path: root/sepolicy/file_contexts
author Nick Kralevich <nnk@google.com> 2014-09-30 16:36:12 -0700
committer Nick Kralevich <nnk@google.com> 2014-09-30 17:04:52 -0700
commit 44212f049d4ac5807b10271953259cb2256146c4 (patch)
tree d2b74fc9e15ee78193f3f61271aaf0868d7ac5e9 /sepolicy/file_contexts
parent 509f0465985aa2217162b92f2ab598c35219923c (diff)
fix rild/capsense SELinux denials.

1) Due to bug 17682157, "\." isn't always acceptable in sepolicy/file_contexts. Avoid escaping the regex to work around the bug. The underlying bug is fixed in a future release. This was preventing /sys/devices/cycapsense_prog.1/cycapsense_fw from being properly labeled.

2) rild attempts to create /data/misc/audio_cutback/ for communication between rild and mediaserver. Have init create the directory on behalf of rild to avoid excessive permission grants on /data/misc. Allow rild access to that directory.

3) Allow mediaserver access to the socket at /data/misc/audio_cutback/cutback

4) Allow ril access to /sys/devices/mmi_sar_ctrl*/sar_wifi. This completes the change started in 0f415ff34909ac3b65ea3f28dbdf2a8dc8670f67

Addresses the following denials:

<12>[ 22.655119] type=1400 audit(2777946.169:5): avc: denied { write } for pid=543 comm="qmi_motext_hook" name="cycapsense_fw" dev="sysfs" ino=13269 scontext=u:r:rild:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
<12>[ 22.965722] type=1400 audit(1412117761.380:5): avc: denied { getattr } for pid=580 comm="qmi_motext_hook" path="/sys/devices/cycapsense_prog.1/cycapsense_fw" dev="sysfs" ino=13269 scontext=u:r:rild:s0 tcontext=u:object_r:sysfs_capsense_update:s0 tclass=file permissive=0
<12>[ 14.147898] type=1400 audit(1412118208.404:3): avc: denied { write } for pid=591 comm="rild" name="misc" dev="dm-0" ino=997473 scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
<12>[ 14.166523] type=1400 audit(1412118208.404:4): avc: denied { add_name } for pid=591 comm="rild" name="audio_cutback" scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
<12>[ 14.183771] type=1400 audit(1412118208.404:5): avc: denied { create } for pid=591 comm="rild" name="audio_cutback" scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
<12>[ 14.201716] type=1400 audit(1412118208.404:6): avc: denied { setattr } for pid=591 comm="rild" name="audio_cutback" dev="dm-0" ino=997520 scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
<12>[ 14.221157] type=1400 audit(1412118208.404:7): avc: denied { create } for pid=591 comm="rild" name="cutback" scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file permissive=1
<12>[ 14.269596] type=1400 audit(1412118208.404:8): avc: denied { setattr } for pid=591 comm="rild" name="cutback" dev="dm-0" ino=997521 scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file permissive=1
<12>[ 30.299898] type=1400 audit(1412118224.554:9): avc: denied { write } for pid=1007 comm="AudioOut_2" name="cutback" dev="dm-0" ino=997521 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file permissive=1
<12>[ 37.383431] type=1400 audit(1412097736.396:6): avc: denied { write } for pid=2126 comm="rild" name="sar_wifi" dev="sysfs" ino=13249 scontext=u:r:rild:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Change-Id: I4ee4046fdce174c043a8de18a64b7fcd31892aaf
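
Added example, not part of the commit or of the project's tooling: a small triage script over five of the denials quoted in the message above. It groups them by source type, target type and class, and marks those whose target is a widely shared type as candidates for a dedicated label (the approach this commit takes) rather than an allow rule. The BROAD_TYPES set and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Five of the denials quoted in the commit message (copied from the page).
DENIALS = """
<12>[ 14.147898] type=1400 audit(1412118208.404:3): avc: denied { write } for pid=591 comm="rild" name="misc" dev="dm-0" ino=997473 scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
<12>[ 14.183771] type=1400 audit(1412118208.404:5): avc: denied { create } for pid=591 comm="rild" name="audio_cutback" scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
<12>[ 30.299898] type=1400 audit(1412118224.554:9): avc: denied { write } for pid=1007 comm="AudioOut_2" name="cutback" dev="dm-0" ino=997521 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=sock_file permissive=1
<12>[ 37.383431] type=1400 audit(1412097736.396:6): avc: denied { write } for pid=2126 comm="rild" name="sar_wifi" dev="sysfs" ino=13249 scontext=u:r:rild:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
<12>[ 22.965722] type=1400 audit(1412117761.380:5): avc: denied { getattr } for pid=580 comm="qmi_motext_hook" path="/sys/devices/cycapsense_prog.1/cycapsense_fw" dev="sysfs" ino=13269 scontext=u:r:rild:s0 tcontext=u:object_r:sysfs_capsense_update:s0 tclass=file permissive=0
""".strip()

# Assumption for this example: types shared by many unrelated files, where an
# allow rule would grant far more than the one path the daemon needs.
BROAD_TYPES = {"sysfs", "system_data_file"}

AVC = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def triage(log):
    """Group denials by (source type, target type, class) and pick a fix."""
    perms = defaultdict(set)
    for line in log.splitlines():
        m = AVC.search(line)
        if m:
            key = (type_of(m["src"]), type_of(m["tgt"]), m["cls"])
            perms[key].update(m["perms"].split())
    return {
        key: (sorted(p), "relabel" if key[1] in BROAD_TYPES else "allow")
        for key, p in perms.items()
    }

if __name__ == "__main__":
    for (src, tgt, cls), (p, fix) in sorted(triage(DENIALS).items()):
        print(f"{fix:8} {src} -> {tgt}:{cls} {{ {' '.join(p)} }}")
```
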
Diffstat (limited to 'sepolicy/file_contexts')
-rw-r--r-- sepolicy/file_contexts 4
1 files changed, 3 insertions, 1 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 58ce4323..a7d83559 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -7,6 +7,7 @@
/data/misc/location/quipc(/.*)? u:object_r:quipc_data_file:s0
/data/ss-ram-dumps(/.*)? u:object_r:ram_dump_logs:s0
/data/adspd(/.*)? u:object_r:adspd_data_file:s0
+/data/misc/audio_cutback(/.*)? u:object_r:audio_cutback_data_file:s0
# TODO move out of /data/system
/data/system/dropbox-add(/.*)? u:object_r:dropbox_data_file:s0
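Review bot: The added /data/misc/audio_cutback(/.*)? entry only labels the directory when it is created or relabelled after this policy is in place, and the denials in the commit message (ino=997520 and ino=997521, permissive=1) show rild already created the directory and the cutback socket as system_data_file on at least one device. Please confirm that an existing directory is relabelled, for example with a restorecon_recursive on /data/misc/audio_cutback next to the init mkdir. Since the pattern puts both the directory and the socket under audio_cutback_data_file, the mediaserver rule can be limited to directory search and sock_file write on that type.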
@@ -144,4 +145,5 @@
/sys/bus/platform/drivers/xhci_msm_hsic(/.*)? u:object_r:sysfs_xhci_msm_hsic:s0
/sys/devices/msm_hsic_host/host_ready u:object_r:sysfs_msm_hsic_host:s0
-/sys/devices/cycapsense_prog\.1/cycapsense_fw u:object_r:sysfs_capsense_update:s0
+/sys/devices/cycapsense_prog.1/cycapsense_fw u:object_r:sysfs_capsense_update:s0
+/sys/devices/mmi_sar_ctrl.[0-9]*/sar_wifi u:object_r:sysfs_sar_wifi:s0
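Review bot: The unescaped "." in the two added /sys/devices lines matches any character, and "[0-9]*" in the mmi_sar_ctrl entry also matches zero digits, so both patterns are wider than the device names they target. The commit message explains this as a workaround for bug 17682157; a comment above these lines naming the bug would make it clear that the "\." should be restored once the fix lands. For the sar_wifi entry, "[0-9]+" would at least require the instance number.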