authorHongbo Zeng <hongbozeng@google.com>2019-05-24 18:49:59 +0800
committerHongbo Zeng <hongbozeng@google.com>2019-05-25 00:30:39 +0800
commit204f1e81ce224feec1ef3a185dfdfee7f94a6185 (patch)
treea79a37b8a7e05ad04a9f356a4719f9a9d3adcdc8 /private
parenta37fcde4af00e301e5388f31e1a2d0dac10d7290 (diff)
Fix denials for irsc_util/netmgrd/netutils_wrapper/radio/rild during bootup
Bug: b/130587338 for irsc_util, b/129668946 for netmgrd, b/129668268 for netutils_wrapper, b/129455852 for radio, b/129438948 for rild Test: after applying these rules and rebooting, the original avc denials are gone. Note: (1) irsc_util denied { create } for scontext=u:r:irsc_util:s0 tcontext=u:r:irsc_util:s0 tclass=socket permissive=1 b/130587338 denied { module_request } for kmod="net-pf-27" scontext=u:r:irsc_util:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 == (2) netmgrd denied { search } for name="soc:qcom,faceauth_fws" dev="sysfs" ino=42370 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_faceauth:s0 tclass=dir permissive=1 b/129668946 denied { read } for name="name" dev="sysfs" ino=56616 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_faceauth:s0 tclass=file permissive=1 denied { open } for path="/sys/devices/platform/soc/soc:qcom,faceauth_fws/subsys9/name" dev="sysfs" ino=56616 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_faceauth:s0 tclass=file permissive=1 denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=22886 scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1 b/129668946 denied { open } for path="/dev/__properties__/u:object_r:default_prop:s0" dev="tmpfs" ino=22886 scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1 b/129668946 denied { getattr } for path="/dev/__properties__/u:object_r:default_prop:s0" dev="tmpfs" ino=22886 scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1 b/129668946 denied { map } for path="/dev/__properties__/u:object_r:default_prop:s0" dev="tmpfs" ino=22886 scontext=u:r:netmgrd:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1 b/129668946 denied { read write } for name="diag" dev="tmpfs" ino=14894 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 b/129668946 denied { open } for path="/dev/diag" dev="tmpfs" ino=14894 scontext=u:r:netmgrd:s0 
tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 b/129668946 denied { ioctl } for path="/dev/diag" dev="tmpfs" ino=14894 ioctlcmd=0x20 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 b/129668946 denied { create } for scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket permissive=1 b/129668946 denied { bind } for scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket permissive=1 b/129668946 == (3) netutils_wrapper denied { read write } for path="/dev/diag" dev="tmpfs" ino=14894 scontext=u:r:netutils_wrapper:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 denied { module_request } for kmod="crypto-echainiv(authenc(xcbc(aes),cbc(aes)))" scontext=u:r:netutils_wrapper:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 == (4) radio denied { read } for name="u:object_r:vendor_radio_prop:s0" dev="tmpfs" ino=22987 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_radio_prop:s0 tclass=file permissive=1 b/129455852 denied { open } for path="/dev/__properties__/u:object_r:vendor_radio_prop:s0" dev="tmpfs" ino=22987 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_radio_prop:s0 tclass=file permissive=1 b/129455852 denied { getattr } for path="/dev/__properties__/u:object_r:vendor_radio_prop:s0" dev="tmpfs" ino=22987 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_radio_prop:s0 tclass=file permissive=1 b/129455852 denied { map } for path="/dev/__properties__/u:object_r:vendor_radio_prop:s0" dev="tmpfs" ino=22987 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_radio_prop:s0 tclass=file permissive=1 b/129455852 denied { read } for name="u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=22979 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 b/129455852 denied { open } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=22979 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_default_prop:s0 
tclass=file permissive=1 b/129455852 denied { getattr } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=22979 scontext=u:r:radio:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 b/129455852 denied { find } for interface=com.qualcomm.qti.uceservice::IUceService sid=u:r:radio:s0 pid=2137 scontext=u:r:radio:s0 tcontext=u:object_r:hal_imsrcsd_hwservice:s0 tclass=hwservice_manager permissive=1 denied { add } for service=uce pid=2137 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:uce_service:s0 tclass=service_manager permissive=1 denied { find } for service=uce pid=3082 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:uce_service:s0 tclass=service_manager permissive=1 denied { read write } for name="diag" dev="tmpfs" ino=28125 scontext=u:r:radio:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 denied { open } for path="/dev/diag" dev="tmpfs" ino=28125 scontext=u:r:radio:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 denied { getattr } for path="/dev/diag" dev="tmpfs" ino=28125 scontext=u:r:radio:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 denied { ioctl } for path="/dev/diag" dev="tmpfs" ino=28125 ioctlcmd=0x9 scontext=u:r:radio:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1 denied { find } for service=media.extractor pid=2225 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:mediaextractor_service:s0 tclass=service_manager permissive=0 == (5) rild denied { add } for interface=vendor.qti.hardware.data.connection::IDataConnection sid=u:r:rild:s0 pid=1051 scontext=u:r:rild:s0 tcontext=u:object_r:hal_dataconnection_hwservice:s0 tclass=hwservice_manager permissive=1 denied { connectto } for path=0074696D655F67656E6F6666 scontext=u:r:rild:s0 tcontext=u:r:time_daemon:s0 tclass=unix_stream_socket permissive=1 denied { set } for property=persist.vendor.net.doxlat pid=1051 uid=1001 gid=1001 scontext=u:r:rild:s0 
tcontext=u:object_r:vendor_xlat_prop:s0 tclass=property_service permissive=1 Change-Id: I41e7a8deaec6a0cc89e820f5edbbeead0580f023
Diffstat (limited to 'private')
-rw-r--r--private/radio.te1
1 files changed, 1 insertions, 0 deletions
diff --git a/private/radio.te b/private/radio.te
index 7986425..2d8a603 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1 +1,2 @@
add_service(radio, qchook_service)
+add_service(radio, uce_service)
\ No newline at end of file
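Review bot: `add_service(radio, uce_service)` lands in the platform-private `private/` policy, yet the `uce` service is the Qualcomm `com.qualcomm.qti.uceservice::IUceService` from the same description, so if `uce_service` is declared under this tree's `vendor/` policy rather than `public/`, this line makes system-side policy depend on a vendor type, which the Treble system/vendor split is meant to prevent; the declaration site is not in this hunk, so this is worth confirming before merge. The description quotes both an `add` and a `find` denial on `uce_service` from `radio`; AOSP's `add_service` macro grants `{ add find }` and emits a neverallow that keeps every other domain from registering the service, so a single line should cover both denials and no extra `allow radio uce_service:service_manager find` is needed, assuming this tree's macro matches. Since the file gives no rationale for either rule, a short comment would help the next reader: `# phone process (uid 1001) registers the IMS UCE service, b/129455852`. The added line also has no trailing newline (`\ No newline at end of file`), which will show up as churn on the next edit.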