From b5f7f28c26249fbd2f173720ecdc0927bd4b8ec9 Mon Sep 17 00:00:00 2001
From: Yifan Hong <elsk@google.com>
Date: Fri, 29 Jun 2018 14:58:38 -0700
Subject: [PATCH] full_treble: coredomain must not have access to
 sysfs_batteryinfo

... but should do it via health HAL and healthd.

Bug: 110891415
Test: builds
Change-Id: Ib124f82d31f1dfbe99a56475dba04a37f81bdca3
---
 public/domain.te | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 6b00e1264..6f603a6e7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1406,3 +1406,24 @@ neverallow {
   domain
   -coredomain
 } mnt_product_file:dir *;
+
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
+full_treble_only(`
+  neverallow {
+    coredomain
+    -healthd
+    -shell
+    # Generate uevents for health info
+    -ueventd
+    # Recovery uses health HAL passthrough implementation.
+    -recovery
+    # Charger uses health HAL passthrough implementation.
+    -charger
+    # TODO(b/110891300): remove this exception
+    -incidentd
+    # TODO(b/110890430): remove this exception
+    -perfprofd
+    # TODO(b/110891415, b/65643247): remove these exceptions
+    -vold
+  } sysfs_batteryinfo:file { open read };
+')
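Review bot: The `-shell` exemption in the new neverallow has no rationale comment, unlike `-ueventd`, `-recovery` and `-charger`, and shell is a broad domain to exclude from a `full_treble_only` boundary rule. A one-line comment above it saying why shell needs direct reads would let a later auditor judge whether the exception can be dropped. The rule also constrains only `{ open read }` on class `file`, so the header comment's "must not have access" overstates what is enforced; `# Platform must not open or read sysfs_batteryinfo files directly; use the health HAL or healthd instead` would match the rule. The last TODO says "these exceptions" but only `-vold` follows it, so either the wording or the list looks incomplete.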
-- 
GitLab