Add sepolicy for CHRE

Add SELinux domain for CHRE daemon, and grant permissions based on the
following audit output:

type=1400 audit(5568588.679:16): avc: denied { read } for pid=707
comm="chre" name="ion" dev="tmpfs" ino=21569 scontext=u:r:chre:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

type=1400 audit(5568588.679:17): avc: denied { open } for pid=707
comm="chre" path="/dev/ion" dev="tmpfs" ino=21569 scontext=u:r:chre:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

type=1400 audit(5568588.679:18): avc: denied { read } for pid=707
comm="chre" name="adsprpc-smd" dev="tmpfs" ino=21668
scontext=u:r:chre:s0 tcontext=u:object_r:qdsp_device:s0 tclass=chr_file
permissive=1

type=1400 audit(5568588.679:19): avc: denied { open } for pid=707
comm="chre" path="/dev/adsprpc-smd" dev="tmpfs" ino=21668
scontext=u:r:chre:s0 tcontext=u:object_r:qdsp_device:s0 tclass=chr_file
permissive=1

type=1400 audit(5568588.679:20): avc: denied { ioctl } for pid=707
comm="chre" path="/dev/adsprpc-smd" dev="tmpfs" ino=21668 ioctlcmd=5208
scontext=u:r:chre:s0 tcontext=u:object_r:qdsp_device:s0 tclass=chr_file
permissive=1

type=1400 audit(5568588.729:24): avc: denied { read } for pid=707
comm="chre" name="dsp" dev="sda20" ino=381 scontext=u:r:chre:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Test: run chre, confirm no denials in log
Change-Id: Ibd61dfa3d286e17561feffeef7afbc2bfec867ce
Brian Duddie
2017-03-28 16:52:59 -07:00
parent c25557a7dd
commit 4efae5dab1
2 changed files with 12 additions and 0 deletions

sepolicy/chre.te Normal file

@@ -0,0 +1,11 @@
# This daemon loads the Context Hub Runtime Environment (CHRE) dynamic modules
# onto the SLPI using FastRPC, and exposes a sockets interface for clients on
# the applications processor to interact CHRE
type chre, domain;
type chre_exec, exec_type, file_type;
init_daemon_domain(chre)
allow chre ion_device:chr_file { open read };
allow chre qdsp_device:chr_file { ioctl open read };
allow chre system_file:dir read;
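Review bot: `allow chre qdsp_device:chr_file { ioctl open read };` grants every ioctl on the DSP device, while the only denial quoted in the commit message is for a single command (ioctlcmd=5208); pairing the rule with an extended-permission rule such as `allowxperm chre qdsp_device:chr_file ioctl { 0x5208 };` (the audit value appears to be printed in hex by this kernel — confirm against the FastRPC driver's ioctl definitions) keeps the domain to the commands it actually uses. The header comment also says the daemon exposes a sockets interface for clients, yet no socket-related rules appear in this file, so the allow set was evidently derived from a single startup run; a comment such as `# Rules below cover daemon startup only; socket clients may surface further denials` would tell the next maintainer where the list came from. Minor wording in the header: `# the applications processor to interact with CHRE`.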


@@ -129,6 +129,7 @@
/vendor/bin/qmuxd u:object_r:qmuxd_exec:s0
/vendor/bin/cnd u:object_r:cnd_exec:s0
/vendor/bin/hw/android\.hardware\.usb@1\.0-service.device u:object_r:hal_usb_default_exec:s0
/vendor/bin/chre u:object_r:chre_exec:s0
# data files
/data/misc/radio(/.*)? u:object_r:radio_data_file:s0