14.1: fix maguro denials
parent
a7a4e869fd
commit
ffabfb3616
@ -0,0 +1,39 @@
|
|||||||
|
From 3030156fc1e0e69e5fad36fb374a8eb19fed8875 Mon Sep 17 00:00:00 2001
|
||||||
|
From: nailyk-fr <nailyk_git@nailyk.fr>
|
||||||
|
Date: Sat, 12 Aug 2017 18:46:10 +0200
|
||||||
|
Subject: [PATCH] tuna: twrp: Add necessary policy for twrp decrypt
|
||||||
|
|
||||||
|
Change-Id: I7fab77518718961ca55f29c5263a43e69efc73ca
|
||||||
|
---
|
||||||
|
sepolicy/recovery.te | 21 +++++++++++++++++++++
|
||||||
|
1 file changed, 21 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
|
||||||
|
index dca66805..0d30c0d7 100644
|
||||||
|
--- a/sepolicy/recovery.te
|
||||||
|
+++ b/sepolicy/recovery.te
|
||||||
|
@@ -40,3 +40,24 @@ allow recovery { efs_file radio_efs_file bluetooth_efs_file }:file { getattr ope
|
||||||
|
|
||||||
|
# For rebooting in tunasetup
|
||||||
|
allow recovery powerctl_prop:property_service set;
|
||||||
|
+
|
||||||
|
+# For decryption
|
||||||
|
+allow recovery tee_device:chr_file { ioctl open read write };
|
||||||
|
+#============= healthd ==============
|
||||||
|
+allow healthd device:dir write;
|
||||||
|
+
|
||||||
|
+#============= init ==============
|
||||||
|
+allow init ashmem_device:chr_file execute;
|
||||||
|
+allow init block_device:blk_file write;
|
||||||
|
+allow init graphics_device:chr_file { ioctl write };
|
||||||
|
+allow init init_tmpfs:file append;
|
||||||
|
+allow init input_device:chr_file ioctl;
|
||||||
|
+allow init property_socket:sock_file write;
|
||||||
|
+allow init self:process execmem;
|
||||||
|
+allow init tee_device:chr_file rw_file_perms;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+allow init unlabeled:dir search;
|
||||||
|
+allow init tee_file:dir rw_dir_perms;
|
||||||
|
+allow init tee_file:file create_file_perms;
|
||||||
|
+allow init labeledfs:filesystem associate;
|
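Review bot: The init rules in this new patch (`allow init block_device:blk_file write;`, `allow init self:process execmem;`, `allow init ashmem_device:chr_file execute;`, `allow init unlabeled:dir search;`) are far broader than the recovery rule they sit under, and the only explanatory comment, `# For decryption`, covers just the tee_device line; the `#============= healthd ==============` / `#============= init ==============` banners show this is pasted audit2allow output. Generic `block_device` write lets recovery's init write any block node that has no specific label, whereas the rest of this device policy labels partitions individually (for example `tee_block_device` in file_contexts), so a dedicated type for the partition init actually touches would keep the rule narrow. execmem and execute on a character device are the kind of permission the platform policy normally forbids through neverallow, so presumably only the recovery policy build accepts them; a comment recording that would save the next reader from re-deriving it. Suggested header above the init block: `# Recovery-only init rules (audit2allow, TWRP decrypt); block_device write should be narrowed to the partition actually used`.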
@ -0,0 +1,37 @@
|
|||||||
|
From b9219da6cc3efc4cce9ef39a2d570990fd68cf11 Mon Sep 17 00:00:00 2001
|
||||||
|
From: nailyk-fr <nailyk_git@nailyk.fr>
|
||||||
|
Date: Sun, 13 Aug 2017 20:31:53 +0200
|
||||||
|
Subject: [PATCH] Tuna: Sepolicy: Add tee-fs permissions
|
||||||
|
|
||||||
|
* Tee-fs-setup is launched as recovery context.
|
||||||
|
* Those rules are needed because of toybox android
|
||||||
|
move.
|
||||||
|
* This is mandatory for encryption as this script
|
||||||
|
init /tee then start TEE services.
|
||||||
|
|
||||||
|
* Denials details:
|
||||||
|
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/sh" dev=mmcblk0p10 ino=385 scontext=u:r:recovery:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
|
||||||
|
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
||||||
|
avc: denied { execute } for pid=128 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
||||||
|
avc: denied { read open } for pid=131 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
||||||
|
avc: denied { execute_no_trans } for pid=131 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
||||||
|
|
||||||
|
Change-Id: I559f15713c7893b97c7e33f421ff19d606814fb1
|
||||||
|
---
|
||||||
|
sepolicy/recovery.te | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
|
||||||
|
index 0d30c0d7..f1047b45 100644
|
||||||
|
--- a/sepolicy/recovery.te
|
||||||
|
+++ b/sepolicy/recovery.te
|
||||||
|
@@ -43,6 +43,9 @@ allow recovery powerctl_prop:property_service set;
|
||||||
|
|
||||||
|
# For decryption
|
||||||
|
allow recovery tee_device:chr_file { ioctl open read write };
|
||||||
|
+allow recovery shell_exec:file getattr;
|
||||||
|
+allow recovery toolbox_exec:file { execute execute_no_trans getattr open read };
|
||||||
|
+
|
||||||
|
#============= healthd ==============
|
||||||
|
allow healthd device:dir write;
|
||||||
|
|
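Review bot: The denials behind `allow recovery toolbox_exec:file { execute execute_no_trans getattr open read };` were all captured with `permissive=1`, so the set reflects what tee-fs-setup.sh did in one run rather than everything it may need, and `execute_no_trans` keeps toybox running inside the recovery domain with all of recovery's permissions. The two new rules carry no comment in recovery.te; the rationale lives only in the commit message embedded in this patch file. A one-liner above them, `# tee-fs-setup.sh runs as recovery and execs toybox without a domain transition`, would tie the rules to the script they serve. If that script needs only a few toybox applets, a dedicated domain for it would presumably be tighter than widening recovery further.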
@ -0,0 +1,52 @@
|
|||||||
|
From 03320366719016a58225cf2dcf428d9ff04f9039 Mon Sep 17 00:00:00 2001
|
||||||
|
From: nailyk-fr <nailyk_git@nailyk.fr>
|
||||||
|
Date: Sun, 13 Aug 2017 20:51:06 +0200
|
||||||
|
Subject: [PATCH] Tuna: Sepolicy: Label metadata partition
|
||||||
|
|
||||||
|
* Label metadata partition to allow vold
|
||||||
|
accessing it for decryption.
|
||||||
|
|
||||||
|
* Wihtout this patchs:
|
||||||
|
avc: denied { read write } for pid=166 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
|
||||||
|
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
|
||||||
|
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
|
||||||
|
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
|
||||||
|
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
|
||||||
|
who cannot be allowed due to never allow
|
||||||
|
into system wide policies.
|
||||||
|
|
||||||
|
Change-Id: I577794a7298fcd105392699466661a7bd85a6218
|
||||||
|
---
|
||||||
|
sepolicy/file_contexts | 2 ++
|
||||||
|
sepolicy/vold.te | 1 +
|
||||||
|
2 files changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
|
||||||
|
index 1225c878..efd06764 100644
|
||||||
|
--- a/sepolicy/file_contexts
|
||||||
|
+++ b/sepolicy/file_contexts
|
||||||
|
@@ -46,11 +46,13 @@
|
||||||
|
# Block devices
|
||||||
|
/dev/block/mmcblk0 u:object_r:root_block_device:s0
|
||||||
|
/dev/block/mmcblk0p9 u:object_r:radio_device:s0
|
||||||
|
+/dev/block/mmcblk0p13 u:object_r:metadata_block_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/boot u:object_r:boot_block_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/recovery u:object_r:recovery_block_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/cache u:object_r:cache_block_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/system u:object_r:system_block_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata u:object_r:userdata_block_device:s0
|
||||||
|
+/dev/block/platform/omap/omap_hsmmc.0/by-name/metadata u:object_r:metadata_block_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/param u:object_r:radio_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
|
||||||
|
/dev/block/platform/omap/omap_hsmmc.0/by-name/dgs u:object_r:tee_block_device:s0
|
||||||
|
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
|
||||||
|
index 9ba84692..313104b5 100644
|
||||||
|
--- a/sepolicy/vold.te
|
||||||
|
+++ b/sepolicy/vold.te
|
||||||
|
@@ -1,5 +1,6 @@
|
||||||
|
# vold
|
||||||
|
allow vold efs_file:dir { getattr read open ioctl };
|
||||||
|
+allow vold metadata_block_device:blk_file { read write };
|
||||||
|
|
||||||
|
# For 'aes-*' module requests.
|
||||||
|
allow vold kernel:system module_request;
|
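Review bot: `allow vold metadata_block_device:blk_file { read write };` was derived from denials logged with `permissive=0`, where only the first refused permission is reported per access, so `open` (and possibly `ioctl`) is likely to surface as the next denial once read/write is granted; the platform convention for a vold-owned partition is `allow vold metadata_block_device:blk_file rw_file_perms;`, unless the base vold policy already grants it, which I cannot see from here. In file_contexts the same partition is labeled twice, by raw node `/dev/block/mmcblk0p13` and by the by-name path; the by-name entry is the one that stays correct if partition numbering ever shifts, so the hard-coded entry deserves a trailing comment naming the partition (e.g. `# metadata, same device as by-name/metadata`) so the two can be checked against each other. The commit message's reason for a new label ("cannot be allowed due to never allow into system wide policies") belongs as a comment beside the vold rule as well.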
@ -0,0 +1,24 @@
|
|||||||
|
From b50670cc845167011e16af63fcda74887f03c8ba Mon Sep 17 00:00:00 2001
|
||||||
|
From: nailyk-fr <nailyk_git@nailyk.fr>
|
||||||
|
Date: Sun, 13 Aug 2017 20:54:18 +0200
|
||||||
|
Subject: [PATCH] Tuna: Sepolicy: Solve mediacodec denial
|
||||||
|
|
||||||
|
avc: denied { read write } for pid=1180 comm="mediacodec" name="rpmsg-omx1" dev=tmpfs ino=4913 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
|
||||||
|
avc: denied { read } for pid=1195 comm="Binder:1180_1" name="rproc_user" dev=tmpfs ino=4631 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
|
||||||
|
avc: denied { open } for pid=177 comm="mediacodec" name="rpmsg-omx1" dev=tmpfs ino=4940 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
|
||||||
|
avc: denied { ioctl } for pid=1227 comm="Binder:1198_1" path="/dev/rpmsg-omx1" dev="tmpfs" ino=4978 ioctlcmd=5801 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
|
||||||
|
|
||||||
|
Change-Id: Ibd6674b3bbf245605b79c6d97ff6ed0d31715870
|
||||||
|
---
|
||||||
|
sepolicy/mediacodec.te | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
create mode 100644 sepolicy/mediacodec.te
|
||||||
|
|
||||||
|
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..711a2047
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/sepolicy/mediacodec.te
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+#============= mediacodec ==============
|
||||||
|
+allow mediacodec rpmsg_device:chr_file { read write open ioctl };
|
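Review bot: `allow mediacodec rpmsg_device:chr_file { read write open ioctl };` grants every ioctl on the rpmsg nodes, while the logged denial names a single command, `ioctlcmd=5801`. Android 7.1 policy supports ioctl allow-listing with `allowxperm mediacodec rpmsg_device:chr_file ioctl { 0x5801 };` placed after the allow rule, provided the tuna kernel's SELinux implements extended permissions, which I cannot verify from here; if it does not, a comment recording the observed command still documents the expected surface. These denials were collected with `permissive=0`, so further permissions or commands may appear once this rule is active. A header above the rule such as `# rpmsg nodes rpmsg-omx1 and rproc_user used by mediacodec; observed ioctl 0x5801` would tie the new file to the devices named in the log.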
@ -223,6 +223,14 @@ sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.
|
|||||||
enterAndClear "device/samsung/tuna";
|
enterAndClear "device/samsung/tuna";
|
||||||
rm setup-makefiles.sh; #broken, deblobber will still function
|
rm setup-makefiles.sh; #broken, deblobber will still function
|
||||||
sed -i 's/arm-eabi-4.7/arm-eabi-4.8/' BoardConfig.mk; #fix toolchain
|
sed -i 's/arm-eabi-4.7/arm-eabi-4.8/' BoardConfig.mk; #fix toolchain
|
||||||
|
#See: https://review.lineageos.org/q/topic:%22tuna-sepolicies and https://gerrit.nailyk.fr/#/q/project:android_device_samsung_tuna+branch:cm-14.1
|
||||||
|
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0001-fix_denial.patch";
|
||||||
|
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0002-fix_denial.patch";
|
||||||
|
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0003-fix_denial.patch";
|
||||||
|
patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0004-fix_denial.patch";
|
||||||
|
echo "allow rild system_file:file execmod;" >> sepolicy/rild.te;
|
||||||
|
echo "allow rild toolbox_exec:file getattr;" >> sepolicy/rild.te;
|
||||||
|
|
||||||
|
|
||||||
enter "vendor/google";
|
enter "vendor/google";
|
||||||
echo "" > atv/atv-common.mk;
|
echo "" > atv/atv-common.mk;
|
||||||
|
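Review bot: The four `patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/000N-fix_denial.patch";` lines and the two `echo ... >> sepolicy/rild.te;` lines have no failure handling: if a patch rejects (an upstream change to recovery.te would do it), the script carries on and appends the rild rules to a half-patched policy, unless this script runs under `set -e` or `patch` is a wrapper that aborts, neither of which is visible in the hunk. `allow rild system_file:file execmod;` relaxes W^X for the radio interface daemon, which parses baseband input, and unlike the patch files this commit adds it records no denial or reason; a trailing comment in the style of the neighbouring `#fix toolchain`, e.g. `#execmod: presumably a text relocation in a prebuilt RIL library, see the avc denial in the build log`, would keep the justification next to the rule. The enclosing script continues outside the hunk.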