path: root/sepolicy/file.te
Age | Commit message | Author
2014-06-03 | Add contextmount_type attribute to types used for context= mounts. | Stephen Smalley
    Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-12 | Merge "Improve camera selinux policy." | Nick Kralevich
2013-11-12 | Improve camera selinux policy. | Robert Craig
    Addressed the following denials.
    Access camera and video dev nodes
        denied { read write } for pid=212 comm="mm-qcamera-daem" name="video100" dev="tmpfs" ino=6414 scontext=u:r:camera:s0 tcontext=u:object_r:camera_device:s0 tclass=chr_file
        denied { open } for pid=212 comm="mm-qcamera-daem" name="video100" dev="tmpfs" ino=6414 scontext=u:r:camera:s0 tcontext=u:object_r:camera_device:s0 tclass=chr_file
        denied { ioctl } for pid=212 comm="mm-qcamera-daem" path="/dev/media0" dev="tmpfs" ino=6402 scontext=u:r:camera:s0 tcontext=u:object_r:camera_device:s0 tclass=chr_file
    Create and access /data/cam_socket[01]
        denied { create } for pid=2339 comm="mm-qcamera-daem" name="cam_socket0" scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file
        denied { unlink } for pid=2773 comm="mm-qcamera-daem" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file
        denied { write } for pid=2339 comm="mm-qcamera-daem" name="/" dev="mmcblk0p23" ino=2 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
        denied { add_name } for pid=2339 comm="mm-qcamera-daem" name="cam_socket0" scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
        denied { remove_name } for pid=2773 comm="mm-qcamera-daem" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
    Connect to sensors socket (/data/app/sensor_ctl_socket).
        denied { write } for pid=2378 comm="mm-qcamera-daem" name="/" dev="mmcblk0p23" ino=2 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
        denied { add_name } for pid=2378 comm="mm-qcamera-daem" name="cam_socket1" scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
        denied { unlink } for pid=2389 comm="mm-qcamera-daem" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:camera:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file
    Label and grant access to /data/fdAlbum
        denied { read } for pid=2378 comm="mm-qcamera-daem" name="fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
        denied { open } for pid=2378 comm="mm-qcamera-daem" name="fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
        denied { getattr } for pid=2378 comm="mm-qcamera-daem" path="/data/fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
        denied { write } for pid=2378 comm="mm-qcamera-daem" name="fdAlbum" dev="mmcblk0p23" ino=15 scontext=u:r:camera:s0 tcontext=u:object_r:camera_calibration_file:s0 tclass=file
    Give mediaserver access to camera socket
        denied { write } for pid=1148 comm="Binder_3" name="cam_socket0" dev="mmcblk0p23" ino=14 scontext=u:r:mediaserver:s0 tcontext=u:object_r:camera_socket:s0 tclass=sock_file
        denied { sendto } for pid=1148 comm="Binder_3" path="/data/cam_socket0" scontext=u:r:mediaserver:s0 tcontext=u:r:camera:s0 tclass=unix_dgram_socket
    Change-Id: I18433ab2cd55b3077a4fba55a99406d41141d2dd
2013-11-06 | Move audio_firmware_file and /data/misc/audio entry to core sepolicy. | Stephen Smalley
    file_contexts uses regexes, not globs, so use (/.*)? rather than /* to match the directory and anything beneath it.
    Since /data/misc/audio is not device-specific, move it to core sepolicy.
    Consider renaming this type in the future to audio_data_file, but that is left to a separate change as it will require a restorecon_recursive on mako.
    Change-Id: Ib8c96ab9e19d34e8e34a4c859528345763be4906
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-06 | Improve sensors selinux policy. | Robert Craig
    Addressed the following denials.
    Allow sensors binary to change its own user and group.
        denied { setgid } for pid=201 comm="sensors.qcom" capability=6 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability
        denied { setuid } for pid=201 comm="sensors.qcom" capability=7 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability
    Change owner of /data/misc/sensors/debug/ to nobody. Also dontaudit the resulting fsetid.
