14.1: fix maguro denials

This commit is contained in:
Tad 2019-02-09 14:47:55 -05:00
parent a7a4e869fd
commit ffabfb3616
5 changed files with 160 additions and 0 deletions

View File

@ -0,0 +1,39 @@
From 3030156fc1e0e69e5fad36fb374a8eb19fed8875 Mon Sep 17 00:00:00 2001
From: nailyk-fr <nailyk_git@nailyk.fr>
Date: Sat, 12 Aug 2017 18:46:10 +0200
Subject: [PATCH] tuna: twrp: Add necessary policy for twrp decrypt
Change-Id: I7fab77518718961ca55f29c5263a43e69efc73ca
---
sepolicy/recovery.te | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index dca66805..0d30c0d7 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -40,3 +40,24 @@ allow recovery { efs_file radio_efs_file bluetooth_efs_file }:file { getattr ope
# For rebooting in tunasetup
allow recovery powerctl_prop:property_service set;
+
+# For decryption
+allow recovery tee_device:chr_file { ioctl open read write };
+#============= healthd ==============
+allow healthd device:dir write;
+
+#============= init ==============
+allow init ashmem_device:chr_file execute;
+allow init block_device:blk_file write;
+allow init graphics_device:chr_file { ioctl write };
+allow init init_tmpfs:file append;
+allow init input_device:chr_file ioctl;
+allow init property_socket:sock_file write;
+allow init self:process execmem;
+allow init tee_device:chr_file rw_file_perms;
+
+
+allow init unlabeled:dir search;
+allow init tee_file:dir rw_dir_perms;
+allow init tee_file:file create_file_perms;
+allow init labeledfs:filesystem associate;

View File

@ -0,0 +1,37 @@
From b9219da6cc3efc4cce9ef39a2d570990fd68cf11 Mon Sep 17 00:00:00 2001
From: nailyk-fr <nailyk_git@nailyk.fr>
Date: Sun, 13 Aug 2017 20:31:53 +0200
Subject: [PATCH] Tuna: Sepolicy: Add tee-fs permissions
* Tee-fs-setup is launched as recovery context.
* Those rules are needed because of toybox android
move.
* This is mandatory for encryption as this script
init /tee then start TEE services.
* Denials details:
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/sh" dev=mmcblk0p10 ino=385 scontext=u:r:recovery:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute } for pid=128 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for pid=131 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for pid=131 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
Change-Id: I559f15713c7893b97c7e33f421ff19d606814fb1
---
sepolicy/recovery.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 0d30c0d7..f1047b45 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -43,6 +43,9 @@ allow recovery powerctl_prop:property_service set;
# For decryption
allow recovery tee_device:chr_file { ioctl open read write };
+allow recovery shell_exec:file getattr;
+allow recovery toolbox_exec:file { execute execute_no_trans getattr open read };
+
#============= healthd ==============
allow healthd device:dir write;

View File

@ -0,0 +1,52 @@
From 03320366719016a58225cf2dcf428d9ff04f9039 Mon Sep 17 00:00:00 2001
From: nailyk-fr <nailyk_git@nailyk.fr>
Date: Sun, 13 Aug 2017 20:51:06 +0200
Subject: [PATCH] Tuna: Sepolicy: Label metadata partition
* Label metadata partition to allow vold
accessing it for decryption.
* Wihtout this patchs:
avc: denied { read write } for pid=166 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
who cannot be allowed due to never allow
into system wide policies.
Change-Id: I577794a7298fcd105392699466661a7bd85a6218
---
sepolicy/file_contexts | 2 ++
sepolicy/vold.te | 1 +
2 files changed, 3 insertions(+)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 1225c878..efd06764 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -46,11 +46,13 @@
# Block devices
/dev/block/mmcblk0 u:object_r:root_block_device:s0
/dev/block/mmcblk0p9 u:object_r:radio_device:s0
+/dev/block/mmcblk0p13 u:object_r:metadata_block_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/metadata u:object_r:metadata_block_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/param u:object_r:radio_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
/dev/block/platform/omap/omap_hsmmc.0/by-name/dgs u:object_r:tee_block_device:s0
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 9ba84692..313104b5 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,5 +1,6 @@
# vold
allow vold efs_file:dir { getattr read open ioctl };
+allow vold metadata_block_device:blk_file { read write };
# For 'aes-*' module requests.
allow vold kernel:system module_request;

View File

@ -0,0 +1,24 @@
From b50670cc845167011e16af63fcda74887f03c8ba Mon Sep 17 00:00:00 2001
From: nailyk-fr <nailyk_git@nailyk.fr>
Date: Sun, 13 Aug 2017 20:54:18 +0200
Subject: [PATCH] Tuna: Sepolicy: Solve mediacodec denial
avc: denied { read write } for pid=1180 comm="mediacodec" name="rpmsg-omx1" dev=tmpfs ino=4913 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
avc: denied { read } for pid=1195 comm="Binder:1180_1" name="rproc_user" dev=tmpfs ino=4631 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
avc: denied { open } for pid=177 comm="mediacodec" name="rpmsg-omx1" dev=tmpfs ino=4940 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
avc: denied { ioctl } for pid=1227 comm="Binder:1198_1" path="/dev/rpmsg-omx1" dev="tmpfs" ino=4978 ioctlcmd=5801 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
Change-Id: Ibd6674b3bbf245605b79c6d97ff6ed0d31715870
---
sepolicy/mediacodec.te | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 sepolicy/mediacodec.te
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 00000000..711a2047
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1,2 @@
+#============= mediacodec ==============
+allow mediacodec rpmsg_device:chr_file { read write open ioctl };

View File

@ -223,6 +223,14 @@ sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.
enterAndClear "device/samsung/tuna"; enterAndClear "device/samsung/tuna";
rm setup-makefiles.sh; #broken, deblobber will still function rm setup-makefiles.sh; #broken, deblobber will still function
sed -i 's/arm-eabi-4.7/arm-eabi-4.8/' BoardConfig.mk; #fix toolchain sed -i 's/arm-eabi-4.7/arm-eabi-4.8/' BoardConfig.mk; #fix toolchain
#See: https://review.lineageos.org/q/topic:%22tuna-sepolicies and https://gerrit.nailyk.fr/#/q/project:android_device_samsung_tuna+branch:cm-14.1
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0001-fix_denial.patch";
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0002-fix_denial.patch";
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0003-fix_denial.patch";
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0004-fix_denial.patch";
echo "allow rild system_file:file execmod;" >> sepolicy/rild.te;
echo "allow rild toolbox_exec:file getattr;" >> sepolicy/rild.te;
enter "vendor/google"; enter "vendor/google";
echo "" > atv/atv-common.mk; echo "" > atv/atv-common.mk;