Merge "Adding allows to handle boot and runtime denials" into oc-dev

2026-02-01 07:50:47 +00:00 · 2017-03-29 19:57:16 +00:00
parent 5182fda3a2 6dd9019412
commit 69c0497447
11 changed files with 37 additions and 13 deletions
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -3,14 +3,23 @@ type cnd_exec, exec_type, file_type;

 file_type_auto_trans(cnd, socket_device, cnd_socket);

-allow cnd self:capability { setgid setuid };
+allow cnd self:capability { chown fsetid setgid setuid };
+
+allow cnd self:udp_socket create_socket_perms;
+allowxperm cnd self:udp_socket ioctl SIOCGIFMTU;
+
+allow cnd wpa_socket:dir w_dir_perms;
+allow cnd wpa_socket:sock_file create_file_perms;
+
+allow cnd sysfs_soc:dir search;
+allow cnd sysfs_soc:file r_file_perms;

 allow cnd proc_meminfo:file r_file_perms;

 r_dir_file(cnd, sysfs_msm_subsys)

 allow cnd self:socket create_socket_perms;
-allowxperm cnd self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
+allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;

 init_daemon_domain(cnd)

--- a/sepolicy/hal_camera.te
+++ b/sepolicy/hal_camera.te
@@ -12,6 +12,8 @@ allow hal_camera self:capability sys_nice;

 allow hal_camera gpu_device:chr_file rw_file_perms;

+allow hal_camera perfd_socket:sock_file w_file_perms;
+
 # access to /dev/input/event{5,10}
 allow hal_camera input_device:dir r_dir_perms;
 allow hal_camera input_device:chr_file r_file_perms;
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -4,6 +4,8 @@ type ims_exec, exec_type, file_type;
 init_daemon_domain(ims)
 net_domain(ims)

+set_prop(ims, ims_prop)
+
 allow ims sysfs_soc:dir search;
 allow ims sysfs_soc:file r_file_perms;

--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -22,7 +22,9 @@ allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow location self:netlink_socket create_socket_perms_no_ioctl;
 allow location self:socket create_socket_perms;
 allow location self:udp_socket create_socket_perms;
-allowxperm location self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
+allow location self:udp_socket create_socket_perms;
+allowxperm location self:udp_socket ioctl { SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
+allowxperm location self:socket ioctl msm_sock_ipc_ioctls;

 # files in /sys
 r_dir_file(location, sysfs_type)
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -19,8 +19,9 @@ allow netmgrd self:socket create_socket_perms;
 allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;

-allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_net:dir r_dir_perms;
+allow netmgrd sysfs_net:file rw_file_perms;
+allow netmgrd sysfs_soc:dir search;
 allow netmgrd sysfs_soc:file r_file_perms;
 allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
 allow netmgrd sysfs_msm_subsys:file r_file_perms;
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1,5 +1,7 @@
-type wc_prop, property_type;
 type camera_prop, property_type;
+type ims_prop, property_type;
+type keymaster_prop, property_type;
+type ramdump_prop, property_type;
 type ssr_prop, property_type;
 type tee_listener_prop, property_type;
-type keymaster_prop, property_type;
+type wc_prop, property_type;
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,6 +1,8 @@
-wc_transport.              u:object_r:wc_prop:s0
 persist.camera.            u:object_r:camera_prop:s0
-persist.net.doxlat         u:object_r:net_radio_prop:s0
-sys.listeners.registered   u:object_r:tee_listener_prop:s0
+sys.ims.                   u:object_r:ims_prop:s0
 sys.keymaster.loaded       u:object_r:keymaster_prop:s0
+persist.net.doxlat         u:object_r:net_radio_prop:s0
+debug.htc.hrdump           u:object_r:ramdump_prop:s0
 debug.ssrdump              u:object_r:ssr_prop:s0
+sys.listeners.registered   u:object_r:tee_listener_prop:s0
+wc_transport.              u:object_r:wc_prop:s0
--- a/sepolicy/radio.te
+++ b/sepolicy/radio.te
@@ -1 +1,3 @@
+get_prop(radio, ims_prop)
+
 r_dir_file(radio, sysfs_msm_subsys)
--- a/sepolicy/ramdump.te
+++ b/sepolicy/ramdump.te
@@ -4,6 +4,8 @@ userdebug_or_eng(`
  type ramdump, domain;
  init_daemon_domain(ramdump)

+  set_prop(ramdump, ramdump_prop)
+
  allow ramdump self:capability sys_rawio;

  allow ramdump sda_block_device:blk_file rw_file_perms;
--- a/sepolicy/rfs_access.te
+++ b/sepolicy/rfs_access.te
@@ -9,10 +9,10 @@ allow rfs_access self:capability { chown setgid setpcap setuid net_bind_service
 wakelock_use(rfs_access)

 # For tftp server file access
-allow rfs_access firmware_file:file r_file_perms;
 allow rfs_access firmware_file:dir search;
+allow rfs_access firmware_file:file r_file_perms;
+allow rfs_access persist_file:dir { rw_dir_perms setattr };
 allow rfs_access persist_file:file create_file_perms;
-allow rfs_access persist_file:dir rw_dir_perms;

 allow rfs_access self:socket create_socket_perms_no_ioctl;

--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -8,13 +8,13 @@ allow thermal-engine self:capability2 block_suspend;
 # to read /sys/devices
 allow thermal-engine sysfs:dir r_dir_perms;

-allow thermal-engine sysfs_msm_subsys:file r_file_perms;
+allow thermal-engine sysfs_msm_subsys:dir r_dir_perms;
 allow thermal-engine sysfs_msm_subsys:file rw_file_perms;
 allow thermal-engine sysfs_soc:dir search;
 allow thermal-engine sysfs_soc:file r_file_perms;
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
-
+allow thermal-engine sysfs_rmtfs:dir search;
 allow thermal-engine sysfs_rmtfs:file r_file_perms;

 allow thermal-engine audio_device:chr_file rw_file_perms;