Commit Graph

80 Commits

Author SHA1 Message Date
Kyle Harrison
94878fa0bb
msm8974-common: sepolicy: Fix exported_camera_prop denials
Change-Id: Ib3abf88a4c71fcd1510a9b1a3cd496b85379c8b2
2020-12-30 09:19:05 -07:00
Kevin F. Haggerty
cb714bb23b
msm8974-common: sepolicy: Really quiet zygote reading cmdline
Change-Id: I180f434225a966a25cf4f9577e81588c7b2df9d9
2020-12-30 09:19:05 -07:00
Vladimir Oltean
1a7d87aba7
msm8974-common: sepolicy: allow uevent to control sysfs_mmc_host via vold
Change-Id: Iafea09efae38fb82f4019c6d3b3b4bb756cdca0b
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
2020-12-30 09:19:01 -07:00
Arne Coucheron
07931872be
msm8974-common: sepolicy: Resolve last_kmsg denials
Change-Id: Ib6a00d0c14eb03f1e16b24471736a0b84371152c
2020-12-30 07:58:37 -07:00
Kyle Harrison
ec4379ecd8
msm8974-common: sepolicy: Fix userspace_reboot prop denials
- userspace_reboot_exported_prop
- userspace_reboot_config_prop

Change-Id: Ibec834df41345d1268b1eea4ae88b2fd5d37dd55
2020-12-30 07:58:37 -07:00
Francescodario Cuzzocrea
fec1e0d49c
msm8974-common: sepolicy: allow rild read perms on proc_qtaguid_stat
Change-Id: I7f7c872603d162849a4c1b07ec6b04a35f15ddcc
2020-12-30 07:58:37 -07:00
Kevin F. Haggerty
393fdef68c
msm8974-common: sepolicy: Allow rild to set various radio props
* avc: denied { set } for property=persist.ril.radiocapa.tdscdma pid=532
  uid=1001 gid=1001 scontext=u:r:rild:s0
  tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
* avc: denied { set } for property=persist.ril.modem.board pid=572
  uid=1001 gid=1001 scontext=u:r:rild:s0
  tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
* avc: denied { set } for property=persist.ril.ims.eutranParam pid=2745
  uid=1001 gid=1001 scontext=u:r:rild:s0
  tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1

Change-Id: Ib64be5c213456f80f403c645655fbc502a50832d
2020-12-30 07:58:17 -07:00
Paul Crowley
bd627e8b90
msm8974-common: sepolicy: allow tee system_data_root_file:dir r_dir_perms;
aosp/1106014 introduces a new class system_data_root_file and
tee needs access to that as well as system_data_file.

09-09 20:26:53.639   645   645 I auditd  : type=1400 audit(0.0:9): avc: denied { read } for comm="qseecomd" name="/" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1
09-09 20:26:53.639   645   645 I qseecomd: type=1400 audit(0.0:9): avc: denied { read } for name="/" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1
09-09 20:26:53.639   645   645 I auditd  : type=1400 audit(0.0:10): avc: denied { open } for comm="qseecomd" path="/data" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1
09-09 20:26:53.639   645   645 I qseecomd: type=1400 audit(0.0:10): avc: denied { open } for path="/data" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1

Bug: 140402208
Test: Flash Taimen device, enroll fingerprint, check log for denials
Change-Id: Ie976d7bbe4aeba875b96b6b82a94734b71ba1cb9
2020-12-30 07:52:16 -07:00
Kevin F. Haggerty
e28494bb9f
msm8974-common: sepolicy: macloader updates for new root label
Change-Id: I3526593a73b80c1ec1203734289cb5a2c8faad89
2020-12-30 07:52:16 -07:00
Bruno Martins
2bea09d812
msm8974-common: sepolicy: Deduplicate camera rule
No longer needed to keep it locally, since it has been recently
added globally.

Change-Id: Ia41e85d74da0937fddb4fe34d5b0bf15555d0ea1
2020-12-30 07:49:18 -07:00
Alessandro Astone
269d4721aa
msm8974-common: sepolicy: Camera rules for new root label
Change-Id: Iae2171eaf2acb77acabba626b7bcf017725ab81a
2020-12-30 07:48:16 -07:00
Kevin F. Haggerty
450f437728
Revert "msm8974-common: sepolicy: Allow mediaswcodec to use binder IPC"
* This is not needed with appropriate binder updates

This reverts commit b17d75621e.

