Add directory read permissions to certain domains.
Addresses the following denials and auditallows:
avc: denied { read } for pid=561 comm="hwservicemanage" name="hw"
dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0"
ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0
avc: granted { read open } for pid=735 comm="fingerprintd"
path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0
tcontext=u:object_r:system_file:s0 tclass=dir
Test: no denials on boot
Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index b198703..a8320b5 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -27,6 +27,7 @@
auditallow {
domain_deprecated
-appdomain
+ -fingerprintd
-init
-installd
-rild
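Review bot: The added `-fingerprintd` exclusion silences auditing of every domain_deprecated permission fingerprintd exercises, not only the `system_file:dir { read open }` access quoted in the commit message, because auditallow matches granted accesses regardless of which allow rule granted them. The permission and class list of this auditallow statement sits outside the hunk, so the full scope of what stops being audited is not visible here. A one-line justification next to the exclusion would keep that trade-off visible to the next reader, e.g. `-fingerprintd # system_file:dir access granted explicitly in fingerprintd.te; other deprecated accesses are no longer audited`. The auditallow block's closing brace and its permission list continue past the end of this hunk.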
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index b541e34..b27f014 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -3,6 +3,9 @@
binder_use(fingerprintd)
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
# need to find KeyStore and add self
allow fingerprintd fingerprintd_service:service_manager { add find };
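Review bot: The new rule `allow fingerprintd system_file:dir r_dir_perms;` is broader than its comment implies: `system_file` is the label of the whole of /system, so this grants directory listing on every system_file-labelled directory, not just /system/lib64/hw. The same comment/rule pair is added in the gatekeeperd.te and hwservicemanager.te hunks. If there is no narrower type for the hw directory, the comment should say that the grant is intentionally wide, e.g. `# Scan through /system/lib64/hw looking for installed HALs (system_file covers all of /system, so this permits listing any system_file directory)`. The denials quoted in the commit message name the 64-bit path only; if 32-bit builds load HALs from a parallel directory, the comment could mention it too.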
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 13d2db7..f6ec1ab 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -10,6 +10,9 @@
# need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find };
+# Scan through /system/lib64/hw looking for installed HALs
+allow gatekeeperd system_file:dir r_dir_perms;
+
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index cbb47e5..f179599 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -13,6 +13,9 @@
set_prop(hwservicemanager, hwservicemanager_prop)
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
# TODO once hwservicemanager checks whether HALs are
# allowed to register a certain service, add policy here
# for allowing to check SELinux permissions.