From c5b56c8940746b839e67e3006221c0bd5af32888 Mon Sep 17 00:00:00 2001 
From: Henrik Grimler
Date: Sun, 9 Aug 2020 18:20:18 +0200
Subject: [PATCH] Label files and address a bunch of selinux denials
---
 sepolicy/adbd.te | 1 +
 sepolicy/bootanim.te | 1 +
 sepolicy/crash_dump.te | 1 +
 sepolicy/file.te | 4 ++++
 sepolicy/file_contexts | 6 ++++++
 sepolicy/genfs_contexts | 2 ++
 sepolicy/hal_audio_default.te | 3 +++
 sepolicy/hal_bluetooth_default.te | 1 +
 sepolicy/hal_camera_default.te | 1 +
 sepolicy/hal_gatekeeper_default.te | 2 ++
 sepolicy/hal_graphics_composer_default.te | 8 ++++++++
 sepolicy/hal_health_default.te | 1 +
 sepolicy/hal_keymaster_default.te | 1 +
 sepolicy/hal_sensors_default.te | 5 +++++
 sepolicy/init.te | 15 +++++++++++++++
 sepolicy/installd.te | 1 +
 sepolicy/kernel.te | 2 ++
 sepolicy/mediacodec.te | 1 +
 sepolicy/netd.te | 3 +++
 sepolicy/platform_app.te | 2 ++
 sepolicy/priv_app.te | 2 ++
 sepolicy/rild.te | 6 ++++++
 sepolicy/shell.te | 1 +
 sepolicy/surfaceflinger.te | 2 ++
 sepolicy/system_app.te | 4 ++++
 sepolicy/system_server.te | 11 +++++++++++
 sepolicy/toolbox.te | 1 +
 sepolicy/untrusted_app.te | 2 ++
 sepolicy/untrusted_app_25.te | 2 ++
 sepolicy/untrusted_app_27.te | 2 ++
 sepolicy/zygote.te | 1 +
 31 files changed, 95 insertions(+)
 create mode 100644 sepolicy/adbd.te
 create mode 100644 sepolicy/bootanim.te
 create mode 100644 sepolicy/crash_dump.te
 create mode 100644 sepolicy/file.te
 create mode 100644 sepolicy/genfs_contexts
 create mode 100644 sepolicy/hal_audio_default.te
 create mode 100644 sepolicy/hal_bluetooth_default.te
 create mode 100644 sepolicy/hal_camera_default.te
 create mode 100644 sepolicy/hal_gatekeeper_default.te
 create mode 100644 sepolicy/hal_graphics_composer_default.te
 create mode 100644 sepolicy/hal_health_default.te
 create mode 100644 sepolicy/hal_keymaster_default.te
 create mode 100644 sepolicy/hal_sensors_default.te
 create mode 100644 sepolicy/init.te
 create mode 100644 sepolicy/installd.te
 create mode 100644 sepolicy/kernel.te
 create mode 100644 sepolicy/mediacodec.te
 create mode 100644 sepolicy/netd.te
 create mode 100644 sepolicy/platform_app.te
 create mode 100644 sepolicy/priv_app.te
 create mode 100644 sepolicy/rild.te
 create mode 100644 sepolicy/shell.te
 create mode 100644 sepolicy/surfaceflinger.te
 create mode 100644 sepolicy/system_app.te
 create mode 100644 sepolicy/system_server.te
 create mode 100644 sepolicy/toolbox.te
 create mode 100644 sepolicy/untrusted_app.te
 create mode 100644 sepolicy/untrusted_app_25.te
 create mode 100644 sepolicy/untrusted_app_27.te
 create mode 100644 sepolicy/zygote.te
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644
index 0000000..bb82320
--- /dev/null
+++ b/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd proc_last_kmsg:file { getattr read };
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..0aad1ec
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+allow bootanim device:chr_file { getattr ioctl };
diff --git a/sepolicy/crash_dump.te b/sepolicy/crash_dump.te
new file mode 100644
index 0000000..b73ebbf
--- /dev/null
+++ b/sepolicy/crash_dump.te
@@ -0,0 +1 @@
+allow crash_dump hwservicemanager_prop:file { getattr open };
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..b73f830
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,4 @@
+type batch_io_device, dev_type;
+
+# sysfs types
+type sysfs_graphics, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 01e6921..480f580 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1 +1,7 @@
 /cpefs(/.*)? u:object_r:efs_file:s0
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/fimg2d u:object_r:video_device:s0
+
+# Sensors
+/dev/batch_io u:object_r:batch_io_device:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..c961f81
--- /dev/null
+++ b/sepolicy/genfs_contexts
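Review bot: `allow bootanim device:chr_file { getattr ioctl };` grants access to the catch-all `device` type, i.e. a /dev node that carries no specific label, and the same pattern recurs in hal_keymaster_default (`device:chr_file ioctl`), init (`device:chr_file ioctl`), installd, netd and zygote (`device:file`) and kernel (`device:dir write`). Each of these works around a missing label instead of fixing it, and because `device` covers every unlabeled node the grant is wider than the denial it answers. The approach this commit already takes for /dev/mali0 and /dev/umts_ipc0 is the right one: add the node to file_contexts with a dedicated type and allow that type, using the `path=` from the audit line. The base policy may also carry neverallow rules on the generic `device` type, so some of these could fail at build time — confirm against the tree this is merged into.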
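Review bot: `batch_io_device` is declared here and applied to /dev/batch_io in file_contexts, but no rule in this patch lets any domain use the new type; once the node is relabeled away from `device`, whichever process opens it will presumably hit a fresh denial. The `# Sensors` comment in file_contexts suggests the sensor HAL is the consumer, in which case hal_sensors_default.te wants something like `allow hal_sensors_default batch_io_device:chr_file rw_file_perms;` — confirm the actual domain from the audit log before adding it. A comment naming the node (`# /dev/batch_io`) above the type declaration would match the style used for `sysfs_graphics` just below it.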
@@ -0,0 +1,2 @@
+# LED
+genfscon sysfs /devices/virtual/sec/led/led_blink u:object_r:sysfs_graphics:s0
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
new file mode 100644
index 0000000..8755bcd
--- /dev/null
+++ b/sepolicy/hal_audio_default.te
@@ -0,0 +1,3 @@
+allow hal_audio_default efs_file:dir search;
+allow hal_audio_default efs_file:file { open read };
+allow hal_audio_default property_socket:sock_file write;
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..c9ea2de
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1 @@
+allow hal_bluetooth_default efs_file:file { open read };
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..c1adea5
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
@@ -0,0 +1 @@
+allow hal_camera_default vndbinder_device:chr_file read;
diff --git a/sepolicy/hal_gatekeeper_default.te b/sepolicy/hal_gatekeeper_default.te
new file mode 100644
index 0000000..c3ce50e
--- /dev/null
+++ b/sepolicy/hal_gatekeeper_default.te
@@ -0,0 +1,2 @@
+allow hal_gatekeeper_default efs_file:file { open read };
+allow hal_gatekeeper_default tee_device:chr_file { open read write };
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..0d67dbd
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,8 @@
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { create read };
+allow hal_graphics_composer_default servicemanager:binder call;
+allow hal_graphics_composer_default sysfs:file read;
+allow hal_graphics_composer_default vendor_data_file:file append;
+allow hal_graphics_composer_default vndbinder_device:chr_file read;
+
+# /dev/fimg2d
+allow hal_graphics_composer_default video_device:chr_file ioctl;
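Review bot: `allow hal_audio_default property_socket:sock_file write;` on the third line is only one of the three permissions a property set needs; without `init:unix_stream_socket connectto` and `<prop_type>:property_service set` the HAL will still fail, just with a different denial on the next boot. The idiomatic form is the base policy's macro with the specific property type taken from that follow-up denial, e.g. `set_prop(hal_audio_default, <vendor_prop_type>)`, which grants exactly that set and keeps the writable property name bounded. If the property is vendor-specific, declaring a dedicated property type for it is preferable to widening an existing framework type.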
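Review bot: `allow hal_bluetooth_default efs_file:file { open read };` grants the file open but not `efs_file:dir search`, which hal_audio_default in the previous hunk needed to reach the same /cpefs tree; hal_gatekeeper_default two hunks down has the same shape. If the directory search is already granted elsewhere in the device policy these rules are fine, otherwise they cannot be exercised on their own and the next round of denials will ask for it — worth checking now rather than iterating. Since three HALs read /cpefs, a short comment in each file naming which entries under it the HAL needs would make later tightening to a narrower type possible.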
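Review bot: `allow hal_graphics_composer_default servicemanager:binder call;` on the second line lets a vendor HAL talk to the framework servicemanager, which is the Treble boundary vendor processes are meant to stay behind (vendor code is expected to use vndbinder and vndservicemanager). Recent base policies cover this with a neverallow that fails the policy build unless the domain is explicitly marked as a binder violator, so it is worth finding out which framework service the composer is looking up and whether it is needed at all. The adjacent `vndbinder_device:chr_file read` is normally granted through the `vndbinder_use()` macro, which also provides the open/write/ioctl side a binder client needs; a bare `read` (also used for hal_camera_default in the previous hunk) looks like a transcription of one denial rather than the working set. The `vendor_data_file:file append` grant is broad for a composer — if it is a log file, a dedicated type under /data/vendor would confine it.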
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
new file mode 100644
index 0000000..64e4b19
--- /dev/null
+++ b/sepolicy/hal_health_default.te
@@ -0,0 +1 @@
+allow hal_health_default sysfs:file { getattr open read };
diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te
new file mode 100644
index 0000000..ce78258
--- /dev/null
+++ b/sepolicy/hal_keymaster_default.te
@@ -0,0 +1 @@
+allow hal_keymaster_default device:chr_file ioctl;
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644
index 0000000..452fcde
--- /dev/null
+++ b/sepolicy/hal_sensors_default.te
@@ -0,0 +1,5 @@
+allow hal_sensors_default efs_file:dir search;
+allow hal_sensors_default sysfs:file { read write getattr open };
+
+# sensor_device
+allow hal_sensors_default sensor_device:chr_file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..ee399e9
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,15 @@
+allow init device:chr_file ioctl;
+allow init rild:unix_stream_socket connectto;
+allow init self:netlink_kobject_uevent_socket { create setopt };
+allow init socket_device:sock_file create;
+allow init sysfs_devices_system_cpu:file write;
+allow init vendor_data_file:fifo_file write;
+allow init vendor_data_file:file append;
+allow init dnsproxyd_socket:sock_file write;
+allow init fwk_sensor_hwservice:hwservice_manager find;
+allow init hwservicemanager:binder call;
+allow init netd:unix_stream_socket connectto;
+allow init self:tcp_socket create;
+
+# LED
+allow init sysfs_graphics:file { open read write };
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..702e5ad
--- /dev/null
+++ b/sepolicy/installd.te
@@ -0,0 +1 @@
+allow installd device:file write;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..9f9de3a
--- /dev/null
+++ b/sepolicy/kernel.te
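Review bot: `allow hal_sensors_default sysfs:file { read write getattr open };` on the second line grants write access to the generic `sysfs` type, which is every sysfs node that has no specific label; hal_health_default, mediacodec and hal_graphics_composer_default add read-only grants on the same type in their hunks. Writes in particular deserve a dedicated label: the commit already does this for the LED node with `genfscon sysfs ... u:object_r:sysfs_graphics:s0`, and a matching genfs_contexts entry plus a sensor-specific `sysfs_type` would confine the HAL to the nodes it actually tunes. The `path=` field of the audit line gives the exact node to label.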
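Review bot: the grants in the init.te hunk — `hwservicemanager:binder call`, `fwk_sensor_hwservice:hwservice_manager find`, `self:tcp_socket create`, `connectto` on rild and netd, `dnsproxyd_socket:sock_file write` — describe a service doing network and HwBinder work, not init itself, and netd.te later in the patch adds `init:tcp_socket { read write }` for the other end of that socket. The likely cause is a vendor daemon started from an .rc file that has no domain of its own and inherits init's, which leaves it running under the most privileged userspace label; the fix is a file_contexts entry for its binary plus `init_daemon_domain()` so it transitions at exec, after which these rules move to that domain. Current base policies neverallow init using binder or finding hwservices, so this file may not build as written — confirm against the tree. The remaining lines (`sysfs_devices_system_cpu:file write`, the LED rule) are plausible for init's own .rc `write` commands.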
@@ -0,0 +1,2 @@
+allow kernel device:dir write;
+allow kernel efs_file:file open;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..0be4af4
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec sysfs:file { getattr open read };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..5051d72
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,3 @@
+allow netd device:file write;
+allow netd self:capability sys_module;
+allow netd init:tcp_socket { read write };
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..8a50549
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow platform_app gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..9bd1bc6
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow priv_app gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..b660636
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,6 @@
+allow rild init:file read;
+allow rild proc_net:file write;
+allow rild vendor_data_file:file { getattr read write open };
+
+# /dev/umts_ipc0
+allow rild radio_device:chr_file ioctl;
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 0000000..fe57529
--- /dev/null
+++ b/sepolicy/shell.te
@@ -0,0 +1 @@
+allow shell proc:file getattr;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..c4dd4ad
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow surfaceflinger gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..bfee089
--- /dev/null
+++ b/sepolicy/system_app.te
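Review bot: `allow kernel efs_file:file open;` and `allow kernel device:dir write;` widen the kernel domain, which normally only kernel threads and the pre-policy-load part of early init run in; userspace code reaching /cpefs or creating entries in /dev from that domain usually means a process that forked before its domain transition, or a firmware/loop request serviced by a kernel thread. The `comm=` and `pid=` fields of the denial say which it is; if it is a userspace daemon, the proper fix is the domain transition rather than a grant on `kernel`. A one-line comment above each rule naming the triggering component would keep this file from accumulating unexplained kernel grants.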
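Review bot: `allow netd self:capability sys_module;` on the second line gives netd the ability to load kernel modules, far more than it needs for routing and firewall setup. This denial is typically a side effect of the kernel auto-loading a netfilter or tun module through request_module when netd configures it; the usual answers are to build those modules into the kernel, or to `dontaudit netd self:capability sys_module;` since the autoload proceeds through the kernel's own path regardless. Recent base policies also restrict sys_module to init and vendor_init with a neverallow, so the allow may not build. The third line, `init:tcp_socket { read write }`, is the counterpart of the `self:tcp_socket create` added to init.te and points at the same undomained vendor service.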
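Review bot: `allow platform_app gpu_device:chr_file { ioctl read write };` and the parallel rules in priv_app, system_app, surfaceflinger, untrusted_app, untrusted_app_25 and untrusted_app_27 each carry a different permission set (`ioctl` alone for untrusted_app_25, `{ ioctl open read write }` for untrusted_app), which suggests they were transcribed from whichever denial fired first rather than from what the GPU driver needs. Now that /dev/mali0 is labeled gpu_device in file_contexts, the base policy's existing appdomain and surfaceflinger grants on gpu_device may already cover all of them, in which case these seven files are redundant; if a grant is still needed, one consistent `rw_file_perms` set is easier to audit than seven variants. Rebuilding with these files removed would show which denials, if any, remain.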
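Review bot: `allow rild proc_net:file write;` on the second line is a write grant over the whole `proc_net` type (/proc/net and the /proc/sys/net tunables), and `allow rild init:file read;` reads init's own /proc entries; neither tells a later reader what the RIL actually touches. The audit line's `path=` gives the exact node: if it is a single /proc/sys/net tunable, a dedicated genfs label (as this commit does for the LED node) would confine the write, and if rild only reads it the rule should drop `write`. A comment naming the path above each of these two rules, in the style of the `# /dev/umts_ipc0` comment already in this hunk, would be enough to keep them reviewable.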
@@ -0,0 +1,4 @@
+allow system_app proc_pagetypeinfo:file { getattr open read };
+
+# /dev/mali0
+allow system_app gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..685cfce
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,11 @@
+# /sys/kernel/debug/mali/mem
+# allow system_server debugfs:dir { open read };
+# allow system_server debugfs:file { open read };
+
+# /dev/mali0
+allow system_server gpu_device:chr_file { ioctl read write };
+
+# memtrack HAL
+allow system_server debugfs:dir r_dir_perms;
+allow system_server debugfs_mali:dir r_dir_perms;
+allow system_server debugfs_mali:file r_file_perms;
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
new file mode 100644
index 0000000..57dec0a
--- /dev/null
+++ b/sepolicy/toolbox.te
@@ -0,0 +1 @@
+allow toolbox ram_device:blk_file { open read write };
\ No newline at end of file
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..71b786b
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow untrusted_app gpu_device:chr_file { ioctl open read write };
diff --git a/sepolicy/untrusted_app_25.te b/sepolicy/untrusted_app_25.te
new file mode 100644
index 0000000..89c5763
--- /dev/null
+++ b/sepolicy/untrusted_app_25.te
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow untrusted_app_25 gpu_device:chr_file ioctl;
diff --git a/sepolicy/untrusted_app_27.te b/sepolicy/untrusted_app_27.te
new file mode 100644
index 0000000..037e6c6
--- /dev/null
+++ b/sepolicy/untrusted_app_27.te
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow untrusted_app_27 gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..25ee73f
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote device:file { open write };
--
2.20.1
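Review bot: `allow system_app proc_pagetypeinfo:file { getattr open read };` exposes /proc/pagetypeinfo to system apps; the base policy carved `proc_pagetypeinfo` out of the generic `proc` type specifically so it could be restricted, so check whether an appdomain neverallow on it exists in the tree, since the rule would then fail the build. If a particular system app genuinely needs physical page layout data, a comment naming that app and why would justify the exception; otherwise a `dontaudit` silences the log without granting the read.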
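Review bot: the two commented-out `# allow system_server debugfs:...` lines at the top of the system_server.te hunk are superseded by the live `debugfs:dir r_dir_perms` and `debugfs_mali` rules below them and should be deleted rather than kept as dead policy. `debugfs_mali` is not declared in this patch's file.te, so the rules rely on the type existing elsewhere in the device policy — confirm, or the build fails on an unknown type. Recent releases also stop mounting debugfs on user builds and restrict `debugfs_type` access outside debug domains, so the memtrack path may need a `userdebug_or_eng()` guard or a non-debugfs source for GPU memory statistics.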
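Review bot: `allow toolbox ram_device:blk_file { open read write };` grants raw write access to RAM block devices to the shared toolbox domain, so every toolbox applet run from init inherits it; the denial presumably comes from a single .rc command, and a comment above the rule naming it (and dropping `write` if that command only reads) would keep the grant explainable. The file is also missing its trailing newline (`\ No newline at end of file`), unlike the other new .te files in this patch.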