Change-Id: Ic5cabb16313e68b7a1cefa6e23fc9a9d43dc6c31
2020-12-30 07:47:37 -07:00
Kevin F. Haggerty
fd7fe5dd86
Revert "msm8974-common: Build and enable fastbootd"
* This seems to be wholly dead for legacy functionfs. Pour one out,
  she led a great, yet short-lived, life.

This reverts commit 53fd5b0828.
This reverts commit 8b07abf736.

Change-Id: I494769c2106638d8e442f43dfedf399e7f90aa9e
2020-12-30 07:42:55 -07:00
Amit Pundir
85a6137a28
msm8974-common: Add gatekeeper software HIDL service.
Use the default software implementation of gatekeeper.

Change-Id: Id696752ad78047155cad6a5dafe7ca1b4fe86345
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
2020-12-12 10:00:39 -07:00
Wang Han
b9a1d97191
msm8974-common: Switch to TimeKeep
* SE policies are imported and modified from
   https://github.com/sonyxperiadev/device-sony-sepolicy.
   Modifications are needed because qcom legacy policy
   contains conflicting labels and rules.

Change-Id: Id04a824dea69976f6fc9d48bef77859cc82971ed
2020-09-07 05:28:51 -06:00
Kevin F. Haggerty
9f313b3cee
msm8974-common: sepolicy: Allow system_app to access wificond via IPC
avc: denied { call } for comm=4173796E635461736B202334
scontext=u:r:system_app:s0 tcontext=u:r:wificond:s0 tclass=binder
permissive=0

Change-Id: I5fed7bfa2362bce7fa26d22618b2584a145f5385
2020-09-06 04:12:10 -06:00
Kevin F. Haggerty
b17d75621e
msm8974-common: sepolicy: Allow mediaswcodec to use binder IPC
Change-Id: I866c7b0843cd0e64f9f0f2e743b571c87281b086
2020-09-06 04:12:10 -06:00
Kevin F. Haggerty
8326e1562c
msm8974-common: sepolicy: Allow system_app to read /proc/pagetypeinfo
avc: denied { read } for name="pagetypeinfo" dev="proc" ino=4026543033
scontext=u:r:system_app:s0 tcontext=u:object_r:proc_pagetypeinfo:s0
tclass=file permissive=0

Change-Id: I16465eb9acca9ff64a755d47f86f4ff424ebe4de
2020-09-06 04:12:10 -06:00
Kevin F. Haggerty
5404fa9536
msm8974-common: sepolicy: Quiet system_app attempts to find disallowed services
Change-Id: I6a17bef88c3b9fe9f075dc0ef3de5e203f5d9ce3
2020-09-06 04:12:10 -06:00
Kevin F. Haggerty
d6e781307f
msm8974-common: sepolicy: Quiet priv_app opening sysfs_android_usb files
* Reading these is disallowed globally, no need to see logspam of
  open attempts

Change-Id: I4c0094097d39456c65720cbdfb949d14439ce5f4
2020-09-06 04:12:10 -06:00
Kevin F. Haggerty
3377f79b53
msm8974-common: sepolicy: Allow system_app to access zram sysfs nodes
avc: denied { search } for name="zram0" dev="sysfs" ino=20744
scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir
permissive=0

avc: denied { open } for name="mem_used_total" dev="sysfs" ino=20804
scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file
permissive=0

avc: denied { read } for name="mem_used_total" dev="sysfs" ino=20804
scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file
permissive=0

Change-Id: Ide9b1a9488b26fa69e7a2c8e73a8e657c8b28beb
2020-09-06 04:12:10 -06:00
Kevin F. Haggerty
a586ba7d50
msm8974-common: sepolicy: Quiet vold finding the bootctl hwservice
* We don't have this

Change-Id: I879f9b30e94c153dfec30ef369ae0ca31e3ab3d7
2020-09-06 04:12:09 -06:00
Kevin F. Haggerty
135f55810f
msm8974-common: sepolicy: Quiet zygote reading cmdline
Change-Id: I3fad2a7a3a7e2200453fd40ef325a9f98bce5506
2020-09-06 04:12:09 -06:00
Kevin F. Haggerty
39c71a0276
msm8974-common: sepolicy: Allow platform_app to getattr radio_data_file
avc: denied { getattr } for path="/data/user_de/0/com.android.phone"
dev="dm-0" ino=1545357 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:radio_data_file:s0 tclass=dir permissive=0
app=com.android.systemui

