author | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-02-17 19:01:31 +0100 |
committer | Davide Garberi <dade.garberi@gmail.com> | 2018-02-19 19:54:11 +0100 |
commit | 239b60acba6a0c1884d415a3951161557d4cd543 (patch) | |
tree | d72e52ddf1e4c184bbcb57a33cf499c64dc3022a | |
parent | 4ee3647a319cd52a2aa2575f47b2b74852bba852 (diff) |
sepolicy: Address some denials
* Also move fingerprint.te to hal_fingerprint_default.te, it helps to track and apply upstream changes.
Fix hal_fingerprint_default sepolicy denials.
* avc: denied { write } for pid=1933 comm=android.hardwar name=/ dev=dm-0 ino=2 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
* avc: denied { add_name } for pid=1946 comm=android.hardwar name=fpc scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
* avc: denied { create } for pid=1981 comm=android.hardwar name=fpc scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
* avc: denied { create } for pid=1935 comm=android.hardwar name=socket scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file permissive=0
* avc: denied { setattr } for pid=1939 comm="android.hardwar" name="socket" dev="dm-0" ino=2908162 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file permissive=0
* avc: denied { read } for pid=1939 comm="android.hardwar" name="fpc" dev="dm-0" ino=2908161 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
* avc: denied { remove_name } for pid=1996 comm="android.hardwar" name="socket" dev="dm-0" ino=2908162 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
* avc: denied { unlink } for pid=1949 comm="android.hardwar" name="socket" dev="dm-0" ino=2908162 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file permissive=0
Fix rild sepolicy denials.
* avc: denied { getattr } for pid=838 comm=sh path=/system/bin/toybox dev=sde18 ino=447 scontext=u:r:rild:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
* avc: denied { execute_no_trans } for pid=838 comm=sh path=/system/vendor/bin/toybox_vendor dev=sde18 ino=2863 scontext=u:r:rild:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=0
* avc: denied { execute } for pid=831 comm=sh name=toybox dev=sde18 ino=444 scontext=u:r:rild:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
* avc: denied { read open } for pid=830 comm="sh" path="/system/bin/toybox" dev="sde18" ino=444 scontext=u:r:rild:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
* avc: denied { execute_no_trans } for pid=1162 comm="sh" path="/system/bin/toybox" dev="sde18" ino=444 scontext=u:r:rild:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
Fix adbd sepolicy denial.
* avc: denied { set } for property=ctl.mdnsd pid=5237 uid=2000 gid=2000 scontext=u:r:adbd:s0 tcontext=u:object_r:ctl_mdnsd_prop:s0 tclass=property_service permissive=0\x0a
Fix vold sepolicy denial.
* avc: denied { read } for pid=467 comm=vold name=/ dev=sda2 ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0
* avc: denied { open } for pid=473 comm="vold" path="/persist" dev="sda2" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0
* avc: denied { ioctl } for pid=466 comm="vold" path="/persist" dev="sda2" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0
Fix priv_app sepolicy denial.
* avc: denied { read } for pid=4397 comm=Binder:4397_1 name=modules dev=proc ino=4026532515 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_modules:s0 tclass=file permissive=0
* avc: denied { open } for pid=4309 comm="Binder:4309_2" path="/proc/modules" dev="proc" ino=4026532515 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_modules:s0 tclass=file permissive=0
* avc: denied { getattr } for pid=4543 comm="Binder:4543_4" path="/proc/modules" dev="proc" ino=4026532515 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_modules:s0 tclass=file permissive=0
Fix charger sepolicy denials.
I found them booting from offline charging mode.
* avc: denied { read } for pid=444 comm=charger name=/ dev=tmpfs ino=15050 scontext=u:r:charger:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
* avc: denied { open } for pid=441 comm=charger path=/dev dev=tmpfs ino=14613 scontext=u:r:charger:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
* avc: denied { dac_override } for pid=442 comm="charger" capability=1 scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=capability permissive=0
* avc: denied { dac_read_search } for pid=442 comm="charger" capability=2 scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=capability permissive=0
Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
-rw-r--r-- | sepolicy/adbd.te | 1 | ||||
-rw-r--r-- | sepolicy/charger.te | 3 | ||||
-rw-r--r-- | sepolicy/hal_fingerprint_default.te (renamed from sepolicy/fingerprint.te) | 8 | ||||
-rw-r--r-- | sepolicy/priv_app.te | 3 | ||||
-rw-r--r-- | sepolicy/rild.te | 6 | ||||
-rw-r--r-- | sepolicy/vold.te | 2 |
6 files changed, 23 insertions, 0 deletions
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644
index 0000000..01a14f2
--- /dev/null
+++ b/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd ctl_mdnsd_prop:property_service set;
diff --git a/sepolicy/charger.te b/sepolicy/charger.te
new file mode 100644
index 0000000..3b261b1
--- /dev/null
+++ b/sepolicy/charger.te
@@ -0,0 +1,3 @@
+allow charger device:dir read;
+allow charger device:dir open;
+allow charger self:capability { dac_override dac_read_search };
diff --git a/sepolicy/fingerprint.te b/sepolicy/hal_fingerprint_default.te
index 314093c..8749fe8 100644
--- a/sepolicy/fingerprint.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -9,3 +9,11 @@ allow hal_fingerprint_default sysfs_fpc_irq:file rw_file_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 allow hal_fingerprint_default firmware_file:dir { search read };
 allow hal_fingerprint_default firmware_file:file { read open };
+allow hal_fingerprint_default system_data_file:dir write;
+allow hal_fingerprint_default system_data_file:dir add_name;
+allow hal_fingerprint_default system_data_file:dir create;
+allow hal_fingerprint_default system_data_file:sock_file create;
+allow hal_fingerprint_default system_data_file:dir read;
+allow hal_fingerprint_default system_data_file:sock_file setattr;
+allow hal_fingerprint_default system_data_file:dir { open remove_name };
+allow hal_fingerprint_default system_data_file:sock_file unlink;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index cc3ead2..e65e9c0 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,3 +1,6 @@
 allow priv_app device:dir { open read };
 allow priv_app { camera_prop proc_interrupts }:file { open read };
 allow priv_app camera_prop:file getattr;
+allow priv_app proc_modules:file read;
+allow priv_app proc_modules:file open;
+allow priv_app proc_modules:file getattr;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 9ecd3d9..cb1b549 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
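Review bot: The adbd rule grants `set` on `ctl_mdnsd_prop` as a bare allow rather than through the `set_prop(adbd, ctl_mdnsd_prop)` macro that upstream policy uses for property writes; the macro also carries the property-socket connect permission a bare allow omits, so if adbd does not already hold that elsewhere the set still fails after this change. `ctl.*` properties let the setter start and stop the named service, so scoping this to `ctl_mdnsd_prop` rather than a broader control type is the right call and worth keeping when switching to the macro. Suggested line: `set_prop(adbd, ctl_mdnsd_prop)`.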
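Review bot: `allow charger self:capability { dac_override dac_read_search }` lets charger bypass DAC checks on every file it touches, and the capability denials quoted in the description (capability=1 and 2) do not name the file; such denials usually mean a node's owner/mode is wrong rather than that policy is missing, so the cleaner fix is to find the entry under /dev that charger cannot open (the `device:dir` denials point there) and correct it in ueventd.rc or init.rc, or at least drop `dac_override` if the access turns out to be read-only, where `dac_read_search` alone suffices. Style, here and in the hal_fingerprint_default, priv_app, rild and vold hunks: permissions on the same source, target and class are written one per line mirroring each denial, while the existing policy groups them (`allow priv_app device:dir { open read };` in priv_app.te); the two charger dir rules are one line, `allow charger device:dir { open read };`.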
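Review bot: The eight new rules grant the fingerprint HAL write, create, add_name and remove_name on `system_data_file:dir`, which is the generic label of the /data tree itself (the first denial in the description is against `name=/ dev=dm-0 ino=2`), so the HAL can create and delete entries under any directory carrying that label, not only its `fpc` directory and its socket. The narrower fix is to have init create the directory (`mkdir` in the device init.rc with the HAL's uid and gid), label it and the socket with a dedicated type in file_contexts (placeholder: `<fpc_data_type>`), and grant the HAL `create_dir_perms` and `create_file_perms` on that type only; upstream hal_fingerprint policy already grants a dedicated fingerprint data type in some Android versions and should be reused where present. Vendor HAL domains writing `system_data_file` is also the kind of access Treble neverallow rules target, so on a full-Treble policy this may fail the build-time check; worth confirming against the upstream version in use. If the rules stay as an interim step, they collapse to `allow hal_fingerprint_default system_data_file:dir { write add_name create read open remove_name };` and `allow hal_fingerprint_default system_data_file:sock_file { create setattr unlink };`.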
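Review bot: `proc_modules` is granted to the whole `priv_app` attribute, that is to every privileged app, while the quoted denials come from the Binder threads of what looks like a single app reading /proc/modules; the list of loaded kernel modules is information an app does not normally need and upstream has been tightening app access to /proc labels, so identify which app needs it and scope the rule to that domain, or, if the read is a non-fatal probe, prefer a `dontaudit`. If the allow stays, the three lines are one rule: `allow priv_app proc_modules:file { read open getattr };` (or `r_file_perms`, which is the upstream spelling).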
@@ -10,3 +10,9 @@ allow rild default_android_service:service_manager find;
 allow rild radio_data_file:file { create getattr ioctl lock open read unlink write };
 allow rild radio_data_file:dir { add_name getattr open read remove_name search write };
+
+allow rild toolbox_exec:file getattr;
+allow rild toolbox_exec:file execute;
+allow rild toolbox_exec:file { open read };
+allow rild toolbox_exec:file execute_no_trans;
+allow rild vendor_toolbox_exec:file execute_no_trans;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 9507e88..175410f 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1 +1,3 @@
 allow vold persist_file:dir read;
+allow vold persist_file:dir open;
+allow vold persist_file:dir ioctl; |
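Review bot: The new rules let rild execute the system toybox (`toolbox_exec`, /system/bin/toybox in the quoted denials) from the shell it spawns (`comm=sh`); on a Treble device rild is expected to be a vendor domain, and a vendor domain executing a system binary is exactly what the `vendor_toolbox_exec` copy (/system/vendor/bin/toybox_vendor, also in the denials) exists to avoid, so the better fix is to make that shell resolve `toybox_vendor` (via its PATH or an explicit path) and keep only the `vendor_toolbox_exec` rule. On a full-Treble policy the `toolbox_exec` execute rules may also trip the build-time neverallow on vendor domains executing system binaries; worth checking against the upstream policy version in use. If the system-toybox rules stay, the four `toolbox_exec` lines are one rule: `allow rild toolbox_exec:file { getattr open read execute execute_no_trans };`. The hunk as rendered shows two context lines against its `-10,3` header, so part of the surrounding rild policy is not visible here.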
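Review bot: `allow vold persist_file:dir ioctl` permits every ioctl on that directory, whereas the denial quoted in the description reports the exact command (`ioctlcmd=5879`); upstream vold policy pairs ioctl rules with an `allowxperm` whitelist, so the added line should be accompanied by `allowxperm vold persist_file:dir ioctl { <command from the denial> };` so that only that command is permitted. The three rules on this file are one: `allow vold persist_file:dir { read open ioctl };`.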