From cd761300c1cc67cb2be3e001b95317e8a865c5fe Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Thu, 12 Apr 2018 17:06:49 -0700
Subject: [PATCH] Allow some denials we have seen.

This addresses the following denials:
avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { module_request } for comm="allocator@2.0-s" kmod="crypto-heh(aes)" scontext=u:r:hal_graphics_allocator_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { module_request } for comm="android.hardwar" kmod="crypto-hmac(sha256)" scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { sigkill } for comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netutils_wrapper:s0 tclass=process permissive=0
avc: denied { sys_module } for comm="android.fg" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=0
avc: denied { search } for comm="cnss-daemon" name="net" dev="sysfs" scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
Test: Build.
Change-Id: I7e201147271a32ea8420406af221aa7678374d78
---
 sepolicy/vendor/dnsmasq.te | 1 +
 sepolicy/vendor/hal_graphics_allocator_default.te | 1 +
 sepolicy/vendor/hal_graphics_composer_default.te | 2 ++
 sepolicy/vendor/netmgrd.te | 1 +
 sepolicy/vendor/system_server.te | 2 ++
 sepolicy/vendor/wcnss_service.te | 2 ++
 6 files changed, 9 insertions(+)
 create mode 100644 sepolicy/vendor/dnsmasq.te
 create mode 100644 sepolicy/vendor/hal_graphics_allocator_default.te
diff --git a/sepolicy/vendor/dnsmasq.te b/sepolicy/vendor/dnsmasq.te
new file mode 100644
index 00000000..35f58fb6
--- /dev/null
+++ b/sepolicy/vendor/dnsmasq.te
@@ -0,0 +1 @@
+dontaudit dnsmasq kernel:system module_request;
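Review bot: The new `dontaudit dnsmasq kernel:system module_request;` carries no comment saying which kernel-module autoload it silences, and the same applies to the identical rules added for hal_graphics_allocator_default and hal_graphics_composer_default later in this patch. Suppressing the audit rather than granting module_request is the safer choice, but a dontaudit also hides any future request from the same domain for a different module, so a reader needs to know what was observed when the rule was written. The commit message records the kmod names (`netdev-bt-pan`, `crypto-heh(aes)`, `crypto-hmac(sha256)`); a comment in the style wcnss_service.te already uses, e.g. `# dnsmasq triggers a module_request for kmod="netdev-bt-pan"; the patch treats it as not needed, so silence without granting`, would preserve that. The same one-line comment, with its own kmod, fits the allocator and composer rules.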
diff --git a/sepolicy/vendor/hal_graphics_allocator_default.te b/sepolicy/vendor/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..102fe8b3
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_allocator_default.te
@@ -0,0 +1 @@
+dontaudit hal_graphics_allocator_default kernel:system module_request;
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index d9cb26aa..42aa3935 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -34,3 +34,5 @@ userdebug_or_eng(`
 allow hal_graphics_composer_default diag_device:chr_file rw_file_perms;
 ')
 dontaudit hal_graphics_composer_default diag_device:chr_file rw_file_perms;
+
+dontaudit hal_graphics_composer_default kernel:system module_request;
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
index 32fc7ec0..c2454527 100644
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -35,6 +35,7 @@ wakelock_use(netmgrd)
 #Allow netutils usage
 domain_auto_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
+allow netmgrd netutils_wrapper:process sigkill;
 #Allow diag logging
 allow netmgrd sysfs_timestamp_switch:file { read open };
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index d8a99b71..8e38725d 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -24,3 +24,5 @@ dontaudit system_server hal_audio_default:file write;
 dontaudit system_server appdomain:file write;
 set_prop(system_server, public_vendor_system_prop)
+
+dontaudit system_server self:capability sys_module;
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
index db2d1292..a6f143c2 100644
--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
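Review bot: `allow netmgrd netutils_wrapper:process sigkill;` is the one rule in this patch that grants access rather than suppressing audit, and nothing on the line explains why netmgrd must SIGKILL the netutils_wrapper processes it transitions into on the `domain_auto_trans` line above. The neighbouring rules each carry a `#Allow ...` comment; the added line should too, e.g. `#Allow netmgrd to kill the netutils_wrapper children it spawns (observed sigkill denial)`. Granting only `sigkill` rather than the broader `signal` permission keeps the scope narrow, which is good; it is still worth confirming with the netmgrd owners that the kill comes from an intended cleanup path, since a dontaudit would have been the alternative if it were not needed. netmgrd.te continues on both sides of this hunk.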
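Review bot: `dontaudit system_server self:capability sys_module;` silences a core privileged domain tripping a CAP_SYS_MODULE check without recording what triggered it; the commit message gives only the thread name comm="android.fg". Because this dontaudit would also hide a genuine later attempt from system_server to load a module, the rule deserves a why-comment naming the observed cause, in the style of the `# request_firmware ...` comment in wcnss_service.te, e.g. `# android.fg thread in system_server trips a CAP_SYS_MODULE check; module loading is not required here, so silence without granting`. If the originating call can be identified (presumably a library probing for a feature, which I cannot confirm from the diff), naming it in the comment would let a future maintainer drop the rule once that code path goes away.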
@@ -40,3 +40,5 @@ allow wcnss_service sysfs_soc:file r_file_perms;
 # request_firmware causes a denial for /firmware. It can be safely ignored
 dontaudit wcnss_service firmware_file:dir search;
+
+r_dir_file(wcnss_service, sysfs_net)
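Review bot: `r_dir_file(wcnss_service, sysfs_net)` grants read access to sysfs_net directories and files, while the denial quoted in the commit message is only `search` on the `net` dir by cnss-daemon, so the grant is wider than the observed need. The line above shows the minimal pattern for a lone dir search (`dontaudit wcnss_service firmware_file:dir search;`); if cnss-daemon only traverses the directory to reach a node with a different label, `allow wcnss_service sysfs_net:dir search;` is the least-privilege rule. If it does read interface attributes under sysfs net (I cannot tell from the diff), keep r_dir_file but add a comment naming what it reads, e.g. `# cnss-daemon reads network interface attributes under sysfs net`, so the wider grant is documented rather than silently exceeding the denial it answers.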