Change-Id: I74744dde2a3af01a4f30e0898889cad13f95d563
2020-09-06 04:12:09 -06:00
Kevin F. Haggerty
98dd537e3c
msm8974-common: sepolicy: Allow the BT HAL to read /efs
avc: denied { search } for name="/" dev="mmcblk0p11" ino=2
scontext=u:r:hal_bluetooth_default:s0 tcontext=u:object_r:efs_file:s0
tclass=dir permissive=0

Change-Id: I1a8abfb3d02c5cb3c63c93ff20a2974ff70ecb87
2020-09-06 04:12:09 -06:00
Arne Coucheron
8462d2ec5b
msm8974-common: sepolicy: Allow ueventd to set sys_nice capability
avc: denied { sys_nice } for capability=23 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=capability permissive=0

Change-Id: Icfa56283a9b4c67456bd4e714aa3922fece59436
2020-09-06 04:12:09 -06:00
Arne Coucheron
66dcc79709
msm8974-common: sepolicy: Allow gpuservice to read opengles_prop
avc: denied { read } for name="u:object_r:opengles_prop:s0" dev="tmpfs" ino=6353 scontext=u:r:gpuservice:s0 tcontext=u:object_r:opengles_prop:s0 tclass=file permissive=0

Change-Id: I455c5d681e301451ad11210e91d0a71b4b80239a
2020-09-06 04:12:09 -06:00
Kevin F. Haggerty
065046fd6d
msm8974-common: sepolicy: Allow fsck_untrusted appropriate access to sysfs_dm
avc: denied { search } for name="dm-0" dev="sysfs" ino=33209
scontext=u:r:fsck_untrusted:s0 tcontext=u:object_r:sysfs_dm:s0
tclass=dir permissive=0

avc: denied { read } for name="name" dev="sysfs" ino=33374
scontext=u:r:fsck_untrusted:s0 tcontext=u:object_r:sysfs_dm:s0
tclass=file permissive=0

Change-Id: I38d74974d23f94ddac4c45f1d5470288d4ee8a6f
2020-09-06 04:12:09 -06:00
Kevin F. Haggerty
7bfaa1d75f
msm8974-common: sepolicy: Allow ioctls necessary for physical sdcard operations
* Note: 0x1271 is not defined in system/sepolicy/public/ioctl_defines

avc: denied { ioctl } for path="/dev/block/vold/public:179,65"
dev="tmpfs" ino=19222 ioctlcmd=125e scontext=u:r:vold:s0
tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

avc: denied { ioctl } for path="/dev/block/vold/public:179,65"
dev="tmpfs" ino=20176 ioctlcmd=1271 scontext=u:r:vold:s0
tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

avc: denied { ioctl } for path="/dev/block/vold/public:179,65"
dev="tmpfs" ino=27110 ioctlcmd=125e scontext=u:r:fsck_untrusted:s0
tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

avc: denied { ioctl } for path="/dev/block/vold/public:179,65"
dev="tmpfs" ino=27110 ioctlcmd=1271 scontext=u:r:fsck_untrusted:s0
tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Change-Id: I7bf2346b9517196160e4dde51baa550fb343bfdf
2020-09-06 04:12:09 -06:00
Kevin F. Haggerty
61d3a4eafa
msm8974-common: sepolicy: Allow untrusted fsck to getattr block_device dirs
avc: denied { getattr } for path="/dev/block" dev="tmpfs" ino=6914
scontext=u:r:fsck_untrusted:s0 tcontext=u:object_r:block_device:s0
tclass=dir permissive=0

Change-Id: I03c1086a21edba4e193f81b473e6785aac890364
2020-09-06 04:12:09 -06:00
Kevin F. Haggerty
631007d58c
msm8974-common: sepolicy: Update for move of init.{qcom,target}.rc to /vendor
Change-Id: Ic0042ed52e7aeb3faba856411fd0a1b298446125
2020-09-06 04:12:09 -06:00
Bruno Martins
eac9496d05
msm8974-common: Binderize them all
* Switch to binderized HAL services as possible and update
   HIDL manifest accordingly.