        denied { chown } for pid=201 comm="sensors.qcom" capability=0 scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=capability
    Log diagnostic items (/dev/diag)
        denied { read write } for pid=208 comm="sensors.qcom" name="diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
        denied { open } for pid=208 comm="sensors.qcom" name="diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
        denied { ioctl } for pid=208 comm="sensors.qcom" path="/dev/diag" dev="tmpfs" ino=6256 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
    Create socket at /data/app/sensor_ctl_socket
        denied { remove_name } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir
        denied { unlink } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file
        denied { add_name } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir
        denied { create } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file
        denied { setattr } for pid=209 comm="sensors.qcom" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=sock_file
        denied { write } for pid=209 comm="sensors.qcom" name="app" dev="mmcblk0p23" ino=24145 scontext=u:r:sensors:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir
    Access /data/misc/sensors and /data/system/sensors
        denied { getattr } for pid=204 comm="sensors.qcom" path="/data/misc/sensors" dev="mmcblk0p23" ino=313890 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
        denied { setattr } for pid=216 comm="sensors.qcom" name="debug" dev="mmcblk0p23" ino=313897 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
        denied { read append } for pid=216 comm="sensors.qcom" name="error_log" dev="mmcblk0p23" ino=313898 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=file
        denied { open } for pid=216 comm="sensors.qcom" name="error_log" dev="mmcblk0p23" ino=313898 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=file
        denied { write } for pid=204 comm="sensors.qcom" name="sensors" dev="mmcblk0p23" ino=313890 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
        denied { add_name } for pid=204 comm="sensors.qcom" name="debug" scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
        denied { create } for pid=204 comm="sensors.qcom" name="debug" scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
    Access sensors dev nodes (/dev/msm_dsps,...)
        denied { read } for pid=208 comm="sensors.qcom" name="msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file
        denied { open } for pid=208 comm="sensors.qcom" name="msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file
        denied { ioctl } for pid=299 comm="sensors.qcom" path="/dev/msm_dsps" dev="tmpfs" ino=6324 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file
    Access to persist files.
        denied { search } for pid=328 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir
        denied { getattr } for pid=328 comm="sensors.qcom" path="/persist/sensors/sns.reg" dev="mmcblk0p20" ino=15 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file
        denied { read } for pid=304 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir
        denied { open } for pid=304 comm="sensors.qcom" name="sensors" dev="mmcblk0p20" ino=14 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir
        denied { write } for pid=304 comm="sensors.qcom" name="sns.reg" dev="mmcblk0p20" ino=15 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file
    Write access to power management controls
        denied { write } for pid=251 comm="sensors.qcom" name="cpu_dma_latency" dev="tmpfs" ino=7294 scontext=u:r:sensors:s0 tcontext=u:object_r:power_control_device:s0 tclass=chr_file
        denied { open } for pid=251 comm="sensors.qcom" name="cpu_dma_latency" dev="tmpfs" ino=7294 scontext=u:r:sensors:s0 tcontext=u:object_r:power_control_device:s0 tclass=chr_file
    Wake lock access
        denied { append } for pid=208 comm="sensors.qcom" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
        denied { open } for pid=227 comm="sensors.qcom" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
    Give system server access to sensors socket for PowerManagerService.
        denied { connectto } for pid=536 comm="system_server" path="/data/app/sensor_ctl_socket" scontext=u:r:system_server:s0 tcontext=u:r:sensors:s0 tclass=unix_stream_socket
        denied { write } for pid=527 comm="system_server" name="sensor_ctl_socket" dev="mmcblk0p23" ino=24146 scontext=u:r:system_server:s0 tcontext=u:object_r:sensors_socket:s0 tclass=sock_file
    Add groups radio and system to sensors binary. This allows us to avoid dac_override denials with /dev/diag (radio) and /sys/power/wake_lock (system).
    Change the permissions of /dev/msm_dsps to 0660. This also allows us to avoid a dac_override denial.
    Change-Id: I9a8a5f1b981336db02d0a3e397d2f0791406fa9e
2013-10-30 | Merge "Improve kickstart selinux policy." | Nick Kralevich
2013-10-30 | Improve kickstart selinux policy. | Robert Craig
    Addressed the following denials.
    * Allow kickstart binary (/system/bin/qcks) to start both efsks and ks binaries.
        denied { execute_no_trans } for pid=169 comm="qcks" path="/system/bin/ks" dev="mmcblk0p21" ino=191 scontext=u:r:kickstart:s0 tcontext=u:object_r:kickstart_exec:s0 tclass=file
    * Access modem driver (/dev/mdm)
        denied { getattr } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
        denied { read } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
        denied { open } for pid=169 comm="qcks" name="mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
        denied { ioctl } for pid=169 comm="qcks" path="/dev/mdm" dev="tmpfs" ino=6302 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
    * Read and write access to USB bridge driver
    * Read and write to block device (mmcblk0p[89])
        denied { getattr } for pid=170 comm="qcks" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
        denied { read } for pid=170 comm="qcks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
        denied { write } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
        denied { open } for pid=543 comm="ks" name="mmcblk0p8" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
        denied { getattr } for pid=543 comm="ks" path="/dev/block/mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
        denied { write } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
        denied { open } for pid=543 comm="ks" name="mmcblk0p9" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file
        denied { getattr } for pid=546 comm="ks" path="/dev/block/platform/msm_sdcc.1/by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
        denied { write } for pid=546 comm="ks" name="by-name" dev="tmpfs" ino=6505 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=dir
    * Run dd from toolbox then write to /data/qcks
        denied { execute } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
        denied { read open } for pid=510 comm="qcks" name="mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
        denied { execute_no_trans } for pid=510 comm="qcks" path="/system/bin/mksh" dev="mmcblk0p21" ino=208 scontext=u:r:kickstart:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
    * Read radio firmware files (/persist)
        denied { getattr } for pid=170 comm="qcks" path="/firmware/image/efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
        denied { read } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
        denied { open } for pid=170 comm="qcks" name="efs1.mbn" dev="mmcblk0p1" ino=17 scontext=u:r:kickstart:s0 tcontext=u:object_r:radio_efs_file:s0 tclass=file
    * Wake lock access
        denied { append } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
        denied { open } for pid=543 comm="ks" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
    Change-Id: I689323422f9c5dd7898c385c9ce575bb5a9fd3af
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-10-25 | mpdecision: address denials. | Nick Kralevich
    Update the SELinux policy for mpdecision to get rid of denials we're seeing. Specifically:
    1) mpdecision creates a socket in /dev/socket/pb. Make sure it's labeled appropriately and we have write access to the parent directory.
