From 28511cb3df9d63809be5fdf9095cce57050016dd Mon Sep 17 00:00:00 2001 From: Sunmeet Gill Date: Wed, 21 Jun 2017 16:05:39 -0700 Subject: [PATCH 1/2] sepolicy: Separate system partition sepolicy and hal macros from vendor partition Test: VoLTE, VT & VoWiFi on Vzw and T-Mobile SIM cards Bug: 62574674 Change-Id: Icf764bf353bbdfb7831f5ea8528414a271525c63 --- sepolicy/private/dataservice_app.te | 21 +++++++++++++++++++++ sepolicy/private/radio.te | 1 + sepolicy/private/service.te | 2 ++ sepolicy/private/service_contexts | 2 ++ sepolicy/public/dataservice_app.te | 1 + sepolicy/public/hwservice.te | 2 ++ sepolicy/vendor/dataservice_app.te | 17 ----------------- sepolicy/vendor/hwservice.te | 4 +--- sepolicy/vendor/radio.te | 1 - sepolicy/vendor/service.te | 2 -- sepolicy/vendor/service_contexts | 2 -- 11 files changed, 30 insertions(+), 25 deletions(-) create mode 100644 sepolicy/private/dataservice_app.te create mode 100644 sepolicy/private/radio.te create mode 100644 sepolicy/private/service.te create mode 100644 sepolicy/public/dataservice_app.te create mode 100644 sepolicy/public/hwservice.te diff --git a/sepolicy/private/dataservice_app.te b/sepolicy/private/dataservice_app.te new file mode 100644 index 00000000..cb3d0693 --- /dev/null +++ b/sepolicy/private/dataservice_app.te @@ -0,0 +1,21 @@ +typeattribute dataservice_app coredomain; +app_domain(dataservice_app) +net_domain(dataservice_app) + +add_service(dataservice_app, cne_service) +add_service(dataservice_app, uce_service) +allow dataservice_app { + app_api_service + system_api_service + audioserver_service + radio_service +}:service_manager find; + +allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find; +allow dataservice_app hal_cne_hwservice:hwservice_manager find; + +allow dataservice_app system_app_data_file:dir create_dir_perms; +allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms; + +hwbinder_use(dataservice_app) + diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te new file mode 100644 index 00000000..9e505223 --- /dev/null +++ b/sepolicy/private/radio.te @@ -0,0 +1 @@ +allow radio uce_service:service_manager find; diff --git a/sepolicy/private/service.te b/sepolicy/private/service.te new file mode 100644 index 00000000..d6581237 --- /dev/null +++ b/sepolicy/private/service.te @@ -0,0 +1,2 @@ +type cne_service, service_manager_type; +type uce_service, service_manager_type; diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts index 5a25d1ef..3e53f9a5 100644 --- a/sepolicy/private/service_contexts +++ b/sepolicy/private/service_contexts @@ -1 +1,3 @@ qti.ims.ext u:object_r:radio_service:s0 +cneservice u:object_r:cne_service:s0 +uce u:object_r:uce_service:s0 diff --git a/sepolicy/public/dataservice_app.te b/sepolicy/public/dataservice_app.te new file mode 100644 index 00000000..8c8d82fa --- /dev/null +++ b/sepolicy/public/dataservice_app.te @@ -0,0 +1 @@ +type dataservice_app, domain; \ No newline at end of file diff --git a/sepolicy/public/hwservice.te b/sepolicy/public/hwservice.te new file mode 100644 index 00000000..73653011 --- /dev/null +++ b/sepolicy/public/hwservice.te @@ -0,0 +1,2 @@ +type hal_cne_hwservice, hwservice_manager_type; +type hal_imsrcsd_hwservice, hwservice_manager_type; diff --git a/sepolicy/vendor/dataservice_app.te b/sepolicy/vendor/dataservice_app.te index 62156586..1cb94e3c 100644 --- a/sepolicy/vendor/dataservice_app.te +++ b/sepolicy/vendor/dataservice_app.te @@ -1,25 +1,8 @@ -#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674) -type dataservice_app, domain, coredomain; -app_domain(dataservice_app) -net_domain(dataservice_app) - get_prop(dataservice_app, cnd_prop) -add_service(dataservice_app, cne_service) -add_service(dataservice_app, uce_service) -allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find; r_dir_file(dataservice_app, sysfs_msm_subsys) -#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674) -allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find; -#TODO