From 06b410dc4a2c7122ecfff888259aa74c9181e4f9 Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Tue, 6 Apr 2021 22:16:01 +0800 Subject: [PATCH] Fix avc denied for Silent Logging 04-06 15:18:31.513 root 1 1 E init : Do not have permissions to set 'persist.vendor.sys.silentlog.tcp' to 'On' in property file '/vendor/build.prop': SELinux permission check failed 04-06 15:20:17.988 root 1 1 W /system/bin/init: type=1107 audit(0.0:33): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog.ap pid=8917 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 15:20:23.256 root 1 1 W /system/bin/init: type=1107 audit(0.0:38): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog.cp pid=9025 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 15:20:51.340 root 1 1 W /system/bin/init: type=1107 audit(0.0:43): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog pid=9291 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 15:21:03.608 root 1 1 W /system/bin/init: type=1107 audit(0.0:54): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog.tcp pid=9473 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 20:17:08.060 1000 5754 5754 W Thread-3: type=1400 audit(0.0:21): avc: denied { write } for name="slog" dev="dm-7" ino=245 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 
tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=0 04-06 20:17:09.194 1000 398 398 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 pid=5754 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=0 04-06 21:07:18.376 7458 7458 I auditd : type=1400 audit(0.0:20): avc: denied { call } for comm="y.silentlogging" scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:r:dmd:s0 tclass=binder permissive=0 04-06 21:16:53.200 8873 8873 W Thread-4: type=1400 audit(0.0:85): avc: denied { create } for name="NNEXT_PROFILE.nprf" scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_file:s0:c232,c259,c512,c768 tclass=file permissive=0 Bug: 184608648 Test: verified with the forrest ROM and error log gone Change-Id: Id9cdf15478c751de92a9a84bcfdc8233d6e9d294
---
 whitechapel/vendor/google/dmd.te | 3 ++- whitechapel/vendor/google/property_contexts | 5 +++-- whitechapel/vendor/google/vendor_init.te | 1 + whitechapel/vendor/google/vendor_telephony_app.te | 13 ++++++++++--- 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te
index 0b5ff5a9..4dff6f71 100644
--- a/whitechapel/vendor/google/dmd.te
+++ b/whitechapel/vendor/google/dmd.te
@@ -28,4 +28,5 @@ get_prop(dmd, hwservicemanager_prop)
 add_hwservice(dmd, hal_vendor_oem_hwservice)
 binder_call(dmd, hwservicemanager)
 binder_call(dmd, modem_diagnostic_app)
-binder_call(dmd, modem_logging_control)
\ No newline at end of file
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_app)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 2770f23e..23e83f4a 100644
--- a/whitechapel/vendor/google/property_contexts
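Review bot: In dmd.te, `binder_call(dmd, vendor_telephony_app)` grants dmd the right to call into the app, but the only binder denial quoted in the commit message is the opposite direction (scontext vendor_telephony_app, tcontext dmd, `{ call }`), which the `binder_call(vendor_telephony_app, dmd)` line added in vendor_telephony_app.te already covers. If dmd needs this rule to deliver callbacks to the app, say so in a comment above it, for example `# dmd invokes callbacks registered by vendor_telephony_app`. If no such denial has been observed, the narrower option is to leave the reverse rule out until one appears.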
+++ b/whitechapel/vendor/google/property_contexts
@@ -45,8 +45,9 @@ vendor.cbd. u:object_r:vendor_cbd_prop:s0
 persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
 # for slog
-vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
-vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
 # for dmd
 persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index 4de85fdf..274a3907 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -3,6 +3,7 @@ set_prop(vendor_init, vendor_modem_prop)
 set_prop(vendor_init, vendor_cbd_prop)
 set_prop(vendor_init, vendor_rild_prop)
 set_prop(vendor_init, vendor_usb_config_prop)
+set_prop(vendor_init, vendor_slog_prop)
 set_prop(vendor_init, vendor_sys_default_prop)
 set_prop(vendor_init, vendor_ims_prop)
 set_prop(vendor_init, vendor_ssrdump_prop)
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te
index de486c88..65b12869 100644
--- a/whitechapel/vendor/google/vendor_telephony_app.te
+++ b/whitechapel/vendor/google/vendor_telephony_app.te
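Review bot: In property_contexts, the new `persist.vendor.sys.silentlog` entry has no trailing dot, unlike the two `vendor.sys.…` entries above it, and nothing on the line says whether that is deliberate. As a prefix match it labels the bare property and its `.ap`/`.cp`/`.tcp` children, which matches the denials in the commit message, but it also captures any other name that merely starts with that string. A one-line comment would record the intent, for example `# no trailing dot: also labels the bare persist.vendor.sys.silentlog property`.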
@@ -2,10 +2,17 @@ type vendor_telephony_app, domain;
 app_domain(vendor_telephony_app)
 get_prop(vendor_telephony_app, vendor_rild_prop)
-get_prop(vendor_telephony_app, vendor_persist_sys_default_prop)
+set_prop(vendor_telephony_app, vendor_persist_sys_default_prop)
 set_prop(vendor_telephony_app, vendor_modem_prop)
 set_prop(vendor_telephony_app, vendor_slog_prop)
-r_dir_file(vendor_telephony_app, system_app_data_file)
-r_dir_file(vendor_telephony_app, vendor_slog_file)
+
+# [TODO] Need to check further about the system data permission
+# allow vendor_telephony_app system_app_data_file:dir create_dir_perms;
+# allow vendor_telephony_app system_app_data_file:file create_file_perms;
+
+allow vendor_telephony_app vendor_slog_file:dir create_dir_perms;
+allow vendor_telephony_app vendor_slog_file:file create_file_perms;
 allow vendor_telephony_app app_api_service:service_manager find;
+allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find;
+binder_call(vendor_telephony_app, dmd)
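Review bot: `set_prop(vendor_telephony_app, vendor_persist_sys_default_prop)` looks broader than the logged denials require. The same commit relabels `persist.vendor.sys.silentlog` to `vendor_slog_prop` in property_contexts, and this domain already has `set_prop(vendor_telephony_app, vendor_slog_prop)` two lines below, so the four `{ set }` denials should be resolved by the relabel alone. Write access to the default type additionally covers whatever other properties still carry that label, so consider keeping the original `get_prop(vendor_telephony_app, vendor_persist_sys_default_prop)`. Separately, the hunk drops `r_dir_file(vendor_telephony_app, system_app_data_file)` and leaves only commented-out rules under the TODO; that comment should state whether losing the read access is intended.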