Run ModuleDetect in dedicated SELinux domain

System apps are not allowed to access sysfs entries anymore. Run
ModuleDetect in its own SELinux context and grant it sysfs access as
required to read camera information.

Issue: FP2P-543
Change-Id: I96924ad411fd03e3e195ac7feff7b1b550ed4e77
diff --git a/sepolicy/moduledetect_app.te b/sepolicy/moduledetect_app.te
new file mode 100644
index 0000000..df42ddf
--- /dev/null
+++ b/sepolicy/moduledetect_app.te
@@ -0,0 +1,9 @@
+type moduledetect_app, domain;
+
+app_domain(moduledetect_app)
+
+allow moduledetect_app activity_service:service_manager find;
+
+# Allow reading name of camera driver from /sys/class/video4linux
+r_dir_file(moduledetect_app, sysfs)
+r_dir_file(moduledetect_app, sysfs_graphics)
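Review bot: The `r_dir_file(moduledetect_app, sysfs)` rule grants read access to every node carrying the generic `sysfs` label, which is far wider than the `/sys/class/video4linux` entries the comment names. A least-privilege version would give the camera nodes their own type, for example `type sysfs_camera_info, fs_type, sysfs_type;` (suggested name) labelled through a `genfscon sysfs <device-specific video4linux path> u:object_r:sysfs_camera_info:s0` entry, and grant `r_dir_file(moduledetect_app, sysfs_camera_info)` instead. Traversing the parent directories may then still need `allow moduledetect_app sysfs:dir search;`, which should be confirmed on the device. The `sysfs_graphics` grant is not explained by the comment. Either name the file the app reads under that label or drop the rule if it is unused.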
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index bfd9aab..fd0e239 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,3 +1,5 @@
 # Assign priv_app domain to Updater when it's signed with the platform keys
 # Required for RecoverySystem interaction on Android 7
 user=_app seinfo=platform name=com.fairphone.updater domain=priv_app type=app_data_file levelFrom=user
+
+user=_app seinfo=platform name=com.fairphone.moduledetect domain=moduledetect_app levelFrom=user
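Review bot: The new `com.fairphone.moduledetect` entry has no comment and omits the `type=app_data_file` field that the Updater entry above it carries. Without `type=` the entry appears to be used for domain selection only, so the label of the app's data directory presumably comes from another matching entry outside this hunk. Spelling it out keeps the two entries parallel and the result explicit: `user=_app seinfo=platform name=com.fairphone.moduledetect domain=moduledetect_app type=app_data_file levelFrom=user`. A preceding line such as `# Run ModuleDetect in its own domain so it can read camera information from sysfs` would record why the entry exists.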