From b9219da6cc3efc4cce9ef39a2d570990fd68cf11 Mon Sep 17 00:00:00 2001 From: nailyk-fr Date: Sun, 13 Aug 2017 20:31:53 +0200 Subject: [PATCH] Tuna: Sepolicy: Add tee-fs permissions * Tee-fs-setup is launched as recovery context. * Those rules are needed because of toybox android move. * This is mandatory for encryption as this script init /tee then start TEE services. * Denials details: avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/sh" dev=mmcblk0p10 ino=385 scontext=u:r:recovery:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1 avc: denied { execute } for pid=128 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1 avc: denied { read open } for pid=131 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1 avc: denied { execute_no_trans } for pid=131 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1 Change-Id: I559f15713c7893b97c7e33f421ff19d606814fb1 --- sepolicy/recovery.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te index 0d30c0d7..f1047b45 100644 --- a/sepolicy/recovery.te +++ b/sepolicy/recovery.te @@ -43,6 +43,9 @@ allow recovery powerctl_prop:property_service set; # For decryption allow recovery tee_device:chr_file { ioctl open read write }; +allow recovery shell_exec:file getattr; +allow recovery toolbox_exec:file { execute execute_no_trans getattr open read }; + #============= healthd ============== allow healthd device:dir write;