From 197ea4ad2a5b8737be5f76260bfd9939e0365491 Mon Sep 17 00:00:00 2001 From: Timo Liao Date: Sat, 18 Jan 2020 09:39:17 +0800 Subject: [PATCH] [ALPS03890927] battery: fix sepolicy violation [Detail] 1. fix data between core and vendor violator 2. remove fuelgauged_static.te 3. remove fg daemon access nvram sepolicy 4. add label for battery MTK-Commit-Id: 1443b78b112739594e0633526c6966e4871bd125 Change-Id: I931a18bfb8ac963e71311ceace8a28b4a495e881 Signed-off-by: Timo Liao CR-Id: ALPS03890927 Feature: Fuel Gauge --- non_plat/file.te | 5 +++- non_plat/file_contexts | 1 + non_plat/fuelgauged.te | 31 ++++++++++--------- non_plat/fuelgauged_nvram.te | 17 +++++++---- non_plat/fuelgauged_static.te | 34 --------------------- plat_private/fuelgauged_static.te | 50 ------------------------------- plat_public/fuelgauged_static.te | 7 ----- 7 files changed, 33 insertions(+), 112 deletions(-) delete mode 100644 non_plat/fuelgauged_static.te delete mode 100644 plat_private/fuelgauged_static.te delete mode 100644 plat_public/fuelgauged_static.te diff --git a/non_plat/file.te b/non_plat/file.te index 6928a8a..91e6639 100644 --- a/non_plat/file.te +++ b/non_plat/file.te @@ -251,8 +251,11 @@ type sysfs_boot, fs_type, sysfs_type; # consys Log folder type consyslog_data_file, file_type, data_file_type; - # Date : WK1817 # Purpose : for meta to get com port type and uart port info type sysfs_comport_type, fs_type, sysfs_type; type sysfs_uart_info, fs_type, sysfs_type; + +# Date : WK1817 +# Purpose : for fuelgauged access +type battery_node, fs_type, sysfs_type; diff --git a/non_plat/file_contexts b/non_plat/file_contexts index 1fdc9ee..92638b4 100644 --- a/non_plat/file_contexts +++ b/non_plat/file_contexts @@ -479,6 +479,7 @@ /sys/devices/virtual/BOOT/BOOT/boot/boot_mode(/.*)? u:object_r:sysfs_boot:s0 /sys/bus/platform/drivers/meta_com_type_info/meta_com_type_info(/.*)? u:object_r:sysfs_comport_type:s0 /sys/bus/platform/drivers/meta_uart_port_info/meta_uart_port_info(/.*)? u:object_r:sysfs_uart_info:s0 +/sys/devices/platform/battery(/.*)? u:object_r:battery_node:s0 ############################# # debugfs files diff --git a/non_plat/fuelgauged.te b/non_plat/fuelgauged.te index 26b8590..96590a9 100644 --- a/non_plat/fuelgauged.te +++ b/non_plat/fuelgauged.te @@ -51,18 +51,18 @@ allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_rea # Data : WK16.21 # Operation : New Feature # Purpose : For fg daemon can access /data/FG folder -file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file); -allow fuelgauged fuelgauged_file:file rw_file_perms; -typeattribute fuelgauged data_between_core_and_vendor_violators; -allow fuelgauged system_data_file:dir rw_dir_perms; +#file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file); +#allow fuelgauged fuelgauged_file:file rw_file_perms; +#typeattribute fuelgauged data_between_core_and_vendor_violators; +#allow fuelgauged system_data_file:dir rw_dir_perms; # Data : WK16.21 # Operation : New Feature # Purpose : For fg daemon can do nvram r/w to save car_tune_value -allow fuelgauged nvdata_file:dir rw_dir_perms; -allow fuelgauged nvdata_file:file {rw_file_perms create_file_perms}; -allow fuelgauged nvram_data_file:lnk_file rw_file_perms; -allow fuelgauged nvdata_file:lnk_file rw_file_perms; +#allow fuelgauged nvdata_file:dir rw_dir_perms; +#allow fuelgauged nvdata_file:file {rw_file_perms create_file_perms}; +#allow fuelgauged nvram_data_file:lnk_file rw_file_perms; +#allow fuelgauged nvdata_file:lnk_file rw_file_perms; # Data : WK16.39 #allow fuelgauged self:capability { chown fsetid dac_override }; @@ -70,9 +70,9 @@ allow fuelgauged nvdata_file:lnk_file rw_file_perms; # Data : W16.43 # Operation : New