author | Jeff Vander Stoep <jeffv@google.com> | 2015-09-04 07:54:21 -0700 |
committer | Jeff Vander Stoep <jeffv@google.com> | 2015-09-04 09:55:46 -0700 |
commit | 31e7ef7df914216e4c235f01c63d15fd13e7594c (patch) | |
tree | 628eef0b72caf279bef0879ddceeae3085a4b760 /sepolicy | |
parent | 40885f73a6172745688e4c936a9dc8cca8a4ed4f (diff) | |
selinux: perfd: allow access to sleep_disabled
Get rid of the socket type transition.
avc: denied { write } for name="sleep_disabled" dev="sysfs" ino=6801 scontext=u:r:perfd:s0 tcontext=u:object_r:sysfs_power_management:s0 tclass=file permissive=0
Bug: 23790107
Change-Id: I9b180ba9dded150cca078473a122ea7ed93f79bf
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/file.te | 3 | ||||
-rw-r--r-- | sepolicy/file_contexts | 3 | ||||
-rw-r--r-- | sepolicy/mediaserver.te | 8 | ||||
-rw-r--r-- | sepolicy/perfd.te | 10 | ||||
-rw-r--r-- | sepolicy/system_server.te | 7 |
5 files changed, 16 insertions, 15 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 0548407..f2ab8f1 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -23,8 +23,7 @@ type ims_socket, file_type;
 type ramdump_data_file, file_type, data_file_type;
 type diag_logs, file_type, data_file_type, mlstrustedobject;
-type mpctl_data_file, file_type, data_file_type;
-type mpctl_socket, file_type;
+type perfd_data_file, file_type, data_file_type;
 type cnd_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index acf6432..0dda892 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -3,8 +3,7 @@
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 # Data files
-/data/misc/perfd(/.*)? u:object_r:mpctl_data_file:s0
-/data/misc/perfd/mpctl u:object_r:mpctl_socket:s0
+/data/misc/perfd(/.*)? u:object_r:perfd_data_file:s0
 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
 /data/misc/location(/.*)? u:object_r:location_data_file:s0
 /data/time(/.*)? u:object_r:time_data_file:s0
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index aaeace5..bb53b12 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,6 +4,8 @@ allow mediaserver thermal_socket:sock_file w_file_perms;
 allow mediaserver camera:unix_dgram_socket sendto;
 allow mediaserver camera_data_file:sock_file write;
-allow mediaserver mpctl_data_file:dir search;
-unix_socket_connect(mediaserver, mpctl, perfd)
-unix_socket_send(mediaserver, mpctl, perfd)
+# allow communication w/perfd
+allow mediaserver perfd_data_file:dir search;
+allow mediaserver perfd_data_file:sock_file write;
+allow mediaserver perfd:unix_dgram_socket sendto;
+allow mediaserver perfd:unix_stream_socket connectto;
diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
index 39b5525..122f046 100644
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te
@@ -12,12 +12,11 @@ init_daemon_domain(perfd)
 dontaudit perfd self:capability fsetid;
 # Data file accesses.
-allow perfd mpctl_data_file:dir create_dir_perms;
-allow perfd mpctl_data_file:file create_file_perms;
+allow perfd perfd_data_file:dir create_dir_perms;
+allow perfd perfd_data_file:file create_file_perms;
 # Socket creation under /data/misc/perfd
-type_transition perfd mpctl_data_file:sock_file mpctl_socket;
-allow perfd mpctl_socket:sock_file create_file_perms;
+allow perfd perfd_data_file:sock_file create_file_perms;
 allow perfd sysfs_performance:dir search;
 allow perfd sysfs_performance:file rw_file_perms;
@@ -29,3 +28,6 @@ allow perfd proc_kernel_sched:file r_file_perms;
 # allow writing to /sys/devices/system/cpu/*
 allow perfd sysfs_devices_system_cpu:file rw_file_perms;
+
+# access to /sys/module/lpm_levels/parameters/sleep_disabled
+allow perfd sysfs_power_management:file w_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index d294985..dc9569d 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -25,11 +25,10 @@ allow system_server location_data_file:{ file fifo_file } create_file_perms;
 allow system_server location_data_file:dir rw_dir_perms;
 allow system_server location_data_file:sock_file create_file_perms;
-
-allow system_server mpctl_data_file:dir search;
-
 # talk to perfd
-unix_socket_connect(system_server, mpctl, perfd)
+allow system_server perfd_data_file:dir search;
+allow system_server perfd_data_file:sock_file write;
+allow system_server perfd:unix_stream_socket connectto;
 # hubconnection to get and set sensors.contexthub.* properties
 set_prop(system_server, contexthub_prop);
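Review bot: With the dedicated mpctl_socket type removed in file.te and file_contexts, the new `allow mediaserver perfd_data_file:sock_file write;` now covers any socket file perfd creates under /data/misc/perfd, whereas the old label pinned the grant to the single /data/misc/perfd/mpctl path; the same widening appears in the system_server.te hunk. If perfd only ever exposes that one socket the two are equivalent, but the assumption is no longer enforced by labelling, so it is worth recording next to the new rules, e.g. `# perfd's control socket shares the perfd_data_file label; it must stay the only sock_file in /data/misc/perfd`. Whether perfd creates other sockets in that directory is not visible from these hunks.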
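Review bot: The new rule `allow perfd sysfs_power_management:file w_file_perms;` is broader than the comment above it states: it grants the w_file_perms set to every file carrying the sysfs_power_management label, not only /sys/module/lpm_levels/parameters/sleep_disabled. The denial quoted in the commit message shows only `{ write }` on that one file, so if other sysfs nodes share this label a dedicated type for the sleep_disabled parameter would keep perfd to least privilege. At minimum the comment should describe the real scope, e.g. `# write sleep_disabled; note this covers every file labelled sysfs_power_management`. Which other paths carry this label is not visible from this hunk.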