    2) mpdecision manipulates /sys/devices/system/cpu/cpu?/* files. Make sure they're labeled appropriately. But, see #3.
    3) Files in /sys/devices/system/cpu/cpu?/* pop in and out of existence as CPUs go online and offline. When that happens, they inherit the default sysfs label. Allow write access to all sysfs labeled files. :-(
    4) Allow mpdecision to read system_server's /proc/PID/status file.
    This change addresses the following denials.
        <5>[ 6.251732] type=1400 audit(1382645684.953:8): avc: denied { write } for pid=185 comm="mpdecision" name="socket" dev="tmpfs" ino=8254 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
        <5>[ 6.251884] type=1400 audit(1382645684.953:9): avc: denied { add_name } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
        <5>[ 6.252067] type=1400 audit(1382645684.953:10): avc: denied { create } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
        <5>[ 6.252281] type=1400 audit(1382645684.953:11): avc: denied { setattr } for pid=185 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
        <5>[ 6.252403] type=1400 audit(1382645684.953:12): avc: denied { chown } for pid=185 comm="mpdecision" capability=0 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability
        <5>[ 6.254082] type=1400 audit(1382645684.953:13): avc: denied { write } for pid=185 comm="mpdecision" name="online" dev="sysfs" ino=3184 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
        <5>[ 7.820357] type=1400 audit(1382645686.515:14): avc: denied { write } for pid=199 comm="mpdecision" name="online" dev="sysfs" ino=3195 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
        <5>[ 52.065862] type=1400 audit(1382645730.762:16): avc: denied { write } for pid=193 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
        <5>[ 186.257836] type=1400 audit(1382645864.945:26): avc: denied { write } for pid=194 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
        <5>[ 306.259423] type=1400 audit(1382645984.953:27): avc: denied { search } for pid=188 comm="mpdecision" name="626" dev="proc" ino=7662 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=dir
        <5>[ 306.260155] type=1400 audit(1382645984.963:28): avc: denied { read } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
        <5>[ 306.260796] type=1400 audit(1382645984.963:29): avc: denied { open } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
        <5>[ 47.698092] type=1400 audit(1382661120.467:9): avc: denied { write } for pid=196 comm="mpdecision" name="scaling_min_freq" dev="sysfs" ino=18172 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
    Change-Id: I507ae4610b4bde433e05174ee96c2acf00cdc9ec
2013-10-15 | Improve bridgemgrd selinux policy. | Robert Craig
    Removed the unconfined constraint and addressed the following denials.
    * Talk to qmux socket (qmux_radio)
        denied { write } for pid=178 comm="bridgemgrd" name="qmux_radio" dev="tmpfs" ino=7208 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
        denied { add_name } for pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
        denied { create } for pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
        denied { setattr } for pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 dev="tmpfs" ino=6685 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
        denied { write } for pid=178 comm="bridgemgrd" name="qmux_connect_socket" dev="tmpfs" ino=7890 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
        denied { connectto } for pid=178 comm="bridgemgrd" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:bridge:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
    * Allow logging diagnostic items to /dev/diag
        denied { read write } for pid=178 comm="bridgemgrd" name="diag" dev="tmpfs" ino=6329 scontext=u:r:bridge:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
        denied { open } for pid=178 comm="bridgemgrd" name="diag" dev="tmpfs" ino=6329 scontext=u:r:bridge:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
    * Listen for uevents concerning usb connections. Alert RmNet SMD & SDIO function driver of the correct transport via sysfs entry.
        denied { create } for pid=178 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
        denied { bind } for pid=178 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
        denied { read } for pid=568 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
        denied { write } for pid=179 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
        denied { read write } for pid=627 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
        denied { open } for pid=627 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
        denied { getattr } for pid=627 comm="bridgemgrd" path="/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
    Change-Id: Ife3c5691bfe5dd969b5766ca08cb8a1cb67f2a5b
2013-10-10 | Apply SELinux labels to the persist filesystem. | Robert Craig
    Presently, the persist filesystem remains unlabeled when mounted. This patch defines types and file_context entries to label the persist filesystem, and applies a recursive restorecon to /persist.
