From 1a9ed28058956beb0cc7f8d01a1c50400d7ded01 Mon Sep 17 00:00:00 2001
From: "yizheng.yang"
Date: Sat, 18 Jan 2020 10:20:00 +0800
Subject: [PATCH] [ALPS04760107] Fix high risk selinux

Fix high risk selinux in atci
MTK-Commit-Id: 920482c8d6406a57b2b653e98b8b28c30c2e6d1b
Change-Id: I6cbd85f3699f055312a5f6b2ea577bd9161ef29e
CR-Id: ALPS04760107
Feature: [Module]ATCI (AT Command Interface)
---
 non_plat/atci_service.te | 7 +------
 non_plat/atcid.te | 6 +-----
 2 files changed, 2 insertions(+), 11 deletions(-)

diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te
index f3f8f21..c3a4c81 100644
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@@ -13,9 +13,6 @@ init_daemon_domain(atci_service)
 allow atci_service block_device:dir search;
 allow atci_service misc2_block_device:blk_file { open read write };
 allow atci_service misc2_device:chr_file { open read write };
-allow atci_service bootdevice_block_device:blk_file { open read write };
-
-allow atci_service self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
 allow atci_service camera_isp_device:chr_file { read write ioctl open };
 allow atci_service graphics_device:chr_file { read write ioctl open };
 allow atci_service graphics_device:dir search;
@@ -71,11 +68,9 @@ allow atci_service storage_file:lnk_file read;
 #allow atci_service media_rw_data_file:file { read write create open };
 #============= atci_service ==============
-allow atci_service property_socket:sock_file write;
 allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};
-allow atci_service init:unix_stream_socket connectto;
-allow atci_service mtk_em_prop:property_service set;
+set_prop(atci_service, mtk_em_prop)
 # Date : 2016/03/02
 # Operation : M-Migration
diff --git a/non_plat/atcid.te b/non_plat/atcid.te
index 1b1eddd..0734116 100644
--- a/non_plat/atcid.te
+++ b/non_plat/atcid.te
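Review bot: The context line `allow atci_service misc2_block_device:blk_file { open read write };` directly above the removed bootdevice rule still leaves atci_service with raw write access to a block partition, which is the same class of exposure the commit removes for bootdevice_block_device; if ATCI only needs to read that partition, tighten it to `allow atci_service misc2_block_device:blk_file { open read };`. The capability set (`net_admin`, `sys_admin`, `chown`, `fowner`, `fsetid`, `net_raw`, `sys_nice`) is dropped wholesale, so any capability atci_service actually exercises will now surface as an `avc: denied ... tclass=capability` on a userdebug build; exercising the AT-command paths and re-adding only the specific capability that shows up, if any, is safer than re-adding the full set later. Whether anything else in the domain depends on these grants is not visible here, since the rule block continues past this hunk.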
@@ -9,8 +9,7 @@ type atcid, domain;
 type atcid_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(atcid)
-allow atcid init:unix_stream_socket connectto;
-allow atcid property_socket:sock_file write;
+set_prop(atcid,persist_service_atci_prop)
 allow atcid block_device:dir search;
 allow atcid socket_device:sock_file write;
@@ -20,11 +19,8 @@ hwbinder_use(atcid)
 hal_client_domain(atcid, hal_telephony)
 allow atcid ttyGS_device:chr_file { read write ioctl open };
-allow atcid persist_service_atci_prop:property_service set;
-allow atcid misc2_device:chr_file { read write open };
 allow atcid wmtWifi_device:chr_file { write open };
 allow atcid misc2_block_device:blk_file { read write open };
-allow atcid bootdevice_block_device:blk_file { open read write };
 allow atci_service gpu_device:chr_file { read write open ioctl getattr };
 allow atcid self:capability sys_time;
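Review bot: `set_prop(atcid,persist_service_atci_prop)` drops the space after the comma that the sibling `set_prop(atci_service, mtk_em_prop)` in atci_service.te uses; `set_prop(atcid, persist_service_atci_prop)` keeps the two files consistent. Be aware that, if I read the AOSP macro correctly, `set_prop` expands to the init unix_socket_send plus `property_service set` and also pulls in `get_prop`, so it covers both removed lines and additionally grants read of the property, which is acceptable for a property this service owns but worth knowing when auditing. The context line `allow atcid socket_device:sock_file write;` grants write to anything carrying the generic socket_device label; if a dedicated type exists for the socket atcid actually talks to, prefer it.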
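Review bot: The context line `allow atci_service gpu_device:chr_file { read write open ioctl getattr };` is a rule for the atci_service domain but lives in atcid.te; it should move to non_plat/atci_service.te so that each domain's policy is in one place and an auditor reading atci_service.te does not miss it. Also `allow atcid misc2_block_device:blk_file { read write open };` keeps raw write to a block partition for a daemon that reads AT commands from `ttyGS_device`, the same exposure the commit removes for bootdevice_block_device on the line below it; confirm write is required or reduce it to `allow atcid misc2_block_device:blk_file { read open };`. The remaining `allow atcid self:capability sys_time;` is narrow and looks fine as is.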