
Robert Craig committed b5a701c

New sensors-config selinux policy.

init.grouper.rc:
We chown both /data/sensors and /data/lightsensor
to avoid dac_override denials. sensors-config runs
as root and will otherwise generate denials
when trying to access /data/sensors and
/data/lightsensor. The sensors-config
binary does a chown to system,system
as its final operation.

sensors_config.te:

1) Allow executing toolbox:
denied { execute } for pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { read open } for pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=139 comm="sensors-config" path="/system/bin/mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=144 comm="sh" path="/system/bin/toolbox" dev=mmcblk0p3 ino=262 scontext=u:r:sensors_config:s0 tcontext=u:object_r:system_file:s0 tclass=file

2) Mounting and reading from PER block device:
denied { mounton } for pid=127 comm="sensors-config" path="/data/calibration" dev=mmcblk0p9 ino=225345 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
denied { mount } for pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
denied { unmount } for pid=128 comm="sensors-config" scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
denied { read } for pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { open } for pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { getattr } for pid=128 comm="sensors-config" path="/data/calibration/sensors/KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { search } for pid=128 comm="sensors-config" name="block" dev=tmpfs ino=5252 scontext=u:r:sensors_config:s0 tcontext=u:object_r:block_device:s0 tclass=dir
denied { search } for pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir

3) Chown and chmod /data/lightsensor, /data/sensors
denied { chown } for pid=408 comm="chown" capability=0 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
denied { fowner } for pid=403 comm="chmod" capability=3 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability

4) Mount and umount commands
denied { sys_admin } for pid=128 comm="sensors-config" capability=21 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability

Change-Id: I08a523766b9b55620c36fcc85793f1a27275edbc
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>


Files changed (2)

     chown bluetooth net_bt_stack /data/misc/bluetooth
 
     # sensors-config
-    mkdir /data/sensors 751 system system
-    mkdir /data/lightsensor 751 system system
+    mkdir /data/sensors 751
+    # /data/sensors was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/sensors
+    mkdir /data/lightsensor 751
+    # /data/lightsensor was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/lightsensor
     mkdir /data/calibration
     mkdir /data/amit
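Review bot: The two added comments say the directories are forced to root/root but not why, and the hand-back of ownership happens outside this file. Per the commit message, sensors-config runs as root, is not meant to rely on dac_override, and chowns both paths to system,system as its final operation. If the service exits early or never runs, /data/sensors and /data/lightsensor would presumably stay root:root 751, so the dependency is worth recording next to the `chown root root` lines, e.g. `# sensors-config (root, no dac_override) chowns this back to system/system when it finishes`. The enclosing init.rc trigger block starts and ends outside the hunk.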
 

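--- a/sepolicy/sensors_config.te
+++ b/sepolicy/sensors_config.te
 type sensors_data_file, file_type, data_file_type;
 init_daemon_domain(sensors_config)
 file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
-unconfined_domain(sensors_config)
+
+# Execute toolbox commands
+allow sensors_config shell_exec:file rx_file_perms;
+allow sensors_config system_file:file execute_no_trans;
+
+# Mount /dev/block/platform/sdhci-tegra.3/by-name/PER
+allow sensors_config sensors_data_file:dir mounton;
+allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config { sdcard_external block_device }:dir search;
+
+# Read from the mounted PER partition
+allow sensors_config sdcard_external:file r_file_perms;
+
+# Need to chmod and chown files (/data/lightsensor, /data/sensors)
+allow sensors_config self:capability { chown fowner };
+
+# Checked as a side effect on the chmod (don't allow)
+dontaudit sensors_config self:capability { fsetid };
+
+# Needed for mount/umount
+allow sensors_config self:capability sys_admin;
+
+# Tries to delete /data/calibration (don't allow)
+dontaudit sensors_config system_data_file:dir remove_name;
+dontaudit sensors_config self:capability dac_override;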
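Review bot: The mount and read rules are written against `sdcard_external`, which is the label the PER partition carries in the quoted denials (dev=mmcblk0p7), so this root domain with `sys_admin` may mount, unmount and read any filesystem with that label, not only the calibration partition. A dedicated type for the PER filesystem would tie the grant to that one partition. If that is out of scope for this commit, a comment such as `# PER currently carries the sdcard_external label; these rules cover every filesystem with that label` would record the trade-off. Similarly, the comment `# Execute toolbox commands` sits above `system_file:file execute_no_trans`, which covers every file labelled system_file rather than toolbox alone. The final `dontaudit ... dac_override` line has no comment of its own and hides the denial that the init.grouper.rc chown was added to avoid; something like `# DAC ownership is set up in init.grouper.rc; silence any remaining dac_override checks` would explain it.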