author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-10-22 08:10:14 -0400 |
---|---|---|
committer | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-10-30 11:37:23 -0400 |
commit | 14cd1b2d3abc3f33c431ca202868bf3c2714a015 (patch) | |
tree | e3a97ab4200e9345309b9b65c096d6e2108a070b /sepolicy | |
parent | d86e0c23edf97b436bfe15cf207e9dee3714c644 (diff) | |
Improve kickstart selinux policy.
Addressed the following denials.
* Allow kickstart binary (/system/bin/qcks) to start
both efsks and ks binaries.
denied { execute_no_trans } for pid=169 comm="qcks" path="/system/bin/ks" dev="mmcblk0p21" ino=191 scontext=u:r:kickstart:s0 tcontext=u:object_r:kickstart_exec:s0 tclass=file
* Access modem driver (/dev/mdm)
denied { getattr } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { read } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { open } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { ioctl } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
* Read and write access to USB bridge driver
* Read and write to block device (mmcblk0p[89])
denied { getattr } for pid=170 comm="qcks" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { read } for pid=170 comm="qcks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { write } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { open } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { getattr } for pid=543 comm="ks" path="/dev/block/mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { write } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { open } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { getattr } for pid=546 comm="ks" path="/dev/block/platform/msm_sdcc.1/by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
denied { write } for pid=546 comm="ks" name="by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
* Run dd from toolbox then write to /data/qcks
denied { execute } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { read open } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=510 comm="qcks" path="/system/bin/mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
* Read radio firmware files (/persist)
denied { getattr } for pid=170 comm="qcks" path="/firmware/image/efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
denied { read } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
denied { open } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
* Wake lock access
denied { append } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
denied { open } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
Change-Id: I689323422f9c5dd7898c385c9ce575bb5a9fd3af
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/device.te | 3 | ||||
-rw-r--r-- | sepolicy/file.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 7 | ||||
-rw-r--r-- | sepolicy/kickstart.te | 36 |
4 files changed, 45 insertions, 3 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te index a8c6747..1a204d6 100644 --- a/sepolicy/device.te +++ b/sepolicy/device.te @@ -15,3 +15,6 @@ type kickstart_device, dev_type; # SMD device, used by hci_qcomm_init type smd_device, dev_type; + +# Radio related block device +type efs_block_device, dev_type;
\ No newline at end of file diff --git a/sepolicy/file.te b/sepolicy/file.te index 6a7b06d..089d03c 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -1,6 +1,8 @@ # Qualcomm MSM Interface (QMI) socket type qmuxd_socket, file_type; +type kickstart_data_file, file_type, data_file_type; + type mpdecision_socket, file_type; type audio_firmware_file, file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index bf1e4c8..bd1b1d9 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -43,6 +43,9 @@ /dev/ttyHS0 u:object_r:hci_attach_dev:s0 /dev/ttyMSM0 u:object_r:hci_attach_dev:s0 +# Serial-to-Usb support +/dev/ttyUSB0 u:object_r:radio_device:s0 + # Jpeg Engine support /dev/gemini.* u:object_r:camera_device:s0 # MSM camera related @@ -75,7 +78,11 @@ /system/bin/efsks u:object_r:kickstart_exec:s0 /system/bin/ks u:object_r:kickstart_exec:s0 +# Block labeling +/dev/block/mmcblk0p[89] u:object_r:efs_block_device:s0 + /data/nfc(/.*)? u:object_r:nfc_data_file:s0 +/data/qcks(/.*)? u:object_r:kickstart_data_file:s0 /system/bin/hci_qcomm_init u:object_r:hci_exec:s0 /system/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0 diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te index f4a4a26..da77e61 100644 --- a/sepolicy/kickstart.te +++ b/sepolicy/kickstart.te 
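Review bot: The new `/dev/ttyUSB0 u:object_r:radio_device:s0` entry in the first sepolicy/file_contexts hunk (-43,6 +43,9) labels a dynamically numbered node by a fixed name, and none of the denials quoted in the commit message references it. ttyUSB numbers are assigned in enumeration order, so whichever usb-serial device registers first would receive `radio_device` and become reachable by every domain granted that type; on this board that is presumably always the modem bridge, but the entry should say so. I would extend the comment to something like `# Serial-to-USB bridge to the modem; assumes it is the only usb-serial device and enumerates as ttyUSB0`. Note also that kickstart.te grants only `r_file_perms` on `radio_device:chr_file`, so if ks writes to this node the access will be denied once the domain leaves permissive.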
@@ -1,5 +1,35 @@
+# kickstart processes and scripts (system process)
 type kickstart, domain;
-permissive kickstart;
 type kickstart_exec, file_type, exec_type;
-domain_auto_trans(init, kickstart_exec, kickstart)
-unconfined_domain(kickstart)
+
+permissive kickstart;
+
+init_daemon_domain(kickstart)
+
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+
+# Let qcks access /dev/mdm node (modem driver)
+allow kickstart radio_device:chr_file r_file_perms;
+
+# Access USB host ks bridge drivers
+allow kickstart kickstart_device:chr_file rw_file_perms;
+
+# Read and write to /dev/block/mmcblk0p[89]
+allow kickstart efs_block_device:blk_file rw_file_perms;
+allow kickstart block_device:dir { getattr write search };
+
+# Write contents of block device to kickstart data dir
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+
+# Read radio firmware file(s)
+allow kickstart radio_efs_file:dir search;
+allow kickstart radio_efs_file:file r_file_perms;
+
+# Run dd from toolbox on firmware files
+allow kickstart shell_exec:file rx_file_perms;
+allow kickstart system_file:file execute_no_trans;
+
+# Wake lock access
+allow kickstart sysfs_wake_lock:file { open append }; |
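Review bot: `allow kickstart shell_exec:file rx_file_perms;` together with `allow kickstart system_file:file execute_no_trans;` lets mksh and every `system_file`-labelled binary run inside the kickstart domain, which the same hunk gives `rw_file_perms` on `efs_block_device:blk_file`. The denials quoted in the commit message only show qcks executing `/system/bin/mksh` in order to run dd, so the grant is wider than the logged need; a comment such as `# TODO: qcks shells out to toolbox dd; move this into a dedicated labelled helper so arbitrary system_file binaries need not run with EFS write access` would record that. `allow kickstart block_device:dir { getattr write search };` is derived from a single `write` denial on the by-name directory and, without `add_name`/`remove_name`, cannot change directory entries, so it is worth checking whether ks really needs it or whether `dontaudit kickstart block_device:dir write;` would do. Because `permissive kickstart;` is kept, none of these rules has been exercised under enforcement yet.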