Piteball
/
android_device_asus_flo
mirror of https://github.com/followmsi/android_device_asus_flo.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
2,200 Commits 32 Branches 3 Tags 144 MiB
Commit Graph

138 Commits

Author SHA1 Message Date
Robert Craig 62d77eeceb Address SELinux denials with rild. 
Allow r/w access to /dev/diag on userdebug/eng builds.
  avc:  denied  { read write } for  pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
  avc:  denied  { open } for  pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file

Grant radio sockets access to rild.
  avc:  denied  { write } for  pid=323 comm="rild" name="qmux_radio" dev="tmpfs" ino=1053 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
  avc:  denied  { write } for  pid=323 comm="rild" name="qmux_connect_socket" dev="tmpfs" ino=1309 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
  avc:  denied  { connectto } for  pid=323 comm="rild" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:rild:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket

Change-Id: I89f7531fb006bfcae9f97b979fba61f3ed6badde
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
 2014-02-20 19:52:09 -05:00
Robert Craig 1a5c4ac50a Make conn_init domain enforcing. 
Change-Id: I52d22c9551e3608bf920d67c1debf15c505de4d2
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
 2014-02-20 22:24:12 +00:00
Robert Craig e68c94dd3b Make kickstart domain enforcing. 
Change-Id: If95807ed6adfc7064f8fb699867d23247c1675a5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
 2014-02-20 21:55:12 +00:00
Nick Kralevich 5a78321c12 Merge "SELinux policy for rmt_storage process." 2014-02-20 21:27:56 +00:00
Robert Craig 9a5556ff39 SELinux policy for rmt_storage process. 
Initial policy helps address some of the following denials:

Wake lock access:
    avc:  denied  { append } for  pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
    avc:  denied  { open } for  pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file

Capabilities (dropping uid and gid):
    avc:  denied  { setgid } for  pid=171 comm="rmt_storage" capability=6  scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
    avc:  denied  { setuid } for  pid=171 comm="rmt_storage" capability=7  scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability

Cgroup controls:
    avc:  denied  { add_name } for  pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
    avc:  denied  { create } for  pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

Socket creation:
    avc:  denied  { read } for  pid=209 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc:  denied  { create } for  pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc:  denied  { ioctl } for  pid=169 comm="rmt_storage" path="socket:[7463]" dev="sockfs" ino=7463 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc:  denied  { setopt } for  pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc:  denied  { bind } for  pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc:  denied  { read } for  pid=210 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket

Access to certian modem and root block devices:
    avc:  denied  { read } for  pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    avc:  denied  { open } for  pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file

Change-Id: Ia01257891eb2315632cef45dde7a099c3c042432
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
 2014-02-19 20:31:35 -05:00
Nick Kralevich bbb6185676 Revert "Temporarily move kickstart into permissive." 
The underlying bug has been fixed. Move it back to
permissive_or_unconfined()

This reverts commit a43299d411.

Change-Id: Ic3a8f37baeffe3359b433156b5499b88735faf52
 2014-02-19 16:59:37 -08:00
Robert Craig 78c3127390 Add SELinux policy for kickstart denials. 
Access to m9kefs* block devices.
    avc: denied { getattr } for pid=215 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    avc: denied { setattr } for pid=216 comm="chown" name="mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file

Change owner and perms on /dev/block/platform/msm_sdcc.1/by-name/m9kefs*
    avc: denied { chown } for pid=216 comm="chown" capability=0 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability
    avc: denied { fowner } for pid=220 comm="chmod" capability=3 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability

Label and give access to specific rmnet usb files.
    avc: denied { write } for pid=182 comm="sh" name="rmnet_data_init" dev="sysfs" ino=4275 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I2a1edda0efdfc57615c56c61ee446c343d7d875b
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
 2014-02-19 19:43:30 -05:00
Nick Kralevich a43299d411 Temporarily move kickstart into permissive. 
User builds of deb are currently hanging on boot, due to various
kickstart denials. https://android-review.googlesource.com/81942
partially fixes this but not entirely.

