Improve bridgemgrd selinux policy.

Removed the unconfined_domain rule and
addressed the following denials.

  * Talk to qmux socket (qmux_radio)
      denied  { write } for  pid=178 comm="bridgemgrd" name="qmux_radio" dev="tmpfs" ino=7208 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
      denied  { add_name } for  pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
      denied  { create } for  pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
      denied  { setattr } for  pid=178 comm="bridgemgrd" name=716D75785F636C69656E745F736F636B657420202020313738 dev="tmpfs" ino=6685 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
      denied  { write } for  pid=178 comm="bridgemgrd" name="qmux_connect_socket" dev="tmpfs" ino=7890 scontext=u:r:bridge:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
      denied  { connectto } for  pid=178 comm="bridgemgrd" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:bridge:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket

  * Allow logging diagnostic items to /dev/diag
      denied  { read write } for  pid=178 comm="bridgemgrd" name="diag" dev="tmpfs" ino=6329 scontext=u:r:bridge:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
      denied  { open } for  pid=178 comm="bridgemgrd" name="diag" dev="tmpfs" ino=6329 scontext=u:r:bridge:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file

  * Listen for uevents concerning usb connections. Alert
    RmNet SMD & SDIO function driver of the correct
    transport via sysfs entry.
      denied  { create } for  pid=178 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
      denied  { bind } for  pid=178 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
      denied  { read } for  pid=568 comm="bridgemgrd" scontext=u:r:bridge:s0 tcontext=u:r:bridge:s0 tclass=netlink_kobject_uevent_socket
      denied  { write } for  pid=179 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
      denied  { read write } for  pid=627 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
      denied  { open } for  pid=627 comm="bridgemgrd" name="transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file
      denied  { getattr } for  pid=627 comm="bridgemgrd" path="/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport" dev="sysfs" ino=13392 scontext=u:r:bridge:s0 tcontext=u:object_r:sysfs_rmnet:s0 tclass=file

Change-Id: Ife3c5691bfe5dd969b5766ca08cb8a1cb67f2a5b
diff --git a/sepolicy/bridge.te b/sepolicy/bridge.te
index 40ef355..1b5c886 100644
--- a/sepolicy/bridge.te
+++ b/sepolicy/bridge.te
@@ -6,4 +6,16 @@
 init_daemon_domain(bridge)
 
 permissive bridge;
-unconfined_domain(bridge)
+
+# Uevent for usb connection
+allow bridge self:netlink_kobject_uevent_socket { create bind read };
+
+# Allow logging diagnostic items to /dev/diag
+allow bridge diag_device:chr_file rw_file_perms;
+
+# Talk to qmuxd (qmux_radio)
+qmux_socket(bridge)
+
+# Alert the RmNet SMD & SDIO function driver of the correct transport.
+# (/sys/class/android_usb/f_rmnet_smd_sdio/transport)
+allow bridge sysfs_rmnet:file { open read write getattr };
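Review bot: The new rules are still not enforced, because the context line `permissive bridge;` survives on the new side, so after this change the domain continues to log denials without blocking anything and the removal of unconfined_domain(bridge) has no runtime effect yet. If the intent is to keep the domain permissive until the rule set has been validated on hardware, that should be stated next to the line, e.g. `# TODO: drop once the allow rules above have been validated in enforcing mode` above `permissive bridge;`; otherwise the line should be dropped in this commit. The sysfs_rmnet rule on the last line spells out `{ open read write getattr }` while the diag_device rule two stanzas above uses `rw_file_perms` for the same set of operations; writing `allow bridge sysfs_rmnet:file rw_file_perms;` keeps the file consistent. The qmux denials in the message presumably map to the qmux_socket(bridge) macro, but the macro body is outside this hunk, so that coverage cannot be confirmed from here.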