SELinux rules for i2c files in sysfs in Android

I created kernel driver as loadable module for one of my I2C devices. The driver creates few sysfs file under I2C corresponding folder (/sys/devices/i2c/i2c-0/0-0008/) using instantiation through new_device file (/sys/devices/i2c/i2c-0/new_device).

Lollipop enforced SELinux so I need to create rules for my applications that need access to the device's sysfs file. Mostly these are system applications (they fall into definition of platform_app in the Android SELinux). Problem is that applications in any application domain are not allowed to write to sysfs files:

neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;

So I decided to create file context exclusively for my device:

file_context:

/sys/devices/i2c-0/0-0008(/.*)?                     u:object_r:sysfs_mydeviceic:s0

The result is interesting: default driver files and folders like name and uevent etc. get the proper context but not the files created by the sysfs part of the I2C driver:

root@android:/sys/devices/i2c-0/0-0008 # ls -Z
--w--w--w- root     root              u:object_r:sysfs:s0 data
lrwxrwxrwx root     root              u:object_r:sysfs_mydeviceic:s0 driver -> ../../../bus/i2c/drivers/mydevice
-rw-rw-rw- root     root              u:object_r:sysfs:s0 locked
-r--r--r-- root     root              u:object_r:sysfs_mydeviceic:s0 modalias
-r--r--r-- root     root              u:object_r:sysfs_mydeviceic:s0 name
drwxr-xr-x root     root              u:object_r:sysfs_mydeviceic:s0 power
-rw-rw-rw- root     root              u:object_r:sysfs:s0 protection
-rw-rw-rw- root     root              u:object_r:sysfs:s0 state
lrwxrwxrwx root     root              u:object_r:sysfs_mydeviceic:s0 subsystem -> ../../../bus/i2c
-rw-r--r-- root     root              u:object_r:sysfs_mydeviceic:s0 uevent

I'm looking for help how to proceed with this problem: if I still want to convert sysfs context into sysfs_mydeviceic for the rest of the files, then how to do this? Or is there other way to enable writing to sysfs files by the applications?

DmitryF. asked Dec 01 '14 10:12


1 Answer

I ran into the same problem when porting some drivers to Android 5. It seems that not all sysfs files are put into the correct selinux context. This only seems to happen for devices instantiated dynamically through new_device.

The solution for me was to trigger selinux to restore the file contexts using restorecon(8). In the same script you use to instantiate your device, execute the following command:

restorecon -r /sys/devices/i2c-2/

The -r flag tells restorecon to work recursively. If you prefer, you can also list every file individually.

If you use the Android init scripts (such as /init.rc), there is another command available:

restorecon_recursive /sys/devices/i2c-2/

Again, there is the restorecon command which only restores single files. See the SEAndroid documentation for details.

honggoff answered Sep 19 '22 12:09
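The listing in the question shows the failure mode and the answer's fix is a relabel pass, so the check a practitioner wants after running restorecon is "does every entry under the device directory now carry the label file_contexts assigns it?". The script below is an added example, not code from the question, the answer or Android itself: it parses file_contexts entries and `ls -Z` output (both embedded here as constructed samples copied from the question, plus an assumed generic `/sys(/.*)?` entry standing in for the base policy's sysfs rule) and reports entries whose on-disk label disagrees with the policy. It assumes libselinux's matching semantics, where the regex must match the whole path and the last matching entry in the file wins; the optional type field in file_contexts entries (`--`, `-d`, `-l`) is not handled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the question's file_contexts entry plus an assumed generic
# sysfs entry that stands in for the base policy's rule for everything else.
FILE_CONTEXTS = """
/sys(/.*)?                               u:object_r:sysfs:s0
/sys/devices/i2c-0/0-0008(/.*)?          u:object_r:sysfs_mydeviceic:s0
"""

# Constructed sample: the `ls -Z` listing from the question, in toolbox format
# (perms user group context name [-> target]).
LS_Z_OUTPUT = """
--w--w--w- root     root              u:object_r:sysfs:s0 data
lrwxrwxrwx root     root              u:object_r:sysfs_mydeviceic:s0 driver -> ../../../bus/i2c/drivers/mydevice
-rw-rw-rw- root     root              u:object_r:sysfs:s0 locked
-r--r--r-- root     root              u:object_r:sysfs_mydeviceic:s0 modalias
-r--r--r-- root     root              u:object_r:sysfs_mydeviceic:s0 name
drwxr-xr-x root     root              u:object_r:sysfs_mydeviceic:s0 power
-rw-rw-rw- root     root              u:object_r:sysfs:s0 protection
-rw-rw-rw- root     root              u:object_r:sysfs:s0 state
lrwxrwxrwx root     root              u:object_r:sysfs_mydeviceic:s0 subsystem -> ../../../bus/i2c
-rw-r--r-- root     root              u:object_r:sysfs_mydeviceic:s0 uevent
"""


def parse_file_contexts(text: str) -> List[Tuple[re.Pattern, str]]:
    """Parse file_contexts lines into (compiled regex, context) pairs, keeping file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Entries are "<regex> [<type>] <context>"; the type field is ignored here.
        specs.append((re.compile(parts[0]), parts[-1]))
    return specs


def expected_context(specs: List[Tuple[re.Pattern, str]], path: str) -> Optional[str]:
    """Label file_contexts assigns to a full path: last entry whose regex matches the whole path wins."""
    for pattern, context in reversed(specs):
        if pattern.fullmatch(path):
            return context
    return None


def parse_ls_z(text: str) -> Dict[str, str]:
    """Map each entry name in toolbox `ls -Z` output to its security context."""
    labels = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        labels[parts[4]] = parts[3]  # symlink targets after "->" are ignored
    return labels


def find_mislabeled(file_contexts: str, ls_z: str, directory: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (actual, expected)} for entries whose on-disk label differs from policy."""
    specs = parse_file_contexts(file_contexts)
    mismatches = {}
    for name, actual in parse_ls_z(ls_z).items():
        expected = expected_context(specs, f"{directory.rstrip('/')}/{name}")
        if expected is not None and expected != actual:
            mismatches[name] = (actual, expected)
    return mismatches


if __name__ == "__main__":
    bad = find_mislabeled(FILE_CONTEXTS, LS_Z_OUTPUT, "/sys/devices/i2c-0/0-0008")
    for name, (actual, expected) in sorted(bad.items()):
        print(f"{name}: labeled {actual}, file_contexts says {expected}")
```

Run against the question's listing it reports exactly the four driver-created files (data, locked, protection, state) as still carrying u:object_r:sysfs:s0; run against a listing captured after the answer's `restorecon -r` it should report nothing, which is the condition to check before granting any app domain write access to the new type.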