Rewrite sepolicy using wahoo as a style guide
The old sepolicy contained a lot of cruft due to merging poor
policies, and entries for devices no longer supported.

This is a full rewrite. It started by purging everything not
found in the wahoo sepolicy. Denials were addressed using
remaining wahoo policies where possible, else writing new
policies in the same style.

NOTE: There will be regressions, however this policy covers the
denials seen on first boot and during basic usage of most major functionality.

Future denials will be addressed as and when needed, ensuring
the policy stays sane and secure.

Signed-off-by: Adam Farden <adam@farden.cz>
stellirin committed Nov 20, 2017
1 parent 603c669 commit 14fe403ac06cdb2d1338795a9f6dc169f0a54f19
Showing 101 changed files with 651 additions and 1,245 deletions.
@@ -1 +1,18 @@
# device-sony-sepolicy
# sepolicy for SODP

This sepolicy is suitable for SODP supported devices when building on AOSP. Where
possible, we follow the structure, style, and naming conventions found in the sepolicy
written for Google devices. The current best comparison is the `wahoo` sepolicy.

When submitting patches please include the following in the commit message:

1. The AVC denial you wish to resolve
2. Why you think this is the correct sepolicy
3. Steps to reproduce the denial
4. Ping @AdFad666 for review.

Failure to include the above may result in your patch being rejected.

This sepolicy also requires device specific `file_contexts` and `genfs_contexts`
that can be found in each platform's git repository.

@@ -1,21 +1,14 @@
type addrsetup, domain;
type addrsetup_exec, exec_type, file_type;

# Started by init
init_daemon_domain(addrsetup)

# Connect to /dev/socket/tad
unix_socket_connect(addrsetup, tad, tad)

allow addrsetup bluetooth_data_file:dir rw_dir_perms;
allow addrsetup bluetooth_data_file:file create_file_perms;
allow addrsetup rootfs:lnk_file getattr;
allow addrsetup sysfs_addrsetup:file rw_file_perms;

# Permit creation of wlan_mac.bin
allow addrsetup wifi_data_file:dir rw_dir_perms;
allow addrsetup wifi_data_file:file create_file_perms;

unix_socket_connect(addrsetup, tad, tad)

allow addrsetup random_device:file read;
allow addrsetup sysfs_addrsetup:file rw_file_perms;
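Review bot: The two `bluetooth_data_file` rules carry no comment, while the matching `wifi_data_file` pair is explained by `# Permit creation of wlan_mac.bin`; give the Bluetooth pair the same treatment, e.g. `# Permit creation of the Bluetooth address file`, and say which node the `sysfs_addrsetup:file rw_file_perms` rule writes. `unix_socket_connect(addrsetup, tad, tad)` and the `sysfs_addrsetup` rule each appear twice in this section; on the rendered page I cannot tell whether those are old/new pairs or a duplicate that survives the rewrite, so please check that the new file states each rule once.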
@@ -1,16 +1,12 @@
type adsprpcd, domain;
type adsprpcd_exec, exec_type, file_type;
type adsprpcd_device, dev_type;

# Started by init
init_daemon_domain(adsprpcd)

allow adsprpcd adsprpcd_device:chr_file rw_file_perms;
allow adsprpcd ion_device:chr_file rw_file_perms;
allow adsprpcd system_file:dir r_dir_perms;
allow adsprpcd qdsp_device:chr_file r_file_perms;
allow adsprpcd rootfs:lnk_file getattr;
allow adsprpcd vendor_file:dir r_file_perms;

allow adsprpcd system_file:dir r_dir_perms;

# For reading dir/files on /dsp
r_dir_file(adsprpcd, adsprpcd_file)
r_dir_file(adsprpcd, qdsp_file)
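Review bot: `allow adsprpcd vendor_file:dir r_file_perms;` applies the file permission set to a `dir` class; directory reads need `r_dir_perms` (which includes `search`), as the neighbouring `allow adsprpcd system_file:dir r_dir_perms;` does, so if this line is on the new side change it to `allow adsprpcd vendor_file:dir r_dir_perms;`. The rendered page does not show which side each line is on; the `system_file:dir r_dir_perms` rule appears twice, which is presumably the old/new pair rather than a duplicate.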
2 app.te

This file was deleted.

@@ -1,11 +1,4 @@
r_dir_file(audioserver, sysfs)

allow audioserver rootfs:lnk_file getattr;
allow audioserver system_server:unix_stream_socket connectto;
allow audioserver oemfs:dir search;

# PowerHAL
rw_dir_file(audioserver, powerhal_socket)
allow audioserver powerhal_socket:sock_file create_file_perms;

binder_call(audioserver, bootanim)

allow audioserver sysfs_soc:file r_file_perms;
allow audioserver sysfs_soc:dir search;
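Review bot: `r_dir_file(audioserver, sysfs)` grants read access to every node carrying the generic `sysfs` label, which is the broad form this rewrite is meant to retire; the `sysfs_soc` rules at the end of the hunk show the narrower labelling already exists. If the generic line survives on the new side, replace it with the specific label of the node that was denied (for example `r_dir_file(audioserver, sysfs_soc)`) and record that denial in a comment. The hunk header says only 4 of these lines remain, but the rendered page does not show which ones.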
@@ -1,11 +1,2 @@
rw_dir_file(bluetooth, sysfs)
rw_dir_file(bluetooth, sysfs_bluetooth_writable)

allow bluetooth sysfs:file w_file_perms;
allow bluetooth smd_device:chr_file rw_file_perms;

allow bluetooth device:chr_file { ioctl };
allow bluetooth bt_device:chr_file rw_file_perms;

allow bluetooth start_hci_filter:unix_stream_socket connectto;
allow bluetooth storage_stub_file:dir getattr;
# Allow access to net_admin ioctls
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
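Review bot: Two rules here use generic labels: `allow bluetooth sysfs:file w_file_perms;` (write to any `sysfs`-labelled node) and `allow bluetooth device:chr_file { ioctl };` (ioctl on any `device`-labelled node). The hunk header shows only two lines survive the rewrite; if either of these is one of them, it should be narrowed to a specifically labelled type, in the way `sysfs_bluetooth_writable` and `bt_device` already are in this hunk. The `# Allow access to net_admin ioctls` comment would also read better naming the set it unlocks, e.g. `# Allow the priv_sock_ioctls set (net_admin ioctls) on its own UDP sockets`.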

This file was deleted.

This file was deleted.

@@ -1,20 +1,3 @@
# communicate with camera
allow cameraserver camera_data_file:sock_file write;

allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver rootfs:lnk_file getattr;

allow cameraserver surfaceflinger:unix_stream_socket { read write };

allow cameraserver camera_prop:property_service set;
allow cameraserver init:unix_stream_socket connectto;
allow cameraserver property_socket:sock_file write;

# PowerHAL
allow cameraserver powerhal_socket:dir search;
allow cameraserver powerhal_socket:sock_file write;
allow cameraserver { hal_power_default system_server }:unix_stream_socket connectto;

allow cameraserver sysfs:file r_file_perms;
allow cameraserver camera_prop:file r_file_perms;
allow cameraserver debugfs_kgsl:dir search;
allow cameraserver system_server:unix_stream_socket { read write };
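Review bot: `allow cameraserver camera_data_file:sock_file write;` under `# communicate with camera` grants only the write on the socket file; connecting to a unix stream socket also needs `connectto` on the server domain's `unix_stream_socket`, which is what the `unix_socket_connect(...)` macro in the addrsetup hunk grants in one step. The hunk header leaves 3 new lines, and the rendered page does not show which; if this rule is among them and no `connectto` accompanies it elsewhere, expect a follow-up denial and add `allow cameraserver <server domain — to be named>:unix_stream_socket connectto;`. The comment should also name the peer daemon rather than "camera".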
@@ -2,28 +2,32 @@ type cnss-daemon, domain;
type cnss-daemon_exec, exec_type, file_type;

init_daemon_domain(cnss-daemon)
net_domain(cnss-daemon)

allow cnss-daemon proc_net:file rw_file_perms;
binder_use(cnss-daemon)
binder_call(cnss-daemon, per_mgr)

allow cnss-daemon rootfs:lnk_file getattr;

allow cnss-daemon per_mgr:binder { call transfer };
allow cnss-daemon per_mgr_service:service_manager find;

allow cnss-daemon self:capability { setgid setuid net_admin};
allow cnss-daemon proc_net:file w_file_perms;

allow cnss-daemon self:capability {
net_admin
net_bind_service
};

allow cnss-daemon self:socket create_socket_perms;
allowxperm cnss-daemon self:socket ioctl msm_sock_ipc_ioctls;
allowxperm cnss-daemon self:udp_socket ioctl { SIOCIWFIRSTPRIV_05 SIOCSIFFLAGS };
allow cnss-daemon self:netlink_generic_socket create_socket_perms_no_ioctl;
allow cnss-daemon self:netlink_route_socket create_socket_perms_no_ioctl;
allow cnss-daemon self:netlink_socket create_socket_perms_no_ioctl;
allow cnss-daemon self:socket create_socket_perms;
allow cnss-daemon self:udp_socket create_socket_perms;

allowxperm cnss-daemon self:socket ioctl msm_sock_ipc_ioctls;
allowxperm cnss-daemon self:udp_socket ioctl msm_sock_ipc_ioctls;
allow cnss-daemon proc_net:file getattr;

allow cnss-daemon servicemanager:binder call;
r_dir_file(cnss-daemon, sysfs_msm_subsys)

allow cnss-daemon sysfs_subsys:dir search;
allow cnss-daemon sysfs_subsys:file r_file_perms;
allow cnss-daemon sysfs_soc:dir search;
allow cnss-daemon sysfs_soc:file r_file_perms;

allow cnss-daemon wifi_data_file:dir search;
# request_firmware causes a denial for /firmware. It can be safely ignored
dontaudit cnss-daemon firmware_file:dir search;
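Review bot: `allow cnss-daemon servicemanager:binder call;` near the end of the hunk is already covered by `binder_use(cnss-daemon)` at the top, whose expansion allows `{ call transfer }` to servicemanager, so the explicit rule is redundant on whichever side keeps it. `allow cnss-daemon self:socket create_socket_perms;` and `allowxperm cnss-daemon self:socket ioctl msm_sock_ipc_ioctls;` each appear twice and the `self:capability` rule appears in both a one-line and a braced form; on a rendered page these may be old/new pairs rather than duplicates, so please confirm the new file states each once. The udp_socket ioctl allowlist is given as two different sets (`{ SIOCIWFIRSTPRIV_05 SIOCSIFFLAGS }` and `msm_sock_ipc_ioctls`); keep the one that matches the recorded denial and add a comment naming it.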

This file was deleted.

@@ -1,70 +1,20 @@
#Define the logging device type
type avtimer_device, dev_type;
type bt_device, dev_type;
type diag_device, dev_type, mlstrustedobject;
type smem_log_device, dev_type;

#device type for smd device nodes, ie /dev/smd*
type smd_device, dev_type;

#device type for smd device nodes, ie /dev/sg*
type sg_device, dev_type;

#device type for rmnet device nodes, ie /dev/rmnet_ctrl*
type rmnet_device, dev_type;

#Define thermal-engine devices
type thermal_device, dev_type;

#Add qdsp_device type
type qdsp_device, dev_type, mlstrustedobject;

#Define mpdecision device
type device_latency, dev_type;

#Add for fm_radio device
type fm_radio_device, dev_type;

#Add for storage pertitions for EFS partitions
type modem_efs_partition_device, dev_type;

#Define device for partition links
type ssd_device, dev_type;
type rpmb_device, dev_type;

type sd_device, dev_type;

#SSR device
type ssr_device, dev_type;

#Ramdump device
type ramdump_device, dev_type;

# Define IPA devices
type ipa_dev, dev_type;

type wcnss_device, dev_type;

#energy-awareness device
type pta_device, dev_type;

#Define qfintverify device
type qce_device, dev_type;
type rng_device, dev_type;

#added for voice device
type voice_device, dev_type;

#Define system health monitor devices
type system_health_monitor_device, dev_type;

#Define avtimer device
type avtimer_device, dev_type;

type subsys_modem_device, dev_type;
type trim_area_partition_device, dev_type;
type latency_device, dev_type;
type modem_block_device, dev_type;
type persist_block_device, dev_type;

#Define Bluetooth device
type bt_device, dev_type;

# ramdump partition block device
type rdimage_block_device, dev_type;
type qdsp_device, dev_type, mlstrustedobject;
type ramdump_device, dev_type;
type rmnet_device, dev_type;
type ramdump_block_device, dev_type;
type sg_device, dev_type;
type smd_device, dev_type;
type ssd_block_device, dev_type;
type ssr_device, dev_type;
type adsprpcd_block_device, dev_type;
type rpmb_block_device, dev_type;
type sd_block_device, dev_type;
type smem_log_device, dev_type;
type ta_block_device, dev_type;
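Review bot: The run of `type ..., dev_type;` declarations following `# ramdump partition block device` is unsorted and the comment describes only the first of them (`rdimage_block_device`), whereas the four declarations at the top of the hunk are alphabetised; the wahoo-style convention this rewrite follows is one alphabetised list with a short comment per non-obvious type. `diag_device` and `qdsp_device` are declared with `mlstrustedobject`, which exempts them from the MLS constraints; each should carry a comment stating why, e.g. `# mlstrustedobject: accessed by <MLS-constrained domain — to be named>`. Several types (`avtimer_device`, `bt_device`, `qdsp_device`, `ramdump_device`, `rmnet_device`, `sg_device`, `smd_device`, `smem_log_device`, `ssr_device`) appear twice in the hunk; a duplicate `type` declaration fails policy compilation, so I assume these are old/new pairs, but the rendered page does not show that.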
@@ -1,7 +1,11 @@
allow { domain -untrusted_app } diag_device:chr_file rw_file_perms;
userdebug_or_eng(`
allow domain diag_device:chr_file rw_file_perms;
')

r_dir_file(domain, sysfs_socinfo);
r_dir_file(domain, sysfs_ssr);
# In order for /sys/kernel/debug/kgsl/proc/<pid>/mem
# to be created for memory tracking, the domain of
# the tracked process must have permission to search
# in /sys/kernel/debug/kgsl
allow domain debugfs_kgsl:dir search;

# Allow all domains read access to sysfs_thermal
r_dir_file(domain, sysfs_thermal);
allow domain debugfs_ion:dir search;
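Review bot: `r_dir_file(domain, sysfs_socinfo);`, `r_dir_file(domain, sysfs_ssr);` and `r_dir_file(domain, sysfs_thermal);` end in a `;` although they are macro calls, unlike `r_dir_file(cnss-daemon, sysfs_msm_subsys)` in the cnss-daemon hunk; drop the trailing semicolons so macro calls are written the same way throughout. `allow domain debugfs_ion:dir search;` at the end lacks the explanation the `debugfs_kgsl` rule gets a few lines above; a domain-wide rule deserves a comment naming the denial it resolves, e.g. `# <process — to be named> searches /sys/kernel/debug/ion; recorded denial: <AVC line — to be pasted>`.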