Root cause is https://android-review.googlesource.com/81990

Works around the following denials:
<5>[    6.355163] type=1400 audit(1392852942.902:4): avc:  denied  { getattr } for  pid=202 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[    6.362487] type=1400 audit(1392852942.912:5): avc:  denied  { setattr } for  pid=208 comm="chown" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[    8.621612] type=1400 audit(1392852945.174:12): avc:  denied  { read } for  pid=259 comm="qcks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[   20.165863] type=1400 audit(1392852956.715:14): avc:  denied  { getattr } for  pid=670 comm="ks" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[   20.166076] type=1400 audit(1392852956.715:15): avc:  denied  { write } for  pid=670 comm="ks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[   20.166290] type=1400 audit(1392852956.715:16): avc:  denied  { open } for  pid=670 comm="ks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.678436] type=1400 audit(1392852716.202:5): avc:  denied  { getattr } for  pid=206 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7563 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.686309] type=1400 audit(1392852716.212:6): avc:  denied  { getattr } for  pid=222 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7563 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.691833] type=1400 audit(1392852716.222:7): avc:  denied  { getattr } for  pid=224 comm="sh" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.699279] type=1400 audit(1392852716.232:8): avc:  denied  { getattr } for  pid=226 comm="sh" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.705566] type=1400 audit(1392852716.232:9): avc:  denied  { getattr } for  pid=228 comm="sh" path="/dev/block/mmcblk0p7" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.711700] type=1400 audit(1392852716.242:10): avc:  denied  { getattr } for  pid=230 comm="sh" path="/dev/block/mmcblk0p7" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.718475] type=1400 audit(1392852716.242:11): avc:  denied  { getattr } for  pid=233 comm="sh" path="/dev/block/mmcblk0p28" dev="tmpfs" ino=7655 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[    6.723510] type=1400 audit(1392852716.252:12): avc:  denied  { getattr } for  pid=235 comm="sh" path="/dev/block/mmcblk0p28" dev="tmpfs" ino=7655 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file

Bug: 13100319
Change-Id: If29e9ca63b4df946c2e3b29ec707a27a8ab79aa4
 2014-02-19 15:56:49 -08:00
Stephen Smalley b7ca5a706c Add file_contexts entries for socket files. 
So that we do not relabel them on a restorecon -R /data.

Change-Id: Ibf51efcbe8fed395b214ee81c097c4b04d4ce335
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2014-02-04 15:58:27 -05:00
Nick Kralevich 4088242582 Make conn_init an init_daemon_domain 
Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
 2014-01-24 20:31:42 -08:00
Nick Kralevich b35de50e3c Use permissive_or_unconfined. 
please see external/sepolicy commit 623975fa5aece708032aaf29689d73e1f3a615e7
for details.

Change-Id: I23175a2982d7bdb962182b9b667d3767533b78d1
 2014-01-13 15:49:07 -08:00
Nick Kralevich d41065d4c0 sensors: allow dac_override 
Same issue as device/lge/hammerhead commit
9ae16c2016141cc578a4bd7f6baa69f39e1900c9 . Screen rotation
is broken. Allowing dac_override fixes it.

Change-Id: Ia8dfb27306f543db88cf38f457c76ff3969f6943
 2014-01-07 09:25:12 -08:00
Nick Kralevich 5c583986b8 Merge "Drop permissive constraint from sensors policy." 2014-01-04 01:43:06 +00:00
Nick Kralevich 8ceb5a3e69 Merge "Drop permissive constraint from qmux policy." 2014-01-04 01:42:24 +00:00
Nick Kralevich 6a7f0ee68b Merge "Drop permissive constraint from bridge policy." 2014-01-04 01:41:01 +00:00
Nick Kralevich c621314486 Merge "Drop permissive constraint from bluetooth policy." 2014-01-03 23:17:50 +00:00
Stephen Smalley 82b253eb78 Add execmem to camera domain. 
Removed from domain so we need to add it back to individual domains
as required.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2013-12-20 08:32:55 -05:00
Nick Kralevich a37cbdbfff initial irsc_util domain 
Initially unconfined and enforcing.

