Adding allows to handle the following denials

denied { write } for pid=10249 comm="secdiscard" name="sda45" dev="tmpfs" ino=19911 scontext=u:r:vold:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file denied { create read } for pid=9183 comm="time_daemon" name="ats_2" scontext=u:r:time_daemon:s0 tcontext=u:object_r:system_data_file:s0 tclass=file denied { read write open } for pid=9183 comm="time_daemon" name="ats_2" dev="sdd3" ino=33 scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_file:s0 tclass=file denied { write add_name } for pid=9183 comm="time_daemon" name="time" dev="sda45" ino=851969 scontext=u:r:time_daemon:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir denied { write } for pid=5959 comm="Binder:1415_9" name="timerslack_ns" dev="proc" ino=138483 scontext=u:r:system_server:s0 tcontext=u:r:isolated_app:s0:c512,c768 tclass=file denied { write } for pid=5365 comm="Binder:1415_8" name="timerslack_ns" dev="proc" ino=123305 scontext=u:r:system_server:s0 tcontext=u:r:logger_app:s0:c112,c256,c512,c768 tclass=file denied { connectto } for pid=9161 comm="omm.timeservice" path=0074696D655F67656E6F6666 scontext=u:r:system_app:s0 tcontext=u:r:time_daemon:s0 tclass=unix_stream_socket denied { read } for pid=5123 comm="m.android.phone" name="vendor" dev="sda22" ino=2749 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_file:s0 tclass=lnk_file denied { getattr read open } for pid=5123 comm="m.android.phone" path="/vendor/framework/qti-vzw-ims-internal.jar" dev="sda20" ino=385 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=file denied { write } for pid=888 comm="perfd" name="default_pwrlevel" dev="sysfs" ino=33408 scontext=u:r:perfd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file denied { read open } for pid=360 comm="kworker/u16:6" name="synaptics_0.img" dev="sda20" ino=360 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_file:s0 tclass=file denied { read } for pid=589 comm="init.power.sh" name="soc:qcom,cpubw" dev="sysfs" ino=44524 scontext=u:r:init_power:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file denied { open read } for pid=668 comm="init.power.sh" path="/sys/class/devfreq" dev="sysfs" ino=28440 scontext=u:r:init_power:s0 tcontext=u:object_r:sysfs:s0 tclass=dir denied { write open } for pid=760 comm="android.hardwar" name="wlan" dev="tmpfs" ino=20256 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file denied { open getattr write } for comm="android.hardwar" path="/sys/devices/soc/c17a000.i2c/i2c-6/6-005a/rtp_input" dev="sysfs" ino=41310 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { ioctl } for pid=880 comm="android.hardwar" path="/dev/uinput" dev="tmpfs" ino=20584 ioctlcmd=5564 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:uhid_device:s0 tclass=chr_file Bug: 34784662 Test: The above denials are no longer present Change-Id: Id259bdcbf4cf7a93b8c98b8a06addb99385d7588
2026-02-01 03:40:35 +00:00 · 2017-04-07 12:24:41 -07:00
parent 1602c1cf13
commit bc99e5b908
9 changed files with 20 additions and 8 deletions
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -107,6 +107,7 @@
 /sys/devices/bt_wcn3990/rfkill(/.*)?                                u:object_r:sysfs_bluetooth_writable:s0
 /sys/devices/bt_wcn3990/extldo                                      u:object_r:sysfs_bluetooth_writable:s0
 /sys/devices/soc/a1800000\.qcom,rmtfs_rtel_sharedmem(/.*)?          u:object_r:sysfs_rmtfs:s0
+/sys/devices/soc/c17a000\.i2c(/.*)?                                 u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/800f000\.qcom,spmi(/.*)?                           u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/4080000\.qcom,mss(/.*)?                            u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/17300000\.qcom,lpass(/.*)?                         u:object_r:sysfs_msm_subsys:s0
--- a/sepolicy/hal_fingerprint.te
+++ b/sepolicy/hal_fingerprint.te
@@ -7,4 +7,4 @@ allow hal_fingerprint sysfs_msm_subsys:dir search;
 allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;
 allow hal_fingerprint tee_device:file rw_file_perms;
 allow hal_fingerprint tee_device:chr_file rw_file_perms;
-allow hal_fingerprint uhid_device:chr_file w_file_perms;
+allow hal_fingerprint uhid_device:chr_file rw_file_perms;
--- a/sepolicy/hal_vibrator_default.te
+++ b/sepolicy/hal_vibrator_default.te
@@ -1,2 +1,3 @@
 r_dir_file(hal_vibrator_default, sysfs_leds)
 allow hal_vibrator_default sysfs_leds:file w_file_perms;
+allow hal_vibrator_default sysfs_msm_subsys:file rw_file_perms;
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
@@ -6,5 +6,7 @@ allow hal_wifi_default location_data_file:sock_file write;
 allow hal_wifi_default location_data_file:dir create_dir_perms;
 allow hal_wifi_default location_data_file:{ file fifo_file } create_file_perms;

