Allow recovery to read thermal info

We want to track temperature metrics during an OTA update. denial message: denied { search } for pid=349 comm="recovery" name="thermal" dev="sysfs" ino=18029 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 denied { read } for pid=326 comm="recovery" name="temp" dev="sysfs" ino=18479 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 36920500 Bug: 32518487 Test: temperature logs on angler Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e (cherry picked from commit 3da2f21f)

Allow recovery to read thermal info
We want to track temperature metrics during an OTA update. denial message: denied { search } for pid=349 comm="recovery" name="thermal" dev="sysfs" ino=18029 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 denied { read } for pid=326 comm="recovery" name="temp" dev="sysfs" ino=18479 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 36920500 Bug: 32518487 Test: temperature logs on angler Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e (cherry picked from commit 3da2f21f)
15bf1b52 · Tianjie Xu · 9337a4dd · 15bf1b52
Commit 15bf1b52 authored 7 years ago by Tianjie Xu
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,10 @@ recovery_only(`
  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+  # Read /sys/class/thermal/*/temp for thermal info.
+  allow recovery sysfs_thermal:dir search;
+  allow recovery sysfs_thermal:file r_file_perms;
  # Read files on /oem.
  r_dir_file(recovery, oemfs);