Feature # Purpose : Change from /data to /cache -allow fuelgauged cache_file:file {rw_file_perms create_file_perms}; -allow fuelgauged cache_file:dir {rw_dir_perms create_dir_perms}; -allow fuelgauged sysfs:file {rw_file_perms create_file_perms}; +#allow fuelgauged cache_file:file {rw_file_perms create_file_perms}; +#allow fuelgauged cache_file:dir {rw_dir_perms create_dir_perms}; +#allow fuelgauged sysfs:file {rw_file_perms create_file_perms}; # Date: W17.22 # Operation : New Feature @@ -82,8 +82,11 @@ allow fuelgauged kernel:system module_request; # Date: W18.03 # Operation : change fuelgagued access from cache to nvcfg # Purpose : add fuelgauged to nvcfg read write permit -#allow fuelgauged nvcfg_file:dir getattr; -#allow fuelgauged nvcfg_file:dir {rw_dir_perms create_dir_perms}; -#allow fuelgauged nvcfg_file:file {rw_dir_perms create_dir_perms}; allow fuelgauged nvcfg_file:dir { search write open read add_name create getattr}; allow fuelgauged nvcfg_file:file { read write getattr open create }; + +# Date: W18.17 +# Operation : add label for /sys/devices/platform/battery(/.*) +# Purpose : add fuelgauged could access +allow fuelgauged battery_node:file { read open }; + diff --git a/non_plat/fuelgauged_nvram.te b/non_plat/fuelgauged_nvram.te index 3078edf..1a674f9 100644 --- a/non_plat/fuelgauged_nvram.te +++ b/non_plat/fuelgauged_nvram.te @@ -25,10 +25,10 @@ init_daemon_domain(fuelgauged_nvram) # Data : WK16.21 # Operation : New Feature # Purpose : For fg daemon can access /data/FG folder -file_type_auto_trans(fuelgauged_nvram, system_data_file, fuelgauged_nvram_file); -allow fuelgauged_nvram fuelgauged_nvram_file:file rw_file_perms; -typeattribute fuelgauged_nvram data_between_core_and_vendor_violators; -allow fuelgauged_nvram system_data_file:dir rw_dir_perms; +#file_type_auto_trans(fuelgauged_nvram, system_data_file, fuelgauged_nvram_file); +#allow fuelgauged_nvram fuelgauged_nvram_file:file rw_file_perms; +#typeattribute fuelgauged_nvram data_between_core_and_vendor_violators; +#allow fuelgauged_nvram system_data_file:dir rw_dir_perms; # Data : WK16.21 # Operation : New Feature @@ -44,8 +44,8 @@ allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms}; # Data : W16.43 # Operation : New Feature # Purpose : Change from /data to /cache -allow fuelgauged_nvram cache_file:file {rw_file_perms create_file_perms}; -allow fuelgauged_nvram cache_file:dir {rw_dir_perms create_dir_perms}; +#allow fuelgauged_nvram cache_file:file {rw_file_perms create_file_perms}; +#allow fuelgauged_nvram cache_file:dir {rw_dir_perms create_dir_perms}; #allow fuelgauged_nvram self:capability { dac_read_search dac_override chown }; allow fuelgauged_nvram kmsg_device:chr_file { write open }; allow fuelgauged_nvram self:capability fsetid; @@ -58,7 +58,12 @@ allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms; # Date: W18.03 # Operation : change fuelgagued_nvram access from cache to nvcfg # Purpose : add fuelgauged to nvcfg read write permit +# need add label allow fuelgauged_nvram sysfs:file { read open }; allow fuelgauged_nvram nvcfg_file:dir { search write open read add_name create getattr}; allow fuelgauged_nvram nvcfg_file:file { read write getattr open create }; +# Date: W18.17 +# Operation : add label for /sys/devices/platform/battery(/.