sdm660-common: sepolicy: Address many denials

sdm660-common: sepolicy: Address vendor_init persist_file read denial
avc: denied { read } for comm="init" name="persist" dev="mmcblk0p63" ino=47 scontext=u:r:vendor_init:s0 tcontext=u:object_r:persist_file:s0 tclass=lnk_file permissive=0

sdm660-common: sepolicy: Address tee persist_file read denial
avc: denied { read } for comm="qseecomd" name="persist" dev="mmcblk0p63" ino=47 scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=lnk_file permissive=0

sdm660-common: sepolicy: Address installd mnt_user_file denial
avc: denied { search } for comm="Binder:1018_6" name="0" dev="tmpfs" ino=5541 scontext=u:r:installd:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=0

sdm660-common: sepolicy: Address ssgtzd qipcrtr_socket denial

sdm660-common: sepolicy: Address platform_app denials
avc: denied { read } for comm="emui:screenshot" name="u:object_r:exported_audio_prop:s0" dev="tmpfs" ino=4254 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:exported_audio_prop:s0 tclass=file permissive=0 app=com.android.systemui

sdm660-common: sepolicy: Address init sysfs_graphics denial
avc: denied { read } for comm="init" name="device" dev="sysfs" ino=44569 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_graphics:s0 tclass=lnk_file permissive=0

sdm660-common: sepolicy: Address system_app sysfs_graphics denials
avc: denied { write } for comm="settings.device" name="max_brightness" dev="sysfs" ino=44572 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_graphics:s0 tclass=file permissive=0
avc: denied { open } for comm="settings.device" path="/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/red/max_brightness" dev="sysfs" ino=44572 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_graphics:s0 tclass=file permissive=0

sdm660-common: sepolicy: Address system_server sysfs_rtc denial
avc: denied { read } for comm="system_server" name="hctosys" dev="sysfs" ino=41512 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

sdm660-common: sepolicy: Address gmscore_app getattr denials
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/linkerconfig" dev="tmpfs" ino=3474 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:linkerconfig_file:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/persist" dev="mmcblk0p63" ino=47 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:persist_file:s0 tclass=lnk_file permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/init" dev="mmcblk0p63" ino=28 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:init_exec:s0 tclass=lnk_file permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/metadata" dev="mmcblk0p63" ino=32 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/postinstall" dev="mmcblk0p63" ino=48 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/vendor/firmware_mnt" dev="mmcblk0p58" ino=1 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:firmware_file:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/vendor/firmware" dev="mmcblk0p64" ino=1216 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:vendor_firmware_file:s0 tclass=dir permissive=0 app=com.google.android.gms

sdm660-common: sepolicy: Address vendor_mutualex create denial
avc: denied { create } for comm="mutualex" scontext=u:r:vendor_mutualex:s0 tcontext=u:r:vendor_mutualex:s0 tclass=qipcrtr_socket permissive=0

Signed-off-by: pix106 <sbordenave@gmail.com>
pix106 2021-07-30 09:06:00 +02:00
parent ee3fa3b300
commit 738dff294a
10 changed files with 13 additions and 0 deletions


@ -0,0 +1 @@
allow installd mnt_user_file:dir search;
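Review bot: This rule lands as a new one-line file with no comment, so the reason installd needs to search mnt_user_file is lost as soon as the commit message is; I would record the origin above it, e.g. `# installd (Binder thread called from system_server) searches /mnt/user/<id>`. The logged denial grants only `search`; if installd then stats or opens entries under /mnt/user the next log will be `getattr` on the same type, so watch for that rather than pre-granting it. Whether installd should be handed /mnt/user paths at all rather than the /data/media equivalents is a question for the caller and cannot be judged from this hunk.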


@ -0,0 +1 @@
get_prop(platform_app, exported_audio_prop)
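Review bot: `get_prop(platform_app, exported_audio_prop)` extends the read to every platform-signed app, while the only denial quoted comes from SystemUI's screenshot thread (comm `emui:screenshot`, app com.android.systemui). That is likely harmless if exported_audio_prop holds only ro.* values, which should be confirmed against property_contexts rather than assumed. A one-line comment keeps the rule reviewable later, e.g. `# SystemUI screenshot path reads exported audio properties`.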


@ -1,2 +1,6 @@
binder_call(gmscore_app, hal_memtrack_default);
allow gmscore_app { firmware_file linkerconfig_file metadata_file postinstall_mnt_dir vendor_firmware_file }:dir getattr;
allow gmscore_app { init_exec persist_file }:lnk_file getattr;
dontaudit gmscore_app { bt_firmware_file firmware_file }:filesystem getattr;
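Review bot: The two added `allow` lines widen the gmscore_app sandbox to stat /init, /metadata, /postinstall, /persist and the firmware mounts, when the denials look like an app walking the filesystem root with stat() (every entry hit from the same `CTION_IDLE_MODE` thread) and nothing suggests the app needs those results. The file already uses `dontaudit` for the analogous filesystem getattr noise on the next line, so the consistent and tighter fix is `dontaudit gmscore_app { firmware_file linkerconfig_file metadata_file postinstall_mnt_dir vendor_firmware_file }:dir getattr;` and `dontaudit gmscore_app { init_exec persist_file }:lnk_file getattr;`. If gms does functionally depend on one of these stats, keep the `allow` for that type only and say which in a comment.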


@ -2,6 +2,7 @@ allow init adsprpcd_file:file mounton;
allow init apex_metadata_file:lnk_file read;
allow init socket_device:sock_file { unlink setattr create };
allow init sysfs_graphics:file { read open };
allow init sysfs_graphics:lnk_file read;
allow init sysfs_battery_supply:file setattr;
allow init vendor_default_prop:property_service set;
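Review bot: The new `lnk_file read` on sysfs_graphics is for comm="init" following a `device` symlink, which means the rc script touching that node runs as init rather than vendor_init; if that script lives under /vendor it should be executed by vendor_init and the rule moved next to the vendor_init sysfs rules in this commit, since the init domain should not accumulate device-specific sysfs access. If the script is genuinely a system-side rc, a comment naming it would justify keeping the rule here, e.g. `# <script>.rc reads /sys/class/graphics/.../device`. I cannot tell which from the hunk alone.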


@ -4,3 +4,4 @@ type vendor_mutualex_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_mutualex)
allow vendor_mutualex self:socket create_socket_perms_no_ioctl;
allow vendor_mutualex self:qipcrtr_socket create;
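Review bot: Granting only `create` on `self:qipcrtr_socket` will almost certainly be followed by `bind`, `read`, `write` or `getopt` denials the first time mutualex actually uses the QRTR socket, since the logged denial stops at socket creation only because create failed. The line above already uses `create_socket_perms_no_ioctl` for the generic socket class, so the consistent rule is `allow vendor_mutualex self:qipcrtr_socket create_socket_perms_no_ioctl;` if the daemon talks over QRTR; if it merely probes and closes, leave it at `create` and note that in a comment.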


@ -1 +1,2 @@
allow ssgtzd self:socket create_socket_perms_no_ioctl;
allow ssgtzd self:qipcrtr_socket create;
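Review bot: The commit message lists an ssgtzd qipcrtr_socket denial but quotes no avc line for it, so it is not possible to check from the record that `create` is the only permission that was denied. As with the vendor_mutualex change in the same commit, a `create`-only rule on `self:qipcrtr_socket` usually just moves the denial to `bind`/`read`/`write`; if ssgtzd uses the socket, `allow ssgtzd self:qipcrtr_socket create_socket_perms_no_ioctl;` matches the generic-socket line above. Adding the denial text to the commit message would make the rule verifiable.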


@ -5,6 +5,7 @@ allow system_app proc_vmallocinfo:file read;
allow system_app sysfs_vibrator:dir search;
allow system_app sysfs_vibrator:file rw_file_perms;
allow system_app sysfs_graphics:dir search;
allow system_app sysfs_graphics:file rw_file_perms;
allow system_app sysfs_leds:dir search;
allow system_app sysfs_fpsinfo:file rw_file_perms;
allow system_app sysfs_headphonegain:file rw_file_perms;
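Review bot: `allow system_app sysfs_graphics:file rw_file_perms;` gives every system_app write access to all sysfs_graphics nodes, whereas the quoted denial is for a single LED node, `.../leds/red/max_brightness`, written by the device settings app. That path being labeled sysfs_graphics looks like a labeling accident — the file already expects LED nodes under sysfs_leds (`sysfs_leds:dir search` two lines above) — so the narrower fix is to label the leds/ subtree as sysfs_leds in genfs_contexts and grant `allow system_app sysfs_leds:file rw_file_perms;` instead. If the sysfs_graphics label is intentional, at least record why a settings app needs to write `max_brightness` in a comment.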


@ -4,5 +4,6 @@ get_prop(system_server, vendor_video_prop)
allow system_server app_zygote:process getpgid;
allow system_server blkio_dev:dir search;
allow system_server sysfs_battery_supply:file rw_file_perms;
allow system_server sysfs_rtc:file read;
dontaudit system_server sysfs:file { read open getattr };
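Review bot: The added `allow system_server sysfs_rtc:file read;` cannot address the quoted denial, whose tcontext is the generic `sysfs` type, not `sysfs_rtc`; with no genfs_contexts change in this commit's ten files, it is the new `dontaudit system_server sysfs:file { read open getattr }` that makes the message go away. Silencing the generic sysfs type for system_server hides every future mislabeled-sysfs denial from one of the most privileged domains, which is exactly the signal this series relies on. Prefer labeling the `hctosys` node as sysfs_rtc in genfs_contexts (its full path is not in the denial, so resolve /sys/class/rtc/rtc0/hctosys on the device first), keep the sysfs_rtc allow, and drop the dontaudit.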


@ -4,3 +4,4 @@ typeattribute tee data_between_core_and_vendor_violators;
allow tee system_data_file:dir r_dir_perms;
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;
allow tee persist_file:lnk_file r_file_perms;
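Review bot: `r_file_perms` on `persist_file:lnk_file` grants more than the denial asked for — the only denied permission was `read` of the /persist symlink, and the sibling vendor_init fix in this same commit uses exactly `allow vendor_init persist_file:lnk_file read;`. For consistency and least privilege this should be `allow tee persist_file:lnk_file read;` (add `getattr` only if a later denial shows qseecomd stat-ing the link).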


@ -7,6 +7,7 @@ allow vendor_init {
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init tee_device:chr_file getattr;
allow vendor_init persist_file:lnk_file read;
set_prop(vendor_init, camera_prop)
set_prop(vendor_init, vendor_freq_prop)