authordcashman <dcashman@google.com>2015-12-11 14:58:17 -0800
committerdroidfivex <droidfivex@gmail.com>2016-11-24 19:05:36 +0900
commitf7e9b800dbc4e748c38cf9054102dec1d70e6cb8 (patch)
treeb8c75425d5785930f59ddc438726f29137bce784
parent55328a6e6d99e95ae67490a673951285fbc7bf93 (diff)
Label gpuclk as sysfs_thermal file and add perms.
Current sepolicy grants excessive access to sysfs when in reality only a small portion need be exposed to apps. Label this small portion appropriately with a future goal of removing the general sysfs access. Address the following denials: 08-15 01:55:29.061 194 194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 01:55:29.621 365 365 W BootAnimation: type=1400 audit(0.0:8): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 01:56:23.580 994 994 W Thread-1: type=1400 audit(0.0:11): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 01:56:28.130 1626 1626 W RenderThread: type=1400 audit(0.0:13): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 01:56:28.280 1037 1037 W ndroid.systemui: type=1400 audit(0.0:14): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 04:01:55.481 194 194 W surfaceflinger: type=1400 audit(0.0:7): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 04:01:55.871 367 367 W BootAnimation: type=1400 audit(0.0:8): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 04:02:06.030 908 908 W Thread-1: type=1400 audit(0.0:11): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 
tclass=file permissive=0 08-15 04:02:09.780 1527 1527 W RenderThread: type=1400 audit(0.0:13): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 04:02:10.500 943 943 W ndroid.systemui: type=1400 audit(0.0:14): avc: denied { open } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 05:22:56.680 3211 3211 W RenderThread: type=1400 audit(0.0:22): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 08-15 05:23:13.180 3401 3401 W RenderThread: type=1400 audit(0.0:25): avc: denied { read } for name="gpuclk" dev="sysfs" ino=11974 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Also move radio rule to radio.te from app.te. Bug: 22032619 Change-Id: I7c2839486ebfaaeaaf34b46125b3dcac5758b882
-rw-r--r--sepolicy/app.te3
-rw-r--r--sepolicy/bootanim.te1
-rw-r--r--sepolicy/file_contexts10
-rw-r--r--sepolicy/surfaceflinger.te2
-rw-r--r--sepolicy/system_server.te2
5 files changed, 12 insertions, 6 deletions
diff --git a/sepolicy/app.te b/sepolicy/app.te
index be505dc..a184cf6 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1,2 +1 @@
-# Grant access to qmux socket that is created by rild
-allow radio qmuxd_socket:sock_file rw_file_perms;
+allow appdomain sysfs_thermal:file r_file_perms;
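Review bot: The removed line `allow radio qmuxd_socket:sock_file rw_file_perms;` is not re-added anywhere in this commit — the diffstat lists only app.te, bootanim.te, file_contexts, surfaceflinger.te and system_server.te, no radio.te — so as committed this is a straight deletion of rild's qmuxd socket access rather than the move the message describes; confirm the radio.te counterpart landed in a separate change, otherwise qmuxd access regresses. The new `allow appdomain sysfs_thermal:file r_file_perms;` grants read to every app domain, including untrusted_app, on everything carrying the sysfs_thermal label, so the label's scope in file_contexts is now effectively the app-visible surface and any future file given that label becomes world-app-readable. A one-line comment above the rule would make that coupling visible to the next editor, e.g. `# sysfs_thermal is readable by all apps (gpuclk/max_gpuclk); keep the label limited to files apps must see.` Also note that the bootanim.te, surfaceflinger.te and system_server.te hunks grant the same permission per domain, which is redundant for any domain already covered by appdomain but not for these native/system domains.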
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..8e44660
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+allow bootanim sysfs_thermal:file r_file_perms;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7179095..cf8b659 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -25,10 +25,12 @@
###################################
# sysfs files
#
-/sys/class/android_usb/f_rmnet_smd_sdio/transport -- u:object_r:sysfs_rmnet:s0
-/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport -- u:object_r:sysfs_rmnet:s0
-/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state -- u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/virtual/timed_output/vibrator/amp -- u:object_r:sysfs_hardware:s0
+/sys/class/android_usb/f_rmnet_smd_sdio/transport u:object_r:sysfs_rmnet:s0
+/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport u:object_r:sysfs_rmnet:s0
+/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/timed_output/vibrator/amp u:object_r:sysfs_hardware:s0
+/sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_thermal:s0
+/sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk u:object_r:sysfs_thermal:s0
###################################
# data files
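Review bot: The `--` file-type qualifier is dropped from the four pre-existing sysfs entries (the rmnet transport, rfkill state and vibrator amp lines) while their labels are unchanged, and the commit message does not mention this; with the qualifier gone each pattern matches any object type at that path, not only regular files, so this should either be called out as intentional or the qualifier restored, e.g. `/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state -- u:object_r:sysfs_bluetooth_writable:s0`. The two new gpuclk entries are added in the same unqualified form. Since sysfs paths are only as stable as the device tree node name (`fdb00000\.qcom,kgsl-3d0`), a short comment such as `# kgsl GPU clock nodes, exposed read-only to apps via sysfs_thermal` would record why these two files, and only these, are labeled this way.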
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 3b61d83..4477be2 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,2 +1,4 @@
allow surfaceflinger mpctl_socket:dir r_dir_perms;
allow surfaceflinger mpctl_socket:sock_file rw_file_perms;
+
+allow surfaceflinger sysfs_thermal:file r_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 2ee5d60..dbb2532 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -17,6 +17,8 @@ allow system_server persist_file:dir rw_file_perms;
allow system_server sysfs_usb_supply:dir search;
allow system_server sysfs_usb_supply:file r_file_perms;
+allow system_server sysfs_thermal:file r_file_perms;
+
# Perfd
allow system_server mpctl_socket:dir r_dir_perms;
allow system_server mpctl_socket:sock_file rw_file_perms;