
Add new security policy in SElinux on Android 10


I want the /dev/i2c-1 device to be covered by the SELinux security policy on Android 10.

I have the source code for Android 10. I tried creating a .te file in /device/thales/mt8768q/sepolicy/edgelab.te

In foo.te, I added an example similar to the one on the site: https://source.android.com/security/selinux/customize.

allow domain i2c-1_device:chr_file rw_file_perms

But, in compilation, this line generates an error.

UPDATE:

I added a new line in /device/manufacturer/device-name/BoardConfig.mk:

BOARD_SEPOLICY_DIRS += device/thales/mt8768q/sepolicy

The error is:

#line 206
device/mediatek/mt6765/sepolicy/bsp/mnld.te:8:ERROR 'syntax error' at token 'role' on line 97225:
#line 2 "device/thales/mt8768q/sepolicy/edgelab.te"
allow domain i2c-1_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } }role r;
checkpolicy:  error(s) encountered while parsing configuration

Maybe i2c-1_device is not a valid name, but I don't know how to refer to /dev/i2c-1 in .te file.


Solution

  • You should define your domain and label.

    1. Define your dev_type (device/"manufacturer"/"device-name"/sepolicy/"your-filename".te):

      type i2c-1_device, dev_type;

    2. Label file with your type (device/"manufacturer"/"device-name"/sepolicy/file_contexts):

      /dev/i2c-1/* u:object_r:i2c-1_device:s0

    3. Define your rule (device/"manufacturer"/"device-name"/"your-filename".te):

      # every policy statement must end with ';'
      allow domain i2c-1_device:chr_file rw_file_perms;

    You'd better define your own domain and restrict access to i2c-1_device so that only your domain can use it. The example defines a dhcp domain; it's a good example.
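The three steps put together with a dedicated domain, as an added example that is not part of the original answer. It assumes a hypothetical vendor daemon installed as /vendor/bin/edgelab (the `edgelab` and `edgelab_exec` names are invented for the example) and uses the device directory from the question; `dev_type`, `domain`, `exec_type`, `vendor_file_type`, `file_type`, `init_daemon_domain` and `rw_file_perms` are the standard AOSP attributes and macros. The file_contexts path is a regex, so the bare node path is used instead of the `/dev/i2c-1/*` form above.

```sepolicy
# --- device/thales/mt8768q/sepolicy/edgelab.te ---

# 1. Device type for the I2C node (dev_type is the AOSP attribute for /dev entries).
type i2c-1_device, dev_type;

# Hypothetical domain for the daemon that talks to the bus (assumption: a
# vendor daemon installed as /vendor/bin/edgelab).
type edgelab, domain;
type edgelab_exec, exec_type, vendor_file_type, file_type;

# Transition into the edgelab domain when init starts the executable.
init_daemon_domain(edgelab)

# 3. Grant access to the daemon's domain only, not to every domain.
#    Each statement ends with ';'. Leaving it off makes checkpolicy glue the
#    next statement onto this one, which is the "syntax error at token 'role'"
#    shown in the question.
allow edgelab i2c-1_device:chr_file rw_file_perms;

# Optional build-time guard: the policy build fails if any other domain is
# ever granted access to the node. init, ueventd and vendor_init are excluded
# because they create and manage /dev nodes (conservative assumption; the
# neverallow check at build time reports any further core domain that needs
# excluding).
neverallow { domain -edgelab -init -ueventd -vendor_init } i2c-1_device:chr_file { open read write ioctl };

# --- device/thales/mt8768q/sepolicy/file_contexts ---

# 2. Label the character device and the daemon binary.
/dev/i2c-1           u:object_r:i2c-1_device:s0
/vendor/bin/edgelab  u:object_r:edgelab_exec:s0

# --- device/thales/mt8768q/BoardConfig.mk ---

# Make the build pick up the vendor policy directory.
BOARD_SEPOLICY_DIRS += device/thales/mt8768q/sepolicy
```

After flashing, `ls -Z /dev/i2c-1` should print the `u:object_r:i2c-1_device:s0` label and `ps -AZ | grep edgelab` should show the daemon running as `u:r:edgelab:s0`; if the daemon is still denied, the corresponding `avc: denied` line in `dmesg` names the exact permission to add to the `allow edgelab ...` rule rather than widening it to `domain`.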