mirror of
https://github.com/Evolution-X-Devices/device_google_walleye
synced 2026-02-01 07:33:36 +00:00
Starting off by adding in allow rules for per_mgr, it was clear that
per_proxy was lumped in as a per_mgr_exec class, though looking at
marlin it was shown that the two had been separated. In keeping with
convention, per_proxy was also split out into its own class and .te
file. This policy change was motivated by the following sedenials on
per_mgr
avc: denied { read } for pid=625 comm="pm-service"
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=socket
avc: denied { transfer } for pid=654 comm="pm-proxy"
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=binder
avc: denied { read } for pid=654 comm="pm-proxy" name="name" dev="sysfs"
ino=32744 scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs:s0
tclass=file
avc: denied { read } for pid=623 comm="Binder:604_1" name="subsys_modem"
dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0
tcontext=u:object_r:ssr_device:s0 tclass=chr_file
avc: denied { open } for pid=623 comm="Binder:604_1"
path="/dev/subsys_modem" dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0
tcontext=u:object_r:ssr_device:s0 tclass=chr_file
Bug: 34784662
Test: The above denials are cleaned up in the boot logs
Change-Id: I4929c870f860c2e0fa7ea1d7412f960923fea602
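The commit message above justifies the new allow rules with raw `avc: denied` lines. The following is an added example, not code from this repository or from the Evolution-X project: a small audit2allow-style parser that turns such denial lines into candidate `allow` rules, grouping permissions by (source type, target type, class) and using `self` where source and target match. The sample input is constructed from the five denials quoted in the commit message, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the five avc denials quoted in the commit message,
# each re-joined onto a single line (the commit message wraps them).
SAMPLE_DENIALS = """\
avc: denied { read } for pid=625 comm="pm-service" scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=socket
avc: denied { transfer } for pid=654 comm="pm-proxy" scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=binder
avc: denied { read } for pid=654 comm="pm-proxy" name="name" dev="sysfs" ino=32744 scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { read } for pid=623 comm="Binder:604_1" name="subsys_modem" dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0 tcontext=u:object_r:ssr_device:s0 tclass=chr_file
avc: denied { open } for pid=623 comm="Binder:604_1" path="/dev/subsys_modem" dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0 tcontext=u:object_r:ssr_device:s0 tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict describing one avc denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # Security contexts look like u:r:per_mgr:s0 / u:object_r:sysfs:s0;
    # the third component is the type the policy rule must name.
    try:
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'source': src,
        'target': tgt,
        'tclass': tclass,
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
    }


def suggest_rules(log_text):
    """Merge all denials sharing (source, target, class) into one allow rule each.

    Uses `self` when source and target types are identical, as real policy does.
    Output is a starting point for review, not policy to apply verbatim.
    """
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = 'self' if src == tgt else tgt
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (src, target, cls, perm_str))
    return rules


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_DENIALS):
        print(rule)
```

Running it on the sample yields four rules, including `allow per_mgr ssr_device:chr_file { open read };` for the two `/dev/subsys_modem` denials. Generated rules are deliberately coarse: a reviewer would typically narrow `sysfs:file read` to a more specific sysfs label and constrain `self:socket` further with an `allowxperm ... ioctl` allowlist such as the `msm_sock_ipc_ioctls` macro defined in this repository, rather than granting the aggregated permissions as-is.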
9 lines
226 B
Plaintext
define(`msm_sock_ipc_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')