Added allow rules to handle the following bootup denials

denials:
avc: denied { read write } for pid=1673 comm="android.hardwar"
name="qseecom" dev="tmpfs" ino=23078
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:tee_device:s0

denied { ioctl } for pid=769 comm="qti" path="socket:[19255]"
dev="sockfs" ino=19255 ioctlcmd=c302 scontext=u:r:qti:s0
tcontext=u:r:qti:s0 tclass=socket

denied { create } for pid=769 comm="qti" scontext=u:r:qti:s0
tcontext=u:r:qti:s0 tclass=socket

denied { create } for pid=767 comm="netmgrd"
name="netmgr_connect_socket" scontext=u:r:netmgrd:s0
tcontext=u:object_r:netmgrd_socket:s0 tclass=sock_file

denied { setattr } for pid=767 comm="netmgrd"
name="netmgr_connect_socket" dev="tmpfs" ino=22393
scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=sock_file

denied { read } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { write } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { bind } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { create } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { getattr } for pid=823 comm="netmgrd"
path="/sys/devices/virtual/net/rmnet_data0/queues/rx-0/rps_cpus"
dev="sysfs" ino=56682 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_net:s0 tclass=file

denied { getattr } for pid=823 comm="netmgrd"
path="/proc/sys/net/ipv6/conf/rmnet_data0/accept_ra" dev="proc"
ino=27240 scontext=u:r:netmgrd:s0 tcontext=u:object_r:proc_net:s0
tclass=file

denied { net_raw } for pid=1197 comm="iptables" capability=13
scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=21783 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=file

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=17707 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_rmtfs:s0
tclass=file

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=50864 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=file

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=38138 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_net:s0
tclass=file

denied  { create } for  pid=1 comm="init" name="sdcard"
scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file

denied { read } for pid=1571 comm="android.hardwar"
name="soc:fp_fpc1020" dev="sysfs" ino=21863
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=dir

denied { open } for pid=1571 comm="android.hardwar"
path="/sys/devices/soc/soc:fp_fpc1020" dev="sysfs" ino=21863
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=dir

denied { search } for pid=1571 comm="android.hardwar"
name="soc:fp_fpc1020" dev="sysfs" ino=21863
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=dir

denied { set } for property=persist.net.doxlat pid=749 uid=1001 gid=3003
scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0
tclass=property_service

denied { set } for property=sys.listeners.registered pid=612 uid=1000
gid=1000 scontext=u:r:tee:s0 tcontext=u:object_r:system_prop:s0
tclass=property_service

denied { set } for property=sys.keymaster.loaded pid=609 uid=1000
gid=1000 scontext=u:r:tee:s0 tcontext=u:object_r:system_prop:s0
tclass=property_service

Bug: 34784662
Test: The above denials are no longer present
Change-Id: I52434abc526f8458479cf4acd0ff967277887f49
Max Bires
2017-02-22 14:15:44 -08:00
parent e67fa1db09
commit 4213a37bf1
9 changed files with 25 additions and 5 deletions


@@ -1,2 +1,4 @@
allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
allow hal_fingerprint tee_device:file rw_file_perms;
allow hal_fingerprint tee_device:chr_file rw_file_perms;
allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
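Review bot: `rw_file_perms` on the new `tee_device:chr_file` line grants ioctl on the qseecom node with no `allowxperm` restriction, while the denial in the message only asked for `{ read write }`; if the fingerprint HAL issues a known set of commands, pairing it with `allowxperm hal_fingerprint tee_device:chr_file ioctl { <ioctl-list-placeholder> };` keeps the TEE ioctl surface bounded the way the qti and netmgrd rules elsewhere in this commit do. The `tee_device:file` line printed just above it cannot match a character device node; if it survives the commit it is a dead grant worth dropping, though this rendering does not show whether the commit removed it.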


@@ -1,3 +1,6 @@
# symlink /sdcard to backing block
allow init tmpfs:lnk_file create;
allow init self:capability sys_module;
allow init system_file:system module_load;
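Review bot: The new `tmpfs:lnk_file create` rule applies to every tmpfs-labelled directory init can reach, not just the `/sdcard` link the comment describes, so the comment should say the grant is deliberately generic and tie it to the tracking bug, e.g. `# symlink /sdcard to backing block (b/34784662); create is allowed on any tmpfs dir`. If init later also relabels or removes that link on reboot, further `lnk_file` permissions will surface as new denials, which this page cannot confirm either way.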


@@ -14,6 +14,7 @@ allow location self:capability { setgid setuid };
allow location proc_net:file r_file_perms;
allow location location_data_file:file w_file_perms;
allow location location_data_file:sock_file w_file_perms;
allow location self:netlink_route_socket create_socket_perms_no_ioctl;
allow location self:udp_socket create_socket_perms;
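Review bot: The added `netlink_route_socket` rule for `location` has no matching denial in the commit message, which lists denials only for hal_fingerprint, qti, netmgrd, ueventd, init and tee, so this grant is not traceable to anything the commit documents. Either the location denial belongs in the message next to the others, or the line belongs in a separate change. The location rules start before the hunk at line 14, so earlier context is not visible here.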


@@ -11,16 +11,18 @@ unix_socket_connect(netmgrd, netd, netd)
allow netmgrd self:socket create_socket_perms_no_ioctl;
allow netmgrd netmgrd_socket:dir w_dir_perms;
allow netmgrd netmgrd_socket:sock_file { create setattr };
allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
allow netmgrd sysfs_net:file w_file_perms;
allow netmgrd sysfs_net:file rw_file_perms;
allow netmgrd sysfs_net:dir r_dir_perms;
allow netmgrd proc_net:file w_file_perms;
allow netmgrd proc_net:file rw_file_perms;
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd netmgr_data_file:file rw_file_perms;
allow netmgrd system_file:file execute_no_trans;
allow netmgrd self:capability { net_admin setuid };
allow netmgrd self:capability { net_admin net_raw setuid };
allow netmgrd toolbox_exec:file rx_file_perms;
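Review bot: `rw_file_perms` on `sysfs_net:file` and `proc_net:file` is wider than the two denials it answers, which report only `getattr` on `rps_cpus` and `accept_ra`; if netmgrd merely stats those paths, `allow netmgrd { sysfs_net proc_net }:file getattr;` would clear the denials without adding read on every file carrying those labels, though netmgrd may well read them too, which this page cannot tell. The `net_raw` capability is needed because `comm="iptables"` runs inside the netmgrd domain without a transition (consistent with the `toolbox_exec:file rx_file_perms` line at the end of the hunk), so the whole daemon rather than just the iptables invocation gains raw-socket capability; a comment such as `# net_raw: iptables is executed in-domain via toolbox_exec` would record that. The `self:netlink_socket` rule uses the generic netlink class, matching the `tclass=netlink_socket` in the denials, so it does not cover the route/xfrm families that have their own classes.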


@@ -1,3 +1,5 @@
type wc_prop, property_type;
type camera_prop, property_type;
type ssr_prop, property_type;
type tee_listener_prop, property_type;
type keymaster_prop, property_type;
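Review bot: The two new property types carry no comment saying which property they label or which domain writes them, so a reader has to cross-reference property_contexts and tee.te; `# sys.listeners.registered, set by tee` and `# sys.keymaster.loaded, set by tee` above the respective `type` lines would tie them to the denials that motivated them. Splitting these off `system_prop` is the right direction, since it avoids handing tee set access to every system_prop-labelled property.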


@@ -1,2 +1,5 @@
wc_transport. u:object_r:wc_prop:s0
persist.camera. u:object_r:camera_prop:s0
persist.net.doxlat u:object_r:net_radio_prop:s0
sys.listeners.registered u:object_r:tee_listener_prop:s0
sys.keymaster.loaded u:object_r:keymaster_prop:s0
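Review bot: `persist.net.doxlat` is relabelled from `default_prop` to `net_radio_prop`, but the netmgrd hunk in this commit adds no `set_prop(netmgrd, net_radio_prop)`; unless netmgrd already holds that rule outside the visible hunk, the netmgrd property denial at the end of the message would reappear with `tcontext=u:object_r:net_radio_prop:s0` rather than go away. Worth confirming against netmgrd.te before relying on the `Test:` line. The two `sys.` entries are fine as written; giving each its own type rather than leaving them on `system_prop` is the narrower choice.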


@@ -4,8 +4,8 @@ type qti_exec, exec_type, file_type;
init_daemon_domain(qti)
net_domain(qti)
allow qti self:socket { ioctl read };
allowxperm qti self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
allow qti self:socket create_socket_perms;
allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;
userdebug_or_eng(`
permissive qti;
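Review bot: Replacing the single-value `IPC_ROUTER_IOCTL_BIND_CONTROL_PORT` allowxperm with `msm_sock_ipc_ioctls` widens qti's ioctl allowlist to whatever that macro holds (its definition is not on this page), while the denial in the message reports only `ioctlcmd=c302`; if that is the only command qti issues, keeping a one-value allowxperm, or a comment naming which commands in the macro are actually used, keeps the grant minimal. `create_socket_perms` likewise adds bind/connect/setopt-style permissions beyond the `{ create ioctl read }` the denials show, which is presumably needed for IPC router sockets but deserves a one-line comment. Since `permissive qti` is wrapped in `userdebug_or_eng`, these rules are only enforced on user builds, so that is the configuration the `Test:` line should be checked on.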


@@ -2,6 +2,9 @@ allow tee self:capability { chown setgid setuid sys_admin sys_rawio };
allow tee device:dir r_dir_perms;
set_prop(tee, tee_listener_prop)
set_prop(tee, keymaster_prop)
allow tee block_device:dir { getattr search };
allow tee sdd_block_device:blk_file rw_file_perms;
allow tee sg_device:chr_file { rw_file_perms setattr };
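Review bot: The two new `set_prop` lines for tee do not name the properties the types label, so a reader of tee.te has to look them up in property_contexts; `# sys.listeners.registered and sys.keymaster.loaded, signalled by tee at startup` above them would do, with the "at startup" part confirmed against the daemon since this page shows only the denials. Granting the two dedicated types instead of `system_prop` is the right scope for these rules.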


@@ -1,3 +1,7 @@
allow ueventd sysfs_thermal:file w_file_perms;
allow ueventd sysfs_leds:file w_file_perms;
allow ueventd sysfs_camera:file w_file_perms;
allow ueventd sysfs_fingerprint:file w_file_perms;
allow ueventd sysfs_rmtfs:file w_file_perms;
allow ueventd sysfs_soc:file w_file_perms;
allow ueventd sysfs_net:file w_file_perms;
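Review bot: All four new ueventd lines answer writes to a file named `uevent` (every ueventd denial in the message carries `name="uevent"`), but `w_file_perms` grants write on every file carrying the sysfs_fingerprint, sysfs_rmtfs, sysfs_soc and sysfs_net labels, not just the trigger file. That matches the existing thermal/leds/camera lines at the top of the hunk and is the usual pattern, so it is acceptable, but a comment such as `# coldboot trigger: ueventd writes to uevent files under these labels` would make the intent clear and give a future change a reason to narrow to a dedicated uevent label. Note that sysfs_net is now writable by both ueventd and netmgrd, so any write-sensitive attribute under that label is reachable from two domains.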