Adding contexts and rules to address denials.

These changes address the following denials: denied { read } for pid=560 comm="e2fsck" name="sda43" dev="tmpfs" ino=22736 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file denied { open } for pid=560 comm="e2fsck" path="/dev/block/sda43" dev="tmpfs" ino=22736 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file denied { write } for pid=560 comm="e2fsck" name="sda43" dev="tmpfs" ino=22736 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file denied { read } for pid=666 comm="sensors.qcom" name="name" dev="sysfs" ino=33510 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { open } for pid=666 comm="sensors.qcom" path="/sys/devices/soc/1d0101c.qcom,spss/subsys2/name" dev="sysfs" ino=33510 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { net_raw } for pid=666 comm="sensors.qcom" capability=13 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability denied { read write } for pid=678 comm="sensors.qcom" name="sns.reg" dev="sdd3" ino=33 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file denied { search } for pid=794 comm="thermal-engine" name="msm_subsys" dev="sysfs" ino=16320 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=794 comm="thermal-engine" name="devices" dev="sysfs" ino=16322 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { open } for pid=794 comm="thermal-engine" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16322 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir denied { read } for pid=794 comm="thermal-engine" name="subsys0" dev="sysfs" ino=33422 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { read } for pid=794 comm="thermal-engine" name="name" dev="sysfs" ino=33416 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { open } for pid=794 comm="thermal-engine" path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name" dev="sysfs" ino=33416 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { open } for pid=794 comm="thermal-engine" path="/sys/devices" dev="sysfs" ino=4 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=dir denied { read } for pid=794 comm="thermal-engine" name="devices" dev="sysfs" ino=4 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs:s0 tclass=dir Bug: 34784662 Test: These denials are no longer present Change-Id: I68665950fe7c2b25c11acb36b32a147049fa76e5
2026-01-30 05:29:39 +00:00 · 2017-03-14 13:25:53 -07:00
parent 59e8126215
commit ab5b59745d
6 changed files with 31 additions and 21 deletions
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,17 +1,18 @@
-type diag_device, dev_type, mlstrustedobject;
-type smd_device, dev_type;
-type ipa_dev, dev_type;
-type rmnet_device, dev_type;
 type at_device, dev_type;
-type qsee_ipc_irq_spss_device, dev_type;
-type seemplog_device, dev_type;
-type spcom_device, dev_type;
-type qdsp_device, dev_type, mlstrustedobject;
-type dsp_device, dev_type;
 type avtimer_device, dev_type;
-type ssr_device, dev_type;
-type ramdump_device, dev_type;
+type diag_device, dev_type, mlstrustedobject;
+type dsp_device, dev_type;
 type hbtp_device, dev_type;
-type sg_device, dev_type;
+type ipa_dev, dev_type;
+type qsee_ipc_irq_spss_device, dev_type;
+type qdsp_device, dev_type, mlstrustedobject;
+type ramdump_device, dev_type;
+type rmnet_device, dev_type;
+type sda_block_device, dev_type;
 type sdd_block_device, dev_type;
 type sdf_block_device, dev_type;
+type seemplog_device, dev_type;
+type sg_device, dev_type;
+type smd_device, dev_type;
+type spcom_device, dev_type;
+type ssr_device, dev_type;
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,12 +1,11 @@
-type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
-type sysfs_soc, sysfs_type, fs_type;
-type sysfs_rmtfs, sysfs_type, fs_type;
-type sysfs_net, sysfs_type, fs_type;
 type sysfs_fingerprint, sysfs_type, fs_type;
+type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_msm_subsys, sysfs_type, fs_type;
 type sysfs_msm_subsys_restart, sysfs_type, fs_type;
-
+type sysfs_net, sysfs_type, fs_type;
+type sysfs_rmtfs, sysfs_type, fs_type;
+type sysfs_soc, sysfs_type, fs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;

 type qmuxd_socket, file_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -48,11 +48,13 @@
 # dev block nodes
 /dev/block/sdd[0-9]+                            u:object_r:sdd_block_device:s0
 /dev/block/sdf[0-9]+                            u:object_r:sdf_block_device:s0
+/dev/block/sda[0-9]+                            u:object_r:sda_block_device:s0

 # files in sysfs
 /sys/class/uio(/.*)?                                                u:object_r:sysfs_uio:s0
-/sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/1d0101c\.qcom,spss(/.*)?                           u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)?                     u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/cce0000\.qcom,venus(/.*)?                          u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)?                      u:object_r:sysfs_rmtfs:s0
--- a/sepolicy/fsck.te
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck sda_block_device:blk_file rw_file_perms;
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -6,6 +6,8 @@ init_daemon_domain(sensors)

 allow sensors self:socket rw_socket_perms_no_ioctl;

+allow sensors persist_sensors_file:file rw_file_perms;
+
 r_dir_file(sensors, sysfs_msm_subsys)

 userdebug_or_eng(`
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -5,11 +5,16 @@ init_daemon_domain(thermal-engine)

 allow thermal-engine self:capability2 block_suspend;

+# to read /sys/devices
+allow thermal-engine sysfs:dir r_dir_perms;
+
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
+
 allow thermal-engine sysfs_rmtfs:file r_file_perms;
-allow thermal-engine sysfs_uio:lnk_file r_file_perms;
-allow thermal-engine sysfs_uio:dir r_dir_perms;
+
+r_dir_file(thermal-engine, sysfs_uio)
+r_dir_file(thermal-engine, sysfs_msm_subsys)

 allow thermal-engine self:socket create_socket_perms;
 allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
				`@@ -0,0 +1 @@`
				`allow fsck sda_block_device:blk_file rw_file_perms;`