Fixing the following denials in order to prep ims for enforcing

If there is no security issue with having ims write to ims_socket, then I am fine with granting the permission in order to hurry up the enforcing status of this domain. denied { read } for pid=888 comm="imsdatadaemon" name="timestamp_switch" dev="sysfs" ino=27246 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { open } for pid=888 comm="imsdatadaemon" path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs" ino=27246 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { read } for pid=1326 comm="imsrcsd" name="timestamp_switch" dev="sysfs" ino=27246 scontext=u:r:hal_rcsservice:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { write } for pid=1077 comm="ims_rtp_daemon" name="ims_datad" dev="tmpfs" ino=27069 scontext=u:r:ims:s0 tcontext=u:object_r:ims_socket:s0 tclass=sock_file Bug: 34784662 Test: These denials no longer appear Change-Id: I95d8b62d73fae35fca5e292e6927c4663db76e6f
2026-02-01 07:50:47 +00:00 · 2017-05-21 18:28:48 -07:00
parent 55217df527
commit b387500a64
4 changed files with 6 additions and 0 deletions
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -9,6 +9,7 @@ type sysfs_msm_subsys_restart, sysfs_type, fs_type;
 type sysfs_net, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
+type sysfs_timestamp_switch, sysfs_type, fs_type;
 type sysfs_usb_c, sysfs_type, fs_type;

 type debugfs_clk, debugfs_type, fs_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -145,6 +145,7 @@
 /sys/kernel/debug/rmt_storage(/.*)?                                 u:object_r:debugfs_rmt_storage:s0
 /sys/module/msm_thermal(/.*)?                                       u:object_r:sysfs_thermal:s0
 /sys/module/tcp_cubic/parameters(/.*)?                              u:object_r:sysfs_net:s0
+/sys/module/diagchar/parameters/timestamp_switch                    u:object_r:sysfs_timestamp_switch:s0
 /sys/devices/virtual/graphics/fb([0-2])+(/.*)?                      u:object_r:sysfs_graphics:s0
 /sys/devices/virtual/net(/.*)?                                      u:object_r:sysfs_net:s0
 /sys/devices/soc/8c0000\.qcom,msm-cam(/.*)?                         u:object_r:sysfs_camera:s0
--- a/sepolicy/hal_rcsservice.te
+++ b/sepolicy/hal_rcsservice.te
@@ -16,6 +16,8 @@ get_prop(hal_rcsservice, hwservicemanager_prop)
 # allow hal to read sysfs file
 r_dir_file(hal_rcsservice, sysfs_msm_subsys)

+allow hal_rcsservice sysfs_timestamp_switch:file r_file_perms;
+
 unix_socket_connect(hal_rcsservice, ims, ims)

 # imsrcsd to bind with UceShimService.apk
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -10,6 +10,7 @@ unix_socket_connect(ims, netmgrd, netmgrd)

 allow ims sysfs_soc:dir search;
 allow ims sysfs_soc:file r_file_perms;
+allow ims sysfs_timestamp_switch:file r_file_perms;

 # TODO(b/38228603): Remove net_raw upon resolution of this bug
 allow ims self:capability { net_raw net_bind_service};
@@ -19,6 +20,7 @@ allow ims ion_device:chr_file r_file_perms;
 unix_socket_connect(ims, cnd, cnd)

 allow ims self:socket create_socket_perms;
+allow ims ims_socket:sock_file write;
 allow ims self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow ims netmgrd_socket:dir search;
 allow ims netmgrd_socket:sock_file w_file_perms;