19402 19402 I Thread-6: type=1400 audit(0.0:2127): avc: denied { ioctl } for path="/dev/spidev0.0" dev="tmpfs" ino=9555 ioctlcmd=6b01 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
These are the patches that I made for those:
--- a/common/device.te
+++ b/common/device.te
@@ -75,7 +75,8 @@ type logdump_partition, dev_type;
#Bootselect partition
type bootselect_device, dev_type;
-#define usb_uicc_device for usb_uicc daemon
+#define usb_uicc_device for usb_uicc daemonecho 1009 >/sys/class/gpio/export
+
type usb_uicc_device, dev_type;
# Define IPA devices
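Review bot: The replacement comment on the `+#define usb_uicc_device ...` line has a shell command, `echo 1009 >/sys/class/gpio/export`, glued onto its end, which looks like an accidental paste rather than an intended policy change; the original comment `#define usb_uicc_device for usb_uicc daemon` should be kept unchanged so this hunk only adds the blank line. The hunk header says `-75,7 +75,8` but fewer context lines are visible, so some whitespace-only lines were probably lost in the mail; attaching the output of `git format-patch` would let reviewers apply it as-is.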
@@ -147,3 +148,6 @@ type at_device, dev_type;
#define Bluetooth device
type bt_device, dev_type;
+
+#define spidev for fingerprint sensors
+type spi_device, dev_type;
diff --git a/common/file_contexts b/common/file_contexts
index 8e27239..8ff434a 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -31,6 +31,7 @@
/dev/smem_log u:object_r:smem_log_device:s0
/dev/ttyHSL0 u:object_r:console_device:s0
/dev/ttyHSL1 u:object_r:selfdefined_device:s0
+/dev/spidev0.0 u:object_r:spi_device:s0
/dev/ttyMSM0 u:object_r:console_device:s0
/dev/ttyHS[0-9]* u:object_r:serial_device:s0
/dev/ttyGS0 u:object_r:gadget_serial_device:s0
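Review bot: The new `/dev/spidev0.0` entry is a regular expression, so the unescaped `.` matches any single character; escape it as `/dev/spidev0\.0 u:object_r:spi_device:s0` (or use a bounded pattern such as `/dev/spidev[0-9]+\.[0-9]+` if several SPI nodes must share the label) so that only the intended node is relabeled, consistent with the `/dev/ttyHS[0-9]*` entry above it. The denials quoted at the top of the mail show `tcontext=u:object_r:device:s0`, i.e. the node still carries the generic `device` label; until this file_contexts change is built into the image and the node is relabeled at creation, an allow rule on `spi_device` cannot match, which is a likely reason the policy appears not to work.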
diff --git a/common/platform_app.te b/common/platform_app.te
index 0edfee5..1ebdaaf 100644
--- a/common/platform_app.te
+++ b/common/platform_app.te
@@ -35,3 +35,5 @@ allow platform_app dpmservice:service_manager find;
#allow ttyHSL1 to interact
allow platform_app selfdefined_device:chr_file { write };
+
+allow {system_server untrusted_app shell system_app platform_app} spi_device:chr_file {read write open ioctl } ;
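Review bot: The new allow rule grants `untrusted_app` (every ordinary third-party app) and `shell` raw read/write/ioctl access to the SPI device node, which hands arbitrary apps direct control of the fingerprint sensor bus and is the kind of grant AOSP's neverallow rules on app domains are intended to reject, so the policy build may fail before anything reaches the device. The usual design is for only the HAL or daemon that drives the sensor to own `spi_device` and expose it to apps over Binder; if one privileged app domain genuinely must open the node, put that rule in that domain's own .te file rather than listing five unrelated domains in platform_app.te. The blanket `ioctl` permission should also be narrowed with an `allowxperm` rule to the SPI ioctl numbers the sensor code actually issues (the quoted denial shows `ioctlcmd=6b01`), for example `allowxperm platform_app spi_device:chr_file ioctl { 0x6b01 };`, instead of allowing every ioctl on the node.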
But it is not working.
Please help with writing the sepolicy…