    Depends on Ia7fbcc82645baf52c6bff0490d3492f458881cbb.
    Change-Id: I48eaa2b9901ac8c978192c14493ba1058a089423
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-10-08 | Complete qmux selinux policy. | Robert Craig
    First, relabeled qmux socket directories using a common label which helped reduce the number of labels policy writers had to follow. Then, introduced a macro to allow domains to easily create and connect to qmux sockets under each qmux directory. The macro creates a new type for each domain requesting a qmux socket independent of the actual directory location. Having a derived type from the creator of each socket will slightly increase the total number of new types, but this will also ensure that each domain can only delete their own created socket.
    The following class of denials are addressed by this switch.
        denied { write } for pid=176 comm="mediaserver" name="qmux_connect_socket" dev="tmpfs" ino=6888 scontext=u:r:mediaserver:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
        denied { connectto } for pid=176 comm="mediaserver" path="/dev/socket/qmux_audio/qmux_connect_socket" scontext=u:r:mediaserver:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
    Removed the unconfined constraint from qmux policy and addressed the following denials.
    * Allow qmux to create a connect socket under each /dev/socket/qmux_* directory.
        denied { write } for pid=179 comm="qmuxd" name="qmux_radio" dev="tmpfs" ino=7607 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
        denied { add_name } for pid=179 comm="qmuxd" name="qmux_connect_socket" scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
        denied { remove_name } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
        denied { create } for pid=179 comm="qmuxd" name="qmux_connect_socket" scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
        denied { setattr } for pid=179 comm="qmuxd" name="qmux_connect_socket" dev="tmpfs" ino=6656 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
        denied { getattr } for pid=179 comm="qmuxd" path=2F6465762F736F636B65742F716D75785F726164696F2F716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
        denied { unlink } for pid=179 comm="qmuxd" name=716D75785F636C69656E745F736F636B657420202020313730 dev="tmpfs" ino=5261 scontext=u:r:qmux:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
    * Node access to radio_device (/dev/hsicctl*)
        denied { read write } for pid=179 comm="qmuxd" name="hsicctl0" dev="tmpfs" ino=5227 scontext=u:r:qmux:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
        denied { open } for pid=179 comm="qmuxd" name="hsicctl0" dev="tmpfs" ino=5227 scontext=u:r:qmux:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
    * Allow logging diagnostic items to /dev/diag
        denied { read write } for pid=179 comm="qmuxd" name="diag" dev="tmpfs" ino=7277 scontext=u:r:qmux:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
        denied { open } for pid=179 comm="qmuxd" name="diag" dev="tmpfs" ino=7277 scontext=u:r:qmux:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
    * Wake lock access
        denied { append } for pid=179 comm="qmuxd" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:qmux:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
        denied { open } for pid=180 comm="qmuxd" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:qmux:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
    Change-Id: Icba85b2cc727e6743b32e775a49d29c77fb6dc61
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-09-27 | Better selinux device node labeling. | Robert Craig
    Change-Id: I68d55f78dacc672e918248f5f2ae884cde15befa
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-09-26 | Improve sepolicy labeling and domain confinement. | Robert Craig
    * Move certain services out of init's domain. init's domain is unconfined and we should be limiting those services that need to run in init's context. For the new domains introduced, keep them permissive and unconfined for now until future policy work will individually drop these constraints.
    * Add context option to fstab when mounting the firmware partition. This will ensure proper labeling and not use the default vfat label of sdcard_external.
    * Use concatenation versus assignment when making policy declarations inside BoardConfig.mk. This will allow sepolicy to exist in the vendor directory.
    Change-Id: I93c7413bf2a8ceb7589f059e754c4b2a787fdbaf
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-05-02 | SELinux policy for accessing audio firmware files. | Alex Klyubin
    Change-Id: I9a0467b16e7b0a4f6ca41bdd1a76971a3771112a
2013-05-02 | SELinux policy for Qualcomm QMI QMUX sockets. | Alex Klyubin
    NOTE: There appear to be no attempts to use GPS and Bluetooth sockets. Thus, the sockets (and directories that contain them) have been assigned their own type, but no grants have been added (yet).
    Change-Id: I16ebf9f13238b224e7a629da8e6002f9cbcbfb8c
2013-05-01 | Add policy support for the qmux sockets. | repo sync
    Change-Id: I7f1b1d26693dc5d4ed63f4b32e5538cec1dd9093