Change-Id: I49be1c53afb1f91836d5e49dbce84c4a0c789478
 2013-12-18 12:46:24 -08:00
Stephen Smalley c2fadc12a1 Move gpu_device type and rules to core policy. 
Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2013-12-12 09:20:38 -05:00
Nick Kralevich 8040f4bb07 Merge "Drop permissive constraint from mpdecision policy." 2013-12-11 17:30:53 +00:00
Nick Kralevich 81063f921f Merge "Drop permissive constraint from thermald policy." 2013-12-11 17:30:31 +00:00
Nick Kralevich 4ac328eb82 allow gpu execute for all app domains. 
Addresses the following denial:

<5>[ 134.548725] type=1400 audit(1386010731.878:48): avc: denied { execute } for pid=3603 comm="droid.gallery3d" path="/dev/kgsl-3d0" dev="t

Bug: 11967400
Change-Id: Ie7813df171bc29ae12cd394621e8e20f13bb84dc
 2013-12-02 16:55:39 -08:00
Nick Kralevich deb46484ec Fix camera denials. 
Addresses the following denials on deb:

<5>[  143.947113] type=1400 audit(1385421268.456:43): avc:  denied  { read write } for  pid=2664 comm="mm-qcamera-daem" name="kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
<5>[  143.947296] type=1400 audit(1385421268.456:44): avc:  denied  { open } for  pid=2664 comm="mm-qcamera-daem" name="kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
<5>[  143.947814] type=1400 audit(1385421268.456:45): avc:  denied  { ioctl } for  pid=2664 comm="mm-qcamera-daem" path="/dev/kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Change-Id: I801a52d1b7677e9a18ccabcd57b2f555488ac6c9
 2013-11-25 15:14:49 -08:00
Nick Kralevich 191280412d Merge "SELinux policy updates." 2013-11-25 22:45:28 +00:00
Robert Craig df2aa61a2d SELinux policy updates. 
* Make gpu_device a trusted object since all apps can
  write to the device.
    denied  { write } for  pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

* Drop dead type mpdecision_device.

* Create policy for mm-pp-daemon and keep it permissive.
  Address the following initial denials.
    denied  { write } for  pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
    denied  { connectto } for  pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
    denied  { read write } for  pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
    denied  { open } for  pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
    denied  { ioctl } for  pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file

* Add kickstart_exec labels for kickstart binaries
  that are used by deb devices.

* Add tee policy. Label /data/misc/playready and
  allow tee access.
    denied  { write } for  pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
    denied  { read } for  pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
    denied  { create } for  pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { search } for  pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { read } for  pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { write } for  pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
    denied  { create } for  pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
    denied  { read write open } for  pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file

* Give surfaceflinger access to /dev/socket/pps and allow
  access to certain sysfs nodes.
    denied  { write } for  pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file
    denied  { write } for  pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3
 2013-11-25 11:43:49 -05:00
Robert Craig be1065dfbd Drop permissive constraint from thermald policy. 
Change-Id: Ie4f658964a9e374dfbec38b57cc9f2db8940fcea
 2013-11-25 08:41:23 -05:00
Robert Craig d8a2aa32db Drop permissive constraint from sensors policy. 
Change-Id: Ia1744f0df3e797f12111965971cb5f006f9b346c
 2013-11-25 08:40:48 -05:00
Robert Craig cbda2333ad Drop permissive constraint from qmux policy. 
Change-Id: I0ebd460d121e8fa653abff829a096b48d82b62f1
 2013-11-25 08:40:20 -05:00
Robert Craig 9dbd7c0c0b Drop permissive constraint from mpdecision policy. 
Change-Id: I5e93b63498db9fbdacdb5b63ca5d03dfebeb00e0
 2013-11-25 08:39:14 -05:00
Robert Craig ab5859fd0a Drop permissive constraint from camera policy. 
Change-Id: Ieef883633910d73a8f09bccb912c53428998543d
 2013-11-25 08:37:38 -05:00
Robert Craig 30e271311e Drop permissive constraint from bridge policy. 
Change-Id: I3b13eeeec011e80811890b88dbab179c2540e1e9
 2013-11-25 08:37:05 -05:00
Robert Craig 7a0c294c8b Drop permissive constraint from bluetooth policy. 
Change-Id: I9580fb6af2591a9b16a76d730b5dcedf95614cd1
 2013-11-25 08:36:24 -05:00
Robert Craig 9d6624a0b5 Add to selinux policy. 
Bring policy over from the mako board which
has a lot of similar domains and services.
mako is also a Qualcomm board which allows
a lot of that policy to be directly brought
over and applied.

