Age | Commit message | Author |
|
Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
|
|
Addressed the following denials.
Access camera and video dev nodes
denied { read write } for pid=212 comm="mm-qcamera-daem" name="video100" dev="tmpfs" ino=6414 scontext=u:r:camera:s0 tcontext=u:object_r:camera_device:s0 tclass=chr_file
denied { open } for pid=212 comm="mm-qcamera-daem" name="video100" dev="tmpfs" ino=6414 scontext=u:r:camera:s0 tcontext=u:object_r:camera_device:s0 tclass=chr_file
denied { ioctl } for pid=212 comm="mm-qcamera-daem" path="/dev/media0" dev="tmpfs" ino=6402 scontext=u:r:camera:s0 tcontext=u:object_r:camera_device:s0 tclass=chr_file
Create and access /data/cam_socket[01]
denied { create } for pid=2339 comm="mm-qcamera-daem" name="cam_socket0" scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file
denied { unlink } for pid=2773 comm="mm-qcamera-daem" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file
denied { write } for pid=2339 comm="mm-qcamera-daem" name="/" dev="mmcblk0p23" ino=2 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { add_name } for pid=2339 comm="mm-qcamera-daem" name="cam_socket0" scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { remove_name } for pid=2773 comm="mm-qcamera-daem" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
Connect to sensors socket (/data/app/sensor_ctl_socket).
denied { write } for pid=2378 comm="mm-qcamera-daem" name="/" dev="mmcblk0p23" ino=2 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { add_name } for pid=2378 comm="mm-qcamera-daem" name="cam_socket1" scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { unlink } for pid=2389 comm="mm-qcamera-daem" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file
Label and grant access to /data/fdAlbum
denied { read } for pid=2378 comm="mm-qcamera-daem" name="fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
denied { open } for pid=2378 comm="mm-qcamera-daem" name="fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
denied { getattr } for pid=2378 comm="mm-qcamera-daem" path="/data/fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
denied { write } for pid=2378 comm="mm-qcamera-daem" name="fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
Give mediaserver access to camera socket
denied { write } for pid=1148 comm="Binder_3" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:mediaserver:s0 tcontext=u:object_r:camera_socket:s0 tclass=sock_file
denied { sendto } for pid=1148 comm="Binder_3" path="/data/cam_socket0" scontext=u:r:mediaserver:s0 tcontext=u:r:camera:s0 tclass=unix_dgram_socket
Change-Id: I18433ab2cd55b3077a4fba55a99406d41141d2dd
|
|
file_contexts uses regexes, not globs, so use (/.*)? rather than /*
to match the directory and anything beneath it.
Since /data/misc/audio is not device-specific, move it to core sepolicy.
Consider renaming this type in the future to audio_data_file, but that
is left to a separate change as it will require a restorecon_recursive
on mako.
Change-Id: Ib8c96ab9e19d34e8e34a4c859528345763be4906
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
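The regex-versus-glob point in the commit message above, as an added example (not code from this repository). It assumes file_contexts patterns are matched anchored at both ends, applies the two spellings to /data/misc/audio, and uses a placeholder label `example_type` and constructed sample paths.

```python
import re

# The two spellings discussed in the commit message, applied to /data/misc/audio.
GLOB_STYLE = "/data/misc/audio/*"        # reads like a glob, but is parsed as a regex
REGEX_STYLE = "/data/misc/audio(/.*)?"   # directory itself plus anything beneath it

# Constructed sample paths (not taken from a device).
SAMPLE_PATHS = [
    "/data/misc/audio",
    "/data/misc/audio/",
    "/data/misc/audio/sample.bin",
    "/data/misc/audio/sub/dir/file",
    "/data/misc/audiofoo",
]

# Constructed file_contexts fragment; example_type is a placeholder label.
SAMPLE_FILE_CONTEXTS = """\
# constructed entries for illustration
/data/misc/audio/*       u:object_r:example_type:s0
/data/misc/audio(/.*)?   u:object_r:example_type:s0
"""


def matches(pattern, path):
    """Model anchored matching: the whole path must match the pattern."""
    return re.fullmatch(pattern, path) is not None


def coverage(pattern, paths=SAMPLE_PATHS):
    """Return the sample paths that would receive the entry's label."""
    return [p for p in paths if matches(pattern, p)]


def lint_file_contexts(text):
    """Flag entries whose pattern ends in '/*' and propose the regex form.

    As a regex, '/*' means "zero or more slashes", so files under the
    directory silently fall through to a less specific entry.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern = line.split()[0]
        if pattern.endswith("/*"):
            findings.append((lineno, pattern, pattern[:-2] + "(/.*)?"))
    return findings


if __name__ == "__main__":
    for pat in (GLOB_STYLE, REGEX_STYLE):
        print(pat, "->", coverage(pat))
    for finding in lint_file_contexts(SAMPLE_FILE_CONTEXTS):
        print("line %d: %s should be %s" % finding)
```
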
|
|
Addressed the following denials.
Allow sensors binary to change its own user and group.
denied { setgid } for pid=201 comm="sensors.qcom" capability=6 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability
denied { setuid } for pid=201 comm="sensors.qcom" capability=7 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability
Change owner of /data/misc/sensors/debug/ to nobody. Also
dontaudit the resulting fsetid.
denied { chown } for pid=201 comm="sensors.qcom" capability=0 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability
Log diagnostic items (/dev/diag)
denied { read write } for pid=208 comm="sensors.qcom" name="diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
denied { open } for pid=208 comm="sensors.qcom" name="diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
denied { ioctl } for pid=208 comm="sensors.qcom" path="/dev/diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
Create socket at /data/app/sensor_ctl_socket
denied { remove_name } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir
denied { unlink } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file
denied { add_name } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir
denied { create } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file
denied { setattr } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file
denied { write } for pid=209 comm="sensors.qcom" name="app" dev="mmcblk0p23" ino=24145 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir
Access /data/misc/sensors and /data/system/sensors
denied { getattr } for pid=204 comm="sensors.qcom" path="/data/misc/sensors" dev="mmcblk0p23" ino=313890 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
denied { setattr } for pid=216 comm="sensors.qcom" name="debug" dev="mmcblk0p23" ino=313897 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
denied { read append } for pid=216 comm="sensors.qcom" name="error_log" dev="mmcblk0p23" ino=313898 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=file
denied { open } for pid=216 comm="sensors.qcom" name="error_log" dev="mmcblk0p23" ino=313898 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=file
denied { write } for pid=204 comm="sensors.qcom" name="sensors" dev="mmcblk0p23" ino=313890 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
denied { add_name } for pid=204 comm="sensors.qcom" name="debug" scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
denied { create } for pid=204 comm="sensors.qcom" name="debug" scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
Access sensors dev nodes (/dev/msm_dsps,...)
denied { read } for pid=208 comm="sensors.qcom" name="msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file
denied { open } for pid=208 comm="sensors.qcom" name="msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file
denied { ioctl } for pid=299 comm="sensors.qcom" path="/dev/msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file
Access to persist files.
denied { search } for pid=328 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir
denied { getattr } for pid=328 comm="sensors.qcom" path="/persist/sensors/sns.reg" dev="mmcblk0p20" ino=15 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file
denied { read } for pid=304 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir
denied { open } for pid=304 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir
denied { write } for pid=304 comm="sensors.qcom" name="sns.reg" dev="mmcblk0p20" ino=15 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file
Write access to power management controls
denied { write } for pid=251 comm="sensors.qcom" name="cpu_dma_latency" dev="tmpfs" ino=7294 scontext=u:r:sensors:s0 tcontext=u:object_r:power_control_device:s0 tclass=chr_file
denied { open } for pid=251 comm="sensors.qcom" name="cpu_dma_latency" dev="tmpfs" ino=7294 scontext=u:r:sensors:s0 tcontext=u:object_r:power_control_device:s0 tclass=chr_file
Wake lock access
denied { append } for pid=208 comm="sensors.qcom" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
denied { open } for pid=227 comm="sensors.qcom" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
Give system server access to sensors socket
for PowerManagerService.
denied { connectto } for pid=536 comm="system_server" path="/data/app/sensor_ctl_socket" scontext=u:r:system_server:s0 tcontext=u:r:sensors:s0 tclass=unix_stream_socket
denied { write } for pid=527 comm="system_server" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:system_server:s0 tcontext=u:object_r:sensors_socket:s0 tclass=sock_file
Add groups radio and system to sensors binary. This allows us to
avoid dac_override denials with /dev/diag (radio) and
/sys/power/wake_lock (system). Change the permissions of
/dev/msm_dsps to 0660. This also allows us to avoid a dac_override
denial.
Change-Id: I9a8a5f1b981336db02d0a3e397d2f0791406fa9e
|
|
|
|
Addressed the following denials.
* Allow kickstart binary (/system/bin/qcks) to start
both efsks and ks binaries.
denied { execute_no_trans } for pid=169 comm="qcks" path="/system/bin/ks" dev="mmcblk0p21" ino=191 scontext=u:r:kickstart:s0 tcontext=u:object_r:kickstart_exec:s0 tclass=file
* Access modem driver (/dev/mdm)
denied { getattr } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { read } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { open } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { ioctl } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
* Read and write access to USB bridge driver
* Read and write to block device (mmcblk0p[89])
denied { getattr } for pid=170 comm="qcks" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { read } for pid=170 comm="qcks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { write } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { open } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { getattr } for pid=543 comm="ks" path="/dev/block/mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { write } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { open } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
denied { getattr } for pid=546 comm="ks" path="/dev/block/platform/msm_sdcc.1/by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
denied { write } for pid=546 comm="ks" name="by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
* Run dd from toolbox then write to /data/qcks
denied { execute } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { read open } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=510 comm="qcks" path="/system/bin/mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
* Read radio firmware files (/persist)
denied { getattr } for pid=170 comm="qcks" path="/firmware/image/efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
denied { read } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
denied { open } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
* Wake lock access
denied { append } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
denied { open } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
Change-Id: I689323422f9c5dd7898c385c9ce575bb5a9fd3af
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
|
Update the SELinux policy for mpdecision to get rid of denials
we're seeing.
Specifically:
1) mpdecision creates a socket in /dev/socket/pb . Make sure it's
labeled appropriately and we have write access to the parent
directory.
2) mpdecision manipulates /sys/devices/system/cpu/cpu?/* files.
Make sure they're labeled appropriately. But, see #3.
3) Files in /sys/devices/system/cpu/cpu?/* pop in and out of existence
as CPUs go online and offline. When that happens, they inherit
the default sysfs label. Allow write access to all sysfs labeled
files. :-(
4) Allow mpdecision to read system_server's /proc/PID/status file.
This change addresses the following denials.
<5>[ 6.251732] type=1400 audit(1382645684.953:8): avc: denied { write } for pid=185 comm="mpdecision" name="socket" dev="tmpfs" ino=8254 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 6.251884] type=1400 audit(1382645684.953:9): avc: denied { add_name } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 6.252067] type=1400 audit(1382645684.953:10): avc: denied { create } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 6.252281] type=1400 audit(1382645684.953:11): avc: denied { setattr } for pid=185 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 6.252403] type=1400 audit(1382645684.953:12): avc: denied { chown } for pid=185 comm="mpdecision" capability=0 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability
<5>[ 6.254082] type=1400 audit(1382645684.953:13): avc: denied { write } for pid=185 comm="mpdecision" name="online" dev="sysfs" ino=3184 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 7.820357] type=1400 audit(1382645686.515:14): avc: denied { write } for pid=199 comm="mpdecision" name="online" dev="sysfs" ino=3195 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 52.065862] type=1400 audit(1382645730.762:16): avc: denied { write } for pid=193 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 186.257836] type=1400 audit(1382645864.945:26): avc: denied { write } for pid=194 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 306.259423] type=1400 audit(1382645984.953:27): avc: denied { search } for pid=188 comm="mpdecision" name="626" dev="proc" ino=7662 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=dir
<5>[ 306.260155] type=1400 audit(1382645984.963:28): avc: denied { read } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 306.260796] type=1400 audit(1382645984.963:29): avc: denied { open } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 47.698092] type=1400 audit(1382661120.467:9): avc: denied { write } for pid=196 comm="mpdecision" name="scaling_min_freq" dev="sysfs" ino=18172 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I507ae4610b4bde433e05174ee96c2acf00cdc9ec
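An added example (not part of the commit or this repository) that groups AVC denials like the ones quoted above by source type, target type and class, and renders the literal allow rules they request. The sample lines are copied from the commit message; the output is a review aid in the style of audit2allow, not the policy this commit merged, and `flag_generic_targets` is a hypothetical helper that highlights grants on a default label such as `sysfs` (item 3 above).

```python
import re
from collections import defaultdict

# Lines copied from the commit message above.
SAMPLE_LOG = """
<5>[ 6.251732] type=1400 audit(1382645684.953:8): avc: denied { write } for pid=185 comm="mpdecision" name="socket" dev="tmpfs" ino=8254 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 6.251884] type=1400 audit(1382645684.953:9): avc: denied { add_name } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 6.252067] type=1400 audit(1382645684.953:10): avc: denied { create } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 6.252403] type=1400 audit(1382645684.953:12): avc: denied { chown } for pid=185 comm="mpdecision" capability=0 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability
<5>[ 6.254082] type=1400 audit(1382645684.953:13): avc: denied { write } for pid=185 comm="mpdecision" name="online" dev="sysfs" ino=3184 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 306.260155] type=1400 audit(1382645984.963:28): avc: denied { read } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 306.260796] type=1400 audit(1382645984.963:29): avc: denied { open } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def type_of(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["s"]), type_of(m["t"]), m["c"])
            grouped[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}


def render(rules):
    """Render allow statements in policy syntax, sorted for stable diffs."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        plist = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append("allow %s %s:%s %s;" % (src, target, cls, plist))
    return out


def flag_generic_targets(rules, generic=("sysfs",)):
    """Rules that would grant write on a default label need a closer look."""
    return sorted(k for k, perms in rules.items()
                  if k[1] in generic and "write" in perms)


if __name__ == "__main__":
    rules = denials_to_rules(SAMPLE_LOG)
    print("\n".join(render(rules)))
    print("review:", flag_generic_targets(rules))
```
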
|
|
Removed the unconfined constraint and
addressed the following denials.
* Talk to qmux socket (qmux_radio)
denied { write } for pid=178 comm="bridgemgrd" name="qmux_radio" dev="tmpfs" ino=7208 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { add_name } for pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { create } for pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { setattr } for pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 dev="tmpfs" ino=6685 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { write } for pid=178 comm="bridgemgrd" name="qmux_connect_socket" dev="tmpfs" ino=7890 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { connectto } for pid=178 comm="bridgemgrd" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:bridge:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
* Allow logging diagnostic items to /dev/diag
denied { read write } for pid=178 comm="bridgemgrd" name="diag" dev="tmpfs" ino=6329 scontext=u:r:bridge:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
denied { open } for pid=178 comm="bridgemgrd" name="diag" dev="tmpfs" ino=6329 scontext=u:r:bridge:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
* Listen for uevents concerning usb connections. Alert
RmNet SMD & SDIO function driver of the correct
transport via sysfs entry.
denied { create } for pid=178 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
denied { bind } for pid=178 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
denied { read } for pid=568 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
denied { write } for pid=179 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
denied { read write } for pid=627 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
denied { open } for pid=627 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
denied { getattr } for pid=627 comm="bridgemgrd" path="/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
Change-Id: Ife3c5691bfe5dd969b5766ca08cb8a1cb67f2a5b
|
|
Presently, the persist filesystem remains
unlabeled when mounted. This patch defines
types and file_context entries to label the
persist filesystem, and applies a recursive
restorecon to /persist.
Depends on Ia7fbcc82645baf52c6bff0490d3492f458881cbb.
Change-Id: I48eaa2b9901ac8c978192c14493ba1058a089423
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
|
First, relabeled qmux socket directories using a common label
which helped reduce the number of labels policy writers had to
follow. Then, introduced a macro to allow domains to easily
create and connect to qmux sockets under each qmux directory.
The macro creates a new type for each domain requesting a
qmux socket independent of the actual directory location.
Having a derived type from the creator of each socket will
slightly increase the total number of new types, but this
will also ensure that each domain can only delete their own
created socket. The following class of denials are addressed
by this switch.
denied { write } for pid=176 comm="mediaserver" name="qmux_connect_socket" dev="tmpfs" ino=6888 scontext=u:r:mediaserver:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { connectto } for pid=176 comm="mediaserver" path="/dev/socket/qmux_audio/qmux_connect_socket" scontext=u:r:mediaserver:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
Removed the unconfined constraint from qmux policy and
addressed the following denials.
* Allow qmux to create a connect socket under each
/dev/socket/qmux_* directory.
denied { write } for pid=179 comm="qmuxd" name="qmux_radio" dev="tmpfs" ino=7607 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { add_name } for pid=179 comm="qmuxd" name="qmux_connect_socket" scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { remove_name } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { create } for pid=179 comm="qmuxd" name="qmux_connect_socket" scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { setattr } for pid=179 comm="qmuxd" name="qmux_connect_socket" dev="tmpfs" ino=6656 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { getattr } for pid=179 comm="qmuxd" path=2F6465762F736F636B65742F716D75785F726164696F2F716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { unlink } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
* Node access to radio_device (/dev/hsicctl*)
denied { read write } for pid=179 comm="qmuxd" name="hsicctl0" dev="tmpfs" ino=5227 scontext=u:r:qmux:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
denied { open } for pid=179 comm="qmuxd" name="hsicctl0" dev="tmpfs" ino=5227 scontext=u:r:qmux:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
* Allow logging diagnostic items to /dev/diag
denied { read write } for pid=179 comm="qmuxd" name="diag" dev="tmpfs" ino=7277 scontext=u:r:qmux:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
denied { open } for pid=179 comm="qmuxd" name="diag" dev="tmpfs" ino=7277 scontext=u:r:qmux:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
* Wake lock access
denied { append } for pid=179 comm="qmuxd" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:qmux:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
denied { open } for pid=180 comm="qmuxd" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:qmux:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
Change-Id: Icba85b2cc727e6743b32e775a49d29c77fb6dc61
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
|
Change-Id: I68d55f78dacc672e918248f5f2ae884cde15befa
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
|
* Move certain services out of init's domain.
init's domain is unconfined and we should
be limiting those services that need to
run in init's context. For the new domains
introduced, keep them permissive and unconfined
for now until future policy work will individually
drop these constraints.
* Add context option to fstab when mounting
the firmware partition. This will ensure
proper labeling and not use the default vfat
label of sdcard_external.
* Use concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This
will allow sepolicy to exist in the vendor
directory.
Change-Id: I93c7413bf2a8ceb7589f059e754c4b2a787fdbaf
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
|
Change-Id: I9a0467b16e7b0a4f6ca41bdd1a76971a3771112a
|
|
NOTE: There appear to be no attempts to use GPS and Bluetooth
sockets. Thus, the sockets (and directories that contain them) have
been assigned their own type, but no grants have been added (yet).
Change-Id: I16ebf9f13238b224e7a629da8e6002f9cbcbfb8c
|
|
Change-Id: I7f1b1d26693dc5d4ed63f4b32e5538cec1dd9093
|