tequilaOS/platform_device_qcom_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allowing system process to read gpu model

Browse source 
Addressing the following denials :
type=1400 audit(0.0:95): avc: denied { read }for name="gpu_model"
dev="sysfs" ino=80653 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0
type=1400 audit(0.0:59): avc: denied { read }for name="gpu_model"
dev="sysfs" ino=80653 scontext=u:r:hal_graphics_allocator_default:s0
tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0 tclass=file permissive=0
type=1400 audit(906.783:162): avc: denied { read }for comm="surfaceflinger"
name="gpu_model" dev="sysfs" ino=61205 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0 tclass=file permissive=0
type=1400 audit(0.0:345): avc: denied { read } for name="gpu_model"
dev="sysfs" ino=80685 scontext=u:r:mediacodec:s0
tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0
type=1400 audit(0.0:185): avc: denied { read } for name="gpu_model"
dev="sysfs" ino=80685 scontext=u:r:untrusted_app_27:s0:c512,c768
tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0
type=1400 audit(0.0:185): avc: denied { read } for name="gpu_model"
dev="sysfs" ino=80685 scontext=u:r:untrusted_app_29:s0:c512,c768
tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0

Change-Id: Icd52def059afed9114f0a5a868babc849086dd6f
This commit is contained in:
kranthi 2020-04-27 17:40:45 +05:30
parent ef73255fb9
commit a715cbecb7
8 changed files with 11 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
generic/vendor/common/bootanim.te vendored
View file

@ -32,6 +32,4 @@ allow bootanim hwservicemanager:binder call;
# this denial on phones since this functionality is not used.
dontaudit bootanim system_data_file:dir read;
dontaudit bootanim vendor_hal_qspmhal_hwservice:hwservice_manager find;
allow bootanim vendor_sysfs_kgsl_gpu_model:file r_file_perms;
dontaudit bootanim vendor_hal_qspmhal_hwservice:hwservice_manager find;

3
generic/vendor/common/domain.te vendored
View file

@ -56,3 +56,6 @@ neverallow {
-ueventd
-vold
} vendor_persist_type: { dir file } *;
# Allow all context to read gpu model
allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;

2
generic/vendor/common/gmscore_app.te vendored
View file

@ -25,8 +25,6 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow gmscore_app vendor_sysfs_kgsl_gpu_model:file r_file_perms;
dontaudit gmscore_app vendor_hal_qspmhal_default:binder {call};
unix_socket_connect(gmscore_app, vendor_dpmtcm, vendor_dpmd);

3
generic/vendor/common/priv_app.te vendored
View file

@ -30,6 +30,3 @@ hal_client_domain(priv_app, vendor_hal_perf)
# TODO(b/123050471): this grants renderscript exec permissions to the
# priv_app domain
allow priv_app rs_exec:file rx_file_perms;
allow priv_app vendor_sysfs_kgsl_gpu_model:file r_file_perms;

4
generic/vendor/common/system_server.te vendored
View file

@ -51,6 +51,4 @@ get_prop(system_server, vendor_display_prop)
# allow system_server to read/acess peripheral manager.
get_prop(system_server, vendor_per_mgr_state_prop);
hal_client_domain(system_server, vendor_hal_dataconnection_qti)
allow system_server vendor_sysfs_kgsl_gpu_model:file r_file_perms;
hal_client_domain(system_server, vendor_hal_dataconnection_qti)

5
legacy/vendor/common/domain.te vendored
View file

@ -64,4 +64,7 @@ allowxperm domain domain:icmp_socket ioctl { unpriv_sock_ioctls unpriv_tty_ioctl
get_prop(domain, vendor_security_patch_level_prop)
get_prop(domain, public_vendor_default_prop)
allow domain qti_debugfs:dir search;
allow domain qti_debugfs:dir search;
# allow all context to read gpu model
allow { domain - isolated_app } sysfs_kgsl_gpu_model:file r_file_perms;

3
legacy/vendor/common/location_app.te vendored
View file

@ -54,5 +54,4 @@ allow vendor_location_app radio_service:service_manager find;
allowxperm vendor_location_app self:socket ioctl msm_sock_ipc_ioctls;
allow vendor_location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_location_app sysfs_data:file r_file_perms;
unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
#allow location_app sysfs_kgsl_gpu_model:file r_file_perms;
unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)

4
legacy/vendor/common/priv_app.te vendored
View file

@ -28,6 +28,4 @@
hal_client_domain(priv_app, hal_perf)
# TODO(b/123050471): this grants renderscript exec permissions to the
# priv_app domain
allow priv_app rs_exec:file rx_file_perms;
allow priv_app sysfs_kgsl_gpu_model:file r_file_perms;
allow priv_app rs_exec:file rx_file_perms;