Evolution-x-devices/device_google_wahoo
2
0
Fork 0
mirror of https://github.com/Evolution-X-Devices/device_google_wahoo synced 2026-02-01 07:50:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adding files and allows to handle denials

Browse Source 
Denials:
denied { sys_rawio } for pid=630 comm="ramdump" capability=17
scontext=u:r:ramdump:s0 tcontext=u:r:ramdump:s0 tclass=capability

denied { getattr } for pid=630 comm="ramdump" path="/dev/block/sda5"
dev="tmpfs" ino=20606 scontext=u:r:ramdump:s0
tcontext=u:object_r:sda_block_device:s0 tclass=blk_file

denied { open } for pid=630 comm="ramdump" path="/dev/block/sda5"
dev="tmpfs" ino=20606 scontext=u:r:ramdump:s0
tcontext=u:object_r:sda_block_device:s0 tclass=blk_file

denied { read write } for pid=630 comm="ramdump" name="sda5" dev="tmpfs"
ino=20606 scontext=u:r:ramdump:s0
tcontext=u:object_r:sda_block_device:s0 tclass=blk_file

denied { getattr } for pid=630 comm="ramdump"
path="/data/ramdump/RAMDUMP_RESERVED" dev="sda10" ino=2342915
scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0
tclass=file

denied { open } for pid=630 comm="ramdump"
path="/data/ramdump/RAMDUMP_RESERVED" dev="sda10" ino=2342915
scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0
tclass=file

denied { read } for pid=630 comm="ramdump" name="RAMDUMP_RESERVED"
dev="sda10" ino=2342915 scontext=u:r:ramdump:s0
tcontext=u:object_r:ramdump_data_file:s0 tclass=file

denied { getattr } for pid=630 comm="ramdump" path="/fstab.taimen"
dev="sda8" ino=26 scontext=u:r:ramdump:s0 tcontext=u:object_r:rootfs:s0
tclass=file

denied { open } for pid=630 comm="ramdump" path="/fstab.taimen"
dev="sda8" ino=26 scontext=u:r:ramdump:s0 tcontext=u:object_r:rootfs:s0
tclass=file

denied { read } for pid=630 comm="ramdump" name="fstab.taimen"
dev="sda8" ino=26 scontext=u:r:ramdump:s0 tcontext=u:object_r:rootfs:s0
tclass=file

denied { setattr } for pid=630 comm="ramdump" name="RAMDUMP_RESERVED"
dev="sda10" ino=2342915 scontext=u:r:ramdump:s0
tcontext=u:object_r:ramdump_data_file:s0 tclass=file

denied { search } for pid=2350 comm="csbootstraputil" name="msm_subsys"
dev="sysfs" ino=16136 scontext=u:r:radio:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { open } for pid=2350 comm="csbootstraputil"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=33390 scontext=u:r:radio:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { read } for pid=2350 comm="csbootstraputil" name="name"
dev="sysfs" ino=33390 scontext=u:r:radio:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { read } for pid=2350 comm="csbootstraputil" name="subsys0"
dev="sysfs" ino=33398 scontext=u:r:radio:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file

denied { open } for pid=2350 comm="csbootstraputil"
path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16138
scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { read } for pid=2350 comm="csbootstraputil" name="devices"
dev="sysfs" ino=16138 scontext=u:r:radio:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { search } for pid=2350 comm="csbootstraputil" name="msm_subsys"
dev="sysfs" ino=16136 scontext=u:r:radio:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { execute_no_trans } for pid=2579 comm="cnss_diag"
path="/system/bin/sh" dev="sda8" ino=463 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:shell_exec:s0 tclass=file

denied { getattr } for pid=2579 comm="sh" path="/system/bin/sh"
dev="sda8" ino=463 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:shell_exec:s0 tclass=file

denied { read open } for pid=2579 comm="cnss_diag" path="/system/bin/sh"
dev="sda8" ino=463 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:shell_exec:s0 tclass=file

denied { execute } for pid=2579 comm="cnss_diag" name="sh" dev="sda8"
ino=463 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

denied { getattr } for pid=959 comm="Binder:769_1"
path="/sys/devices/soc0/soc_id" dev="sysfs" ino=50550
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file

