sanders: sepolicy: Fix more denials

2018-01-22 20:53:55 -02:00
parent b237828d88
commit 2081af0064
12 changed files with 43 additions and 15 deletions
--- a/rootdir/etc/init.mmi.boot.sh
+++ b/rootdir/etc/init.mmi.boot.sh
@@ -25,7 +25,6 @@ rev="p${hw%??}$minor1$minor2"
 rev2=`echo $rev | tr '[:upper:]' '[:lower:]'`

 setprop ro.boot.hardware.revision $rev2
-setprop ro.hw.revision $rev2
 unset hw cinfo m1 m2 minor1 minor2

 # Let kernel know our image version/variant/crm_version
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -0,0 +1,7 @@
+allow bootanim hwservicemanager:binder call;
+
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on wahoo since this functionality is not used.
+dontaudit bootanim system_data_file:dir read;
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -0,0 +1 @@
+allow cnd system_wpa_socket:sock_file { unlink };
--- a/sepolicy/hal_drm_default.te
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,2 @@
+allow hal_drm_default firmware_file:lnk_file read;
+allow hal_drm_default debug_prop:file read;
--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
@@ -1,4 +1,19 @@
 binder_call(hal_gnss_qti, servicemanager);
 get_prop(hal_gnss_qti, diag_prop);
 allow hal_gnss_qti per_mgr_service_old:service_manager find;
+allow hal_gnss_qti debug_prop:file read;
+allow hal_gnss_qti property_socket:sock_file write;

+# Most HALs are not allowed to use network sockets. Qcom library
+# libqdi is used across multiple processes which are clients of
+# netmgrd including the GNSS HAL. libqdi first attempts to get the network
+# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
+# If that fails, it falls back to using libc's if_nameindex() which requires
+# a netlink route socket, which HALs may use. Due to the initial
+# attempt to use a UDP socket, we still see a selinux denial,
+# but it is safe to ignore.
+# TODO (b/37730994) Remove udp_socket requirement from
+# libqdi and have all its clients use netlink route
+# sockets.
+# Taken from device/google/wahoo
+dontaudit hal_gnss_qti self:udp_socket create;
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -39,7 +39,6 @@ allow init self:capability sys_nice;

 allow init bt_firmware_file:filesystem { associate };
 allow init firmware_file:filesystem { associate };
-allow init firmware_file:dir mounton;

 allow init sensors_device:chr_file { rw_file_perms create };

--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -5,3 +5,4 @@ allow netmgrd self:capability dac_override;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netd_socket:sock_file write;
 allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
+r_dir_file(netmgrd, net_data_file)
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,8 +1,9 @@
-binder_call(platform_app, hal_sensors_default);
-
-allow platform_app isdbt_device:chr_file rw_file_perms;
-allow platform_app rootfs:dir getattr;
-
-allow platform_app init:unix_stream_socket { read write };
-allow platform_app hal_sensors_default:unix_stream_socket { read write };
-
+get_prop(platform_app, camera_prop);
+binder_call(platform_app, hal_sensors_default);
+
+allow platform_app rootfs:dir getattr;
+
+allow platform_app init:unix_stream_socket { read write };
+allow platform_app hal_sensors_default:unix_stream_socket { read write };
+
+allow platform_app qemu_hw_mainkeys_prop:file {getattr open read};
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,2 +1,4 @@
 allow priv_app device:dir r_dir_perms;
 allow priv_app persist_file:filesystem getattr;
+allow priv_app proc_interrupts:file { open read getattr };
+allow priv_app proc_modules:file { open read getattr };
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,5 +1,5 @@
-hw.aov.disable_hotword  u:object_r:adspd_prop:s0
-hw.aov.hotword_dsp_path u:object_r:adspd_prop:s0
-hw.motosh.booted        u:object_r:motosh_prop:s0
-ro.hw.revision          u:object_r:hw_rev_prop:s0
-hw.touch.status         u:object_r:touch_prop:s0
+hw.aov.disable_hotword             u:object_r:adspd_prop:s0
+hw.aov.hotword_dsp_path            u:object_r:adspd_prop:s0
+hw.motosh.booted                   u:object_r:motosh_prop:s0
+ro.boot.hardware.revision          u:object_r:hw_rev_prop:s0
+hw.touch.status                    u:object_r:touch_prop:s0
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,3 +1,4 @@
+set_prop(qti_init_shell, hw_rev_prop);
 allow qti_init_shell apk_data_file:dir { write add_name create };
 allow qti_init_shell apk_data_file:file { create write setattr };
 allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
				`@@ -0,0 +1 @@`
				`allow cnd system_wpa_socket:sock_file { unlink };`