From 690bfb3a2fe0f0833b09760c6ef60b36e5ab624d Mon Sep 17 00:00:00 2001 
From: dcashman Date: Fri, 31 Jul 2015 10:33:02 -0700 Subject: Add ims daemon. Address the following denials: [ 20.010522] type=1400 audit(1555967.749:71): avc: denied { write } for pid=562 comm="imsqmidaemon" name="property_service" dev="tmpfs" ino=11387 scontext=u:r:ims:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 [ 20.010821] type=1400 audit(1555967.749:72): avc: denied { connectto } for pid=562 comm="imsqmidaemon" path="/dev/socket/property_service" scontext=u:r:ims:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 20.247697] init: avc: denied { set } for property=sys.ims.QMI_DAEMON_STATUS scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service [ 19.312111] type=1400 audit(1562721.072:87): avc: denied { create } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 19.327574] type=1400 audit(1562721.072:88): avc: denied { ioctl } for pid=596 comm="imsdatadaemon" path="socket:[16885]" dev="sockfs" ino=16885 ioctlcmd=c304 scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 19.347022] type=1400 audit(1562721.072:89): avc: denied { bind } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 19.393905] type=1400 audit(1562721.081:92): avc: denied { read } for pid=596 comm="imsdatadaemon" scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=socket permissive=1 [ 20.348567] type=1400 audit(1562722.231:136): avc: denied { call } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 [ 20.363616] type=1400 audit(1562722.231:137): avc: denied { transfer } for pid=567 comm="imscmservice" scontext=u:r:ims:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 [ 20.379616] type=1400 audit(1562722.231:138): avc: denied { search } for pid=409 comm="servicemanager" name="567" dev="proc" ino=17423 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 
tclass=dir permissive=1 [ 20.398690] type=1400 audit(1562722.231:139): avc: denied { read } for pid=409 comm="servicemanager" name="current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1 [ 20.417013] type=1400 audit(1562722.231:140): avc: denied { open } for pid=409 comm="servicemanager" path="/proc/567/attr/current" dev="proc" ino=13649 scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=file permissive=1 [ 20.437155] type=1400 audit(1562722.231:141): avc: denied { getattr } for pid=409 comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:ims:s0 tclass=process permissive=1 Bug: 21435401 Change-Id: I0d4414550b9496b99b80b4a2a0090997b4cf5f95
---
 sepolicy/ims.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 sepolicy/ims.te
(limited to 'sepolicy/ims.te')
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
new file mode 100644
index 0000000..9ae51de
--- /dev/null
+++ b/sepolicy/ims.te
@@ -0,0 +1,13 @@
+type ims, domain;
+type ims_exec, exec_type, file_type;
+
+init_daemon_domain(ims)
+
+permissive ims;
+
+binder_use(ims)
+set_prop(ims, qcom_ims_prop)
+
+allow ims self:capability net_raw;
+
+allow ims self:socket create_socket_perms;
-- 
cgit v1.2.3
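Review bot: `permissive ims;` leaves the new domain non-enforcing, so the allow rules beneath it are never exercised by the kernel and any further access from the three daemons is logged but permitted; the line deserves a comment tying it to the bug tracking its removal, e.g. `# TODO(bug 21435401): drop permissive once all ims denials are covered`. `allow ims self:capability net_raw;` is not backed by any denial quoted in the commit message, which only show property, binder and `self:socket` accesses, so a one-line comment naming which daemon needs the raw-socket capability (or deferring the rule until a denial appears) would keep the grant auditable. The `set_prop(ims, qcom_ims_prop)` rule presumably relies on a property_contexts entry labelling `sys.ims.` as qcom_ims_prop that is outside this view (limited to sepolicy/ims.te); the quoted denial was against system_prop, so that mapping should be confirmed in the same change.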