[ALPS03841839] fix nvram SELinux violations

[Detail]fix nvram selinux violations [Solution]remove system_data_file sepolicy from nvram_daemon.te/nvram_agent_binder.te MTK-Commit-Id: 4a9272ef13c590133649ca46d962f14768a216ef Change-Id: I473edae03de50c6d747477e34e6eb797b7b1875e CR-Id: ALPS03841839 Feature: NVRAM Partition
2020-01-18 09:30:59 +08:00 · 2020-01-18 09:30:59 +08:00 · 9764053433
commit 9764053433
parent 06fbbbdb00
3 changed files with 13 additions and 44 deletions
--- a/non_plat/merged_hal_service.te
+++ b/non_plat/merged_hal_service.te
@ -32,42 +32,6 @@ allow merged_hal_service mnld_data_file:dir create_file_perms;
 allow merged_hal_service mnld_data_file:dir rw_dir_perms;
 allow merged_hal_service mnld:unix_dgram_socket sendto;

-#for nvram agent hidl
-allow merged_hal_service hwservicemanager_prop:file r_file_perms;
-allow merged_hal_service sysfs:file { read open };
-allow merged_hal_service system_data_file:lnk_file read;
-hal_server_domain(merged_hal_service, hal_nvramagent)
-# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
-#hal_server_domain(merged_hal_service, hal_nvramagent)
-#for nvram agent hidl access nvram file
-allow merged_hal_service nvram_agent_service:service_manager add;
-allow merged_hal_service nvram_device:blk_file rw_file_perms;
-allow merged_hal_service bootdevice_block_device:blk_file rw_file_perms;
-allow merged_hal_service nvdata_device:blk_file rw_file_perms;
-allow merged_hal_service nvram_data_file:dir create_dir_perms;
-allow merged_hal_service nvram_data_file:file create_file_perms;
-allow merged_hal_service nvram_data_file:lnk_file read;
-allow merged_hal_service nvdata_file:lnk_file read;
-allow merged_hal_service nvdata_file:dir create_dir_perms;
-allow merged_hal_service nvdata_file:file create_file_perms;
-#allow merged_hal_service system_file:file execute_no_trans;
-allow merged_hal_service als_ps_device:chr_file r_file_perms;
-allow merged_hal_service mtk-adc-cali_device:chr_file rw_file_perms;
-allow merged_hal_service gsensor_device:chr_file r_file_perms;
-allow merged_hal_service gyroscope_device:chr_file r_file_perms;
-allow merged_hal_service init:unix_stream_socket connectto;
-allow merged_hal_service property_socket:sock_file write;
-allow merged_hal_service sysfs:file write;
-#allow merged_hal_service self:capability { fowner chown dac_override fsetid };
-typeattribute merged_hal_service data_between_core_and_vendor_violators;
-allow merged_hal_service system_data_file:dir create_file_perms;
-allow merged_hal_service nvram_device:chr_file rw_file_perms;
-allow merged_hal_service pro_info_device:chr_file rw_file_perms;
-allow merged_hal_service block_device:dir search;
-allow merged_hal_service app_data_file:file write;
-allow merged_hal_service mtd_device:dir search;
-allow merged_hal_service mtd_device:chr_file rw_file_perms;
-
 #graphics allocator permissions
 hal_server_domain(merged_hal_service, hal_graphics_allocator)
 allow merged_hal_service gpu_device:dir search;
--- a/non_plat/nvram_agent_binder.te
+++ b/non_plat/nvram_agent_binder.te
@ -40,8 +40,9 @@ allow nvram_agent_binder init:unix_stream_socket connectto;
 allow nvram_agent_binder property_socket:sock_file write;
 allow nvram_agent_binder sysfs:file write;
 #allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
-typeattribute nvram_agent_binder data_between_core_and_vendor_violators;
-allow nvram_agent_binder system_data_file:dir create_file_perms;
+#typeattribute nvram_agent_binder data_between_core_and_vendor_violators;
+#remove from Android P
+#allow nvram_agent_binder system_data_file:dir create_file_perms;

 # Purpose: for backup
 allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
@ -58,7 +59,8 @@ allow nvram_agent_binder hwservicemanager_prop:file r_file_perms;

 #for nvram hidl client support
 allow nvram_agent_binder sysfs:file { read open };
-allow nvram_agent_binder system_data_file:lnk_file read;
+#remove from android P
+#allow nvram_agent_binder system_data_file:lnk_file read;

 # Allow to use HWBinder IPC
 hwbinder_use(nvram_agent_binder);
--- a/non_plat/nvram_daemon.te
+++ b/non_plat/nvram_daemon.te
@ -70,8 +70,9 @@ allow nvram_daemon proc_lk_env:file rw_file_perms;

 # Purpose: for workaround
 # Todo: Remove this policy
-typeattribute nvram_daemon data_between_core_and_vendor_violators;
-allow nvram_daemon system_data_file:dir write;
+#typeattribute nvram_daemon data_between_core_and_vendor_violators;
+#remove from Android P
+#allow nvram_daemon system_data_file:dir write;

 # Purpose: property set
 #allow nvram_daemon service_nvram_init_prop:property_service set;
@ -79,11 +80,13 @@ allow nvram_daemon system_data_file:dir write;
 # Purpose: copy /fstab*
 allow nvram_daemon rootfs:dir { read open };
 allow nvram_daemon rootfs:file r_file_perms;
-allow nvram_daemon system_data_file:lnk_file read;
+#remove from Android P
+#allow nvram_daemon system_data_file:lnk_file read;

 # Purpose: remove /data/nvram link
-allow nvram_daemon system_data_file:dir { remove_name add_name };
-allow nvram_daemon system_data_file:lnk_file { create unlink };
+#remove from Android P
+#allow nvram_daemon system_data_file:dir { remove_name add_name };
+#allow nvram_daemon system_data_file:lnk_file { create unlink };
 allow nvram_daemon nvram_data_file:lnk_file unlink;
 # Purpose: for run toolbox command: chown chmode..
 #allow nvram_daemon toolbox_exec:file rx_file_perms;