From a715cbecb79a8e42808c699922c0aa798d61f139 Mon Sep 17 00:00:00 2001
From: kranthi
Date: Mon, 27 Apr 2020 17:40:45 +0530
Subject: [PATCH] Allowing system process to read gpu model

Addressing the following denials :
type=1400 audit(0.0:95): avc: denied { read }for name="gpu_model" dev="sysfs" ino=80653 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0
type=1400 audit(0.0:59): avc: denied { read }for name="gpu_model" dev="sysfs" ino=80653 scontext=u:r:hal_graphics_allocator_default:s0 tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0 tclass=file permissive=0
type=1400 audit(906.783:162): avc: denied { read }for comm="surfaceflinger" name="gpu_model" dev="sysfs" ino=61205 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0 tclass=file permissive=0
type=1400 audit(0.0:345): avc: denied { read } for name="gpu_model" dev="sysfs" ino=80685 scontext=u:r:mediacodec:s0 tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0
type=1400 audit(0.0:185): avc: denied { read } for name="gpu_model" dev="sysfs" ino=80685 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0
type=1400 audit(0.0:185): avc: denied { read } for name="gpu_model" dev="sysfs" ino=80685 scontext=u:r:untrusted_app_29:s0:c512,c768 tcontext=u:object_r:vendor_sysfs_kgsl_gpu_model:s0

Change-Id: Icd52def059afed9114f0a5a868babc849086dd6f
---
 generic/vendor/common/bootanim.te | 4 +---
 generic/vendor/common/domain.te | 3 +++
 generic/vendor/common/gmscore_app.te | 2 --
 generic/vendor/common/priv_app.te | 3 ---
 generic/vendor/common/system_server.te | 4 +---
 legacy/vendor/common/domain.te | 5 ++++-
 legacy/vendor/common/location_app.te | 3 +--
 legacy/vendor/common/priv_app.te | 4 +---
 8 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/generic/vendor/common/bootanim.te b/generic/vendor/common/bootanim.te
index 5c0ff820..21172a65 100644
--- a/generic/vendor/common/bootanim.te
+++ b/generic/vendor/common/bootanim.te
@@ -32,6 +32,4 @@ allow bootanim hwservicemanager:binder call;
 # this denial on phones since this functionality is not used.
 dontaudit bootanim system_data_file:dir read;
-dontaudit bootanim vendor_hal_qspmhal_hwservice:hwservice_manager find;
-
-allow bootanim vendor_sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
+dontaudit bootanim vendor_hal_qspmhal_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/generic/vendor/common/domain.te b/generic/vendor/common/domain.te
index fee30cea..91ac4936 100644
--- a/generic/vendor/common/domain.te
+++ b/generic/vendor/common/domain.te
@@ -56,3 +56,6 @@ neverallow { -ueventd -vold } vendor_persist_type: { dir file } *;
+
+# Allow all context to read gpu model
+allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
diff --git a/generic/vendor/common/gmscore_app.te b/generic/vendor/common/gmscore_app.te
index 12df1ba4..41573ff8 100644
--- a/generic/vendor/common/gmscore_app.te
+++ b/generic/vendor/common/gmscore_app.te
@@ -25,8 +25,6 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-allow gmscore_app vendor_sysfs_kgsl_gpu_model:file r_file_perms;
-
 dontaudit gmscore_app vendor_hal_qspmhal_default:binder {call};
 unix_socket_connect(gmscore_app, vendor_dpmtcm, vendor_dpmd);
diff --git a/generic/vendor/common/priv_app.te b/generic/vendor/common/priv_app.te
index 5a32387f..50e3afec 100644
--- a/generic/vendor/common/priv_app.te
+++ b/generic/vendor/common/priv_app.te
@@ -30,6 +30,3 @@ hal_client_domain(priv_app, vendor_hal_perf)
 # TODO(b/123050471): this grants renderscript exec permissions to the
 # priv_app domain
 allow priv_app rs_exec:file rx_file_perms;
-
-allow priv_app vendor_sysfs_kgsl_gpu_model:file r_file_perms;
-
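Review bot: The added `allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;` grants read access to every domain except isolated_app, which is broader than the subject line ("system process") and broader than the six domains in the quoted denials; because two of those are untrusted_app_27 and untrusted_app_29, the GPU model node becomes readable by all untrusted apps and by every vendor daemon, and any domain added later inherits the access without review. Prefer enumerating the requesting domains (or an attribute that names the intended consumers) and, if the wildcard is intentional, say so in the comment, e.g. `# GPU model is readable by all domains except isolated_app: <why the value is considered non-sensitive>`, since a hardware identifier exposed to untrusted apps is at least a device-fingerprinting surface. The denials show dev="sysfs", so if vendor_sysfs_kgsl_gpu_model carries the sysfs_type attribute, check the platform's neverallow rules on untrusted-app sysfs access rather than relying on the build to surface a conflict. The same rule and comment are added in legacy/vendor/common/domain.te with the type sysfs_kgsl_gpu_model, and both files still end without a trailing newline.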
diff --git a/generic/vendor/common/system_server.te b/generic/vendor/common/system_server.te
index 6aea52a0..abfd9bdf 100644
--- a/generic/vendor/common/system_server.te
+++ b/generic/vendor/common/system_server.te
@@ -51,6 +51,4 @@ get_prop(system_server, vendor_display_prop)
 # allow system_server to read/acess peripheral manager.
 get_prop(system_server, vendor_per_mgr_state_prop);
-hal_client_domain(system_server, vendor_hal_dataconnection_qti)
-
-allow system_server vendor_sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
+hal_client_domain(system_server, vendor_hal_dataconnection_qti)
\ No newline at end of file
diff --git a/legacy/vendor/common/domain.te b/legacy/vendor/common/domain.te
index c2f4709d..83bb377c 100644
--- a/legacy/vendor/common/domain.te
+++ b/legacy/vendor/common/domain.te
@@ -64,4 +64,7 @@ allowxperm domain domain:icmp_socket ioctl { unpriv_sock_ioctls unpriv_tty_ioctl
 get_prop(domain, vendor_security_patch_level_prop)
 get_prop(domain, public_vendor_default_prop)
-allow domain qti_debugfs:dir search;
\ No newline at end of file
+allow domain qti_debugfs:dir search;
+
+# allow all context to read gpu model
+allow { domain - isolated_app } sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
diff --git a/legacy/vendor/common/location_app.te b/legacy/vendor/common/location_app.te
index 82df910c..104c78fe 100644
--- a/legacy/vendor/common/location_app.te
+++ b/legacy/vendor/common/location_app.te
@@ -54,5 +54,4 @@ allow vendor_location_app radio_service:service_manager find;
 allowxperm vendor_location_app self:socket ioctl msm_sock_ipc_ioctls;
 allow vendor_location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
 allow vendor_location_app sysfs_data:file r_file_perms;
-unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
-#allow location_app sysfs_kgsl_gpu_model:file r_file_perms;
+unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
\ No newline at end of file
diff --git a/legacy/vendor/common/priv_app.te b/legacy/vendor/common/priv_app.te
index 723f1c2b..0717cd6d 100644
--- a/legacy/vendor/common/priv_app.te
+++ b/legacy/vendor/common/priv_app.te
@@ -28,6 +28,4 @@ hal_client_domain(priv_app, hal_perf)
 # TODO(b/123050471): this grants renderscript exec permissions to the
 # priv_app domain
-allow priv_app rs_exec:file rx_file_perms;
-
-allow priv_app sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
+allow priv_app rs_exec:file rx_file_perms;
\ No newline at end of file