Debugfs is failed to be initialized because of the denial below.
Add selinux policy to fix it.
avc: denied { search } for comm="kworker/0:1" name="mmc0"
dev="debugfs" ino=6562 scontext=u:r:kernel:s0
tcontext=u:object_r:debugfs_mmc:s0 tclass=dir permissive=0
CRs-Fixed: 2636489
Change-Id: I831a363d448b3efe11960c3937b04dbca80d37f3
/dev/tee* are accessed by domains that interact with TEE and thus
require access to them too.
Test: Boot and observe that denials are not visible in logs anymore
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I7b0944a1063da8561d2928e4110674ce4845ecea
TEE stores its file in /data/vendor/thh/. Allow it required permissions
to do so.
Denials observed without this change:
12-28 16:42:11.556 416 416 I teei_daemon: type=1400 audit(0.0:394): avc: denied { open } for path="/data/vendor/thh/7778c03fc30c4dd0a319ea29643d4d4b." dev="sdc46" ino=2490455 scontext=u:r:tee:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=1
Test: Boot and notice that denials have resolved
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I1a608ebac628c8ce9c35ece1566e049236321a4b
/dev/*rpmb* devices are accessed by tee. Label it and allow tee required
permissions to manage it.
Denial observed without this change:
[ 46.559953] .(2)[399:logd.auditd]type=1400 audit(1609128921.644:391): avc: denied { ioctl } for comm="teei_daemon" path="/dev/rpmb0" dev="tmpfs" ino=17454 ioctlcmd=0x6 scontext=u:r:init:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and observe that denial no longer appears
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I3499e2a3ba177b8e69d8cdbb76939daf3f8bbc7b
/dev/ut_keymaster is used by keymaster. Label it and allow relevant permissions
which domains using it (vold, tee and keymaster) requires.
Denial observed without this change:
[ 46.666247] .(2)[399:logd.auditd]type=1400 audit(1609128921.744:392): avc: denied { ioctl } for comm="keymaster@3.0-s" path="/dev/ut_keymaster" dev="tmpfs" ino=17464 ioctlcmd=0x5402 scontext=u:r:hal_keymaster_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice that denial no longer appears
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Iee0126d637a139397db8857d8a780277c3ea4576
/dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to
store fingerprint data on the device. Label it and allow relevant source required
permissions.
Denial observed without this change:
[ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice denials have disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec
Thermal binary is used to load, throttle, manage thermal profiles on MediaTek devices.
Label it and grant required permissions for it to operate without any issues.
Test: Boot and notice thermal has now a proper domain and works without an issues
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Ibbc7e0ce907cd5eedd7826c658e7ef9c2d7a907d
CONNAC is MediaTek's Connectivity Combo Chip Driver, generate sysfs_net
context for it
Denial observed without this change:
[ 59.165685] .(2)[399:logd.auditd]type=1400 audit(1609128934.244:404): avc: denied { open } for comm="Binder:4098_1" path="/sys/devices/platform/CONNAC/net/wlan0/address" dev="sysfs" ino=43157 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.gms
Test: Boot and notice that path now has a proper context
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I0c76124e953b80d06714340ab4413eee84e6f2ef
Camera data files are store in /data/vendor/camera/ by camera hal on
treble devices. Label and allow mtk_hal_camera to manage it.
Denial observed without this change:
[ 17.686535] .(4)[399:logd.auditd]type=1400 audit(1609114842.280:303): avc: denied { getattr } for comm="camerahalserver" path="/data/vendor/camera/back_dual_camera_caldata_wt.bin" dev="sdc46" ino=2490446 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1
Test: Boot and notice denial has disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I98d0ddcce95cccdb9e86c4d36cb692e1f1ff41cb
During init, vold needs rw permissions in order to manage block devices.
This change allows the required permissions.
Denial observed without this change:
[ 7.574441] .(1)[397:logd.auditd]type=1400 audit(1608975791.836:9): avc: denied { write } for comm="Binder:379_2" name="uevent" dev="sysfs" ino=35884 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_mmcblk:s0 tclass=file permissive=1
Test: Boot and observe that denial has disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I3fa256cf5957f0af3fa2628833820f0f9fcf298b
DSBP property is set by multiple mediatek devices to declare support
for the same. It is already labeled in property_contexts but seems to
missing permission for vendor_init to actually set it.
Denial observed without this change:
[ 4.713173] .(7)[1:init]selinux: avc: denied { set } for property=persist.vendor.radio.mtk_dsbp_support pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:mtk_dsbp_support_prop:s0 tclass=property_service permissive=1\x0a
Test: Boot and observe that propery is set without any denial
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I0cc0c2cadbf9edb3fb205b9e52074f852fe08658
wlan driver/fw version are set at property at enforcing mode.
Add rules to allow to set wlan driver/fw version info
CRs-Fixed: 2460816
Change-Id: Ic0bb570cd53fe450512496c5864f432ce3219bbe
Missing newline causes compile-time error when sepolicy squashes all given
service-contexts into single file to pack into the build. This change
fixes that issue.
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
These types are already defined in system/sepolicy and gives compile-time
errors. Remove them to resolve the issues.
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
[Detail]
The mode of sepolicy files should be -rw-r--r--,
and the type should be ASCII text with Unix/Linux format.
[Solution]
1.Use chmod 0644 to change sepolicy files mode.
2.Use iconv -t ASCII and dos2unix to change sepolicy files
type and format.
MTK-Commit-Id: ee386fd7ca89105f70b96f6b58c5f0e372fe9a4b
Change-Id: Iac13b1ea8a4546168f68a7918acdcdb0588f6630
CR-Id: ALPS04968083
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
BASIC and BSP project should have same sepolicies in basic/.
[Solution]
1.Modify SEPolicies in non_plat/ by comparing with r_non_plat/ .
2.Remove r_non_plat/ .
Change-Id: I24d3df00255779bd73f4075c1c4062176d5b6047
CR-Id: ALPS05009976
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
