Add selinux policies for mounted modem parition
Bug: 178980032 Bug: 178979986 Bug: 179198083 Bug: 179198085 Bug: 178980065 Test: Check selinux denials Change-Id: I7f826442d1536946d0e84aadfd80f679c0f4d6da
This commit is contained in:
parent
ef6e91692a
commit
78cd6eb78e
8 changed files with 17 additions and 34 deletions
|
@ -1,16 +0,0 @@
|
||||||
# b/178979986
|
|
||||||
dontaudit cbd unlabeled:dir { getattr };
|
|
||||||
dontaudit cbd unlabeled:file { open };
|
|
||||||
dontaudit cbd unlabeled:file { read };
|
|
||||||
dontaudit cbd unlabeled:file { getattr };
|
|
||||||
dontaudit cbd unlabeled:lnk_file { read };
|
|
||||||
dontaudit cbd unlabeled:dir { search };
|
|
||||||
dontaudit cbd unlabeled:file { getattr };
|
|
||||||
dontaudit cbd unlabeled:dir { getattr };
|
|
||||||
dontaudit cbd unlabeled:lnk_file { read };
|
|
||||||
dontaudit cbd unlabeled:dir { search };
|
|
||||||
dontaudit cbd unlabeled:file { read };
|
|
||||||
dontaudit cbd unlabeled:file { open };
|
|
||||||
# b/179198083
|
|
||||||
dontaudit cbd unlabeled:file { ioctl };
|
|
||||||
dontaudit cbd unlabeled:file { ioctl };
|
|
|
@ -16,5 +16,4 @@ dontaudit init device:chr_file { open };
|
||||||
dontaudit init device:chr_file { read write };
|
dontaudit init device:chr_file { read write };
|
||||||
# b/180963348
|
# b/180963348
|
||||||
dontaudit init overlayfs_file:chr_file { unlink };
|
dontaudit init overlayfs_file:chr_file { unlink };
|
||||||
dontaudit init unlabeled:dir { mounton };
|
|
||||||
dontaudit init overlayfs_file:file { rename };
|
dontaudit init overlayfs_file:file { rename };
|
||||||
|
|
|
@ -1,19 +1,3 @@
|
||||||
# b/178980065
|
|
||||||
dontaudit rild unlabeled:dir { search };
|
|
||||||
dontaudit rild unlabeled:lnk_file { read };
|
|
||||||
dontaudit rild unlabeled:dir { search };
|
|
||||||
dontaudit rild unlabeled:lnk_file { read };
|
|
||||||
# b/179198085
|
|
||||||
dontaudit rild unlabeled:file { ioctl };
|
|
||||||
dontaudit rild unlabeled:file { open };
|
|
||||||
dontaudit rild unlabeled:file { read };
|
|
||||||
dontaudit rild unlabeled:file { getattr };
|
|
||||||
dontaudit rild unlabeled:file { lock };
|
|
||||||
dontaudit rild unlabeled:file { ioctl };
|
|
||||||
dontaudit rild unlabeled:file { open };
|
|
||||||
dontaudit rild unlabeled:file { read };
|
|
||||||
dontaudit rild unlabeled:file { getattr };
|
|
||||||
dontaudit rild unlabeled:file { lock };
|
|
||||||
# b/182320172
|
# b/182320172
|
||||||
dontaudit rild sota_prop:file { map };
|
dontaudit rild sota_prop:file { map };
|
||||||
dontaudit rild sota_prop:file { getattr };
|
dontaudit rild sota_prop:file { getattr };
|
||||||
|
|
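--- a/whitechapel/vendor/google/cbd.te
+++ b/whitechapel/vendor/google/cbd.te
@@ -46,6 +46,7 @@ allow cbd modem_userdata_file:file create_file_perms;
 # Allow cbd to access modem image file/dir
 allow cbd modem_img_file:dir r_dir_perms;
 allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
 
 # Allow cbd to collect crash info
 allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;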
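Review bot: The new `lnk_file r_file_perms` line is not reflected in the comment above it, which still says "file/dir"; because `modem_img_file` becomes a `context=` mount in this commit (file.te), that grant covers every symlink the image ships and lets cbd read their targets' paths, with access to the targets themselves still decided by the target types. Suggest `# Allow cbd to read the modem image (dirs, files and symlinks; single-label context= mount)`. The three allow lines are also exactly what `r_dir_file(cbd, modem_img_file)` from te_macros expands to, so the macro form would say the same thing in one line and match the macro style already used in rfsd.te and rild.te.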
4
whitechapel/vendor/google/file.te
vendored
4
whitechapel/vendor/google/file.te
vendored
|
@ -110,12 +110,14 @@ type rild_vendor_data_file, file_type, data_file_type;
|
||||||
# Modem
|
# Modem
|
||||||
type modem_stat_data_file, file_type, data_file_type;
|
type modem_stat_data_file, file_type, data_file_type;
|
||||||
type modem_efs_file, file_type;
|
type modem_efs_file, file_type;
|
||||||
type modem_img_file, file_type;
|
|
||||||
type modem_userdata_file, file_type;
|
type modem_userdata_file, file_type;
|
||||||
type sysfs_modem, sysfs_type, fs_type;
|
type sysfs_modem, sysfs_type, fs_type;
|
||||||
type persist_modem_file, file_type, vendor_persist_type;
|
type persist_modem_file, file_type, vendor_persist_type;
|
||||||
|
|
||||||
|
|
||||||
|
type modem_img_file, contextmount_type, file_type, vendor_file_type;
|
||||||
|
allow modem_img_file self:filesystem associate;
|
||||||
|
|
||||||
# Wireless
|
# Wireless
|
||||||
type sysfs_wlc, sysfs_type, fs_type;
|
type sysfs_wlc, sysfs_type, fs_type;
|
||||||
|
|
||||||
|
|
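Review bot: `modem_img_file` now carries `contextmount_type`, i.e. the image is mounted with `context=` and every inode on it receives this single label, so the read grants to cbd, rfsd and rild elsewhere in this commit apply to whatever the partition contains with no per-file distinction; that trust assumption is worth stating next to the type. Suggest `# Label for the modem image partition, mounted with context= (one label for the fs and every file on it; assumes the image is read-only/verified — confirm against fstab)`. The `allow modem_img_file self:filesystem associate;` line would also benefit from `# files on a context= mount must be allowed to associate with the fs label`. As a layout point, the new declaration is separated from the other `# Modem` types by blank lines instead of sitting where the old `type modem_img_file, file_type;` was; keeping it in that slot reads better.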
3
whitechapel/vendor/google/init.te
vendored
3
whitechapel/vendor/google/init.te
vendored
|
@ -7,6 +7,9 @@ allow init custom_ab_block_device:lnk_file relabelto;
|
||||||
# after loading sepolicy in the second stage.
|
# after loading sepolicy in the second stage.
|
||||||
allow init boot_block_device:lnk_file relabelto;
|
allow init boot_block_device:lnk_file relabelto;
|
||||||
|
|
||||||
|
allow init modem_img_file:dir mounton;
|
||||||
|
allow init modem_img_file:filesystem { getattr mount relabelfrom };
|
||||||
|
|
||||||
allow init persist_file:dir mounton;
|
allow init persist_file:dir mounton;
|
||||||
allow init modem_efs_file:dir mounton;
|
allow init modem_efs_file:dir mounton;
|
||||||
allow init modem_userdata_file:dir mounton;
|
allow init modem_userdata_file:dir mounton;
|
||||||
|
|
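Review bot: `allow init modem_img_file:dir mounton;` only takes effect if the mount point itself is labeled `modem_img_file`; this commit also drops the `dontaudit init unlabeled:dir { mounton }` tracking entry, which suggests the mount point was previously unlabeled, and none of the 8 changed files is a file_contexts change, so confirm the label is actually assigned to that directory or the denial will simply come back as an audit. The `filesystem { getattr mount relabelfrom }` rule carries no explanation; suggest `# Modem image is mounted with context=modem_img_file: mount/getattr on the fs plus relabelfrom for the context= relabel (relabelto presumably comes from the core contextmount_type rule — verify)`. Whether core policy supplies the matching `relabelto` is not visible on this page.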
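--- a/whitechapel/vendor/google/rfsd.te
+++ b/whitechapel/vendor/google/rfsd.te
@@ -30,3 +30,8 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;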
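Review bot: The three new allow lines are the literal expansion of `r_dir_file(rfsd, modem_img_file)` from te_macros, which this file already draws `set_prop` from; the macro form is the usual Android-policy idiom for read-only access to a type and keeps the three domains given the same access in this commit (cbd, rfsd, rild) consistent. Suggest replacing them with `r_dir_file(rfsd, modem_img_file)` under the existing comment. Note also that `r_file_perms` includes `ioctl` and `lock`, so the grant is broader than the "access" wording implies; if rfsd only needs to read the image, the comment should say so and any ioctl use should be confirmed from denial logs.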
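--- a/whitechapel/vendor/google/rild.te
+++ b/whitechapel/vendor/google/rild.te
@@ -26,3 +26,8 @@ binder_call(rild, modem_svc_sit)
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
 allow rild hal_audio_ext_hwservice:hwservice_manager find;
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;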
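Review bot: The removed rild tracking entries (b/179198085, earlier on this page) show rild issuing `ioctl` on the previously unlabeled image files, and `r_file_perms` grants ioctl without restriction; once the ioctl numbers are known from those denials, narrow the grant with `allowxperm rild modem_img_file:file ioctl { <cmds from the denial log> };` so the image files cannot be driven through arbitrary ioctls. The comment could also name what is being mounted: `# Allow rild to read the modem image (context= mount, single label for all files on it)`. Since the grant is identical to what cbd and rfsd receive in this commit, `r_dir_file(rild, modem_img_file)` from te_macros (already used here via `add_hwservice`/`binder_call`) would express it in one line.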