From 22ad11aa7191c68cb08fbd220222cf41afbba79c Mon Sep 17 00:00:00 2001
From: Ahmed Harhash
Date: Fri, 15 Apr 2022 09:17:29 +0200
Subject: [PATCH 1/8] avicii: sepolicy: Allow vendor.oneplus.hardware.camera to add interface

* 04-13 06:26:43.960 548 548 E SELinux : avc: denied { add } for interface=vendor.oneplus.hardware.CameraMDMHIDL::IOnePlusCameraMDM sid=u:r:hal_cameraHIDL_default:s0 pid=5541 scontext=u:r:hal_cameraHIDL_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0
* 04-13 06:26:43.970 548 548 E SELinux : avc: denied { add } for interface=vendor.oneplus.hardware.camera::IOnePlusCameraProvider sid=u:r:hal_cameraHIDL_default:s0 pid=5542 scontext=u:r:hal_cameraHIDL_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0
---
 sepolicy/vendor/hwservice_contexts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 04917f8..eb83860 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -7,6 +7,8 @@ vendor.nxp.nxpwiredse::INxpWiredSe u:obj
 vendor.oneplus.camera.CameraHIDL::IOnePlusCameraProvider u:object_r:hal_cameraHIDL_hwservice:s0
 vendor.oneplus.camera.CameraMDMHIDL::IOnePlusCameraMDM u:object_r:hal_cameraHIDL_hwservice:s0
 vendor.oneplus.fingerprint.extension::IVendorFingerprintExtensions u:object_r:hal_fingerprint_hwservice:s0
+vendor.oneplus.hardware.camera::IOnePlusCameraProvider u:object_r:default_android_hwservice:s0
+vendor.oneplus.hardware.CameraMDMHIDL::IOnePlusCameraMDM u:object_r:default_android_hwservice:s0
 vendor.oneplus.hardware.display::IOneplusDisplay u:object_r:hal_display_hwservice:s0
 vendor.oneplus.hardware.drmkey::IOneplusDrmKey u:object_r:hal_drmkey_hwservice:s0
 vendor.oneplus.hardware.ifaa::IOneplusIfaa u:object_r:hal_ifaa_hwservice:s0
-- 
GitLab

From 090ff7fbcf95a2fca886e531f19926d8ab2d0b39 Mon Sep 17 00:00:00 2001
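Review bot: Labelling the two new `vendor.oneplus.hardware.*` entries as `default_android_hwservice` does not grant the `add` that was denied — that label is the catch-all for interfaces not listed in hwservice_contexts, and the `tcontext` in both quoted denials is already `default_android_hwservice`, so these lines restate the state that produced the denial. The registering domain in both denials is `hal_cameraHIDL_default`, the same server that already owns the `vendor.oneplus.camera.*` interfaces two lines above under `hal_cameraHIDL_hwservice`, so the new entries should use that type: `vendor.oneplus.hardware.camera::IOnePlusCameraProvider u:object_r:hal_cameraHIDL_hwservice:s0` and `vendor.oneplus.hardware.CameraMDMHIDL::IOnePlusCameraMDM u:object_r:hal_cameraHIDL_hwservice:s0`. Patch 4/8 in this series makes exactly that correction; squashing it into this commit avoids landing an intermediate revision in which camera HAL registration is still denied.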
From: Ahmed Harhash
Date: Fri, 15 Apr 2022 09:27:27 +0200
Subject: [PATCH 2/8] avicii: sepolicy: Allow kernel to read and write to block device

* 04-13 06:26:43.988 480 480 W kworker/7:4: type=1400 audit(0.0:3137): avc: denied { read write } for name="sde67" dev="tmpfs" ino=15438 scontext=u:r:kernel:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
---
 sepolicy/vendor/kernel.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index ede180b..3dfe90f 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -11,3 +11,6 @@ allow kernel oem_block_device:blk_file rw_file_perms;
 # Allow kernel to read and write to param_block_device
 allow kernel param_block_device:blk_file rw_file_perms;
+
+# Allow kernel to read and write to block device
+allow kernel block_device:blk_file rw_file_perms;
-- 
GitLab

From 29e1ce5e75507604ce1971f5a85b5e5db3e7b7d7 Mon Sep 17 00:00:00 2001
From: Ahmed Harhash
Date: Mon, 25 Apr 2022 20:42:50 +0200
Subject: [PATCH 3/8] avicii: Sepolicy: Address secure element denials

---
 sepolicy/vendor/hal_secure_element_default.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 sepolicy/vendor/hal_secure_element_default.te

diff --git a/sepolicy/vendor/hal_secure_element_default.te b/sepolicy/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..d29336a
--- /dev/null
+++ b/sepolicy/vendor/hal_secure_element_default.te
@@ -0,0 +1,2 @@
+dontaudit hal_secure_element_default debugfs_ipc:dir search;
+get_prop(hal_secure_element_default, persist_nfc_prop)
-- 
GitLab

From 343e3f104efd785be1b626f9cb44c24be05c94cc Mon Sep 17 00:00:00 2001
From: Ahmed Harhash
Date: Tue, 26 Apr 2022 07:53:06 +0200
Subject: [PATCH 4/8] avicii: sepolicy: default_android_hwservice -> hal_cameraHIDL_hwservice

---
 sepolicy/vendor/hwservice_contexts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
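Review bot: `allow kernel block_device:blk_file rw_file_perms;` grants the kernel domain read/write on every block node that still carries the generic `block_device` label, while the quoted denial names a single node, `sde67`. The two rules directly above already show the narrower pattern this file follows — a dedicated type per partition (`oem_block_device`, `param_block_device`) — so the same should be done here: give `sde67` (via its by-name entry in file_contexts) a device-specific type and grant only `allow kernel <that_type>:blk_file rw_file_perms;`. The denial is raised from a `kworker` thread, so the commit message should also record which kernel work item opens this partition; without that, the new comment `# Allow kernel to read and write to block device` explains nothing a reviewer can check.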
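Review bot: The commit message for patch 3/8 says only "Address secure element denials" and, unlike patches 1 and 2, quotes no avc lines, so neither new rule can be checked against what was actually denied — please paste the denials for the `debugfs_ipc:dir search` lookup and the `persist_nfc_prop` read. The first line is a `dontaudit`, which silences the debugfs probe rather than granting it; that is the right choice if the HAL runs fine without debugfs, and the file should say so: `# Silence the HAL's debugfs probe; it is not needed at runtime.` For the second line, a short comment naming the persist NFC value the secure-element HAL reads (presumably a `persist.nfc.*` key) would document why this HAL depends on NFC properties at all.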
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index eb83860..63905a7 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -7,8 +7,8 @@ vendor.nxp.nxpwiredse::INxpWiredSe u:obj
 vendor.oneplus.camera.CameraHIDL::IOnePlusCameraProvider u:object_r:hal_cameraHIDL_hwservice:s0
 vendor.oneplus.camera.CameraMDMHIDL::IOnePlusCameraMDM u:object_r:hal_cameraHIDL_hwservice:s0
 vendor.oneplus.fingerprint.extension::IVendorFingerprintExtensions u:object_r:hal_fingerprint_hwservice:s0
-vendor.oneplus.hardware.camera::IOnePlusCameraProvider u:object_r:default_android_hwservice:s0
-vendor.oneplus.hardware.CameraMDMHIDL::IOnePlusCameraMDM u:object_r:default_android_hwservice:s0
+vendor.oneplus.hardware.camera::IOnePlusCameraProvider u:object_r:hal_cameraHIDL_hwservice:s0
+vendor.oneplus.hardware.CameraMDMHIDL::IOnePlusCameraMDM u:object_r:hal_cameraHIDL_hwservice:s0
 vendor.oneplus.hardware.display::IOneplusDisplay u:object_r:hal_display_hwservice:s0
 vendor.oneplus.hardware.drmkey::IOneplusDrmKey u:object_r:hal_drmkey_hwservice:s0
 vendor.oneplus.hardware.ifaa::IOneplusIfaa u:object_r:hal_ifaa_hwservice:s0
-- 
GitLab

From a3f7d12b04334bf707b00f5c9e5c900fbddb2d02 Mon Sep 17 00:00:00 2001
From: Ahmed Harhash
Date: Tue, 26 Apr 2022 07:57:04 +0200
Subject: [PATCH 5/8] avicii: sepolicy: Allow hal_secure_element_default to find hal_nfc_hwservice.

---
 sepolicy/vendor/hal_secure_element_default.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sepolicy/vendor/hal_secure_element_default.te b/sepolicy/vendor/hal_secure_element_default.te
index d29336a..9d9f821 100644
--- a/sepolicy/vendor/hal_secure_element_default.te
+++ b/sepolicy/vendor/hal_secure_element_default.te
@@ -1,2 +1,3 @@
 dontaudit hal_secure_element_default debugfs_ipc:dir search;
 get_prop(hal_secure_element_default, persist_nfc_prop)
+hal_client_domain(hal_secure_element_default, hal_nfc);
-- 
GitLab
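Review bot: This relabel reverses the label chosen by patch 1/8 of the same series, so the two commits should be squashed; as sent, the series lands a revision in which the camera HAL's `add` is still denied. If they stay separate, the message should give the reason the new type is right — the denials quoted in patch 1 show the registering domain is `hal_cameraHIDL_default`, which already serves the `vendor.oneplus.camera.*` interfaces above under `hal_cameraHIDL_hwservice`, so presumably these are the same HAL under a second HIDL package name. A comment above the two entries, `# Same camera HAL (hal_cameraHIDL_default) under its vendor.oneplus.hardware package name`, would stop a later reader from treating the duplicate interface names as unrelated services.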
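Review bot: `hal_client_domain(hal_secure_element_default, hal_nfc);` in patch 5/8 grants considerably more than the `find` on `hal_nfc_hwservice` that the subject line describes: in AOSP's macro it attaches the `hal_nfc_client` attribute, which pulls in every rule written for NFC HAL clients, notably hwbinder calls to and from the NFC HAL server. That is the correct macro if the SE HAL really talks to the NFC HAL — a wired-SE-through-the-NFC-controller setup, which the `vendor.nxp.nxpwiredse` entry in hwservice_contexts hints at — but the commit message should say so and quote the denial, e.g. `Allow hal_secure_element_default to act as an NFC HAL client (the SE is reached through the NFC controller)`. If only the lookup is intended, the narrower `allow hal_secure_element_default hal_nfc_hwservice:hwservice_manager find;` exists, though the HAL would then fail at its first hwbinder call.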
From d87ef6d6987d36e222943bb003c89af653045662 Mon Sep 17 00:00:00 2001
From: Ahmed Harhash
Date: Tue, 26 Apr 2022 08:26:39 +0200
Subject: [PATCH 6/8] avicii: sepolicy: Address zRAM denials

---
 sepolicy/pirvate/system_app.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 sepolicy/pirvate/system_app.te

diff --git a/sepolicy/pirvate/system_app.te b/sepolicy/pirvate/system_app.te
new file mode 100644
index 0000000..0f8fe94
--- /dev/null
+++ b/sepolicy/pirvate/system_app.te
@@ -0,0 +1,2 @@
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file rw_file_perms;
-- 
GitLab

From 1ab3b2a85353378c74b58f23b9c93318e661ad1c Mon Sep 17 00:00:00 2001
From: Ahmed Harhash
Date: Tue, 26 Apr 2022 08:31:12 +0200
Subject: [PATCH 7/8] avicii: Sepolicy: Allow system_app to read /proc/pagetypeinfo

---
 sepolicy/pirvate/system_app.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sepolicy/pirvate/system_app.te b/sepolicy/pirvate/system_app.te
index 0f8fe94..a824431 100644
--- a/sepolicy/pirvate/system_app.te
+++ b/sepolicy/pirvate/system_app.te
@@ -1,2 +1,4 @@
 allow system_app sysfs_zram:dir search;
 allow system_app sysfs_zram:file rw_file_perms;
+allow system_app proc_pagetypeinfo:file r_file_perms;
+
-- 
GitLab

From 1c7e7ee3bb290d62a2020b28aacaa2a8087db76f Mon Sep 17 00:00:00 2001
From: Ahmed Harhash
Date: Tue, 26 Apr 2022 08:41:03 +0200
Subject: [PATCH 8/8] avicii: sepolicy: Allow secure_element to get NFC props

---
 sepolicy/vendor/secure_element.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 sepolicy/vendor/secure_element.te

diff --git a/sepolicy/vendor/secure_element.te b/sepolicy/vendor/secure_element.te
new file mode 100644
index 0000000..9d8ebc5
--- /dev/null
+++ b/sepolicy/vendor/secure_element.te
@@ -0,0 +1 @@
+get_prop(secure_element, vendor_nfc_prop)
-- 
GitLab
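Review bot: The new file in patch 6/8 is created under `sepolicy/pirvate/`, which reads as a typo of `private`; if the device's `BOARD_PLAT_PRIVATE_SEPOLICY_DIR` points at `sepolicy/private`, this file is never compiled into the policy and the denial it targets persists. Beyond the path, `allow system_app sysfs_zram:file rw_file_perms;` lets every app running in the `system_app` domain write zram control files in sysfs, and the commit message names no app and quotes no denial, so the grant cannot be matched to the process that needs it. Name the app, quote the avc line, and prefer the narrowest target that satisfies it — read-only if the app only inspects zram statistics — with a comment stating the purpose, e.g. `# <app> reads zram usage from sysfs`.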
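Review bot: `/proc/pagetypeinfo` carries its own `proc_pagetypeinfo` label precisely so it is not swept up in the generic proc access apps already have, since it exposes the kernel's page-allocator layout; granting it to all of `system_app` in patch 7/8 should be justified by naming the app and quoting the denial in the message rather than relying on the bare title. The hunk also appends an empty `+` line at the end of the file, leaving a trailing blank line; drop it. As with patch 6, the file lives under `sepolicy/pirvate/`, so confirm that directory is actually wired into the build.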
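Review bot: `get_prop(secure_element, vendor_nfc_prop)` in patch 8/8 has a platform domain (`secure_element` is the system SE service, a coredomain) read a vendor-owned property, which crosses the system/vendor property boundary that AOSP's property neverallow rules police; depending on how `vendor_nfc_prop` is declared on this device the rule may be rejected at policy build time, and if it compiles it should be confirmed that the property is one vendor intentionally exposes to system rather than assumed. The rule is also placed in `sepolicy/vendor/secure_element.te` while it targets a system domain, arguably the wrong side of the split. The message quotes no denial, so please add it and a comment naming the value being read, e.g. `# secure_element reads a vendor.nfc.* value — confirm which one and why`.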