Adding allow rules and contexts to handle the following denials

denied  { getattr } for  pid=580 comm="ueventd" name="sda20" dev="tmpfs"
ino=19514 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0
tclass=blk_file

denied  { write } for  pid=580 comm="ueventd" name="uevent" dev="sysfs"
ino=44062 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_bluetooth_writable:s0 tclass=file

denied { search } for pid=826 comm="time_daemon" name="msm_subsys"
dev="sysfs" ino=16858 scontext=u:r:time_daemon:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { write } for pid=2934 comm="Binder:1189_4" name="timerslack_ns"
dev="proc" ino=38677 scontext=u:r:system_server:s0
tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=file

denied { write } for pid=3936 comm="Binder:1189_C" name="timerslack_ns"
dev="proc" ino=85544 scontext=u:r:system_server:s0
tcontext=u:r:platform_app:s0:c512,c768 tclass=file

denied { write } for pid=1201 comm="Binder:1189_2" name="timerslack_ns"
dev="proc" ino=83223 scontext=u:r:system_server:s0
tcontext=u:r:system_app:s0 tclass=file

denied { write } for pid=1584 comm="Binder:1189_3" name="timerslack_ns"
dev="proc" ino=81248 scontext=u:r:system_server:s0
tcontext=u:r:audioserver:s0 tclass=file

denied { write } for pid=1201 comm="Binder:1189_2" name="timerslack_ns"
dev="proc" ino=38795 scontext=u:r:system_server:s0
tcontext=u:r:priv_app:s0:c512,c768 tclass=file

denied { write } for pid=1584 comm="Binder:1189_3" name="timerslack_ns"
dev="proc" ino=86229 scontext=u:r:system_server:s0
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=file

denied { write } for pid=4624 comm="Binder:1189_E" name="timerslack_ns"
dev="proc" ino=105556 scontext=u:r:system_server:s0
tcontext=u:r:radio:s0 tclass=file

denied { write } for pid=1201 comm="Binder:1189_2" name="timerslack_ns"
dev="proc" ino=26256 scontext=u:r:system_server:s0
tcontext=u:r:hal_audio_default:s0 tclass=file

denied { create } for pid=836 comm="perfd" name="default_values"
scontext=u:r:perfd:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

denied  { find } for service=qti.ims.ext pid=3750 uid=1001
scontext=u:r:radio:s0 tcontext=u:object_r:imscm_service:s0
tclass=service_manager

denied { lock } for comm="ip6tables" path="/system/etc/xtables.lock"
dev="sda22" ino=968 scontext=u:r:netmgrd:s0
tcontext=u:object_r:system_file:s0 tclass=file

denied { getattr } for comm="android.hardwar"
path="/sys/devices/soc/c17a000.i2c/i2c-6/6-005a/leds/vibrator/duration"
dev="sysfs" ino=46884 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { open } for comm="android.hardwar"
path="/sys/devices/soc/c17a000.i2c/i2c-6/6-005a/leds/vibrator/activate"
dev="sysfs" ino=46883 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { read } for comm="android.hardwar" name="vibrator" dev="sysfs"
ino=41304 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file

denied { search } for comm="android.hardwar" name="leds" dev="sysfs"
ino=27814 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=dir

denied  { add } for
service=com.fingerprints.extension.IFingerprintNavigation pid=884
uid=1000 scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:fingerprint_service:s0 tclass=service_manager

denied { open } for pid=9391 comm="cat"
path="/sys/devices/virtual/thermal/cooling_device0/type" dev="sysfs"
ino=44002 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file

denied { read } for pid=9391 comm="cat" name="type" dev="sysfs"
ino=44002 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file

denied { search } for pid=9391 comm="cat" name="thermal" dev="sysfs"
ino=28795 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir

denied { getattr } for pid=9381 comm="ls"
path="/sys/kernel/debug/ion/heaps/secure_heap" dev="debugfs" ino=10246
scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:debugfs:s0
tclass=file

denied { open } for pid=9381 comm="ls"
path="/sys/kernel/debug/ion/heaps" dev="debugfs" ino=9218
scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:debugfs:s0
tclass=dir

denied { read } for pid=9381 comm="ls" name="heaps" dev="debugfs"
ino=9218 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:debugfs:s0 tclass=dir

denied { search } for pid=5401 comm="surfaceflinger" name="clients"
dev="debugfs" ino=8429 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:debugfs_ion:s0 tclass=dir

denied { search } for pid=5294 comm="android.hardwar" name="clients"
dev="debugfs" ino=8429 scontext=u:r:hal_audio_default:s0
tcontext=u:object_r:debugfs_ion:s0 tclass=dir

denied { write } for comm="android.hardwar" name="activate" dev="sysfs"
ino=46883 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=file

denied { lock execute_no_trans } for comm="rild" path="/vendor/qcril.db"
dev="sda20" ino=1019 scontext=u:r:rild:s0
tcontext=u:object_r:vendor_file:s0 tclass=file

Bug: 34784662
Test: The above denials are no longer occurring

Change-Id: I7931a8c3ed8bdfb7190d6c5c14a11525dca5be3a
Max Bires
2017-04-05 18:34:18 -07:00
parent bfe6ab006c
commit 8bfe8965a2
12 changed files with 35 additions and 3 deletions


@@ -7,9 +7,10 @@ type sysfs_msm_subsys_restart, sysfs_type, fs_type;
type sysfs_net, sysfs_type, fs_type;
type sysfs_rmtfs, sysfs_type, fs_type;
type sysfs_soc, sysfs_type, fs_type;
type debugfs_rmt_storage, debugfs_type, fs_type;
type debugfs_ion, debugfs_type, fs_type;
type debugfs_kgsl, debugfs_type, fs_type;
type debugfs_rpm, debugfs_type, fs_type;
type debugfs_rmt_storage, debugfs_type, fs_type;
type smlog_dump_file, file_type, data_file_type;
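Review bot: `type debugfs_rmt_storage, debugfs_type, fs_type;` appears twice in this hunk, once after `sysfs_soc` and again after `debugfs_rpm`; if both lines are really on the new side, checkpolicy rejects the duplicate declaration and the second should be removed, though this may only be the page showing an old/new pair. The new `debugfs_ion` declaration itself is consistent with the `debugfs_ion` labels the commit adds in file_contexts and the policy rules that reference it.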


@@ -68,6 +68,7 @@
# files in sysfs
/sys/class/uio(/.*)? u:object_r:sysfs_uio:s0
/sys/class/devfreq(/.*)? u:object_r:sysfs_msm_subsys:s0
/sys/class/rfkill(/.*)? u:object_r:sysfs_bluetooth_writable:s0
/sys/devices/bt_wcn3990/rfkill(/.*)? u:object_r:sysfs_bluetooth_writable:s0
/sys/devices/bt_wcn3990/extldo u:object_r:sysfs_bluetooth_writable:s0
@@ -79,6 +80,7 @@
/sys/devices/soc/5c00000\.qcom,ssc(/.*)? u:object_r:sysfs_msm_subsys:s0
/sys/devices/soc/c900000\.qcom,mdss_rotator(/.*)? u:object_r:sysfs_msm_subsys:s0
/sys/devices/soc/c900000\.qcom,mdss_mdp/caps u:object_r:sysfs_mdss_mdp_caps:s0
/sys/devices/soc/c17a000\.i2c/i2c-6/6-005a/leds(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/soc/5000000\.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_msm_subsys:s0
@@ -105,6 +107,7 @@
# files in debugfs
/sys/kernel/debug/rpm_stats u:object_r:debugfs_rpm:s0
/sys/kernel/debug/rpm_master_stats u:object_r:debugfs_rpm:s0
/sys/kernel/debug/ion(/.*)? u:object_r:debugfs_ion:s0
# files in /system
/system/bin/init\.power\.sh u:object_r:init_power_exec:s0
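Review bot: The new `/sys/devices/soc/c17a000\.i2c/i2c-6/6-005a/leds(/.*)?` entry labels the vibrator's whole leds subtree `sysfs_leds`, the same type that already carries the display backlight (`mdss_fb_primary/leds`) and the pmi8998 LED nodes on the two lines below it, so any domain given write on `sysfs_leds` (the vibrator HAL in this commit) can also write those nodes. The denials only name `.../leds/vibrator/activate` and `.../leds/vibrator/duration`; labeling just `.../leds/vibrator(/.*)?` with a dedicated type would let the write grant be confined to the vibrator. If the shared label is kept on purpose, a comment on the entry saying the vibrator is exposed through the leds class and shares the type would save the next reader the question.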


@@ -3,5 +3,6 @@ genfscon proc /debugdriver/driverdump u:object_r:proc_wifi_dbg:s
genfscon sysfs /devices/soc/soc:qcom,cpubw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/soc/soc:qcom,mincpubw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /class/devfreq u:object_r:sysfs_msm_subsys:s0
genfscon debugfs /kgsl/proc u:object_r:debugfs_kgsl:s0
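Review bot: `genfscon sysfs /class/devfreq u:object_r:sysfs_msm_subsys:s0` and the file_contexts entry `/sys/class/devfreq(/.*)? u:object_r:sysfs_msm_subsys:s0` added in the same commit label the same path by two mechanisms; the genfscon label applies when sysfs is mounted while the file_contexts entry only takes effect on a later restorecon, so keep one (genfscon is the usual choice for sysfs) and drop the other so they cannot drift apart. If the `debugfs /kgsl/proc` line is the new one instead, note that no kgsl denial is listed in the commit message, so a one-line comment naming which denial it serves would help.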


@@ -31,6 +31,12 @@ r_dir_file(hal_dumpstate_impl, sysfs_uio)
r_dir_file(hal_dumpstate_impl, sysfs_rmtfs)
r_dir_file(hal_dumpstate_impl, sysfs_msm_subsys)
allow hal_dumpstate_impl sysfs_thermal:dir search;
allow hal_dumpstate_impl sysfs_thermal:file r_file_perms;
allow hal_dumpstate_impl debugfs_ion:dir r_dir_perms;
allow hal_dumpstate_impl debugfs_ion:file r_file_perms;
# Access to files for dumping
allow hal_dumpstate_impl sysfs:dir r_dir_perms;
# rpm stat
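Review bot: The two `sysfs_thermal` lines grant `dir search` and `file r_file_perms` by hand while the neighbouring rules use the `r_dir_file(hal_dumpstate_impl, ...)` macro; unless the narrower `search` instead of `r_dir_perms` is deliberate, `r_dir_file(hal_dumpstate_impl, sysfs_thermal)` is the consistent form. The `debugfs_ion` read grant lets the dumpstate HAL pull ION heap and client listings out of debugfs into bugreports, which is what the `ls /sys/kernel/debug/ion/heaps` denials show; a comment such as `# ION heap/client state for bugreports` on those two lines would record why debugfs is being read, and it is worth confirming the output is actually consumed rather than merely probed.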


@@ -0,0 +1,2 @@
r_dir_file(hal_vibrator_default, sysfs_leds)
allow hal_vibrator_default sysfs_leds:file w_file_perms;
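Review bot: `allow hal_vibrator_default sysfs_leds:file w_file_perms;` grants write (plus append and lock) on every file labeled `sysfs_leds`, which in this tree also covers the display backlight and pmi8998 LED nodes, while the denials only show the HAL writing `.../leds/vibrator/activate` and reading `duration`. If the vibrator node is given its own label, this line can be restricted to that type; otherwise a comment stating that the HAL drives the vibrator through the leds class interface would at least explain the wider grant. The `r_dir_file` line covers the `search`, `read` and `getattr` denials and is fine as written.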


@@ -26,6 +26,8 @@ allow netmgrd sysfs_soc:file r_file_perms;
allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
allow netmgrd sysfs_msm_subsys:file r_file_perms;
allow netmgrd system_file:file lock;
r_dir_file(netmgrd, sysfs_msm_subsys)
wakelock_use(netmgrd)
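Review bot: `allow netmgrd system_file:file lock;` covers every file under /system, not just the `/system/etc/xtables.lock` from the denial; lock is low risk, but the line needs a comment such as `# ip6tables, run in netmgrd's domain, takes an advisory lock on /system/etc/xtables.lock` so a reader knows why a network daemon locks files on the system partition. The denial also shows `ip6tables` executing with no domain transition out of netmgrd, which is worth a look if that binary is meant to be confined separately. `r_dir_file(netmgrd, sysfs_msm_subsys)` duplicates the explicit `sysfs_msm_subsys:dir r_dir_perms` and `:file r_file_perms` rules two lines above it; whichever pair is the new one, keep only one form.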


@@ -3,7 +3,7 @@ get_prop(radio, ims_prop)
allow radio qmuxd_socket:dir search;
allow radio qmuxd_socket:sock_file write;
allow radio radio_service:service_manager add;
allow radio imscm_service:service_manager add;
add_service(radio, radio_service)
add_service(radio, imscm_service)
r_dir_file(radio, sysfs_msm_subsys)
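Review bot: The explicit `allow radio radio_service:service_manager add;` and `allow radio imscm_service:service_manager add;` lines are redundant with `add_service(radio, radio_service)` and `add_service(radio, imscm_service)`, which already grant `add` together with the `find` the denial asks for; whichever explicit line survives on the new side can be dropped. Note that in AOSP's te_macros `add_service` also emits a neverallow preventing any other domain from registering the service, so this only builds if radio is the sole publisher of `imscm_service`; the denial's uid 1001 is consistent with that, but confirm no separate IMS daemon registers `qti.ims.ext` as well.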


@@ -9,6 +9,8 @@ allow rild qmuxd_socket:sock_file create;
unix_socket_connect(rild, netmgrd, netmgrd)
allow rild vendor_file:file { execute_no_trans lock };
allow rild per_mgr_service:service_manager find;
allow rild audioserver_service:service_manager find;
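Review bot: `allow rild vendor_file:file { execute_no_trans lock };` lets rild execute any file labeled `vendor_file` in its own domain, far beyond the `/vendor/qcril.db` the denial names, and `execute_no_trans` on a database file is surprising in itself since a data file should need `lock`, not exec. Before granting it, find out why the open of qcril.db requests exec (an executable mapping of the file, or a mislabeled binary, would each call for a different fix); if it is a real requirement, give `/vendor/qcril.db` a dedicated file type in file_contexts and scope both permissions to that type instead of to all of `vendor_file`. At minimum the line needs a comment naming qcril.db as the reason.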


@@ -1 +1,2 @@
dontaudit surfaceflinger firmware_file:dir search;
allow surfaceflinger debugfs_ion:dir search;
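Review bot: `allow surfaceflinger debugfs_ion:dir search;` grants only the `search` that was denied, so if surfaceflinger goes on to read the `clients` directory or files under it those accesses will be denied and logged next; if this is a debugging probe it can live without, `dontaudit surfaceflinger debugfs_ion:dir search;` (matching the `firmware_file` line above) is the better fix than allowing debugfs traversal. The commit message lists the same `debugfs_ion:dir search` denial for `hal_audio_default`, but no hunk shown here touches that domain, so either it was fixed elsewhere or the "no longer occurring" claim should be rechecked.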


@@ -18,3 +18,14 @@ allow system_server persist_sensors_file:file r_file_perms;
allow system_server location_data_file:dir create_dir_perms;
allow system_server location_data_file:file create_file_perms;
allow system_server wlan_device:chr_file rw_file_perms;
# TODO(b/30675296): Remove following dontaudit's upon resolution of this bug
# The timerslack_ns denials spam the system really horribly
dontaudit system_server untrusted_app_25:file write;
dontaudit system_server platform_app:file write;
dontaudit system_server system_app:file write;
dontaudit system_server audioserver:file write;
dontaudit system_server priv_app:file write;
dontaudit system_server untrusted_app:file write;
dontaudit system_server radio:file write;
dontaudit system_server hal_audio_default:file write;
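Review bot: These `dontaudit system_server <domain>:file write` rules are keyed on the process domain because /proc/PID files carry the task's label, so they silence every attempted write by system_server to any /proc/<pid>/ file of those processes, not just `timerslack_ns`, and the writes themselves still fail, meaning timer slack is silently not applied. The list is also hand-enumerated and will drift; the denials resurface for any domain not named here. If the access is wanted, an `allow` on the needed domains with a comment is the real fix; if only the noise is the problem, using `appdomain` for the app entries keeps the list stable, and the TODO should say these rules hide writes beyond timerslack_ns.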


@@ -11,6 +11,7 @@ r_dir_file(time_daemon, sysfs_msm_subsys)
allow time_daemon sysfs_soc:dir search;
allow time_daemon sysfs_soc:file r_file_perms;
allow time_daemon sysfs_msm_subsys:dir search;
allow time_daemon self:socket create_socket_perms;
allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
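Review bot: `allow time_daemon sysfs_msm_subsys:dir search;` is already covered by `r_dir_file(time_daemon, sysfs_msm_subsys)` in the hunk's context line, which grants `r_dir_perms` (including `search`) on that type; if the macro line was already present, the added rule is redundant and the `msm_subsys` denial presumably came from a path that was not yet labeled `sysfs_msm_subsys` when it was captured, which the commit's new devfreq labels may be what fixes. Drop the redundant line, or, if the macro is the new line, drop the explicit one.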


@@ -6,3 +6,5 @@ allow ueventd sysfs_rmtfs:file w_file_perms;
allow ueventd sysfs_soc:file w_file_perms;
allow ueventd sysfs_net:file w_file_perms;
allow ueventd sysfs_msm_subsys:file w_file_perms;
allow ueventd sysfs_bluetooth_writable:file w_file_perms;
allow ueventd tmpfs:blk_file getattr;
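Review bot: `allow ueventd tmpfs:blk_file getattr;` papers over a labeling gap rather than fixing it: the denial is a stat of a block node named `sda20` that still carries the generic `tmpfs` label, which means ueventd created it at a path no file_contexts entry covers (block nodes under /dev/block normally get `block_device`). Finding that path and adding a context entry for it removes the denial without teaching ueventd to touch unlabeled block devices; if the rule is kept for now, add `# TODO: find and label the tmpfs-labeled sda20 block node` beside it. The `sysfs_bluetooth_writable` grant matches the `uevent` write denial and is consistent with the other `w_file_perms` lines.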