From a1a8218d9810310bee05a8888a4f248a8ffab292 Mon Sep 17 00:00:00 2001
From: Jan Altensen
Date: Sun, 9 May 2021 10:09:33 +0200
Subject: [PATCH] exynos9610: address IMS related denials
Change-Id: I20285d510605238f2c0b62890d1e8a6f07b0d651
---
sepolicy/private/ims.te | 1 -
sepolicy/private/netutils_wrapper.te | 7 ++++
sepolicy/vendor/charonservice.te | 32 ++++++++++++++++++
sepolicy/vendor/file.te | 1 +
sepolicy/vendor/file_contexts | 1 +
sepolicy/vendor/property.te | 1 +
sepolicy/vendor/property_contexts | 7 +++-
sepolicy/vendor/rild.te | 1 +
sepolicy/{private => vendor}/seapp_contexts | 2 ++
sepolicy/vendor/system_server.te | 1 +
sepolicy/vendor/vendor_ims_app.te | 37 +++++++++++++++++++++
sepolicy/vendor/vendor_init.te | 1 +
sepolicy/vendor/vendor_rcs_app.te | 2 ++
13 files changed, 92 insertions(+), 2 deletions(-)
delete mode 100644 sepolicy/private/ims.te
rename sepolicy/{private => vendor}/seapp_contexts (50%)
create mode 100644 sepolicy/vendor/vendor_ims_app.te
create mode 100644 sepolicy/vendor/vendor_rcs_app.te
diff --git a/sepolicy/private/ims.te b/sepolicy/private/ims.te
deleted file mode 100644
index c60dc56..0000000
--- a/sepolicy/private/ims.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_ims_app, domain;
diff --git a/sepolicy/private/netutils_wrapper.te b/sepolicy/private/netutils_wrapper.te
index 825cf5d..ca3a4e6 100644
--- a/sepolicy/private/netutils_wrapper.te
+++ b/sepolicy/private/netutils_wrapper.te
@@ -1,2 +1,9 @@
 init_daemon_domain(netutils_wrapper)
 allow netutils_wrapper pktrouter_device:chr_file rw_file_perms;
+
+allow netutils_wrapper self:packet_socket create_socket_perms_no_ioctl;
+allow netutils_wrapper node:rawip_socket node_bind;
+allow netutils_wrapper port:udp_socket name_bind;
+allow netutils_wrapper node:udp_socket node_bind;
+
+dontaudit netutils_wrapper self:capability dac_override;
diff --git a/sepolicy/vendor/charonservice.te b/sepolicy/vendor/charonservice.te
index 88f00b7..330b2a1 100644
--- a/sepolicy/vendor/charonservice.te
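Review bot: `allow netutils_wrapper port:udp_socket name_bind;` is the broad rule in this hunk: `port` is the catch-all type for every port without a dedicated label, so the wrapper may bind any such UDP port rather than the one the denial showed. As I understand it netutils_wrapper is the shim through which vendor code runs iptables/ip/tc, so packet and raw-IP sockets are plausible for `ip`/`tc`, but none of the new rules says which denial it resolves; a comment such as `# ip/tc run via netd: packet_socket create, udp_socket name_bind` above the block would let the next reader re-scope it. The `dontaudit netutils_wrapper self:capability dac_override;` line hides a permission mismatch rather than fixing it; if the wrapper trips over a file or socket owned by another UID, naming the path in a comment or fixing its ownership is the durable fix.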
+++ b/sepolicy/vendor/charonservice.te
@@ -1,3 +1,35 @@
 type charonservice, domain, mlstrustedsubject;
 type charonservice_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(charonservice)
+
+allow charonservice misc_vendor_data_file:dir create_dir_perms;
+allow charonservice misc_vendor_data_file:file create_file_perms;
+
+allow charonservice misc_vendor_data_file:sock_file create_file_perms;
+
+allow charonservice self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow charonservice self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+allow charonservice self:udp_socket create_socket_perms;
+allow charonservice port:udp_socket name_bind;
+allow charonservice node:udp_socket node_bind;
+allowxperm charonservice self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+allow charonservice self:capability { chown net_admin net_bind_service net_raw };
+allow charonservice self:capability2 wake_alarm;
+
+allow charonservice proc_net:file rw_file_perms;
+
+allowxperm charonservice tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow charonservice tun_device:chr_file rw_file_perms;
+allow charonservice self:tun_socket create;
+allow charonservice vendor_ims_app:unix_stream_socket connectto;
+
+# reading/writing net.dns* props is not allowed anymore
+# https://android-review.googlesource.com/c/platform/system/sepolicy/+/1226955
+dontaudit charonservice net_dns_prop:file read;
+dontaudit charonservice net_dns_prop:property_service set;
+
+unix_socket_connect(charonservice, property, init)
+
+set_prop(charonservice, vendor_ims_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 0db8ba5..1cad0b7 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
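Review bot: `allow charonservice proc_net:file rw_file_perms;` grants write access to everything labelled proc_net, which on most Android releases includes the network sysctls under /proc/sys/net as well as /proc/net, so the daemon could change forwarding, rp_filter and similar settings system-wide; if charon only needs one sysctl, name it in a comment, keep `r_file_perms` for the rest, and confirm the platform neverallows on proc_net writes still pass at build. Separately, `unix_socket_connect(charonservice, property, init)` is redundant: the `set_prop(charonservice, vendor_ims_prop)` two lines below already expands to that connect rule plus the `property_service set`, so the explicit line can be dropped. The `chown` in `self:capability { chown net_admin net_bind_service net_raw }` is wider than the rest of the block suggests; if it exists only for the socket files under misc_vendor_data_file, a comment saying so would stop it being read as a general grant.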
@@ -2,6 +2,7 @@ type camera_vendor_data_file, file_type, data_file_type;
 type chargeonly_data_file, file_type, data_file_type;
 type mediadrm_vendor_data_file, file_type, data_file_type;
+type misc_vendor_data_file, file_type, data_file_type;
 type mobicore_data_registry_file, file_type, data_file_type;
 type rild_vendor_data_file, file_type, data_file_type;
 type sensor_vendor_data_file, file_type, data_file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index ed2cde5..3d822c5 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -15,6 +15,7 @@
 /data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/misc(/.*)? u:object_r:misc_vendor_data_file:s0
 /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
 /data/vendor/mcRegistry(/.*)? u:object_r:mobicore_data_registry_file:s0
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 2bbecb5..7aca4f7 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1,6 +1,7 @@
 type vendor_audio_prop, property_type;
 type vendor_camera_prop, property_type;
 type vendor_hwc_prop, property_type;
+type vendor_ims_prop, property_type;
 type moto_boot_prop, property_type;
 type rmnet_mux_prop, property_type;
 type vendor_wifi_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index e3f5d4d..27b0f11 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
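Review bot: `type misc_vendor_data_file, file_type, data_file_type;` gives the new directory a generic name while the rest of this patch hands it, with full `create_dir_perms`/`create_file_perms` and sock_file creation, to both the native charonservice daemon and the vendor_ims_app app domain. A type named for what it holds (e.g. `ims_vendor_data_file`) plus a one-line comment on which domain owns the directory and which only connects to the socket in it would keep it from becoming the landing spot for every unrelated `/data/vendor/misc` denial later. Whether the app side really needs to create files there, or only `write` on the sock_file to connect, is worth confirming against the denials.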
@@ -7,11 +7,16 @@ ro.boot.carrier u:object_r:moto_boot_prop:s0
 # Camera
 persist.vendor.sys.camera. u:object_r:vendor_camera_prop:s0
+# Charon
+vendor.charon u:object_r:vendor_ims_prop:s0
+vendor.charon.route u:object_r:vendor_ims_prop:s0
+custom.charon.status u:object_r:vendor_ims_prop:s0
+
 # HWC
 ro.vendor.ddk.set.afbc u:object_r:vendor_hwc_prop:s0
 # Radio
-persist.vendor.radio.cp. u:object_r:vendor_radio_prop:s0
+persist.vendor.radio. u:object_r:vendor_radio_prop:s0
 persist.vendor.ril. u:object_r:vendor_radio_prop:s0
 ro.product.model.dm u:object_r:vendor_radio_prop:s0
 ro.radio.imei.sv u:object_r:vendor_radio_prop:s0
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 913ee30..a3f6885 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -6,6 +6,7 @@ add_hwservice(rild, hal_exynos_rild_hwservice)
 binder_call(rild, gpsd)
 binder_call(rild, hal_audio_default)
 binder_call(rild, hal_secure_element_default)
+binder_call(rild, vendor_ims_app)
 get_prop(rild, system_boot_reason_prop)
 set_prop(rild, vendor_radio_prop)
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/vendor/seapp_contexts
similarity index 50%
rename from sepolicy/private/seapp_contexts
rename to sepolicy/vendor/seapp_contexts
index c2c62fa..558acf5 100644
--- a/sepolicy/private/seapp_contexts
+++ b/sepolicy/vendor/seapp_contexts
@@ -1,2 +1,4 @@
 user=radio seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app
 user=radio seinfo=platform name=com.shannon.imsservice:remote domain=vendor_ims_app
+user=radio seinfo=platform name=com.shannon.rcsservice domain=vendor_rcs_app
+user=radio seinfo=platform name=com.shannon.rcsservice:remote domain=vendor_rcs_app
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index 35a67c0..d2fc574 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
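Review bot: Replacing `persist.vendor.radio.cp.` with `persist.vendor.radio.` widens vendor_radio_prop from one sub-tree to every `persist.vendor.radio.*` property, and this same patch grants `set` on that type to vendor_init and vendor_ims_app in addition to rild, so all three can now write anything under that prefix; if a single new property triggered this, adding its exact name is tighter, otherwise a comment stating the broadening is intentional would help. `custom.charon.status` also sits outside the `vendor.`/`persist.vendor.` namespaces that vendor-defined properties are expected to use on newer releases, so it may trip the property namespace checks there; if the IMS stack hard-codes that name, a comment next to the entry, e.g. `# name fixed by the Shannon IMS stack, cannot be moved under vendor.`, would explain the exception.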
@@ -1,3 +1,4 @@
 allow system_server proc_last_kmsg:file r_file_perms;
+get_prop(system_server, vendor_radio_prop)
 get_prop(system_server, vendor_security_patch_level_prop)
diff --git a/sepolicy/vendor/vendor_ims_app.te b/sepolicy/vendor/vendor_ims_app.te
new file mode 100644
index 0000000..ecc4165
--- /dev/null
+++ b/sepolicy/vendor/vendor_ims_app.te
@@ -0,0 +1,37 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+
+allow vendor_ims_app {
+app_api_service
+radio_service
+registry_service
+}:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app radio_data_file:dir rw_dir_perms;
+allow vendor_ims_app radio_data_file:file create_file_perms;
+
+allow vendor_ims_app misc_vendor_data_file:dir create_dir_perms;
+allow vendor_ims_app misc_vendor_data_file:file create_file_perms;
+
+allow vendor_ims_app misc_vendor_data_file:sock_file create_file_perms;
+
+allow vendor_ims_app dnsproxyd_socket:sock_file write;
+allow vendor_ims_app self:udp_socket create_socket_perms;
+
+allow vendor_ims_app netd:unix_stream_socket connectto;
+allow vendor_ims_app node:udp_socket node_bind;
+
+allow vendor_ims_app charonservice:unix_stream_socket connectto;
+allow vendor_ims_app self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# no idea why, /system/etc/hosts
+dontaudit vendor_ims_app system_file:file lock;
+
+set_prop(vendor_ims_app, radio_prop)
+set_prop(vendor_ims_app, vendor_ims_prop)
+set_prop(vendor_ims_app, vendor_radio_prop)
+
+binder_call(vendor_ims_app, rild)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index c149e82..70db74b 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
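Review bot: `get_prop(system_server, vendor_radio_prop)` lets a core-domain process read a vendor-defined property type, which is the one rule in this patch that crosses the system/vendor boundary from the system side, and because the same change widens that type to the whole `persist.vendor.radio.` prefix it now covers every property under that tree. A comment naming the property system_server actually reads, e.g. `# system_server reads persist.vendor.radio.<name> for <reason>`, would document why the exception exists; if it is a single property, giving it its own type keeps the grant narrow.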
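Review bot: The socket rules in the middle of this file — `dnsproxyd_socket:sock_file write`, `netd:unix_stream_socket connectto`, `self:udp_socket create_socket_perms` and `node:udp_socket node_bind` — are the grants the platform `net_domain()` macro provides, so `net_domain(vendor_ims_app)` directly after `app_domain(vendor_ims_app)` expresses the intent in one line and tracks future netd changes automatically. `set_prop(vendor_ims_app, radio_prop)` gives a vendor app domain set access to a core property type and deserves a comment naming which property the IMS app writes, since it is the grant most likely to be questioned. The `# no idea why, /system/etc/hosts` comment would serve better as the observed denial plus the decision, e.g. `# observed: denied { lock } on /system/etc/hosts; silenced, no functional impact seen`, so the next person does not re-investigate from scratch.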
@@ -22,3 +22,4 @@ allow vendor_init unlabeled:{ dir file } { read getattr relabelfrom };
 set_prop(vendor_init, moto_boot_prop)
 set_prop(vendor_init, rmnet_mux_prop)
+set_prop(vendor_init, vendor_radio_prop)
diff --git a/sepolicy/vendor/vendor_rcs_app.te b/sepolicy/vendor/vendor_rcs_app.te
new file mode 100644
index 0000000..7dab37a
--- /dev/null
+++ b/sepolicy/vendor/vendor_rcs_app.te
@@ -0,0 +1,2 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
-- 2.20.1
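Review bot: `vendor_rcs_app` is declared with `app_domain()` and nothing else, so unlike vendor_ims_app, which this patch explicitly allows to `find` app_api_service and radio_service, an RCS process launched into it will likely produce a fresh round of denials the moment it talks to servicemanager. If the intent is only to keep com.shannon.rcsservice out of the default platform domain until its needs are known, a comment such as `# placeholder domain for com.shannon.rcsservice; rules to be added from denials` would make that explicit; if it is expected to use the IMS sockets under misc_vendor_data_file, those rules are missing here.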