path: root/sepolicy/ims.te
Age         Commit message                                                          Author
2018-01-16  Mark files in /vendor as vendor_file_type.  (Tri Vo)

    The following files and corresponding selinux types need vendor_file_type attribute:

    /vendor/bin/ATFWD-daemon        u:object_r:atfwd_exec:s0
    /vendor/bin/cnd                 u:object_r:cnd_exec:s0
    /vendor/bin/imscmservice        u:object_r:ims_exec:s0
    /vendor/bin/irsc_util           u:object_r:irsc_util_exec:s0
    /vendor/bin/loc_launcher        u:object_r:location_exec:s0
    /vendor/bin/mm-qcamera-daemon   u:object_r:camera_exec:s0
    /vendor/bin/msm_irqbalance      u:object_r:irqbalance_exec:s0
    /vendor/bin/netmgrd             u:object_r:netmgrd_exec:s0
    /vendor/bin/perfd               u:object_r:perfd_exec:s0
    /vendor/bin/pm-proxy            u:object_r:per_proxy_exec:s0
    /vendor/bin/pm-service          u:object_r:per_mgr_exec:s0
    /vendor/bin/qmuxd               u:object_r:qmux_exec:s0
    /vendor/bin/rmt_storage         u:object_r:rmt_exec:s0
    /vendor/bin/thermal-engine      u:object_r:thermald_exec:s0
    /vendor/bin/time_daemon         u:object_r:time_exec:s0
    /vendor/bin/nanoapp_cmd         u:object_r:nanoapp_cmd_exec:s0
    /vendor/bin/diag_test_server    u:object_r:diag_exec:s0
    /vendor/bin/InputEventFind      u:object_r:inputeventfind_exec:s0
    /vendor/bin/oem_qmi_server      u:object_r:oem_qmi_server_exec:s0
    /vendor/bin/qti                 u:object_r:qti_exec:s0
    /vendor/bin/sensortool\.angler  u:object_r:sensortool_exec:s0

    Test: build angler sepolicy
    Change-Id: I5e3cea5f040c7777e452b2af3b660806f4d0b289

2017-04-13  Allow ims ioctl commands for SIOCDEVPRIVATE_D  (Brad Ebinger)

    The imsdatadaemon has been blocked from doing ioctl commands by SELinux.
    This has been causing Angler to have IMS issues, such as being unable to
    register for VoLTE and other IMS capabilities.

    Test: Build and toggle 4G LTE off->on
    Bug: 35957889
    Merged-In: Ibb6ac1b10473e8e101b8c398d633e2fbbcfee6c6
    Change-Id: Ibb6ac1b10473e8e101b8c398d633e2fbbcfee6c6

2016-09-12  [DO NOT MERGE] Enforce ioctl command whitelisting on all sockets  (Jeff Vander Stoep)

    Remove the ioctl permission for most socket types. For others, such as
    tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
    that individual domains may extend (except where neverallowed like
    untrusted_app). Enforce via a neverallowxperm rule.

    Change-Id: Ia259325a6032547035652f4bff0348e03b400870
    (cherry picked from commit c9a18ec8df26ca977362b1119ed97ce892bfd0f9)

2016-08-29  deprecate domain_deprecated  (Jeff Vander Stoep)

    Move device specific policy to a local device_domain_deprecated attribute
    to focus effort on core policy.

    (cherry picked from commit 32ae6cf619cc95ef489818314b2e1a3101b54820)
    Bug: 28760354
    Change-Id: I23fe160b13db808e2f09f1653d173a14498e89a8

2015-11-04  Grant all processes the domain_deprecated attribute  (Jeff Vander Stoep)

    Bug: 25433265
    Change-Id: I9563b9a4eb26856db021622f8217e4e3ab20f4cd

2015-09-28  Update ims self:capability comment  (Ed Tam)

    Bug: 24479299
    Change-Id: I781a100f7335990843a43decad62a8e1d55759c3

2015-09-10  Allow ims create permission for netlink_route_socket  (Pavel Zhamaitsiak)

    Needed for VoLTE and WiFi calling

    Bug: 23935222
    Change-Id: Ibf701f966a9418f8cf69b1e17767768260ae0a9d

2015-09-10  Add rules for device-services.  (dcashman)

    Address the following denials:

    avc: denied { add } for service=qti.ims.connectionmanagerservice scontext=u:r:ims:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
    avc: denied { find } for service=vendor.qcom.PeripheralManager scontext=u:r:rild:s0 tcontext=u:object_r:per_mgr_service:s0 tclass=service_manager
    avc: denied { add } for service=qti.ims.connectionmanagerservice scontext=u:r:ims:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

    Bug: 23935222
    Change-Id: Ia41147328643e2dd9fe63faec2a23e40da718762

2015-09-09  Allow ims net_raw and net_admin permissions.  (dcashman)

    Needed for wi-fi calling.

    Bug: 23935222
    Change-Id: Ia88d0fd52f77a9cb4845d2c95a7fd9ca2d43c6cb

2015-09-08  Move ims into enforcing.  (dcashman)

    Bug: 23154090
    Change-Id: I0a61dab8dc897ddf10527d86a9c8d84012358689

2015-09-08  Allow ims to connect to the world.  (dcashman)

    Address the following denials:

    [  128.081588] type=1400 audit(1439585677.011:168): avc: denied { write } for pid=7477 comm="imsdatadaemon" name="cnd" dev="tmpfs" ino=16105 scontext=u:r:ims:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file permissive=1
    [  128.082141] type=1400 audit(1439585677.011:169): avc: denied { connectto } for pid=7477 comm="imsdatadaemon" path="/dev/socket/cnd" scontext=u:r:ims:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket permissive=1
    [    5.349726] type=1400 audit(2903659.729:23): avc: denied { create } for pid=490 comm="init" name="ims_datad" scontext=u:r:init:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
    [    5.350106] type=1400 audit(2903659.729:24): avc: denied { setattr } for pid=490 comm="init" name="ims_datad" dev="tmpfs" ino=11388 scontext=u:r:init:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
    [    8.675646] type=1400 audit(2903663.059:41): avc: denied { write } for pid=864 comm="ims_rtp_daemon" name="ims_datad" dev="tmpfs" ino=11388 scontext=u:r:ims:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
    [    8.690316] type=1400 audit(2903663.069:44): avc: denied { open } for pid=480 comm="imsqmidaemon" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=4096 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
    [    8.690448] type=1400 audit(2903663.069:45): avc: denied { read } for pid=480 comm="imsqmidaemon" name="subsys0" dev="sysfs" ino=14012 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file permissive=1
    [  127.325690] type=1400 audit(1439585676.261:144): avc: denied { search } for pid=3827 comm="imsdatadaemon" name="msm_subsys" dev="sysfs" ino=4094 scontext=u:r:ims:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
    [    8.690572] type=1400 audit(2903663.069:46): avc: denied { write } for pid=480 comm="imsqmidaemon" name="qmux_radio" dev="tmpfs" ino=14645 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir permissive=1
    [    8.692255] type=1400 audit(2903663.069:47): avc: denied { add_name } for pid=480 comm="imsqmidaemon" name=716D75785F636C69656E745F736F636B657420202020343830 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir permissive=1
    [    8.692333] type=1400 audit(2903663.069:48): avc: denied { create } for pid=480 comm="imsqmidaemon" name=716D75785F636C69656E745F736F636B657420202020343830 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file permissive=1
    [    8.692392] type=1400 audit(2903663.069:49): avc: denied { setattr } for pid=480 comm="imsqmidaemon" name=716D75785F636C69656E745F736F636B657420202020343830 dev="tmpfs" ino=18475 scontext=u:r:ims:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file permissive=1
    [  127.359099] type=1400 audit(1439585676.291:156): avc: denied { create } for pid=3827 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
    [  127.538798] type=1400 audit(1439585676.291:157): avc: denied { bind } for pid=3827 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
    [  127.538892] type=1400 audit(1439585676.291:158): avc: denied { write } for pid=7394 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
    [  127.539942] type=1400 audit(1439585676.291:160): avc: denied { read } for pid=7393 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1

    Bug: 23154090
    Bug: 23224406
    Change-Id: Ic90f27dfdb963dbefc2a2c493ab921b73438a174

2015-08-04  Add ims daemon.  (dcashman)

    Address the following denials:

    [   20.010522] type=1400 audit(1555967.749:71): avc: denied { write } for pid=562 comm="imsqmidaemon" name="property_service" dev="tmpfs" ino=11387 scontext=u:r:ims:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1
    [   20.010821] type=1400 audit(1555967.749:72): avc: denied { connectto } for pid=562 comm="imsqmidaemon" path="/dev/socket/property_service" scontext=u:r:ims:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
    [   20.247697] init: avc: denied { set } for property=sys.ims.QMI_DAEMON_STATUS scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
    [   19.312111] type=1400 audit(1562721.072:87): avc: denied { create } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
    [   19.327574] type=1400 audit(1562721.072:88): avc: denied { ioctl } for pid=596 comm="imsdatadaemon" path="socket:[16885]" dev="sockfs" ino=16885 ioctlcmd=c304 scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
    [   19.347022] type=1400 audit(1562721.072:89): avc: denied { bind } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
    [   19.393905] type=1400 audit(1562721.081:92): avc: denied { read } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
    [   20.348567] type=1400 audit(1562722.231:136): avc: denied { call } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
    [   20.363616] type=1400 audit(1562722.231:137): avc: denied { transfer } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
    [   20.379616] type=1400 audit(1562722.231:138): avc: denied { search } for pid=409 comm="servicemanager" name="567" dev="proc" ino=17423 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=dir permissive=1
    [   20.398690] type=1400 audit(1562722.231:139): avc: denied { read } for pid=409 comm="servicemanager" name="current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1
    [   20.417013] type=1400 audit(1562722.231:140): avc: denied { open } for pid=409 comm="servicemanager" path="/proc/567/attr/current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1
    [   20.437155] type=1400 audit(1562722.231:141): avc: denied { getattr } for pid=409 comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=process permissive=1

    Bug: 21435401
    Change-Id: I0d4414550b9496b99b80b4a2a0090997b4cf5f95
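Several of the commits above ("Add ims daemon.", "Allow ims to connect to the world.", "Add rules for device-services.") were derived by reading avc denial records and turning them into allow rules, and the later "Enforce ioctl command whitelisting" commit is the reason an ioctl denial should not simply become an unrestricted ioctl grant. The following is an added example, not code from the angler device tree or from the AOSP sepolicy tooling: a small audit2allow-style aggregator that parses the record formats appearing in this log (kernel type=1400 records, init's property_service records, and servicemanager's service= records), merges them into allow rules, emits an allowxperm rule for the specific ioctlcmd seen, and produces the notes a policy reviewer would raise. The sample records are copied from the denials quoted in this log; the review heuristics in review_notes are this example's own and are not part of any commit.

```python
import re
from collections import defaultdict

# Constructed sample, copied from denial records quoted in the commit messages above.
SAMPLE_DENIALS = """\
[  127.359099] type=1400 audit(1439585676.291:156): avc: denied { create } for pid=3827 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
[  127.538798] type=1400 audit(1439585676.291:157): avc: denied { bind } for pid=3827 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=netlink_socket permissive=1
[  128.082141] type=1400 audit(1439585677.011:169): avc: denied { connectto } for pid=7477 comm="imsdatadaemon" path="/dev/socket/cnd" scontext=u:r:ims:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket permissive=1
[   19.327574] type=1400 audit(1562721.072:88): avc: denied { ioctl } for pid=596 comm="imsdatadaemon" path="socket:[16885]" dev="sockfs" ino=16885 ioctlcmd=c304 scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1
[   20.247697] init: avc: denied { set } for property=sys.ims.QMI_DAEMON_STATUS scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
"""

# One regex covers all three record flavours: the part between "for" and
# "scontext=" varies (pid/comm/path, property=, service=), so it is captured
# loosely as "detail" and only mined for ioctlcmd afterwards.
DENIAL_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]*) \} for (?P<detail>.*?)"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)
IOCTL_RE = re.compile(r"\bioctlcmd=(?P<cmd>[0-9a-fA-F]+)\b")


def ctx_type(ctx):
    """Type field of a security context: u:r:ims:s0 -> 'ims'."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Parse avc denial records into dicts; non-denial lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        ioctl = IOCTL_RE.search(m.group("detail"))
        denials.append({
            "source": ctx_type(m.group("sctx")),
            "target": ctx_type(m.group("tctx")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "ioctlcmd": int(ioctl.group("cmd"), 16) if ioctl else None,
            # permissive=1: the access was logged but not actually blocked
            "permissive": m.group("permissive") == "1",
        })
    return denials


def generate_rules(denials):
    """Merge denials into allow rules; an ioctl denial carrying an ioctlcmd also
    yields an allowxperm rule naming just that command."""
    allow = defaultdict(set)
    xperm = defaultdict(set)
    for d in denials:
        target = "self" if d["source"] == d["target"] else d["target"]
        key = (d["source"], target, d["tclass"])
        allow[key] |= d["perms"]
        if "ioctl" in d["perms"] and d["ioctlcmd"] is not None:
            xperm[key].add(d["ioctlcmd"])
    rules = []
    for (src, tgt, cls), perms in allow.items():
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    for (src, tgt, cls), cmds in xperm.items():
        body = " ".join("0x%04x" % c for c in sorted(cmds))
        rules.append("allowxperm %s %s:%s ioctl { %s };" % (src, tgt, cls, body))
    return sorted(rules)


def review_notes(denials):
    """Reviewer reminders (this example's own heuristics) before rules are merged."""
    notes = []
    permissive = sum(1 for d in denials if d["permissive"])
    if permissive:
        notes.append("%d of %d denials were logged in permissive mode; they become "
                     "hard failures once the domain is enforcing." % (permissive, len(denials)))
    for d in denials:
        if "ioctl" in d["perms"] and d["tclass"].endswith("socket"):
            cmd = "0x%04x" % d["ioctlcmd"] if d["ioctlcmd"] is not None else "unknown"
            target = "self" if d["source"] == d["target"] else d["target"]
            notes.append("%s %s:%s ioctl (cmd %s): whitelist the command with allowxperm "
                         "rather than granting unrestricted ioctl." % (d["source"], target, d["tclass"], cmd))
    return notes


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_DENIALS)
    print("\n".join(generate_rules(parsed)))
    print("\n".join(review_notes(parsed)))
```

Feed it a dmesg or logcat capture and compare its output against the hand-written rules in a change like the ones above; the value of the review notes is that a permissive-mode capture lists everything the daemon touched, not only what it minimally needs, so each generated rule still has to be justified before it lands in ims.te.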