authorRobert Craig <rpcraig@tycho.ncsc.mil>2014-02-07 16:36:13 -0500
committerRobert Craig <rpcraig@tycho.ncsc.mil>2014-02-19 20:31:35 -0500
commit9a5556ff390f4f1466390940e2b95cccab256dc4 (patch)
tree2073df529d2030185e9e5234864bb83971e0d67d /sepolicy
parent8f736d1cb30806529ce6910e18672e4c6aa20407 (diff)
SELinux policy for rmt_storage process.
Initial policy helps address some of the following denials: Wake lock access: avc: denied { append } for pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file avc: denied { open } for pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file Capabilities (dropping uid and gid): avc: denied { setgid } for pid=171 comm="rmt_storage" capability=6 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability avc: denied { setuid } for pid=171 comm="rmt_storage" capability=7 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability Cgroup controls: avc: denied { add_name } for pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir avc: denied { create } for pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir Socket creation: avc: denied { read } for pid=209 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket avc: denied { create } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket avc: denied { ioctl } for pid=169 comm="rmt_storage" path="socket:[7463]" dev="sockfs" ino=7463 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket avc: denied { setopt } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket avc: denied { bind } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket avc: denied { read } for pid=210 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket Access to certain modem and root block devices: avc: denied { read } for pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file avc: denied { open } for pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 
tcontext=u:object_r:block_device:s0 tclass=blk_file Change-Id: Ia01257891eb2315632cef45dde7a099c3c042432 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/device.te1
-rw-r--r--sepolicy/file_contexts5
-rw-r--r--sepolicy/rmt.te22
3 files changed, 26 insertions, 2 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te
index b6e993a..83d0b06 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -10,6 +10,7 @@ type smd_device, dev_type;
# Radio related block device
type efs_block_device, dev_type;
+type modem_block_device, dev_type;
# Shared memory logger
type shared_log_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 3a09736..7f9a144 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -26,6 +26,11 @@
# efs block labeling
/dev/block/mmcblk0p[567] u:object_r:efs_block_device:s0
/dev/block/mmcblk0p28 u:object_r:efs_block_device:s0
+# Root block labeling
+/dev/block/mmcblk0 u:object_r:root_block_device:s0
+# modemst1, modemst2, fsg, ssd labeling
+/dev/block/mmcblk0p[238] u:object_r:modem_block_device:s0
+/dev/block/mmcblk0p27 u:object_r:modem_block_device:s0
# CPU governor controls
/dev/socket/mpdecision(/.*)? u:object_r:mpdecision_socket:s0
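Review bot: The comment `# modemst1, modemst2, fsg, ssd labeling` names four partitions, but the two rules under it cover indices p2, p3, p8 and p27 without saying which index carries which name, so a later reader cannot check that the set is complete or that a partition-table change has not silently moved one of them. Recording the mapping on each rule, e.g. `# mmcblk0p2 = <partition name>, p3 = <partition name>, p8 = <partition name>` and `# mmcblk0p27 = <partition name>` with the names filled in from the device's partition table, would make the labeling auditable against the layout. The `# Root block labeling` rule matches only the whole-disk node `/dev/block/mmcblk0` (file_contexts patterns are anchored), which is the intended target; a note that this label grants access to every partition on the device, not just the modem ones, would help whoever later reviews the domain rules that consume it.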
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index 8cb6b17..9e644cb 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -1,4 +1,4 @@
-# remote storage process
+# remote storage process (runs as nobody)
type rmt, domain;
type rmt_exec, exec_type, file_type;
@@ -6,4 +6,22 @@ type rmt_exec, exec_type, file_type;
init_daemon_domain(rmt)
permissive rmt;
-unconfined_domain(rmt)
+
+# Drop (user, group) to (nobody, nobody)
+allow rmt self:capability { setuid setgid };
+
+# opens and reads /dev/block/mmcblk0
+allow rmt root_block_device:blk_file r_file_perms;
+allow rmt root_block_device:dir r_dir_perms;
+
+# Allow reads/writes to modem related block devices
+allow rmt modem_block_device:blk_file rw_file_perms;
+
+# Allow shared memory logging access
+allow rmt shared_log_device:chr_file rw_file_perms;
+
+allow rmt self:socket create_socket_perms;
+allow rmt cgroup:dir { create add_name };
+
+# Wake lock access
+allow rmt sysfs_wake_lock:file { open append };
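Review bot: `permissive rmt;` is kept in the context line just above the new rules, so nothing in this hunk is enforced yet, and the denials quoted in the commit message are what the process has done so far under permissive mode rather than a proven-complete set. Two rules look incomplete or unreachable on that basis: `allow rmt cgroup:dir { create add_name };` grants exactly the two permissions that were logged, but creating a directory also checks `search` and `write` on the parent directory, so unless the base `domain` rules already provide them this will surface further denials once enforcing; and `allow rmt root_block_device:dir r_dir_perms;` is a `dir` rule on a label that file_contexts attaches only to the `/dev/block/mmcblk0` block node, so it most likely never matches anything (the containing directory is labeled `block_device`). Separately, `allow rmt root_block_device:blk_file r_file_perms;` is a read grant on the whole eMMC, which exposes every partition on the device rather than just the modem ones; if rmt_storage only needs the partition table, the comment should say so, e.g. `# opens and reads /dev/block/mmcblk0 (whole-disk node: read covers all partitions)`, so the breadth of the grant is visible to later reviewers. The `sysfs_wake_lock` rule grants only the `{ open append }` that were logged; confirm the base policy covers any remaining file access before the `permissive` line is dropped.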