From 071111d64d9d92c81399612877c44bc5cf0e3e93 Mon Sep 17 00:00:00 2001 
From: "Kevin F. Haggerty"
Date: Wed, 14 Nov 2018 19:57:03 -0700
Subject: [PATCH] msm8974-common: sepolicy: Label sysfs_sec_* types, resolve denials

* Rename sysfs_sec type to sysfs_sec_key
* Add additional sysfs_sec_* types as appropriate
* avc: denied { read } for name="temp_adc" dev="sysfs" ino=10538 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_sec_thermistor:s0 tclass=file permissive=1
* avc: denied { open } for name="temp_adc" dev="sysfs" ino=10538 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_sec_thermistor:s0 tclass=file permissive=1
* avc: denied { write } for name="ir_send" dev="sysfs" ino=21339 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_sec_ir:s0 tclass=file permissive=1
* avc: denied { write } for name="led_blink" dev="sysfs" ino=25722 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_sec_led:s0 tclass=file permissive=1
* avc: denied { write } for name="brightness" dev="sysfs" ino=23467 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_sec_touchkey:s0 tclass=file permissive=1
* avc: denied { setattr } for name="ir_send" dev="sysfs" ino=21339 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_ir:s0 tclass=file permissive=1
* avc: denied { setattr } for name="hall_irq_ctrl" dev="sysfs" ino=29565 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_key:s0 tclass=file permissive=1
* avc: denied { setattr } for name="epen_firm_update" dev="sysfs" ino=23585 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_epen:s0 tclass=file permissive=1
* avc: denied { setattr } for name="cmd" dev="sysfs" ino=23756 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_tsp:s0 tclass=file permissive=1
* avc: denied { write } for name="wakeup_keys" dev="sysfs" ino=29568 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_key:s0 tclass=file permissive=1
* avc: denied { open } for name="wakeup_keys" dev="sysfs" ino=29568 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_key:s0 tclass=file permissive=1
* avc: denied { read } for 
name="input" dev="sysfs" ino=24012 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_tsp:s0 tclass=lnk_file permissive=0
* avc: denied { setattr } for name="waketime" dev="sysfs" ino=29035 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_bamdmux:s0 tclass=file permissive=0
* avc: denied { setattr } for name="led_r" dev="sysfs" ino=25719 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_led:s0 tclass=file permissive=0
* avc: denied { setattr } for name="usb_sel" dev="sysfs" ino=28162 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_switch:s0 tclass=file permissive=0
* avc: denied { setattr } for name="brightness" dev="sysfs" ino=23468 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_touchkey:s0 tclass=file permissive=0
* avc: denied { setattr } for name="temperature" dev="sysfs" ino=10538 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_thermistor:s0 tclass=file permissive=0
* avc: denied { setattr } for name="barcode_send" dev="sysfs" ino=19231 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_barcode_emul:s0 tclass=file permissive=0

Change-Id: I66b6d2aab875a2706f2730be9755e8d9805ffb6e
---
 sepolicy/common/file.te | 11 ++++++++++-
 sepolicy/common/file_contexts | 13 ++++++++++++-
 sepolicy/common/hal_sensors_default.te | 1 +
 sepolicy/common/init.te | 17 ++++++++++++++++-
 sepolicy/common/rild.te | 2 +-
 sepolicy/common/system_server.te | 6 ++++++
 6 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
index 87ef68a..52a6e4b 100644
--- a/sepolicy/common/file.te
+++ b/sepolicy/common/file.te
@@ -5,7 +5,16 @@ type sysfs_hal_pwr, fs_type, sysfs_type;
 type sysfs_iio, fs_type, sysfs_type;
 type sysfs_input, fs_type, sysfs_type;
 type sysfs_mdnie, fs_type, sysfs_type;
-type sysfs_sec, fs_type, sysfs_type;
+type sysfs_sec_bamdmux, fs_type, sysfs_type;
+type sysfs_sec_barcode_emul, fs_type, sysfs_type;
+type sysfs_sec_epen, fs_type, sysfs_type;
+type sysfs_sec_ir, fs_type, sysfs_type;
+type sysfs_sec_key, fs_type, sysfs_type;
+type sysfs_sec_led, fs_type, sysfs_type;
+type sysfs_sec_switch, fs_type, sysfs_type;
+type sysfs_sec_thermistor, fs_type, sysfs_type;
+type sysfs_sec_touchkey, fs_type, sysfs_type;
+type sysfs_sec_tsp, fs_type, sysfs_type;
 type sysfs_wifi_writeable, fs_type, sysfs_type;
 type bt_fw_file, file_type;
diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts
index 20956bf..8dcab87 100644
--- a/sepolicy/common/file_contexts
+++ b/sepolicy/common/file_contexts
@@ -33,7 +33,6 @@
 /sys/devices/platform/bcm[0-9]+_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
 /sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
 /sys/devices/virtual/input(/.*)? u:object_r:sysfs_input:s0
-/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0
 /sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi_writeable:s0
 /sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_writeable:s0
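Review bot: Removing the single-node entry `/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0` here while the next hunk labels the whole `sec_key(/.*)?` tree as `sysfs_sec_key` means the rild.te hunk is not a pure rename: `allow rild sysfs_sec_key:file rw_file_perms;` now reaches every node under `sec_key`, including the `wakeup_keys` node the commit message lists for init, where rild previously had exactly one file. The same directory-wide `(/.*)?` patterns make the new system_server.te rule cover all of `led`, `sec_ir` and `sec_touchkey` rather than only the `led_blink`, `ir_send` and `brightness` nodes in the denials. If rild only needs `hall_irq_ctrl`, keeping a dedicated type for that single path (ordered so it takes precedence over the `sec_key(/.*)?` entry) would preserve the previous scope; otherwise a comment on the rild.te line noting the widened scope would help the next reviewer.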
@@ -60,3 +59,15 @@
 # sysfs - mdnie
 /sys/devices/virtual/mdnie/mdnie(/.*)? u:object_r:sysfs_mdnie:s0
+
+# sysfs - sec
+/sys/devices/platform/sec-thermistor(/.*)? u:object_r:sysfs_sec_thermistor:s0
+/sys/devices/virtual/sec/bamdmux(/.*)? u:object_r:sysfs_sec_bamdmux:s0
+/sys/devices/virtual/sec/led(/.*)? u:object_r:sysfs_sec_led:s0
+/sys/devices/virtual/sec/sec_barcode_emul(/.*)? u:object_r:sysfs_sec_barcode_emul:s0
+/sys/devices/virtual/sec/sec_epen(/.*)? u:object_r:sysfs_sec_epen:s0
+/sys/devices/virtual/sec/sec_ir(/.*)? u:object_r:sysfs_sec_ir:s0
+/sys/devices/virtual/sec/sec_key(/.*)? u:object_r:sysfs_sec_key:s0
+/sys/devices/virtual/sec/sec_touchkey(/.*)? u:object_r:sysfs_sec_touchkey:s0
+/sys/devices/virtual/sec/switch(/.*)? u:object_r:sysfs_sec_switch:s0
+/sys/devices/virtual/sec/tsp(/.*)? u:object_r:sysfs_sec_tsp:s0
diff --git a/sepolicy/common/hal_sensors_default.te b/sepolicy/common/hal_sensors_default.te
index ae7996e..d01b5f9 100644
--- a/sepolicy/common/hal_sensors_default.te
+++ b/sepolicy/common/hal_sensors_default.te
@@ -12,6 +12,7 @@ allow hal_sensors_default {
 allow hal_sensors_default {
 sysfs_batteryinfo
 sysfs_graphics
+ sysfs_sec_thermistor
 }:file r_file_perms;
 allow hal_sensors_default {
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
index 25c93da..8c86832 100644
--- a/sepolicy/common/init.te
+++ b/sepolicy/common/init.te
@@ -1,9 +1,14 @@
-allow init sysfs_iio:lnk_file read;
+allow init {
+ sysfs_iio
+ sysfs_sec_tsp
+}:lnk_file read;
 allow init sysfs_input:file rw_file_perms;
 allow init sysfs_graphics:file r_file_perms;
+allow init sysfs_sec_key:file w_file_perms;
+
 allow init {
 sysfs_batteryinfo
 sysfs_graphics
@@ -11,4 +16,14 @@ allow init {
 sysfs_input
 sysfs_leds
 sysfs_mdnie
+ sysfs_sec_bamdmux
+ sysfs_sec_barcode_emul
+ sysfs_sec_epen
+ sysfs_sec_ir
+ sysfs_sec_key
+ sysfs_sec_led
+ sysfs_sec_switch
+ sysfs_sec_thermistor
+ sysfs_sec_touchkey
+ sysfs_sec_tsp
 }:file setattr;
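Review bot: The ten `sysfs_sec_*` types appended to the `setattr` list carry no indication of which node each one serves, so a reader cannot tell whether `sysfs_sec_bamdmux`, for example, is needed only for `waketime` or for the whole `bamdmux` tree; a trailing comment per entry, e.g. `sysfs_sec_bamdmux  # bamdmux/waketime`, taken from the avc lines in the commit message, would document the scope without changing policy. The same applies to `allow init sysfs_sec_key:file w_file_perms;` in the first init.te hunk, which the denials tie to `wakeup_keys` only. Several of these denials are logged with permissive=0, so presumably the rc-file chown/chmod lines that trigger them were failing under enforcement before this patch; confirming on a device that those nodes now end up with the intended ownership would close the loop.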
diff --git a/sepolicy/common/rild.te b/sepolicy/common/rild.te
index 6bbe2cf..8efef11 100644
--- a/sepolicy/common/rild.te
+++ b/sepolicy/common/rild.te
@@ -5,4 +5,4 @@ allow rild radio_data_file:file create_file_perms;
 allow rild radio_data_file:lnk_file read;
 allow rild proc_net:file w_file_perms;
-allow rild sysfs_sec:file rw_file_perms;
+allow rild sysfs_sec_key:file rw_file_perms;
diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te
index a801e96..3d0c927 100644
--- a/sepolicy/common/system_server.te
+++ b/sepolicy/common/system_server.te
@@ -11,3 +11,9 @@ allow system_server qmuxd_socket:sock_file { create setattr write };
 allow system_server qti_debugfs:file r_file_perms;
 allow system_server sensors_device:chr_file r_file_perms;
 allow system_server sysfs_mdnie:file rw_file_perms;
+
+allow system_server {
+ sysfs_sec_ir
+ sysfs_sec_led
+ sysfs_sec_touchkey
+}:file w_file_perms;