author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-11-22 08:43:52 -0500 |
---|---|---|
committer | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-11-25 06:27:10 -0500 |
commit | 381b2e0a0d6f33fb7c277f57efdc3a74bfb5c7cc (patch) | |
tree | 60baa17286e8d874348c4bfdbc94ea816182b5d3 /sepolicy/system_server.te | |
parent | d6a74d4cb5e23fef871bc908d64cb730595426da (diff) | |
download | mako-381b2e0a0d6f33fb7c277f57efdc3a74bfb5c7cc.tar.gz |
Resolve new selinux denials.
* Add tee policy. Label /data/misc/playready and
allow tee access to persist file system.
denied { read } for pid=265 comm="qseecomd" name="/" dev="mmcblk0p23" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { open } for pid=265 comm="qseecomd" name="/" dev="mmcblk0p23" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { write } for pid=265 comm="qseecomd" name="misc" dev="mmcblk0p23" ino=313873 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { add_name } for pid=265 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { create } for pid=265 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
denied { read write open } for pid=265 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p23" ino=313909 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
denied { create } for pid=221 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { write } for pid=221 comm="qseecomd" name="playready" dev="mmcblk0p23" ino=313907 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { add_name } for pid=221 comm="qseecomd" name="logs" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { search } for pid=241 comm="qseecomd" name="widevine" dev="mmcblk0p20" ino=13 scontext=u:r:tee:s0 tcontext=u:object_r:persist_drm_file:s0 tclass=dir
denied { getattr } for pid=241 comm="qseecomd" path="/persist/widevine/5dsokxEEDXgQhkN50bp-Z2K5InM_/RXFABDUxyT6Q+Zwx9ZhPGOq2Bq8_" dev="mmcblk0p20" ino=20 scontext=u:r:tee:s0 tcontext=u:object_r:persist_drm_file:s0 tclass=file
denied { read } for pid=269 comm="qseecomd" name="RXFABDUxyT6Q+Zwx9ZhPGOq2Bq8_" dev="mmcblk0p20" ino=20 scontext=u:r:tee:s0 tcontext=u:object_r:persist_drm_file:s0 tclass=file
denied { open } for pid=269 comm="qseecomd" name="RXFABDUxyT6Q+Zwx9ZhPGOq2Bq8_" dev="mmcblk0p20" ino=20 scontext=u:r:tee:s0 tcontext=u:object_r:persist_drm_file:s0 tclass=file
* Allow system_server (ActivityManager) access to radio nodes
denied { read } for pid=656 comm="ActivityManager" name="mdm" dev="tmpfs" ino=8302 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { open } for pid=656 comm="ActivityManager" name="mdm" dev="tmpfs" ino=8302 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { getattr } for pid=656 comm="ActivityManager" path="/dev/mdm" dev="tmpfs" ino=8302 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { ioctl } for pid=656 comm="ActivityManager" path="/dev/mdm" dev="tmpfs" ino=8302 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
* Allow system_server to create netlink sockets
denied { create } for pid=657 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket
denied { bind } for pid=657 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket
denied { write } for pid=1241 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket
denied { read } for pid=1238 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket
* Allow all apps r/w access to the world writable gpu device by making
the gpu_device a trusted object.
denied { write } for pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
* Add dontaudit for rmt_storage to /dev/mem. The denials
just flood the logs.
Change-Id: Ic4f220a521caa6fa9d4d119f22e0e6d378bbc562
Diffstat (limited to 'sepolicy/system_server.te')
-rw-r--r-- | sepolicy/system_server.te | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index b9689e0..cf4a746 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -17,3 +17,8 @@ unix_socket_connect(system_server, mpdecision, mpdecision)
 unix_socket_send(system_server, mpdecision, mpdecision)
 allow system_server mpdecision:unix_stream_socket sendto;
 allow system_server mpdecision_socket:dir search;
+
+# Access /dev/mdm
+allow system_server radio_device:chr_file r_file_perms;
+
+allow system_server self:netlink_socket create_socket_perms; |
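Review bot: The added `allow system_server self:netlink_socket create_socket_perms;` has no comment, unlike the radio_device rule just above it; the generic `netlink_socket` class stands for every netlink family that has no dedicated class, and the quoted denials name only the android.bg thread, not the protocol, so a comment such as `# android.bg: generic netlink socket (family: TODO confirm)` would record what this is for and let a later reviewer narrow it. `create_socket_perms` also grants more than the four permissions the denials ask for (create, bind, read, write); if those denials are the complete set, `allow system_server self:netlink_socket { create bind read write };` is the tighter rule. The `# Access /dev/mdm` comment is attached to a rule keyed on the `radio_device` type, which may label nodes other than /dev/mdm; if so, the comment should say the rule covers the whole type.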