author | Keita Espinoza <clouddarkgenesis@gmail.com> | 2017-07-18 01:29:11 +0000 |
---|---|---|
committer | Steven Lay <arbiter1000@gmail.com> | 2017-08-04 14:12:08 +0000 |
commit | 3cbc628bb1a5b7ee0b5096c9c6390b843812cea1 (patch) | |
tree | e763bc515b15a9d221c3bf5db28f51bd6f20fcc9 | |
parent | 51a7e01103b10d88bda3f0dae87a69dd7ffa39f6 (diff) |
shinano: Rework In Device Diagnostics sepolicy
- Fix symlinking and reading denials for iddd and credmgrd
Change-Id: I786301f2cb4f2aaa76e8f5b96a036ada0563463b
-rw-r--r-- | sepolicy/credmgrd.te | 1 | ||||
-rw-r--r-- | sepolicy/file_contexts | 10 | ||||
-rw-r--r-- | sepolicy/idd.te | 2 | ||||
-rw-r--r-- | sepolicy/init.te | 1 | ||||
-rw-r--r-- | sepolicy/vold.te | 4 |
5 files changed, 10 insertions, 8 deletions
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 78db47a..b354cda 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -49,6 +49,7 @@ allow credmgrd iddd_file:dir search;
 allow credmgrd iddd_file:sock_file write;
 allow credmgrd iddd_file:unix_stream_socket connectto;
 allow credmgrd iddd_file:unix_dgram_socket sendto;
+allow credmgrd iddd_file:lnk_file { read };
 #/mnt/idd is tmpfs
 allow credmgrd tmpfs:dir search;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d817851..560f2b6 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -11,11 +11,11 @@
 # Hardware tunables
 /sys/devices/virtual/timed_output/vibrator/vtg_level -- u:object_r:sysfs_vibrator:s0
-#iddd
-/system/bin/iddd u:object_r:iddd_exec:s0
-/idd(/.*)? u:object_r:iddd_file:s0
-/mnt/idd u:object_r:iddd_file:s0
-/system/bin/idd-logreader u:object_r:iddd_exec:s0
+# In Device Diagnostics (idd)
+/system/bin/iddd u:object_r:iddd_exec:s0
+/system/bin/idd-logreader u:object_r:iddd_exec:s0
+/idd(/.*)? u:object_r:iddd_file:s0
+/mnt/idd u:object_r:iddd_file:s0
 # HCI
 /dev/ttyHS0 u:object_r:hci_attach_dev:s0
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 6ec0b3c..1c068d7 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -33,3 +33,5 @@ allow iddd proc:file { getattr open read };
 # Allow idd to read ro.semc
 allow iddd ta_prop:file { getattr open read };
+# Allow reading via symlink
+allow iddd iddd_file:lnk_file { read };
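Review bot: The added `allow credmgrd iddd_file:lnk_file { read };` carries no comment saying which symlink credmgrd needs to follow, while the neighbouring rule is annotated with `#/mnt/idd is tmpfs` and the idd.te addition in this same commit gets `# Allow reading via symlink`; a line such as `# Follow the symlink under the idd path (presumably /mnt/idd; confirm)` would keep the two files consistent. The rest of this file writes a single permission bare (`search`, `write`, `connectto`, `sendto`), so `allow credmgrd iddd_file:lnk_file read;` would match the local style. Since this grants credmgrd the ability to follow any symlink labelled iddd_file, it is worth recording in the comment which domain creates that link so the rule can be reviewed later.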
\ No newline at end of file
diff --git a/sepolicy/init.te b/sepolicy/init.te
index dd6d281..78e2f75 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -3,3 +3,4 @@ allow init hci_attach_dev:chr_file rw_file_perms;
 allow init brcm_uim_exec:file { execute getattr read open };
 allow init brcm_ldisc_sysfs:lnk_file { read };
 allow init uim:process { siginh noatsecure transition rlimitinh };
+allow init tmpfs:lnk_file { relabelfrom };
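Review bot: The new last line `allow iddd iddd_file:lnk_file { read };` is committed without a trailing newline (the `\ No newline at end of file` marker), whereas the old file ended with one, since `allow iddd ta_prop:file { getattr open read };` shows up as unchanged context; the init.te hunk in this commit has the same defect. Restoring the newline avoids a spurious modification of this line the next time a rule is appended. The comment `# Allow reading via symlink` could also name the link being followed, for example `# Allow iddd to follow the symlink at its data path (presumably /mnt/idd; confirm)`, since the file_contexts change is the only hint here about which path is a symlink.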
\ No newline at end of file
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index dc3885b..0881f15 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,10 +1,8 @@
 allow vold diag_data_file:dir { read open ioctl };
 allow vold tee_prop:file { getattr open read };
 allow vold firmware_file:file { getattr open read };
-allow vold iddd_file:dir { open read };
+allow vold iddd_file:dir { open read ioctl };
 allow vold tee_device:unix_stream_socket connectto;
 allow vold tee_device:sock_file write;
-allow vold iddd_file:dir read;
 allow vold tee_device:unix_stream_socket connectto;
 allow vold tee_device:sock_file write;
- |
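Review bot: `allow init tmpfs:lnk_file { relabelfrom };` lets init relabel every symlink currently labelled tmpfs, and the hunk shows neither the matching `relabelto` target type nor which link triggers the denial, so a later reader cannot tell whether the rule is still required. A comment naming the link and its destination label, e.g. `# restorecon of the symlink under /mnt (presumably /mnt/idd -> iddd_file; confirm)`, would tie the rule to the file_contexts entry that appears to motivate it. The enclosing file is only three lines of context here, so any existing relabelto rule may simply sit outside the hunk.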
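Review bot: The hunk removes the duplicate `allow vold iddd_file:dir read;` but leaves `allow vold tee_device:unix_stream_socket connectto;` and `allow vold tee_device:sock_file write;` stated twice in the new file (they appear as context both before and after the removed line); the second pair should go in the same cleanup. The widened rule `allow vold iddd_file:dir { open read ioctl };` has no comment explaining which ioctl vold issues on the directory, and the rule on line 1 grants the same `dir ioctl` on diag_data_file with no explanation either. If this policy level supports `allowxperm`, scoping the directory ioctl to the specific command would be tighter than an unrestricted `ioctl`; otherwise a one-line comment naming the operation is the minimum a future reviewer needs.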