发表于 2022-1-10 09:41:16
SDM450 Android9.0 untrusted app Permission (Selinux)
- From 87173208df5da7313f67f61d17d613395828656b Mon Sep 17 00:00:00 2001
- From: sct-tb-git01-user <miles.zhang@smart-core.com.cn>
- Date: Fri, 31 Dec 2021 10:08:10 +0800
- Subject: [PATCH 5/8] H21 /sys/nm_control/nm_gpio_ctrl selinux
- ---
- device/qcom/common/rootdir/etc/init.qcom.rc | 6 ++++++
- device/qcom/sepolicy/vendor/common/file.te | 1 +
- device/qcom/sepolicy/vendor/common/file_contexts | 2 +-
- device/qcom/sepolicy/vendor/common/untrusted_app.te | 1 +
- system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te | 2 +-
- system/sepolicy/private/app_neverallows.te | 2 +-
- 6 files changed, 11 insertions(+), 3 deletions(-)
- mode change 100644 => 100755 device/qcom/sepolicy/vendor/common/file.te
- mode change 100644 => 100755 device/qcom/sepolicy/vendor/common/untrusted_app.te
- mode change 100644 => 100755 system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
- mode change 100644 => 100755 system/sepolicy/private/app_neverallows.te
- diff --git a/device/qcom/common/rootdir/etc/init.qcom.rc b/device/qcom/common/rootdir/etc/init.qcom.rc
- index 51fe7da..b95666f 100755
- --- a/device/qcom/common/rootdir/etc/init.qcom.rc
- +++ b/device/qcom/common/rootdir/etc/init.qcom.rc
- @@ -124,6 +124,8 @@ on boot
- chmod 0660 /dev/ttyHS2
- chown bluetooth bluetooth /dev/ttyHS2
-
- + chmod 0777 /sys/nm_control/nm_gpio_ctrl
- +
- chmod 0666 /sys/devices/platform/soc/soc:qcom,dsi1_bridge/dsi1_bl_value
-
- chown bluetooth net_bt /sys/class/rfkill/rfkill0/device/extldo
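Review bot: The added `chmod 0777 /sys/nm_control/nm_gpio_ctrl` makes the GPIO control node writable by every UID on the device, so DAC no longer protects it at all and SELinux becomes the only barrier (which the later hunks then also weaken). A sysfs node does not need the execute bits, and write access should be limited to the group that actually drives it, e.g. `chown system system /sys/nm_control/nm_gpio_ctrl` followed by `chmod 0660 /sys/nm_control/nm_gpio_ctrl`, with app access mediated by a system or vendor service rather than granted directly. The `on boot` block this lands in continues outside the hunk.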
- @@ -1297,3 +1299,7 @@ service vendor.contexthub-hal-1-0 /vendor/bin/hw/android.hardware.contexthub@1.0
- user system
- group system
- disabled
- +on property:sys.boot_completed=1
- + setprop service.adb.tcp.port 5555
- + stop adbd
- + start adbd
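Review bot: The new `on property:sys.boot_completed=1` block enables ADB over TCP on port 5555 and restarts adbd on every boot, which exposes the debug bridge on the network in any image built from this tree and is unrelated to the GPIO SELinux change the patch subject describes. If it is needed for bench work it should at least be gated on a debuggable build, e.g. `on property:sys.boot_completed=1 && property:ro.debuggable=1`, and otherwise dropped from this commit so it cannot ship in a user build. The preceding `service vendor.contexthub-hal-1-0` stanza starts outside the hunk; adding a blank line before the new `on` trigger would also keep it visibly separate from that service definition.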
- diff --git a/device/qcom/sepolicy/vendor/common/file.te b/device/qcom/sepolicy/vendor/common/file.te
- old mode 100644
- new mode 100755
- index 1e350ac..22f997f
- --- a/device/qcom/sepolicy/vendor/common/file.te
- +++ b/device/qcom/sepolicy/vendor/common/file.te
- @@ -94,6 +94,7 @@ type data_ad_calib_cfg, file_type, data_file_type;
-
- #SurfaceFlinger file type for sysfs access
- type sysfs_graphics, sysfs_type, fs_type;
- +type sysfs_gpioctl, fs_type, sysfs_type, mlstrustedobject;
-
- # USB/battery power supply type for hvdcp/quickcharge
- type sysfs_usb_supply, sysfs_type, fs_type;
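Review bot: The added `type sysfs_gpioctl, fs_type, sysfs_type, mlstrustedobject;` attaches `mlstrustedobject`, which exempts the node from MLS level checks for every domain, not just the one app that needs it, and nothing in this patch shows an MLS denial that would justify it. Unless such a denial was actually observed, the declaration should follow the neighbouring sysfs types: `type sysfs_gpioctl, fs_type, sysfs_type;`. A short comment above it naming the consumer, in the style of the `#SurfaceFlinger file type` line above, would also help the next reader.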
- diff --git a/device/qcom/sepolicy/vendor/common/file_contexts b/device/qcom/sepolicy/vendor/common/file_contexts
- index dfd0f72..144bd24 100755
- --- a/device/qcom/sepolicy/vendor/common/file_contexts
- +++ b/device/qcom/sepolicy/vendor/common/file_contexts
- @@ -542,7 +542,7 @@
- /sys/board_properties/virtualkeys.ft5x06_ts u:object_r:sysfs_virtualkeys:s0
- /sys/vservices(/.*)? u:object_r:sysfs_vservices:s0
- /sys/devices/platform/soc/soc:qcom,dsi1_bridge/dsi1_bl_value u:object_r:sysfs_quec:s0
- -
- +/sys/nm_control/nm_gpio_ctrl u:object_r:sysfs_gpioctl:s0
- ###################################
- # data files
- #
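Review bot: The file_contexts entry for `/sys/nm_control/nm_gpio_ctrl` only takes effect if something restores the context of that path after the sysfs node exists; the init.qcom.rc hunk in this patch changes its mode but adds no `restorecon` for it, so I cannot tell from the diff whether the node actually ends up labelled `sysfs_gpioctl` or keeps the default `sysfs` label. Worth confirming on a booted device with `ls -Z /sys/nm_control/nm_gpio_ctrl` before relying on the untrusted_app rule. The new line also replaces the blank separator in front of the `# data files` banner; keeping that blank line would preserve the file's section layout.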
- diff --git a/device/qcom/sepolicy/vendor/common/untrusted_app.te b/device/qcom/sepolicy/vendor/common/untrusted_app.te
- old mode 100644
- new mode 100755
- index 9ac63d9..3b57d3d
- --- a/device/qcom/sepolicy/vendor/common/untrusted_app.te
- +++ b/device/qcom/sepolicy/vendor/common/untrusted_app.te
- @@ -35,6 +35,7 @@ allow priv_app sysfs_socinfo:file rw_file_perms;
-
- # for finding gba_auth_service
- allow untrusted_app gba_auth_service:service_manager find;
- +allow untrusted_app sysfs_gpioctl:{file chr_file} { read write ioctl open execute getattr setattr };
-
- #TODO: this are been commeted as there is a new
- # neverallow resctiction which may need
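Review bot: The added rule `allow untrusted_app sysfs_gpioctl:{file chr_file} { read write ioctl open execute getattr setattr };` is far broader than a sysfs control node needs: `execute` and `setattr` have no legitimate use on a sysfs file, and `chr_file` does not apply to a sysfs entry. Because `sysfs_gpioctl` carries `sysfs_type`, any write permission here is exactly what trips the `neverallow all_untrusted_apps sysfs_type:file` rule that the app_neverallows.te hunks comment out, so trimming this rule does not remove the conflict by itself. The defensible structure is to keep untrusted_app off the node entirely and grant the write to a dedicated system or vendor domain that exposes a narrow interface to apps; if direct access is unavoidable, at minimum drop to `allow untrusted_app sysfs_gpioctl:file { open read getattr };` and keep write on the privileged side.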
- diff --git a/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te b/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
- old mode 100644
- new mode 100755
- index 8d9ccd6..9481f9b
- --- a/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
- +++ b/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
- @@ -63,7 +63,7 @@ neverallow all_untrusted_apps file_type:file link;
- neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
-
- # Do not allow any write access to files in /sys
- -neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
- +# neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
-
- # Apps may never access the default sysfs label.
- neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
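Review bot: Commenting out `neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };` removes the platform-wide guarantee that no untrusted app can write to or execute any sysfs file, not just the one GPIO node this patch is about, and the same change is made to the frozen API copy in the `system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te` hunk. The prebuilt file is the reference the policy is checked against for compatibility, so editing it in lockstep hides the divergence rather than resolving it, and this rule is one of the checks CTS exercises. Both hunks should be reverted and the GPIO access routed through a privileged domain instead, which also makes the commented-out line unnecessary.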
- diff --git a/system/sepolicy/private/app_neverallows.te b/system/sepolicy/private/app_neverallows.te
- old mode 100644
- new mode 100755
- index 8d9ccd6..9481f9b
- --- a/system/sepolicy/private/app_neverallows.te
- +++ b/system/sepolicy/private/app_neverallows.te
- @@ -63,7 +63,7 @@ neverallow all_untrusted_apps file_type:file link;
- neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
-
- # Do not allow any write access to files in /sys
- -neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
- +# neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
-
- # Apps may never access the default sysfs label.
- neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
- --
- 1.9.1