From ca32a5f18f3707106b5eed66f7ee3de3c35ef239 Mon Sep 17 00:00:00 2001
From: iusmac
Date: Wed, 23 Mar 2022 22:47:28 +0800
Subject: [PATCH] sdm710-common: sepolicy: Adress IORap usap_pool denial

W FinalizerDaemon: type=1400 audit(0.0:532): avc: denied { getopt } for path="/dev/socket/usap_pool_primary" scontext=u:rradios0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket permissive=0
---
sepolicy/private/permissioncontroller_app.te | 1 +
sepolicy/private/untrusted_app.te | 1 +
sepolicy/vendor/platform_app.te | 2 +-
sepolicy/vendor/priv_app.te | 2 +-
sepolicy/vendor/radio.te | 1 +
sepolicy/vendor/shell.te | 1 +
sepolicy/vendor/timeservice_app.te | 1 +
sepolicy/vendor/traceur_app.te | 1 +
sepolicy/vendor/untrusted_app_27.te | 2 +-
sepolicy/vendor/untrusted_app_29.te | 1 +
sepolicy/vendor/untrusted_app_30.te | 1 +
11 files changed, 11 insertions(+), 3 deletions(-)
create mode 100644 sepolicy/private/permissioncontroller_app.te
create mode 100644 sepolicy/private/untrusted_app.te
create mode 100644 sepolicy/vendor/radio.te
create mode 100644 sepolicy/vendor/shell.te
create mode 100644 sepolicy/vendor/timeservice_app.te
create mode 100644 sepolicy/vendor/traceur_app.te
create mode 100644 sepolicy/vendor/untrusted_app_29.te
create mode 100644 sepolicy/vendor/untrusted_app_30.te
diff --git a/sepolicy/private/permissioncontroller_app.te b/sepolicy/private/permissioncontroller_app.te
new file mode 100644
index 0000000..930c619
--- /dev/null
+++ b/sepolicy/private/permissioncontroller_app.te
@@ -0,0 +1 @@
+allow permissioncontroller_app zygote:unix_stream_socket getopt;
diff --git a/sepolicy/private/untrusted_app.te b/sepolicy/private/untrusted_app.te
new file mode 100644
index 0000000..5afdd3f
--- /dev/null
+++ b/sepolicy/private/untrusted_app.te
@@ -0,0 +1 @@
+allow untrusted_app zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
index 147993c..5fadd84 100644
--- a/sepolicy/vendor/platform_app.te
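Review bot: The new `allow permissioncontroller_app zygote:unix_stream_socket getopt;` rule has no matching denial in the commit message, which quotes a single avc line whose scontext (`u:rradios0`, apparently a garbled radio context) can account for only one of the source domains touched here. The same applies to the new rules for untrusted_app, shell, timeservice_app, traceur_app, untrusted_app_29 and untrusted_app_30. If the getopt call made from FinalizerDaemon is not needed for these apps to function, `dontaudit permissioncontroller_app zygote:unix_stream_socket getopt;` would quiet the log without widening what each domain may do on zygote's socket. Otherwise the denial actually observed for each domain should be recorded in the commit message or as a comment next to the rule.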
+++ b/sepolicy/vendor/platform_app.te
@@ -1 +1 @@
-allow platform_app zygote:unix_stream_socket getopt;
\ No newline at end of file
+allow platform_app zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
index c091ed4..ce43251 100644
--- a/sepolicy/vendor/priv_app.te
+++ b/sepolicy/vendor/priv_app.te
@@ -1 +1 @@
-allow priv_app zygote:unix_stream_socket getopt;
\ No newline at end of file
+allow priv_app zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
new file mode 100644
index 0000000..3dc8d4b
--- /dev/null
+++ b/sepolicy/vendor/radio.te
@@ -0,0 +1 @@
+allow radio zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/shell.te b/sepolicy/vendor/shell.te
new file mode 100644
index 0000000..b70916c
--- /dev/null
+++ b/sepolicy/vendor/shell.te
@@ -0,0 +1 @@
+allow shell zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/timeservice_app.te b/sepolicy/vendor/timeservice_app.te
new file mode 100644
index 0000000..14475e2
--- /dev/null
+++ b/sepolicy/vendor/timeservice_app.te
@@ -0,0 +1 @@
+allow timeservice_app zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/traceur_app.te b/sepolicy/vendor/traceur_app.te
new file mode 100644
index 0000000..e0b427e
--- /dev/null
+++ b/sepolicy/vendor/traceur_app.te
@@ -0,0 +1 @@
+allow traceur_app zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/untrusted_app_27.te b/sepolicy/vendor/untrusted_app_27.te
index 3da57d1..3cfca29 100644
--- a/sepolicy/vendor/untrusted_app_27.te
+++ b/sepolicy/vendor/untrusted_app_27.te
@@ -1 +1 @@
-allow untrusted_app_27 zygote:unix_stream_socket { getopt };
\ No newline at end of file
+allow untrusted_app_27 zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/untrusted_app_29.te b/sepolicy/vendor/untrusted_app_29.te
new file mode 100644
index 0000000..11899ff
--- /dev/null
+++ b/sepolicy/vendor/untrusted_app_29.te
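Review bot: radio.te is created with a bare allow rule and no comment, although it looks like the one file the denial quoted in the commit message is meant to justify. A header above the rule such as `# FinalizerDaemon: getopt on /dev/socket/usap_pool_primary (zygote unix_stream_socket)` would let a later policy audit tell why the rule exists and when it can be dropped. The same comment would suit the rules added in shell.te, timeservice_app.te and traceur_app.te, which are otherwise indistinguishable from copy-paste.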
@@ -0,0 +1 @@
+allow untrusted_app_29 zygote:unix_stream_socket getopt;
diff --git a/sepolicy/vendor/untrusted_app_30.te b/sepolicy/vendor/untrusted_app_30.te
new file mode 100644
index 0000000..db20cb6
--- /dev/null
+++ b/sepolicy/vendor/untrusted_app_30.te
@@ -0,0 +1 @@
+allow untrusted_app_30 zygote:unix_stream_socket getopt;
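Review bot: untrusted_app_29.te and untrusted_app_30.te each add a whole file for one line that differs from the untrusted_app_27.te rule only in the source type. A single rule with a type set, `allow { untrusted_app_27 untrusted_app_29 untrusted_app_30 } zygote:unix_stream_socket getopt;`, keeps the grant in one place and makes it harder to miss a domain when the rule is later tightened or removed. The unversioned untrusted_app rule is added under sepolicy/private/ while these sit under sepolicy/vendor/; the reason for that split is not visible in the patch and deserves a one-line comment in the files.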