mirror of
https://github.com/Evolution-X-Devices/device_google_wahoo
synced 2026-02-01 03:40:35 +00:00
Wahoo sepolicy changes
Wahoo's sepolicy is changed merged to add Marlin permissions based on compliance test needs. Marlin's sepolicy can be found at device/google/marlin/sepolicy/hal_gnss_default.te Bug: 37409476 Test: Boots with no avc denials or crashes. GNSS incl. post XTRA delete runs well with no denials. Change-Id: Id51197120d142850fe0d7c97f747818e23c178f8
This commit is contained in:
Siddharth Ray
committed by
Wyatt Riley
Wyatt Riley
parent
f128f5c538
commit
078daa1c8b
29
sepolicy/vendor/hal_gnss_qti.te
vendored
29
sepolicy/vendor/hal_gnss_qti.te
vendored
@@ -11,19 +11,34 @@ vndbinder_use(hal_gnss_qti)
|
||||
allow hal_gnss_qti sysfs_soc:dir r_dir_perms;
|
||||
allow hal_gnss_qti sysfs_soc:file r_file_perms;
|
||||
|
||||
binder_call(hal_gnss_qti, per_mgr)
|
||||
allow hal_gnss_qti per_mgr_service:service_manager find;
|
||||
|
||||
# /data/vendor/location
|
||||
allow hal_gnss_qti location_data_file:fifo_file { open read setattr write };
|
||||
allow hal_gnss_qti location_data_file:dir create_dir_perms;
|
||||
allow hal_gnss_qti location_data_file:file create_file_perms;
|
||||
allow hal_gnss_qti location_data_file:sock_file write;
|
||||
|
||||
allow hal_gnss_qti location:unix_stream_socket connectto;
|
||||
|
||||
allow hal_gnss_qti self:socket create_socket_perms;
|
||||
allowxperm hal_gnss_qti self:socket ioctl msm_sock_ipc_ioctls;
|
||||
|
||||
unix_socket_connect(hal_gnss_qti, netmgrd, netmgrd)
|
||||
allow hal_gnss_qti netmgrd_socket:dir search;
|
||||
|
||||
allow hal_gnss_qti self:socket create_socket_perms;
|
||||
allowxperm hal_gnss_qti self:socket ioctl msm_sock_ipc_ioctls;
|
||||
allow hal_gnss_qti self:netlink_generic_socket { bind create read };
|
||||
allow hal_gnss_qti self:netlink_route_socket { bind create nlmsg_read read write };
|
||||
|
||||
vndbinder_use(hal_gnss_qti)
|
||||
binder_call(hal_gnss_qti, per_mgr)
|
||||
|
||||
allow hal_gnss_qti per_mgr_service:service_manager find;
|
||||
# Most HALs are not allowed to use network sockets. Qcom library
|
||||
# libqdi is used across multiple processes which are clients of
|
||||
# netmgrd including the GNSS HAL. libqdi first attempts to get the network
|
||||
# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
|
||||
# If that fails, it falls back to using libc's if_nameindex() which requires
|
||||
# a netlink route socket, which HALs may use. Due to the initial
|
||||
# attempt to use a UDP socket, we still see a selinux denial,
|
||||
# but it is safe to ignore.
|
||||
# TODO (b/37730994) Remove udp_socket requirement from
|
||||
# libqdi and have all its clients use netlink route
|
||||
# sockets.
|
||||
dontaudit hal_gnss_qti self:udp_socket create;
|
||||
|
||||
39
sepolicy/vendor/location.te
vendored
39
sepolicy/vendor/location.te
vendored
@@ -1,32 +1,49 @@
|
||||
# loc_launcher service
|
||||
# which launches various other services supporting GPS & Wifi-RTT (LOWI) location
|
||||
type location, domain;
|
||||
type location_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(location)
|
||||
|
||||
# STOPSHIP b/28340421
|
||||
# Temporarily grant this permission and log its use.
|
||||
# Temporarily grant this permission (for LOWI) and log its use.
|
||||
allow location self:capability { net_admin };
|
||||
auditallow location self:capability { net_admin };
|
||||
|
||||
allow location location_exec:file execute_no_trans;
|
||||
|
||||
allow location self:capability { setgid setuid };
|
||||
|
||||
allow location proc_net:file r_file_perms;
|
||||
hwbinder_use(location)
|
||||
get_prop(location, hwservicemanager_prop)
|
||||
allow location fwk_sensor_hwservice:hwservice_manager find;
|
||||
binder_call(location, system_server)
|
||||
allow location hal_wifi:unix_stream_socket { read write };
|
||||
|
||||
allow location location_data_file:dir create_dir_perms;
|
||||
allow location location_data_file:{ file sock_file } create_file_perms;
|
||||
# Enable standard network access (for XTRA download)
|
||||
net_domain(location)
|
||||
|
||||
# And some additional network access
|
||||
allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
allow location self:netlink_socket create_socket_perms_no_ioctl;
|
||||
allow location self:socket create_socket_perms;
|
||||
allowxperm location self:udp_socket ioctl { SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
|
||||
allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
|
||||
allowxperm location self:udp_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
|
||||
|
||||
# Enable network access (for XTRA download)
|
||||
net_domain(location)
|
||||
allow location self:socket create_socket_perms;
|
||||
# whitelist socket ioctl commands
|
||||
allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
|
||||
|
||||
# files in /sys
|
||||
r_dir_file(location, sysfs_type)
|
||||
|
||||
dontaudit location kernel:system module_request;
|
||||
|
||||
allow location proc_net:file r_file_perms;
|
||||
|
||||
# execute /vendor/bin/lowi-server
|
||||
allow location location_exec:file rx_file_perms;
|
||||
|
||||
# /data/vendor/location
|
||||
allow location location_data_file:dir create_dir_perms;
|
||||
allow location location_data_file:{ file sock_file } create_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow location diag_device:chr_file rw_file_perms;
|
||||
')
|
||||
Reference in New Issue
Block a user