From b0841be5196765a228cac78e145bbe239e0f92b9 Mon Sep 17 00:00:00 2001
From: iusmac
Date: Wed, 23 Mar 2022 22:47:28 +0800
Subject: [PATCH] sdm660-common: sepolicy: Adress IORap usap_pool denial

W FinalizerDaemon: type=1400 audit(0.0:532): avc: denied { getopt } for path="/dev/socket/usap_pool_primary" scontext=u:rradios0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket permissive=0

Signed-off-by: pix106
---
 sepolicy/private/untrusted_app.te | 1 +
 sepolicy/vendor/platform_app.te | 2 ++
 sepolicy/vendor/priv_app.te | 1 +
 sepolicy/vendor/system_app.te | 1 +
 sepolicy/vendor/timeservice_app.te | 1 +
 5 files changed, 6 insertions(+)
 create mode 100644 sepolicy/private/untrusted_app.te
 create mode 100644 sepolicy/vendor/timeservice_app.te

diff --git a/sepolicy/private/untrusted_app.te b/sepolicy/private/untrusted_app.te
new file mode 100644
index 00000000..478403a4
--- /dev/null
+++ b/sepolicy/private/untrusted_app.te
@@ -0,0 +1 @@
+allow untrusted_app zygote:unix_stream_socket { getopt };
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
index 5d1eb0ba..29fb6c49 100644
--- a/sepolicy/vendor/platform_app.te
+++ b/sepolicy/vendor/platform_app.te
@@ -1 +1,3 @@
+allow platform_app zygote:unix_stream_socket { getopt };
+
 get_prop(platform_app, exported_camera_prop)
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
index b830df83..cc7b204e 100644
--- a/sepolicy/vendor/priv_app.te
+++ b/sepolicy/vendor/priv_app.te
@@ -1 +1,2 @@
 allow priv_app sysfs_graphics:file { open read };
+allow priv_app zygote:unix_stream_socket { getopt };
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index bede6c45..69d0d13b 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -14,6 +14,7 @@ allow system_app sysfs_micgain:file rw_file_perms; allow system_app sysfs_earpiecegain:file rw_file_perms; allow system_app sysfs_zram:dir search; allow system_app sysfs_zram:file r_file_perms; +allow system_app zygote:unix_stream_socket { getopt }; get_prop(system_app, system_prop); set_prop(system_app, system_prop);
diff --git a/sepolicy/vendor/timeservice_app.te b/sepolicy/vendor/timeservice_app.te
new file mode 100644
index 00000000..a897ae42
--- /dev/null
+++ b/sepolicy/vendor/timeservice_app.te
@@ -0,0 +1 @@
+allow timeservice_app zygote:unix_stream_socket { getopt };
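Review bot: The `allow timeservice_app zygote:unix_stream_socket { getopt };` rule, like the same rule added for `untrusted_app`, `platform_app`, `priv_app` and `system_app` in the other hunks, is not backed by the denial quoted in the commit message. That log shows a single `getopt` from FinalizerDaemon, and its scontext (garbled in the message, apparently the radio domain) is none of the five domains granted here. If the denial is only log noise from a socket inherited from zygote, which the FinalizerDaemon source suggests but the commit does not establish, `dontaudit timeservice_app zygote:unix_stream_socket getopt;` would silence it without giving every app domain, `untrusted_app` included, a new permission on zygote's socket. Whichever form is kept, each rule should carry a comment naming the denial it answers, e.g. `# getopt on usap_pool_primary fd, seen from FinalizerDaemon`, and the braces around the single permission can be dropped.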