Added allow rules for the following denials:
denied { call } for pid=2460 comm="AudioOut_D"
scontext=u:r:audioserver:s0 tcontext=u:r:bootanim:s0 tclass=binder
denied { write } for pid=1464 comm="writer" name="perfd" dev="tmpfs"
ino=11825 scontext=u:r:audioserver:s0
tcontext=u:object_r:socket_device:s0 tclass=sock_file
Bug: 34784662
Test: The above denials are no longer seen in the selinux logs
Change-Id: I4dc7c054d14e8a06d42167194cf211e0822bb3a9

tee was attempting to access an sdd device as per the following denial,
but access to generic block devices can't be granted due to a neverallow
rule. The device was granted its own type and tee was granted the
appropriate allow rules.
avc: denied { getattr read write } for pid=790 comm="qseecomd"
name="sdd2" dev="tmpfs" ino=18294 scontext=u:r:tee:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file
Bug: 34784662
Test: The above denials are no longer present
Change-Id: Idebb7c7aa5c2001f643f4d617eaa3ee8cab8ad28

This behavior is the result of a bug detailed here:
https://buganizer.corp.google.com/issues/29072816#comment52
Bug: 34784662
Test: The surfaceflinger search denial is no longer present during
bootup
Change-Id: I6ae41e953a21b988cdf303db2b059f59dcc711a5

Added allow rule to make binder call to hwservicemanager due to denial
on call appearing in boot logs.
avc: denied { call } for pid=682 comm="BootAnimation"
scontext=u:r:bootanim:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder
Bug: 34784662
Test: The call denials are no longer seen on bootup
Change-Id: I5a2976989c60f6d4fb92af1167bc6b545cd81e65

Addressed the following denial on a generic device that needed to be
relabeled:
avc: denied { ioctl } for pid=711 comm="sensors.qcom"
path="/dev/sensors" dev="tmpfs" ino=22661 ioctlcmd=6403
scontext=u:r:sensors:s0 tcontext=u:object_r:device:s0 tclass=chr_file
Bug: 34784662
Test: Above denial no longer present in bootup logs
Change-Id: I2738a90422fc0cd5075414b0bdc466535aecde82

Allow rules take care of the following denials:
denied { create } for pid=6 comm="kworker/u16:0"
scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=socket
denied { mounton } for pid=1 comm="init" path="/persist" dev="sda20"
ino=44 scontext=u:r:init:s0 tcontext=u:object_r:persist_file:s0
tclass=dir
Bug: 34784662
Test: The above denials no longer appear in bootup logs
Change-Id: I1a0db919938e4d56d60e07dad65db064a5f38d45

There was a generic character file device that needed to be given its
own device type. According to the following denial, tee was given
several permissions to access this type.
avc: denied { ioctl write setattr read } for pid=733 comm="qseecomd"
name="sg2" dev="tmpfs" ino=21736 scontext=u:r:tee:s0
tcontext=u:object_r:sg_device:s0 tclass=chr_file
According to the following denial type, tee was also given access actions
relating to tee capabilities.
avc: denied { sys_admin } for pid=733 comm="qseecomd" capability=21
scontext=u:r:tee:s0 tcontext=u:r:tee:s0 tclass=capability
Bug: 34784662
Test: The above denials no longer appear in bootup logs
Change-Id: I26a63655597191da566f1ed1e290c6572abb0476

Starting off by adding in allow rules for per_mgr, it was clear that
per_proxy was lumped in as a per_mgr_exec class, though looking at
marlin it was shown that the two had been separated. In keeping with
convention, per_proxy was also split out into its own class and .te
file. This policy change was motivated by the following SELinux denials on
per_mgr.
avc: denied { read } for pid=625 comm="pm-service"
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=socket
avc: denied { transfer } for pid=654 comm="pm-proxy"
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=binder
avc: denied { read } for pid=654 comm="pm-proxy" name="name" dev="sysfs"
ino=32744 scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs:s0
tclass=file
avc: denied { read } for pid=623 comm="Binder:604_1" name="subsys_modem"
dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0
tcontext=u:object_r:ssr_device:s0 tclass=chr_file
avc: denied { open } for pid=623 comm="Binder:604_1"
path="/dev/subsys_modem" dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0
tcontext=u:object_r:ssr_device:s0 tclass=chr_file
Bug: 34784662
Test: The above denials are cleaned up in the boot logs
Change-Id: I4929c870f860c2e0fa7ea1d7412f960923fea602

The allow rules added are in response to the following types of denials.
avc: denied { getattr search } for pid=732 comm="qseecomd"
path="/dev/block/platform/soc/1da4000.ufshc" dev="tmpfs" ino=19964
scontext=u:r:tee:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { read open } for pid=721 comm="qseecomd" name="/"
dev="tmpfs" ino=21664 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0
tclass=dir
Further restrictions will require labeling more device nodes, otherwise
they will conflict with a neverallow restricting access to generic
device character files, so this commit should cover some of the most
basic denials, but will be expanded upon.
Bug: 34784662
Test: The denials mentioned are no longer seen
Change-Id: I3f25d7b301c86fc69e10934b50fe1093ddac7019

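The commits above follow one pattern: read an avc denial from the boot logs, derive the allow rule that would silence it, and, where the target carries a generic label such as device or block_device, relabel the node with its own type instead because a neverallow rule forbids granting access to the generic label. As an added example (not code from any of these commits, nor the AOSP sepolicy tooling such as audit2allow), the Python below reproduces that triage over denial lines copied from the messages on this page. The GENERIC_TYPES set and the relabel heuristic are assumptions for illustration; a real policy change would still be checked against the full neverallow set at build time.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Denial lines copied from the commit messages on this page (wrapped lines
# rejoined). Lines that lacked the "avc:" prefix are parsed just the same.
DENIALS = [
    'avc: denied { call } for pid=2460 comm="AudioOut_D" '
    'scontext=u:r:audioserver:s0 tcontext=u:r:bootanim:s0 tclass=binder',
    'avc: denied { write } for pid=1464 comm="writer" name="perfd" dev="tmpfs" '
    'ino=11825 scontext=u:r:audioserver:s0 '
    'tcontext=u:object_r:socket_device:s0 tclass=sock_file',
    'avc: denied { getattr read write } for pid=790 comm="qseecomd" '
    'name="sdd2" dev="tmpfs" ino=18294 scontext=u:r:tee:s0 '
    'tcontext=u:object_r:block_device:s0 tclass=blk_file',
    'avc: denied { ioctl } for pid=711 comm="sensors.qcom" '
    'path="/dev/sensors" dev="tmpfs" ino=22661 ioctlcmd=6403 '
    'scontext=u:r:sensors:s0 tcontext=u:object_r:device:s0 tclass=chr_file',
    'avc: denied { sys_admin } for pid=733 comm="qseecomd" capability=21 '
    'scontext=u:r:tee:s0 tcontext=u:r:tee:s0 tclass=capability',
]

# Assumption: generic labels that a neverallow rule forbids granting access to
# for device nodes, so the node must be relabeled with its own type first.
GENERIC_TYPES = {"device", "block_device"}
DEVICE_NODE_CLASSES = {"chr_file", "blk_file"}

DENIAL_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line: str) -> Optional[Dict]:
    """Split one avc line into its permission set and key=value fields."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": m.group("perms").split(), **fields}


def context_type(ctx: str) -> str:
    """u:r:tee:s0 -> tee, u:object_r:device:s0 -> device."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def rule_key(d: Dict) -> Tuple[str, str, str]:
    src, tgt = context_type(d["scontext"]), context_type(d["tcontext"])
    # A domain acting on its own context is written as "self" in policy.
    return src, ("self" if src == tgt else tgt), d["tclass"]


def allow_rule(d: Dict) -> str:
    """The allow rule that would silence exactly this denial."""
    src, tgt, cls = rule_key(d)
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(d['perms']))} }};"


def triage(lines: List[str]) -> List[Tuple[str, str, Dict]]:
    """Return (action, candidate rule, parsed denial) for each parseable line.
    action is 'relabel' when the target is a generic device label on a device
    node (the rule would hit a neverallow), otherwise 'allow'."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        _, tgt, cls = rule_key(d)
        action = "relabel" if tgt in GENERIC_TYPES and cls in DEVICE_NODE_CLASSES else "allow"
        out.append((action, allow_rule(d), d))
    return out


def merge_rules(lines: List[str]) -> List[str]:
    """Collapse all allow-able denials into one rule per (source, target, class),
    the way a reviewer would want them written in a .te file."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for action, _, d in triage(lines):
        if action == "allow":
            merged.setdefault(rule_key(d), set()).update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for action, rule, d in triage(DENIALS):
        print(f"{action:8} {rule}" + (f"   # relabel {d.get('name') or d.get('path')} first"
                                      if action == "relabel" else ""))
    print("\n".join(merge_rules(DENIALS)))
```

Running the script prints one line per denial, marking the sdd2 and /dev/sensors entries as relabel candidates (matching what the commits did: a dedicated type for each node, then allow rules against that type) and emitting a merged allow rule for the rest, including `allow tee self:capability { sys_admin };` for the capability denial.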
Install the touch driver kernel modules to muskie vendor image and
insert them once filesystem is ready. Also enable insmod sepolicy for
init process.
Bug: 32574003
Change-Id: I2ad9969816e5ebd98b53d07bd3b55c533b8997b2
Signed-off-by: David Lin <dtwlin@google.com>

Added access to diag_device for userdebug/eng builds in
domain.te under the expectation that a good number of other types might
need access to it. Also added access to search persist_file directories
in surfaceflinger.te to address SELinux denials.
Bug: 34784662
Test: surfaceflinger search denials absent from boot logs
Change-Id: I5546f6204bbe4ce2cbd26b9a9269aa9bb33d9508

Allowed per_mgr access to per_mgr_service and defined per_mgr_service.
Bug: 34784662
Test: per_mgr search denials no longer appear in SELinux denials
Change-Id: Ia561870b613fdd85c94d51c5b2dcaf0632ec6e24

Fixes sepolicy labeling and capabilities now that vendor is not part of system
image anymore.
Change-Id: Ic1529990b18779bddeeffeb4cd69b6cdfb84a62b
Signed-off-by: Thierry Strudel <tstrudel@google.com>