
SDM450 Android 9.0 untrusted app permission (SELinux)



From 87173208df5da7313f67f61d17d613395828656b Mon Sep 17 00:00:00 2001
From: sct-tb-git01-user <miles.zhang@smart-core.com.cn>
Date: Fri, 31 Dec 2021 10:08:10 +0800
Subject: H21 /sys/nm_control/nm_gpio_ctrl selinux

---
device/qcom/common/rootdir/etc/init.qcom.rc                   | 6 ++++++
device/qcom/sepolicy/vendor/common/file.te                  | 1 +
device/qcom/sepolicy/vendor/common/file_contexts            | 2 +-
device/qcom/sepolicy/vendor/common/untrusted_app.te         | 1 +
system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te | 2 +-
system/sepolicy/private/app_neverallows.te                  | 2 +-
6 files changed, 11 insertions(+), 3 deletions(-)
mode change 100644 => 100755 device/qcom/sepolicy/vendor/common/file.te
mode change 100644 => 100755 device/qcom/sepolicy/vendor/common/untrusted_app.te
mode change 100644 => 100755 system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
mode change 100644 => 100755 system/sepolicy/private/app_neverallows.te

diff --git a/device/qcom/common/rootdir/etc/init.qcom.rc b/device/qcom/common/rootdir/etc/init.qcom.rc
index 51fe7da..b95666f 100755
--- a/device/qcom/common/rootdir/etc/init.qcom.rc
+++ b/device/qcom/common/rootdir/etc/init.qcom.rc
@@ -124,6 +124,8 @@ on boot
   chmod 0660 /dev/ttyHS2
   chown bluetooth bluetooth /dev/ttyHS2

+        chmod 0777 /sys/nm_control/nm_gpio_ctrl
+
   chmod 0666 /sys/devices/platform/soc/soc:qcom,dsi1_bridge/dsi1_bl_value

   chown bluetooth net_bt /sys/class/rfkill/rfkill0/device/extldo
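Review bot: `chmod 0777 /sys/nm_control/nm_gpio_ctrl` makes the GPIO control node writable by every UID on the device, and the execute bits mean nothing on a sysfs attribute; together with the untrusted_app allow rule in this same patch, any installed app can drive the GPIO. If one app or service needs it, give the node an owner and group and a restrictive mode instead, e.g. `chown system system /sys/nm_control/nm_gpio_ctrl` followed by `chmod 0660 /sys/nm_control/nm_gpio_ctrl`, so DAC still limits who may write. The added line is also indented with eight spaces where the neighbouring lines use the file's own indent, and the `on boot` section continues outside the hunk.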
@@ -1297,3 +1299,7 @@ service vendor.contexthub-hal-1-0 /vendor/bin/hw/android.hardware.contexthub@1.0
   user system
   group system
   disabled
+on property:sys.boot_completed=1
+    setprop service.adb.tcp.port 5555
+    stop adbd
+    start adbd
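Review bot: The `on property:sys.boot_completed=1` block sets `service.adb.tcp.port 5555` and restarts adbd on every boot, which leaves an ADB endpoint reachable from any network the device joins (with no key authentication unless `ro.adb.secure` is set), and it has nothing to do with the sysfs/SELinux purpose in the subject line. If it is needed for bench testing, keep it out of user builds or gate it on `ro.debuggable` rather than shipping it in init.qcom.rc; otherwise drop the four lines. The new section also follows the preceding service definition with no blank line, unlike the rest of the file.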
diff --git a/device/qcom/sepolicy/vendor/common/file.te b/device/qcom/sepolicy/vendor/common/file.te
old mode 100644
new mode 100755
index 1e350ac..22f997f
--- a/device/qcom/sepolicy/vendor/common/file.te
+++ b/device/qcom/sepolicy/vendor/common/file.te
@@ -94,6 +94,7 @@ type data_ad_calib_cfg, file_type, data_file_type;

#SurfaceFlinger file type for sysfs access
type sysfs_graphics, sysfs_type, fs_type;
+type sysfs_gpioctl, fs_type, sysfs_type, mlstrustedobject;

# USB/battery power supply type for hvdcp/quickcharge
type sysfs_usb_supply, sysfs_type, fs_type;
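Review bot: The new `sysfs_gpioctl` type sits under the `#SurfaceFlinger file type for sysfs access` comment, which now misdescribes it, and carries `mlstrustedobject` without saying why it is needed. Give it its own comment above the line, e.g. `# GPIO control node; mlstrustedobject so apps at any MLS level may write it (see untrusted_app.te)`, and keep the attribute order the neighbouring lines use (`sysfs_type, fs_type`).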
diff --git a/device/qcom/sepolicy/vendor/common/file_contexts b/device/qcom/sepolicy/vendor/common/file_contexts
index dfd0f72..144bd24 100755
--- a/device/qcom/sepolicy/vendor/common/file_contexts
+++ b/device/qcom/sepolicy/vendor/common/file_contexts
@@ -542,7 +542,7 @@
/sys/board_properties/virtualkeys.ft5x06_ts                         u:object_r:sysfs_virtualkeys:s0
/sys/vservices(/.*)?                                                u:object_r:sysfs_vservices:s0
/sys/devices/platform/soc/soc:qcom,dsi1_bridge/dsi1_bl_value                                  u:object_r:sysfs_quec:s0
-
+/sys/nm_control/nm_gpio_ctrl                                                                               u:object_r:sysfs_gpioctl:s0                                       
###################################
# data files
#
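Review bot: The added `/sys/nm_control/nm_gpio_ctrl` entry carries trailing whitespace and replaces the blank line that separated this group from the `# data files` header; drop the trailing spaces and keep the blank line. A file_contexts entry for a sysfs path only takes effect if something restores the label at boot, and the init.qcom.rc change in this series only runs chmod on the node, so unless an existing restorecon covers it (not visible here) the node may keep the default `sysfs` label, which `neverallow all_untrusted_apps sysfs:file no_rw_file_perms` still blocks. A `restorecon /sys/nm_control/nm_gpio_ctrl` next to the chmod would make the labelling explicit.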
diff --git a/device/qcom/sepolicy/vendor/common/untrusted_app.te b/device/qcom/sepolicy/vendor/common/untrusted_app.te
old mode 100644
new mode 100755
index 9ac63d9..3b57d3d
--- a/device/qcom/sepolicy/vendor/common/untrusted_app.te
+++ b/device/qcom/sepolicy/vendor/common/untrusted_app.te
@@ -35,6 +35,7 @@ allowpriv_app sysfs_socinfo:file rw_file_perms;

# for finding gba_auth_service
allow untrusted_app gba_auth_service:service_manager find;
+allow untrusted_app sysfs_gpioctl:{file chr_file} { read write ioctl open execute getattr setattr };

#TODO: this are been commeted as there is a new
#      neverallow resctiction which may need
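Review bot: The new allow rule grants untrusted_app `execute` and `setattr` on `sysfs_gpioctl`, which nothing in a sysfs write path needs: execute on a sysfs attribute is meaningless, and setattr lets any app change the node's mode and ownership, undoing whatever init set. It also lists `chr_file`, although file_contexts labels the node as a plain file. Reduce it to the permissions actually exercised, `allow untrusted_app sysfs_gpioctl:file rw_file_perms;`, and add a comment naming the app or feature that needs the node.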
diff --git a/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te b/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
old mode 100644
new mode 100755
index 8d9ccd6..9481f9b
--- a/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
+++ b/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
@@ -63,7 +63,7 @@ neverallow all_untrusted_apps file_type:file link;
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

# Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+# neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };

# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
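Review bot: Commenting out `neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms }` removes the platform-wide rule that stops every untrusted app from writing or executing anything carrying any sysfs_type, not just the one node this patch introduces; the same edit is repeated in system/sepolicy/private/app_neverallows.te. This neverallow is exercised by the CTS SELinux neverallow tests, so the change will fail them as well. If an exception is really wanted, carve out only the new type and keep the rule: `neverallow all_untrusted_apps { sysfs_type -sysfs_gpioctl }:file { no_w_file_perms no_x_file_perms };`. A vendor-defined type is normally not visible from system/sepolicy, though, so the cleaner fix is to route the GPIO access through a privileged service rather than granting it to untrusted apps.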
diff --git a/system/sepolicy/private/app_neverallows.te b/system/sepolicy/private/app_neverallows.te
old mode 100644
new mode 100755
index 8d9ccd6..9481f9b
--- a/system/sepolicy/private/app_neverallows.te
+++ b/system/sepolicy/private/app_neverallows.te
@@ -63,7 +63,7 @@ neverallow all_untrusted_apps file_type:file link;
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

# Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+# neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };

# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
--
1.9.1




