msm8974-common: sepolicy: Resolve misc denials

avc: denied { chown } for capability=0 scontext=u:r:thermal-engine:s0 tcontext=u:r:thermal-engine:s0 tclass=capability permissive=0 avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=1315 scontext=u:r:mediaserver:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager permissive=0 avc: denied { getattr } for pid=1940 comm="mount.ntfs" path="/dev/block/mmcblk0p23" dev="tmpfs" ino=6957 scontext=u:r:vold:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0 avc: denied { read write } for pid=1370 comm="mm-qcamera-daem" name="rear_corever" dev="sysfs" ino=24696 scontext=u:r:mm-qcamerad:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 avc: denied { search } for pid=561 comm="mm-qcamera-daem" name="camera" dev="sysfs" ino=24680 scontext=u:r:mm-qcamerad:s0 tcontext=u:object_r:sysfs_camera:s0 tclass=dir permissive=0 avc: denied { getattr } for pid=1950 comm="mount.ntfs" path="/dev/block/mmcblk0p24" dev="tmpfs" ino=8134 scontext=u:r:vold:s0 tcontext=u:object_r:cache_block_device:s0 tclass=blk_file permissive=0 avc: denied { getattr } for pid=1926 comm="fsck.ntfs" path="/dev/block" dev="tmpfs" ino=6956 scontext=u:r:fsck_untrusted:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0 avc: denied { getattr } for pid=1948 comm="mount.ntfs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=8090 scontext=u:r:vold:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=0 avc: denied { read } for pid=339 comm="mediaserver" name="rear_camfw_load" dev="sysfs" ino=24694 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sysfs_camera:s0 tclass=file permissive=0 Change-Id: Ieb941d135d9f245f4a2bb9abb78e1b84bbef4b38
2018-03-26 06:37:07 -06:00 · 2018-03-26 06:37:07 -06:00 · d766a7e028
commit d766a7e028
parent e405ae831d
6 changed files with 14 additions and 1 deletions
--- a/sepolicy/common/file.te
+++ b/sepolicy/common/file.te
@ -1,7 +1,8 @@
 type proc_bt_sleep, fs_type;

-type sysfs_mdnie, fs_type, sysfs_type;
+type sysfs_camera, fs_type, sysfs_type;
 type sysfs_hal_pwr, fs_type, sysfs_type;
+type sysfs_mdnie, fs_type, sysfs_type;
 type sysfs_sec, fs_type, sysfs_type;
 type sysfs_wifi_writeable, fs_type, sysfs_type;

--- a/sepolicy/common/file_contexts
+++ b/sepolicy/common/file_contexts
@ -34,6 +34,7 @@
 /sys/module/dhd/parameters/firmware_path                         u:object_r:sysfs_wifi_writeable:s0
 /sys/module/dhd/parameters/nvram_path                            u:object_r:sysfs_wifi_writeable:s0
 /sys/devices/platform/bcm[0-9]+_bluetooth/rfkill/rfkill0/state   u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/camera(/.*)?                                u:object_r:sysfs_camera:s0
 /sys/devices/virtual/sec/sec_key/hall_irq_ctrl                   u:object_r:sysfs_sec:s0

 # mdnie sysfs
--- a/sepolicy/common/mediaserver.te
+++ b/sepolicy/common/mediaserver.te
@ -1,4 +1,7 @@
 allow mediaserver camera_socket:sock_file write;
+allow mediaserver hal_camera_hwservice:hwservice_manager find;
 allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
+allow mediaserver sysfs_camera:dir search;
+allow mediaserver sysfs_camera:file r_file_perms;
 allow mediaserver thermal-engine:unix_stream_socket connectto;
 allow mediaserver vendor_file:file execmod;
--- a/sepolicy/common/mm-qcamerad.te
+++ b/sepolicy/common/mm-qcamerad.te
@ -5,4 +5,6 @@ type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket
 # Allow mm-qcamera-daemon to create the socket camera_socket
 allow mm-qcamerad system_data_file:dir w_dir_perms;

+allow mm-qcamerad sysfs_camera:dir search;
+allow mm-qcamerad sysfs_camera:file rw_file_perms;
 allow mm-qcamerad vendor_file:file execmod;
--- a/sepolicy/common/thermal-engine.te
+++ b/sepolicy/common/thermal-engine.te
@ -1,3 +1,5 @@
 type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client";
 type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client";
 type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";
+
+allow thermal-engine self:capability chown;
--- a/sepolicy/common/vold.te
+++ b/sepolicy/common/vold.te
@ -1,2 +1,6 @@
+allow vold block_device:blk_file getattr;
+allow vold cache_block_device:blk_file getattr;
+allow vold efs_block_device:blk_file getattr;
 allow vold efs_file:dir rw_dir_perms;
 allow vold efs_file:file create;
+allow vold system_block_device:blk_file getattr;