The following files and corresponding selinux types need vendor_file_type
attribute:
/vendor/bin/ATFWD-daemon u:object_r:atfwd_exec:s0
/vendor/bin/cnd u:object_r:cnd_exec:s0
/vendor/bin/imscmservice u:object_r:ims_exec:s0
/vendor/bin/irsc_util u:object_r:irsc_util_exec:s0
/vendor/bin/loc_launcher u:object_r:location_exec:s0
/vendor/bin/mm-qcamera-daemon u:object_r:camera_exec:s0
/vendor/bin/msm_irqbalance u:object_r:irqbalance_exec:s0
/vendor/bin/netmgrd u:object_r:netmgrd_exec:s0
/vendor/bin/perfd u:object_r:perfd_exec:s0
/vendor/bin/pm-proxy u:object_r:per_proxy_exec:s0
/vendor/bin/pm-service u:object_r:per_mgr_exec:s0
/vendor/bin/qmuxd u:object_r:qmux_exec:s0
/vendor/bin/rmt_storage u:object_r:rmt_exec:s0
/vendor/bin/thermal-engine u:object_r:thermald_exec:s0
/vendor/bin/time_daemon u:object_r:time_exec:s0
/vendor/bin/nanoapp_cmd u:object_r:nanoapp_cmd_exec:s0
/vendor/bin/diag_test_server u:object_r:diag_exec:s0
/vendor/bin/InputEventFind u:object_r:inputeventfind_exec:s0
/vendor/bin/oem_qmi_server u:object_r:oem_qmi_server_exec:s0
/vendor/bin/qti u:object_r:qti_exec:s0
/vendor/bin/sensortool\.angler u:object_r:sensortool_exec:s0
Test: build angler sepolicy
Change-Id: I5e3cea5f040c7777e452b2af3b660806f4d0b289
|
|
The imsdatadaemon has been blocked from doing
ioctl commands by SELinux. This has been causing Angler
to have IMS issues, such as being unable to
register for VoLTE and other IMS capabilities.
Test: Build and toggle 4G LTE off->on
Bug: 35957889
Merged-In: Ibb6ac1b10473e8e101b8c398d633e2fbbcfee6c6
Change-Id: Ibb6ac1b10473e8e101b8c398d633e2fbbcfee6c6
|
|
Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream, set a default unprivileged whitelist
that individual domains may extend (except where neverallowed, like
untrusted_app). Enforce via a neverallowxperm rule.
Change-Id: Ia259325a6032547035652f4bff0348e03b400870
(cherry picked from commit c9a18ec8df26ca977362b1119ed97ce892bfd0f9)
|
|
Move device specific policy to a local device_domain_deprecated attribute
to focus effort on core policy.
(cherry picked from commit 32ae6cf619cc95ef489818314b2e1a3101b54820)
Bug: 28760354
Change-Id: I23fe160b13db808e2f09f1653d173a14498e89a8
|
|
Bug: 25433265
Change-Id: I9563b9a4eb26856db021622f8217e4e3ab20f4cd
|
|
Bug: 24479299
Change-Id: I781a100f7335990843a43decad62a8e1d55759c3
|
|
Needed for VoLTE and WiFi calling
Bug: 23935222
Change-Id: Ibf701f966a9418f8cf69b1e17767768260ae0a9d
|
|
Address the following denials:
avc: denied { add } for service=qti.ims.connectionmanagerservice scontext=u:r:ims:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
avc: denied { find } for service=vendor.qcom.PeripheralManager scontext=u:r:rild:s0 tcontext=u:object_r:per_mgr_service:s0 tclass=service_manager
avc: denied { add } for service=qti.ims.connectionmanagerservice scontext=u:r:ims:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
Bug: 23935222
Change-Id: Ia41147328643e2dd9fe63faec2a23e40da718762
|
|
Needed for wi-fi calling.
Bug: 23935222
Change-Id: Ia88d0fd52f77a9cb4845d2c95a7fd9ca2d43c6cb
|
|
Bug: 23154090
Change-Id: I0a61dab8dc897ddf10527d86a9c8d84012358689
|
|
Address the following denials:
[ 128.081588] type=1400 audit(1439585677.011:168): avc: denied { write } for pid=7477 comm="imsdatadaemon" name="cnd" dev="tmpfs" ino=16105 scontext=u:r:ims:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file permissive=1
[ 128.082141] type=1400 audit(1439585677.011:169): avc: denied { connectto } for pid=7477 comm="imsdatadaemon" path="/dev/socket/cnd" scontext=u:r:ims:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket permissive=1
[ 5.349726] type=1400 audit(2903659.729:23): avc: denied { create } for pid=490 comm="init" name="ims_datad" scontext=u:r:init:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
[ 5.350106] type=1400 audit(2903659.729:24): avc: denied { setattr } for pid=490 comm="init" name="ims_datad" dev="tmpfs" ino=11388 scontext=u:r:init:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
[ 8.675646] type=1400 audit(2903663.059:41): avc: denied { write } for pid=864 comm="ims_rtp_daemon" name="ims_datad" dev="tmpfs" ino=11388 scontext=u:r:ims:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
[ 8.690316] type=1400 audit(2903663.069:44): avc: denied { open } for pid=480 comm="imsqmidaemon" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=4096 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
[ 8.690448] type=1400 audit(2903663.069:45): avc: denied { read } for pid=480 comm="imsqmidaemon" name="subsys0" dev="sysfs" ino=14012 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file permissive=1
[ 127.325690] type=1400 audit(1439585676.261:144): avc: denied { search } for pid=3827 comm="imsdatadaemon" name="msm_subsys" dev="sysfs" ino=4094 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
[ 8.690572] type=1400 audit(2903663.069:46): avc: denied { write } for pid=480 comm="imsqmidaemon" name="qmux_radio" dev="tmpfs" ino=14645 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir permissive=1
[ 8.692255] type=1400 audit(2903663.069:47): avc: denied { add_name } for pid=480 comm="imsqmidaemon" name=716D75785F636C69656E745F736F636B657420202020343830 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir permissive=1
[ 8.692333] type=1400 audit(2903663.069:48): avc: denied { create } for pid=480 comm="imsqmidaemon" name=716D75785F636C69656E745F736F636B657420202020343830 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file permissive=1
[ 8.692392] type=1400 audit(2903663.069:49): avc: denied { setattr } for pid=480 comm="imsqmidaemon" name=716D75785F636C69656E745F736F636B657420202020343830 dev="tmpfs" ino=18475 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file permissive=1
[ 127.359099] type=1400 audit(1439585676.291:156): avc: denied { create } for pid=3827 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
[ 127.538798] type=1400 audit(1439585676.291:157): avc: denied { bind } for pid=3827 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
[ 127.538892] type=1400 audit(1439585676.291:158): avc: denied { write } for pid=7394 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
[ 127.539942] type=1400 audit(1439585676.291:160): avc: denied { read } for pid=7393 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
Bug: 23154090
Bug: 23224406
Change-Id: Ic90f27dfdb963dbefc2a2c493ab921b73438a174
|
|
Address the following denials:
[ 20.010522] type=1400 audit(1555967.749:71): avc: denied { write } for pid=562 comm="imsqmidaemon" name="property_service" dev="tmpfs" ino=11387 scontext=u:r:ims:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1
[ 20.010821] type=1400 audit(1555967.749:72): avc: denied { connectto } for pid=562 comm="imsqmidaemon" path="/dev/socket/property_service" scontext=u:r:ims:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
[ 20.247697] init: avc: denied { set } for property=sys.ims.QMI_DAEMON_STATUS scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
[ 19.312111] type=1400 audit(1562721.072:87): avc: denied { create } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
[ 19.327574] type=1400 audit(1562721.072:88): avc: denied { ioctl } for pid=596 comm="imsdatadaemon" path="socket:[16885]" dev="sockfs" ino=16885 ioctlcmd=c304 scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
[ 19.347022] type=1400 audit(1562721.072:89): avc: denied { bind } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
[ 19.393905] type=1400 audit(1562721.081:92): avc: denied { read } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
[ 20.348567] type=1400 audit(1562722.231:136): avc: denied { call } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
[ 20.363616] type=1400 audit(1562722.231:137): avc: denied { transfer } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
[ 20.379616] type=1400 audit(1562722.231:138): avc: denied { search } for pid=409 comm="servicemanager" name="567" dev="proc" ino=17423 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=dir permissive=1
[ 20.398690] type=1400 audit(1562722.231:139): avc: denied { read } for pid=409 comm="servicemanager" name="current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1
[ 20.417013] type=1400 audit(1562722.231:140): avc: denied { open } for pid=409 comm="servicemanager" path="/proc/567/attr/current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1
[ 20.437155] type=1400 audit(1562722.231:141): avc: denied { getattr } for pid=409 comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=process permissive=1
Bug: 21435401
Change-Id: I0d4414550b9496b99b80b4a2a0090997b4cf5f95
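The denials quoted in the last two commit messages are the raw material policy authors turn into allow rules; the Python below is an added example, not part of this repository or its commit messages, that parses avc lines in that format and collapses them into candidate rules, emitting a per-command allowxperm for ioctl denials in the spirit of the ioctl-whitelist commit above rather than a blanket ioctl grant. The sample lines are copied from the messages above; the output is a starting point to check against neverallow rules, as audit2allow output would be.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the avc lines quoted in the commit messages
# above, in both formats that appear there (kernel audit records and
# init's property_service denials).
SAMPLE_DENIALS = """
[  128.081588] type=1400 audit(1439585677.011:168): avc: denied { write } for pid=7477 comm="imsdatadaemon" name="cnd" dev="tmpfs" ino=16105 scontext=u:r:ims:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file permissive=1
[  128.082141] type=1400 audit(1439585677.011:169): avc: denied { connectto } for pid=7477 comm="imsdatadaemon" path="/dev/socket/cnd" scontext=u:r:ims:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket permissive=1
[   19.327574] type=1400 audit(1562721.072:88): avc: denied { ioctl } for pid=596 comm="imsdatadaemon" path="socket:[16885]" dev="sockfs" ino=16885 ioctlcmd=c304 scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
[   19.347022] type=1400 audit(1562721.072:89): avc: denied { bind } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
[   20.247697] init: avc: denied { set } for property=sys.ims.QMI_DAEMON_STATUS scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
"""

# scontext/tcontext/tclass are adjacent in every avc line; the target
# type may be a domain (u:r:) or an object type (u:object_r:).
DENIAL_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=u:r:(?P<src>\w+):s0 tcontext=u:(?:r|object_r):(?P<tgt>\w+):s0 "
    r"tclass=(?P<tclass>\w+)"
)
IOCTL_RE = re.compile(r"ioctlcmd=(?P<cmd>[0-9a-fA-F]+)")


def parse_denials(text):
    """Yield (src, tgt, tclass, perm, ioctlcmd) for each denied permission."""
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        # A domain acting on its own objects is written as 'self' in policy.
        tgt = "self" if m["tgt"] == m["src"] else m["tgt"]
        ioctl = IOCTL_RE.search(line)
        cmd = int(ioctl["cmd"], 16) if ioctl else None
        for perm in m["perms"].split():
            yield m["src"], tgt, m["tclass"], perm, cmd


def suggest_rules(text):
    """Collapse denials into candidate allow rules. An ioctl denial gets an
    allowxperm for the exact command observed, not a blanket ioctl grant."""
    perms, xperms = defaultdict(set), defaultdict(set)
    for src, tgt, tclass, perm, cmd in parse_denials(text):
        key = (src, tgt, tclass)
        perms[key].add(perm)
        if perm == "ioctl" and cmd is not None:
            xperms[key].add(cmd)
    rules = []
    for key, ps in sorted(perms.items()):
        src, tgt, tclass = key
        rules.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(ps))} }};")
        if key in xperms:
            cmds = " ".join(f"0x{c:x}" for c in sorted(xperms[key]))
            rules.append(f"allowxperm {src} {tgt}:{tclass} ioctl {{ {cmds} }};")
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_DENIALS)))
```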