authorDerfElot <frederic.koch@gmail.com>2017-04-02 20:19:27 +0200
committerDerfElot <frederic.koch@gmail.com>2017-04-05 02:15:18 +0200
commit7da4b4ffcdc81be6029507bc5094fccebbc30141 (patch)
tree9a0bcf3cdeae41cb26af1b616e2fb7ca92adbf64
parent095fa56bfc35ad63ea06c086f58f7c3ff0a8eb6d (diff)
shinano-common: fix several selinux denials
when it is set to enforced (from logcat and dmesg): 04-01 22:29:40.566 W/macaddrsetup(362): type=1400 audit(0.0:302): avc: denied { dac_override } for capability=1 scontext=u:r:addrsetup:s0 tcontext=u:r:addrsetup:s0 tclass=capability permissive=0 04-01 22:31:46.119 W/credmgrd(333): type=1400 audit(0.0:380): avc: denied { search } for name="suntory" dev="tmpfs" ino=6960 scontext=u:r:credmgrd:s0 tcontext=u:object_r:suntrold_sock_socket:s0 tclass=dir permissive=0 04-01 22:31:46.123 W/credmgrd(333): type=1400 audit(0.0:381): avc: denied { search } for name="/" dev="tmpfs" ino=7367 scontext=u:r:credmgrd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 04-01 22:31:41.186 W/iddd (12977): type=1400 audit(0.0:378): avc: denied { search } for name="/" dev="tmpfs" ino=7367 scontext=u:r:iddd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 04-01 22:31:46.249 W/scd (13064): type=1400 audit(0.0:382): avc: denied { getattr } for path="/dev/socket/scd/scd.sock" dev="tmpfs" ino=9384 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0 04-02 01:54:06.328 W/scd (7200): type=1400 audit(0.0:47): avc: denied { remove_name } for name="scd.sock" dev="tmpfs" ino=8437 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=dir permissive=0 04-02 02:36:47.050 W/scd (6544): type=1400 audit(0.0:53): avc: denied { unlink } for name="scd.sock" dev="tmpfs" ino=8369 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0 04-02 03:09:36.677 W/scd (7902): type=1400 audit(0.0:72): avc: denied { search } for name="scd" dev="mmcblk0p25" ino=382769 scontext=u:r:scd:s0 tcontext=u:object_r:scd_data:s0 tclass=dir permissive=0 04-02 03:42:10.207 W/excal:HalCtrl(6497): type=1400 audit(0.0:16): avc: denied { write } for name="current1" dev="sysfs" ino=19887 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 29.029135] type=1400 audit(7343886.976:11): avc: denied { search } for pid=365 
comm="mm-qcamera-daem" name="etc" dev="mmcblk0p25" ino=716673 scontext=u:r:mm-qcamerad:s0 tcontext=u:object_r:ta_data_file:s0 tclass=dir permissive=0 [ 27.905847] type=1400 audit(7343885.850:6): avc: denied { search } for pid=254 comm="wvkbd" name="suntory" dev="tmpfs" ino=7537 scontext=u:r:wv:s0 tcontext=u:object_r:suntrold_sock_socket:s0 tclass=dir permissive=0 04-02 13:20:48.566 W/excal:ExposureC(7212): type=1400 audit(0.0:18): avc: denied { search } for name="battery" dev="sysfs" ino=18957 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=dir permissive=0 04-02 14:03:30.945 W/excal:ExposureC(6244): type=1400 audit(0.0:14): avc: denied { read } for name="voltage_now" dev="sysfs" ino=18973 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 14:35:55.034 W/excal:ExposureC(6197): type=1400 audit(0.0:17): avc: denied { open } for name="voltage_now" dev="sysfs" ino=18870 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 15:05:29.858 W/excal:ExposureC(5947): type=1400 audit(0.0:15): avc: denied { getattr } for path="/sys/devices/qpnp-charger-14/power_supply/battery/technology" dev="sysfs" ino=18969 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 17:38:33.610 W/Binder:5021_3(5299): type=1400 audit(0.0:11): avc: denied { read } for name="/" dev="tmpfs" ino=6614 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0 04-02 18:27:24.996 W/Binder:5251_1(5266): type=1400 audit(0.0:13): avc: denied { open } for name="/" dev="tmpfs" ino=7203 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0 Change-Id: Ifbc5ef57cadea4d3f35d52dce23c1b56966bd981
-rw-r--r--sepolicy/addrsetup.te2
-rw-r--r--sepolicy/credmgrd.te2
-rw-r--r--sepolicy/file_contexts9
-rw-r--r--sepolicy/idd.te1
-rw-r--r--sepolicy/priv_app.te1
-rw-r--r--sepolicy/workarounds.te17
6 files changed, 23 insertions, 9 deletions
diff --git a/sepolicy/addrsetup.te b/sepolicy/addrsetup.te
index 773acef..805450c 100644
--- a/sepolicy/addrsetup.te
+++ b/sepolicy/addrsetup.te
@@ -10,6 +10,8 @@ unix_socket_connect(addrsetup, tad, tad)
allow addrsetup bluetooth_data_file:dir rw_dir_perms;
allow addrsetup bluetooth_data_file:file create_file_perms;
+allow addrsetup self:capability dac_override;
+
allow addrsetup sysfs_addrsetup:file rw_file_perms;
allow addrsetup urandom_device:file read;
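Review bot: `allow addrsetup self:capability dac_override;` on the new line lets the domain bypass owner/group/mode checks on every file its type rules already reach, which is a much wider grant than the single access that produced the denial. The audit line quoted in the message (`capability=1`, no path) does not say which file was involved; the usual root cause is a file or directory owned by a different uid than the daemon runs as — plausibly one under bluetooth_data_file, given the adjacent rules, but that is a guess — and fixing the ownership in the init script or fs config removes the denial without the capability. If the capability turns out to be genuinely required, keep a comment next to it naming the path, e.g. `# dac_override: macaddrsetup writes <PATH-PLACEHOLDER>, owned by <UID-PLACEHOLDER> — TODO confirm`.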
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 9a26a89..9e9df9e 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -40,6 +40,7 @@ allow credmgrd mm-qcamerad:unix_stream_socket connectto;
allow credmgrd tee_device:chr_file rw_file_perms;
#credmgrd suntrold
+allow credmgrd suntrold_sock_socket:dir search;
allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
allow credmgrd suntrold_sock_socket:sock_file write;
@@ -54,6 +55,7 @@ allow credmgrd iddd_file:unix_dgram_socket sendto;
#/mnt/idd is tmpfs
+allow credmgrd tmpfs:dir search;
allow credmgrd tmpfs:lnk_file read;
#credmgrd ion
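Review bot: `allow credmgrd tmpfs:dir search;` (and the identical rule added for iddd in idd.te) is scoped to the catch-all `tmpfs` type, so it covers every tmpfs mount that has not been given its own label, not only /mnt/idd named in the comment above it. If /mnt/idd is the only tmpfs these two domains traverse, giving that mount point a dedicated type (set when it is mounted, or restored by the rc that creates it) would keep both rules limited to it; I have not seen the mount setup, so this is a suggestion to check rather than a known gap. Failing that, the existing `#/mnt/idd is tmpfs` comment is the right place to state that only `search` is intended there.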
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index ef24289..9f2d734 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -49,3 +49,12 @@
# macaddrsetup
/system/bin/macaddrsetup u:object_r:addrsetup_exec:s0
/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0
+
+#KGSL
+/sys/devices/fdb00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_thermal:s0
+/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk u:object_r:sysfs_thermal:s0
+/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/reset_count u:object_r:sysfs_thermal:s0
+
+# ZRAM
+/sys/devices/virtual/block/zram0/mm_stat u:object_r:sysfs_zram:s0
+
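Review bot: The first KGSL entry, `/sys/devices/fdb00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk`, is missing the optional `(/soc\.0)?` component and the escaped dot that the two lines after it use, so on a kernel that exposes the device under soc.0 `gpuclk` would keep the default sysfs label while `max_gpuclk` and `reset_count` are relabeled; file_contexts entries are regular expressions, so the unescaped `.` also matches any character. Suggested line: `/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_thermal:s0`. None of the denials quoted in the commit message mention these KGSL or ZRAM nodes, so a short comment on which domain reads them (the `#KGSL` / `# ZRAM` headers could carry it) would make the labels easier to audit later.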
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 5d7a3f7..1a59cc4 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -43,3 +43,4 @@ allow iddd iddd_exec:file execute_no_trans;
allow iddd iddd_file:dir create;
allow iddd proc:file { getattr open read };
+allow iddd tmpfs:dir search;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..2adfc0e
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1 @@
+allow priv_app device:dir { open read };
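Review bot: `allow priv_app device:dir { open read };` grants directory listing of /dev to every privileged app on the device, while the two denials in the commit message (Binder threads in `u:r:priv_app:s0:c512,c768`, `name="/" tcontext=u:object_r:device:s0`) come from one unidentified app. Since this is a new file with no comment, it would help to record which app needs the listing and why, e.g. `# <APP-PLACEHOLDER> lists /dev (avc: denied { read open } for name="/" tcontext=u:object_r:device:s0)`, and to check whether that app can be moved to its own domain or its behaviour changed so that the allow is not needed at all. I would also confirm the rule does not collide with a platform neverallow on app domains reading `device:dir`; I have not verified that against the base policy in use here.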
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index b026b37..7b0b6ab 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -11,11 +11,9 @@ allow qti_init_shell tad:unix_stream_socket connectto;
allow qti_init_shell tad_socket:sock_file write;
allow qti_init_shell toolbox_exec:file entrypoint;
-
#============= mm-qcamerad ==============
allow mm-qcamerad camera_device:chr_file { ioctl open read write };
-allow mm-qcamerad ta_data_file:dir { getattr open read };
-
+allow mm-qcamerad ta_data_file:dir { getattr open read search };
#============= thermanager ==============
allow thermanager sysfs:file { open read };
@@ -23,15 +21,16 @@ allow thermanager sysfs_battery_supply:dir search;
allow thermanager sysfs_battery_supply:file { open read write };
#============= scd ==============
-allow scd scd_data:dir getattr;
+allow scd scd_data:dir { getattr search };
allow scd scd_data:file { getattr open read write };
-allow scd socket_device:dir { add_name write };
-allow scd socket_device:sock_file { create setattr };
+allow scd socket_device:dir { add_name remove_name write };
+allow scd socket_device:sock_file { create getattr setattr unlink write };
allow scd sysfs:file { getattr open read };
#============= wv ==============
allow wv ion_device:chr_file { ioctl open read };
allow wv suntrold:unix_stream_socket connectto;
+allow wv suntrold_sock_socket:dir search;
allow wv suntrold_sock_socket:sock_file write;
allow wv tad:unix_stream_socket connectto;
allow wv tad_socket:sock_file write;
@@ -39,11 +38,11 @@ allow wv tee_device:chr_file { ioctl open read write };
#============= mediaserver ==============
allow mediaserver sensorservice_service:service_manager find;
+allow mediaserver sysfs:file write;
+allow mediaserver sysfs_battery_supply:dir search;
+allow mediaserver sysfs_battery_supply:file { getattr open read };
allow mediaserver ta_data_file:dir { getattr open read };
#============= rmt_storage ==============
allow rmt_storage self:capability dac_override;
-#============= scd ==============
-allow scd socket_device:sock_file write;
-
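Review bot: `allow mediaserver sysfs:file write;` is write access to every sysfs file carrying the generic `sysfs` label, but the denial it answers (`name="current1" dev="sysfs"`, from excal:HalCtrl) is for a single node. The same commit already shows the narrower pattern in file_contexts: label the specific node with its own type and allow mediaserver write on that type only, replacing this line with something like `allow mediaserver sysfs_<NODE-PLACEHOLDER>:file write;` once the full path of `current1` is known. The battery-supply rules on the following two lines are already scoped to `sysfs_battery_supply` and need no change.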