From 36f255ff5209cb8b13217ec050d8def5472aed23 Mon Sep 17 00:00:00 2001
From: dcashman
Date: Mon, 4 Jan 2016 14:23:23 -0800
Subject: [PATCH] Create sysfs_zram label.

Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
---
 file.te | 2 ++
 file_contexts | 2 ++
 init.te | 3 +++
 priv_app.te | 4 ++++
 system_app.te | 4 ++++
 system_server.te | 4 ++++
 ueventd.te | 1 +
 vold.te | 4 ++++
 8 files changed, 24 insertions(+)

diff --git a/file.te b/file.te
index a2f2811ce..701d99107 100644
--- a/file.te
+++ b/file.te
@@ -30,6 +30,8 @@ type sysfs_mac_address, fs_type, sysfs_type;
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
 type sysfs_lowmemorykiller, fs_type, sysfs_type;
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
 type inotify, fs_type, mlstrustedobject;
 type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
diff --git a/file_contexts b/file_contexts
index 76d514558..0201a6d57 100644
--- a/file_contexts
+++ b/file_contexts
@@ -322,6 +322,8 @@
 #
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 /sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
+/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
+/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
 /sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
diff --git a/init.te b/init.te
index 555fc30a7..24fdee867 100644
--- a/init.te
+++ b/init.te
@@ -157,6 +157,9 @@ allow init self:capability sys_boot;
 allow init sysfs_type:dir r_dir_perms;
 allow init sysfs_type:file w_file_perms;
 
+# disksize
+allow init sysfs_zram:file getattr;
+
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
 domain_trans(init, rootfs, healthd)
diff --git a/priv_app.te b/priv_app.te
index 6617feb01..59b4ea0ca 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -68,6 +68,10 @@ allow priv_app exec_type:file getattr;
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
 
+# /sys access
+allow priv_app sysfs_zram:dir search;
+allow priv_app sysfs_zram:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/system_app.te b/system_app.te
index de9146c5e..e3666d210 100644
--- a/system_app.te
+++ b/system_app.te
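Review bot: The two `+type sysfs_zram*` lines in file.te carry no comment, although the neighbouring `sysfs_lowmemorykiller` type is introduced by a `# /sys/module/lowmemorykiller` path comment and the reason for having two types is not obvious from the names. The split is what lets the uevent writers (ueventd, vold in the later hunks) be granted write on `zram*/uevent` without also getting write on the other zram attributes under `sysfs_zram`, so that intent should sit next to the declarations. Suggested: `# /sys/devices/virtual/block/zram*` above `sysfs_zram`, and `# zram*/uevent is split out so that domains which trigger uevents do not get the other zram attributes` above `sysfs_zram_uevent`.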
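Review bot: The new `zram\d+(/.*)?` entry in file_contexts also matches `zram\d+/uevent`, so the intended label on the uevent file depends on the more specific `uevent` entry being preferred over the general one; nothing on the lines says this is deliberate. A short comment above the pair, `# zram*/uevent must win over the zram* entry: it gets its own type (sysfs_zram_uevent)`, would keep a later edit from merging or reordering them. These sysfs entries presumably only take effect once the zram directories are relabeled at coldboot; if a zram device can be created after that point, confirm that the relabel also covers it.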
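Review bot: The `+# disksize` comment in init.te does not say which file or why `getattr` alone is enough, which a reader of this file cannot tell without the commit message. The visible context already gives init `sysfs_type:file w_file_perms`, which presumably covers the write itself, and the logged denial is only `getattr` on `/sys/devices/virtual/block/zram0/disksize`. Suggested wording: `# getattr on /sys/devices/virtual/block/zram*/disksize; the write is covered by the sysfs_type rule above`.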
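Review bot: `allow priv_app sysfs_zram:file r_file_perms;` grants read on every attribute under the zram sysfs directories, while the only priv_app denial in the description is `search` on the `zram0` dir (ContactsProvider); the file rule is therefore not backed by an observed access, and `sysfs_zram` is one label for all files under `zram\d+`. The same applies to the system_app hunk, for which the description lists no denial at all. Either name the attribute that is actually read in the comment (`# /sys/devices/virtual/block/zram*/<ATTRIBUTE>: <WHY>` with the placeholders filled in) or hold the `:file r_file_perms` rule until a denial shows which file is needed; the `:dir search` rule alone satisfies the logged denial.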
@@ -73,4 +73,8 @@ allow system_app keystore:keystore_key {
 	user_changed
 };
 
+# /sys access
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file r_file_perms;
+
 control_logd(system_app)
diff --git a/system_server.te b/system_server.te
index 2a1d761c5..bc861e77a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -369,6 +369,10 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
+# /sys access
+allow system_server sysfs_zram:dir search;
+allow system_server sysfs_zram:file r_file_perms;
+
 allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
diff --git a/ueventd.te b/ueventd.te
index 04a18a303..9eb2b1a56 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -14,6 +14,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_zram_uevent:file w_file_perms;
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
 allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
diff --git a/vold.te b/vold.te
index 35e502f3d..cb1f92559 100644
--- a/vold.te
+++ b/vold.te
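Review bot: The `+# /sys access` comment in system_server.te is the same generic text used in the priv_app and system_app hunks and does not tell the next maintainer what is read. The description's denials for system_server are `search` on the zram dir and `read` on `mem_used_total`, which the two rules match exactly, so the comment can be specific: `# /sys/devices/virtual/block/zram*/mem_used_total (zram memory statistics)`.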
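Review bot: `+allow ueventd sysfs_zram_uevent:file w_file_perms;` has no comment, and it sits directly under `allow ueventd sysfs:file rw_file_perms;`, so a reader will wonder why the generic sysfs rule does not already cover it. The reason is that the file_contexts entry in this patch relabels `zram*/uevent` to `sysfs_zram_uevent`, which is outside the plain `sysfs` type, and the description's denials are `write` and `open` on that file. Suggested: `# zram*/uevent is labeled sysfs_zram_uevent (not sysfs); written during coldboot to replay uevents`, with the coldboot part hedged if it is not confirmed.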
@@ -167,6 +167,10 @@ allow vold storage_file:dir mounton;
 # For AppFuse.
 allow vold fuse_device:chr_file rw_file_perms;
 
+# coldboot of /sys/block
+allow vold sysfs_zram:dir r_dir_perms;
+allow vold sysfs_zram_uevent:file rw_file_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
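Review bot: `+allow vold sysfs_zram_uevent:file rw_file_perms;` grants more on the same file than the ueventd hunk's `w_file_perms`, and the only vold denial in the description is `read` on the zram dir, so the read side of the uevent rule is not backed by an observed access. If vold's coldboot of `/sys/block` only writes to `uevent`, as the `# coldboot of /sys/block` comment suggests, `allow vold sysfs_zram_uevent:file w_file_perms;` matches the ueventd rule and drops the unneeded read/ioctl/lock; if a read is really required, say so in the comment.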