authordcashman <dcashman@google.com>2015-07-31 10:33:02 -0700
committerdcashman <dcashman@google.com>2015-08-04 11:16:11 -0700
commit690bfb3a2fe0f0833b09760c6ef60b36e5ab624d (patch)
tree4ee7936434bc9017615fadcf7f18a9c03cf0c2ba /sepolicy/ims.te
parent891096f3917b682e31eaf1e1ae095737b1c41799 (diff)
Add ims daemon.
Address the following denials: [ 20.010522] type=1400 audit(1555967.749:71): avc: denied { write } for pid=562 comm="imsqmidaemon" name="property_service" dev="tmpfs" ino=11387 scontext=u:r:ims:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 [ 20.010821] type=1400 audit(1555967.749:72): avc: denied { connectto } for pid=562 comm="imsqmidaemon" path="/dev/socket/property_service" scontext=u:r:ims:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 20.247697] init: avc: denied { set } for property=sys.ims.QMI_DAEMON_STATUS scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service [ 19.312111] type=1400 audit(1562721.072:87): avc: denied { create } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 19.327574] type=1400 audit(1562721.072:88): avc: denied { ioctl } for pid=596 comm="imsdatadaemon" path="socket:[16885]" dev="sockfs" ino=16885 ioctlcmd=c304 scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 19.347022] type=1400 audit(1562721.072:89): avc: denied { bind } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 19.393905] type=1400 audit(1562721.081:92): avc: denied { read } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 20.348567] type=1400 audit(1562722.231:136): avc: denied { call } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 [ 20.363616] type=1400 audit(1562722.231:137): avc: denied { transfer } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 [ 20.379616] type=1400 audit(1562722.231:138): avc: denied { search } for pid=409 comm="servicemanager" name="567" dev="proc" ino=17423 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=dir permissive=1 [ 20.398690] type=1400 audit(1562722.231:139): avc: 
denied { read } for pid=409 comm="servicemanager" name="current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1 [ 20.417013] type=1400 audit(1562722.231:140): avc: denied { open } for pid=409 comm="servicemanager" path="/proc/567/attr/current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1 [ 20.437155] type=1400 audit(1562722.231:141): avc: denied { getattr } for pid=409 comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=process permissive=1 Bug: 21435401 Change-Id: I0d4414550b9496b99b80b4a2a0090997b4cf5f95
Diffstat (limited to 'sepolicy/ims.te')
-rw-r--r--sepolicy/ims.te13
1 files changed, 13 insertions, 0 deletions
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
new file mode 100644
index 0000000..9ae51de
--- /dev/null
+++ b/sepolicy/ims.te
@@ -0,0 +1,13 @@
+type ims, domain;
+type ims_exec, exec_type, file_type;
+
+init_daemon_domain(ims)
+
+permissive ims;
+
+binder_use(ims)
+set_prop(ims, qcom_ims_prop)
+
+allow ims self:capability net_raw;
+
+allow ims self:socket create_socket_perms;
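Review bot: `permissive ims;` means none of the rules in this file are enforced. Denials for the `ims` domain are only logged, so the daemons labelled `ims_exec` are not actually confined until that line is removed. It should carry a comment tying it to its removal, for example `# TODO(b/21435401): drop permissive once the remaining ims denials are resolved; the domain is unenforced until then`. Separately, `allow ims self:capability net_raw;` is not backed by any denial quoted in the commit message, so a one-line comment naming the daemon and operation that need it would let a later reviewer judge whether it can be dropped. The `set_prop(ims, qcom_ims_prop)` rule relies on a `property_contexts` entry that labels `sys.ims.QMI_DAEMON_STATUS` as `qcom_ims_prop`. The quoted denial shows that property as `system_prop`, and the relabel is not visible in this file's diff, so it is worth confirming it lands in the same change.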