Improve kickstart selinux policy.

Addressed the following denials. * Allow kickstart binary (/system/bin/qcks) to start both efsks and ks binaries. denied { execute_no_trans } for pid=169 comm="qcks" path="/system/bin/ks" dev="mmcblk0p21" ino=191 scontext=u:r:kickstart:s0 tcontext=u:object_r:kickstart_exec:s0 tclass=file * Access modem driver (/dev/mdm) denied { getattr } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file denied { read } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file denied { open } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file denied { ioctl } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file * Read and write access to USB bridge driver * Read and write to block device (mmcblk0p[89]) denied { getattr } for pid=170 comm="qcks" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { read } for pid=170 comm="qcks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { write } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { open } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { getattr } for pid=543 comm="ks" path="/dev/block/mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { write } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { open } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { getattr } for pid=546 comm="ks" path="/dev/block/platform/msm_sdcc.1/by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir denied { write } for pid=546 comm="ks" name="by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir * Run dd from toolbox then write to /data/qcks denied { execute } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { read open } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { execute_no_trans } for pid=510 comm="qcks" path="/system/bin/mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file * Read radio firmware files (/persist) denied { getattr } for pid=170 comm="qcks" path="/firmware/image/efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file denied { read } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file denied { open } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file * Wake lock access denied { append } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file denied { open } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file Change-Id: I689323422f9c5dd7898c385c9ce575bb5a9fd3af Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
author: Robert Craig <rpcraig@tycho.ncsc.mil> 2013-10-22 08:10:14 -0400
committer: Robert Craig <rpcraig@tycho.ncsc.mil> 2013-10-30 11:37:23 -0400
commit: 14cd1b2d3abc3f33c431ca202868bf3c2714a015 (patch)
tree: e3a97ab4200e9345309b9b65c096d6e2108a070b /sepolicy/file.te
parent: d86e0c23edf97b436bfe15cf207e9dee3714c644 (diff)
download: mako-14cd1b2d3abc3f33c431ca202868bf3c2714a015.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 6a7b06d..089d03c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,6 +1,8 @@
 # Qualcomm MSM Interface (QMI) socket
 type qmuxd_socket, file_type;
 
+type kickstart_data_file, file_type, data_file_type;
+
 type mpdecision_socket, file_type;
 
 type audio_firmware_file, file_type;
author	Robert Craig <rpcraig@tycho.ncsc.mil>	2013-10-22 08:10:14 -0400
committer	Robert Craig <rpcraig@tycho.ncsc.mil>	2013-10-30 11:37:23 -0400
commit	14cd1b2d3abc3f33c431ca202868bf3c2714a015 (patch)
tree	e3a97ab4200e9345309b9b65c096d6e2108a070b /sepolicy/file.te
parent	d86e0c23edf97b436bfe15cf207e9dee3714c644 (diff)
download	mako-14cd1b2d3abc3f33c431ca202868bf3c2714a015.tar.gz