Change-Id: Id50291488d655187aa013c51bdd6890dca010564
2020-05-29 12:14:16 -06:00
Elektroschmock
e9a18e2d9e
msm8974-common: sepolicy: label /dev/stune(/.*) as cgroup
* avc: denied { write } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:adbroot:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { open } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:adbroot:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { write } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:installd:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { open } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:installd:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { write } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:netd:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { open } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:netd:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { write } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:storaged:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { open } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:storaged:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1
* avc: denied { write } for name="tasks" dev="tmpfs" ino=7795
  scontext=u:r:gsid:s0 tcontext=u:object_r:device:s0 tclass=file
  permissive=1

Change-Id: Idc69978328640ff40ad5efe2f0abd79304e75893
2020-05-29 12:14:16 -06:00
Kevin F. Haggerty
f3cd79f3ae
msm8974-common: sepolicy: Resurrect alarm_device
* Both our ril_daemon, via libsec-ril*.so, and our time_daemon
  need access to this device node

Change-Id: Ib787f45596bb6aa606bab102a5bd1cb93eb645a4
2020-05-26 15:09:19 -06:00
Kevin F. Haggerty
8b07abf736
msm8974-common: sepolicy: Put fastbootd.te in correct place
Change-Id: I7e65f7835e1ee37aee90aa84dfc431fc0d434231
2020-05-15 10:43:56 -06:00
Kevin F. Haggerty
64ed0d4ffc
msm8974-common: sepolicy: Resolve hal_lineage_touch_default denials
* avc: denied { search } for name="sec_epen" dev="sysfs" ino=23534
  scontext=u:r:hal_lineage_touch_default:s0
  tcontext=u:object_r:sysfs_sec_epen:s0 tclass=dir permissive=1
* avc: denied { search } for name="sec_touchkey" dev="sysfs" ino=23413
  scontext=u:r:hal_lineage_touch_default:s0
  tcontext=u:object_r:sysfs_sec_touchkey:s0 tclass=dir permissive=1

* avc: denied { read } for name="epen_gestures" dev="sysfs" ino=23559
  scontext=u:r:hal_lineage_touch_default:s0
  tcontext=u:object_r:sysfs_sec_epen:s0 tclass=file permissive=1
* avc: denied { open } for name="epen_gestures" dev="sysfs" ino=23559
  scontext=u:r:hal_lineage_touch_default:s0
  tcontext=u:object_r:sysfs_sec_epen:s0 tclass=file permissive=1
* avc: denied { read write } for name="epen_gestures" dev="sysfs"
  ino=23559 scontext=u:r:hal_lineage_touch_default:s0
  tcontext=u:object_r:sysfs_sec_epen:s0 tclass=file permissive=1

Change-Id: Ie62004f9ca8e93cb8e1dfe45fcff0a9e74f3c44d
2020-04-25 14:27:00 -06:00
Kevin F. Haggerty
5eb54f4a81
msm8974-common: sepolicy: Label rootfs tombstones symlink
Change-Id: Ic9960d487b37521c8c1d730bb4f3bb69ed8b53e2
2020-04-24 16:20:42 -06:00
Kevin F. Haggerty
0cfb50a823
msm8974-common: sepolicy: Label .psm.info file
Change-Id: Id2e6cf9706262bac877deca0d692d81ef637b0fb
2020-04-24 16:20:42 -06:00
Kevin F. Haggerty
b46d020e98
msm8974-common: Build the Samsung hwbinder light service
Change-Id: I33c259766914a5a714b05b59735ee2a8d70b0a5c
2020-04-24 15:44:37 -06:00
Kevin F. Haggerty
d68795bd7f
msm8974-common: sepolicy: Label /firmware-modem mountpoint
Change-Id: I08720daf701235f9209b7e6fd66d6432a5684ec2
2020-04-24 14:22:24 -06:00
Paul Keith
50045fa46e
msm8974-common: Transition to consumerir HIDL hal
Change-Id: I85950a46eebec0e9a4b34681b2042467231b33b3
2020-01-31 15:08:24 +01:00
LuK1337
756a4e4063
msm8974-common: hal_lineage_livedisplay_default -> hal_lineage_livedisplay_sysfs
Change-Id: If8954290c41913b7453a1cba4d67f7a63d08d2dd
2019-06-16 09:01:58 -06:00
Kevin F. Haggerty
66b282da2e
msm8974-common: Build Samsung LiveDisplay service
Change-Id: I74d38aa0df3179bb00b942135e8ff055aa8a5658
2019-05-07 07:20:49 -06:00
Paul Keith
c036f18fe2
msm8974-common: Build vendor.lineage.touch HAL from hardware/samsung
Change-Id: I6eca1e9875cb5793a3a45c6e77bc201946ebd897
2019-04-10 06:45:59 -06:00
Kevin F. Haggerty
4b086d485b
Revert "msm8974-common: sepolicy: Label sysfs_net, resolve denials"
This reverts commit 97ff0e6d32.