remove the following 2 if dataservice is moved out of system as part of b/38043081 -allow dataservice_app system_app_data_file:dir create_dir_perms; -allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms; - -#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674) -allow dataservice_app hal_cne_hwservice:hwservice_manager find; binder_call(dataservice_app, cnd) -hwbinder_use(dataservice_app) # imsrcsd to bind with UceShimService.apk binder_call(dataservice_app, hal_rcsservice) diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te index 91901c7d..4a1ae5f8 100644 --- a/sepolicy/vendor/hwservice.te +++ b/sepolicy/vendor/hwservice.te @@ -1,6 +1,4 @@ type vnd_ims_radio_hwservice, hwservice_manager_type; type vnd_qcrilhook_hwservice, hwservice_manager_type; type hal_imsrtp_hwservice, hwservice_manager_type; -#TODO Move the following 2 types public SE policy (b/62574674) -type hal_cne_hwservice, hwservice_manager_type; -type hal_imsrcsd_hwservice, hwservice_manager_type; +type hal_ipacm_hwservice, hwservice_manager_type; diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te index 36c9050c..2beb473c 100644 --- a/sepolicy/vendor/radio.te +++ b/sepolicy/vendor/radio.te @@ -15,7 +15,6 @@ allow radio hal_imsrtp_hwservice:hwservice_manager find; add_service(radio, radio_service) allow radio { - uce_service mediaextractor_service mediacodec_service }:service_manager find; diff --git a/sepolicy/vendor/service.te b/sepolicy/vendor/service.te index 5e9b4c13..2b24fe4b 100644 --- a/sepolicy/vendor/service.te +++ b/sepolicy/vendor/service.te @@ -1,3 +1 @@ -type cne_service, service_manager_type; -type uce_service, service_manager_type; type imsuce_service, service_manager_type; diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts index ac1da934..ad75ea18 100644 --- a/sepolicy/vendor/service_contexts +++ b/sepolicy/vendor/service_contexts @@ -1,5 +1,3 @@ rcs u:object_r:radio_service:s0 -cneservice u:object_r:cne_service:s0 com.fingerprints.extension.IFingerprintNavigation u:object_r:fingerprint_service:s0 -uce u:object_r:uce_service:s0 com.qualcomm.qti.uceservice u:object_r:imsuce_service:s0 From 06f2fdfb7e2d21a41dc1d59d6adb91f0d55fbddd Mon Sep 17 00:00:00 2001 From: Jayachandran C Date: Wed, 5 Jul 2017 18:45:49 -0700 Subject: [PATCH 2/2] Fix netmgrd crash recovery denials This change fixes the following denials auditd : type=1400 audit(0.0:30032): avc: denied { unlink } for comm="netmgrd" name="netmgr_connect_socket" dev="tmpfs" ino=31621 scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgrd_socket:s0 tclass=sock_file permissive=0 auditd : type=1400 audit(0.0:35887): avc: denied { search } for comm="netmgrd" name="diagchar" dev="sysfs" ino=26926 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=0 Test: Force crashed netmgrd and validated data working Bug: 63360347 Change-Id: I45a49628b486cb264e07037cfa8397e381f72a00 --- sepolicy/vendor/netmgrd.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te index 41c3c4f7..af09105a 100644 --- a/sepolicy/vendor/netmgrd.te +++ b/sepolicy/vendor/netmgrd.te @@ -11,7 +11,7 @@ set_prop(netmgrd, net_rmnet_prop) unix_socket_connect(netmgrd, netd, netd) allow netmgrd netmgrd_socket:dir w_dir_perms; -allow netmgrd netmgrd_socket:sock_file { create setattr }; +allow netmgrd netmgrd_socket:sock_file create_file_perms; allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write }; allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl; allow netmgrd self:netlink_route_socket nlmsg_write; @@ -38,6 +38,9 @@ domain_auto_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper) #Allow diag logging allow netmgrd sysfs_timestamp_switch:file { read open }; +userdebug_or_eng(` + r_dir_file(netmgrd, sysfs_diag) +') #Ignore if device loading for private IOCTL failed dontaudit netmgrd kernel:system { module_request };