Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.
Change-Id: I7573fdb24f9c53ad169bce2aeab1baac8b2a11ea
Bionic commit 8fdb3419a51ffeda64f9c811f22a42edf9c7f633 modified how we
handle shared libraries with text relocations, which triggered
an execmod denial when handling /system/vendor/lib/libmmjpeg.so.
Allow the mediaserver process to load shared libraries with text
relocations.
STEPS TO REPRODUCE:
1.Flash and Factory wipe the device.
2.Launch Camera.
3.Capture image tapping on shutter button and observe.
4.Then try to switch to video mode and observe.
OBSERVED RESULTS:
Shutter button gets disabled on capturing a picture and then
switching to video mode displays 'Can't connect to camera error'
EXPECTED RESULTS:
Camera should work without any error.
Addresses the following denial:
avc: denied { execmod } for path="/system/vendor/lib/libmmjpeg.so" dev="mmcblk0p25" ino=1734 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=file
Bug: 20081970
Bug: 20013628
Change-Id: Ie98e7316bd124d58ebb1c529acc865074c8851e6
Addresses denials such as:
avc: denied { ioctl } for pid=31771 comm="mediaserver" path="socket:[217520]" dev="sockfs" ino=217520 scontext=u:r:mediaserver:s0 tcontext=u:r:mediaserver:s0 tclass=socket
We may want to take this to core policy.
Change-Id: I633346feac8f16bea15df6924cf9ec856ae95e79
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Bring policy over from the mako board which
has a lot of similar domains and services.
mako is also a Qualcomm board which allows
a lot of that policy to be directly brought
over and applied.
Included in this are some radio specific
pieces. Though not directly applicable to
flo, the deb board inherits this policy.
Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f
Jeff Vander Stoep
Nick Kralevich
Stephen Smalley
Robert Craig