From e15af041ddc238eb68b2d544b87079f38ec8f1bd Mon Sep 17 00:00:00 2001 From: Bruce Po Date: Fri, 14 Jun 2024 15:26:53 -0700 Subject: [PATCH] Fix aocx selinux dumpstate permissions After switching aocxd to stable AIDL, we encountered some permissions issues associated with dumpstate: dumpstate: type=1400 audit(0.0:548): avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:aocxd:s0 tclass=binder permissive=0 dumpstate: type=1400 audit(0.0:17): avc: denied { use } for path="pipe:[214567]" dev="pipefs" ino=214567 scontext=u:r:aocxd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0 dumpstate: type=1400 audit(0.0:15): avc: denied { write } for path="pipe:[212933]" dev="pipefs" ino=212933 scontext=u:r:aocxd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=0 TEST: make selinux_policy -j128 adb push $ANDROID_PRODUCT_OUT/vendor/etc/selinux/* /vendor/etc/selinux adb reboot adb root adb bugreport BUG: 347156752 Change-Id: I188263ee9b186736a48fd3a0cfa83745e2e54108 --- aoc/sepolicy/aocxd.te | 3 +++ aoc/sepolicy/dumpstate.te | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 aoc/sepolicy/dumpstate.te diff --git a/aoc/sepolicy/aocxd.te b/aoc/sepolicy/aocxd.te index bcfcd7b..2eedf48 100644 --- a/aoc/sepolicy/aocxd.te +++ b/aoc/sepolicy/aocxd.te @@ -26,3 +26,6 @@ add_service(aocxd, aocx); # allow managing thread priority allow aocxd self:global_capability_class_set sys_nice; + +allow aocxd dumpstate:fd use; +allow aocxd dumpstate:fifo_file write; diff --git a/aoc/sepolicy/dumpstate.te b/aoc/sepolicy/dumpstate.te new file mode 100644 index 0000000..5b89fe1 --- /dev/null +++ b/aoc/sepolicy/dumpstate.te @@ -0,0 +1,2 @@ +# Allow dumpstate to talk to aocxd over binder +binder_call(dumpstate, aocxd)
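Review bot: in the aocxd.te hunk, the two new rules `allow aocxd dumpstate:fd use;` and `allow aocxd dumpstate:fifo_file write;` are added without a comment, while the rule just above them carries one (`# allow managing thread priority`); add a line such as `# allow writing dump output to the pipe dumpstate hands over` so the next reader does not have to dig up the avc denials from this commit message to understand why a vendor daemon may write to dumpstate's fifo. The grants themselves are the narrow counterpart of the quoted denials (tclass=fd `use` and tclass=fifo_file `write`, both with tcontext dumpstate), so they do not open aocxd to pipes owned by other domains.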
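Review bot: for the new aoc/sepolicy/dumpstate.te, note that `binder_call(dumpstate, aocxd)` grants more than the single `{ call }` that was denied: the macro also allows aocxd to `transfer` binder references back to dumpstate and lets dumpstate `use` fds received from aocxd, which is what a dump-over-binder reply needs, so it is the right fix, but the file's comment should say that dumpstate is the client and aocxd the server rather than just "talk to". Since this is a newly created file (`new file mode 100644`), confirm it is picked up by the vendor policy build rather than only the existing aocxd.te; the TEST steps in the description (`make selinux_policy`, push to /vendor/etc/selinux, then `adb bugreport`) cover that, so it would help to state in the commit message that the bugreport completed with no further aocxd or dumpstate denials.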