From 78cd6eb78e799c0c91c43d28fb2e6f7ea0132fa4 Mon Sep 17 00:00:00 2001
From: Eddie Tashjian
Date: Mon, 22 Feb 2021 11:40:13 -0800
Subject: [PATCH] Add selinux policies for mounted modem parition
Bug: 178980032
Bug: 178979986
Bug: 179198083
Bug: 179198085
Bug: 178980065
Test: Check selinux denials
Change-Id: I7f826442d1536946d0e84aadfd80f679c0f4d6da
---
 tracking_denials/cbd.te | 16 ----------------
 tracking_denials/init.te | 1 -
 tracking_denials/rild.te | 16 ----------------
 whitechapel/vendor/google/cbd.te | 1 +
 whitechapel/vendor/google/file.te | 4 +++-
 whitechapel/vendor/google/init.te | 3 +++
 whitechapel/vendor/google/rfsd.te | 5 +++++
 whitechapel/vendor/google/rild.te | 5 +++++
 8 files changed, 17 insertions(+), 34 deletions(-)
 delete mode 100644 tracking_denials/cbd.te
diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te
deleted file mode 100644
index f0d5d6b0..00000000
--- a/tracking_denials/cbd.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# b/178979986
-dontaudit cbd unlabeled:dir { getattr };
-dontaudit cbd unlabeled:file { open };
-dontaudit cbd unlabeled:file { read };
-dontaudit cbd unlabeled:file { getattr };
-dontaudit cbd unlabeled:lnk_file { read };
-dontaudit cbd unlabeled:dir { search };
-dontaudit cbd unlabeled:file { getattr };
-dontaudit cbd unlabeled:dir { getattr };
-dontaudit cbd unlabeled:lnk_file { read };
-dontaudit cbd unlabeled:dir { search };
-dontaudit cbd unlabeled:file { read };
-dontaudit cbd unlabeled:file { open };
-# b/179198083
-dontaudit cbd unlabeled:file { ioctl };
-dontaudit cbd unlabeled:file { ioctl };
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
index 48fddf60..4371b751 100644
--- a/tracking_denials/init.te
+++ b/tracking_denials/init.te
@@ -16,5 +16,4 @@ dontaudit init device:chr_file { open };
 dontaudit init device:chr_file { read write };
 # b/180963348
 dontaudit init overlayfs_file:chr_file { unlink };
-dontaudit init unlabeled:dir { mounton };
 dontaudit init overlayfs_file:file { rename };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 405763e2..c9a686c4 100644
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -1,19 +1,3 @@
-# b/178980065
-dontaudit rild unlabeled:dir { search };
-dontaudit rild unlabeled:lnk_file { read };
-dontaudit rild unlabeled:dir { search };
-dontaudit rild unlabeled:lnk_file { read };
-# b/179198085
-dontaudit rild unlabeled:file { ioctl };
-dontaudit rild unlabeled:file { open };
-dontaudit rild unlabeled:file { read };
-dontaudit rild unlabeled:file { getattr };
-dontaudit rild unlabeled:file { lock };
-dontaudit rild unlabeled:file { ioctl };
-dontaudit rild unlabeled:file { open };
-dontaudit rild unlabeled:file { read };
-dontaudit rild unlabeled:file { getattr };
-dontaudit rild unlabeled:file { lock };
 # b/182320172
 dontaudit rild sota_prop:file { map };
 dontaudit rild sota_prop:file { getattr };
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te
index c283c3b3..d888deb5 100644
--- a/whitechapel/vendor/google/cbd.te
+++ b/whitechapel/vendor/google/cbd.te
@@ -46,6 +46,7 @@ allow cbd modem_userdata_file:file create_file_perms;
 # Allow cbd to access modem image file/dir
 allow cbd modem_img_file:dir r_dir_perms;
 allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
 # Allow cbd to collect crash info
 allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 5776174b..efe9e8d1 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -110,12 +110,14 @@ type rild_vendor_data_file, file_type, data_file_type;
 # Modem
 type modem_stat_data_file, file_type, data_file_type;
 type modem_efs_file, file_type;
-type modem_img_file, file_type;
 type modem_userdata_file, file_type;
 type sysfs_modem, sysfs_type, fs_type;
 type persist_modem_file, file_type, vendor_persist_type;
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+
 # Wireless
 type sysfs_wlc, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te
index a703c47a..b83d9be7 100644
--- a/whitechapel/vendor/google/init.te
+++ b/whitechapel/vendor/google/init.te
@@ -7,6 +7,9 @@ allow init custom_ab_block_device:lnk_file relabelto;
 # after loading sepolicy in the second stage.
 allow init boot_block_device:lnk_file relabelto;
+allow init modem_img_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };
+
 allow init persist_file:dir mounton;
 allow init modem_efs_file:dir mounton;
 allow init modem_userdata_file:dir mounton;
diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te
index df395cb4..212b6700 100644
--- a/whitechapel/vendor/google/rfsd.te
+++ b/whitechapel/vendor/google/rfsd.te
@@ -30,3 +30,8 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te
index a45d2b5f..edaa026b 100644
--- a/whitechapel/vendor/google/rild.te
+++ b/whitechapel/vendor/google/rild.te
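Review bot: The re-declared `modem_img_file` now carries three attributes plus a self `filesystem associate` rule, but nothing in file.te says why: the same type labels the mounted modem image filesystem (see the `modem_img_file:filesystem` rule init.te gains in this patch) and every inode on it. A one-line comment above the new declaration would spare the next reader a detour through init.te, e.g. `# modem_img_file labels both the mounted modem image filesystem (contextmount_type: labels come from the mount, not the image) and the files on it.` Adding `vendor_file_type` presumably also places the image under the platform's read-only vendor_file_type neverallows, which fits the read-only grants to cbd, rfsd and rild here; worth stating that this is intended so a later write grant is not attempted.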
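Review bot: `allow init modem_img_file:filesystem { getattr mount relabelfrom };` grants relabelfrom on the whole filesystem, which is what a mount with a `context=` option needs in order to override the labels stored on the image, but the fstab entry doing the mount is not in this patch and the rule has no comment tying it to the `contextmount_type` declaration in file.te. Suggest `# The modem image is mounted with a context= option; relabelfrom lets init replace the labels stored on the image with modem_img_file.` above the two new lines. The `mounton` rule also relies on the mount-point directory already being labeled modem_img_file by file_contexts, which this patch does not show; if that directory is still unlabeled, the `dontaudit init unlabeled:dir { mounton }` entry removed from tracking_denials/init.te will simply come back as a denial.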
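Review bot: The last added line, `allow rfsd modem_img_file:lnk_file r_file_perms;`, leaves rfsd.te without a trailing newline (the hunk ends with `\ No newline at end of file`), so the next edit to this file will show a spurious change on that line; end it with a newline. Style-wise, this three-rule read grant on `modem_img_file` is now repeated verbatim for cbd (cbd.te), rfsd and rild (rild.te in this patch); if another reader of the modem image appears, consider collecting it into one macro or attribute so the full set of domains allowed to read the image is visible in one place.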
@@ -26,3 +26,8 @@ binder_call(rild, modem_svc_sit)
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
 allow rild hal_audio_ext_hwservice:hwservice_manager find;
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;