PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,864 Commits 17 Branches 0 Tags 41 MiB
7c539b1c96
Commit Graph

4 Commits

Author SHA1 Message Date
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain 
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
 2015-11-03 23:11:11 +00:00
Nick Kralevich
e2651972c1 Allow /dev/klog access, drop mknod and __null__ access 
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
 2015-06-08 10:29:11 -07:00
Sami Tolvanen
5895ffe1f7 Fix block_suspend denial for slideshow 
Add wakelock_use to slideshow.te to fix the following denial:

avc:  denied  { block_suspend } for  pid=137 comm="slideshow" capability=36  scontext=u:r:slideshow:s0 tcontext=u:r:slideshow:s0 tclass=capability2 permissive=0

Change-Id: If84f167cd235e8196eadf3fb85cc725a5ea464e6
 2015-03-31 09:22:27 +01:00
Sami Tolvanen
9d87c647af Allow init to execute /sbin/slideshow 
Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).

Needed by changes from
  I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d

Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
 2015-02-26 17:23:29 +00:00