gs-common: add rules for euiccpixel_app
09-11 21:19:25.452 345 345 I auditd : avc: denied { find } for pid=14141 uid=10246 name=activity scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=0
09-11 21:20:57.035 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=netstats scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.055 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=content_capture scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.064 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=activity_task scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.111 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=gpu scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.182 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=voiceinteraction scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.184 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=autofill scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.190 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=sensitive_content_protection_service scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.193 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=performance_hint scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1
09-11 21:21:09.436 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=audio scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1
09-11 21:21:09.449 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=batterystats scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:batterystats_service:s0 tclass=service_manager permissive=1
09-11 21:21:09.454 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=batteryproperties scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:batteryproperties_service:s0 tclass=service_manager permissive=1
09-11 23:21:26.678 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=permission_checker scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:permission_checker_service:s0 tclass=service_manager permissive=1
09-03 16:29:54.032 351 351 E SELinux : avc: denied { find } for pid=3914 uid=10217 name=phone scontext=u:r:euiccpixel_app:s0:c217,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1
09-03 17:35:07.453 351 351 E SELinux : avc: denied { find } for pid=3914 uid=10217 name=nfc scontext=u:r:euiccpixel_app:s0:c217,c256,c512,c768 tcontext=u:object_r:nfc_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1055): avc: denied { read } for comm="RenderThread" name="uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1056): avc: denied { open } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1057): avc: denied { getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:21:48.494 12343 12343 I auditd : type=1400 audit(0.0:23): avc: denied { read write } for comm=4173796E635461736B202331 name="st54spi" dev="tmpfs" ino=1573 scontext=u:r:euiccpixel_app:s0:c3,c257,c522,c768 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1056): avc: denied { read open } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1057): avc: denied { getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-13 17:55:20.904 3776 3776 I auditd : type=1400 audit(0.0:1087): avc: denied { read } for comm="RenderThread" name="uevent" dev="sysfs" ino=46480 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:sysfs_gpu_uevent:s0 tclass=file permissive=0 app=com.google.euiccpixel
09-13 18:18:26.988 4029 4029 I auditd : type=1400 audit(0.0:1077): avc: denied { open getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46480 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:sysfs_gpu_uevent:s0 tclass=file permissive=0 app=com.google.euiccpixel
09-13 17:55:20.996 3776 3776 I auditd : type=1400 audit(0.0:1090): avc: denied { read } for comm="ogle.euiccpixel" name="u:object_r:default_prop:s0" dev="tmpfs" ino=164 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.euiccpixel
Bug: 361092897
Test: make selinux_policy, flash and test on 25' project
Flag: EXEMPT NDK
Change-Id: I8850fe0c1eae7dc575cb323d1f4a9234b7df82db
This commit is contained in:
Welly Hsu
parent
194a58c7bb
commit
0393e7fbe6
9 changed files with 101 additions and 0 deletions
3
euiccpixel_app/euiccpixel_app_st54.mk
Normal file
3
euiccpixel_app/euiccpixel_app_st54.mk
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/euiccpixel_app/sepolicy/common
|
||||
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/euiccpixel_app/sepolicy/st54
|
||||
PRODUCT_PACKAGES += EuiccSupportPixel-P23
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ
|
||||
BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
|
||||
EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw
|
||||
b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v
|
||||
Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC
|
||||
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb
|
||||
WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/
|
||||
amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK
|
||||
aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0
|
||||
oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho
|
||||
+9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td
|
||||
5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK
|
||||
rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki
|
||||
uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag
|
||||
ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV
|
||||
HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5
|
||||
FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9
|
||||
Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp
|
||||
ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL
|
||||
EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB
|
||||
GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U
|
||||
XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0
|
||||
IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj
|
||||
pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon
|
||||
A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
|
||||
0JD1T1qdCm3aUSEmFgEA4rOL/0K3
|
||||
-----END CERTIFICATE-----
|
||||
27
euiccpixel_app/sepolicy/common/euiccpixel_app.te
Normal file
27
euiccpixel_app/sepolicy/common/euiccpixel_app.te
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
# Euiccpixel_app
|
||||
type euiccpixel_app, domain;
|
||||
app_domain(euiccpixel_app)
|
||||
|
||||
allow euiccpixel_app activity_service:service_manager find;
|
||||
allow euiccpixel_app netstats_service:service_manager find;
|
||||
allow euiccpixel_app content_capture_service:service_manager find;
|
||||
allow euiccpixel_app activity_task_service:service_manager find;
|
||||
allow euiccpixel_app gpu_service:service_manager find;
|
||||
allow euiccpixel_app voiceinteraction_service:service_manager find;
|
||||
allow euiccpixel_app autofill_service:service_manager find;
|
||||
allow euiccpixel_app sensitive_content_protection_service:service_manager find;
|
||||
allow euiccpixel_app hint_service:service_manager find;
|
||||
allow euiccpixel_app audio_service:service_manager find;
|
||||
allow euiccpixel_app batterystats_service:service_manager find;
|
||||
allow euiccpixel_app batteryproperties_service:service_manager find;
|
||||
allow euiccpixel_app permission_checker_service:service_manager find;
|
||||
allow euiccpixel_app radio_service:service_manager find;
|
||||
allow euiccpixel_app nfc_service:service_manager find;
|
||||
|
||||
set_prop(euiccpixel_app, vendor_secure_element_prop)
|
||||
set_prop(euiccpixel_app, vendor_modem_prop)
|
||||
get_prop(euiccpixel_app, dck_prop)
|
||||
|
||||
# b/265286368 framework UI rendering properties and file access
|
||||
dontaudit euiccpixel_app default_prop:file { read };
|
||||
dontaudit euiccpixel_app sysfs_gpu_uevent:file { read open getattr };
|
||||
2
euiccpixel_app/sepolicy/common/file.te
Normal file
2
euiccpixel_app/sepolicy/common/file.te
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
# type for gpu uevent
|
||||
type sysfs_gpu_uevent, sysfs_type, fs_type;
|
||||
1
euiccpixel_app/sepolicy/common/genfs_contexts
Normal file
1
euiccpixel_app/sepolicy/common/genfs_contexts
Normal file
|
|
@ -0,0 +1 @@
|
|||
genfscon sysfs /devices/platform/34f00000.gpu0/uevent u:object_r:sysfs_gpu_uevent:s0
|
||||
2
euiccpixel_app/sepolicy/common/keys.conf
Normal file
2
euiccpixel_app/sepolicy/common/keys.conf
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
[@EUICCSUPPORTPIXEL]
|
||||
ALL : device/google/gs-common/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem
|
||||
27
euiccpixel_app/sepolicy/common/mac_permissions.xml
Normal file
27
euiccpixel_app/sepolicy/common/mac_permissions.xml
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<policy>
|
||||
|
||||
<!--
|
||||
|
||||
* A signature is a hex encoded X.509 certificate or a tag defined in
|
||||
keys.conf and is required for each signer tag.
|
||||
* A signer tag may contain a seinfo tag and multiple package stanzas.
|
||||
* A default tag is allowed that can contain policy for all apps not signed with a
|
||||
previously listed cert. It may not contain any inner package stanzas.
|
||||
* Each signer/default/package tag is allowed to contain one seinfo tag. This tag
|
||||
represents additional info that each app can use in setting a SELinux security
|
||||
context on the eventual process.
|
||||
* When a package is installed the following logic is used to determine what seinfo
|
||||
value, if any, is assigned.
|
||||
- All signatures used to sign the app are checked first.
|
||||
- If a signer stanza has inner package stanzas, those stanza will be checked
|
||||
to try and match the package name of the app. If the package name matches
|
||||
then that seinfo tag is used. If no inner package matches then the outer
|
||||
seinfo tag is assigned.
|
||||
- The default tag is consulted last if needed.
|
||||
-->
|
||||
<!-- google apps key -->
|
||||
<signer signature="@EUICCSUPPORTPIXEL" >
|
||||
<seinfo value="EuiccSupportPixel" />
|
||||
</signer>
|
||||
</policy>
|
||||
2
euiccpixel_app/sepolicy/common/seapp_contexts
Normal file
2
euiccpixel_app/sepolicy/common/seapp_contexts
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
# Domain for EuiccSupportPixel
|
||||
user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
|
||||
8
euiccpixel_app/sepolicy/st54/euiccpixel_app.te
Normal file
8
euiccpixel_app/sepolicy/st54/euiccpixel_app.te
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
# euiccpixel requires st54spi for firmware upgrade
|
||||
userdebug_or_eng(`
|
||||
net_domain(euiccpixel_app)
|
||||
|
||||
# Access to directly upgrade firmware on st54spi_device used for engineering devices
|
||||
typeattribute st54spi_device mlstrustedobject;
|
||||
allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
|
||||
')
|
||||
Loading…
Add table
Add a link
Reference in a new issue