98620c3b10
1. Add init-check_ap_pd_auth-sh for the vendor daemon script
`/vendor/bin/init.check_ap_pd_auth.sh`.
2. Add policy for properties `ro.vendor.sjtag_{ap,gsa}_is_unlocked` for
init, init-check_ap_pd_auth-sh and ssr_detector to access them.
SjtagService: type=1400 audit(0.0:1005): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1006): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1007): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1008): avc: denied { write } for name="property_service" dev="tmpfs" ino=446 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1
SjtagService: type=1400 audit(0.0:1009): avc: denied { connectto } for path="/dev/socket/property_service" scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
Bug: 298314432
Change-Id: Ib5dbcc50e266e33797626280504ea9e2cdc9f942
14 lines
525 B
Text
14 lines
525 B
Text
type init-check_ap_pd_auth-sh, domain;
|
|
type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type;
|
|
|
|
userdebug_or_eng(`
|
|
init_daemon_domain(init-check_ap_pd_auth-sh)
|
|
|
|
set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop)
|
|
|
|
allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms;
|
|
allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms;
|
|
|
|
allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms;
|
|
allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms;
|
|
')
|