Leaving in the binder call until I can independently verify that none of
these domains are running anything through binder, and if they are then
file bug reports on it.
Some of these domains don't seem to use the transfer/call permissions,
so I'm refraining from adding the full vndbinder_use statement until a
need for them becomes apparent.
Denials:
denied { getattr } for pid=556 comm="vndservicemanag"
scontext=u:r:vndservicemanager:s0 tcontext=u:r:hal_gnss_qti:s0
tclass=process
denied { open } for pid=556 comm="vndservicemanag"
path="/proc/744/attr/current" dev="proc" ino=25957
scontext=u:r:vndservicemanager:s0 tcontext=u:r:hal_gnss_qti:s0
tclass=file
denied { read } for pid=556 comm="vndservicemanag" name="current"
dev="proc" ino=25957 scontext=u:r:vndservicemanager:s0
tcontext=u:r:hal_gnss_qti:s0 tclass=file
denied { call } for pid=744 comm="Loc_hal" scontext=u:r:hal_gnss_qti:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder
denied { ioctl open read write } for pid=744 comm="Loc_hal"
path="/dev/vndbinder" dev="tmpfs" ino=19167 ioctlcmd=6209
scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:vndbinder_device:s0
tclass=chr_file
denied { ioctl } for pid=770 comm="Binder:770_2" path="/dev/vndbinder"
dev="tmpfs" ino=19167 ioctlcmd=6201 scontext=u:r:per_mgr:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
denied { getattr } for pid=556 comm="vndservicemanag"
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_mgr:s0 tclass=process
denied { open } for pid=556 comm="vndservicemanag"
path="/proc/770/attr/current" dev="proc" ino=24336
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_mgr:s0 tclass=file
denied { read } for pid=556 comm="vndservicemanag" name="current"
dev="proc" ino=24336 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_mgr:s0 tclass=file
denied { search } for pid=556 comm="vndservicemanag" name="770"
dev="proc" ino=8315 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_mgr:s0 tclass=dir
denied { transfer } for pid=770 comm="pm-service"
scontext=u:r:per_mgr:s0 tcontext=u:r:vndservicemanager:s0 tclass=binder
denied { call } for pid=770 comm="pm-service" scontext=u:r:per_mgr:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder
denied { ioctl open read write } for pid=770 comm="pm-service"
path="/dev/vndbinder" dev="tmpfs" ino=19167 ioctlcmd=6209
scontext=u:r:per_mgr:s0 tcontext=u:object_r:vndbinder_device:s0
tclass=chr_file
denied { read write } for pid=886 comm="cnss-daemon" name="vndbinder"
dev="tmpfs" ino=19167 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
denied { ioctl } for pid=886 comm="cnss-daemon" path="/dev/vndbinder"
dev="tmpfs" ino=19167 ioctlcmd=6201 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
denied { ioctl } for pid=875 comm="rild" path="/dev/vndbinder"
dev="tmpfs" ino=19167 ioctlcmd=6201 scontext=u:r:rild:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
denied { ioctl open read write } for pid=853 comm="pm-proxy"
name="vndbinder" dev="tmpfs" ino=19167 scontext=u:r:per_proxy:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
denied { call } for pid=853 comm="pm-proxy" scontext=u:r:per_proxy:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder
denied { search } for pid=556 comm="vndservicemanag" name="853"
dev="proc" ino=28401 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_proxy:s0 tclass=dir
denied { read } for pid=556 comm="vndservicemanag" name="current"
dev="proc" ino=28421 scontext=u:r:vndservicemanager:s0
tcontext=u:r:per_proxy:s0 tclass=file
denied { open } for pid=556 comm="vndservicemanag"
path="/proc/853/attr/current" dev="proc" ino=28421
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_proxy:s0 tclass=file
denied { getattr } for pid=556 comm="vndservicemanag"
scontext=u:r:vndservicemanager:s0 tcontext=u:r:per_proxy:s0
tclass=process
denied { add } for interface=vendor.qti.qcril.am::IQcRilAudio pid=875
scontext=u:r:rild:s0 tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager
denied { find } for service=vendor.qcom.PeripheralManager pid=774
uid=1001 scontext=u:r:rild:s0
tcontext=u:object_r:default_android_vndservice:s0 tclass=service_manager
denied { call } for pid=792 comm="cnss-daemon"
scontext=u:r:wcnss_service:s0 tcontext=u:r:vndservicemanager:s0
tclass=binder
denied { read write } for pid=1197 comm="rild" name="vndbinder"
dev="tmpfs" ino=19957 scontext=u:r:rild:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
denied { call } for pid=773 comm="rild" scontext=u:r:rild:s0
tcontext=u:r:vndservicemanager:s0 tclass=binder
Bug: 34784662
Test: vndbinder functionality for these domains is working
Change-Id: Ife7d4b4734ab4aca1d314b1b6cbac3203b216adc
# Device-specific additions to the platform system_server domain.
# Every rule here widens what system_server may do on this device; the
# TODO bugs track the ones that violate core/vendor separation and are
# meant to be removed, not expanded.

# ioctl on system_server's own sockets, with the permitted ioctl command
# numbers restricted by the allowxperm rule below to the
# msm_sock_ipc_ioctls set (defined elsewhere in the policy).
allow system_server self:socket ioctl;
allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;

# TODO(b/36867326): Remove this once system_server no longer communicates over binder
# Core-domain binder calls into vendor domains; each line lets
# system_server make binder calls to the named domain.
binder_call(system_server, per_mgr)
binder_call(system_server, folio_daemon)

binder_call(system_server, hal_camera_default)

# TODO(b/36613917): Remove this once system_server no longer communicates with netmgrd over sockets.
# The attribute marks netmgrd as a known violator of the core/vendor
# socket separation (it exempts netmgrd from the corresponding neverallow).
typeattribute netmgrd socket_between_core_and_vendor_violators;
# Lets system_server connect to the netmgrd_socket served by netmgrd, and
# traverse the directory that holds it.
unix_socket_connect(system_server, netmgrd, netmgrd)

allow system_server netmgrd_socket:dir search;
# Read-only access to persisted sensor data (search the persist
# directories, read the sensor files).
allow system_server persist_file:dir search;
allow system_server persist_sensors_file:dir search;
allow system_server persist_sensors_file:file r_file_perms;
# Full create/write access to location data; broader than the persist
# rules above, so keep location_data_file scoped to location data only.
allow system_server location_data_file:dir create_dir_perms;
allow system_server location_data_file:file create_file_perms;
# Read/write on the WLAN character device.
allow system_server wlan_device:chr_file rw_file_perms;

# On userdebug/eng builds the entire system_server domain is permissive:
# denials are logged as avc messages but not enforced. Consequently the
# rules above are only actually enforced on user builds, and a missing
# allow rule will not be noticed on a debug build unless logcat is checked.
userdebug_or_eng(`
permissive system_server;
')

# TODO(b/30675296): Remove following dontaudit's upon resolution of this bug
# The timerslack_ns denials spam the system really horribly
# dontaudit only suppresses the log lines; the writes themselves remain
# denied. appdomain presumably already includes untrusted_app, making the
# untrusted_app rule redundant — verify against the platform policy.
dontaudit system_server audioserver:file write;
dontaudit system_server untrusted_app:file write;
dontaudit system_server hal_audio_default:file write;
dontaudit system_server appdomain:file write;