*) +# Purpose : add fuelgauged could access +allow fuelgauged_nvram battery_node:file { read open }; diff --git a/non_plat/fuelgauged_static.te b/non_plat/fuelgauged_static.te deleted file mode 100644 index b031338..0000000 --- a/non_plat/fuelgauged_static.te +++ /dev/null @@ -1,34 +0,0 @@ -# ============================================== -# Policy File of /system/bin/fuelgauged_static Executable File - -# ============================================== -# Android Policy Rule -# ============================================== - -# ============================================== -# NSA Policy Rule -# ============================================== - -# ============================================== -# MTK Policy Rule -# ============================================== - -# Data : WK14.43 -# Operation : Migration -# Purpose : For meta tool calibration -allow fuelgauged_static mtk-adc-cali_device:chr_file rw_file_perms; - -# Data : WK14.43 -# Operation : Migration -# Purpose : For fg.log can be printed with kernel log -allow fuelgauged_static kmsg_device:chr_file w_file_perms; - -# Data : WK16.21 -# Operation : New Feature -# Purpose : For fg daemon can do nvram r/w to save car_tune_value -typeattribute fuelgauged_static data_between_core_and_vendor_violators; -allow fuelgauged_static nvdata_file:dir rw_dir_perms; -allow fuelgauged_static nvdata_file:file {rw_file_perms create_file_perms}; -allow fuelgauged_static nvram_data_file:lnk_file rw_file_perms; -allow fuelgauged_static nvdata_file:lnk_file rw_file_perms; - diff --git a/plat_private/fuelgauged_static.te b/plat_private/fuelgauged_static.te deleted file mode 100644 index fdbf7c1..0000000 --- a/plat_private/fuelgauged_static.te +++ /dev/null @@ -1,50 +0,0 @@ -# ============================================== -# Policy File of /system/bin/fuelgauged_static Executable File - -# ============================================== -# Type Declaration -# ============================================== -type fuelgauged_static_exec , exec_type, file_type; -type fuelgauged_static_file, file_type, data_file_type, core_data_file_type; -typeattribute fuelgauged_static coredomain; -# ============================================== -# Android Policy Rule -# ============================================== - -# ============================================== -# NSA Policy Rule -# ============================================== - -# ============================================== -# MTK Policy Rule -# ============================================== - -init_daemon_domain(fuelgauged_static) - -# Data : WK14.43 -# Operation : Migration -# Purpose : Fuel Gauge daemon for access driver node -allow fuelgauged_static input_device:dir rw_dir_perms; -allow fuelgauged_static input_device:file r_file_perms; - - -# Data : WK14.43 -# Operation : Migration -# Purpose : For fg daemon can comminucate with kernel -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow fuelgauged_static fuelgauged_static:netlink_kobject_uevent_socket create_socket_perms; -#allow fuelgauged_static fuelgauged_static:netlink_socket create_socket_perms; -# Data : WK16.21 -# Operation : New Feature -# Purpose : For fg daemon can access /data/FG folder -file_type_auto_trans(fuelgauged_static, system_data_file, fuelgauged_static_file); -allow fuelgauged_static fuelgauged_static_file:file rw_file_perms; -allow fuelgauged_static system_data_file:dir rw_dir_perms; - -# Data : WK16.25 -# Operation : Migration -# Purpose : For fg daemon can work in recovery mode -allow fuelgauged_static rootfs:file entrypoint; - -# Data : WK16.39 -#allow fuelgauged_static self:capability { chown fsetid dac_override }; diff --git a/plat_public/fuelgauged_static.te b/plat_public/fuelgauged_static.te deleted file mode 100644 index 3e65ecd..0000000 --- a/plat_public/fuelgauged_static.te +++ /dev/null @@ -1,7 +0,0 @@ -# ============================================== -# Policy File of /system/bin/fuelgauged_static Executable File - -# ============================================== -# Type Declaration -# ============================================== -type fuelgauged_static ,domain;