From 7da4b4ffcdc81be6029507bc5094fccebbc30141 Mon Sep 17 00:00:00 2001 
From: DerfElot Date: Sun, 2 Apr 2017 20:19:27 +0200 Subject: shinano-common: fix several selinux denials when it is set to enforced (from logcat and dmesg): 04-01 22:29:40.566 W/macaddrsetup(362): type=1400 audit(0.0:302): avc: denied { dac_override } for capability=1 scontext=u:r:addrsetup:s0 tcontext=u:r:addrsetup:s0 tclass=capability permissive=0 04-01 22:31:46.119 W/credmgrd(333): type=1400 audit(0.0:380): avc: denied { search } for name="suntory" dev="tmpfs" ino=6960 scontext=u:r:credmgrd:s0 tcontext=u:object_r:suntrold_sock_socket:s0 tclass=dir permissive=0 04-01 22:31:46.123 W/credmgrd(333): type=1400 audit(0.0:381): avc: denied { search } for name="/" dev="tmpfs" ino=7367 scontext=u:r:credmgrd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 04-01 22:31:41.186 W/iddd (12977): type=1400 audit(0.0:378): avc: denied { search } for name="/" dev="tmpfs" ino=7367 scontext=u:r:iddd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 04-01 22:31:46.249 W/scd (13064): type=1400 audit(0.0:382): avc: denied { getattr } for path="/dev/socket/scd/scd.sock" dev="tmpfs" ino=9384 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0 04-02 01:54:06.328 W/scd (7200): type=1400 audit(0.0:47): avc: denied { remove_name } for name="scd.sock" dev="tmpfs" ino=8437 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=dir permissive=0 04-02 02:36:47.050 W/scd (6544): type=1400 audit(0.0:53): avc: denied { unlink } for name="scd.sock" dev="tmpfs" ino=8369 scontext=u:r:scd:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0 04-02 03:09:36.677 W/scd (7902): type=1400 audit(0.0:72): avc: denied { search } for name="scd" dev="mmcblk0p25" ino=382769 scontext=u:r:scd:s0 tcontext=u:object_r:scd_data:s0 tclass=dir permissive=0 04-02 03:42:10.207 W/excal:HalCtrl(6497): type=1400 audit(0.0:16): avc: denied { write } for name="current1" dev="sysfs" ino=19887 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs:s0 
tclass=file permissive=0 [ 29.029135] type=1400 audit(7343886.976:11): avc: denied { search } for pid=365 comm="mm-qcamera-daem" name="etc" dev="mmcblk0p25" ino=716673 scontext=u:r:mm-qcamerad:s0 tcontext=u:object_r:ta_data_file:s0 tclass=dir permissive=0 [ 27.905847] type=1400 audit(7343885.850:6): avc: denied { search } for pid=254 comm="wvkbd" name="suntory" dev="tmpfs" ino=7537 scontext=u:r:wv:s0 tcontext=u:object_r:suntrold_sock_socket:s0 tclass=dir permissive=0 04-02 13:20:48.566 W/excal:ExposureC(7212): type=1400 audit(0.0:18): avc: denied { search } for name="battery" dev="sysfs" ino=18957 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=dir permissive=0 04-02 14:03:30.945 W/excal:ExposureC(6244): type=1400 audit(0.0:14): avc: denied { read } for name="voltage_now" dev="sysfs" ino=18973 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 14:35:55.034 W/excal:ExposureC(6197): type=1400 audit(0.0:17): avc: denied { open } for name="voltage_now" dev="sysfs" ino=18870 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 15:05:29.858 W/excal:ExposureC(5947): type=1400 audit(0.0:15): avc: denied { getattr } for path="/sys/devices/qpnp-charger-14/power_supply/battery/technology" dev="sysfs" ino=18969 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_battery_supply:s0 tclass=file permissive=0 04-02 17:38:33.610 W/Binder:5021_3(5299): type=1400 audit(0.0:11): avc: denied { read } for name="/" dev="tmpfs" ino=6614 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0 04-02 18:27:24.996 W/Binder:5251_1(5266): type=1400 audit(0.0:13): avc: denied { open } for name="/" dev="tmpfs" ino=7203 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0 Change-Id: Ifbc5ef57cadea4d3f35d52dce23c1b56966bd981
---
 sepolicy/addrsetup.te | 2 ++
 sepolicy/credmgrd.te | 2 ++
 sepolicy/file_contexts | 9 +++++++++
 sepolicy/idd.te | 1 +
 sepolicy/priv_app.te | 1 +
 sepolicy/workarounds.te | 17 ++++++++---------
 6 files changed, 23 insertions(+), 9 deletions(-)
 create mode 100644 sepolicy/priv_app.te
diff --git a/sepolicy/addrsetup.te b/sepolicy/addrsetup.te
index 773acef..805450c 100644
--- a/sepolicy/addrsetup.te
+++ b/sepolicy/addrsetup.te
@@ -10,6 +10,8 @@ unix_socket_connect(addrsetup, tad, tad)
 allow addrsetup bluetooth_data_file:dir rw_dir_perms;
 allow addrsetup bluetooth_data_file:file create_file_perms;
+allow addrsetup self:capability dac_override;
+
 allow addrsetup sysfs_addrsetup:file rw_file_perms;
 allow addrsetup urandom_device:file read;
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 9a26a89..9e9df9e 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -40,6 +40,7 @@ allow credmgrd mm-qcamerad:unix_stream_socket connectto;
 allow credmgrd tee_device:chr_file rw_file_perms;
 #credmgrd suntrold
+allow credmgrd suntrold_sock_socket:dir search;
 allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
 allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
 allow credmgrd suntrold_sock_socket:sock_file write;
@@ -54,6 +55,7 @@ allow credmgrd iddd_file:unix_dgram_socket sendto;
 #/mnt/idd is tmpfs
+allow credmgrd tmpfs:dir search;
 allow credmgrd tmpfs:lnk_file read;
 #credmgrd ion
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index ef24289..9f2d734 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
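Review bot: `allow addrsetup self:capability dac_override;` in the addrsetup.te hunk grants the domain a blanket DAC bypass on every object its type-enforcement rules already reach, which is wider than the single `capability=1` denial from macaddrsetup it answers. The narrower fix is to correct the owner/mode of whichever file macaddrsetup opens under the wrong DAC identity — the hunk's own `bluetooth_data_file` and `sysfs_addrsetup` rules suggest one of those — so that no capability is needed at all; if the failing access turns out to be read/search only, `dac_read_search` is the smaller permission to try before `dac_override`. At minimum the rule deserves a comment naming the path that triggered it, e.g. `# macaddrsetup accesses <PATH-FROM-DENIAL> as a non-owner uid; prefer fixing DAC perms`.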
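Review bot: `allow credmgrd tmpfs:dir search;` in the second credmgrd.te hunk is written against the generic `tmpfs` type rather than the mount it is for; the comment above it says `#/mnt/idd is tmpfs`, and the audit lines show the denial on `name="/"` of a tmpfs. Any tmpfs mount that carries no more specific label shares that type, so the rule reaches beyond /mnt/idd; `search` alone is low impact, but since `tmpfs:lnk_file read` is already granted and more is likely to follow, giving the /mnt/idd mount its own type (a `context=` mount option or a relabel after mount) and allowing that type keeps the daemon scoped to the one directory. The idd.te hunk adds the identical `allow iddd tmpfs:dir search;` and has the same shape.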
@@ -49,3 +49,12 @@
 # macaddrsetup
 /system/bin/macaddrsetup u:object_r:addrsetup_exec:s0
 /sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0
+
+#KGSL
+/sys/devices/fdb00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_thermal:s0
+/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk u:object_r:sysfs_thermal:s0
+/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/reset_count u:object_r:sysfs_thermal:s0
+
+# ZRAM
+/sys/devices/virtual/block/zram0/mm_stat u:object_r:sysfs_zram:s0
+
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 5d7a3f7..1a59cc4 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -43,3 +43,4 @@ allow iddd iddd_exec:file execute_no_trans;
 allow iddd iddd_file:dir create;
 allow iddd proc:file { getattr open read };
+allow iddd tmpfs:dir search;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..2adfc0e
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1 @@
+allow priv_app device:dir { open read };
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index b026b37..7b0b6ab 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -11,11 +11,9 @@ allow qti_init_shell tad:unix_stream_socket connectto;
 allow qti_init_shell tad_socket:sock_file write;
 allow qti_init_shell toolbox_exec:file entrypoint;
-
 #============= mm-qcamerad ==============
 allow mm-qcamerad camera_device:chr_file { ioctl open read write };
-allow mm-qcamerad ta_data_file:dir { getattr open read };
-
+allow mm-qcamerad ta_data_file:dir { getattr open read search };
 #============= thermanager ==============
 allow thermanager sysfs:file { open read };
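Review bot: The first KGSL entry in the file_contexts hunk, `/sys/devices/fdb00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk`, differs from the two lines below it: it lacks the `(/soc\.0)?` optional prefix and leaves the `.` unescaped, so on a kernel that exposes the node under `/soc.0` the `gpuclk` file keeps the default sysfs label while `max_gpuclk` and `reset_count` receive `sysfs_thermal`. Writing it as `/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_thermal:s0` matches its siblings. The KGSL and ZRAM labels also answer none of the denials quoted in the commit message, so a sentence in the description saying why they ride along (and confirming that `sysfs_thermal` and `sysfs_zram` are declared elsewhere in the policy, which this diff does not show) would help the next reader.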
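Review bot: `allow priv_app device:dir { open read };` in the new priv_app.te lets every app running in the priv_app domain list /dev, while the denials it answers (the two Binder threads with `scontext=u:r:priv_app:s0:c512,c768`, apparently one app given the shared categories) come from a single unidentified app. Listing /dev reveals which device nodes and sockets are present, so if one vendor app needs it the tighter option is a dedicated domain for that app rather than a rule on the shared domain. The file also has no comment at all; a header such as `# <APP-NAME> enumerates /dev — see the priv_app denials in the commit message` would record why the rule exists, and it is worth confirming the rule passes the platform neverallow checks at build time before relying on it.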
@@ -23,15 +21,16 @@ allow thermanager sysfs_battery_supply:dir search;
 allow thermanager sysfs_battery_supply:file { open read write };
 #============= scd ==============
-allow scd scd_data:dir getattr;
+allow scd scd_data:dir { getattr search };
 allow scd scd_data:file { getattr open read write };
-allow scd socket_device:dir { add_name write };
-allow scd socket_device:sock_file { create setattr };
+allow scd socket_device:dir { add_name remove_name write };
+allow scd socket_device:sock_file { create getattr setattr unlink write };
 allow scd sysfs:file { getattr open read };
 #============= wv ==============
 allow wv ion_device:chr_file { ioctl open read };
 allow wv suntrold:unix_stream_socket connectto;
+allow wv suntrold_sock_socket:dir search;
 allow wv suntrold_sock_socket:sock_file write;
 allow wv tad:unix_stream_socket connectto;
 allow wv tad_socket:sock_file write;
@@ -39,11 +38,11 @@ allow wv tee_device:chr_file { ioctl open read write };
 #============= mediaserver ==============
 allow mediaserver sensorservice_service:service_manager find;
+allow mediaserver sysfs:file write;
+allow mediaserver sysfs_battery_supply:dir search;
+allow mediaserver sysfs_battery_supply:file { getattr open read };
 allow mediaserver ta_data_file:dir { getattr open read };
 #============= rmt_storage ==============
 allow rmt_storage self:capability dac_override;
-#============= scd ==============
-allow scd socket_device:sock_file write;
-
-- cgit v1.2.3
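Review bot: `allow scd socket_device:sock_file { create getattr setattr unlink write };` together with `allow scd socket_device:dir { add_name remove_name write };` lets scd create and unlink any socket file that carries the generic `socket_device` label under /dev/socket, not only its own; the audit line puts the socket at `/dev/socket/scd/scd.sock`, so labeling that directory with a type of its own in file_contexts (say `scd_socket`, a name chosen here only for illustration) and granting these permissions on that type confines the daemon to its socket. The `@@ -39,11 +38,11 @@` hunk has the same shape: `allow mediaserver sysfs:file write;` permits writes to every sysfs node still carrying the default `sysfs` label, whereas the denial names only `current1`; labeling that node (its full path is not in the log) with a specific type and allowing that keeps mediaserver, which handles untrusted media, from writing other sysfs files. Both rules would also read better with a one-line comment citing the denial they answer, e.g. `# scd creates/removes /dev/socket/scd/scd.sock itself`.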