denied { open } for pid=959 comm="Binder:769_1"
path="/sys/devices/soc0/soc_id" dev="sysfs" ino=50550
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file

denied { read } for pid=959 comm="Binder:769_1" name="soc_id"
dev="sysfs" ino=50550 scontext=u:r:mediacodec:s0
tcontext=u:object_r:sysfs_soc:s0 tclass=file

denied { search } for pid=959 comm="Binder:769_1" name="soc0"
dev="sysfs" ino=50546 scontext=u:r:mediacodec:s0
tcontext=u:object_r:sysfs_soc:s0 tclass=dir

denied { write } for pid=959 comm="Binder:769_1" name="perfd"
dev="tmpfs" ino=18724 scontext=u:r:mediacodec:s0
tcontext=u:object_r:perfd_socket:s0 tclass=sock_file

denied { getattr } for pid=2054 comm="wcnss_filter"
path="/dev/__properties__/u:object_r:bluetooth_prop:s0" dev="tmpfs"
ino=21588 scontext=u:r:wcnss_filter:s0
tcontext=u:object_r:bluetooth_prop:s0 tclass=file

denied { open } for pid=2054 comm="wcnss_filter"
path="/dev/__properties__/u:object_r:bluetooth_prop:s0" dev="tmpfs"
ino=21588 scontext=u:r:wcnss_filter:s0
tcontext=u:object_r:bluetooth_prop:s0 tclass=file

denied { read } for pid=2054 comm="wcnss_filter"
name="u:object_r:bluetooth_prop:s0" dev="tmpfs" ino=21588
scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:bluetooth_prop:s0
tclass=file

Bug: 34784662
Test: The above denials are no longer present
Change-Id: I78370d1096f9957a51e0207f14948970e868d079
This commit is contained in:
Max Bires
2017-03-18 18:40:16 -07:00
parent 33d688e9af
commit 24e6f9d833
6 changed files with 20 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
sepolicy/file_contexts
View File

@@ -55,6 +55,7 @@
# files in sysfs
/sys/class/uio(/.*)? u:object_r:sysfs_uio:s0
/sys/devices/soc/1d0101c\.qcom,spss(/.*)? u:object_r:sysfs_msm_subsys:s0
/sys/devices/soc/5c00000\.qcom,ssc(/.*)? u:object_r:sysfs_msm_subsys:s0
/sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)? u:object_r:sysfs_msm_subsys:s0

4
sepolicy/mediacodec.te Normal file
View File

@@ -0,0 +1,4 @@
allow mediacodec perfd_socket:sock_file write;
allow mediacodec sysfs_soc:file r_file_perms;
allow mediacodec sysfs_soc:dir search;

1
sepolicy/radio.te Normal file
View File

@@ -0,0 +1 @@
r_dir_file(radio, sysfs_msm_subsys)

15
sepolicy/ramdump.te
View File

@@ -1,7 +1,16 @@
type ramdump_exec, exec_type, file_type;
userdebug_or_eng(`
type ramdump, domain;
init_daemon_domain(ramdump)
permissive ramdump;
type ramdump, domain;
init_daemon_domain(ramdump)
allow ramdump self:capability sys_rawio;
allow ramdump sda_block_device:blk_file rw_file_perms;
allow ramdump ramdump_data_file:file r_file_perms;
# read from /fstab.taimen
allow ramdump rootfs:file r_file_perms;
permissive ramdump;
')

1
sepolicy/wcnss_filter.te
View File

@@ -4,6 +4,7 @@ type wcnss_filter_exec, exec_type, file_type;
init_daemon_domain(wcnss_filter)
set_prop(wcnss_filter, wc_prop)
set_prop(wcnss_filter, bluetooth_prop)
userdebug_or_eng(`
permissive wcnss_filter;

1
sepolicy/wcnss_service.te
View File

@@ -5,6 +5,7 @@ init_daemon_domain(wcnss_service)
net_domain(wcnss_service)
allow wcnss_service shell_exec:file rx_file_perms;
allow wcnss_service toolbox_exec:file rx_file_perms;
allow wcnss_service self:socket create_socket_perms;
allowxperm wcnss_service self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;