From 0ef2f5d6b6911fd1851358dbaba7dc0f47ef9cd2 Mon Sep 17 00:00:00 2001 
From: Max Bires Date: Wed, 22 Mar 2017 14:44:16 -0700 Subject: [PATCH] Adding context and allows to handle boot denials Addressing the following selinux denials: denied { relabelto } for pid=1 comm="init" name="sda20" dev="tmpfs" ino=20728 scontext=u:r:init:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { read } for pid=5417 comm="android.hardwar" name="caps" dev="sysfs" ino=31785 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_mdss_mdp_caps:s0 tclass=file denied { search } for pid=579 comm="ueventd" name="firmware" dev="sda22" ino=25 scontext=u:r:ueventd:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir denied { create } for pid=669 comm="ramdump" name="RAMDUMP_STATUS" scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=file denied { setattr } for pid=669 comm="ramdump" name="RAMDUMP_STATUS" dev="sda45" ino=1114114 scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=file denied { read write } for pid=669 comm="ramdump" name="sdd1" dev="tmpfs" ino=20938 scontext=u:r:ramdump:s0 tcontext=u:object_r:sdd_block_device:s0 tclass=blk_file denied { open } for pid=669 comm="ramdump" path="/dev/block/sdd1" dev="tmpfs" ino=20938 scontext=u:r:ramdump:s0 tcontext=u:object_r:sdd_block_device:s0 tclass=blk_file denied { getattr } for pid=669 comm="ramdump" path="/dev/block/sdd1" dev="tmpfs" ino=20938 scontext=u:r:ramdump:s0 tcontext=u:object_r:sdd_block_device:s0 tclass=blk_file denied { write } for pid=669 comm="ramdump" name="property_service" dev="tmpfs" ino=19539 scontext=u:r:ramdump:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file denied { connectto } for pid=669 comm="ramdump" path="/dev/socket/property_service" scontext=u:r:ramdump:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket denied { set } for property=debug.htc.hrdump pid=669 uid=0 gid=0 scontext=u:r:ramdump:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service denied { net_bind_service } for pid=691 
comm="tftp_server" capability=10 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability denied { open } for pid=690 comm="rmt_storage" path="/sys/devices/soc/a1800000.qcom,rmtfs_rtel_sharedmem/uio/uio1/name" dev="sysfs" ino=40788 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { read } for pid=691 comm="pm-service" name="name" dev="sysfs" ino=32454 scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { read } for pid=692 comm="sensors.qcom" name="name" dev="sysfs" ino=48306 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { open } for pid=692 comm="sensors.qcom" path="/sys/devices/soc/17300000.qcom,lpass/subsys4/name" dev="sysfs" ino=48306 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { open } for pid=691 comm="pm-service" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=32454 scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { ioctl } for pid=694 comm="rmt_storage" path="socket:[24703]" dev="sockfs" ino=24703 ioctlcmd=c304 scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0 tclass=socket denied { search } for pid=696 comm="pd-mapper" name="msm_subsys" dev="sysfs" ino=16813 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=696 comm="pd-mapper" name="devices" dev="sysfs" ino=16815 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { open } for pid=696 comm="pd-mapper" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16815 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=696 comm="pd-mapper" name="subsys0" dev="sysfs" ino=32462 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { read } for pid=696 comm="pd-mapper" name="name" dev="sysfs" ino=32454 scontext=u:r:pd_mapper:s0 
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { open } for pid=696 comm="pd-mapper" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=32454 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { setpcap } for pid=696 comm="pd-mapper" capability=8 scontext=u:r:pd_mapper:s0 tcontext=u:r:pd_mapper:s0 tclass=capability denied { setgid } for pid=696 comm="pd-mapper" capability=6 scontext=u:r:pd_mapper:s0 tcontext=u:r:pd_mapper:s0 tclass=capability denied { setuid } for pid=696 comm="pd-mapper" capability=7 scontext=u:r:pd_mapper:s0 tcontext=u:r:pd_mapper:s0 tclass=capability denied { read } for pid=731 comm="pd-mapper" name="image" dev="sda7" ino=3 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir denied { open } for pid=731 comm="pd-mapper" path="/firmware/image" dev="sda7" ino=3 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir denied { read } for pid=731 comm="pd-mapper" name="modemr.jsn" dev="sda7" ino=37 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:firmware_file:s0 tclass=file denied { open } for pid=731 comm="pd-mapper" path="/firmware/image/modemr.jsn" dev="sda7" ino=37 scontext=u:r:pd_mapper:s0 tcontext=u:object_r:firmware_file:s0 tclass=file denied { open } for pid=831 comm="update_verifier" path="/dev/block/platform/soc/1da4000.ufshc/by-name" dev="tmpfs" ino=20506 scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir denied { read } for pid=831 comm="update_verifier" name="by-name" dev="tmpfs" ino=20506 scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir denied { getattr } for pid=831 comm="update_verifier" path="/dev/block/sda9" dev="tmpfs" ino=20550 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { read write } for pid=831 comm="update_verifier" name="sda" dev="tmpfs" ino=20516 scontext=u:r:update_verifier:s0 
tcontext=u:object_r:block_device:s0 tclass=blk_file denied { open } for pid=831 comm="update_verifier" path="/dev/block/sda" dev="tmpfs" ino=20516 scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file denied { read } for pid=827 comm="android.hardwar" name="caps" dev="sysfs" ino=31785 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { open } for pid=827 comm="android.hardwar" path="/sys/devices/soc/c900000.qcom,mdss_mdp/caps" dev="sysfs" ino=31785 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { getattr } for pid=827 comm="android.hardwar" path="/sys/devices/soc/c900000.qcom,mdss_mdp/caps" dev="sysfs" ino=31785 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { search } for pid=827 comm="android.hardwar" name="8c0000.qcom,msm-cam" dev="sysfs" ino=20221 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_camera:s0 tclass=dir denied { read } for pid=827 comm="android.hardwar" name="name" dev="sysfs" ino=41516 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_camera:s0 tclass=file denied { open } for pid=827 comm="android.hardwar" path="/sys/devices/soc/8c0000.qcom,msm-cam/video4linux/video0/name" dev="sysfs" ino=41516 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_camera:s0 tclass=file denied { getattr } for pid=827 comm="android.hardwar" path="/sys/devices/soc/8c0000.qcom,msm-cam/video4linux/video0/name" dev="sysfs" ino=41516 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_camera:s0 tclass=file denied { search } for pid=827 comm="android.hardwar" name="leds" dev="sysfs" ino=27651 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir denied { read } for pid=827 comm="android.hardwar" name="lcd-backlight" dev="sysfs" ino=32041 scontext=u:r:hal_graphics_composer_default:s0 
tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file denied { read } for pid=827 comm="android.hardwar" name="max_brightness" dev="sysfs" ino=32043 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file denied { open } for pid=827 comm="android.hardwar" path="/sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight/max_brightness" dev="sysfs" ino=32043 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file denied { getattr } for pid=869 comm="init.radio.sh" path="/system/bin/sh" dev="sda22" ino=466 scontext=u:r:init_radio:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { read } for pid=869 comm="init.radio.sh" path="/system/bin/sh" dev="sda22" ino=466 scontext=u:r:init_radio:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { read } for pid=878 comm="android.hardwar" name="modalias" dev="sysfs" ino=19754 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { open } for pid=878 comm="android.hardwar" path="/sys/devices/soc/1d0101c.qcom,spss/modalias" dev="sysfs" ino=19754 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { write } for pid=678 comm="ramdump" name="ramdump" dev="sda45" ino=1114113 scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=dir denied { search } for pid=702 comm="rmt_storage" name="rmt_storage" dev="debugfs" ino=9892 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:debugfs_rmt_storage:s0 tclass=dir denied { setgid } for pid=703 comm="tftp_server" capability=6 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability denied { setuid } for pid=703 comm="tftp_server" capability=7 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability denied { append } for pid=703 comm="tftp_server" name="wake_lock" dev="sysfs" ino=16525 scontext=u:r:rfs_access:s0 
tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file denied { open } for pid=703 comm="tftp_server" path="/sys/power/wake_lock" dev="sysfs" ino=16525 scontext=u:r:rfs_access:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file denied { open } for pid=700 comm="sensors.qcom" path="/sys/devices/soc/4080000.qcom,mss/subsys6/name" dev="sysfs" ino=48392 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0 denied { create } for pid=700 comm="sensors.qcom" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=socket denied { ioctl } for pid=700 comm="sensors.qcom" path="socket:[21942]" dev="sockfs" ino=21942 ioctlcmd=c304 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=socket denied { create } for pid=724 comm="pd-mapper" scontext=u:r:pd_mapper:s0 tcontext=u:r:pd_mapper:s0 tclass=socket denied { ioctl } for pid=724 comm="pd-mapper" path="socket:[11465]" dev="sockfs" ino=11465 ioctlcmd=c304 scontext=u:r:pd_mapper:s0 tcontext=u:r:pd_mapper:s0 tclass=socket denied { net_bind_service } for pid=724 comm="pd-mapper" capability=10 scontext=u:r:pd_mapper:s0 tcontext=u:r:pd_mapper:s0 tclass=capability denied { create } for pid=1 comm="init" name="b.1" scontext=u:r:init:s0 tcontext=u:object_r:configfs:s0 tclass=lnk_file denied { write } for pid=673 comm="ramdump" name="ramdump" dev="sda45" ino=1114113 scontext=u:r:ramdump:s0 tcontext=u:object_r:ramdump_data_file:s0 tclass=dir denied { search } for pid=701 comm="rmt_storage" name="0.qcom,rmtfs_sharedmem" dev="sysfs" ino=18392 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_rmtfs:s0 tclass=dir denied { read } for pid=702 comm="tftp_server" name="rfs" dev="sdd3" ino=17 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0 tclass=dir denied { open } for pid=702 comm="tftp_server" path="/persist/rfs" dev="sdd3" ino=17 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0 tclass=dir denied { search } for pid=714 comm="sensors.qcom" name="sensors" dev="sdd3" ino=12 scontext=u:r:sensors:s0 
tcontext=u:object_r:persist_sensors_file:s0 tclass=dir denied { getattr } for pid=714 comm="sensors.qcom" path="/persist" dev="sdd3" ino=2 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_file:s0 tclass=dir denied { read } for pid=714 comm="sensors.qcom" name="sensors" dev="sdd3" ino=12 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir denied { open } for pid=714 comm="sensors.qcom" path="/persist/sensors" dev="sdd3" ino=12 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir denied { read } for pid=714 comm="sensors.qcom" name="sensors" dev="sda20" ino=186 scontext=u:r:sensors:s0 tcontext=u:object_r:system_file:s0 tclass=dir denied { open } for pid=714 comm="sensors.qcom" path="/vendor/etc/sensors" dev="sda20" ino=186 scontext=u:r:sensors:s0 tcontext=u:object_r:system_file:s0 tclass=dir denied { read } for pid=699 comm="sensors.qcom" name="sensors" dev="tmpfs" ino=22609 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file denied { open } for pid=699 comm="sensors.qcom" path="/dev/sensors" dev="tmpfs" ino=22609 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file denied { ioctl } for pid=699 comm="sensors.qcom" path="socket:[18642]" dev="sockfs" ino=18642 ioctlcmd=c302 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=socket denied { setgid } for pid=699 comm="sensors.qcom" capability=6 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability denied { setuid } for pid=699 comm="sensors.qcom" capability=7 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability denied { open } for pid=778 comm="android.hardwar" path="/sys/devices/soc/c900000.qcom,mdss_rotator/video4linux/video3/name" dev="sysfs" ino=42413 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { read } for pid=778 comm="android.hardwar" name="name" dev="sysfs" ino=42413 scontext=u:r:hal_graphics_composer_default:s0 
tcontext=u:object_r:sysfs:s0 tclass=file denied { open } for pid=778 comm="android.hardwar" path="/sys/devices/soc/c900000.qcom,mdss_rotator/video4linux/video3/name" dev="sysfs" ino=42413 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { getattr } for pid=778 comm="android.hardwar" path="/sys/devices/soc/c900000.qcom,mdss_rotator/video4linux/video3/name" dev="sysfs" ino=42413 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { create } for pid=834 comm="cnss-daemon" scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0 tclass=netlink_generic_socket denied { setopt } for pid=834 comm="cnss-daemon" scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0 tclass=netlink_generic_socket denied { bind } for pid=834 comm="cnss-daemon" scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0 tclass=netlink_generic_socket denied { getattr } for pid=834 comm="cnss-daemon" scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0 tclass=netlink_generic_socket denied { search } for pid=705 comm="servicemanager" name="834" dev="proc" ino=24031 scontext=u:r:servicemanager:s0 tcontext=u:r:wcnss_service:s0 tclass=dir denied { read } for pid=705 comm="servicemanager" name="current" dev="proc" ino=25351 scontext=u:r:servicemanager:s0 tcontext=u:r:wcnss_service:s0 tclass=file denied { open } for pid=705 comm="servicemanager" path="/proc/834/attr/current" dev="proc" ino=25351 scontext=u:r:servicemanager:s0 tcontext=u:r:wcnss_service:s0 tclass=file denied { getattr } for pid=705 comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:wcnss_service:s0 tclass=process denied { call } for pid=834 comm="cnss-daemon" scontext=u:r:wcnss_service:s0 tcontext=u:r:per_mgr:s0 tclass=binder denied { ioctl } for pid=925 comm="cnss-daemon" path="socket:[23136]" dev="sockfs" ino=23136 ioctlcmd=c304 scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0 tclass=socket denied { search } 
for pid=925 comm="cnss-daemon" name="soc0" dev="sysfs" ino=49100 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir denied { read } for pid=925 comm="cnss-daemon" name="soc_id" dev="sysfs" ino=49104 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { open } for pid=925 comm="cnss-daemon" path="/sys/devices/soc0/soc_id" dev="sysfs" ino=49104 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { search } for pid=840 comm="android.hardwar" name="1d0101c.qcom,spss" dev="sysfs" ino=19751 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { search } for pid=844 comm="imsdatadaemon" name="soc0" dev="sysfs" ino=49100 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir denied { read } for pid=844 comm="imsdatadaemon" name="soc_id" dev="sysfs" ino=49104 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { write } for pid=840 comm="android.hardwar" name="uinput" dev="tmpfs" ino=20491 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:uhid_device:s0 tclass=chr_file denied { open } for pid=840 comm="android.hardwar" path="/dev/uinput" dev="tmpfs" ino=20491 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:uhid_device:s0 tclass=chr_file denied { call } for pid=840 comm="android.hardwar" scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:servicemanager:s0 tclass=binder denied { transfer } for pid=840 comm="android.hardwar" scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:servicemanager:s0 tclass=binder denied { search } for pid=705 comm="servicemanager" name="840" dev="proc" ino=24009 scontext=u:r:servicemanager:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=dir denied { read } for pid=705 comm="servicemanager" name="current" dev="proc" ino=24339 scontext=u:r:servicemanager:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=file denied { open } for pid=705 comm="servicemanager" 
path="/proc/840/attr/current" dev="proc" ino=24339 scontext=u:r:servicemanager:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=file denied { write } for pid=1 comm="init" name="ipa" dev="tmpfs" ino=23659 scontext=u:r:init:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file denied { ioctl } for pid=844 comm="imsdatadaemon" path="socket:[24380]" dev="sockfs" ino=24380 ioctlcmd=c304 scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket denied { read } for pid=6117 comm="android.hardwar" name="msm_fb_panel_info" dev="sysfs" ino=32082 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { search } for pid=6117 comm="android.hardwar" name="c900000.qcom,mdss_rotator" dev="sysfs" ino=22026 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { write } for pid=5870 comm="lowi-server" scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=netlink_socket denied { create } for pid=1116 comm="lowi-server" scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=netlink_generic_socket denied { bind } for pid=1116 comm="lowi-server" scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=netlink_socket denied { setopt } for pid=1116 comm="lowi-server" scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=netlink_socket denied { create } for pid=1116 comm="lowi-server" scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=netlink_socket denied { create } for pid=1116 comm="lowi-server" scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=netlink_generic_socket denied { read } for pid=785 comm="adsprpcd" name="ion" dev="tmpfs" ino=19881 scontext=u:r:adsprpcd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file denied { open } for pid=785 comm="adsprpcd" path="/dev/ion" dev="tmpfs" ino=19881 scontext=u:r:adsprpcd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file denied { read } for pid=785 comm="adsprpcd" name="adsprpc-smd" dev="tmpfs" ino=19979 scontext=u:r:adsprpcd:s0 
tcontext=u:object_r:qdsp_device:s0 tclass=chr_file denied { open } for pid=785 comm="adsprpcd" path="/dev/adsprpc-smd" dev="tmpfs" ino=19979 scontext=u:r:adsprpcd:s0 tcontext=u:object_r:qdsp_device:s0 tclass=chr_file denied { create } for pid=786 comm="cnss_diag" scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0 tclass=netlink_socket denied { bind } for pid=786 comm="cnss_diag" scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0 tclass=netlink_socket denied { search } for pid=786 comm="cnss_diag" name="wifi" dev="sda45" ino=638991 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=dir denied { write } for pid=786 comm="cnss_diag" name="wifi" dev="sda45" ino=638991 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=dir denied { add_name } for pid=786 comm="cnss_diag" name="cnss_diag.conf" scontext=u:r:wcnss_service:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=dir denied { create } for pid=786 comm="cnss_diag" name="cnss_diag.conf" scontext=u:r:wcnss_service:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file denied { search } for pid=809 comm="cnss-daemon" name="msm_subsys" dev="sysfs" ino=16813 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=809 comm="cnss-daemon" name="devices" dev="sysfs" ino=16815 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { write } for pid=1069 comm="tftp_server" name="mpss" dev="sdd3" ino=20 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0 tclass=dir denied { add_name } for pid=1069 comm="tftp_server" name="server_check.txt.rfs_tmp" scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0 tclass=dir denied { remove_name } for pid=1069 comm="tftp_server" name="server_check.txt.rfs_tmp" dev="sdd3" ino=31 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0 tclass=dir denied { ioctl } for pid=788 comm="cnd" path="socket:[24072]" dev="sockfs" 
ino=24072 ioctlcmd=c302 scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=socket denied { create } for pid=788 comm="cnd" scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=socket denied { write } for pid=831 comm="imsqmidaemon" name="property_service" dev="tmpfs" ino=20215 scontext=u:r:ims:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file denied { connectto } for pid=831 comm="imsqmidaemon" path="/dev/socket/property_service" scontext=u:r:ims:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket denied { set } for property=sys.ims.QMI_DAEMON_STATUS pid=831 uid=1000 gid=1001 scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service denied { read } for pid=829 comm="adsprpcd" name="dsp" dev="sda20" ino=360 scontext=u:r:adsprpcd:s0 tcontext=u:object_r:system_file:s0 tclass=dir denied { search } for pid=834 comm="qti" name="msm_subsys" dev="sysfs" ino=16813 scontext=u:r:qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=834 comm="qti" name="devices" dev="sysfs" ino=16815 scontext=u:r:qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { open } for pid=834 comm="qti" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16815 scontext=u:r:qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=834 comm="qti" name="name" dev="sysfs" ino=32454 scontext=u:r:qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { open } for pid=834 comm="qti" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=32454 scontext=u:r:qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { read } for pid=834 comm="qti" name="subsys6" dev="sysfs" ino=48400 scontext=u:r:qti:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { search } for pid=834 comm="qti" name="soc0" dev="sysfs" ino=49100 scontext=u:r:qti:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir denied { read } for pid=834 comm="qti" name="soc_id" dev="sysfs" ino=49104 scontext=u:r:qti:s0 
tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { read } for pid=850 comm="adsprpcd" name="dsp" dev="sda20" ino=360 scontext=u:r:adsprpcd:s0 tcontext=u:object_r:system_file:s0 tclass=dir denied { read write } for pid=856 comm="qti" name="rmnet_ctrl" dev="tmpfs" ino=20972 scontext=u:r:qti:s0 tcontext=u:object_r:rmnet_device:s0 tclass=chr_file denied { open } for pid=856 comm="qti" path="/dev/rmnet_ctrl" dev="tmpfs" ino=20972 scontext=u:r:qti:s0 tcontext=u:object_r:rmnet_device:s0 tclass=chr_file denied { read } for pid=871 comm="cnss-daemon" name="subsys0" dev="sysfs" ino=32462 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { read } for pid=871 comm="cnss-daemon" name="name" dev="sysfs" ino=32454 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { open } for pid=871 comm="cnss-daemon" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=32454 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { search } for pid=854 comm="cnd" name="msm_subsys" dev="sysfs" ino=16813 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=854 comm="cnd" name="devices" dev="sysfs" ino=16815 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { open } for pid=854 comm="cnd" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16815 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=854 comm="cnd" name="subsys0" dev="sysfs" ino=32462 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { read } for pid=854 comm="cnd" name="name" dev="sysfs" ino=32454 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { search } for pid=799 comm="thermal-engine" name="soc0" dev="sysfs" ino=49100 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir denied { read } for 
pid=799 comm="thermal-engine" name="soc_id" dev="sysfs" ino=49104 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { open } for pid=799 comm="thermal-engine" path="/sys/devices/soc0/soc_id" dev="sysfs" ino=49104 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { getattr } for pid=799 comm="thermal-engine" path="/sys/devices/soc0/soc_id" dev="sysfs" ino=49104 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file denied { read write } for pid=799 comm="thermal-engine" name="msm_thermal_query" dev="tmpfs" ino=20974 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:audio_device:s0 tclass=chr_file denied { open } for pid=799 comm="thermal-engine" path="/dev/msm_thermal_query" dev="tmpfs" ino=20974 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:audio_device:s0 tclass=chr_file denied { read } for pid=799 comm="thermal-engine" name="gpu_available_frequencies" dev="sysfs" ino=33232 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { open } for pid=799 comm="thermal-engine" path="/sys/devices/soc/5000000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_available_frequencies" dev="sysfs" ino=33232 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { getattr } for pid=799 comm="thermal-engine" path="/sys/devices/soc/5000000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_available_frequencies" dev="sysfs" ino=33232 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { search } for pid=799 comm="thermal-engine" name="leds" dev="sysfs" ino=27651 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir denied { read } for pid=799 comm="thermal-engine" name="lcd-backlight" dev="sysfs" ino=32041 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file denied { read } for pid=799 comm="thermal-engine" name="max_brightness" dev="sysfs" ino=32043 scontext=u:r:thermal-engine:s0 
tcontext=u:object_r:sysfs_leds:s0 tclass=file denied { open } for pid=799 comm="thermal-engine" path="/sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight/max_brightness" dev="sysfs" ino=32043 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file denied { getattr } for pid=799 comm="thermal-engine" path="/sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight/max_brightness" dev="sysfs" ino=32043 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file denied { read write } for pid=804 comm="thermal-engine" name="system_temp_level" dev="sysfs" ino=48764 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { setuid } for pid=808 comm="cnd" capability=7 scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability denied { read } for pid=809 comm="netmgrd" name="subsys0" dev="sysfs" ino=32462 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { setgid } for pid=809 comm="netmgrd" capability=6 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability denied { setgid } for pid=808 comm="cnd" capability=6 scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability denied { setpcap } for pid=809 comm="netmgrd" capability=8 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability denied { search } for pid=809 comm="netmgrd" name="netmgr" dev="sda45" ino=639036 scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgr_data_file:s0 tclass=dir denied { write } for pid=809 comm="netmgrd" name="netmgr" dev="sda45" ino=639036 scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgr_data_file:s0 tclass=dir denied { add_name } for pid=809 comm="netmgrd" name="log.txt" scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgr_data_file:s0 tclass=dir denied { create } for pid=809 comm="netmgrd" name="log.txt" scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgr_data_file:s0 tclass=file denied { 
read } for pid=808 comm="cnd" name="meminfo" dev="proc" ino=4026532074 scontext=u:r:cnd:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file denied { getattr } for pid=803 comm="android.hardwar" path="/dev/block/sda9" dev="tmpfs" ino=20515 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { read write } for pid=803 comm="android.hardwar" name="sda" dev="tmpfs" ino=20381 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { open } for pid=803 comm="android.hardwar" path="/dev/block/sda" dev="tmpfs" ino=20381 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { getattr } for pid=803 comm="android.hardwar" path="/dev/block/sda3" dev="tmpfs" ino=20491 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { read write } for pid=803 comm="android.hardwar" name="sda" dev="tmpfs" ino=20381 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { open } for pid=803 comm="android.hardwar" path="/dev/block/sda" dev="tmpfs" ino=20381 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file Bug: 34784662 Test: The above denials are no longer present Change-Id: Id13fa6e775fe3a50dd677fc46b2c7c36306a5330 --- sepolicy/adsprpcd.te | 5 +++++ sepolicy/cnd.te | 6 ++++++ sepolicy/device.te | 2 +- sepolicy/file.te | 1 + sepolicy/file_contexts | 9 ++++++++- sepolicy/hal_bluetooth_default.te | 3 +-- sepolicy/hal_bootctl_default.te | 1 + sepolicy/hal_fingerprint.te | 3 ++- sepolicy/hal_graphics_composer_default.te | 11 +++++++++++ sepolicy/ims.te | 5 ++++- sepolicy/init.te | 3 +++ sepolicy/init_radio.te | 2 ++ sepolicy/location.te | 4 ++-- sepolicy/netmgrd.te | 11 +++++++++-- sepolicy/pd_services.te | 10 +++++++++- sepolicy/per_mgr.te | 3 +-- sepolicy/qti.te | 7 +++++++ sepolicy/ramdump.te | 3 ++- sepolicy/rfs_access.te | 7 
++----- sepolicy/rmt_storage.te | 6 +++++- sepolicy/sensors.te | 10 ++++++++-- sepolicy/thermal-engine.te | 9 ++++++++- sepolicy/update_verifier.te | 2 ++ sepolicy/wcnss_service.te | 16 ++++++++++++++-- 24 files changed, 114 insertions(+), 25 deletions(-) create mode 100644 sepolicy/hal_bootctl_default.te create mode 100644 sepolicy/update_verifier.te diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te index 350a1e28..bbf69eab 100644 --- a/sepolicy/adsprpcd.te +++ b/sepolicy/adsprpcd.te @@ -3,6 +3,11 @@ type adsprpcd_exec, exec_type, file_type; init_daemon_domain(adsprpcd) +allow adsprpcd ion_device:chr_file r_file_perms; +allow adsprpcd qdsp_device:chr_file r_file_perms; + +allow adsprpcd system_file:dir r_dir_perms; + userdebug_or_eng(` permissive adsprpcd; ') diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te index 6598f9ad..7bb165f2 100644 --- a/sepolicy/cnd.te +++ b/sepolicy/cnd.te @@ -3,6 +3,12 @@ type cnd_exec, exec_type, file_type; file_type_auto_trans(cnd, socket_device, cnd_socket); +allow cnd self:capability { setgid setuid }; + +allow cnd proc_meminfo:file r_file_perms; + +r_dir_file(cnd, sysfs_msm_subsys) + allow cnd self:socket create_socket_perms; allowxperm cnd self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER; diff --git a/sepolicy/device.te b/sepolicy/device.te index 17d06f9d..f699f253 100644 --- a/sepolicy/device.te +++ b/sepolicy/device.te @@ -1,6 +1,6 @@ type at_device, dev_type; -type bt_device, dev_type; type avtimer_device, dev_type; +type bt_device, dev_type; type diag_device, dev_type, mlstrustedobject; type dsp_device, dev_type; type hbtp_device, dev_type; diff --git a/sepolicy/file.te b/sepolicy/file.te index 046a8020..3d321e09 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te 
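Review bot: `allow adsprpcd system_file:dir r_dir_perms;` in the adsprpcd.te hunk grants directory listing on every system_file-labelled directory, while the denial it answers is a single read on a directory named "dsp" (the log gives no full path, only dev="sda20"). A dedicated type for that directory in file_contexts, used as `r_dir_file(adsprpcd, <dsp_dir_type>)`, would keep the grant to the one directory the daemon actually opens. The two chr_file rules match the read/open denials on /dev/ion and /dev/adsprpc-smd exactly; note that the domain stays permissive on userdebug_or_eng builds, so the listed denials are a log of what it touched rather than a guarantee the set is complete on user builds.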
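Review bot: `r_dir_file(cnd, sysfs_msm_subsys)` in the cnd.te hunk answers the denials on /sys/bus/msm_subsys/devices and the subsys*/name files, but the file_contexts hunk in this same commit widens sysfs_msm_subsys to the whole spmi, mss, lpass, mdss_rotator and kgsl-3d0 sysfs trees, so cnd (and hal_fingerprint through the added `allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;` in hal_fingerprint.te) now reads every node under those trees rather than the handful named in the log. Because sysfs_msm_subsys is already shared by several domains touched here, a separate label for the newly added trees, or a file-level label for the few name/modalias nodes actually read, would keep that surface small. The `self:capability { setgid setuid }` and proc_meminfo grants line up with the logged denials and look fine.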
@@ -1,6 +1,7 @@ type sysfs_camera, sysfs_type, fs_type; type sysfs_fingerprint, sysfs_type, fs_type; type sysfs_graphics, sysfs_type, fs_type; +type sysfs_mdss_mdp_caps, sysfs_type, fs_type; type sysfs_msm_subsys, sysfs_type, fs_type; type sysfs_msm_subsys_restart, sysfs_type, fs_type; type sysfs_net, sysfs_type, fs_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 52779586..90f86eb0 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -51,14 +51,21 @@ # dev block nodes /dev/block/sdd[0-9]+ u:object_r:sdd_block_device:s0 /dev/block/sdf[0-9]+ u:object_r:sdf_block_device:s0 -/dev/block/sda[0-9]+ u:object_r:sda_block_device:s0 +/dev/block/sda[0-9]* u:object_r:sda_block_device:s0 # files in sysfs /sys/class/uio(/.*)? u:object_r:sysfs_uio:s0 +/sys/devices/soc/a1800000\.qcom,rmtfs_rtel_sharedmem(/.*)? u:object_r:sysfs_rmtfs:s0 +/sys/devices/soc/800f000\.qcom,spmi(/.*)? u:object_r:sysfs_msm_subsys:s0 +/sys/devices/soc/4080000\.qcom,mss(/.*)? u:object_r:sysfs_msm_subsys:s0 +/sys/devices/soc/17300000\.qcom,lpass(/.*)? u:object_r:sysfs_msm_subsys:s0 /sys/devices/soc/1d0101c\.qcom,spss(/.*)? u:object_r:sysfs_msm_subsys:s0 /sys/devices/soc/5c00000\.qcom,ssc(/.*)? u:object_r:sysfs_msm_subsys:s0 +/sys/devices/soc/c900000\.qcom,mdss_rotator(/.*)? u:object_r:sysfs_msm_subsys:s0 +/sys/devices/soc/c900000\.qcom,mdss_mdp/caps u:object_r:sysfs_mdss_mdp_caps:s0 /sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0 /sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0 +/sys/devices/soc/5000000\.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_msm_subsys:s0 /sys/devices/soc/soc:qcom,kgsl-hyp(/.*)? u:object_r:sysfs_msm_subsys:s0 /sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)? u:object_r:sysfs_msm_subsys:s0 /sys/devices/soc/cce0000\.qcom,venus(/.*)? u:object_r:sysfs_msm_subsys:s0 
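Review bot: Loosening `/dev/block/sda[0-9]+` to `/dev/block/sda[0-9]*` in file_contexts makes the pattern also match the bare `/dev/block/sda` node, so the whole-disk device now carries the same `sda_block_device` label as every sda partition. Every domain with blk_file access to that type (hal_bootctl_default and update_verifier get rw in this same patch, ramdump already has it) therefore also reaches the raw disk rather than just its partitions. If only the boot-control HAL needs the disk node, a dedicated type for it would keep the partition grants narrower, e.g. `/dev/block/sda u:object_r:sda_disk_device:s0` listed before the partition pattern, with a matching `type sda_disk_device, dev_type;` in device.te. At minimum the line deserves a comment saying which domain opens the bare node, since the regex change is easy to read as a typo.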
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te index 70a197d0..231afd0b 100644 --- a/sepolicy/hal_bluetooth_default.te +++ b/sepolicy/hal_bluetooth_default.te @@ -1,3 +1,2 @@ -get_prop(hal_bluetooth_default, wc_prop) - allow hal_bluetooth_default bt_device:chr_file rw_file_perms; +set_prop(hal_bluetooth_default, wc_prop) diff --git a/sepolicy/hal_bootctl_default.te b/sepolicy/hal_bootctl_default.te new file mode 100644 index 00000000..63741aed --- /dev/null +++ b/sepolicy/hal_bootctl_default.te @@ -0,0 +1 @@ +allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; diff --git a/sepolicy/hal_fingerprint.te b/sepolicy/hal_fingerprint.te index 452c0d22..26d03a73 100644 --- a/sepolicy/hal_fingerprint.te +++ b/sepolicy/hal_fingerprint.te @@ -1,8 +1,9 @@ binder_use(hal_fingerprint) -allow hal_fingerprint sysfs_fingerprint:file rw_file_perms; allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms; +allow hal_fingerprint sysfs_fingerprint:file rw_file_perms; allow hal_fingerprint sysfs_msm_subsys:dir search; +allow hal_fingerprint sysfs_msm_subsys:file r_file_perms; allow hal_fingerprint tee_device:file rw_file_perms; allow hal_fingerprint tee_device:chr_file rw_file_perms; allow hal_fingerprint uhid_device:chr_file w_file_perms; diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te index 0113981e..8e1e9fd8 100644 --- a/sepolicy/hal_graphics_composer_default.te +++ b/sepolicy/hal_graphics_composer_default.te 
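Review bot: The only semantic change in hal_bluetooth_default.te is swapping `get_prop(hal_bluetooth_default, wc_prop)` for `set_prop(hal_bluetooth_default, wc_prop)`, and the hunk gives no hint why the Bluetooth HAL needs to write wc_ (WCNSS) properties rather than read them. Dropping the get_prop line is fine as far as I recall the AOSP macro (`set_prop` expands to the set permission plus get_prop), but a write grant on a property namespace shared with the WLAN service should be explained. Suggest a comment above the line naming the property it sets, e.g. `# writes wc_* transport state during BT bring-up (confirm property name)`.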
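Review bot: `allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;` gives the boot-control HAL write access to every node labelled sda_block_device, i.e. all sda partitions, while the denials quoted in the commit message show it opening only the bare `/dev/block/sda` node read/write and doing getattr on the partition nodes. If the HAL really writes only the disk node (presumably to flip slot attributes in the partition table), the write half of this grant on partitions is surplus; splitting the disk node into its own type, or at least a comment such as `# opens /dev/block/sda rw to update slot attributes; only getattr on partitions`, would record that. The new file has no header comment at all, so the next reader has nothing to go on.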
@@ -4,5 +4,16 @@ binder_service(hal_graphics_composer_default) binder_use(hal_graphics_composer_default) allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find }; +allow hal_graphics_composer_default sysfs_camera:dir search; +allow hal_graphics_composer_default sysfs_camera:file r_file_perms; +allow hal_graphics_composer_default sysfs_msm_subsys:dir search; +allow hal_graphics_composer_default sysfs_msm_subsys:file r_file_perms; +allow hal_graphics_composer_default sysfs_mdss_mdp_caps:file r_file_perms; + +r_dir_file(hal_graphics_composer_default, sysfs_leds) + # HWC_UeventThread allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +# Access /sys/devices/virtual/graphics/fb0 +r_dir_file(hal_graphics_composer_default, sysfs_type) diff --git a/sepolicy/ims.te b/sepolicy/ims.te index f834e163..56140ff9 100644 --- a/sepolicy/ims.te +++ b/sepolicy/ims.te @@ -4,10 +4,13 @@ type ims_exec, exec_type, file_type; init_daemon_domain(ims) net_domain(ims) +allow ims sysfs_soc:dir search; +allow ims sysfs_soc:file r_file_perms; + allow ims self:socket create_socket_perms; allow ims self:netlink_generic_socket create_socket_perms_no_ioctl; allow ims netmgrd_socket:sock_file w_file_perms; allowxperm ims self:socket ioctl msm_sock_ipc_ioctls; allowxperm ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED; -r_dir_file(ims, sysfs_msm_subsys); +r_dir_file(ims, sysfs_msm_subsys) diff --git a/sepolicy/init.te b/sepolicy/init.te index 0a74d3be..4d0e636d 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1,5 +1,6 @@ # symlink /sdcard to backing block allow init tmpfs:lnk_file create; +allow init configfs:lnk_file create; allow init configfs:lnk_file create; 
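Review bot: `r_dir_file(hal_graphics_composer_default, sysfs_type)` at the end of the hunk grants read on every type carrying the sysfs_type attribute — effectively all of sysfs — which is far wider than the `/sys/devices/virtual/graphics/fb0` the comment above it names. file.te already declares `sysfs_graphics` as a sysfs_type; if that type is not yet bound to this path, labelling it in file_contexts (`/sys/devices/virtual/graphics(/.*)? u:object_r:sysfs_graphics:s0`) and granting `r_dir_file(hal_graphics_composer_default, sysfs_graphics)` instead keeps the scope to the display nodes. With the blanket rule in place the five specific sysfs_camera / sysfs_msm_subsys / sysfs_mdss_mdp_caps lines added just above it are redundant, which suggests the broad rule was a fallback rather than the intent. The sysfs_camera read for a display HAL is also surprising and deserves a comment on which node it reads.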
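Review bot: The added `allow init configfs:lnk_file create;` in init.te is, as rendered, byte-identical to the context line immediately after it, so this hunk grants nothing new; duplicate allow rules compile, but this reads like a copy-paste slip. If a different rule was intended at this spot, please double-check what was meant to go here; otherwise drop the added line so the policy does not carry a dead duplicate.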
@@ -7,6 +8,8 @@ allow init self:capability sys_module; allow init system_file:system module_load; allow init firmware_file:dir mounton; allow init configfs:file w_file_perms; + allow init tty_device:chr_file rw_file_perms; +allow init ipa_dev:chr_file w_file_perms; allow init persist_file:dir mounton; diff --git a/sepolicy/init_radio.te b/sepolicy/init_radio.te index 178828d0..a464f6bd 100644 --- a/sepolicy/init_radio.te +++ b/sepolicy/init_radio.te @@ -4,7 +4,9 @@ type init_radio_exec, exec_type, file_type; init_daemon_domain(init_radio) +allow init_radio shell_exec:file r_file_perms; allow init_radio toolbox_exec:file rx_file_perms; + allow init_radio radio_data_file:dir create_dir_perms; allow init_radio radio_data_file:file create_file_perms; diff --git a/sepolicy/location.te b/sepolicy/location.te index dc862410..b3c34d05 100644 --- a/sepolicy/location.te +++ b/sepolicy/location.te @@ -18,8 +18,8 @@ allow location location_data_file:dir w_dir_perms; allow location location_data_file:sock_file create_file_perms; allow location self:netlink_route_socket create_socket_perms_no_ioctl; -allow location self:netlink_generic_socket rw_socket_perms_no_ioctl; -allow location self:netlink_socket read; +allow location self:netlink_generic_socket create_socket_perms_no_ioctl; +allow location self:netlink_socket create_socket_perms_no_ioctl; allow location self:socket create_socket_perms; allow location self:udp_socket create_socket_perms; allowxperm location self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER; diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te index a5f2f0cf..e6c16a6f 100644 --- a/sepolicy/netmgrd.te +++ b/sepolicy/netmgrd.te 
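Review bot: `allow init_radio shell_exec:file r_file_perms;` grants reading the shell binary but not executing it, which is an odd grant for an executable: if init_radio actually runs a shell script it needs `rx_file_perms` (matching the `toolbox_exec:file rx_file_perms` line directly below), and if it only spawns toolbox then a bare read on shell_exec is probably a side effect of something else and should not be granted blindly. Either way a comment naming the script or command that triggers the access, e.g. `# reads /system/bin/sh when ... (confirm)`, would let a later reviewer judge whether read-only is really what is wanted.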
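Review bot: Replacing `allow location self:netlink_socket read;` with `create_socket_perms_no_ioctl` lets the location daemon create sockets in the catch-all `netlink_socket` class, which covers every netlink protocol that has no class of its own; the parallel widening on `netlink_generic_socket` is less of a concern because that class is protocol-specific. Nothing in the hunk says which protocol needs the generic class, so the grant cannot be narrowed later. Suggest a comment on the line naming it, e.g. `# NETLINK_<proto> used for ... (confirm)`, and if the protocol turns out to have its own class on this kernel, use that class instead.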
@@ -13,6 +13,7 @@ allow netmgrd netmgrd_socket:dir w_dir_perms; allow netmgrd netmgrd_socket:sock_file { create setattr }; allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write }; allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl; +allow netmgrd self:netlink_route_socket nlmsg_write; allow netmgrd self:netlink_socket create_socket_perms_no_ioctl; allow netmgrd self:socket create_socket_perms; allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls; @@ -24,12 +25,18 @@ allow netmgrd sysfs_soc:file r_file_perms; allow netmgrd sysfs_msm_subsys:dir r_dir_perms; allow netmgrd sysfs_msm_subsys:file r_file_perms; +r_dir_file(netmgrd, sysfs_msm_subsys) + +wakelock_use(netmgrd) + allow netmgrd proc_net:file rw_file_perms; allow netmgrd net_data_file:dir r_dir_perms; -allow netmgrd netmgr_data_file:file rw_file_perms; +allow netmgrd net_data_file:file r_file_perms; +allow netmgrd netmgr_data_file:dir rw_dir_perms; +allow netmgrd netmgr_data_file:file create_file_perms; allow netmgrd system_file:file execute_no_trans; -allow netmgrd self:capability { net_admin net_raw setuid }; +allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid }; allow netmgrd toolbox_exec:file rx_file_perms; diff --git a/sepolicy/pd_services.te b/sepolicy/pd_services.te index 5f41e178..6cfcec28 100644 --- a/sepolicy/pd_services.te +++ b/sepolicy/pd_services.te @@ -3,7 +3,15 @@ type pd_mapper, domain; type pd_mapper_exec, exec_type, file_type; init_daemon_domain(pd_mapper); -allow pd_mapper self:socket rw_socket_perms_no_ioctl; +allow pd_mapper self:capability { setgid setpcap setuid net_bind_service }; + +allow pd_mapper firmware_file:dir r_dir_perms; +allow pd_mapper firmware_file:file r_file_perms; + +allow pd_mapper self:socket create_socket_perms; +allowxperm pd_mapper self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT; + +r_dir_file(pd_mapper, sysfs_msm_subsys) userdebug_or_eng(` permissive pd_mapper; 
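Review bot: `r_dir_file(netmgrd, sysfs_msm_subsys)` is added directly under the two explicit lines `allow netmgrd sysfs_msm_subsys:dir r_dir_perms;` and `allow netmgrd sysfs_msm_subsys:file r_file_perms;` that it already subsumes, so one of the two forms should go (the macro also adds lnk_file read, which may be the real reason for it — worth saying so). The capability line grows by `setgid setpcap`; setpcap lets a root daemon reshape its capability sets and is normally only needed to drop privileges at startup, and that should be stated, e.g. `# setuid/setgid/setpcap: drop root after startup (confirm target uid)`. The netmgr_data_file grant also widens from `file rw_file_perms` to `dir rw_dir_perms` plus `file create_file_perms`, which is reasonable for a daemon that writes its own state but likewise has no comment.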
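Review bot: The new `allow pd_mapper self:capability { setgid setpcap setuid net_bind_service };` is the broadest line in the pd_services.te hunk and carries no comment. net_bind_service on a daemon whose only socket use is the IPC-router control port (the `allowxperm ... IPC_ROUTER_IOCTL_BIND_CONTROL_PORT` two lines below) is presumably what binding that control port requires, and setpcap/setuid/setgid presumably for dropping root, but none of that is stated. A one-line comment per capability, e.g. `# net_bind_service: IPC router control-port bind; setuid/setgid/setpcap: drop privileges (confirm)`, would let a later reviewer judge whether each is still needed. Replacing `rw_socket_perms_no_ioctl` with `create_socket_perms` plus a single whitelisted ioctl is the right shape.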
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te index 6cba2eb1..b37d1cc0 100644 --- a/sepolicy/per_mgr.te +++ b/sepolicy/per_mgr.te @@ -13,13 +13,12 @@ allow per_mgr self:capability net_bind_service; allow per_mgr firmware_file:file r_file_perms; allow per_mgr firmware_file:dir search; -allow per_mgr sysfs_msm_subsys:lnk_file r_file_perms; -allow per_mgr sysfs_msm_subsys:dir r_dir_perms; allow per_mgr self:socket create_socket_perms; allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls; allow per_mgr ssr_device:chr_file { open read }; +r_dir_file(per_mgr, sysfs_msm_subsys) r_dir_file(per_mgr, sysfs) userdebug_or_eng(` diff --git a/sepolicy/qti.te b/sepolicy/qti.te index d8f2e98e..bcebc2ff 100644 --- a/sepolicy/qti.te +++ b/sepolicy/qti.te @@ -4,9 +4,16 @@ type qti_exec, exec_type, file_type; init_daemon_domain(qti) net_domain(qti) +allow qti sysfs_soc:dir search; +allow qti sysfs_soc:file r_file_perms; + +allow qti rmnet_device:chr_file rw_file_perms; + allow qti self:socket create_socket_perms; allowxperm qti self:socket ioctl msm_sock_ipc_ioctls; +r_dir_file(qti, sysfs_msm_subsys) + userdebug_or_eng(` permissive qti; ') diff --git a/sepolicy/ramdump.te b/sepolicy/ramdump.te index 2559f4cb..62a98b82 100644 --- a/sepolicy/ramdump.te +++ b/sepolicy/ramdump.te @@ -7,8 +7,9 @@ userdebug_or_eng(` allow ramdump self:capability sys_rawio; allow ramdump sda_block_device:blk_file rw_file_perms; - allow ramdump ramdump_data_file:file rw_file_perms; + allow ramdump sdd_block_device:blk_file rw_file_perms; allow ramdump ramdump_data_file:dir w_dir_perms; + allow ramdump ramdump_data_file:file create_file_perms; # read from /fstab.taimen allow ramdump rootfs:file r_file_perms; diff --git a/sepolicy/rfs_access.te b/sepolicy/rfs_access.te index fda7a3cf..389775c2 100644 --- a/sepolicy/rfs_access.te +++ b/sepolicy/rfs_access.te 
@@ -4,9 +4,9 @@ type rfs_access_exec, exec_type, file_type; init_daemon_domain(rfs_access) #For tftp server -allow rfs_access self:capability { setgid setuid }; +allow rfs_access self:capability { chown setgid setpcap setuid net_bind_service }; -allow rfs_access sysfs_wake_lock:file w_file_perms; +wakelock_use(rfs_access) # For tftp server file access allow rfs_access firmware_file:file r_file_perms; @@ -14,9 +14,6 @@ allow rfs_access firmware_file:dir search; allow rfs_access persist_file:file create_file_perms; allow rfs_access persist_file:dir rw_dir_perms; -allow rfs_access self:capability { chown setpcap }; -allow rfs_access self:capability2 { block_suspend }; - allow rfs_access self:socket create_socket_perms_no_ioctl; userdebug_or_eng(` diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te index 06d72e69..ad7dc991 100644 --- a/sepolicy/rmt_storage.te +++ b/sepolicy/rmt_storage.te @@ -13,12 +13,16 @@ allow rmt_storage uio_device:chr_file rw_file_perms; allow rmt_storage sysfs_uio:dir r_dir_perms; allow rmt_storage sysfs_uio:lnk_file r_file_perms; + +allow rmt_storage sysfs_rmtfs:dir search; allow rmt_storage sysfs_rmtfs:file r_file_perms; allow rmt_storage sysfs_rmtfs:dir search; +allow rmt_storage debugfs_rmt_storage:dir search; allow rmt_storage debugfs_rmt_storage:file w_file_perms; -allow rmt_storage self:socket create_socket_perms_no_ioctl; +allow rmt_storage self:socket create_socket_perms; +allowxperm rmt_storage self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT; userdebug_or_eng(` permissive rmt_storage; diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te index 9c1c508a..78b32012 100644 --- a/sepolicy/sensors.te +++ b/sepolicy/sensors.te 
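Review bot: The added `allow rmt_storage sysfs_rmtfs:dir search;` duplicates the identical context line two lines below it in the same hunk, so the added copy should be dropped. The rest of the hunk is sound: socket perms widen from `create_socket_perms_no_ioctl` to `create_socket_perms`, but the ioctl surface stays pinned by `allowxperm rmt_storage self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;`.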
@@ -4,13 +4,19 @@ type sensors_exec, exec_type, file_type; init_daemon_domain(sensors) -allow sensors self:socket create_socket_perms; -allowxperm sensors self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT; +allow sensors self:capability { setgid setuid }; +allow sensors self:socket create_socket_perms; +allowxperm sensors self:socket ioctl msm_sock_ipc_ioctls; + +allow sensors persist_sensors_file:dir r_dir_perms; allow sensors persist_sensors_file:file rw_file_perms; allow sensors persist_sensors_file:dir r_dir_perms; allow sensors persist_file:dir getattr; +allow sensors system_file:dir r_dir_perms; +allow sensors sensors_device:chr_file r_file_perms; + r_dir_file(sensors, sysfs_msm_subsys) userdebug_or_eng(` diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te index 4a799f5d..7e7df228 100644 --- a/sepolicy/thermal-engine.te +++ b/sepolicy/thermal-engine.te @@ -8,13 +8,20 @@ allow thermal-engine self:capability2 block_suspend; # to read /sys/devices allow thermal-engine sysfs:dir r_dir_perms; +allow thermal-engine sysfs_msm_subsys:file r_file_perms; +allow thermal-engine sysfs_msm_subsys:file rw_file_perms; +allow thermal-engine sysfs_soc:dir search; +allow thermal-engine sysfs_soc:file r_file_perms; allow thermal-engine sysfs_thermal:dir r_dir_perms; allow thermal-engine sysfs_thermal:file rw_file_perms; allow thermal-engine sysfs_rmtfs:file r_file_perms; -r_dir_file(thermal-engine, sysfs_uio) +allow thermal-engine audio_device:chr_file rw_file_perms; + +r_dir_file(thermal-engine, sysfs_leds) r_dir_file(thermal-engine, sysfs_msm_subsys) +r_dir_file(thermal-engine, sysfs_uio) allow thermal-engine self:socket create_socket_perms; allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls; diff --git a/sepolicy/update_verifier.te b/sepolicy/update_verifier.te new file mode 100644 index 00000000..b7021a99 --- /dev/null +++ b/sepolicy/update_verifier.te 
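Review bot: The added `allow sensors persist_sensors_file:dir r_dir_perms;` duplicates the context line two lines below it, so one copy should go. More importantly, the ioctl whitelist on `self:socket` widens from the single `IPC_ROUTER_IOCTL_BIND_CONTROL_PORT` to the whole `msm_sock_ipc_ioctls` set; if only one further ioctl was denied it would be tighter to list it explicitly, e.g. `allowxperm sensors self:socket ioctl { IPC_ROUTER_IOCTL_BIND_CONTROL_PORT IPC_ROUTER_IOCTL_LOOKUP_SERVER };` (substituting whichever ioctl was actually hit), rather than the full macro. The new `setgid setuid` capabilities should get a comment saying what uid the daemon drops to, as the other daemons in this change also lack.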
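Review bot: The thermal-engine hunk adds both `allow thermal-engine sysfs_msm_subsys:file r_file_perms;` and `allow thermal-engine sysfs_msm_subsys:file rw_file_perms;` on consecutive lines, and the existing `r_dir_file(thermal-engine, sysfs_msm_subsys)` below already covers the read, so only the rw line does anything and the read line is dead. Write access to every node under sysfs_msm_subsys is a wide grant for a thermal daemon — this patch's file_contexts hunk maps the spmi, mss, lpass, kgsl-3d0 and mdss_rotator trees to that type alongside the existing venus and others — so if it writes only one or two specific nodes, a dedicated type for them would be safer, and at minimum a comment should say which ones. `allow thermal-engine audio_device:chr_file rw_file_perms;` is equally unexplained; a thermal daemon opening the audio device read/write needs a comment naming the node and the reason.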
@@ -0,0 +1,2 @@ +allow update_verifier block_device:dir r_dir_perms; +allow update_verifier sda_block_device:blk_file rw_file_perms; diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te index 45dfa811..ff5ffb76 100644 --- a/sepolicy/wcnss_service.te +++ b/sepolicy/wcnss_service.te @@ -4,14 +4,26 @@ type wcnss_service_exec, exec_type, file_type; init_daemon_domain(wcnss_service) net_domain(wcnss_service) +binder_use(wcnss_service) +binder_call(wcnss_service, per_mgr) + allow wcnss_service shell_exec:file rx_file_perms; allow wcnss_service toolbox_exec:file rx_file_perms; allow wcnss_service proc_net:file w_file_perms; allow wcnss_service self:socket create_socket_perms; -allowxperm wcnss_service self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER; -allow wcnss_service self:netlink_socket read; +allowxperm wcnss_service self:socket ioctl msm_sock_ipc_ioctls; +allow wcnss_service self:netlink_generic_socket create_socket_perms_no_ioctl; +allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl; + +allow wcnss_service wifi_data_file:dir rw_dir_perms; +allow wcnss_service wifi_data_file:file create_file_perms; + +r_dir_file(wcnss_service, sysfs_msm_subsys) + +allow wcnss_service sysfs_soc:dir search; +allow wcnss_service sysfs_soc:file r_file_perms; userdebug_or_eng(` permissive wcnss_service;
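Review bot: `allow update_verifier sda_block_device:blk_file rw_file_perms;` grants write access to every sda partition node (and, with this patch's file_contexts change, the bare `/dev/block/sda` disk node) to a daemon whose job is to read back updated partitions and verify them. As far as I recall the AOSP update_verifier opens the block device read-only, so unless a write denial was actually observed `allow update_verifier sda_block_device:blk_file r_file_perms;` should be enough. The new file would also benefit from a header comment naming the partitions it reads.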
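Review bot: In wcnss_service.te the ioctl whitelist on `self:socket` is widened from the single `IPC_ROUTER_IOCTL_LOOKUP_SERVER` to the full `msm_sock_ipc_ioctls` set, and `self:netlink_socket` goes from `read` to `create_socket_perms_no_ioctl` on the catch-all class, with no comment on which ioctl or netlink protocol was missing. If one specific ioctl was denied, listing it alongside LOOKUP_SERVER keeps the surface explicit, and a `# NETLINK_<proto> for ...` comment would let the generic netlink grant be narrowed if that protocol ever gets its own class. The new `binder_call(wcnss_service, per_mgr)` and the `wifi_data_file` dir/file create grants are plausible for a WLAN bring-up service but deserve a one-line comment each as well.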