搜索

450

主题

660

帖子

4898

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
4898
QQ
发表于 2022-1-10 09:41:16 906 浏览 0 回复

SDM450 Android9.0 untrust app Pression (Selinux)



  1. From 87173208df5da7313f67f61d17d613395828656b Mon Sep 17 00:00:00 2001
  2. From: sct-tb-git01-user <miles.zhang@smart-core.com.cn>
  3. Date: Fri, 31 Dec 2021 10:08:10 +0800
  4. Subject: [PATCH 5/8] H21 /sys/nm_control/nm_gpio_ctrl selinux

  5. ---
  6. device/qcom/common/rootdir/etc/init.qcom.rc                   | 6 ++++++
  7. device/qcom/sepolicy/vendor/common/file.te                    | 1 +
  8. device/qcom/sepolicy/vendor/common/file_contexts              | 2 +-
  9. device/qcom/sepolicy/vendor/common/untrusted_app.te           | 1 +
  10. system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te | 2 +-
  11. system/sepolicy/private/app_neverallows.te                    | 2 +-
  12. 6 files changed, 11 insertions(+), 3 deletions(-)
  13. mode change 100644 => 100755 device/qcom/sepolicy/vendor/common/file.te
  14. mode change 100644 => 100755 device/qcom/sepolicy/vendor/common/untrusted_app.te
  15. mode change 100644 => 100755 system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
  16. mode change 100644 => 100755 system/sepolicy/private/app_neverallows.te

  17. diff --git a/device/qcom/common/rootdir/etc/init.qcom.rc b/device/qcom/common/rootdir/etc/init.qcom.rc
  18. index 51fe7da..b95666f 100755
  19. --- a/device/qcom/common/rootdir/etc/init.qcom.rc
  20. +++ b/device/qcom/common/rootdir/etc/init.qcom.rc
  21. @@ -124,6 +124,8 @@ on boot
  22.      chmod 0660 /dev/ttyHS2
  23.      chown bluetooth bluetooth /dev/ttyHS2

  24. +        chmod 0777 /sys/nm_control/nm_gpio_ctrl
  25. +
  26.      chmod 0666 /sys/devices/platform/soc/soc:qcom,dsi1_bridge/dsi1_bl_value

  27.      chown bluetooth net_bt /sys/class/rfkill/rfkill0/device/extldo
  28. @@ -1297,3 +1299,7 @@ service vendor.contexthub-hal-1-0 /vendor/bin/hw/android.hardware.contexthub@1.0
  29.      user system
  30.      group system
  31.      disabled
  32. +on property:sys.boot_completed=1
  33. +    setprop service.adb.tcp.port 5555
  34. +    stop adbd
  35. +    start adbd
  36. diff --git a/device/qcom/sepolicy/vendor/common/file.te b/device/qcom/sepolicy/vendor/common/file.te
  37. old mode 100644
  38. new mode 100755
  39. index 1e350ac..22f997f
  40. --- a/device/qcom/sepolicy/vendor/common/file.te
  41. +++ b/device/qcom/sepolicy/vendor/common/file.te
  42. @@ -94,6 +94,7 @@ type data_ad_calib_cfg, file_type, data_file_type;

  43. #SurfaceFlinger file type for sysfs access
  44. type sysfs_graphics, sysfs_type, fs_type;
  45. +type sysfs_gpioctl, fs_type, sysfs_type, mlstrustedobject;

  46. # USB/battery power supply type for hvdcp/quickcharge
  47. type sysfs_usb_supply, sysfs_type, fs_type;
  48. diff --git a/device/qcom/sepolicy/vendor/common/file_contexts b/device/qcom/sepolicy/vendor/common/file_contexts
  49. index dfd0f72..144bd24 100755
  50. --- a/device/qcom/sepolicy/vendor/common/file_contexts
  51. +++ b/device/qcom/sepolicy/vendor/common/file_contexts
  52. @@ -542,7 +542,7 @@
  53. /sys/board_properties/virtualkeys.ft5x06_ts                         u:object_r:sysfs_virtualkeys:s0
  54. /sys/vservices(/.*)?                                                u:object_r:sysfs_vservices:s0
  55. /sys/devices/platform/soc/soc:qcom,dsi1_bridge/dsi1_bl_value                                  u:object_r:sysfs_quec:s0
  56. -
  57. +/sys/nm_control/nm_gpio_ctrl                                                                                 u:object_r:sysfs_gpioctl:s0                                       
  58. ###################################
  59. # data files
  60. #
  61. diff --git a/device/qcom/sepolicy/vendor/common/untrusted_app.te b/device/qcom/sepolicy/vendor/common/untrusted_app.te
  62. old mode 100644
  63. new mode 100755
  64. index 9ac63d9..3b57d3d
  65. --- a/device/qcom/sepolicy/vendor/common/untrusted_app.te
  66. +++ b/device/qcom/sepolicy/vendor/common/untrusted_app.te
  67. @@ -35,6 +35,7 @@ allow  priv_app sysfs_socinfo:file rw_file_perms;

  68. # for finding gba_auth_service
  69. allow untrusted_app gba_auth_service:service_manager find;
  70. +allow untrusted_app sysfs_gpioctl:{file chr_file} { read write ioctl open execute getattr setattr };

  71. #TODO: this are been commeted as there is a new
  72. #      neverallow resctiction which may need
  73. diff --git a/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te b/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
  74. old mode 100644
  75. new mode 100755
  76. index 8d9ccd6..9481f9b
  77. --- a/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
  78. +++ b/system/sepolicy/prebuilts/api/28.0/private/app_neverallows.te
  79. @@ -63,7 +63,7 @@ neverallow all_untrusted_apps file_type:file link;
  80. neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

  81. # Do not allow any write access to files in /sys
  82. -neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
  83. +# neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };

  84. # Apps may never access the default sysfs label.
  85. neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
  86. diff --git a/system/sepolicy/private/app_neverallows.te b/system/sepolicy/private/app_neverallows.te
  87. old mode 100644
  88. new mode 100755
  89. index 8d9ccd6..9481f9b
  90. --- a/system/sepolicy/private/app_neverallows.te
  91. +++ b/system/sepolicy/private/app_neverallows.te
  92. @@ -63,7 +63,7 @@ neverallow all_untrusted_apps file_type:file link;
  93. neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

  94. # Do not allow any write access to files in /sys
  95. -neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
  96. +# neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };

  97. # Apps may never access the default sysfs label.
  98. neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
  99. --
  100. 1.9.1

复制代码




手机微信同号:13682654092
回复

使用道具 举报

返回列表
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则


登录或注册
快速回复 返回顶部 返回列表