From 24e6f9d833ab99f41620b6cb0b1b3712459ff57c Mon Sep 17 00:00:00 2001 
From: Max Bires Date: Sat, 18 Mar 2017 18:40:16 -0700 Subject: [PATCH] Adding files and allows to handle denials Denials: denied { sys_rawio } for pid=630 comm="ramdump" capability=17 scontext=u:r:ramdump:s0 tcontext=u:r:ramdump:s0 tclass=capability denied { getattr } for pid=630 comm="ramdump" path="/dev/block/sda5" dev="tmpfs" ino=20606 scontext=u:r:ramdump:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { open } for pid=630 comm="ramdump" path="/dev/block/sda5" dev="tmpfs" ino=20606 scontext=u:r:ramdump:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { read write } for pid=630 comm="ramdump" name="sda5" dev="tmpfs" ino=20606 scontext=u:r:ramdump:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { getattr } for pid=630 comm="ramdump" path="/data/ramdump/RAMDUMP_RESERVED" dev="sda10" ino=2342915 scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=file denied { open } for pid=630 comm="ramdump" path="/data/ramdump/RAMDUMP_RESERVED" dev="sda10" ino=2342915 scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=file denied { read } for pid=630 comm="ramdump" name="RAMDUMP_RESERVED" dev="sda10" ino=2342915 scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=file denied { getattr } for pid=630 comm="ramdump" path="/fstab.taimen" dev="sda8" ino=26 scontext=u:r:ramdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file denied { open } for pid=630 comm="ramdump" path="/fstab.taimen" dev="sda8" ino=26 scontext=u:r:ramdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file denied { read } for pid=630 comm="ramdump" name="fstab.taimen" dev="sda8" ino=26 scontext=u:r:ramdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file denied { setattr } for pid=630 comm="ramdump" name="RAMDUMP_RESERVED" dev="sda10" ino=2342915 scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=file denied { search } for pid=2350 comm="csbootstraputil" name="msm_subsys" dev="sysfs" ino=16136 
scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { open } for pid=2350 comm="csbootstraputil" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=33390 scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { read } for pid=2350 comm="csbootstraputil" name="name" dev="sysfs" ino=33390 scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { read } for pid=2350 comm="csbootstraputil" name="subsys0" dev="sysfs" ino=33398 scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { open } for pid=2350 comm="csbootstraputil" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16138 scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=2350 comm="csbootstraputil" name="devices" dev="sysfs" ino=16138 scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { search } for pid=2350 comm="csbootstraputil" name="msm_subsys" dev="sysfs" ino=16136 scontext=u:r:radio:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { execute_no_trans } for pid=2579 comm="cnss_diag" path="/system/bin/sh" dev="sda8" ino=463 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { getattr } for pid=2579 comm="sh" path="/system/bin/sh" dev="sda8" ino=463 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { read open } for pid=2579 comm="cnss_diag" path="/system/bin/sh" dev="sda8" ino=463 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { execute } for pid=2579 comm="cnss_diag" name="sh" dev="sda8" ino=463 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { getattr } for pid=959 comm="Binder:769_1" path="/sys/devices/soc0/soc_id" dev="sysfs" ino=50550 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { open } for pid=959 
comm="Binder:769_1" path="/sys/devices/soc0/soc_id" dev="sysfs" ino=50550 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { read } for pid=959 comm="Binder:769_1" name="soc_id" dev="sysfs" ino=50550 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { search } for pid=959 comm="Binder:769_1" name="soc0" dev="sysfs" ino=50546 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir denied { write } for pid=959 comm="Binder:769_1" name="perfd" dev="tmpfs" ino=18724 scontext=u:r:mediacodec:s0 tcontext=u:object_r:perfd_socket:s0 tclass=sock_file denied { getattr } for pid=2054 comm="wcnss_filter" path="/dev/__properties__/u:object_r:bluetooth_prop:s0" dev="tmpfs" ino=21588 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:bluetooth_prop:s0 tclass=file denied { open } for pid=2054 comm="wcnss_filter" path="/dev/__properties__/u:object_r:bluetooth_prop:s0" dev="tmpfs" ino=21588 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:bluetooth_prop:s0 tclass=file denied { read } for pid=2054 comm="wcnss_filter" name="u:object_r:bluetooth_prop:s0" dev="tmpfs" ino=21588 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:bluetooth_prop:s0 tclass=file Bug: 34784662 Test: The above denials are no longer present Change-Id: I78370d1096f9957a51e0207f14948970e868d079
---
 sepolicy/file_contexts | 1 +
 sepolicy/mediacodec.te | 4 ++++
 sepolicy/radio.te | 1 +
 sepolicy/ramdump.te | 15 ++++++++++++---
 sepolicy/wcnss_filter.te | 1 +
 sepolicy/wcnss_service.te | 1 +
 6 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 sepolicy/mediacodec.te
 create mode 100644 sepolicy/radio.te
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 39d5f8c2..ab922cf9 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -55,6 +55,7 @@
 # files in sysfs
 /sys/class/uio(/.*)? u:object_r:sysfs_uio:s0
 /sys/devices/soc/1d0101c\.qcom,spss(/.*)? u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/5c00000\.qcom,ssc(/.*)? u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)? u:object_r:sysfs_msm_subsys:s0
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 00000000..60c1c4ce
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1,4 @@
+allow mediacodec perfd_socket:sock_file write;
+
+allow mediacodec sysfs_soc:file r_file_perms;
+allow mediacodec sysfs_soc:dir search;
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 00000000..324a65da
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1 @@
+r_dir_file(radio, sysfs_msm_subsys)
diff --git a/sepolicy/ramdump.te b/sepolicy/ramdump.te
index 12b565c4..c5448444 100644
--- a/sepolicy/ramdump.te
+++ b/sepolicy/ramdump.te
@@ -1,7 +1,16 @@
 type ramdump_exec, exec_type, file_type;
 userdebug_or_eng(`
-type ramdump, domain;
-init_daemon_domain(ramdump)
-permissive ramdump;
+ type ramdump, domain;
+ init_daemon_domain(ramdump)
+
+ allow ramdump self:capability sys_rawio;
+
+ allow ramdump sda_block_device:blk_file rw_file_perms;
+ allow ramdump ramdump_data_file:file r_file_perms;
+
+ # read from /fstab.taimen
+ allow ramdump rootfs:file r_file_perms;
+
+ permissive ramdump;
 ')
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te
index 1f253d2c..255294c7 100644
--- a/sepolicy/wcnss_filter.te
+++ b/sepolicy/wcnss_filter.te
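Review bot: The added label `/sys/devices/soc/5c00000\.qcom,ssc(/.*)? u:object_r:sysfs_msm_subsys:s0` has no matching denial in the commit message — every sysfs_msm_subsys denial listed is under `soc:qcom,ipa_fws@1e08000` or `/sys/bus/msm_subsys`, both of which were already labelled. Because this same change grants `radio` read access to everything of type sysfs_msm_subsys, putting another subsystem node under that type silently widens what the phone process can read. A one-line comment above the entry naming the consumer that needs the ssc node (presumably the same bootstrap utility, but that is not shown here) would let a later reviewer judge whether it still belongs under the shared type.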
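Review bot: `allow mediacodec perfd_socket:sock_file write;` covers only the filesystem-level write to the socket node; if perfd listens on a stream socket the process will next need `unix_stream_socket connectto` on perfd's domain (or `sendto` for a datagram socket), and that denial cannot show up in the log until this one is cleared, so the rule set is probably incomplete. mediacodec parses untrusted media, so every additional IPC peer it can reach is attack surface; it is worth confirming the perfd hint is actually required rather than a best-effort optimisation before adding the follow-up rule, and recording the answer in the file, e.g. `# perfd hint socket used by the codec path; confirm required`. The two `sysfs_soc` rules match the listed soc_id denials and are low risk.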
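Review bot: `r_dir_file(radio, sysfs_msm_subsys)` grants the phone process read on every directory, file and symlink carrying that type, while the csbootstraputil denials in the commit message only touch the subsystem `name` attribute, the `subsys0` link and `/sys/bus/msm_subsys/devices`. `radio` is an app-derived domain and sysfs_msm_subsys also covers the spss and ipa_fws nodes (plus the ssc node added by this change), so the grant is broader than the evidence supports. If the nodes the utility reads can carry a narrower type the rule should target that; otherwise a comment tying the rule to its consumer, e.g. `# csbootstraputil enumerates /sys/bus/msm_subsys to read subsystem names`, should accompany it.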
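Review bot: The denial list in the commit message includes `setattr` on `ramdump_data_file` (RAMDUMP_RESERVED), but the new rule `allow ramdump ramdump_data_file:file r_file_perms;` grants read only, so that denial should still be logged and the "no longer present" test claim does not hold for it; either add `setattr` (or `rw_file_perms` if the file is also written) or note why the denial is benign. `allow ramdump sda_block_device:blk_file rw_file_perms;` is a write grant to every partition labelled `sda_block_device`, whereas the log shows only `/dev/block/sda5`; a dedicated type for the ramdump partition, as Android policy typically uses for special-purpose partitions, would keep a debug daemon from writing anything else on the disk. `sys_rawio` also deserves a comment stating which ioctl or raw access actually needs it, since a logged capability check can be a probe the tool survives without. `permissive ramdump;` is kept after the allow rules, so on userdebug/eng the domain is still unconfined; if the rules are now believed complete, dropping permissive (or leaving a TODO naming what still denies) would make the test claim meaningful.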
@@ -4,6 +4,7 @@ type wcnss_filter_exec, exec_type, file_type;
 init_daemon_domain(wcnss_filter)
 set_prop(wcnss_filter, wc_prop)
+set_prop(wcnss_filter, bluetooth_prop)
 userdebug_or_eng(`
 permissive wcnss_filter;
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
index 01ee7336..7e7b259e 100644
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@@ -5,6 +5,7 @@ init_daemon_domain(wcnss_service)
 net_domain(wcnss_service)
 allow wcnss_service shell_exec:file rx_file_perms;
+allow wcnss_service toolbox_exec:file rx_file_perms;
 allow wcnss_service self:socket create_socket_perms;
 allowxperm wcnss_service self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
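Review bot: `set_prop(wcnss_filter, bluetooth_prop)` grants write access to the bluetooth properties (the property_service `set` permission plus the property socket connect), but the three wcnss_filter denials in the commit message are `getattr`/`open`/`read` on the property file, i.e. a read. Unless wcnss_filter is known to set a bluetooth property, `get_prop(wcnss_filter, bluetooth_prop)` is the rule that matches the evidence and keeps a vendor daemon from changing Bluetooth state through properties. If a write really is needed, a comment naming the property it sets would justify the wider macro. The `userdebug_or_eng` block that starts at the end of the hunk closes outside it.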
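Review bot: `allow wcnss_service toolbox_exec:file rx_file_perms;` is not traceable to any denial in the commit message — the cnss_diag denials listed are all for `shell_exec`, which the context line above already allows — so the toolbox grant needs its own justification. Together with shell execution, a daemon that is also a `net_domain` can now run arbitrary toolbox commands in its own context, which is the pattern reviewers usually push toward a `domain_auto_trans` into a dedicated helper domain; at minimum a comment should name the script or command cnss_diag invokes, e.g. `# cnss_diag shells out to toolbox (name the command)`. The `execute_no_trans` denial in the log means the shell runs with wcnss_service's full permission set, which is why the extra executable matters.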