tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow more file ioctls

Browse source 
The shell script interpreter checks if file descriptors are ttys, which
causes a bunch of denials. Allow the benign ioctl TCGETS. Addresses the
following denials:

  type=1400 audit(0.0:321): avc: denied { ioctl } for comm="sh"
  path="/data/misc/perfprofd/perferr.txt" dev="sda13" ino=6817306
  ioctlcmd=5401 scontext=u:r:perfprofd:s0
  tcontext=u:object_r:perfprofd_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3189): avc: denied { ioctl } for comm="ps"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3004): avc: denied { ioctl } for comm="top"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Include the virtual sdcard when allowing F2FS specific sqlite ioctls,
since apps write sqlite files to the virtual sdcard. Addresses the
following denials:

  type=1400 audit(0.0:324): avc: denied { ioctl } for comm="amapLocManagerT"
  path="/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db"
  dev="sdcardfs" ino=3546650 ioctlcmd=f50c
  scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0
  tclass=file permissive=0 app=com.xiaomi.hm.health

Test: policy compiles.
Change-Id: I7fc570f2bbf69485b1ee6e6b2d9a421639d29123
This commit is contained in:
Nick Kralevich 2018-10-12 12:44:33 -07:00
parent 186466e955
commit 6586fe3110
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
public/domain.te
View file

@ -325,11 +325,17 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
# named pipes, and named sockets)
allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };
# Allow a process to make a determination whether a file descriptor
# for a plain file is a tty. Note that granting this whitelist to domain
# does not grant the ioctl permission to these files. That must be granted
# separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain file_type:file ioctl {
allowxperm domain { file_type sdcard_type }:file ioctl {
F2FS_IOC_ABORT_VOLATILE_WRITE
F2FS_IOC_COMMIT_ATOMIC_WRITE
F2FS_IOC_GET_FEATURES