author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-10-22 08:10:14 -0400 |
---|---|---|
committer | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-10-30 11:37:23 -0400 |
commit | 14cd1b2d3abc3f33c431ca202868bf3c2714a015 (patch) | |
tree | e3a97ab4200e9345309b9b65c096d6e2108a070b /sepolicy/file.te | |
parent | d86e0c23edf97b436bfe15cf207e9dee3714c644 (diff) | |
download | mako-14cd1b2d3abc3f33c431ca202868bf3c2714a015.tar.gz |
Improve kickstart selinux policy.
Addressed the following denials.
* Allow kickstart binary (/system/bin/qcks) to start
both efsks and ks binaries.
denied { execute_no_trans } for pid=169 comm="qcks" path="/system/bin/ks" dev="mmcblk0p21" ino=191 scontext=u:r:kickstart:s0 tcontext=u:object_r:kickstart_exec:s0 tclass=file
* Access modem driver (/dev/mdm)
denied { getattr } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { read } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { open } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { ioctl } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
* Read and write access to USB bridge driver
* Read and write to block device (mmcblk0p[89])
denied { getattr } for pid=170 comm="qcks" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { read } for pid=170 comm="qcks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { write } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { open } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { getattr } for pid=543 comm="ks" path="/dev/block/mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { write } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { open } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { getattr } for pid=546 comm="ks" path="/dev/block/platform/msm_sdcc.1/by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
denied { write } for pid=546 comm="ks" name="by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
* Run dd from toolbox then write to /data/qcks
denied { execute } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { read open } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=510 comm="qcks" path="/system/bin/mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
* Read radio firmware files (/persist)
denied { getattr } for pid=170 comm="qcks" path="/firmware/image/efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
denied { read } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
denied { open } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
* Wake lock access
denied { append } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
denied { open } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
Change-Id: I689323422f9c5dd7898c385c9ce575bb5a9fd3af
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Diffstat (limited to 'sepolicy/file.te')
-rw-r--r-- | sepolicy/file.te | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 6a7b06d..089d03c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,6 +1,8 @@
 # Qualcomm MSM Interface (QMI) socket
 type qmuxd_socket, file_type;
+type kickstart_data_file, file_type, data_file_type;
+
 type mpdecision_socket, file_type;
 type audio_firmware_file, file_type; |
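Review bot: The new `kickstart_data_file` declaration has no comment, unlike `qmuxd_socket` just above it, and it also joins `data_file_type`, so any rule written against that attribute elsewhere in the policy will cover the kickstart data too. Going by the commit message, I would add a line such as `# Data written by the kickstart binaries (qcks/ks) under /data/qcks` above the declaration. The type only has an effect once a file_contexts entry labels that directory and the kickstart domain's allow rules are scoped to it. This page is limited to file.te, so those presumably sit in other files of the commit and should be checked alongside this hunk, since an unlabeled /data/qcks would presumably keep a generic data label and need broader grants.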