authorRobert Craig <rpcraig@tycho.ncsc.mil>2013-11-05 06:17:03 -0500
committerRobert Craig <rpcraig@tycho.ncsc.mil>2013-11-06 06:19:19 -0500
commit63af8207d7f014560f366138efaa07982f507b1f (patch)
treeb0279ca003c502763854d157e85fdb8ce05729a4
parent9ce4b2832e4740ce68d78801ab8129d80468d82e (diff)
downloadmako-63af8207d7f014560f366138efaa07982f507b1f.tar.gz
Improve sensors selinux policy.
Addressed the following denials. Allow sensors binary to change its own user and group. denied { setgid } for pid=201 comm="sensors.qcom" capability=6 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability denied { setuid } for pid=201 comm="sensors.qcom" capability=7 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability Change owner of /data/misc/sensors/debug/ to nobody. Also dontaudit the resulting fsetid. denied { chown } for pid=201 comm="sensors.qcom" capability=0 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability Log diagnostic items (/dev/diag) denied { read write } for pid=208 comm="sensors.qcom" name="diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { open } for pid=208 comm="sensors.qcom" name="diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { ioctl } for pid=208 comm="sensors.qcom" path="/dev/diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file Create socket at /data/app/sensor_ctl_socket denied { remove_name } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir denied { unlink } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file denied { add_name } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir denied { create } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file denied { setattr } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file denied { write } for pid=209 
comm="sensors.qcom" name="app" dev="mmcblk0p23" ino=24145 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir Access /data/misc/sensors and /data/system/sensors denied { getattr } for pid=204 comm="sensors.qcom" path="/data/misc/sensors" dev="mmcblk0p23" ino=313890 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir denied { setattr } for pid=216 comm="sensors.qcom" name="debug" dev="mmcblk0p23" ino=313897 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir denied { read append } for pid=216 comm="sensors.qcom" name="error_log" dev="mmcblk0p23" ino=313898 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=file denied { open } for pid=216 comm="sensors.qcom" name="error_log" dev="mmcblk0p23" ino=313898 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=file denied { write } for pid=204 comm="sensors.qcom" name="sensors" dev="mmcblk0p23" ino=313890 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir denied { add_name } for pid=204 comm="sensors.qcom" name="debug" scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir denied { create } for pid=204 comm="sensors.qcom" name="debug" scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir Access sensors dev nodes (/dev/msm_dsps,...) denied { read } for pid=208 comm="sensors.qcom" name="msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file denied { open } for pid=208 comm="sensors.qcom" name="msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file denied { ioctl } for pid=299 comm="sensors.qcom" path="/dev/msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file Access to persist files. 
denied { search } for pid=328 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir denied { getattr } for pid=328 comm="sensors.qcom" path="/persist/sensors/sns.reg" dev="mmcblk0p20" ino=15 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file denied { read } for pid=304 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir denied { open } for pid=304 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir denied { write } for pid=304 comm="sensors.qcom" name="sns.reg" dev="mmcblk0p20" ino=15 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file Write access to power management controls denied { write } for pid=251 comm="sensors.qcom" name="cpu_dma_latency" dev="tmpfs" ino=7294 scontext=u:r:sensors:s0 tcontext=u:object_r:power_control_device:s0 tclass=chr_file denied { open } for pid=251 comm="sensors.qcom" name="cpu_dma_latency" dev="tmpfs" ino=7294 scontext=u:r:sensors:s0 tcontext=u:object_r:power_control_device:s0 tclass=chr_file Wake lock access denied { append } for pid=208 comm="sensors.qcom" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file denied { open } for pid=227 comm="sensors.qcom" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file Give system server access to sensors socket for PowerManagerService. 
denied { connectto } for pid=536 comm="system_server" path="/data/app/sensor_ctl_socket" scontext=u:r:system_server:s0 tcontext=u:r:sensors:s0 tclass=unix_stream_socket denied { write } for pid=527 comm="system_server" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:system_server:s0 tcontext=u:object_r:sensors_socket:s0 tclass=sock_file Add groups radio and system to sensors binary. This allows us to avoid dac_override denials with /dev/diag (radio) and /sys/power/wake_lock (system). Change the permissions of /dev/msm_dsps to 0660. This also allows us to avoid a dac_override denial. Change-Id: I9a8a5f1b981336db02d0a3e397d2f0791406fa9e
-rw-r--r--init.mako.rc4
-rw-r--r--sepolicy/device.te2
-rw-r--r--sepolicy/file.te3
-rw-r--r--sepolicy/file_contexts4
-rw-r--r--sepolicy/sensors.te42
-rw-r--r--sepolicy/system_server.te6
-rw-r--r--ueventd.mako.rc2
7 files changed, 60 insertions, 3 deletions
diff --git a/init.mako.rc b/init.mako.rc
index 767f0b0..97f96f5 100644
--- a/init.mako.rc
+++ b/init.mako.rc
@@ -177,12 +177,14 @@ on post-fs-data
#Create directory used by sensor subsystem(dsps)
mkdir /data/system/sensors
chmod 665 /data/system/sensors
+ restorecon_recursive /data/system/sensors
write /data/system/sensors/settings 1
chmod 660 /data/system/sensors/settings
# AKM setting data
mkdir /data/misc/sensors
chmod 775 /data/misc/sensors
+ restorecon_recursive /data/misc/sensors
mkdir /persist/sensors
chmod 775 /persist/sensors
@@ -307,7 +309,7 @@ service netmgrd /system/bin/netmgrd
service sensors /system/bin/sensors.qcom
class late_start
user root
- group root
+ group root radio system
service wpa_supplicant /system/bin/wpa_supplicant \
-iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf \
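Review bot: `group root radio system` is attached to a service that is still started as `user root`, so sensors.qcom begins with root plus two supplementary groups and only drops privilege itself, via the `setuid setgid` capabilities this same commit grants in sensors.te. If the binary tolerates being started unprivileged, `user nobody` with `group nobody radio system` here (matching the (nobody,nobody) target described in the commit message) would remove both the capability grants and the root window at startup; whether sensors.qcom insists on starting as root is not visible in this hunk and needs checking against the binary. Either way, the reason for each group lives only in the commit message today, so a comment on the line above, `# radio: /dev/diag, system: /sys/power/wake_lock`, would keep it next to the grant.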
diff --git a/sepolicy/device.te b/sepolicy/device.te
index f6b6bd9..8334b50 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -21,3 +21,5 @@ type efs_block_device, dev_type;
# Shared memory logger
type shared_log_device, dev_type;
+
+type power_control_device, dev_type;
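Review bot: `type power_control_device, dev_type;` is the only type in the visible part of device.te without an explanatory comment, while its neighbour carries `# Shared memory logger`. A one-line comment above it, `# Power management controls (/dev/cpu_dma_latency)`, tells a reader which node the type labels without a detour through file_contexts.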
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 427e991..7cff3b7 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,5 +1,8 @@
# Qualcomm MSM Interface (QMI) socket
type qmuxd_socket, file_type;
+type sensors_socket, file_type;
+
+type sensors_data_file, file_type, data_file_type;
type kickstart_data_file, file_type, data_file_type;
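Review bot: `type sensors_socket, file_type;` lands directly under the `# Qualcomm MSM Interface (QMI) socket` comment, which now reads as if it described both socket types. A separate comment such as `# Sensor control socket (/data/app/sensor_ctl_socket, see sensors.te)` above the new line, and `# Sensor data under /data/misc/sensors and /data/system/sensors` above `sensors_data_file`, would keep each type's purpose local to its declaration.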
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 5760ca1..6729e0d 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -69,6 +69,8 @@
# Sensors shared Memory Packet Interface
/dev/smd_sns_dsps u:object_r:sensors_device:s0
+/dev/cpu_dma_latency u:object_r:power_control_device:s0
+
# Qualcomm audio firmware files
/data/misc/audio/* u:object_r:audio_firmware_file:s0
@@ -84,6 +86,8 @@
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
/data/qcks(/.*)? u:object_r:kickstart_data_file:s0
+/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
/system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
/system/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0
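Review bot: No file_contexts entry is added for the socket itself, so `/data/app/sensor_ctl_socket` gets its `sensors_socket` label only from the `type_transition` rule in sensors.te. Any relabel pass over /data/app (restorecon or a factory-reset style re-label) would then reset the existing socket to `apk_data_file`, at which point the `sensors_socket:sock_file` rules in sensors.te and system_server.te stop matching until the daemon recreates it. Adding `/data/app/sensor_ctl_socket u:object_r:sensors_socket:s0` in the second hunk keeps the two labelling mechanisms in agreement.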
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index c81a60f..f977fae 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -5,4 +5,44 @@ type sensors_exec, exec_type, file_type;
# Started by init
init_daemon_domain(sensors)
-unconfined_domain(sensors)
+permissive sensors;
+
+# Change own perms to (nobody,nobody)
+allow sensors self:capability { setuid setgid };
+# Chown /data/misc/sensors/debug/ to nobody
+allow sensors self:capability chown;
+dontaudit sensors self:capability fsetid;
+
+# Access /data/misc/sensors/debug and /data/system/sensors/settings
+allow sensors self:capability dac_read_search;
+dontaudit sensors self:capability dac_override;
+
+# Log diagnostic items (/dev/diag)
+allow sensors diag_device:chr_file rw_file_perms;
+
+# Create /data/app/sensor_ctl_socket (Might want to change location).
+type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";
+allow sensors sensors_socket:sock_file create_file_perms;
+# Trying to be restrictive with perms on apk_data_file
+allow sensors apk_data_file:dir { add_name write };
+# Socket can be deleted. So might have to keep in order to work.
+allow sensors apk_data_file:dir remove_name;
+
+# Create directories and files under /data/misc/sensors
+# and /data/system/sensors. Allow generic r/w file access.
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+
+# Access sensor nodes (/dev/msm_dsps)
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# Access power management controls
+allow sensors power_control_device:chr_file w_file_perms;
+
+# Access to /persist/sensors
+allow sensors persist_file:dir r_dir_perms;
+allow sensors persist_sensors_file:dir r_dir_perms;
+allow sensors persist_sensors_file:file rw_file_perms;
+
+# Wake lock access
+allow sensors sysfs_wake_lock:file { open append };
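Review bot: `permissive sensors;` at the top of the hunk replaces unconfined_domain with a domain that only logs denials, so none of the rules that follow restrict the daemon until that line is removed; it should at least be marked as a staging step, e.g. `# TODO: drop permissive once a full boot/sensor cycle shows no new denials`. The `allow sensors self:capability dac_read_search;` and `dontaudit sensors self:capability dac_override;` lines paper over /data/misc/sensors and /data/system/sensors being created root-owned by the `mkdir` lines in init.mako.rc (context in the first hunk); creating them with the owner the daemon ends up running as, via init's `mkdir <path> <mode> <owner> <group>` form, would make both capability rules unnecessary, and the dontaudit also hides future dac_override denials that point at the same kind of DAC misconfiguration. The socket rules give sensors `add_name write remove_name` on any directory labelled apk_data_file, which the quoted denials show includes /data/app itself; the comment already flags the location, and a sensors-owned directory (or an init `socket` entry) would drop the apk_data_file grants entirely, subject to whether the path is hard-coded in sensors.qcom, which this hunk does not show.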
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index e72aa6f..b9689e0 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -6,6 +6,12 @@ allow system_server diag_device:chr_file rw_file_perms;
# (e.g., LocationManager)
qmux_socket(system_server)
+# PowerManagerService access to sensors socket
+unix_socket_connect(system_server, sensors, sensors)
+unix_socket_send(system_server, sensors, sensors)
+allow system_server sensors:unix_stream_socket sendto;
+allow system_server sensors_socket:sock_file r_file_perms;
+
# mpdecision socket access
unix_socket_connect(system_server, mpdecision, mpdecision)
unix_socket_send(system_server, mpdecision, mpdecision)
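Review bot: The two explicit `allow` lines grant more than the two denials quoted in the commit message (`connectto` on unix_stream_socket and `write` on the sock_file): `allow system_server sensors:unix_stream_socket sendto;` covers a permission that was never denied, and `r_file_perms` on `sensors_socket:sock_file` adds read/getattr/open/ioctl rather than the write that was missing. If `unix_socket_connect` and `unix_socket_send` expand as in upstream Android policy they already provide connectto, dgram sendto and sock_file write, so both explicit lines could likely be removed, and `unix_socket_send` too if the dgram path is unused. Worth confirming against a second denial capture before trimming.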
diff --git a/ueventd.mako.rc b/ueventd.mako.rc
index dd5da1f..5b9e90d 100644
--- a/ueventd.mako.rc
+++ b/ueventd.mako.rc
@@ -34,7 +34,7 @@
/dev/v4l-subdev* 0660 system camera
/dev/msm_camera/* 0660 system camera
/dev/gemini* 0660 system camera
-/dev/msm_dsps 0600 system system
+/dev/msm_dsps 0660 system system
/dev/bcm2079x-i2c 0660 nfc nfc
/dev/qseecom 0660 system drmrpc
/dev/mdm 0660 system radio
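Review bot: `/dev/msm_dsps 0660 system system` extends write access on the DSPS node from one uid to every process in group system; the commit message ties this to avoiding a dac_override denial for sensors.qcom, which init.mako.rc now places in that group. A comment line above the entry, `# 0660: sensors.qcom (group system) writes to this node`, would keep the widening traceable without a trip through git history.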