authorRobert Craig <rpcraig@tycho.ncsc.mil>2013-10-22 08:10:14 -0400
committerRobert Craig <rpcraig@tycho.ncsc.mil>2013-10-30 11:37:23 -0400
commit14cd1b2d3abc3f33c431ca202868bf3c2714a015 (patch)
treee3a97ab4200e9345309b9b65c096d6e2108a070b /sepolicy
parentd86e0c23edf97b436bfe15cf207e9dee3714c644 (diff)
Improve kickstart selinux policy.
Addressed the following denials. * Allow kickstart binary (/system/bin/qcks) to start both efsks and ks binaries. denied { execute_no_trans } for pid=169 comm="qcks" path="/system/bin/ks" dev="mmcblk0p21" ino=191 scontext=u:r:kickstart:s0 tcontext=u:object_r:kickstart_exec:s0 tclass=file * Access modem driver (/dev/mdm) denied { getattr } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file denied { read } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file denied { open } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file denied { ioctl } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file * Read and write access to USB bridge driver * Read and write to block device (mmcblk0p[89]) denied { getattr } for pid=170 comm="qcks" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { read } for pid=170 comm="qcks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { write } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { open } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { getattr } for pid=543 comm="ks" path="/dev/block/mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { write } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 
tclass=blk_file denied { open } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file denied { getattr } for pid=546 comm="ks" path="/dev/block/platform/msm_sdcc.1/by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir denied { write } for pid=546 comm="ks" name="by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir * Run dd from toolbox then write to /data/qcks denied { execute } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { read open } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file denied { execute_no_trans } for pid=510 comm="qcks" path="/system/bin/mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file * Read radio firmware files (/persist) denied { getattr } for pid=170 comm="qcks" path="/firmware/image/efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file denied { read } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file denied { open } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file * Wake lock access denied { append } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file denied { open } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file Change-Id: I689323422f9c5dd7898c385c9ce575bb5a9fd3af Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/device.te3
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/file_contexts7
-rw-r--r--sepolicy/kickstart.te36
4 files changed, 45 insertions, 3 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te
index a8c6747..1a204d6 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -15,3 +15,6 @@ type kickstart_device, dev_type;
# SMD device, used by hci_qcomm_init
type smd_device, dev_type;
+
+# Radio related block device
+type efs_block_device, dev_type;
\ No newline at end of file
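Review bot: `sepolicy/device.te` now ends without a trailing newline, as the `\ No newline at end of file` marker after `type efs_block_device, dev_type;` shows. Policy sources are usually concatenated before compilation, so depending on how the build joins them, this declaration could run into the first line of the next file. Ending the file with a newline removes that risk.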
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 6a7b06d..089d03c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,6 +1,8 @@
# Qualcomm MSM Interface (QMI) socket
type qmuxd_socket, file_type;
+type kickstart_data_file, file_type, data_file_type;
+
type mpdecision_socket, file_type;
type audio_firmware_file, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index bf1e4c8..bd1b1d9 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -43,6 +43,9 @@
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
/dev/ttyMSM0 u:object_r:hci_attach_dev:s0
+# Serial-to-Usb support
+/dev/ttyUSB0 u:object_r:radio_device:s0
+
# Jpeg Engine support
/dev/gemini.* u:object_r:camera_device:s0
# MSM camera related
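Review bot: The new `/dev/ttyUSB0` entry reuses `radio_device`, the label the quoted denials show on `/dev/mdm`, so every domain allowed on `radio_device:chr_file` elsewhere in policy gets the same access to the USB serial node. None of the denials in the commit message names ttyUSB0, so the reason for this label is not visible here. A dedicated type would keep the grant narrow; failing that, the comment should say who opens the node, e.g. `# Serial-to-USB node opened by <process>; shares radio_device with /dev/mdm`.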
@@ -75,7 +78,11 @@
/system/bin/efsks u:object_r:kickstart_exec:s0
/system/bin/ks u:object_r:kickstart_exec:s0
+# Block labeling
+/dev/block/mmcblk0p[89] u:object_r:efs_block_device:s0
+
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/qcks(/.*)? u:object_r:kickstart_data_file:s0
/system/bin/hci_qcomm_init u:object_r:hci_exec:s0
/system/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0
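Review bot: `/dev/block/mmcblk0p[89]` selects the partitions by index, and the `# Block labeling` comment does not say what they hold. If the partition layout ever differs, a different partition would receive `efs_block_device`, on which kickstart.te in this commit grants `rw_file_perms`. A more specific comment would make the intent checkable, e.g. `# Radio EFS block devices (mmcblk0p8, mmcblk0p9) read and written by qcks/ks`.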
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
index f4a4a26..da77e61 100644
--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -1,5 +1,35 @@
+# kickstart processes and scripts (system process)
type kickstart, domain;
-permissive kickstart;
type kickstart_exec, file_type, exec_type;
-domain_auto_trans(init, kickstart_exec, kickstart)
-unconfined_domain(kickstart)
+
+permissive kickstart;
+
+init_daemon_domain(kickstart)
+
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+
+# Let qcks access /dev/mdm node (modem driver)
+allow kickstart radio_device:chr_file r_file_perms;
+
+# Access USB host ks bridge drivers
+allow kickstart kickstart_device:chr_file rw_file_perms;
+
+# Read and write to /dev/block/mmcblk0p[89]
+allow kickstart efs_block_device:blk_file rw_file_perms;
+allow kickstart block_device:dir { getattr write search };
+
+# Write contents of block device to kickstart data dir
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+
+# Read radio firmware file(s)
+allow kickstart radio_efs_file:dir search;
+allow kickstart radio_efs_file:file r_file_perms;
+
+# Run dd from toolbox on firmware files
+allow kickstart shell_exec:file rx_file_perms;
+allow kickstart system_file:file execute_no_trans;
+
+# Wake lock access
+allow kickstart sysfs_wake_lock:file { open append };
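Review bot: `allow kickstart system_file:file execute_no_trans;` together with `allow kickstart shell_exec:file rx_file_perms;` lets the shell and any `system_file`-labelled binary run inside the kickstart domain, which this hunk also gives `rw_file_perms` on `efs_block_device:blk_file`. The quoted denials only show `mksh` being executed for the `dd` copy. If the helper cannot get its own label (presumably toolbox carries `system_file`), record that constraint next to the rule, e.g. `# toolbox has no dedicated label; needed only for dd into /data/qcks`. `block_device:dir` also receives `write` without `add_name` or `remove_name`, so it is worth confirming that ks needs it rather than `dontaudit kickstart block_device:dir write;`. The domain stays `permissive`, so none of these rules is enforced yet.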