Evolution-X-Tensor/device_google_zuma
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add vendor_sjtag_lock_state_prop and init-check_ap_pd_auth-sh

Browse source 
1. Add init-check_ap_pd_auth-sh for the vendor daemon script
   `/vendor/bin/init.check_ap_pd_auth.sh`.
2. Add policy for properties `ro.vendor.sjtag_{ap,gsa}_is_unlocked` for
   init, init-check_ap_pd_auth-sh and ssr_detector to access them.

SjtagService: type=1400 audit(0.0:1005): avc:  denied  { open } for  path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1006): avc:  denied  { getattr } for  path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1007): avc:  denied  { map } for  path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1008): avc:  denied  { write } for  name="property_service" dev="tmpfs" ino=446 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1
SjtagService: type=1400 audit(0.0:1009): avc:  denied  { connectto } for  path="/dev/socket/property_service" scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1

Bug: 299043634
Change-Id: I6b2abf69fca9b4765f2dfb7ed82e6546159e96e9
This commit is contained in:
Woody Lin 2023-09-14 10:48:08 +08:00
parent e45cb8ef52
commit 9687d162bc
5 changed files with 22 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
radio/file_contexts
View file

@ -11,6 +11,7 @@
/vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0
/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0
# Config files # Config files
/vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0

14
radio/init-check_ap_pd_auth-sh.te Normal file
View file

@ -0,0 +1,14 @@
type init-check_ap_pd_auth-sh, domain;
type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type;
userdebug_or_eng(`
init_daemon_domain(init-check_ap_pd_auth-sh)
set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop)
allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms;
allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms;
allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms;
allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms;
')

2
radio/property.te
View file

@ -15,3 +15,5 @@ vendor_internal_prop(vendor_tcpdump_log_prop)
# Telephony debug app # Telephony debug app
vendor_internal_prop(vendor_telephony_app_prop) vendor_internal_prop(vendor_telephony_app_prop)
# SJTAG lock state
vendor_internal_prop(vendor_sjtag_lock_state_prop)

3
radio/property_contexts
View file

@ -57,3 +57,6 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0
persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
# SJTAG lock state
ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0
ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0

2
radio/ssr_detector.te
View file

@ -13,11 +13,13 @@ userdebug_or_eng(`
allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
get_prop(ssr_detector_app, vendor_aoc_prop) get_prop(ssr_detector_app, vendor_aoc_prop)
set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
allow ssr_detector_app sysfs_sjtag:file rw_file_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
allow ssr_detector_app proc_vendor_sched:dir search; allow ssr_detector_app proc_vendor_sched:dir search;
allow ssr_detector_app proc_vendor_sched:file rw_file_perms; allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
allow ssr_detector_app cgroup:file write; allow ssr_detector_app cgroup:file write;
allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
') ')
get_prop(ssr_detector_app, vendor_ssrdump_prop) get_prop(ssr_detector_app, vendor_ssrdump_prop)