Add directory read permissions to certain domains.

Addresses the following denials and auditallows: avc: denied { read } for pid=561 comm="hwservicemanage" name="hw" dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0" ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: granted { read open } for pid=735 comm="fingerprintd" path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0 tcontext=u:object_r:system_file:s0 tclass=dir Test: no denials on boot Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f

Add directory read permissions to certain domains.
Addresses the following denials and auditallows: avc: denied { read } for pid=561 comm="hwservicemanage" name="hw" dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0" ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: granted { read open } for pid=735 comm="fingerprintd" path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0 tcontext=u:object_r:system_file:s0 tclass=dir Test: no denials on boot Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f
49e35884 · Nick Kralevich · 8fe7b8d2 · 49e35884 · 49e35884 · 49e35884
Commit 49e35884 authored 8 years ago by Nick Kralevich
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -27,6 +27,7 @@ allow domain_deprecated system_file:file r_file_perms;
 auditallow {
  domain_deprecated
  -appdomain
+  -fingerprintd
  -init
  -installd
  -rild

--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -3,6 +3,9 @@ type fingerprintd_exec, exec_type, file_type;

 binder_use(fingerprintd)

+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
 # need to find KeyStore and add self
 allow fingerprintd fingerprintd_service:service_manager { add find };


--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -10,6 +10,9 @@ allow gatekeeperd ion_device:chr_file r_file_perms;
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };

+# Scan through /system/lib64/hw looking for installed HALs
+allow gatekeeperd system_file:dir r_dir_perms;
+
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };

--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -13,6 +13,9 @@ allow hwservicemanager { domain -init }:binder transfer;

 set_prop(hwservicemanager, hwservicemanager_prop)

+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
 # TODO once hwservicemanager checks whether HALs are
 # allowed to register a certain service, add policy here
 # for allowing to check SELinux permissions.