Robert Craig
62d77eeceb
Address SELinux denials with rild.
...
Allow r/w access to /dev/diag on userdebug/eng builds.
avc: denied { read write } for pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
avc: denied { open } for pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
Grant radio sockets access to rild.
avc: denied { write } for pid=323 comm="rild" name="qmux_radio" dev="tmpfs" ino=1053 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
avc: denied { write } for pid=323 comm="rild" name="qmux_connect_socket" dev="tmpfs" ino=1309 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
avc: denied { connectto } for pid=323 comm="rild" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:rild:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
Change-Id: I89f7531fb006bfcae9f97b979fba61f3ed6badde
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-20 19:52:09 -05:00
Robert Craig
1a5c4ac50a
Make conn_init domain enforcing.
...
Change-Id: I52d22c9551e3608bf920d67c1debf15c505de4d2
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-20 22:24:12 +00:00
Robert Craig
e68c94dd3b
Make kickstart domain enforcing.
...
Change-Id: If95807ed6adfc7064f8fb699867d23247c1675a5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-20 21:55:12 +00:00
Nick Kralevich
5a78321c12
Merge "SELinux policy for rmt_storage process."
2014-02-20 21:27:56 +00:00
Robert Craig
9a5556ff39
SELinux policy for rmt_storage process.
...
Initial policy helps address some of the following denials:
Wake lock access:
avc: denied { append } for pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
avc: denied { open } for pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
Capabilities (dropping uid and gid):
avc: denied { setgid } for pid=171 comm="rmt_storage" capability=6 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
avc: denied { setuid } for pid=171 comm="rmt_storage" capability=7 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
Cgroup controls:
avc: denied { add_name } for pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
avc: denied { create } for pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
Socket creation:
avc: denied { read } for pid=209 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
avc: denied { create } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
avc: denied { ioctl } for pid=169 comm="rmt_storage" path="socket:[7463]" dev="sockfs" ino=7463 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
avc: denied { setopt } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
avc: denied { bind } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
avc: denied { read } for pid=210 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
Access to certain modem and root block devices:
avc: denied { read } for pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
avc: denied { open } for pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
Change-Id: Ia01257891eb2315632cef45dde7a099c3c042432
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-19 20:31:35 -05:00
Nick Kralevich
bbb6185676
Revert "Temporarily move kickstart into permissive."
...
The underlying bug has been fixed. Move it back to
permissive_or_unconfined()
This reverts commit a43299d411.
Change-Id: Ic3a8f37baeffe3359b433156b5499b88735faf52
2014-02-19 16:59:37 -08:00
Robert Craig
78c3127390
Add SELinux policy for kickstart denials.
...
Access to m9kefs* block devices.
avc: denied { getattr } for pid=215 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
avc: denied { setattr } for pid=216 comm="chown" name="mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
Change owner and perms on /dev/block/platform/msm_sdcc.1/by-name/m9kefs*
avc: denied { chown } for pid=216 comm="chown" capability=0 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability
avc: denied { fowner } for pid=220 comm="chmod" capability=3 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability
Label and give access to specific rmnet usb files.
avc: denied { write } for pid=182 comm="sh" name="rmnet_data_init" dev="sysfs" ino=4275 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I2a1edda0efdfc57615c56c61ee446c343d7d875b
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-19 19:43:30 -05:00
Nick Kralevich
a43299d411
Temporarily move kickstart into permissive.
...
User builds of deb are currently hanging on boot, due to various
kickstart denials. https://android-review.googlesource.com/81942
partially fixes this but not entirely.
Root cause is https://android-review.googlesource.com/81990
Works around the following denials:
<5>[ 6.355163] type=1400 audit(1392852942.902:4): avc: denied { getattr } for pid=202 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[ 6.362487] type=1400 audit(1392852942.912:5): avc: denied { setattr } for pid=208 comm="chown" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[ 8.621612] type=1400 audit(1392852945.174:12): avc: denied { read } for pid=259 comm="qcks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[ 20.165863] type=1400 audit(1392852956.715:14): avc: denied { getattr } for pid=670 comm="ks" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[ 20.166076] type=1400 audit(1392852956.715:15): avc: denied { write } for pid=670 comm="ks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
<5>[ 20.166290] type=1400 audit(1392852956.715:16): avc: denied { open } for pid=670 comm="ks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.678436] type=1400 audit(1392852716.202:5): avc: denied { getattr } for pid=206 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7563 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.686309] type=1400 audit(1392852716.212:6): avc: denied { getattr } for pid=222 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7563 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.691833] type=1400 audit(1392852716.222:7): avc: denied { getattr } for pid=224 comm="sh" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.699279] type=1400 audit(1392852716.232:8): avc: denied { getattr } for pid=226 comm="sh" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.705566] type=1400 audit(1392852716.232:9): avc: denied { getattr } for pid=228 comm="sh" path="/dev/block/mmcblk0p7" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.711700] type=1400 audit(1392852716.242:10): avc: denied { getattr } for pid=230 comm="sh" path="/dev/block/mmcblk0p7" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.718475] type=1400 audit(1392852716.242:11): avc: denied { getattr } for pid=233 comm="sh" path="/dev/block/mmcblk0p28" dev="tmpfs" ino=7655 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[ 6.723510] type=1400 audit(1392852716.252:12): avc: denied { getattr } for pid=235 comm="sh" path="/dev/block/mmcblk0p28" dev="tmpfs" ino=7655 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
Bug: 13100319
Change-Id: If29e9ca63b4df946c2e3b29ec707a27a8ab79aa4
2014-02-19 15:56:49 -08:00
Stephen Smalley
b7ca5a706c
Add file_contexts entries for socket files.
...
So that we do not relabel them on a restorecon -R /data.
Change-Id: Ibf51efcbe8fed395b214ee81c097c4b04d4ce335
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-04 15:58:27 -05:00
Nick Kralevich
4088242582
Make conn_init an init_daemon_domain
...
Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-24 20:31:42 -08:00
Nick Kralevich
b35de50e3c
Use permissive_or_unconfined.
...
please see external/sepolicy commit 623975fa5aece708032aaf29689d73e1f3a615e7
for details.
Change-Id: I23175a2982d7bdb962182b9b667d3767533b78d1
2014-01-13 15:49:07 -08:00
Nick Kralevich
d41065d4c0
sensors: allow dac_override
...
Same issue as device/lge/hammerhead commit
9ae16c2016141cc578a4bd7f6baa69f39e1900c9 . Screen rotation
is broken. Allowing dac_override fixes it.
Change-Id: Ia8dfb27306f543db88cf38f457c76ff3969f6943
2014-01-07 09:25:12 -08:00
Nick Kralevich
5c583986b8
Merge "Drop permissive constraint from sensors policy."
2014-01-04 01:43:06 +00:00
Nick Kralevich
8ceb5a3e69
Merge "Drop permissive constraint from qmux policy."
2014-01-04 01:42:24 +00:00
Nick Kralevich
6a7f0ee68b
Merge "Drop permissive constraint from bridge policy."
2014-01-04 01:41:01 +00:00
Nick Kralevich
c621314486
Merge "Drop permissive constraint from bluetooth policy."
2014-01-03 23:17:50 +00:00
Stephen Smalley
82b253eb78
Add execmem to camera domain.
...
Removed from domain so we need to add it back to individual domains
as required.
Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-20 08:32:55 -05:00
Nick Kralevich
a37cbdbfff
initial irsc_util domain
...
Initially unconfined and enforcing.
Change-Id: I49be1c53afb1f91836d5e49dbce84c4a0c789478
2013-12-18 12:46:24 -08:00
Stephen Smalley
c2fadc12a1
Move gpu_device type and rules to core policy.
...
Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-12 09:20:38 -05:00
Nick Kralevich
8040f4bb07
Merge "Drop permissive constraint from mpdecision policy."
2013-12-11 17:30:53 +00:00
Nick Kralevich
81063f921f
Merge "Drop permissive constraint from thermald policy."
2013-12-11 17:30:31 +00:00
Nick Kralevich
4ac328eb82
allow gpu execute for all app domains.
...
Addresses the following denial:
<5>[ 134.548725] type=1400 audit(1386010731.878:48): avc: denied { execute } for pid=3603 comm="droid.gallery3d" path="/dev/kgsl-3d0" dev="t
Bug: 11967400
Change-Id: Ie7813df171bc29ae12cd394621e8e20f13bb84dc
2013-12-02 16:55:39 -08:00
Nick Kralevich
deb46484ec
Fix camera denials.
...
Addresses the following denials on deb:
<5>[ 143.947113] type=1400 audit(1385421268.456:43): avc: denied { read write } for pid=2664 comm="mm-qcamera-daem" name="kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
<5>[ 143.947296] type=1400 audit(1385421268.456:44): avc: denied { open } for pid=2664 comm="mm-qcamera-daem" name="kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
<5>[ 143.947814] type=1400 audit(1385421268.456:45): avc: denied { ioctl } for pid=2664 comm="mm-qcamera-daem" path="/dev/kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
Change-Id: I801a52d1b7677e9a18ccabcd57b2f555488ac6c9
2013-11-25 15:14:49 -08:00
Nick Kralevich
191280412d
Merge "SELinux policy updates."
2013-11-25 22:45:28 +00:00
Robert Craig
df2aa61a2d
SELinux policy updates.
...
* Make gpu_device a trusted object since all apps can
write to the device.
denied { write } for pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
* Drop dead type mpdecision_device.
* Create policy for mm-pp-daemon and keep it permissive.
Address the following initial denials.
denied { write } for pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { read write } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { open } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { ioctl } for pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
* Add kickstart_exec labels for kickstart binaries
that are used by deb devices.
* Add tee policy. Label /data/misc/playready and
allow tee access.
denied { write } for pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { read } for pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { create } for pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { search } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { read } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { write } for pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { create } for pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
denied { read write open } for pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
* Give surfaceflinger access to /dev/socket/pps and allow
access to certain sysfs nodes.
denied { write } for pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file
denied { write } for pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3
2013-11-25 11:43:49 -05:00
Robert Craig
be1065dfbd
Drop permissive constraint from thermald policy.
...
Change-Id: Ie4f658964a9e374dfbec38b57cc9f2db8940fcea
2013-11-25 08:41:23 -05:00
Robert Craig
d8a2aa32db
Drop permissive constraint from sensors policy.
...
Change-Id: Ia1744f0df3e797f12111965971cb5f006f9b346c
2013-11-25 08:40:48 -05:00
Robert Craig
cbda2333ad
Drop permissive constraint from qmux policy.
...
Change-Id: I0ebd460d121e8fa653abff829a096b48d82b62f1
2013-11-25 08:40:20 -05:00
Robert Craig
9dbd7c0c0b
Drop permissive constraint from mpdecision policy.
...
Change-Id: I5e93b63498db9fbdacdb5b63ca5d03dfebeb00e0
2013-11-25 08:39:14 -05:00
Robert Craig
ab5859fd0a
Drop permissive constraint from camera policy.
...
Change-Id: Ieef883633910d73a8f09bccb912c53428998543d
2013-11-25 08:37:38 -05:00
Robert Craig
30e271311e
Drop permissive constraint from bridge policy.
...
Change-Id: I3b13eeeec011e80811890b88dbab179c2540e1e9
2013-11-25 08:37:05 -05:00
Robert Craig
7a0c294c8b
Drop permissive constraint from bluetooth policy.
...
Change-Id: I9580fb6af2591a9b16a76d730b5dcedf95614cd1
2013-11-25 08:36:24 -05:00
Robert Craig
9d6624a0b5
Add to selinux policy.
...
Bring policy over from the mako board which
has a lot of similar domains and services.
mako is also a Qualcomm board which allows
a lot of that policy to be directly brought
over and applied.
Included in this are some radio specific
pieces. Though not directly applicable to
flo, the deb board inherits this policy.
Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f
2013-11-15 14:24:59 -05:00
Robert Craig
6e899c8568
Create new security labels for device nodes.
...
Labeling nodes with appropriate types doesn't
introduce any new denials to the mix. This
list largely addresses the Qualcomm specific
nodes.
Various nodes are labeled with radio specific
types. Since the deb build inherits from this flo
policy, it is a good idea to include them.
Change-Id: Ia55a80af027c8bde933d45c41f4ed287f01adb2e
2013-11-14 13:10:30 -08:00
Robert Craig
c1dd2c8312
Label kgsl (graphics) nodes.
...
Created a new label and addressed the following denials.
* For system server
denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
* For surfaceflinger
denied { ioctl } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { read write } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
* For app domains
denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
Change-Id: I417bbd12fbdc17cd3d1110dcf3bff73dd5e385a4
2013-11-14 13:01:50 -08:00
Nick Kralevich
226d605c9d
fix broken wifi on flo/deb
...
00739e3d14f2f1ea9240037283c3edd836d2aa2f in external/sepolicy
moved ueventd into enforcing. This broke wifi on flo/deb.
Fix it.
This addresses the following denials:
<5>[ 219.755523] type=1400 audit(1384456650.969:107): avc: denied { search } for pid=2868 comm="ueventd" name="wifi" dev="mmcblk0p30" ino=637740 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=dir
<5>[ 219.755706] type=1400 audit(1384456650.969:108): avc: denied { read } for pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
<5>[ 219.755889] type=1400 audit(1384456650.969:109): avc: denied { open } for pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
<5>[ 219.756134] type=1400 audit(1384456650.969:110): avc: denied { getattr } for pid=2868 comm="ueventd" path="/data/misc/wifi/WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
Bug: 11688129
Change-Id: Ice0d3432010cfbbce88dd0ede013af3b2297d3d6
2013-11-14 11:13:15 -08:00
Nick Kralevich
40b7b28ddf
Move rmt into its own domain.
...
Don't run rmt in init's domain. /system/bin/rmt_storage
is a qualcomm specific daemon responsible for servicing modem
filesystem requests. It doesn't make sense to run rmt_storage
in init's domain, as doing so prevents us from fine tuning
its policy.
Keep the domain in permissive mode right now until we address
the following denials:
<5>[ 7.497467] type=1400 audit(1383939680.983:5): avc: denied { read write } for pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
<5>[ 7.497741] type=1400 audit(1383939680.983:6): avc: denied { open } for pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
We still need to get a better understanding of what rmt_storage
does and what rules should be applied to it.
Change-Id: I45d03fb93870f1b4bb64215f5dcd9a2a443f5566
2013-11-08 12:35:41 -08:00
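Several commits on this page move a domain between permissive and enforcing: the "Drop permissive constraint" series, the switch to permissive_or_unconfined(), irsc_util starting "unconfined and enforcing", and rmt kept permissive until its /dev/mem denials are understood. The script below is an added example, not the project's tooling, that scans .te text for domain declarations and reports which domains are still permissive or are routed through permissive_or_unconfined or unconfined_domain, so that such exceptions do not quietly survive past the bug they were added for. The policy snippets are constructed for the example; permissive_or_unconfined and init_daemon_domain appear in the commits above, and unconfined_domain is assumed to be the core-policy macro name of that era.

```python
import re

# Constructed sample .te files, modelled on the kinds of domain declarations
# this commit history moves between permissive and enforcing. Not the project's files.
SAMPLE_POLICY = {
    "rmt.te": """\
type rmt, domain;
type rmt_exec, exec_type, file_type;
init_daemon_domain(rmt)
permissive rmt;   # kept permissive until the kmem_device denials are understood
allow rmt self:capability { setuid setgid };
""",
    "kickstart.te": """\
type kickstart, domain;
type kickstart_exec, exec_type, file_type;
init_daemon_domain(kickstart)
permissive_or_unconfined(kickstart)
""",
    "irsc_util.te": """\
type irsc_util, domain;
type irsc_util_exec, exec_type, file_type;
init_daemon_domain(irsc_util)
unconfined_domain(irsc_util)
""",
    "conn_init.te": """\
type conn_init, domain;
type conn_init_exec, exec_type, file_type;
init_daemon_domain(conn_init)
""",
}

TYPE_RE = re.compile(r'^\s*type\s+(\w+)\s*,([^;]*);')
PERMISSIVE_RE = re.compile(r'^\s*permissive\s+(\w+)\s*;')
# Macro names assumed for the example: permissive_or_unconfined is quoted in the
# commits above, unconfined_domain is the assumed core-policy macro.
MACRO_RE = re.compile(r'^\s*(permissive_or_unconfined|unconfined_domain)\s*\(\s*(\w+)\s*\)')


def _code_lines(text):
    """Yield policy lines with trailing '#' comments removed."""
    for raw in text.splitlines():
        yield raw.split("#", 1)[0]


def audit_policy(files):
    """Map every declared domain type to 'enforcing', 'permissive',
    'permissive_or_unconfined' or 'unconfined_domain'."""
    domains = {}
    # First pass: collect types carrying the 'domain' attribute.
    for text in files.values():
        for line in _code_lines(text):
            m = TYPE_RE.match(line)
            if m and "domain" in [a.strip() for a in m.group(2).split(",")]:
                domains.setdefault(m.group(1), "enforcing")
    # Second pass: record permissive statements and unconfining macros.
    for text in files.values():
        for line in _code_lines(text):
            m = PERMISSIVE_RE.match(line)
            if m and m.group(1) in domains:
                domains[m.group(1)] = "permissive"
            m = MACRO_RE.match(line)
            if m and m.group(2) in domains:
                domains[m.group(2)] = m.group(1)
    return domains


def not_fully_enforcing(domains):
    """Domains that still need a 'Drop permissive constraint' style follow-up."""
    return sorted(d for d, status in domains.items() if status != "enforcing")


if __name__ == "__main__":
    status = audit_policy(SAMPLE_POLICY)
    for domain in not_fully_enforcing(status):
        print(f"{domain}: {status[domain]}")
```

Run against a real device policy directory, the file dictionary would be built from the .te files on disk; the point of the second pass is that permissive_or_unconfined() reads like an ordinary macro call and is easy to forget once the bug that justified it is fixed.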
Nick Kralevich
203fd0df67
Label /dev/qseecom
...
Otherwise keystore in enforcing is broken.
Bug: 11518274
Change-Id: I10ead7cabe794d1752a8cba4dc3193217aad7805
2013-11-06 15:22:32 -08:00