From 976405343309caaa6b004c510629bd161bb98feb Mon Sep 17 00:00:00 2001
From: henry huang
Date: Sat, 18 Jan 2020 09:30:59 +0800
Subject: [PATCH] [ALPS03841839] fix nvram SELinux violations
[Detail]fix nvram selinux violations
[Solution]remove system_data_file sepolicy from nvram_daemon.te/nvram_agent_binder.te
MTK-Commit-Id: 4a9272ef13c590133649ca46d962f14768a216ef
Change-Id: I473edae03de50c6d747477e34e6eb797b7b1875e
CR-Id: ALPS03841839
Feature: NVRAM Partition
---
 non_plat/merged_hal_service.te | 36 ----------------------------------
 non_plat/nvram_agent_binder.te | 8 +++++---
 non_plat/nvram_daemon.te | 13 +++++++-----
 3 files changed, 13 insertions(+), 44 deletions(-)
diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te
index 3a2d668..d422379 100644
--- a/non_plat/merged_hal_service.te
+++ b/non_plat/merged_hal_service.te
@@ -32,42 +32,6 @@ allow merged_hal_service mnld_data_file:dir create_file_perms;
 allow merged_hal_service mnld_data_file:dir rw_dir_perms;
 allow merged_hal_service mnld:unix_dgram_socket sendto;
-#for nvram agent hidl
-allow merged_hal_service hwservicemanager_prop:file r_file_perms;
-allow merged_hal_service sysfs:file { read open };
-allow merged_hal_service system_data_file:lnk_file read;
-hal_server_domain(merged_hal_service, hal_nvramagent)
-# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
-#hal_server_domain(merged_hal_service, hal_nvramagent)
-#for nvram agent hidl access nvram file
-allow merged_hal_service nvram_agent_service:service_manager add;
-allow merged_hal_service nvram_device:blk_file rw_file_perms;
-allow merged_hal_service bootdevice_block_device:blk_file rw_file_perms;
-allow merged_hal_service nvdata_device:blk_file rw_file_perms;
-allow merged_hal_service nvram_data_file:dir create_dir_perms;
-allow merged_hal_service nvram_data_file:file create_file_perms;
-allow merged_hal_service nvram_data_file:lnk_file read;
-allow merged_hal_service nvdata_file:lnk_file read;
-allow merged_hal_service nvdata_file:dir create_dir_perms;
-allow merged_hal_service nvdata_file:file create_file_perms;
-#allow merged_hal_service system_file:file execute_no_trans;
-allow merged_hal_service als_ps_device:chr_file r_file_perms;
-allow merged_hal_service mtk-adc-cali_device:chr_file rw_file_perms;
-allow merged_hal_service gsensor_device:chr_file r_file_perms;
-allow merged_hal_service gyroscope_device:chr_file r_file_perms;
-allow merged_hal_service init:unix_stream_socket connectto;
-allow merged_hal_service property_socket:sock_file write;
-allow merged_hal_service sysfs:file write;
-#allow merged_hal_service self:capability { fowner chown dac_override fsetid };
-typeattribute merged_hal_service data_between_core_and_vendor_violators;
-allow merged_hal_service system_data_file:dir create_file_perms;
-allow merged_hal_service nvram_device:chr_file rw_file_perms;
-allow merged_hal_service pro_info_device:chr_file rw_file_perms;
-allow merged_hal_service block_device:dir search;
-allow merged_hal_service app_data_file:file write;
-allow merged_hal_service mtd_device:dir search;
-allow merged_hal_service mtd_device:chr_file rw_file_perms;
-
 #graphics allocator permissions
 hal_server_domain(merged_hal_service, hal_graphics_allocator)
 allow merged_hal_service gpu_device:dir search;
diff --git a/non_plat/nvram_agent_binder.te b/non_plat/nvram_agent_binder.te
index 7b9eed0..4da9faa 100644
--- a/non_plat/nvram_agent_binder.te
+++ b/non_plat/nvram_agent_binder.te
@@ -40,8 +40,9 @@ allow nvram_agent_binder init:unix_stream_socket connectto;
 allow nvram_agent_binder property_socket:sock_file write;
 allow nvram_agent_binder sysfs:file write;
 #allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
-typeattribute nvram_agent_binder data_between_core_and_vendor_violators;
-allow nvram_agent_binder system_data_file:dir create_file_perms;
+#typeattribute nvram_agent_binder data_between_core_and_vendor_violators;
+#remove from Android P
+#allow nvram_agent_binder system_data_file:dir create_file_perms;
 # Purpose: for backup
 allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
@@ -58,7 +59,8 @@ allow nvram_agent_binder hwservicemanager_prop:file r_file_perms;
 #for nvram hidl client support
 allow nvram_agent_binder sysfs:file { read open };
-allow nvram_agent_binder system_data_file:lnk_file read;
+#remove from android P
+#allow nvram_agent_binder system_data_file:lnk_file read;
 # Allow to use HWBinder IPC
 hwbinder_use(nvram_agent_binder);
diff --git a/non_plat/nvram_daemon.te b/non_plat/nvram_daemon.te
index c915dc8..8a1184f 100644
--- a/non_plat/nvram_daemon.te
+++ b/non_plat/nvram_daemon.te
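Review bot: The `typeattribute nvram_agent_binder data_between_core_and_vendor_violators;` exemption and the `system_data_file:dir` rule in the -40 hunk of non_plat/nvram_agent_binder.te are commented out rather than deleted, and the same is done in the -58 hunk and in both hunks of non_plat/nvram_daemon.te. Disabled rules left in the policy are one `#` away from being restored the next time someone chases an `avc: denied`, so I would delete the lines and let version control keep them. If a marker has to stay, `#remove from Android P` does not say why; `# Android P+: vendor domains must not access system_data_file (core/vendor data split)` would. With the violators attribute gone, any rule on a core data type that remains elsewhere in this file (outside the hunk) should now be caught by the Treble neverallow checks at build time, which is worth confirming on a full policy build.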
@@ -70,8 +70,9 @@ allow nvram_daemon proc_lk_env:file rw_file_perms;
 # Purpose: for workaround
 # Todo: Remove this policy
-typeattribute nvram_daemon data_between_core_and_vendor_violators;
-allow nvram_daemon system_data_file:dir write;
+#typeattribute nvram_daemon data_between_core_and_vendor_violators;
+#remove from Android P
+#allow nvram_daemon system_data_file:dir write;
 # Purpose: property set
 #allow nvram_daemon service_nvram_init_prop:property_service set;
@@ -79,11 +80,13 @@ allow nvram_daemon system_data_file:dir write;
 # Purpose: copy /fstab*
 allow nvram_daemon rootfs:dir { read open };
 allow nvram_daemon rootfs:file r_file_perms;
-allow nvram_daemon system_data_file:lnk_file read;
+#remove from Android P
+#allow nvram_daemon system_data_file:lnk_file read;
 # Purpose: remove /data/nvram link
-allow nvram_daemon system_data_file:dir { remove_name add_name };
-allow nvram_daemon system_data_file:lnk_file { create unlink };
+#remove from Android P
+#allow nvram_daemon system_data_file:dir { remove_name add_name };
+#allow nvram_daemon system_data_file:lnk_file { create unlink };
 allow nvram_daemon nvram_data_file:lnk_file unlink;
 # Purpose: for run toolbox command: chown chmode..
 #allow nvram_daemon toolbox_exec:file rx_file_perms;
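Review bot: The `# Purpose: for workaround` and `# Todo: Remove this policy` header lines in the -70 hunk of non_plat/nvram_daemon.te now sit above rules that are all disabled, so the TODO they record is done and the stanza is stale. I would remove the two header comments together with the `typeattribute` and `system_data_file:dir write` lines, so the policy no longer advertises a workaround that has been withdrawn.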
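Review bot: In the -79 hunk of non_plat/nvram_daemon.te the `# Purpose: remove /data/nvram link` stanza keeps only `allow nvram_daemon nvram_data_file:lnk_file unlink;`, but an unlink also needs `remove_name` on the parent directory, and that came from the `system_data_file:dir { remove_name add_name }` rule this hunk disables. If the link still sits directly in a `system_data_file` directory (the labels are not visible here), the surviving rule can no longer take effect and is a dead grant that should be removed with the others. If the link has moved, a comment such as `# /data/nvram link: unlink also needs remove_name on the parent dir; confirm the parent is not system_data_file` would record what the rule now depends on.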