Commit Graph

75 Commits

Author SHA1 Message Date
Jeff Vander Stoep
88e5ec1a7f sepolicy: add owners file
Test: build
Change-Id: Ifdca07d6e652b26e4fbfd25047a8c80c6013717a
2017-10-05 14:43:45 -07:00
Badhri Jagan Sridharan
e97ce188fb selinux policy for letting the system server set radio config
Test: Manually verify modem overlay functions for usbradio bootmode
Bug: 31947358
Change-Id: If598b5c464ebf1c24043df331e670f4d7c1af0a9
2017-03-29 11:28:36 -07:00
Thierry Strudel
14876b88f0 Migrate common files to device/google/wahoo
Test: boot, basic functionality
Change-Id: I9edff53d7be158a60914335e755ded652d247db8
Signed-off-by: Thierry Strudel <tstrudel@google.com>
2017-03-05 13:18:44 -08:00
Max Bires
07eb4303e8 Adding allow rules and file contexts to handle denials.
Added lines address following denials:
denied { search } for pid=1184 comm="thermal-engine" name="uio"
dev="sysfs" ino=38350 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=dir

denied { open } for pid=1184 comm="thermal-engine" path="/sys/class/uio"
dev="sysfs" ino=38350 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=dir

denied { read } for pid=1184 comm="thermal-engine" name="uio"
dev="sysfs" ino=38350 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=dir

denied { write } for pid=977 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

denied { ioctl } for pid=778 comm="port-bridge" path="/dev/at_mdm0"
dev="tmpfs" ino=22203 ioctlcmd=c300 scontext=u:r:port-bridge:s0
tcontext=u:object_r:at_device:s0 tclass=chr_file

denied { open } for pid=689 comm="Binder:669_1"
path="/firmware/image/modem.b13" dev="sda7" ino=51
scontext=u:r:per_mgr:s0 tcontext=u:object_r:firmware_file:s0 tclass=file

denied { read } for pid=689 comm="Binder:669_1" name="modem.b13"
dev="sda7" ino=51 scontext=u:r:per_mgr:s0
tcontext=u:object_r:firmware_file:s0 tclass=file

denied { read } for pid=670 comm="sensors.qcom" name="subsys0"
dev="sysfs" ino=33249 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file

denied { open } for pid=670 comm="sensors.qcom"
path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16197
scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir

denied { read } for pid=670 comm="sensors.qcom" name="devices"
dev="sysfs" ino=16197 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { search } for pid=670 comm="sensors.qcom" name="msm_subsys"
dev="sysfs" ino=16195 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { setpcap } for pid=673 comm="tftp_server" capability=8
scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability

denied { read } for pid=669 comm="pm-service" name="subsys0" dev="sysfs"
ino=33249 scontext=u:r:per_mgr:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file

denied { open } for pid=669 comm="pm-service"
path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16197
scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir

denied { read } for pid=669 comm="pm-service" name="devices" dev="sysfs"
ino=16197 scontext=u:r:per_mgr:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { search } for pid=669 comm="pm-service" name="msm_subsys"
dev="sysfs" ino=16195 scontext=u:r:per_mgr:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { net_bind_service } for pid=688 comm="pm-service" capability=10
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=capability

denied { search } for pid=918 comm="loc_launcher" name="mq" dev="sda43"
ino=622663 scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir

denied { write } for pid=918 comm="loc_launcher" name="mq" dev="sda43"
ino=622663 scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir

denied { add_name } for pid=918 comm="loc_launcher" name="location-mq-s"
scontext=u:r:location:s0 tcontext=u:object_r:location_data_file:s0
tclass=dir

denied { create } for pid=918 comm="loc_launcher" name="location-mq-s"
scontext=u:r:location:s0 tcontext=u:object_r:location_data_file:s0
tclass=sock_file

denied { setattr } for pid=918 comm="loc_launcher" name="location-mq-s"
dev="sda43" ino=622681 scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=sock_file

denied { read } for pid=680 comm="android.hardwar"
name="u:object_r:keymaster_prop:s0" dev="tmpfs" ino=22587
scontext=u:r:hal_gatekeeper_default:s0
tcontext=u:object_r:keymaster_prop:s0 tclass=file

denied { read } for pid=654 comm="sensors.qcom" name="name" dev="sysfs"
ino=33243 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { open } for pid=654 comm="sensors.qcom"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=33243 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied  { mounton } for  pid=560 comm="init" path="/firmware"
dev="sda21" ino=25 scontext=u:r:init:s0
tcontext=u:object_r:firmware_file:s0 tclass=dir

denied { read } for pid=766 comm="gatekeeperd"
name="u:object_r:keymaster_prop:s0" dev="tmpfs" ino=22203
scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:keymaster_prop:s0
tclass=file

denied { search } for pid=1156 comm="rild" name="netmgr" dev="tmpfs"
ino=22676 scontext=u:r:rild:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=dir

denied { search } for pid=1156 comm="rild" name="netmgr" dev="tmpfs"
ino=22704 scontext=u:r:rild:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=dir

denied { open } for pid=795 comm="gatekeeperd"
path="/dev/__properties__/u:object_r:keymaster_prop:s0" dev="tmpfs"
ino=18420 scontext=u:r:gatekeeperd:s0
tcontext=u:object_r:keymaster_prop:s0 tclass=file

denied  { write } for  pid=549 comm="ueventd" name="uevent" dev="sysfs"
ino=17842 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { open } for pid=661 comm="sensors.qcom"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=33243 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { read } for pid=661 comm="sensors.qcom" name="name" dev="sysfs"
ino=33243 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { read } for pid=732 comm="netmgrd" name="name" dev="sysfs"
ino=33243 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { open } for pid=732 comm="netmgrd"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=33243 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { open } for pid=732 comm="netmgrd"
path="/sys/devices/soc/cce0000.qcom,venus/subsys1/name" dev="sysfs"
ino=33290 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { create } for pid=732 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

denied { bind } for pid=732 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

Bug: 34784662
Test: The above denials are no longer present during boot
Change-Id: I6bccebf51e4b9e6cefda6bbe2331d7216632d1e3
2017-03-04 14:29:29 -08:00
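The denials quoted in these commit messages are the raw material for the allow rules each change adds. AOSP's audit2allow turns such records into rules mechanically, but a reviewer still has to decide which of them should become an allow and which are really a labelling bug (a generic sysfs, debugfs or default_prop target) or a dangerous widening (setuid, mounton). The following script is an added example, not code from this repository or from the commits above: it re-joins the wrapped records as they appear in these messages, aggregates them into candidate rules the way audit2allow does, and flags the ones that deserve a second look. SAMPLE_LOG is constructed from denials quoted in this log; the REVIEW_FLAGS and REVIEW_TYPES tables, the join_wrapped heuristic and the analyze function are this example's own and not part of any Android tool.

```python
"""Added example, not code from this repository: turn wrapped AVC denial
records into candidate allow rules (what audit2allow does) and flag the
ones a sepolicy reviewer should inspect instead of allowing blindly.
SAMPLE_LOG is pasted from denials quoted in the commit messages above; the
REVIEW_* tables are this example's own judgement calls."""
import re
from collections import defaultdict

# Kernel AVC output uses double spaces ("denied  { open } for  pid="), so \s+.
AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)
CTX_TYPE_RE = re.compile(r"^u:(?:r|object_r):(?P<type>[^:]+):s\d+")

# (tclass, permission) pairs that widen a domain well beyond one file.
REVIEW_FLAGS = {
    ("capability", "setuid"): "domain can change its UID",
    ("capability", "setpcap"): "domain can alter its capability bounding set",
    ("capability", "net_admin"): "full network administration",
    ("dir", "mounton"): "domain can mount over this path",
}
# Target types that usually mean "label it properly" rather than "allow it".
REVIEW_TYPES = {
    "debugfs": "debugfs exposes kernel internals",
    "default_prop": "unlabelled property; give it a property context",
    "sysfs": "generic sysfs label; add a specific file_contexts entry",
}

# Constructed sample: records copied from the commit messages, still wrapped.
SAMPLE_LOG = """
denied { write } for pid=977 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

denied { bind } for pid=732 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

denied { setuid } for pid=672 comm="rmt_storage" capability=7
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability
denied { write } for pid=672 comm="rmt_storage" name="rmts"
dev="debugfs" ino=19673 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:debugfs:s0 tclass=file
denied  { mounton } for  pid=560 comm="init" path="/firmware"
dev="sda21" ino=25 scontext=u:r:init:s0
tcontext=u:object_r:firmware_file:s0 tclass=dir
denied { set } for property=persist.net.doxlat pid=749 uid=1001 gid=3003
scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0
tclass=property_service
avc: denied { read write } for pid=1673 comm="android.hardwar"
name="qseecom" dev="tmpfs" ino=23078
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:tee_device:s0
"""


def join_wrapped(text):
    """Re-join records wrapped across lines (as in commit messages); real
    logcat/dmesg output is one record per line, so this is a no-op there."""
    records, cur = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if "denied" in line and cur:  # a new record starts here
            records.append(" ".join(cur))
            cur = []
        cur.append(line)
    if cur:
        records.append(" ".join(cur))
    return records


def type_of(ctx):
    """u:r:netmgrd:s0 -> netmgrd, u:object_r:debugfs:s0 -> debugfs."""
    m = CTX_TYPE_RE.match(ctx)
    return m["type"] if m else ctx


def analyze(text):
    """Return (candidate allow rules, review flags, unparsed records)."""
    rules, unparsed = defaultdict(set), []
    for rec in join_wrapped(text):
        m = AVC_RE.search(rec)
        if not m:  # truncated or garbled record: report it, never drop it
            unparsed.append(rec)
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    rendered, flags = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        target = "self" if src == tgt else tgt
        rendered.append(f"allow {src} {target}:{cls} {plist};")
        flags += [f"{src} {cls}:{p}: {REVIEW_FLAGS[(cls, p)]}"
                  for p in sorted(perms) if (cls, p) in REVIEW_FLAGS]
        if tgt in REVIEW_TYPES:
            flags.append(f"{src} -> {tgt} ({cls}): {REVIEW_TYPES[tgt]}")
    return rendered, flags, unparsed
```

Run analyze(SAMPLE_LOG) and the netmgrd netlink records collapse into one rule against self, while the rmt_storage setuid, init mounton, debugfs and default_prop records come back flagged rather than silently rendered; the truncated tee_device record (no tclass, exactly as one commit quotes it) is returned in the unparsed list so it is not lost. Anything flagged should be answered with a more specific type or file_contexts entry, not a broader allow.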
Max Bires
d03132d274 Adding rules and contexts to fix more denials.
Fixing following denials:
denied { getattr } for pid=875 comm="thermal-engine"
path="/sys/devices/soc/0.qcom,rmtfs_sharedmem/uio/uio0/name" dev="sysfs"
ino=38372 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_rmtfs:s0 tclass=file

denied { open } for pid=875 comm="thermal-engine"
path="/sys/devices/soc/0.qcom,rmtfs_sharedmem/uio/uio0/name" dev="sysfs"
ino=38372 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_rmtfs:s0 tclass=file

denied { read } for pid=875 comm="thermal-engine" name="name"
dev="sysfs" ino=38372 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_rmtfs:s0 tclass=file

denied { read } for pid=875 comm="thermal-engine" name="uio0"
dev="sysfs" ino=38371 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=lnk_file

denied { block_suspend } for pid=873 comm="thermal-engine" capability=36
scontext=u:r:thermal-engine:s0 tcontext=u:r:thermal-engine:s0
tclass=capability2

denied { write } for pid=986 comm="rmt_storage"
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0 tclass=socket

denied { read } for pid=672 comm="rmt_storage"
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0 tclass=socket

denied { getattr } for pid=791 comm="netmgrd"
path="/sys/module/tcp_cubic/parameters/hystart_detect" dev="sysfs"
ino=25096 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { open } for pid=791 comm="netmgrd"
path="/sys/module/tcp_cubic/parameters/hystart_detect" dev="sysfs"
ino=25096 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { write } for pid=791 comm="netmgrd" name="hystart_detect"
dev="sysfs" ino=25096 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { ioctl } for pid=763 comm="netmgrd" path="socket:[1767]"
dev="sockfs" ino=1767 ioctlcmd=c304 scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=socket

denied { ioctl } for pid=908 comm="rild" path="socket:[25980]"
dev="sockfs" ino=25980 ioctlcmd=c304 scontext=u:r:rild:s0
tcontext=u:r:rild:s0 tclass=socket

denied { open } for pid=676 comm="servicemanager"
path="/proc/783/attr/current" dev="proc" ino=25112
scontext=u:r:servicemanager:s0 tcontext=u:r:rild:s0 tclass=file

denied { getattr } for pid=676 comm="servicemanager"
scontext=u:r:servicemanager:s0 tcontext=u:r:rild:s0 tclass=process

denied { read } for pid=676 comm="servicemanager" name="current"
dev="proc" ino=25112 scontext=u:r:servicemanager:s0 tcontext=u:r:rild:s0
tclass=file

denied { call } for pid=783 comm="rild" scontext=u:r:rild:s0
tcontext=u:r:servicemanager:s0 tclass=binder

denied { open } for pid=763 comm="netmgrd"
path="/sys/devices/soc0/soc_id" dev="sysfs" ino=50839
scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file

denied { read } for pid=763 comm="netmgrd" name="soc_id" dev="sysfs"
ino=50839 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=file

denied { open } for pid=763 comm="netmgrd"
path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16197
scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir

denied { read } for pid=763 comm="netmgrd" name="devices" dev="sysfs"
ino=16197 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { search } for pid=763 comm="netmgrd" name="msm_subsys"
dev="sysfs" ino=16195 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { create } for pid=672 comm="rmt_storage"
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0 tclass=socket

denied { setuid } for pid=672 comm="rmt_storage" capability=7
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability

denied { net_bind_service } for pid=672 comm="rmt_storage" capability=10
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability

denied { setpcap } for pid=672 comm="rmt_storage" capability=8
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability

denied { open } for pid=672 comm="rmt_storage"
path="/sys/kernel/debug/rmt_storage/rmts" dev="debugfs" ino=19673
scontext=u:r:rmt_storage:s0 tcontext=u:object_r:debugfs:s0 tclass=file

denied { write } for pid=672 comm="rmt_storage" name="rmts"
dev="debugfs" ino=19673 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:debugfs:s0 tclass=file

denied { open } for pid=672 comm="rmt_storage" path="/dev/block/sdd15"
dev="tmpfs" ino=22639 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:sdd_block_device:s0 tclass=blk_file

denied { read write } for pid=672 comm="rmt_storage" name="sdd15"
dev="tmpfs" ino=22639 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:sdd_block_device:s0 tclass=blk_file

denied { read } for pid=672 comm="rmt_storage" name="uio0" dev="sysfs"
ino=38371 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_uio:s0
tclass=lnk_file

denied { ioctl } for pid=671 comm="irsc_util" path="socket:[1213]"
dev="sockfs" ino=1213 ioctlcmd=c305 scontext=u:r:irsc_util:s0
tcontext=u:r:irsc_util:s0 tclass=socket

denied { create } for pid=671 comm="irsc_util" scontext=u:r:irsc_util:s0
tcontext=u:r:irsc_util:s0 tclass=socket

denied { open } for pid=672 comm="rmt_storage" path="/dev/block/sdf3"
dev="tmpfs" ino=22678 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file

denied { read write } for pid=672 comm="rmt_storage" name="sdf3"
dev="tmpfs" ino=22678 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file

Test: The above denials are no longer present
Bug: 34784662
Change-Id: I79caf3bef228a1fd84f0f58d4274c2f6a668d203
2017-03-02 00:15:13 +00:00
Max Bires
4213a37bf1 Added allows to handle following bootup denials
denials:
avc: denied { read write } for pid=1673 comm="android.hardwar"
name="qseecom" dev="tmpfs" ino=23078
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:tee_device:s0

denied { ioctl } for pid=769 comm="qti" path="socket:[19255]"
dev="sockfs" ino=19255 ioctlcmd=c302 scontext=u:r:qti:s0
tcontext=u:r:qti:s0 tclass=socket

denied { create } for pid=769 comm="qti" scontext=u:r:qti:s0
tcontext=u:r:qti:s0 tclass=socket

denied { create } for pid=767 comm="netmgrd"
name="netmgr_connect_socket" scontext=u:r:netmgrd:s0
tcontext=u:object_r:netmgrd_socket:s0 tclass=sock_file

denied { setattr } for pid=767 comm="netmgrd"
name="netmgr_connect_socket" dev="tmpfs" ino=22393
scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=sock_file

denied { read } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { write } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { bind } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { create } for pid=767 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_socket

denied { getattr } for pid=823 comm="netmgrd"
path="/sys/devices/virtual/net/rmnet_data0/queues/rx-0/rps_cpus"
dev="sysfs" ino=56682 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_net:s0 tclass=file

denied { getattr } for pid=823 comm="netmgrd"
path="/proc/sys/net/ipv6/conf/rmnet_data0/accept_ra" dev="proc"
ino=27240 scontext=u:r:netmgrd:s0 tcontext=u:object_r:proc_net:s0
tclass=file

denied { net_raw } for pid=1197 comm="iptables" capability=13
scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=21783 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=file

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=17707 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_rmtfs:s0
tclass=file

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=50864 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=file

denied  { write } for  pid=547 comm="ueventd" name="uevent" dev="sysfs"
ino=38138 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_net:s0
tclass=file

denied  { create } for  pid=1 comm="init" name="sdcard"
scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file

denied { read } for pid=1571 comm="android.hardwar"
name="soc:fp_fpc1020" dev="sysfs" ino=21863
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=dir

denied { open } for pid=1571 comm="android.hardwar"
path="/sys/devices/soc/soc:fp_fpc1020" dev="sysfs" ino=21863
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=dir

denied { search } for pid=1571 comm="android.hardwar"
name="soc:fp_fpc1020" dev="sysfs" ino=21863
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:sysfs_fingerprint:s0 tclass=dir

denied { set } for property=persist.net.doxlat pid=749 uid=1001 gid=3003
scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0
tclass=property_service

denied { set } for property=sys.listeners.registered pid=612 uid=1000
gid=1000 scontext=u:r:tee:s0 tcontext=u:object_r:system_prop:s0
tclass=property_service

denied { set } for property=sys.keymaster.loaded pid=609 uid=1000
gid=1000 scontext=u:r:tee:s0 tcontext=u:object_r:system_prop:s0
tclass=property_service

Bug: 34784662
Test: The above denials are no longer present
Change-Id: I52434abc526f8458479cf4acd0ff967277887f49
2017-02-28 12:33:20 -08:00
Shawn Yang
ab296f2969 Enable SSRestartDetector in Muskie
BUG=35138780

Change-Id: I0712462afa800880efbd4d646cd6d3f713318772
2017-02-27 15:54:51 -08:00
Max Bires
f955e7dfc6 Adding allows and file contexts for multiple domains.
Adding items to address following list of denials:
denied { read } for pid=1875 comm="qti" scontext=u:r:qti:s0
tcontext=u:r:qti:s0 tclass=socket

denied { create } for pid=734 comm="qti" scontext=u:r:qti:s0
tcontext=u:r:qti:s0 tclass=socket

denied { ioctl } for pid=734 comm="qti" path="socket:[33993]"
dev="sockfs" ino=33993 ioctlcmd=c304 scontext=u:r:qti:s0
tcontext=u:r:qti:s0 tclass=socket

denied { read } for pid=876 comm="cnss-daemon"
scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0
tclass=socket

denied { write } for pid=981 comm="cnss-daemon"
scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0
tclass=socket

denied { create } for pid=981 comm="cnss-daemon"
scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0
tclass=socket

denied { read } for pid=755 comm="cnss-daemon"
scontext=u:r:wcnss_service:s0 tcontext=u:r:wcnss_service:s0
tclass=netlink_socket

denied { ioctl } for pid=982 comm="cnss-daemon" path="socket:[23695]"
dev="sockfs" ino=23695 ioctlcmd=c302 scontext=u:r:wcnss_service:s0
tcontext=u:r:wcnss_service:s0 tclass=socket

denied { read } for pid=853 comm="time_daemon"
scontext=u:r:time_daemon:s0 tcontext=u:r:time_daemon:s0 tclass=socket

denied { write } for pid=840 comm="time_daemon"
scontext=u:r:time_daemon:s0 tcontext=u:r:time_daemon:s0 tclass=socket

denied { create } for pid=840 comm="time_daemon"
scontext=u:r:time_daemon:s0 tcontext=u:r:time_daemon:s0 tclass=socket

denied { ioctl } for pid=840 comm="time_daemon" path="socket:[22165]"
dev="sockfs" ino=22165 ioctlcmd=c302 scontext=u:r:time_daemon:s0
tcontext=u:r:time_daemon:s0 tclass=socket

denied { open read } for pid=754 comm="time_daemon" path="/dev/rtc0"
dev="tmpfs" ino=10130 scontext=u:r:time_daemon:s0
tcontext=u:object_r:rtc_device:s0 tclass=chr_file

denied { ioctl } for pid=754 comm="time_daemon" path="/dev/rtc0"
dev="tmpfs" ino=10130 ioctlcmd=7009 scontext=u:r:time_daemon:s0
tcontext=u:object_r:rtc_device:s0 tclass=chr_file

denied { setuid setgid } for pid=754 comm="time_daemon" capability=7
scontext=u:r:time_daemon:s0 tcontext=u:r:time_daemon:s0
tclass=capability

denied { ioctl } for pid=914 comm="rild" path="socket:[23070]"
dev="sockfs" ino=23070 ioctlcmd=c302 scontext=u:r:rild:s0
tcontext=u:r:rild:s0 tclass=socket

denied { call } for pid=914 comm="rild" scontext=u:r:rild:s0
tcontext=u:r:per_mgr:s0 tclass=binder

denied { write } for pid=1220 comm="lowi-server" name="location-mq-s"
dev="sda41" ino=212664 scontext=u:r:location:s0
tcontext=u:object_r:system_data_file:s0 tclass=sock_file

denied { execute_no_trans } for pid=1220 comm="loc_launcher"
path="/vendor/bin/lowi-server" dev="sda19" ino=37
scontext=u:r:location:s0 tcontext=u:object_r:location_exec:s0 tclass=file

denied { open read write } for pid=930 comm="android.hardwar" name="irq"
dev="sysfs" ino=36996 scontext=u:r:hal_fingerprint_default:s1
tcontext=u:object_r:sysfs:s0 tclass=file

denied { open } for pid=758 comm="android.hardwar" path="/dev/qseecom"
dev="tmpfs" ino=21107 scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:tee_device:s0 tclass=chr_file

denied { read write } for pid=758 comm="android.hardwar" name="qseecom"
dev="tmpfs" ino=21107 scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:tee_device:s0 tclass=chr_file

Bug: 34784662
Test: The above denials are no longer present on bootup
Change-Id: Iac2e0e0b631769b33f2642c7fe97acb7510704cb
2017-02-22 10:32:16 -08:00
Max Bires
7c9cbbca18 Adding netmgrd allows and supporting file contexts.
Added allows to handle following denials:
denied { write } for pid=751 comm="netmgrd" name="netmgr" dev="tmpfs"
ino=20778 scontext=u:r:netmgrd:s0 tcontext=u:object_r:socket_device:s0
tclass=dir

denied { add_name } for pid=751 comm="netmgrd"
name="netmgr_connect_socket" scontext=u:r:netmgrd:s0
tcontext=u:object_r:socket_device:s0 tclass=dir

denied { write } for pid=2035 comm="ndc" name="netd" dev="tmpfs"
ino=23587 scontext=u:r:netmgrd:s0 tcontext=u:object_r:netd_socket:s0
tclass=sock_file

denied { net_admin } for pid=783 comm="netmgrd" capability=12
scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability

denied { connectto } for pid=751 comm="netmgrd"
path="/dev/socket/property_service" scontext=u:r:netmgrd:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket

denied { write } for pid=751 comm="netmgrd" name="property_service"
dev="tmpfs" ino=19824 scontext=u:r:netmgrd:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file

denied { setuid } for pid=729 comm="netmgrd" capability=7
scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability

denied { getattr } for pid=787 comm="netmgrd"
path="/sys/devices/virtual/net/rmnet_data3/queues/rx-0/rps_cpus"
dev="sysfs" ino=53667 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { write } for pid=787 comm="netmgrd" name="disable_ipv6"
dev="proc" ino=25831 scontext=u:r:netmgrd:s0
tcontext=u:object_r:proc_net:s0 tclass=file

denied { write } for pid=807 comm="netmgrd" name="rps_cpus" dev="sysfs"
ino=54507 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_net:s0
tclass=file

denied { search } for pid=807 comm="netmgrd" name="net" dev="sysfs"
ino=27043 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_net:s0
tclass=dir

denied { getattr } for pid=776 comm="netmgrd"
path="/sys/devices/virtual/net/rmnet_data3/queues/rx-0/rps_cpus"
dev="sysfs" ino=54432 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_net:s0 tclass=file

denied { execute_no_trans } for pid=1107 comm="netmgrd"
path="/system/bin/iptables" dev="sda20" ino=345 scontext=u:r:netmgrd:s0
tcontext=u:object_r:system_file:s0 tclass=file

denied { read } for pid=788 comm="netmgrd" name="net" dev="sda41"
ino=212584 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0
tclass=dir

denied { getattr } for pid=788 comm="netmgrd"
path="/data/misc/netmgr/log.txt" dev="sda41" ino=212657
scontext=u:r:netmgrd:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

denied { read write open } for pid=729 comm="netmgrd"
path="/data/misc/netmgr/log.txt" dev="sda41" ino=212657
scontext=u:r:netmgrd:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

denied { add_name } for pid=729 comm="netmgrd" name="log.txt"
scontext=u:r:netmgrd:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir

denied { write } for pid=729 comm="netmgrd" name="netmgr" dev="sda41"
ino=212635 scontext=u:r:netmgrd:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir

Bug: 34784662
Test: The above denials are no longer present
Change-Id: Ifb22e8ab9af725b7d5b884b10d2e525c248500f8
2017-02-21 00:29:59 -08:00
Max Bires
4dde676755 Merge "Adding ueventd and rmt_storage allows and file_context" 2017-02-21 08:14:27 +00:00
Max Bires
dea136c7e7 Adding ueventd and rmt_storage allows and file_context
Added to address following bootup denials:
denied { append } for pid=633 comm="rmt_storage" name="wake_lock"
dev="sysfs" ino=15356 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file

denied { setgid } for pid=633 comm="rmt_storage" capability=6
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability

denied { open } for pid=633 comm="rmt_storage" path="/dev/kmsg"
dev="tmpfs" ino=10129 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:kmsg_device:s0 tclass=chr_file

denied { write } for pid=633 comm="rmt_storage" name="kmsg" dev="tmpfs"
ino=10129 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:kmsg_device:s0
tclass=chr_file

denied  { write } for  pid=533 comm="ueventd" name="uevent" dev="sysfs"
ino=19078 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_camera:s0
tclass=file

denied  { write } for  pid=533 comm="ueventd" name="uevent" dev="sysfs"
ino=44296 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_leds:s0
tclass=file

denied { read write } for pid=617 comm="rmt_storage" name="uio0"
dev="tmpfs" ino=22582 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:uio_device:s0 tclass=chr_file

denied { open } for pid=617 comm="rmt_storage"
path="/sys/devices/soc/0.qcom,rmtfs_sharedmem/uio/uio0/name" dev="sysfs"
ino=37777 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { getattr } for pid=617 comm="rmt_storage"
path="/sys/devices/soc/0.qcom,rmtfs_sharedmem/uio/uio0/name" dev="sysfs"
ino=37777 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { read } for pid=617 comm="rmt_storage" name="name" dev="sysfs"
ino=37777 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { open } for pid=617 comm="rmt_storage" path="/sys/class/uio"
dev="sysfs" ino=37755 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:sysfs:s0 tclass=dir

denied { read } for pid=617 comm="rmt_storage" name="uio" dev="sysfs"
ino=37755 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs:s0
tclass=dir

denied { open } for pid=640 comm="rmt_storage"
path="/sys/devices/soc/0.qcom,rmtfs_sharedmem/uio/uio0/name" dev="sysfs"
ino=37777 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_rmtfs:s0
tclass=file

denied { read } for pid=640 comm="rmt_storage" name="name" dev="sysfs"
ino=37777 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_rmtfs:s0
tclass=file

Bug: 34784662
Test: The above denials are no longer present on bootup
Change-Id: Iba358af7bcf5e7361467e071a3feabf184d4c921
2017-02-16 10:35:13 -08:00
TreeHugger Robot
0bc8b504af Merge "Added file_contexts for more sysfs_camera files." 2017-02-16 18:12:27 +00:00
Max Bires
57c2f7e538 Merge "Adding allows for audioserver.te" 2017-02-16 17:11:04 +00:00
Max Bires
f34b903cf8 Added file_contexts for more sysfs_camera files.
These should finish up the camera denials during boot:
denied { read } for pid=760 comm="cameraserver" name="name" dev="sysfs"
ino=42189 scontext=u:r:cameraserver:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { open } for pid=757 comm="cameraserver"
path="/sys/devices/soc/caa4000.qcom,fd/video4linux/video2/name"
dev="sysfs" ino=42231 scontext=u:r:cameraserver:s0
tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 34784662
Test: The above denials no longer appear during boot
Change-Id: I1ecf20215be36c2d34663cfa329988cf40422ae1
2017-02-16 09:09:50 -08:00
Max Bires
0bbdcc41f5 Added allows for rfs_access.te
More selinux boot denials of the following type and allows added
accordingly:

avc: denied { getattr } for pid=614 comm="tftp_server"
path="/persist/rfs" dev="sdd3" ino=19 scontext=u:r:rfs_access:s0
tcontext=u:object_r:persist_file:s0 tclass=dir

avc: denied { setattr } for pid=614 comm="tftp_server" name="rfs"
dev="sdd3" ino=19 scontext=u:r:rfs_access:s0
tcontext=u:object_r:persist_file:s0 tclass=dir

denied { remove_name } for pid=2675 comm="tftp_server"
name="mcfg.tmp.rfs_tmp" dev="sdd3" ino=35 scontext=u:r:rfs_access:s0
tcontext=u:object_r:persist_file:s0 tclass=dir

denied { add_name } for pid=2675 comm="tftp_server"
name="mcfg.tmp.rfs_tmp" scontext=u:r:rfs_access:s0
tcontext=u:object_r:persist_file:s0 tclass=dir

denied { write } for pid=2675 comm="tftp_server" name="mpss" dev="sdd3"
ino=22 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=dir

denied { block_suspend } for pid=641 comm="tftp_server" capability=36
scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability2

denied { getattr } for pid=1170 comm="tftp_server"
path="/persist/rfs/msm/mpss/server_check.txt" dev="sdd3" ino=35
scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=file

denied { open } for pid=1170 comm="tftp_server"
path="/persist/rfs/msm/mpss/server_check.txt" dev="sdd3" ino=35
scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=file

denied { read } for pid=1170 comm="tftp_server" name="server_check.txt"
dev="sdd3" ino=35 scontext=u:r:rfs_access:s0
tcontext=u:object_r:persist_file:s0 tclass=file

denied { search } for pid=1170 comm="tftp_server" name="/" dev="sdd3"
ino=2 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=dir

denied { connect } for pid=1170 comm="tftp_server"
scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=socket

denied { create } for pid=1170 comm="tftp_server"
scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=socket

denied { read } for pid=641 comm="tftp_server"
scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=socket

denied { rename } for pid=2050 comm="tftp_server"
name="mcfg.tmp.rfs_tmp" dev="sdd3" ino=39 scontext=u:r:rfs_access:s0
tcontext=u:object_r:persist_file:s0 tclass=file

denied { write } for pid=2050 comm="tftp_server"
path="/persist/rfs/msm/mpss/mcfg.tmp.rfs_tmp" dev="sdd3" ino=39
scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=file

denied { unlink } for pid=2050 comm="tftp_server"
path="/persist/rfs/msm/mpss/mcfg.tmp.rfs_tmp" dev="sdd3" ino=39
scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=file

Bug: 34784662
Test: The above denials are not found in bootup logs
Change-Id: I9a52589e0a3de99cb26660f2e4e60d2a61d1632c
2017-02-15 19:02:50 -08:00
Max Bires
998fa7f5c8 Adding allows for audioserver.te
Address following denials:
denied { read } for pid=746 comm="audioserver" name="hw_platform"
dev="sysfs" ino=50308 scontext=u:r:audioserver:s0
tcontext=u:object_r:sysfs_soc:s0 tclass=file

denied { search } for pid=757 comm="audioserver" name="soc0" dev="sysfs"
ino=50280 scontext=u:r:audioserver:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir

Bug: 34784662
Test: The above denials are no longer present during boot
Change-Id: I8448bdb5fdf692fda342c11500c0bc45419ae6e9
2017-02-15 18:14:27 -08:00
TreeHugger Robot
b48a769451 Merge "lights hal: fully binderized" 2017-02-15 23:45:51 +00:00
Max Bires
5e84c2774f Adding init_power allows and supporting file_context/file.te changes.
Adding allows to address the following list of bootup denials:

denied { search } for pid=629 comm="init.power.sh" name="msm_thermal"
dev="sysfs" ino=24282 scontext=u:r:init_power:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir

denied { open } for pid=630 comm="cat" path="/sys/devices/soc0/revision"
dev="sysfs" ino=50285 scontext=u:r:init_power:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { read } for pid=630 comm="cat" name="revision" dev="sysfs"
ino=50285 scontext=u:r:init_power:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { execute_no_trans } for pid=630 comm="init.power.sh"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:init_power:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { read open } for pid=630 comm="init.power.sh"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:init_power:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { execute } for pid=630 comm="init.power.sh" name="toybox"
dev="sda20" ino=509 scontext=u:r:init_power:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { getattr } for pid=630 comm="init.power.sh"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:init_power:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { read } for pid=629 comm="init.power.sh" path="/system/bin/sh"
dev="sda20" ino=469 scontext=u:r:init_power:s0
tcontext=u:object_r:shell_exec:s0 tclass=file

denied { getattr } for pid=629 comm="init.power.sh"
path="/system/bin/sh" dev="sda20" ino=469 scontext=u:r:init_power:s0
tcontext=u:object_r:shell_exec:s0 tclass=file

denied { write } for pid=629 comm="init.power.sh" name="online"
dev="sysfs" ino=15416 scontext=u:r:init_power:s0
tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file

denied { open } for pid=629 comm="init.power.sh"
path="/sys/module/msm_thermal/core_control/enabled" dev="sysfs"
ino=50644 scontext=u:r:init_power:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file

denied { write } for pid=629 comm="init.power.sh" name="enabled"
dev="sysfs" ino=50644 scontext=u:r:init_power:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file

denied { search } for pid=630 comm="cat" name="soc0" dev="sysfs"
ino=50280 scontext=u:r:init_power:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir

Bug: 34784662
Test: The above denials no longer appear during bootup
Change-Id: I38c7d115e8afe66a5eaa1e9b3a70acebbb806010
2017-02-15 13:12:50 -08:00
TreeHugger Robot
e64551091e Merge "Added audioserver.te and some allow rules and perfd_socket type" 2017-02-15 19:02:56 +00:00
TreeHugger Robot
288ec289c5 Merge "Adding init allows and supporting file_context." 2017-02-15 18:39:16 +00:00
Max Bires
0c479addf2 Added audioserver.te and some allow rules and perfd_socket type
Added allow rules for the following denials:
denied { call } for pid=2460 comm="AudioOut_D"
scontext=u:r:audioserver:s0 tcontext=u:r:bootanim:s0 tclass=binder

denied { write } for pid=1464 comm="writer" name="perfd" dev="tmpfs"
ino=11825 scontext=u:r:audioserver:s0
tcontext=u:object_r:socket_device:s0 tclass=sock_file

Bug: 34784662
Test: The above denials are no longer seen in the selinux logs
Change-Id: I4dc7c054d14e8a06d42167194cf211e0822bb3a9
2017-02-15 09:02:32 -08:00
TreeHugger Robot
cf6a9b54e8 Merge "Added init_radio allows and corresponding file_context changes." 2017-02-15 16:58:29 +00:00
Max Bires
566afc1cac Adding init allows and supporting file_context.
Adding allows to address the following boot denials:
denied { open } for pid=1 comm="init" path="/dev/ttyMSM0" dev="tmpfs"
ino=20828 scontext=u:r:init:s0 tcontext=u:object_r:device:s0
tclass=chr_file

denied { read write } for pid=1 comm="init" name="ttyMSM0" dev="tmpfs"
ino=20828 scontext=u:r:init:s0 tcontext=u:object_r:device:s0
tclass=chr_file

denied { write } for pid=1 comm="init" name="b_vendor_code"
dev="configfs" ino=21093 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=file

Bug: 34784662
Test: The above denials are not present during boot
Change-Id: I5cc2daecf5b2a54d21ae17f6d88ffc174b5b8a12
2017-02-15 08:53:37 -08:00
Max Bires
9f8096c41e Merge "Adding sysfs_thermal write file permissions to ueventd.te" 2017-02-15 16:38:50 +00:00
Max Bires
9da5ddb04a Merge "Added sysfs_camera file type and cameraserver allow rules." 2017-02-15 16:38:30 +00:00
Max Bires
fe1569e713 Merge "Adding search dir permission to system_server." 2017-02-15 16:38:18 +00:00
Max Bires
bdd4bfe746 Merge "Adding self socket allow rule for sensors.te" 2017-02-15 16:38:02 +00:00
Max Bires
7e1e794bdf Adding search dir permission to system_server.
Added allow rule to address the following bootup denial:
denied { search } for pid=3491 comm="system-server-i" name="sensors"
dev="sdd3" ino=16 scontext=u:r:system_server:s0
tcontext=u:object_r:persist_sensors_file:s0 tclass=dir

Bug: 34784662
Test: Above denial no longer appears in denial logs
Change-Id: Id2a42d3dff150cd7e6f1120902d4d41f0e34e626
2017-02-14 18:00:32 -08:00
Max Bires
c4bbe07c7a Added sysfs_camera file type and cameraserver allow rules.
Added allow rules to address the following denials:
denied { open } for pid=754 comm="cameraserver"
path="/sys/devices/soc/8c0000.qcom,msm-cam/video4linux/video0/name"
dev="sysfs" ino=41699 scontext=u:r:cameraserver:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { read } for pid=754 comm="cameraserver" name="name" dev="sysfs"
ino=41699 scontext=u:r:cameraserver:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { search } for pid=757 comm="cameraserver"
name="8c0000.qcom,msm-cam" dev="sysfs" ino=19077
scontext=u:r:cameraserver:s0 tcontext=u:object_r:sysfs_camera:s0
tclass=dir

Bug: 34784662
Test: The above denials are no longer present during bootup
Change-Id: I967ee7c4147eb3328fcbcf524eb6c4759f70c59b
2017-02-14 17:51:11 -08:00
Max Bires
0c2c343024 Adding sysfs_thermal write file permissions to ueventd.te
This addresses the following bootup denial:
denied  { write } for  pid=529 comm="ueventd" name="uevent" dev="sysfs"
ino=43198 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_thermal:s0
tclass=file

Bug: 34784662
Test: The above denial is no longer shown during bootup
Change-Id: I6eaa291e3338ba177dd73263823dec41a850514c
2017-02-14 17:25:13 -08:00
Max Bires
b49931036c Adding self socket allow rule for sensors.te
Adding rule to address the following denials:
denied { write } for pid=666 comm="sensors.qcom" scontext=u:r:sensors:s0
tcontext=u:r:sensors:s0 tclass=socket

denied { read } for pid=666 comm="sensors.qcom" scontext=u:r:sensors:s0
tcontext=u:r:sensors:s0 tclass=socket

Bug: 34784662
Test: The above denials no longer appear during boot
Change-Id: Icdc585ac80a30ce193708a43409e061e92b9028f
2017-02-14 17:19:36 -08:00
Max Bires
77ab10b75c Added init_radio allows and corresponding file_context changes.
Added allows and changed file_contexts to cover the following denials:

denied { execute_no_trans } for pid=879 comm="init.radio.sh"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:init_radio:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { getattr } for pid=879 comm="cp" path="/system/bin/toybox"
dev="sda20" ino=509 scontext=u:r:init_radio:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { read open } for pid=879 comm="init.radio.sh"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:init_radio:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { execute } for pid=790 comm="init.radio.sh" name="toybox"
dev="sda20" ino=509 scontext=u:r:init_radio:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { setattr } for pid=876 comm="chmod" name="modem_config"
dev="sda41" ino=212662 scontext=u:r:init_radio:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir

denied { create } for pid=875 comm="mkdir" name="modem_config"
scontext=u:r:init_radio:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir

denied { add_name } for pid=875 comm="mkdir" name="modem_config"
scontext=u:r:init_radio:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir

denied { write } for pid=875 comm="mkdir" name="radio" dev="sda41"
ino=212585 scontext=u:r:init_radio:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir

denied { create } for pid=778 comm="cp" name="qcril.db"
scontext=u:r:init_radio:s0 tcontext=u:object_r:radio_data_file:s0
tclass=file

denied { read write open } for pid=778 comm="cp"
path="/data/misc/radio/qcril.db" dev="sda41" ino=212661
scontext=u:r:init_radio:s0 tcontext=u:object_r:radio_data_file:s0
tclass=file

Bug: 34784662
Test: The above denials are no longer present on bootup
Change-Id: If6830fb7d0ba432916884c660e72094a4cced467
2017-02-14 15:53:23 -08:00
Steven Moreland
5e9b3914a7 lights hal: fully binderized
Muskie device will have all hals binderized.

Bug: 32022100
Bug: 35356977
Test: led lights work
Change-Id: I4a1a7b54af5b7d92b4ed167bcf9d517fbff70111
2017-02-14 14:44:30 -08:00
Max Bires
d1c7c88427 Adding rild.te and associated allows for bootup denials
Allows address the following denials:
denied { add_name } for pid=1407 comm="rild" name="rild_ims0"
scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir

denied { write } for pid=1445 comm="rild" name="netmgr_connect_socket"
dev="tmpfs" ino=25017
scontext=u:r:rild:s0 tcontext=u:object_r:socket_device:s0
tclass=sock_file

denied { connectto } for pid=1445 comm="rild"
path="/dev/socket/netmgr/netmgr_connect_socket" scontext=u:r:rild:s0
tcontext=u:r:netmgrd:s0 tclass=unix_stream_socket

denied { create } for pid=1406 comm="rild" name="rild_ims0"
scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0
tclass=sock_file

denied { write } for pid=1406 comm="rild" name="qmux_radio"
dev="tmpfs" ino=21385 scontext=u:r:rild:s0
tcontext=u:object_r:qmuxd_socket:s0 tclass=dir

denied { create } for pid=1367 comm="rild" name="rild_ims0"
scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0
tclass=sock_file

Bug: 34784662
Test: The above denials are no longer present
Change-Id: I72766073640c620cc74a02f3578d5fda2d0133ab
2017-02-14 13:36:12 -08:00
TreeHugger Robot
b814cceb3e Merge "Added some allows to netmgrd.te" 2017-02-10 23:55:42 +00:00
TreeHugger Robot
33c25b5ff9 Merge "Adding cameraserver.te and appropriate camera_prop" 2017-02-10 23:29:19 +00:00
TreeHugger Robot
559b0b3dff Merge "Added sdd_block_device so tee could access what was a generic blk_file" 2017-02-10 22:52:47 +00:00
Max Bires
f432d5d39b Added some allows to netmgrd.te
Added allows to address the following denials. More to follow.

denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27886]"
dev="sockfs" ino=27886 ioctlcmd=8946 scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=udp_socket

denied { ioctl } for pid=1295 comm="ifconfig" path="socket:[27883]"
dev="sockfs" ino=27883 ioctlcmd=8914 scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=udp_socket

denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27292]"
dev="sockfs" ino=27292 ioctlcmd=89f8 scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=udp_socket

denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27290]"
dev="sockfs" ino=27290 ioctlcmd=89f2 scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=udp_socket

denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27868]"
dev="sockfs" ino=27868 ioctlcmd=89fd scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=udp_socket

denied { getattr } for pid=1295 comm="ifconfig"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:netmgrd:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { execute_no_trans } for pid=1295 comm="netmgrd"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:netmgrd:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { read open } for pid=1295 comm="netmgrd"
path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:netmgrd:s0
tcontext=u:object_r:toolbox_exec:s0 tclass=file

denied { execute } for pid=1295 comm="netmgrd" name="toybox" dev="sda20"
ino=509 scontext=u:r:netmgrd:s0 tcontext=u:object_r:toolbox_exec:s0
tclass=file

denied { read } for pid=1293 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=socket

denied { write } for pid=747 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=socket

denied { create } for pid=747 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=socket

Bug: 34784662
Test: The above denials are no longer present during boot
Change-Id: I7b32552f96f2ee1cb79d8e4415823992d2d957da
2017-02-10 14:40:13 -08:00
Max Bires
19d80ab29a Adding cameraserver.te and appropriate camera_prop
Clearing up all the following denials for cameraserver during boot:

denied { ioctl } for pid=732 comm="cameraserver" path="/dev/kgsl-3d0"
dev="tmpfs" ino=20140 ioctlcmd=945 scontext=u:r:cameraserver:s0
tcontext=u:object_r:gpu_device:s0 tclass=chr_file

denied { read write } for pid=732 comm="cameraserver"
path="/dev/kgsl-3d0" dev="tmpfs" ino=20140 scontext=u:r:cameraserver:s0
tcontext=u:object_r:gpu_device:s0 tclass=chr_file

denied { open } for pid=732 comm="cameraserver" path="/dev/kgsl-3d0"
dev="tmpfs" ino=20140 scontext=u:r:cameraserver:s0
tcontext=u:object_r:gpu_device:s0 tclass=chr_file

denied { write } for pid=732 comm="cameraserver" name="property_service"
dev="tmpfs" ino=20580 scontext=u:r:cameraserver:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file

denied { connectto } for pid=732 comm="cameraserver"
path="/dev/socket/property_service" scontext=u:r:cameraserver:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket

denied { set } for property=persist.camera.debug.logfile pid=753
uid=1047 gid=1005 scontext=u:r:cameraserver:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service

Bug: 34784662
Test: The above denials are no longer present during bootup
Change-Id: I50945ad3fcea74554c767c867e603f80e18f115e
2017-02-10 14:09:20 -08:00
TreeHugger Robot
b1cede296a Merge "Added thermal engine allow rule and defined sysfs_thermal files" 2017-02-10 22:08:43 +00:00
Max Bires
6b49f17b55 Added sdd_block_device so tee could access what was a generic blk_file
tee was attempting to access an sdd device as per the following denial,
but access to generic block devices can't be granted due to a neverallow
rule. The device was granted its own type and tee was granted the
appropriate allow rules.

avc: denied { getattr read write } for pid=790 comm="qseecomd"
name="sdd2" dev="tmpfs" ino=18294 scontext=u:r:tee:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file

Bug: 34784662
Test: The above denials are no longer present
Change-Id: Idebb7c7aa5c2001f643f4d617eaa3ee8cab8ad28
2017-02-10 13:33:11 -08:00
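The denials quoted in these commits were turned into allow rules by hand. As an added example (not code from this repository or its author), the Python script below parses pasted AVC denial text in exactly this wrapped, blank-line-separated form into aggregated candidate allow rules, scopes ioctl denials to the observed command number, and flags the generic block_device case that the commit above explains cannot be granted directly because of a neverallow. The sample lines are taken from denials quoted on this page; the neverallow target set and the allowxperm rendering are illustrative assumptions.

```python
"""Aggregate pasted Android SELinux AVC denials into candidate allow rules.

Added example, not part of the device sepolicy; it mirrors by hand what
audit2allow does, plus two checks a policy author wants before committing.
"""
import re
from collections import defaultdict

# Contexts are matched explicitly (u:<role>:<type>:s0) so a missing space in a
# pasted line, e.g. "s0tcontext=", cannot swallow the next field.
DENIAL_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>u:\w+:[\w.-]+:s0)\s*"
    r"tcontext=(?P<tgt>u:\w+:[\w.-]+:s0)\s*"
    r"tclass=(?P<tclass>\w+)"
)
IOCTL_RE = re.compile(r"ioctlcmd=(?P<cmd>[0-9a-fA-F]+)")
# Assumption taken from the commit text: generic block devices are covered by a
# neverallow, so a denial against this type needs a dedicated type instead.
NEVERALLOW_TARGETS = {"block_device"}

# Constructed sample: denials copied from this log, wrapped as they were pasted.
SAMPLE = """\
denied { write } for pid=747 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=socket

denied { create } for pid=747 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=socket

denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27886]"
dev="sockfs" ino=27886 ioctlcmd=8946 scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=udp_socket

avc: denied { getattr read write } for pid=790 comm="qseecomd"
name="sdd2" dev="tmpfs" ino=18294 scontext=u:r:tee:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file
"""

def denial_records(text):
    """One logical denial per blank-line-separated block, re-joined onto one line."""
    return [" ".join(b.split()) for b in re.split(r"\n\s*\n", text) if "denied" in b]

def parse_denial(record):
    """Return (perms, src_type, tgt_type, tclass, ioctlcmd or None), or None if not a denial."""
    m = DENIAL_RE.search(record)
    if not m:
        return None
    io = IOCTL_RE.search(record)
    return (frozenset(m["perms"].split()), m["src"].split(":")[2],
            m["tgt"].split(":")[2], m["tclass"], io["cmd"] if io else None)

def aggregate(text):
    """Merge denials into {(src, tgt, tclass): [perms, ioctl cmds]}; same-domain targets become self."""
    rules = defaultdict(lambda: [set(), set()])
    for rec in denial_records(text):
        parsed = parse_denial(rec)
        if parsed is None:
            continue
        perms, src, tgt, tclass, cmd = parsed
        entry = rules[(src, "self" if tgt == src else tgt, tclass)]
        entry[0] |= perms
        if cmd:
            entry[1].add(cmd)
    return rules

def render(rules):
    """Emit .te-style lines; ioctl is scoped to the seen command numbers via allowxperm."""
    out = []
    for (src, tgt, tclass), (perms, cmds) in sorted(rules.items()):
        line = f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if tgt in NEVERALLOW_TARGETS:
            line = "# needs a dedicated type (neverallow on generic target): " + line
        out.append(line)
        if cmds:
            out.append(f"allowxperm {src} {tgt}:{tclass} ioctl {{ {' '.join('0x' + c for c in sorted(cmds))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(render(aggregate(SAMPLE))))
```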
TreeHugger Robot
0b7c49f33a Merge "Added dontaudit to surfaceflinger for firmware file dir search" 2017-02-10 19:56:39 +00:00
TreeHugger Robot
e81ff5b975 Merge "Added location allow rules and corresponding file contexts" 2017-02-10 19:08:08 +00:00
Max Bires
a6bcc8d98b Added dontaudit to surfaceflinger for firmware file dir search
This behavior is the result of a bug detailed here:
https://buganizer.corp.google.com/issues/29072816#comment52

Bug: 34784662
Test: The surfaceflinger search denial is no longer present during
bootup

Change-Id: I6ae41e953a21b988cdf303db2b059f59dcc711a5
2017-02-10 10:44:36 -08:00
Max Bires
e242bd566e Added location allow rules and corresponding file contexts
Added allow rules to cover the following bootup denials:

denied { create } for pid=1192 comm="lowi-server"
scontext=u:r:location:s0 tcontext=u:r:location:s0
tclass=netlink_route_socket

denied { bind } for pid=1192 comm="lowi-server" scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=netlink_route_socket

denied { create } for pid=1179 comm="lowi-server"
scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=udp_socket

denied { ioctl } for pid=1179 comm="lowi-server" path="socket:[23752]"
dev="sockfs" ino=23752 ioctlcmd=8913 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=udp_sock

denied { open } for pid=1179 comm="lowi-server"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=32744 scontext=u:r:location:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { read } for pid=1179 comm="lowi-server" name="name" dev="sysfs"
ino=32744 scontext=u:r:location:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { getattr } for pid=1179 comm="lowi-server"
path="/proc/1179/net/psched" dev="proc" ino=4026532035
scontext=u:r:location:s0 tcontext=u:object_r:proc_net:s0 tclass=file

denied { setuid } for pid=1179 comm="loc_launcher" capability=7
scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=capability

denied { net_admin } for pid=1225 comm="lowi-server" capability=12
scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=capability

denied { open } for pid=1225 comm="lowi-server"
path="/proc/1225/net/psched" dev="proc" ino=4026532035
scontext=u:r:location:s0 tcontext=u:object_r:proc_net:s0 tclass=file

denied { setgid } for pid=1235 comm="loc_launcher" capability=6
scontext=u:r:location:s0 tcontext=u:r:location:s0 tclass=capability

Bug: 34784662
Test: The above denials are no longer seen during boot
Change-Id: I34438e4862622aa5fc89c668fd395c1dd4a1456a
2017-02-10 09:58:01 -08:00
Max Bires
26aecc3452 Added thermal engine allow rule and defined sysfs_thermal files
Added the allow and relevant sysfs_thermal specifications to handle the
following bootup denials:

denied { read write } for pid=795 comm="thermal-engine"
name="trip_point_1_temp" dev="sysfs" ino=43298
scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_thermal:s0
tclass=file

denied { ioctl write } for pid=761 comm="thermal-engine" path="socket:[18584]"
dev="sockfs" ino=18584 ioctlcmd=c302 scontext=u:r:thermal-engine:s0
tcontext=u:r:thermal-engine:s0 tclass=socket

denied { read } for pid=729 comm="thermal-engine" name="thermal_zone11"
dev="sysfs" ino=43236 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir

denied { search } for pid=783 comm="thermal-engine" name="thermal"
dev="sysfs" ino=42709 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir

Bug: 34784662
Test: The above denials no longer appear during boot
Change-Id: If6fd93e10a85968a16b1266d148b0303ac0e09dd
2017-02-09 23:07:08 +00:00
Max Bires
fcaa05bcab Adding system_server.te / file_contexts to handle some boot denials.
Allow rules added to address the following denials:

denied { ioctl } for pid=3488 comm="system-server-i"
path="socket:[56767]" dev="sockfs" ino=56767 ioctlcmd=c304
scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0
tclass=socket

denied { open read } for pid=3488 comm="system-server-i"
path="/persist/sensors/sensors_settings" dev="sdd3" ino=17
scontext=u:r:system_server:s0 tcontext=u:object_r:persist_file:s0
tclass=file

Bug: 34784662
Test: The above denials don't appear during bootup
Change-Id: Iadc31855906dedb0adaaaed6e483122c3e175567
2017-02-09 14:52:34 -08:00
Max Bires
83d2188a36 Merge "Adding allows to init.te and kernel.te to address boot logs." 2017-02-08 04:47:39 +00:00
Max Bires
82558694a0 Merge "Added bootanim.te to add an extra allow rule for muskie" 2017-02-08 04:46:27 +00:00
Max Bires
8aea191b9b Added bootanim.te to add an extra allow rule for muskie
Added allow rule to make binder call to hwservicemanager due to denial
on call appearing in boot logs.

avc: denied { call } for pid=682 comm="BootAnimation"
scontext=u:r:bootanim:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder

Bug: 34784662
Test: The call denials are no longer seen on bootup
Change-Id: I5a2976989c60f6d4fb92af1167bc6b545cd81e65
2017-02-07 20:41:31 -08:00