port-bridge: Fix denials seen on startup.

Move port-bridge to a confined domain and add policy rules for the
denials seen on startup.

Allow operations on sockets
[   21.705807] type=1400 audit(1637.259:22): avc: denied { create } for
pid=993 comm="port-bridge" scontext=u:r:port-bridge:s0 tcontext=
u:r:port-bridge:s0 tclass=netlink_kobject_uevent_socket permissive=1
[   21.707349] type=1400 audit(1637.259:23): avc: denied { bind } for
pid=993 comm="port-bridge" scontext=u:r:port-bridge:s0 tcontext=
u:r:port-bridge:s0 tclass=netlink_kobject_uevent_socket permissive=1
[   26.487757] type=1400 audit(1642.049:33): avc: denied { read } for
pid=1681 comm="port-bridge" scontext=u:r:port-bridge:s0 tcontext=
u:r:port-bridge:s0 tclass=netlink_kobject_uevent_socket permissive=1

Allow capabilities
[   26.487857] type=1400 audit(1642.049:34): avc: denied { dac_override }
for pid=1679 comm="port-bridge" capability=1 scontext=u:r:port-bridge:s0
tcontext=u:r:port-bridge:s0 tclass=capability permissive=1

Allow operations on mhi transport
[   26.488010] type=1400 audit(1642.049:35): avc: denied { read write }
for pid=1679 comm="port-bridge" name="mhi_pipe_32" dev="tmpfs" ino=12840
scontext=u:r:port-bridge:s0 tcontext=u:object_r:mhi_device:s0
tclass=chr_file permissive=1
[   26.488093] type=1400 audit(1642.049:36): avc: denied { open } for
pid=1679 comm="port-bridge" path="/dev/mhi_pipe_32" dev="tmpfs" ino=12840
scontext=u:r:port-bridge:s0 tcontext=u:object_r:mhi_device:s0
tclass=chr_file permissive=1

Allow operations on gadget serial device
[   26.488203] type=1400 audit(1642.049:37): avc: denied { read write }
for pid=1679 comm="port-bridge" name="ttyGS0" dev="tmpfs" ino=10594
scontext=u:r:port-bridge:s0 tcontext=u:object_r:device:s0  tclass=chr_file
 permissive=1
[   26.488267] type=1400 audit(1642.049:38): avc: denied { open } for
pid=1679 comm="port-bridge" path="/dev/ttyGS0" dev="tmpfs" ino=10594
scontext=u:r:port-bridge:s0 tcontext=u:object_r:device:s0 tclass=chr_file
permissive=1
[   26.488333] type=1400 audit(1642.049:39): avc: denied { ioctl } for
pid=1679 comm="port-bridge" path="/dev/ttyGS0" dev="tmpfs" ino=10594
scontext=u:r:port-bridge:s0 tcontext=u:object_r:device:s0 tclass=chr_file
 permissive=1

Change-Id: I7744f75943ebbd4e88193e7d34c9bbd1bf3e4478
diff --git a/Android.mk b/Android.mk
index d185e05..a7b2a31 100644
--- a/Android.mk
+++ b/Android.mk
@@ -28,6 +28,7 @@
        msm_irqbalanced.te \
        qmuxd.te \
        netmgrd.te \
+       port-bridge.te \
        atfwd.te \
        radio.te \
        smd_test.te \
diff --git a/common/device.te b/common/device.te
index 6e4c540..7b5920d 100644
--- a/common/device.te
+++ b/common/device.te
@@ -70,3 +70,6 @@
 type ipa_dev, dev_type;
 
 type mmc_block_device, dev_type;
+
+#Define Gadget serial device
+type gadget_serial_device, dev_type;
diff --git a/common/file_contexts b/common/file_contexts
index 6b1b26e..ae96af2 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -19,6 +19,7 @@
 /dev/smem_log                                   u:object_r:smem_log_device:s0
 /dev/ttyHSL0                                    u:object_r:console_device:s0
 /dev/ttyHS[0-9]*                                u:object_r:serial_device:s0
+/dev/ttyGS0                                     u:object_r:gadget_serial_device:s0
 /dev/usb_ext_chg                                u:object_r:hvdcp_device:s0
 /dev/media([0-9])+                              u:object_r:camera_device:s0
 /dev/jpeg[0-9]*                                 u:object_r:camera_device:s0
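Review bot: The new entry labels only `/dev/ttyGS0`, so any other gadget serial node the USB configuration creates (ttyGS1 and up, if this platform exposes them) keeps the generic `device` label and would hit the same denials. The neighbouring serial entry uses a pattern (`/dev/ttyHS[0-9]*`). If more than one gadget port can exist, consider `/dev/ttyGS[0-9]*    u:object_r:gadget_serial_device:s0`. If only port 0 is ever meant to be reachable by port-bridge, a short comment saying so would record that the narrow match is deliberate.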
@@ -100,6 +101,7 @@
 /system/bin/ims_rtp_daemon                      u:object_r:ims_exec:s0
 /system/bin/netmgrd                             u:object_r:netmgrd_exec:s0
 /system/bin/qmuxd                               u:object_r:qmuxd_exec:s0
+/system/bin/port-bridge                         u:object_r:port-bridge_exec:s0
 /system/bin/sensors.qcom                        u:object_r:sensors_exec:s0
 /system/bin/sns.*                               u:object_r:sensors_test_exec:s0
 /system/bin/test_diag                           u:object_r:diag_exec:s0
diff --git a/common/port-bridge.te b/common/port-bridge.te
new file mode 100644
index 0000000..3a737d7
--- /dev/null
+++ b/common/port-bridge.te
@@ -0,0 +1,20 @@
+type port-bridge, domain;
+type port-bridge_exec, exec_type, file_type;
+init_daemon_domain(port-bridge)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, port-bridge_exec, netmgrd)
+  domain_auto_trans(adbd, port-bridge_exec, netmgrd)
+')
+
+#Allow operations on different types of sockets
+allow port-bridge port-bridge:netlink_kobject_uevent_socket { create bind read };
+
+#Allow process capabilities
+allow port-bridge port-bridge:capability { dac_override };
+
+#Allow operations on mhi transport
+allow port-bridge mhi_device:chr_file rw_file_perms;
+
+#Allow operations on gadget serial device
+allow port-bridge gadget_serial_device:chr_file { rw_file_perms };
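Review bot: Both `domain_auto_trans` lines in the `userdebug_or_eng` block name `netmgrd` as the target domain, so on debug builds a port-bridge binary started from shell or adbd would run as netmgrd rather than in the domain this file defines. This looks carried over from netmgrd.te; the lines should presumably read `domain_auto_trans(shell, port-bridge_exec, port-bridge)` and `domain_auto_trans(adbd, port-bridge_exec, port-bridge)`. Separately, `dac_override` lets the daemon bypass discretionary file permission checks altogether, and the logged denial does not say which object triggered it. It is worth checking whether fixing the owner, group or mode of the device nodes (in ueventd or init configuration, not shown here) removes the need for it. If the capability has to stay, add a comment above the rule naming the file that requires it, so it can be dropped later.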