From 566afc1cac46b2576058a00e5e32453ef12d9762 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Tue, 14 Feb 2017 17:05:34 -0800
Subject: [PATCH] Adding init allows and supporting file_context.
Adding allows to address following boot denials:
denied { open } for pid=1 comm="init" path="/dev/ttyMSM0" dev="tmpfs" ino=20828 scontext=u:r:init:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { read write } for pid=1 comm="init" name="ttyMSM0" dev="tmpfs" ino=20828 scontext=u:r:init:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { write } for pid=1 comm="init" name="b_vendor_code" dev="configfs" ino=21093 scontext=u:r:init:s0 tcontext=u:object_r:configfs:s0 tclass=file
Bug: 34784662
Test: The above denials are not present during boot
Change-Id: I5cc2daecf5b2a54d21ae17f6d88ffc174b5b8a12
---
sepolicy/file_contexts | 2 ++
sepolicy/init.te | 3 +++
2 files changed, 5 insertions(+)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 04da4e7..0b8d558 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -3,6 +3,8 @@
 /dev/kgsl-3d0 u:object_r:gpu_device:s0
 /dev/rtc0 u:object_r:rtc_device:s0
 /dev/smd.* u:object_r:smd_device:s0
+# TODO: does ttyMSM0 need to be more specific
+/dev/ttyMSM0 u:object_r:tty_device:s0
 /dev/ipa u:object_r:ipa_dev:s0
 /dev/wwan_ioctl u:object_r:ipa_dev:s0
 /dev/ipaNatTable u:object_r:ipa_dev:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 5382906..7871abf 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,4 +1,7 @@
 allow init self:capability sys_module;
 allow init system_file:system module_load;
+allow init configfs:file w_file_perms;
+allow init tty_device:chr_file rw_file_perms;
+
 allow init persist_file:dir mounton;
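Review bot: The `# TODO: does ttyMSM0 need to be more specific` comment above the new `/dev/ttyMSM0` entry should be answered before this lands, because the denials show the node was previously falling through to the generic `device` type and labeling it `tty_device` now extends every existing `tty_device` rule in the policy to this node, not only the init rule added in this commit. If ttyMSM0 is the serial UART used as the boot console (the name suggests it, but the hunk does not say), a dedicated serial-port type may be a better fit than the generic tty type so that read/write on the console can be limited to init and to builds where a console is expected. Replace the TODO with a statement of what the node is and who is meant to reach it, e.g. `# Serial UART used as the early boot console; rw access is intended for init only`.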
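Review bot: `allow init configfs:file w_file_perms;` is broader than the denial that motivated it: the log shows a single `write` on `b_vendor_code`, but the rule grants the whole `w_file_perms` set (in AOSP's global_macros this also covers append and lock, if that definition is in use here) on every file under configfs. Because configfs is how the USB gadget is configured at runtime — `b_vendor_code` appears to be one of the gadget's OS-descriptor attributes, though that is inferred from the name — it would be safer to scope either the permissions, e.g. `allow init configfs:file { open write };`, or the object, by giving the gadget subtree its own type via genfscon if the kernel honors per-path configfs labeling in this tree. Please also confirm that `allow init tty_device:chr_file rw_file_perms;` is not already granted by the core init.te this device policy layers on, so the device rule is not a redundant duplicate. Whichever form is kept, a comment citing the denial makes the rule auditable later: `# init.rc writes USB gadget attributes under /config (e.g. b_vendor_code)`.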