From b387500a64c3e89f18d75e3c9a4e47741cef2eda Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Sun, 21 May 2017 18:28:48 -0700
Subject: [PATCH] Fixing the following denials in order to prep ims for enforcing

If there is no security issue with having ims write to ims_socket, then I am fine with granting the permission in order to hurry up the enforcing status of this domain.

denied { read } for pid=888 comm="imsdatadaemon" name="timestamp_switch" dev="sysfs" ino=27246 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { open } for pid=888 comm="imsdatadaemon" path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs" ino=27246 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { read } for pid=1326 comm="imsrcsd" name="timestamp_switch" dev="sysfs" ino=27246 scontext=u:r:hal_rcsservice:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { write } for pid=1077 comm="ims_rtp_daemon" name="ims_datad" dev="tmpfs" ino=27069 scontext=u:r:ims:s0 tcontext=u:object_r:ims_socket:s0 tclass=sock_file

Bug: 34784662
Test: These denials no longer appear
Change-Id: I95d8b62d73fae35fca5e292e6927c4663db76e6f
---
 sepolicy/file.te | 1 +
 sepolicy/file_contexts | 1 +
 sepolicy/hal_rcsservice.te | 2 ++
 sepolicy/ims.te | 2 ++
 4 files changed, 6 insertions(+)

diff --git a/sepolicy/file.te b/sepolicy/file.te
index 47862b43..9345ce8f 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -9,6 +9,7 @@ type sysfs_msm_subsys_restart, sysfs_type, fs_type;
 type sysfs_net, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
+type sysfs_timestamp_switch, sysfs_type, fs_type;
 type sysfs_usb_c, sysfs_type, fs_type;
 
 type debugfs_clk, debugfs_type, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 516bc026..8ee87542 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -145,6 +145,7 @@
 /sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
 /sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
 /sys/module/tcp_cubic/parameters(/.*)? u:object_r:sysfs_net:s0
+/sys/module/diagchar/parameters/timestamp_switch u:object_r:sysfs_timestamp_switch:s0
 /sys/devices/virtual/graphics/fb([0-2])+(/.*)? u:object_r:sysfs_graphics:s0
 /sys/devices/virtual/net(/.*)? u:object_r:sysfs_net:s0
 /sys/devices/soc/8c0000\.qcom,msm-cam(/.*)? u:object_r:sysfs_camera:s0
diff --git a/sepolicy/hal_rcsservice.te b/sepolicy/hal_rcsservice.te
index 75dd4147..6452eb42 100644
--- a/sepolicy/hal_rcsservice.te
+++ b/sepolicy/hal_rcsservice.te
@@ -16,6 +16,8 @@ get_prop(hal_rcsservice, hwservicemanager_prop)
 
 # allow hal to read sysfs file
 r_dir_file(hal_rcsservice, sysfs_msm_subsys)
+allow hal_rcsservice sysfs_timestamp_switch:file r_file_perms;
+
 unix_socket_connect(hal_rcsservice, ims, ims)
 
 # imsrcsd to bind with UceShimService.apk
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index c665de05..8a82cf5b 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -10,6 +10,7 @@ unix_socket_connect(ims, netmgrd, netmgrd)
 
 allow ims sysfs_soc:dir search;
 allow ims sysfs_soc:file r_file_perms;
+allow ims sysfs_timestamp_switch:file r_file_perms;
 
 # TODO(b/38228603): Remove net_raw upon resolution of this bug
 allow ims self:capability { net_raw net_bind_service};
@@ -19,6 +20,7 @@ allow ims ion_device:chr_file r_file_perms;
 
 unix_socket_connect(ims, cnd, cnd)
 allow ims self:socket create_socket_perms;
+allow ims ims_socket:sock_file write;
 allow ims self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow ims netmgrd_socket:dir search;
 allow ims netmgrd_socket:sock_file w_file_perms;
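Review bot: The new `/sys/module/diagchar/parameters/timestamp_switch` entry in file_contexts only changes the label if something relabels that sysfs path at boot; the kernel creates the node with the generic `sysfs` label shown in the denials, so a file_contexts line is inert unless an init restorecon covers that path (the neighbouring `/sys/module/...` entries suggest this device already relabels sysfs that way, and the Test line implies it worked, but the patch does not show the restorecon). A one-line comment above the entry naming the init script that applies it would spare the next reader the search, e.g. `# relabelled at boot by the restorecon in <init rc file>`. Using the exact file path rather than a `(/.*)?` pattern is the right scope here, since only the single parameter file needs the dedicated type.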
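Review bot: The added `allow ims ims_socket:sock_file write;` spells out by hand what the file's neighbouring rules (and `unix_socket_connect(hal_rcsservice, ims, ims)` in hal_rcsservice.te) express through the `unix_socket_connect` macro; writing it as `unix_socket_connect(ims, ims, ims)` would be consistent and would also carry the macro's `connectto` half, which is presumably already granted on self by the base domain rules and is why the bare write alone clears the denial. On the question in the description: the denial shows `ims_rtp_daemon` in domain `ims` writing to a sock_file labelled `ims_socket`, and `imsdatadaemon` runs in the same `ims` domain, so this grant lets ims processes reach a socket their own domain owns and crosses no new domain boundary. A short comment above the rule, such as `# ims_rtp_daemon connects to the ims_datad socket; both run in the ims domain`, would record why the self-connect is needed.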