Change-Id: Ib609a1a9987598be26e2fe32cc77ea9f57c9c63d
2019-02-19 07:42:09 -07:00
Kevin F. Haggerty
9aa32ce3c9
msm8974-common: sepolicy: Adapt to global sepolicy merges
* Several items merged globally caused duplicate definition of paths
  that were previously labeled here.

This reverts commit 27afbf1dc6.
This reverts commit 7fb5a8c6cb.
This partially reverts commit bb196ad94b.
This partially reverts commit c39a735ab5.

Change-Id: I901e5aa78058e1a465f110cde31fb7d76eaf3d51
2019-01-21 16:59:40 -07:00
Kevin F. Haggerty
f823b51508
msm8974-common: sepolicy: Eliminate qemu_hw_mainkeys_prop entries
* Specific definition of this is dropped from qcom/sepolicy-legacy

Change-Id: I429abf7dddd2de4443349366b932149f30b87206
2018-12-31 15:21:52 -07:00
Kevin F. Haggerty
afa0af84d6
msm8974-common: sepolicy: Clean up
* Group policy statements better
* Nuke unneeded allows

Change-Id: Ibc1fd4debe8c95005a6dd54e1428d6365248bd80
2018-12-26 22:06:35 +01:00
Kevin F. Haggerty
7e3f9a566d
msm8974-common: sepolicy: Resolve init denials
* avc: denied { write } for name="enable_adaptive_lmk" dev="sysfs"
  ino=6724 scontext=u:r:init:s0
  tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=file permissive=1
* avc: denied { open } for name="enable_adaptive_lmk" dev="sysfs"
  ino=6724 scontext=u:r:init:s0
  tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=file
  permissive=1
* avc: denied { setattr } for name="firmware_path" dev="sysfs"
  ino=6423 scontext=u:r:init:s0
  tcontext=u:object_r:sysfs_wifi_writeable:s0 tclass=file
  permissive=1
* avc: denied { write } for name="l2" dev="sysfs" ino=29063
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_msm_power:s0
  tclass=file permissive=1
* avc: denied { open } for name="l2" dev="sysfs" ino=29063
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_msm_power:s0
  tclass=file permissive=1
* avc: denied { write } for name="enabled" dev="sysfs" ino=29716
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_thermal:s0
  tclass=file permissive=1
* avc: denied { write } for name="online" dev="sysfs" ino=5871
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
  tclass=file permissive=1
* avc: denied { write } for name="boost_ms" dev="sysfs" ino=6652
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_cpu_boost:s0
  tclass=file permissive=1
* avc: denied { open } for name="boost_ms" dev="sysfs" ino=6652
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_cpu_boost:s0
  tclass=file permissive=1
* avc: denied { setattr } for name="min_pwrlevel" dev="sysfs"
  ino=19546 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_kgsl:s0
  tclass=file permissive=0
* avc: denied { setattr } for name="enabled" dev="sysfs" ino=23417
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_hal_pwr:s0
  tclass=file permissive=1
* avc: denied { setattr } for name="rear_camfw" dev="sysfs" ino=24404
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_camera:s0
  tclass=file permissive=1
* avc: denied { check_context } for scontext=u:r:init:s0
  tcontext=u:object_r:kernel:s0 tclass=security permissive=0

Change-Id: Id7f78abedea2209f84527b1b83259574d06a0900
2018-11-30 14:29:49 -07:00
Kevin F. Haggerty
7fb5a8c6cb
msm8974-common: sepolicy: Label sysfs_usb_storage_gadget, resolve denials
* avc: denied { setattr } for name="file" dev="sysfs" ino=23591
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_usb_storage_gadget:s0
  tclass=file permissive=1

Change-Id: Ia96e3634cbe1a85bb7da3f24ecfa3fbaaa55baad
2018-11-30 14:14:59 -07:00