From 9cfb921e7da9a68c964713e907276b00afb4c6c6 Mon Sep 17 00:00:00 2001 From: chaptsand Date: Sun, 30 Mar 2025 19:49:36 +0800 Subject: [PATCH] sm8550-common: sepolicy: Allow hermesd to use wake_alarm capability Fix an issue where the hermesd process is denied access to wake_alarm by SELinux, causing authentication failures even with correct credentials. When enters the wrong password 5 times, the device refuses to unlock even after the correct password is provided. avc: denied { wake_alarm } for capability=35 scontext=u:r:hermesd:s0 tcontext=u:r:hermesd:s0 tclass=capability2 permissive=0 Change-Id: I0461346ceb10ae482a30bf72429b2eca10ac091b
---
 sepolicy/vendor/hermesd.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sepolicy/vendor/hermesd.te b/sepolicy/vendor/hermesd.te
index 14f1ec9..75443d4 100644
--- a/sepolicy/vendor/hermesd.te
+++ b/sepolicy/vendor/hermesd.te
@@ -23,6 +23,8 @@ allow hermesd vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
 allow hermesd vendor_gatekeeper_data_file:dir create_dir_perms;
 allow hermesd vendor_gatekeeper_data_file:file create_file_perms;
+allow hermesd self:capability2 wake_alarm;
+
 allow hermesd vendor_hal_keymint_qti:binder transfer;
 set_prop(hermesd, vendor_securenvm_prop)
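Review bot: The added `allow hermesd self:capability2 wake_alarm;` has no comment, so the reason hermesd holds CAP_WAKE_ALARM is recorded only in the commit message. A line above it such as `# wake_alarm: without it unlock keeps failing after 5 wrong attempts (avc: denied { wake_alarm } capability=35)` would keep that rationale next to the rule for later policy audits. The grant is limited to `self` and to a single capability2 permission, which is the narrow form. Presumably the daemon arms an alarm timer for the failed-attempt lockout, but the commit message does not say so, and naming that code path in the comment would help.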