authorLinux Build Service Account <lnxbuild@localhost>2016-09-12 22:14:03 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2016-09-12 22:14:03 -0700
commit952d39556be6417579b39e16d09dd283aec61022 (patch)
tree4ed13f78b8caefc1e7a1c0bca4a3fdba30050167
parentfec07fe5ce6c0268cf7a495fa377626bd481ae88 (diff)
parent277acbba3c7adbb01364f738638a23b1b8674311 (diff)
Merge "sepolicy: Restrict diag access available to domains"
-rw-r--r--common/audioserver.te3
-rw-r--r--common/cnd.te5
-rw-r--r--common/dataservice_app.te4
-rw-r--r--common/domain.te2
-rw-r--r--common/dpmd.te5
-rw-r--r--common/ims.te5
-rw-r--r--common/ipacm.te1
-rw-r--r--common/location.te5
-rw-r--r--common/location_app.te1
-rw-r--r--common/mdtp.te1
-rwxr-xr-xcommon/mmi.te6
-rw-r--r--common/netmgrd.te1
-rw-r--r--common/port-bridge.te1
-rw-r--r--common/qcomsysd.te5
-rw-r--r--common/qfp-daemon.te5
-rw-r--r--common/qlogd.te1
-rw-r--r--common/qti-logkit.te1
-rw-r--r--common/qti.te5
-rw-r--r--common/radio.te4
-rw-r--r--common/rild.te5
-rw-r--r--common/sensors.te1
-rwxr-xr-xcommon/ssr_diag.te1
-rw-r--r--common/surfaceflinger.te4
-rw-r--r--common/system_app.te1
-rw-r--r--common/system_server.te3
-rw-r--r--common/te_macros6
-rw-r--r--common/thermal-engine.te4
-rw-r--r--common/time_daemon.te4
-rw-r--r--common/wcnss_filter.te5
-rw-r--r--common/wcnss_service.te3
-rw-r--r--test/qti-testscripts.te2
31 files changed, 95 insertions, 5 deletions
diff --git a/common/audioserver.te b/common/audioserver.te
index 990e1a1c..a1b74afb 100644
--- a/common/audioserver.te
+++ b/common/audioserver.te
@@ -47,3 +47,6 @@ allow audioserver audio_data_file:dir remove_name;
# Allow audioserver to access sysfs nodes
allow audioserver sysfs:file rw_file_perms;
+userdebug_or_eng(`
+ diag_use(audioserver)
+')
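Review bot: The `userdebug_or_eng` block appended to audioserver.te carries no `#diag` marker, while the equivalent blocks added in cnd.te, dpmd.te, ims.te, location.te, mmi.te, qcomsysd.te, qfp-daemon.te, qti.te, radio.te, rild.te, surfaceflinger.te and wcnss_filter.te do; the same omission is in dataservice_app.te, system_server.te, thermal-engine.te and time_daemon.te. That one-line comment is the only cue telling a reader why the grant sits behind a build-variant guard, so I would make the convention uniform: put `#diag` on the line before each `userdebug_or_eng(`` or drop it everywhere. A short `# diag_device is userdebug/eng only` would say more than the bare tag if the comment is kept.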
diff --git a/common/cnd.te b/common/cnd.te
index 44cdb1eb..54be97a1 100644
--- a/common/cnd.te
+++ b/common/cnd.te
@@ -87,3 +87,8 @@ domain_auto_trans(cnd, hostapd_exec, hostapd)
# only allow getopt for appdomain
allow appdomain zygote:unix_dgram_socket getopt;
dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt;
+
+#diag
+userdebug_or_eng(`
+ diag_use(cnd)
+')
diff --git a/common/dataservice_app.te b/common/dataservice_app.te
index db123df8..9c48a601 100644
--- a/common/dataservice_app.te
+++ b/common/dataservice_app.te
@@ -52,3 +52,7 @@ dontaudit dataservice_app domain:dir r_dir_perms;
#allow dpmservice to get running time for apps
r_dir_file(dataservice_app, appdomain)
+
+userdebug_or_eng(`
+ diag_use(dataservice_app)
+')
diff --git a/common/domain.te b/common/domain.te
index e831bb47..8a747e5c 100644
--- a/common/domain.te
+++ b/common/domain.te
@@ -1,5 +1,3 @@
-allow { domain -untrusted_app } diag_device:chr_file rw_file_perms;
-
r_dir_file(domain, sysfs_socinfo);
r_dir_file(domain, sysfs_esoc);
r_dir_file(domain, sysfs_ssr);
diff --git a/common/dpmd.te b/common/dpmd.te
index f94953ee..4b92e91b 100644
--- a/common/dpmd.te
+++ b/common/dpmd.te
@@ -71,3 +71,8 @@ dpmd_socket_perm(netd)
#explicitly allow udp socket permissions for appdomain
allow dpmd appdomain:udp_socket rw_socket_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(dpmd)
+')
diff --git a/common/ims.te b/common/ims.te
index 2f74bb7c..68a6a5ac 100644
--- a/common/ims.te
+++ b/common/ims.te
@@ -63,3 +63,8 @@ netmgr_socket(ims);
# Inherit and use open files from radio.
allow ims radio:fd use;
+
+#diag
+userdebug_or_eng(`
+ diag_use(ims)
+')
diff --git a/common/ipacm.te b/common/ipacm.te
index 17f1fb29..000bfa5e 100644
--- a/common/ipacm.te
+++ b/common/ipacm.te
@@ -12,6 +12,7 @@ net_domain(ipacm)
userdebug_or_eng(`
# Allow using the logging file between ipacm and ipacm-diag
unix_socket_send(ipacm, ipacm, ipacm-diag)
+ diag_use(ipacm-diag)
')
# Allow capabilities to create netfilter_socket
diff --git a/common/location.te b/common/location.te
index 2dfec3ba..393bae60 100644
--- a/common/location.te
+++ b/common/location.te
@@ -59,3 +59,8 @@ netmgr_socket(location);
#Allow access to properties
set_prop(location, location_prop);
+
+#diag
+userdebug_or_eng(`
+ diag_use(location)
+')
diff --git a/common/location_app.te b/common/location_app.te
index 3fe928a7..799bc4d8 100644
--- a/common/location_app.te
+++ b/common/location_app.te
@@ -9,6 +9,7 @@ userdebug_or_eng(`
net_domain(location_app)
allow location_app { adbd su }:unix_stream_socket connectto;
allow location_app mediaserver_service:service_manager find;
+ diag_use(location_app)
')
allow location_app surfaceflinger_service:service_manager find;
diff --git a/common/mdtp.te b/common/mdtp.te
index 0d1e8511..c0f49e48 100644
--- a/common/mdtp.te
+++ b/common/mdtp.te
@@ -37,6 +37,7 @@ userdebug_or_eng(`
#Needed for kill(pid, 0) existance test
allow mdtpdaemon su:process signull;
allow mdtpdaemon self:capability kill;
+ diag_use(mdtpdaemon)
')
#Allow for transition from init domain to mdtpdaemon
diff --git a/common/mmi.te b/common/mmi.te
index 4ca0abc6..05a00828 100755
--- a/common/mmi.te
+++ b/common/mmi.te
@@ -115,4 +115,8 @@ unix_socket_connect(mmi, netmgrd, netmgrd);
net_domain(mmi);
#allow mmi access boot mode switch
-allow mmi boot_mode_prop:property_service set;
\ No newline at end of file
+allow mmi boot_mode_prop:property_service set;
+#diag
+userdebug_or_eng(`
+ diag_use(mmi)
+')
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 052b464e..73349c12 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -6,6 +6,7 @@ init_daemon_domain(netmgrd)
userdebug_or_eng(`
domain_auto_trans(shell, netmgrd_exec, netmgrd)
domain_auto_trans(adbd, netmgrd_exec, netmgrd)
+ diag_use(netmgrd)
')
#Allow files to be written during the operation of netmgrd
diff --git a/common/port-bridge.te b/common/port-bridge.te
index 8a74d497..83c993cd 100644
--- a/common/port-bridge.te
+++ b/common/port-bridge.te
@@ -5,6 +5,7 @@ init_daemon_domain(port-bridge)
userdebug_or_eng(`
domain_auto_trans(shell, port-bridge_exec, netmgrd)
domain_auto_trans(adbd, port-bridge_exec, netmgrd)
+ diag_use(port-bridge)
')
# Allow operations on different types of sockets
diff --git a/common/qcomsysd.te b/common/qcomsysd.te
index 01e224c2..2dbd2cbc 100644
--- a/common/qcomsysd.te
+++ b/common/qcomsysd.te
@@ -23,3 +23,8 @@ allow qcomsysd self:capability { dac_override sys_boot };
use_per_mgr(qcomsysd);
#allow qcomsysd access boot mode switch
allow qcomsysd boot_mode_prop:property_service set;
+
+#diag
+userdebug_or_eng(`
+ diag_use(qcomsysd)
+')
diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te
index ccd60240..f7ddb32f 100644
--- a/common/qfp-daemon.te
+++ b/common/qfp-daemon.te
@@ -66,3 +66,8 @@ allow qfp-daemon sensors:unix_stream_socket connectto;
# Allow listing input devices and sending input events
allow qfp-daemon input_device:chr_file rw_file_perms;
allow qfp-daemon input_device:dir r_dir_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(qfp-daemon)
+')
diff --git a/common/qlogd.te b/common/qlogd.te
index ed51cddd..4740e58b 100644
--- a/common/qlogd.te
+++ b/common/qlogd.te
@@ -50,6 +50,7 @@ userdebug_or_eng(`
allow qlogd sysfs:file w_file_perms;
r_dir_file(qlogd, storage_file)
r_dir_file(qlogd, mnt_user_file)
+ diag_use(qlogd)
')
# need for capture adb logs
diff --git a/common/qti-logkit.te b/common/qti-logkit.te
index db03c406..b1f9d552 100644
--- a/common/qti-logkit.te
+++ b/common/qti-logkit.te
@@ -64,6 +64,7 @@ userdebug_or_eng(`
# tcpdump
allow qti_logkit self:packet_socket create_socket_perms;
allow qti_logkit self:capability net_raw;
+ diag_use(qti_logkit)
')
binder_use(qti_logkit)
diff --git a/common/qti.te b/common/qti.te
index 5b4827e4..921f083e 100644
--- a/common/qti.te
+++ b/common/qti.te
@@ -28,3 +28,8 @@ allow qti self:{
} create_socket_perms;
allow qti { shell_exec system_file }:file rx_file_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(qti)
+')
diff --git a/common/radio.te b/common/radio.te
index 4010500c..fcec958d 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -15,3 +15,7 @@ allow radio uce_service:service_manager { add find };
allow radio self:socket create_socket_perms;
allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;
+#diag
+userdebug_or_eng(`
+ diag_use(radio)
+')
diff --git a/common/rild.te b/common/rild.te
index 62668a21..6d1fe057 100644
--- a/common/rild.te
+++ b/common/rild.te
@@ -30,3 +30,8 @@ allow rild { mediaserver_service audioserver_service }:service_manager find;
# Rule for RILD to talk to peripheral manager
use_per_mgr(rild);
+
+#diag
+userdebug_or_eng(`
+ diag_use(rild)
+')
diff --git a/common/sensors.te b/common/sensors.te
index 9e3cbdb4..3039434b 100644
--- a/common/sensors.te
+++ b/common/sensors.te
@@ -58,6 +58,7 @@ allow sensors device_latency:chr_file w_file_perms;
# Access to tests from userdebug/eng builds
userdebug_or_eng(`
domain_auto_trans(shell, sensors_exec, sensors)
+ diag_use(sensors)
')
binder_use(sensors)
diff --git a/common/ssr_diag.te b/common/ssr_diag.te
index 956d0b01..f04ab537 100755
--- a/common/ssr_diag.te
+++ b/common/ssr_diag.te
@@ -4,4 +4,5 @@ init_daemon_domain(ssr_diag);
userdebug_or_eng(`
allow ssr_diag sysfs:file w_file_perms;
+ diag_use(ssr_diag)
')
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 9baa3a04..0a8ae6de 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -37,3 +37,7 @@ binder_call(surfaceflinger, mmi)
#Allow access to cameraserver service
allow surfaceflinger cameraserver_service:service_manager find;
+#diag
+userdebug_or_eng(`
+ diag_use(surfaceflinger)
+')
diff --git a/common/system_app.te b/common/system_app.te
index fdfa00b3..255e5664 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -63,6 +63,7 @@ userdebug_or_eng(`
# Access to tombstone segfaults
allow system_app tombstone_data_file:dir r_dir_perms;
allow system_app tombstone_data_file:file r_file_perms;
+ diag_use(system_app)
')
allow system_app cnd_data_file:dir w_dir_perms;
diff --git a/common/system_server.te b/common/system_server.te
index 2d6c41be..0081be89 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -157,3 +157,6 @@ allow system_server system_file:system module_load;
allow system_server persist_alarm_file:dir rw_dir_perms;
allow system_server persist_alarm_file:file { rw_file_perms create };
+userdebug_or_eng(`
+ diag_use(system_server)
+')
diff --git a/common/te_macros b/common/te_macros
index e232bb5a..4fd7b62b 100644
--- a/common/te_macros
+++ b/common/te_macros
@@ -53,3 +53,9 @@ allow dpmd $1:file r_file_perms;
allow dpmd $1:fd use;
allow dpmd $1:tcp_socket rw_socket_perms;
')
+#####################################
+# diag_use(clientdomain)
+# allow clientdomain to read/write to diag
+define(`diag_use', `
+allow $1 diag_device:chr_file rw_file_perms;
+')
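Review bot: The new `diag_use` macro grants `rw_file_perms` on `diag_device:chr_file` unconditionally, so the restriction this commit is about rests entirely on every call site being wrapped in `userdebug_or_eng`; once the blanket `allow { domain -untrusted_app } diag_device:chr_file rw_file_perms;` is removed from domain.te, nothing in the policy enforces that contract and a future unguarded call compiles silently. I would state the contract in the header comment, e.g. `# callers must wrap this in userdebug_or_eng(); diag must stay closed on user builds`, and pin the one invariant the removed rule already expressed with a `neverallow untrusted_app diag_device:chr_file *;` either next to this definition or in domain.te, so the compiler rejects a regression. The comment's "read/write" also understates `rw_file_perms`, which in the AOSP global macros includes `open`, `getattr` and `ioctl` as well (the ioctl path is what diag clients actually use), so naming the permission set in the comment would be more accurate.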
diff --git a/common/thermal-engine.te b/common/thermal-engine.te
index ac9db22e..b347958f 100644
--- a/common/thermal-engine.te
+++ b/common/thermal-engine.te
@@ -48,3 +48,7 @@ unix_socket_connect(thermal-engine, mpctl, mpdecision)
#This is to allow access to uio device
allow thermal-engine uio_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`
+ diag_use(thermal-engine)
+')
diff --git a/common/time_daemon.te b/common/time_daemon.te
index 7598ab83..20d9dbf5 100644
--- a/common/time_daemon.te
+++ b/common/time_daemon.te
@@ -22,3 +22,7 @@ allow time_daemon persist_time_file:dir w_dir_perms;
allow time_daemon persist_file:dir search;
r_dir_file(time_daemon, sysfs_esoc);
+
+userdebug_or_eng(`
+ diag_use(time_daemon)
+')
diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te
index 9e811456..7d84a76e 100644
--- a/common/wcnss_filter.te
+++ b/common/wcnss_filter.te
@@ -49,3 +49,8 @@ r_dir_file(wcnss_filter, bt_firmware_file)
# Data file accesses.
allow wcnss_filter bluetooth_data_file:dir create_dir_perms;
allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(wcnss_filter)
+')
diff --git a/common/wcnss_service.te b/common/wcnss_service.te
index 0ceec433..05b31d40 100644
--- a/common/wcnss_service.te
+++ b/common/wcnss_service.te
@@ -48,7 +48,8 @@ allow wcnss_service dynamic_nv_data_file:dir r_dir_perms;
# This is needed for ptt_socket app to write logs file collected to sdcard
r_dir_file(wcnss_service, storage_file)
r_dir_file(wcnss_service, mnt_user_file)
+diag_use(wcnss_service)
')
binder_use(wcnss_service)
-use_per_mgr(wcnss_service)
\ No newline at end of file
+use_per_mgr(wcnss_service)
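Review bot: `diag_use(wcnss_service)` is the only call in this commit placed at column 0 inside a quoted macro block whose other lines are indented (compare `r_dir_file(wcnss_service, mnt_user_file)` directly above it); indent it to match. The opening `userdebug_or_eng(`` of that block lies outside the hunk, so the diff alone does not show that this grant is build-variant guarded; if the enclosing macro is something else, wcnss_service would keep diag access on user builds, contrary to the commit title, and that deserves a check against the full file. The sibling wcnss_filter.te hunk, by contrast, adds an explicitly guarded block of its own.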
diff --git a/test/qti-testscripts.te b/test/qti-testscripts.te
index 380af29f..4d3eadfd 100644
--- a/test/qti-testscripts.te
+++ b/test/qti-testscripts.te
@@ -78,5 +78,5 @@ userdebug_or_eng(`
binder_call({ domain -init -netd }, qti-testscripts)
allow domain qti-testscripts:fifo_file { write getattr };
allow domain qti-testscripts:process sigchld;
-
+ diag_use(radio)
')
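Review bot: `diag_use(radio)` is added to test/qti-testscripts.te, whose surrounding rules concern the qti-testscripts domain, while radio.te in this same commit already grants `diag_use(radio)` under `userdebug_or_eng`. The rule is redundant here and hides a grant to the radio domain in an unrelated test policy file, where a later tightening of radio.te would miss it; I would drop the `diag_use(radio)` line and keep the radio grant in radio.te only. The enclosing `userdebug_or_eng(`` block begins outside the hunk.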