+allow hal_wifi_default wlan_device:chr_file w_file_perms;
+
 # Allow wifi hal to read debug info from the driver.
 r_dir_file(hal_wifi_default, proc_wifi_dbg)
--- a/sepolicy/init_power.te
+++ b/sepolicy/init_power.te
@@ -8,8 +8,9 @@ set_prop(init_power, post_boot_prop)
 allow init_power shell_exec:file rx_file_perms;
 allow init_power toolbox_exec:file rx_file_perms;

-allow init_power sysfs_msm_subsys:dir r_dir_perms;
-allow init_power sysfs_msm_subsys:file w_file_perms;
+r_dir_file(init_power, sysfs_msm_subsys)
+
+allow init_power sysfs_msm_subsys:file write;
 allow init_power sysfs_thermal:dir search;
 allow init_power sysfs_thermal:file w_file_perms;
 allow init_power sysfs_devices_system_cpu:file w_file_perms;
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te
@@ -18,6 +18,7 @@ allow perfd post_boot_prop:file r_file_perms;
 allow perfd proc:file rw_file_perms;
 allow perfd sysfs_soc:dir search;
 allow perfd sysfs_soc:file r_file_perms;
+allow perfd sysfs_msm_subsys:file w_file_perms;

 allow perfd perfd_socket:sock_file write;

--- a/sepolicy/radio.te
+++ b/sepolicy/radio.te
@@ -3,7 +3,14 @@ get_prop(radio, ims_prop)
 allow radio qmuxd_socket:dir search;
 allow radio qmuxd_socket:sock_file write;

+allow radio vendor_file:lnk_file r_file_perms;
+allow radio vendor_framework_file:file r_file_perms;
+
 add_service(radio, radio_service)
+
+# TODO(b/37212952): Remove this once imscm_service switches over to using
+# vendorservicemanager
 add_service(radio, imscm_service)
+auditallow radio imscm_service:service_manager { add find };

 r_dir_file(radio, sysfs_msm_subsys)
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -21,11 +21,7 @@ allow system_server wlan_device:chr_file rw_file_perms;

 # TODO(b/30675296): Remove following dontaudit's upon resolution of this bug
 # The timerslack_ns denials spam the system really horribly
-dontaudit system_server untrusted_app_25:file write;
-dontaudit system_server platform_app:file write;
-dontaudit system_server system_app:file write;
 dontaudit system_server audioserver:file write;
-dontaudit system_server priv_app:file write;
 dontaudit system_server untrusted_app:file write;
-dontaudit system_server radio:file write;
 dontaudit system_server hal_audio_default:file write;
+dontaudit system_server appdomain:file write;
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@@ -13,5 +13,8 @@ allow time_daemon sysfs_soc:dir search;
 allow time_daemon sysfs_soc:file r_file_perms;
 allow time_daemon sysfs_msm_subsys:dir search;

+allow time_daemon persist_file:dir w_dir_perms;
+allow time_daemon persist_file:file rw_file_perms;
+
 allow time_daemon self:socket create_socket_perms;
 allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;