What are the correct sepolicy entries for GPIO access


Dave McLaughlin

May 26, 2020, 10:55:31 AM
to android-porting
I can set the GPIO manually from the command line through the debug port by going to SU mode.

I can't get access to the GPIO from the Android JNI. I get permission denied in the debug output. Setting the GPIO in export works, as the new GPIO folder for that pin appears in /sys/class/gpio, but any attempt to access the underlying directories to set the direction or value gets permission denied.

I've even tried to create the GPIO in the init.rc file and set suitable access, but this still fails to work. SELinux seems to be the culprit.

The following is the output from debug when I try to export GPIO32 and then set direction.

[  532.695168] type=1400 audit(1590299645.070:43): avc: denied { read write } for pid=4246 comm="on.torquelogger" name="export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[  532.695984] type=1400 audit(1590299645.070:43): avc: denied { read write } for pid=4246 comm="on.torquelogger" name="export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[  532.696053] type=1400 audit(1590299645.070:44): avc: denied { open } for pid=4246 comm="on.torquelogger" path="/sys/class/gpio/export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

I tried to add the following to untrusted_app.te but it fails to build. Using the 

allow untrusted_app sysfs:file {read write open};

This gives a build error (neverallow base_typeattr_197 sysfs (file (write))

Any clues on how to create the policy to allow GPIO access from the user program? This will run on dedicated hardware and not user phones.

Jerry Naidoo

May 27, 2020, 11:05:43 AM
to android-porting
What changes did you make to the init.rc, and did you insert them into the "on boot" segment?
Also, you may want to add androidboot.selinux=permissive to the kernel command line.

Channing You

May 27, 2020, 11:05:46 AM
to android-porting
The kernel message "permissive=1" shows that SELinux is running in permissive mode, so it may not be SELinux that blocks your operation.

For a sepolicy conflict, the build error message should look like this:

libsepol.report failure: neverallow on line 489 of system/sepolicy/private/app.te (or line 22022 of policy.conf) violated by allow system_app sysfs:file { write ); 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
 
which tells you the exact location of the neverallow rule you broke; then you could remove the app domain from the rule if you insist, like this:
neverallow { -appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;

Or just disable selinux for test.
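
The two points made in this thread, that a "permissive=1" denial was only logged and never blocked anything, and that an allow rule written straight from the denial can collide with a neverallow, can be checked mechanically. The script below is an added example for this thread, not code from any of the posters or from AOSP: it parses kernel avc lines of the shape quoted above, separates enforced denials from logged-only ones, merges denials into the allow rule audit2allow would propose, and tests that rule against a simplified neverallow modelled on the one quoted in the reply. The attribute membership table, the class set expansion and the third (permissive=0) log line are constructed for the example and are not a dump of real policy.

```python
"""Triage SELinux avc denials from an Android kernel log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input. The first two lines follow the denials quoted in
# the thread; the third is invented to show an enforcing (permissive=0) denial.
SAMPLE_LOG = """\
[  532.695168] type=1400 audit(1590299645.070:43): avc: denied { read write } for pid=4246 comm="on.torquelogger" name="export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[  532.696053] type=1400 audit(1590299645.070:44): avc: denied { open } for pid=4246 comm="on.torquelogger" path="/sys/class/gpio/export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[  540.000000] type=1400 audit(1590299653.000:45): avc: denied { write } for pid=4300 comm="example_daemon" name="value" dev="sysfs" ino=3900 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    source_domain: str   # third field of scontext, e.g. untrusted_app
    target_type: str     # third field of tcontext, e.g. sysfs
    tclass: str
    permissive: bool     # True: logged only, the access actually went through
    path: Optional[str]  # path= when present, otherwise name=


def parse_avc_line(line: str) -> Optional[Denial]:
    """Return a Denial for one kernel avc line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        return Denial(
            perms=tuple(sorted(m.group("perms").split())),
            source_domain=fields["scontext"].split(":")[2],
            target_type=fields["tcontext"].split(":")[2],
            tclass=fields["tclass"],
            permissive=fields.get("permissive") == "1",
            path=fields.get("path") or fields.get("name"),
        )
    except (KeyError, IndexError):
        return None  # malformed line: context fields missing


def parse_log(text: str) -> List[Denial]:
    return [d for d in (parse_avc_line(ln) for ln in text.splitlines()) if d]


def enforced_denials(denials: List[Denial]) -> List[Denial]:
    """Only permissive=0 denials actually stopped the caller."""
    return [d for d in denials if not d.permissive]


def candidate_rules(denials: List[Denial]) -> List[str]:
    """Merge denials per (domain, type, class) into allow rules, as audit2allow does."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for d in denials:
        merged.setdefault((d.source_domain, d.target_type, d.tclass), set()).update(d.perms)
    return [f"allow {dom} {typ}:{cls} {{ {' '.join(sorted(p))} }};"
            for (dom, typ, cls), p in sorted(merged.items())]


# Constructed, simplified policy data for the neverallow check.
ATTRIBUTES = {"appdomain": {"untrusted_app", "system_app", "platform_app", "bluetooth", "nfc"}}
CLASS_SETS = {"dir_file_class_set": {"dir", "file", "lnk_file", "sock_file",
                                     "fifo_file", "chr_file", "blk_file"}}


@dataclass(frozen=True)
class NeverAllow:
    sources: frozenset    # positive domain names or attributes
    excluded: frozenset   # names subtracted with a leading '-'
    target: str
    classes: frozenset    # class names or class sets
    perms: frozenset


# Modelled on the sysfs write neverallow quoted in the reply above (simplified).
SYSFS_WRITE = NeverAllow(frozenset({"appdomain"}), frozenset({"bluetooth", "nfc"}),
                         "sysfs", frozenset({"dir_file_class_set"}), frozenset({"write"}))


def expand(names, table: Dict[str, Set[str]]) -> Set[str]:
    out: Set[str] = set()
    for n in names:
        out |= table.get(n, {n})
    return out


def violations(denials: List[Denial], rule: NeverAllow) -> List[str]:
    """List the denials whose would-be allow rule this neverallow forbids."""
    src = expand(rule.sources, ATTRIBUTES) - expand(rule.excluded, ATTRIBUTES)
    classes = expand(rule.classes, CLASS_SETS)
    hits = []
    for d in denials:
        if d.source_domain in src and d.target_type == rule.target and d.tclass in classes:
            bad = rule.perms & set(d.perms)
            if bad:
                hits.append(f"{d.source_domain} {d.target_type}:{d.tclass} {{ {' '.join(sorted(bad))} }}")
    return hits


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for d in found:
        state = "LOGGED ONLY" if d.permissive else "BLOCKED    "
        print(f"{state} {d.source_domain} -> {d.target_type}:{d.tclass} {d.perms} {d.path}")
    for r in candidate_rules(found):
        print(r)
    for v in violations(found, SYSFS_WRITE):
        print("neverallow conflict:", v)
```

Run against the sample, the two untrusted_app lines come out as logged only, so whatever denied the JNI call was not SELinux; the merged candidate rule for them is exactly the one that fails the build in the first post, and the neverallow check names the write permission as the part it rejects.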

Dave McLaughlin

May 29, 2020, 2:26:57 PM
to android-porting
Thanks for the reply. I was able to get it working by changing the permissions in the on boot segment for /sys/class/gpio to 0666 instead of 0660 and now I can control the GPIO from user space.

SELinux was in permissive mode, so the messages I was seeing were for debugging only. Didn't spot that at first. Oops.

I did have an issue with one of the GPIO pins, but checking /sys/kernel/debug/gpio I found that the camera was taking that for the flash trigger control. Changing the XML sorted that one out. There is no camera flash anyway.