/
system_sepolicy.patch
103 lines (85 loc) · 3.99 KB
/
system_sepolicy.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
From 32e4d65be8b14ca71c4ede2fb23e80840dfd368f Mon Sep 17 00:00:00 2001
From: xc-racer99 <xc-racer2@live.ca>
Date: Sat, 27 Aug 2016 09:26:34 -0700
Subject: [PATCH 1/3] sepolicy: Allow some execmods
Our blobs are so ancient, they need this...
---
domain.te | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/domain.te b/domain.te
index 45569de4..2b895349 100644
--- a/domain.te
+++ b/domain.te
@@ -298,6 +298,7 @@ neverallow {
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
+ -system_app_data_file
}:file no_x_file_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
@@ -306,7 +307,7 @@ neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
# Only recovery should be doing writes to /system
@@ -428,7 +429,7 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
-neverallow * {
+neverallow { domain -audioserver -gpsd -mediaserver -rild -system_server } {
file_type
-system_data_file
-apk_data_file
@@ -443,7 +444,7 @@ neverallow * self:process { execstack execheap };
# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -appdomain -audioserver -gpsd -mediaserver -rild -system_server } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
--
2.11.0
From 7de66e71caad78eebefec77e937ba077a409a6a4 Mon Sep 17 00:00:00 2001
From: xc-racer99 <xc-racer2@live.ca>
Date: Mon, 26 Dec 2016 13:48:20 -0800
Subject: [PATCH 2/3] sepolicy: Allow gpsd access to /dev/__properties__
Since we're already allowing execmod's what another change :/
---
domain.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/domain.te b/domain.te
index 2b895349..65105bf1 100644
--- a/domain.te
+++ b/domain.te
@@ -308,7 +308,7 @@ neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init -gpsd } properties_serial:file { no_w_file_perms no_x_file_perms };
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
--
2.11.0
From 0851f1e40bce618749af0c3f31264c71bf306e58 Mon Sep 17 00:00:00 2001
From: xc-racer99 <xc-racer2@live.ca>
Date: Sun, 12 Feb 2017 19:38:29 -0800
Subject: [PATCH 3/3] Allow audio server access to network sockets
Yep, our audio actually does this...
---
audioserver.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audioserver.te b/audioserver.te
index da12649e..20d08a75 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -52,4 +52,4 @@ unix_socket_connect(audioserver, bluetooth, bluetooth)
neverallow audioserver { file_type fs_type }:file execute_no_trans;
# audioserver should never need network access. Disallow network sockets.
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
--
2.11.0