author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2014-02-12 12:47:42 -0500 |
committer | Robert Craig <rpcraig@tycho.ncsc.mil> | 2014-02-19 19:43:30 -0500 |
commit | 78c3127390dd42c067ec356d1ac7a943317d8c97 (patch) | |
tree | 05b246a60a530d117baf205dde54dbfc5b3021f8 /sepolicy | |
parent | bdcebbb762aca3ae12a35d8f3c246fefb3bb1ece (diff) | |
Add SELinux policy for kickstart denials.
Access to m9kefs* block devices.
avc: denied { getattr } for pid=215 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
avc: denied { setattr } for pid=216 comm="chown" name="mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
Change owner and perms on /dev/block/platform/msm_sdcc.1/by-name/m9kefs*
avc: denied { chown } for pid=216 comm="chown" capability=0 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability
avc: denied { fowner } for pid=220 comm="chmod" capability=3 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability
Label and give access to specific rmnet usb files.
avc: denied { write } for pid=182 comm="sh" name="rmnet_data_init" dev="sysfs" ino=4275 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I2a1edda0efdfc57615c56c61ee446c343d7d875b
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/file_contexts | 5 | ||||
-rw-r--r-- | sepolicy/kickstart.te | 11 |
2 files changed, 14 insertions, 2 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 373d5e3..3a09736 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -23,6 +23,10 @@
 /dev/bcm2079x-i2c u:object_r:nfc_device:s0
 /dev/diag u:object_r:diag_device:s0
+# efs block labeling
+/dev/block/mmcblk0p[567] u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p28 u:object_r:efs_block_device:s0
+
 # CPU governor controls
 /dev/socket/mpdecision(/.*)? u:object_r:mpdecision_socket:s0
@@ -128,6 +132,7 @@
 # Sysfs entry for the RmNet function driver
 /sys/class/android_usb/f_rmnet_smd_sdio/transport -- u:object_r:sysfs_rmnet:s0
 /sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport -- u:object_r:sysfs_rmnet:s0
+/sys/module/rmnet_usb/parameters/rmnet_data_init -- u:object_r:sysfs_rmnet:s0
 # Sysfs files used by mpdecision
 /sys/module/pm2/modes(/.*)? u:object_r:sysfs_mpdecision:s0
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
index 7f31721..7dac85a 100644
--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -11,6 +11,10 @@ permissive kickstart;
 allow kickstart shell_exec:file { entrypoint read };
 allow kickstart kickstart_exec:file { getattr open execute_no_trans };
+# kickstart_checker.sh changes block devices
+# /dev/block/platform/msm_sdcc.1/by-name/m9kefs*
+allow kickstart self:capability { chown fowner };
+
 # Spawn /system/bin/efsks and /system/bin/ks
 allow kickstart kickstart_exec:file { open execute_no_trans getattr };
@@ -20,8 +24,8 @@ allow kickstart radio_device:chr_file r_file_perms;
 # Access USB host ks bridge drivers
 allow kickstart kickstart_device:chr_file rw_file_perms;
-# Read and write to /dev/block/mmcblk0p[89]
-allow kickstart efs_block_device:blk_file rw_file_perms;
+# Read and write to /dev/block/mmcblk0p[567]
+allow kickstart efs_block_device:blk_file { setattr rw_file_perms };
 allow kickstart block_device:dir { getattr write search };
 # Write contents of block device to kickstart data dir
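Review bot: The new `efs_block_device` entries in the first file_contexts hunk identify the partitions by raw number only, so a reader cannot tell which of `mmcblk0p[567]` and `mmcblk0p28` are the `m9kefs*` partitions the commit message describes, or what the fourth node holds. Because this label now carries `setattr` plus read/write for kickstart, the mapping should be recorded next to the entries, e.g. `# efs block labeling: <by-name alias> for each of mmcblk0p5-7 and mmcblk0p28`, with the aliases filled in from the by-name directory the commit message references. The comment being replaced in kickstart.te mentioned `mmcblk0p[89]`; whether those nodes are still labelled `efs_block_device` elsewhere in file_contexts is not visible here and is worth checking in the same change.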
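Review bot: Labelling `rmnet_data_init` with the existing `sysfs_rmnet` type in the second file_contexts hunk makes the module parameter share a label with the `transport` entries above it, so the `allow kickstart sysfs_rmnet:file w_file_perms;` added in the last kickstart.te hunk also covers those transport files, and any other domain already granted `sysfs_rmnet` now reaches `rmnet_data_init` as well. If kickstart only needs to write this one parameter, a dedicated type for it (a new type such as `sysfs_rmnet_data_init`, name constructed here) keeps the grant to that single file; if the sharing is intended, a comment on the new entry saying so would stop the next reader from treating it as an oversight.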
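Review bot: `allow kickstart self:capability { chown fowner };` in the first kickstart.te hunk grants CAP_CHOWN and CAP_FOWNER domain-wide, so kickstart may change ownership and bypass owner checks on any object it already has `setattr` to, not only the `m9kefs*` nodes the comment names. The denials quoted in the commit message come from `chown` and `chmod` run by a shell script at startup; on Android the owner and mode of `/dev` nodes are normally set from ueventd.rc, which would let the script stop changing them and this capability rule be dropped — worth confirming with the owner of kickstart_checker.sh. If the rule is kept, I'd extend the comment to state why ueventd.rc cannot set these permissions, e.g. `# CAP_CHOWN/CAP_FOWNER: kickstart_checker.sh re-owns the m9kefs* nodes at runtime; ueventd.rc cannot because <reason>`.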
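Review bot: The rewritten comment `# Read and write to /dev/block/mmcblk0p[567]` in the third kickstart.te hunk no longer matches the rule below it: the rule now grants `setattr` as well, and file_contexts in this same commit labels `mmcblk0p28` as `efs_block_device` too, so the comment understates what the rule permits. I'd have the comment describe the type rather than a partition list, e.g. `# Read, write and setattr on efs_block_device (mmcblk0p[567] and mmcblk0p28, see file_contexts)`, so the two files cannot drift apart again the way the old `mmcblk0p[89]` text did.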
@@ -42,3 +46,6 @@ allow kickstart sysfs_wake_lock:file { open append };
 # Set property key gsm.radio.kickstart
 allow kickstart radio_prop:property_service set;
 unix_socket_connect(kickstart, property, init)
+
+# Access /sys/module/rmnet_usb/parameters/rmnet_data_init
+allow kickstart sysfs_rmnet:file w_file_perms;