author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-10-08 07:38:07 -0400 |
---|---|---|
committer | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-10-08 09:08:04 -0400 |
commit | 5d98167a758eb5d410119d00ab0043d762c9db21 (patch) | |
tree | f64828e8adbe665aa3e3fdc7d8ccddb9c3aa2d15 /sepolicy/system_server.te | |
parent | 2582f9513d566da5903eeb3fa624221c5c2ff873 (diff) | |
download | mako-5d98167a758eb5d410119d00ab0043d762c9db21.tar.gz |
Complete qmux selinux policy.
First, relabeled qmux socket directories using a common label
which helped reduce the number of labels policy writers had to
follow. Then, introduced a macro to allow domains to easily
create and connect to qmux sockets under each qmux directory.
The macro creates a new type for each domain requesting a
qmux socket independent of the actual directory location.
Having a derived type from the creator of each socket will
slightly increase the total number of new types, but this
will also ensure that each domain can only delete their own
created socket. The following class of denials are addressed
by this switch.
denied { write } for pid=176 comm="mediaserver" name="qmux_connect_socket" dev="tmpfs" ino=6888 scontext=u:r:mediaserver:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { connectto } for pid=176 comm="mediaserver" path="/dev/socket/qmux_audio/qmux_connect_socket" scontext=u:r:mediaserver:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
Removed the unconfined constraint from qmux policy and
addressed the following denials.
* Allow qmux to create a connect socket under each
/dev/socket/qmux_* directory.
denied { write } for pid=179 comm="qmuxd" name="qmux_radio" dev="tmpfs" ino=7607 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { add_name } for pid=179 comm="qmuxd" name="qmux_connect_socket" scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { remove_name } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { create } for pid=179 comm="qmuxd" name="qmux_connect_socket" scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { setattr } for pid=179 comm="qmuxd" name="qmux_connect_socket" dev="tmpfs" ino=6656 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { getattr } for pid=179 comm="qmuxd" path=2F6465762F736F636B65742F716D75785F726164696F2F716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { unlink } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
* Node access to radio_device (/dev/hsicctl*)
denied { read write } for pid=179 comm="qmuxd" name="hsicctl0" dev="tmpfs" ino=5227 scontext=u:r:qmux:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { open } for pid=179 comm="qmuxd" name="hsicctl0" dev="tmpfs" ino=5227 scontext=u:r:qmux:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
* Allow logging diagnostic items to /dev/diag
denied { read write } for pid=179 comm="qmuxd" name="diag" dev="tmpfs" ino=7277 scontext=u:r:qmux:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
denied { open } for pid=179 comm="qmuxd" name="diag" dev="tmpfs" ino=7277 scontext=u:r:qmux:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
* Wake lock access
denied { append } for pid=179 comm="qmuxd" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:qmux:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
denied { open } for pid=180 comm="qmuxd" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:qmux:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
Change-Id: Icba85b2cc727e6743b32e775a49d29c77fb6dc61
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
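Several denials in the message above carry name= and path= values as bare hex, which is how the kernel audit code logs strings containing spaces. The sketch below is an added example, not code from this commit or from AOSP: it parses denial lines copied from the message, decodes those fields, and groups the denied permissions per source type, target type and class, in the spirit of audit2allow. The function names decode, parse and summarize are hypothetical.

```python
import re
from collections import defaultdict

# Denial lines copied from the commit message above.
SAMPLE = """\
denied { connectto } for pid=176 comm="mediaserver" path="/dev/socket/qmux_audio/qmux_connect_socket" scontext=u:r:mediaserver:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
denied { write } for pid=179 comm="qmuxd" name="qmux_radio" dev="tmpfs" ino=7607 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { add_name } for pid=179 comm="qmuxd" name="qmux_connect_socket" scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { remove_name } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { getattr } for pid=179 comm="qmuxd" path=2F6465762F736F636B65742F716D75785F726164696F2F716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { unlink } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
"""

PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; bare upper-case hex is an encoded string."""
    if value.startswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse(line):
    """Return the fields of one denial as a dict, or None for other lines."""
    m = PERMS.search(line)
    if not m:
        return None
    rec = dict(FIELD.findall(line))
    for key in ("comm", "name", "path"):  # only these are string-encoded
        if key in rec:
            rec[key] = decode(rec[key])
    rec["perms"] = m.group(1).split()
    return rec

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse, text.splitlines())):
        src, tgt = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The grouped output is a review aid for seeing which type pairs a set of denials touches; the commit itself addresses the client-side denials through a macro with per-domain derived types rather than raw allow rules on the shared label.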
Diffstat (limited to 'sepolicy/system_server.te')
-rw-r--r-- | sepolicy/system_server.te | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te index 0329ed9..3e8e1f6 100644 --- a/sepolicy/system_server.te +++ b/sepolicy/system_server.te @@ -4,5 +4,4 @@ allow system_server diag_device:chr_file rw_file_perms; # Grant access to Qualcomm MSM Interface (QMI) radio sockets to system services # (e.g., LocationManager) -allow system_server qmux_radio_socket:sock_file create_file_perms; -allow system_server qmux_radio_socket:dir rw_dir_perms; +qmux_socket(system_server) |
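Review bot: The comment kept above qmux_socket(system_server) still says the rule grants access to the QMI radio sockets, and the two removed rules were scoped to qmux_radio_socket only, but the commit message describes the macro as letting a domain create and connect to sockets under each qmux directory. If that is what the macro expands to, system_server gains reach beyond the radio directory, so either update the comment to say so or confirm that the wider scope is needed for system services such as LocationManager. The macro definition is not part of this file-limited diff, so the permissions it grants should be checked against the removed create_file_perms and rw_dir_perms before this lands.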