Included in this are some radio specific
pieces. Though not directly applicable to
flo, the deb board inherits this policy.

Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f
 2013-11-15 14:24:59 -05:00
Robert Craig 6e899c8568 Create new security labels for device nodes. 
Labeling nodes with appropriate types doesn't
introduce any new denials to the mix. This
list largely addresses the Qualcomm specific
nodes.

Various nodes are labeled with radio specific
types. Since the deb build inherits from this flo
policy, it is a good idea to include them.

Change-Id: Ia55a80af027c8bde933d45c41f4ed287f01adb2e
 2013-11-14 13:10:30 -08:00
Robert Craig c1dd2c8312 Label kgsl (graphics) nodes. 
Created a new label and addressed the following denials.

* For system server
    denied  { read write } for  pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    denied  { open } for  pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    denied  { ioctl } for  pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file

* For surfaceflinger
    denied  { ioctl } for  pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    denied  { read write } for  pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file

* For app domains
    denied  { read write } for  pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    denied  { open } for  pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    denied  { ioctl } for  pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file

Change-Id: I417bbd12fbdc17cd3d1110dcf3bff73dd5e385a4
 2013-11-14 13:01:50 -08:00
Nick Kralevich 226d605c9d fix broken wifi on flo/deb 
00739e3d14f2f1ea9240037283c3edd836d2aa2f in external/sepolicy
moved ueventd into enforcing. This broke wifi on flo/deb.
Fix it.

This addresses the following denials:

<5>[  219.755523] type=1400 audit(1384456650.969:107): avc:  denied  { search } for  pid=2868 comm="ueventd" name="wifi" dev="mmcblk0p30" ino=637740 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=dir
<5>[  219.755706] type=1400 audit(1384456650.969:108): avc:  denied  { read } for  pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
<5>[  219.755889] type=1400 audit(1384456650.969:109): avc:  denied  { open } for  pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
<5>[  219.756134] type=1400 audit(1384456650.969:110): avc:  denied  { getattr } for  pid=2868 comm="ueventd" path="/data/misc/wifi/WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file

Bug: 11688129
Change-Id: Ice0d3432010cfbbce88dd0ede013af3b2297d3d6
 2013-11-14 11:13:15 -08:00
Nick Kralevich 40b7b28ddf Move rmt into its own domain. 
Don't run rmt in init's domain. /system/bin/rmt_storage
is a qualcomm specific daemon responsible for servicing modem
filesystem requests. It doesn't make sense to run rmt_storage
in init's domain, as doing so prevents us from fine tuning
its policy.

Keep the domain in permissive mode right now until we address
the following denials:

<5>[    7.497467] type=1400 audit(1383939680.983:5): avc:  denied  { read write } for  pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
<5>[    7.497741] type=1400 audit(1383939680.983:6): avc:  denied  { open } for  pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file

We still need to get a better understanding of what rmt_storage
does and what rules should be applied to it.

Change-Id: I45d03fb93870f1b4bb64215f5dcd9a2a443f5566
 2013-11-08 12:35:41 -08:00
Nick Kralevich 203fd0df67 Label /dev/qseecom 
Otherwise keystore in enforcing is broken.

Bug: 11518274
Change-Id: I10ead7cabe794d1752a8cba4dc3193217aad7805
 2013-11-06 15:22:32 -08:00