From ab5b59745df69364308a9d843fec0aaee3e21362 Mon Sep 17 00:00:00 2001 
From: Max Bires
Date: Tue, 14 Mar 2017 13:25:53 -0700
Subject: [PATCH] Adding contexts and rules to address denials.

These changes address the following denials:
denied { read } for pid=560 comm="e2fsck" name="sda43" dev="tmpfs" ino=22736 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
denied { open } for pid=560 comm="e2fsck" path="/dev/block/sda43" dev="tmpfs" ino=22736 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
denied { write } for pid=560 comm="e2fsck" name="sda43" dev="tmpfs" ino=22736 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
denied { read } for pid=666 comm="sensors.qcom" name="name" dev="sysfs" ino=33510 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { open } for pid=666 comm="sensors.qcom" path="/sys/devices/soc/1d0101c.qcom,spss/subsys2/name" dev="sysfs" ino=33510 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { net_raw } for pid=666 comm="sensors.qcom" capability=13 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability
denied { read write } for pid=678 comm="sensors.qcom" name="sns.reg" dev="sdd3" ino=33 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file
denied { search } for pid=794 comm="thermal-engine" name="msm_subsys" dev="sysfs" ino=16320 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir
denied { read } for pid=794 comm="thermal-engine" name="devices" dev="sysfs" ino=16322 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir
denied { open } for pid=794 comm="thermal-engine" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16322 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir
denied { read } for pid=794 comm="thermal-engine" name="subsys0" dev="sysfs" ino=33422 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file
denied { read } for pid=794
comm="thermal-engine" name="name" dev="sysfs" ino=33416 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file
denied { open } for pid=794 comm="thermal-engine" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=33416 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file
denied { open } for pid=794 comm="thermal-engine" path="/sys/devices" dev="sysfs" ino=4 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
denied { read } for pid=794 comm="thermal-engine" name="devices" dev="sysfs" ino=4 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
Bug: 34784662
Test: These denials are no longer present
Change-Id: I68665950fe7c2b25c11acb36b32a147049fa76e5
---
 sepolicy/device.te | 25 +++++++++++++------------
 sepolicy/file.te | 9 ++++-----
 sepolicy/file_contexts | 6 ++++--
 sepolicy/fsck.te | 1 +
 sepolicy/sensors.te | 2 ++
 sepolicy/thermal-engine.te | 9 +++++++--
 6 files changed, 31 insertions(+), 21 deletions(-)
 create mode 100644 sepolicy/fsck.te

diff --git a/sepolicy/device.te b/sepolicy/device.te
index f407dafc..4e046f10 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,17 +1,18 @@
-type diag_device, dev_type, mlstrustedobject;
-type smd_device, dev_type;
-type ipa_dev, dev_type;
-type rmnet_device, dev_type;
 type at_device, dev_type;
-type qsee_ipc_irq_spss_device, dev_type;
-type seemplog_device, dev_type;
-type spcom_device, dev_type;
-type qdsp_device, dev_type, mlstrustedobject;
-type dsp_device, dev_type;
 type avtimer_device, dev_type;
-type ssr_device, dev_type;
-type ramdump_device, dev_type;
+type diag_device, dev_type, mlstrustedobject;
+type dsp_device, dev_type;
 type hbtp_device, dev_type;
-type sg_device, dev_type;
+type ipa_dev, dev_type;
+type qsee_ipc_irq_spss_device, dev_type;
+type qdsp_device, dev_type, mlstrustedobject;
+type ramdump_device, dev_type;
+type rmnet_device, dev_type;
+type sda_block_device, dev_type;
 type sdd_block_device, dev_type;
 type sdf_block_device, dev_type;
+type seemplog_device, dev_type;
+type sg_device, dev_type;
+type smd_device, dev_type;
+type spcom_device, dev_type;
+type ssr_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index f93a8993..e5cbc322 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,12 +1,11 @@
-type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
-type sysfs_soc, sysfs_type, fs_type;
-type sysfs_rmtfs, sysfs_type, fs_type;
-type sysfs_net, sysfs_type, fs_type;
 type sysfs_fingerprint, sysfs_type, fs_type;
+type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_msm_subsys, sysfs_type, fs_type;
 type sysfs_msm_subsys_restart, sysfs_type, fs_type;
-
+type sysfs_net, sysfs_type, fs_type;
+type sysfs_rmtfs, sysfs_type, fs_type;
+type sysfs_soc, sysfs_type, fs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
 type qmuxd_socket, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 0386e653..48ad33e4 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -48,11 +48,13 @@
 # dev block nodes
 /dev/block/sdd[0-9]+ u:object_r:sdd_block_device:s0
 /dev/block/sdf[0-9]+ u:object_r:sdf_block_device:s0
+/dev/block/sda[0-9]+ u:object_r:sda_block_device:s0
 # files in sysfs
 /sys/class/uio(/.*)? u:object_r:sysfs_uio:s0
-/sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/1d0101c\.qcom,spss(/.*)? u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)? u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/cce0000\.qcom,venus(/.*)? u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)? u:object_r:sysfs_rmtfs:s0
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 00000000..34d49016
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck sda_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index b280949a..78a871da 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -6,6 +6,8 @@ init_daemon_domain(sensors)
 allow sensors self:socket rw_socket_perms_no_ioctl;
+allow sensors persist_sensors_file:file rw_file_perms;
+
 r_dir_file(sensors, sysfs_msm_subsys)
 userdebug_or_eng(`
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 5ec9ed78..4a799f5d 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
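Review bot: `/dev/block/sda[0-9]+ u:object_r:sda_block_device:s0` labels every sda partition, but the only fsck denial in the commit message is for sda43, and the new sepolicy/fsck.te hunk on this same line (`allow fsck sda_block_device:blk_file rw_file_perms;`, using the sda_block_device type declared in the device.te hunk) therefore gives fsck read/write on every node the pattern matches rather than on the one partition being checked. If sda43 has a by-name symlink elsewhere in file_contexts, labelling that path with a partition-specific type would keep the fsck grant to that partition; if the per-LUN catch-all is intentional (it mirrors the sdd/sdf entries above), say so and name the partition in fsck.te, e.g. `# e2fsck on sda43 (Bug: 34784662)`, since the new file currently carries no comment at all. The upstream fsck domain is, as far as I recall, confined to a short list of partition types with neverallows on the boot/system-type ones, so a catch-all type that may cover such partitions on this LUN deserves a second look before it lands.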
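Review bot: The commit message lists a `net_raw` capability denial for sensors.qcom (scontext=u:r:sensors:s0, tclass=capability), but nothing in this hunk or elsewhere in the diff allows or dontaudits it, so either that denial is still being logged or it is handled outside this change, which contradicts the Test line saying all listed denials are gone. Leaving net_raw denied is the right outcome for a sensors daemon, so if the daemon works without it a `dontaudit sensors self:capability net_raw;` beside the new persist_sensors_file rule would record that decision and keep the audit log clean; otherwise drop that denial from the commit message so the description matches the policy. The added `allow sensors persist_sensors_file:file rw_file_perms;` matches the read/write denial on sns.reg and needs no further change.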
@@ -5,11 +5,16 @@ init_daemon_domain(thermal-engine)
 allow thermal-engine self:capability2 block_suspend;
+# to read /sys/devices
+allow thermal-engine sysfs:dir r_dir_perms;
+
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
+
 allow thermal-engine sysfs_rmtfs:file r_file_perms;
-allow thermal-engine sysfs_uio:lnk_file r_file_perms;
-allow thermal-engine sysfs_uio:dir r_dir_perms;
+
+r_dir_file(thermal-engine, sysfs_uio)
+r_dir_file(thermal-engine, sysfs_msm_subsys)
 allow thermal-engine self:socket create_socket_perms;
 allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
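Review bot: Replacing the two explicit sysfs_uio rules with `r_dir_file(thermal-engine, sysfs_uio)` grants more than the removed pair did: the AOSP macro expands to dir r_dir_perms plus r_file_perms on both file and lnk_file, so thermal-engine gains read on sysfs_uio files that no denial in the commit message asked for (the old rules covered only dir and lnk_file). The sysfs_msm_subsys macro call does match the listed dir, lnk_file and file denials, so only the sysfs_uio line looks like an unrequested widening; keeping the original two lines, or adding a comment saying why file read on sysfs_uio is now wanted, would make that reviewable. `allow thermal-engine sysfs:dir r_dir_perms;` also reaches further than its comment says, because sysfs is the generic label for every sysfs directory that has no specific type, not just /sys/devices; a comment such as `# to read /sys/devices; sysfs is the catch-all label, so this covers every otherwise-unlabelled sysfs dir` would make that trade-off explicit to the next reader.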