Fix avc denied for Silent Logging am: 204dc05aa4

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/14182163 Change-Id: I23df127195424ce93b544767f450bd687a3a604c
2021-04-14 12:47:34 +00:00
parent 6c77867c16 204dc05aa4
commit ab5ab00a89
4 changed files with 17 additions and 6 deletions
--- a/tracking_denials/sced.te
+++ b/tracking_denials/sced.te
@@ -1,4 +0,0 @@
-# b/171760846
-dontaudit sced hidl_base_hwservice:hwservice_manager { add };
-dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { add };
-dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { find };
--- a/whitechapel/vendor/google/dmd.te
+++ b/whitechapel/vendor/google/dmd.te
@@ -25,7 +25,8 @@ get_prop(dmd, vendor_persist_config_default_prop)

 # Grant to access hwservice manager
 get_prop(dmd, hwservicemanager_prop)
-add_hwservice(dmd, hal_vendor_oem_hwservice)
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
 binder_call(dmd, hwservicemanager)
 binder_call(dmd, modem_diagnostic_app)
 binder_call(dmd, modem_logging_control)
--- a/whitechapel/vendor/google/sced.te
+++ b/whitechapel/vendor/google/sced.te
@@ -2,9 +2,22 @@ type sced, domain;
 type sced_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(sced)

+typeattribute sced vendor_executes_system_violators;
+
 userdebug_or_eng(`
 hwbinder_use(sced)
 binder_call(sced, dmd)
+binder_call(sced, vendor_telephony_app)

 get_prop(sced, hwservicemanager_prop)
-')
+allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+allow sced self:capability net_raw;
+allow sced shell_exec:file rx_file_perms;
+allow sced tcpdump_exec:file rx_file_perms;
+allow sced vendor_shell_exec:file x_file_perms;
+allow sced vendor_slog_file:dir create_dir_perms;
+allow sced vendor_slog_file:file create_file_perms;
+allow sced hidl_base_hwservice:hwservice_manager add;
+allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
--- a/whitechapel/vendor/google/vendor_telephony_app.te
+++ b/whitechapel/vendor/google/vendor_telephony_app.te
@@ -16,3 +16,4 @@ allow vendor_telephony_app vendor_slog_file:file create_file_perms;
 allow vendor_telephony_app app_api_service:service_manager find;
 allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find;
 binder_call(vendor_telephony_app, dmd)
+binder_call(vendor_telephony_app, sced)