DivestOS/Patches/LineageOS-14.1/android_device_samsung_tuna/0002-fix_denial.patch

38 lines
2.0 KiB
Diff
Raw Normal View History

2019-02-09 14:47:55 -05:00
From b9219da6cc3efc4cce9ef39a2d570990fd68cf11 Mon Sep 17 00:00:00 2001
From: nailyk-fr <nailyk_git@nailyk.fr>
Date: Sun, 13 Aug 2017 20:31:53 +0200
Subject: [PATCH] Tuna: Sepolicy: Add tee-fs permissions
* Tee-fs-setup is launched as recovery context.
* Those rules are needed because of toybox android
move.
* This is mandatory for encryption as this script
init /tee then start TEE services.
* Denials details:
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/sh" dev=mmcblk0p10 ino=385 scontext=u:r:recovery:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute } for pid=128 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for pid=131 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for pid=131 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
Change-Id: I559f15713c7893b97c7e33f421ff19d606814fb1
---
sepolicy/recovery.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 0d30c0d7..f1047b45 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -43,6 +43,9 @@ allow recovery powerctl_prop:property_service set;
# For decryption
allow recovery tee_device:chr_file { ioctl open read write };
+allow recovery shell_exec:file getattr;
+allow recovery toolbox_exec:file { execute execute_no_trans getattr open read };
+
#============= healthd ==============
allow healthd device:dir write;