From 513a0c7562b5f15852090cf4ba3b9e4321e03102 Mon Sep 17 00:00:00 2001 From: Sashko Date: Sun, 3 Nov 2019 01:47:42 +0200 Subject: [PATCH] sepolicy: Resolve init denials * denied { setattr } for name=state dev=sysfs ino=9120 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_bluetooth_writable:s0 tclass=file permissive=1 * denied { setattr } for name=hpd dev=sysfs ino=11773 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_surfaceflinger:s0 tclass=file permissive=1 * denied { setattr } for pid=1 comm=init name=firmware_path dev=sysfs ino=5881 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=1 * denied { setattr } for name=file dev=sysfs ino=15720 scontext=u:r:init:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 * denied { write } for name=boot dev=sysfs ino=8899 scontext=u:r:init:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 * denied { open } for name=boot dev=sysfs ino=8899 scontext=u:r:init:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Change-Id: I2f35267ea74a5646bb423192162752e44aa51064 --- sepolicy/file.te | 5 +++++ sepolicy/file_contexts | 23 ++++++++++++++++++++++- sepolicy/init.te | 17 +++++++++++++++++ 3 files changed, 44 insertions(+), 1 deletion(-) diff --git a/sepolicy/file.te b/sepolicy/file.te index 34eb6229..0c1a3820 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -26,3 +26,8 @@ type sysfs_mpdecision, fs_type, sysfs_type; type sysfs_surfaceflinger, fs_type, sysfs_type; type sysfs_smdcntl_open_timeout, fs_type, sysfs_type; type sysfs_soc, fs_type, sysfs_type; +type sysfs_adsp, fs_type, sysfs_type; +type sysfs_thermal_control, fs_type, sysfs_type; +type sysfs_ssr_toggle, fs_type, sysfs_type; +type sysfs_ramdump, fs_type, sysfs_type; +type sysfs_irq, fs_type, sysfs_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 7cb352a2..602f1753 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -162,11 +162,32 @@ #sysfs - net /sys/devices/virtual/net(/.*)? u:object_r:sysfs_net:s0 +/sys/devices/mdp\.0/qcom,mdss_fb_primary.160/leds/lcd-backlight/brightness u:object_r:sysfs_leds:s0 +/sys/devices/leds-qpnp-23/leds(/.*)? u:object_r:sysfs_leds:s0 + +/sys/kernel/boot_adsp/boot u:object_r:sysfs_adsp:s0 + +/sys/module/msm_thermal/core_control/enabled u:object_r:sysfs_thermal_control:s0 + +/sys/devices/fe200000\.qcom,lpass/subsys[0-2]/restart_level u:object_r:sysfs_ssr_toggle:s0 +/sys/devices/fc880000\.qcom,mss/subsys[0-2]/restart_level u:object_r:sysfs_ssr_toggle:s0 +/sys/devices/fdce0000\.qcom,venus/subsys[0-2]/restart_level u:object_r:sysfs_ssr_toggle:s0 + +/sys/module/subsystem_restart/parameters/enable_ramdumps u:object_r:sysfs_ramdump:s0 + +/sys/devices/msm_dwc3/f9200000\.dwc3/gadget/lun[0-9]+(/.*)? u:object_r:sysfs_android_usb:s0 + # Sysfs files used by qmuxd /sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0 # Bluetooth -/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0 + +/sys/module/lpm_resources/enable_low_power(/.*)? u:object_r:sysfs_mpdecision:s0 + +/sys/module/slimport/parameters/enable_irq u:object_r:sysfs_irq:s0 +/sys/module/msm_show_resume_irq/parameters/debug_mask u:object_r:sysfs_irq:s0 # Thermal engine /dev/msm_thermal_query u:object_r:thermal_engine_device:s0 diff --git a/sepolicy/init.te b/sepolicy/init.te index 3aa81d1b..05a26d5b 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1 +1,18 @@ allow init tmpfs:lnk_file create_file_perms; + +allow init { + sysfs_bluetooth_writable + sysfs_leds + sysfs_surfaceflinger + sysfs_wlan_fwpath + }:file setattr; + +allow init { + sysfs_adsp + sysfs_devices_system_cpu + sysfs_mpdecision + sysfs_irq + sysfs_ramdump + sysfs_ssr_toggle + sysfs_thermal_control + }:file w_file_perms; \ No newline at end of file