
device-sony-sepolicy's Introduction

sepolicy for SODP

This sepolicy is suitable for SODP supported devices when building on AOSP. Where possible, we follow the structure, style, and naming conventions found in the sepolicy written for Google devices.

When submitting patches please include the following in the commit message:

  1. The AVC denial you wish to resolve
  2. Why you think this is the correct sepolicy
  3. Steps to reproduce the denial

Failure to include the above may result in your patch being rejected.

This sepolicy also requires device-specific file_contexts and genfs_contexts, which can be found in each platform's git repository.

License

See LICENSE.md.

Formatting Tips

General

  • Group declarations of the same type together
  • When adding file permissions, first the dir line, then the file line
  • Use macros whenever possible (look for te_macros, global_macros in system/sepolicy/public/)

Recommended Order

  1. Documentation, if any
  2. domain, mydomain_exec
  3. init_daemon_domain or app_domain
  4. hal_server_domain() and equivalents
  5. typeattribute violation declarations
  6. binder_use() and equivalents; get_prop(..., hwservicemanager_prop) goes here too
  7. add_service() and equivalents
  8. binder_call(), finding services and equivalents
  9. Miscellaneous things like wakelock_use() and capability
  10. get/set_prop()
  11. unix_socket_connect() and other socket stuff
  12. device access
  13. File permissions, ioctl
  14. kernel and module requests
  15. dontaudit
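As an added example (not part of this repository), the following Python script applies the General tips and the Recommended Order above to raw AVC denials of the kind pasted in the issues below: it merges denials per (domain, type, class), swaps in a te_macros macro where one maps one-to-one (add_service, binder_call), groups rules of the same target type, puts the dir line before the file line, and sorts the rest into the README's section slots. The sample log is constructed and the slot mapping for each tclass is this script's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample log: denials of the kind quoted in this repository's issues.
DENIALS = """\
avc: denied { add } for service=media.camera pid=529 uid=1013 scontext=u:r:mediaserver:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0
avc: denied { find } for service=media.camera.proxy pid=532 uid=1013 scontext=u:r:mediaserver:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager permissive=0
avc: denied { search } for name="ad" dev="sysfs" ino=9901 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { write } for name="ad" dev="sysfs" ino=9902 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { call } for scontext=u:r:hal_bluetooth_default:s0 tcontext=u:r:zygote:s0 tclass=binder permissive=1
"""

AVC = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} for .*?scontext=u:r:(?P<src>\w+):s0 "
                 r"tcontext=u:(?:r|object_r):(?P<tgt>\w+):s0 tclass=(?P<cls>\w+)")

def section(cls, perms):
    """Map a denial to its slot in the README's 'Recommended Order' (assumed mapping)."""
    if cls == "service_manager" and "add" in perms:
        return 7                      # add_service() and equivalents
    if cls in ("service_manager", "binder"):
        return 8                      # binder_call(), finding services
    if cls == "property_service":
        return 10                     # get/set_prop()
    if cls.endswith("socket"):
        return 11                     # unix_socket_connect() and other socket stuff
    if cls in ("chr_file", "blk_file"):
        return 12                     # device access
    if cls in ("dir", "file", "lnk_file", "fifo_file", "sock_file"):
        return 13                     # file permissions
    return 9                          # miscellaneous (fd, capability, ...)

def rule(src, tgt, cls, perms):
    """Use a te_macros macro where one maps 1:1; otherwise emit a raw allow line."""
    if cls == "service_manager" and perms == {"add"}:
        return f"add_service({src}, {tgt})"
    if cls == "binder" and perms == {"call"}:
        return f"binder_call({src}, {tgt})"
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"

def generate(log):
    """Merge denials per (domain, type, class) and return ordered rules per domain."""
    merged = defaultdict(set)
    for m in AVC.finditer(log):
        merged[(m["src"], m["tgt"], m["cls"])] |= set(m["perms"].split())
    per_domain = defaultdict(list)
    for (src, tgt, cls), perms in merged.items():
        key = (section(cls, perms), tgt, 0 if cls == "dir" else 1)  # dir before file
        per_domain[src].append((key, rule(src, tgt, cls, perms)))
    return {d: [r for _, r in sorted(rules)] for d, rules in per_domain.items()}
```

Each returned list is the body of one domain's .te file; the generated rules are a starting point only, since a rule that collides with a neverallow in system/sepolicy (like the vfat case in the issues below) will still be rejected by checkpolicy.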

device-sony-sepolicy's People

Contributors

abioteau, adriandc, alviteri, bartcubbins, buzzbumblebee, diewi, enjens, haxk20, humberos, ix5, jeffvanderstoep, jerpelea, jlivings, julienbolard, kholk, konradybcio, luk1337, magnus4, marijns95, maxbires, myself5, oshmoun, pablomh, sonyxperiadev, spiritcroc, stellirin, tomgus1, tstein, voidanix


device-sony-sepolicy's Issues

surfaceflinger denials on M and N related to google cam

07-08 09:42:36.636 I/surfaceflinger(372): type=1400 audit(0.0:83): avc: denied { write } for name="ad" dev="sysfs" ino=9902 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

surfaceflinger.te
allow surfaceflinger sysfs:file w_file_perms;

as a provisional fix

checkpolicy failure when building AOSP N

(edit: 7.0 is N, not M. :) )

0e28686 appears to have broken the N build. The second line from device/sony/sepolicy/untrusted_app.te,

allow untrusted_app vfat:file create;

apparently conflicts with this stanza from system/sepolicy/untrusted_app.te:176:

# Do not allow untrusted_app to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow untrusted_app {
  fs_type
  -fuse                     # sdcard
  -sdcardfs                 # sdcard
  file_type
  -app_data_file            # The apps sandbox itself
  -media_rw_data_file       # Internal storage. Known that apps can
                            # leave artifacts here after uninstall.
  -user_profile_data_file   # Access to profile files
  -user_profile_foreign_dex_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file # only on ro.debuggable=1
    -coredump_file          # userdebug/eng only
  ')
}:dir_file_class_set { create unlink };

Commenting out that line in the Sony file fixes the build.

This file gained a reference to vfat in 7.1, but it looks like that should have created the problem, not solved it. (This is my first time looking at te definitions, so maybe I've got it backwards. :) )

I'm building 7.0.0_r24 for e5823 and can reproduce this after a make clean/repo init/repo sync. Let me know if I can provide more information from my tree or try something else.

The full error:

[  0% 8/33495] build out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy
FAILED: /bin/bash -c "(out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/suzuran/obj/ETC/sepolicy_intermediates/policy.conf ) && (out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/suzuran/obj/ETC/sepolicy_intermediates//sepolicy.dontaudit out/target/product/suzuran/obj/ETC/sepolicy_intermediates/policy.conf.dontaudit ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then              echo \"==========\" 1>&2;               echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;             echo \"List of invalid domains:\" 1>&2;              cat out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2;          exit 1;                 fi ) && (mv out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/suzuran/obj/ETC/sepolicy_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 195 of system/sepolicy/untrusted_app.te (or line 18262 of policy.conf) violated by allow untrusted_app vfat:file { create };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/suzuran/obj/ETC/sepolicy_intermediates/policy.conf
ninja: build stopped: subcommand failed.
build/core/ninja.mk:148: recipe for target 'ninja_wrapper' failed
make: *** [ninja_wrapper] Error 1

zygote services

04-12 01:32:23.694 697 697 I Binder:697_1: type=1400 audit(0.0:578): avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=13989 scontext=u:r:zygote:s0 tcontext=u:r:hal_graphics_allocator_default:s0 tclass=fd permissive=1
04-12 01:32:23.714 2098 2098 I RenderThread: type=1400 audit(0.0:579): avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=16596 ioctlcmd=0x945 scontext=u:r:zygote:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
04-12 01:32:24.764 2098 2098 I ndroid.settings: type=1400 audit(0.0:627): avc: denied { read } for scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=1
04-12 01:32:25.014 2067 2067 I Binder:2067_9: type=1400 audit(0.0:631): avc: denied { use } for path="/dev/ashmem" dev="tmpfs" ino=17563 ioctlcmd=0x7704 scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=fd permissive=1
04-12 01:32:25.824 675 675 I HwBinder:675_1: type=1400 audit(0.0:645): avc: denied { call } for scontext=u:r:hal_bluetooth_default:s0 tcontext=u:r:zygote:s0 tclass=binder permissive=1

@ix5 @jerpelea

mediaserver denials in AOSP N

I'm currently building 7.1.1_r25 for e5823 with a fresh tree and extra attention to following the instructions (thanks, jerpelea :) ). Opening the camera hangs on a black screen with the following denial in logcat:
avc: denied { add } for service=media.camera pid=529 uid=1013 scontext=u:r:mediaserver:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive= 0

With that permitted, there's a second denial:
avc: denied { find } for service=media.camera.proxy pid=532 uid=1013 scontext=u:r:mediaserver:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager permissive=0

audit2allow generated these two rules, which I added to mediaserver.te:

allow mediaserver cameraserver_service:service_manager add;
allow mediaserver cameraproxy_service:service_manager find;

Subsequent builds have no camera-related denials, and the camera works. I'm submitting this as an issue rather than a pull request because I'm not sure what the root cause is or if this is the right way to fix it. Please let me know if you need any additional info.

[n-mr1] Build failure on latest aosp sources

When trying to build the latest AOSP sources (7.1.2r11), the build fails due to sepolicy:

libsepol.report_failure: neverallow on line 204 of system/sepolicy/untrusted_app.te (or line 19699 of policy.conf) violated by allow untrusted_app vfat:file { create };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

This is similar to issue #142, so is a similar solution needed?
https://github.com/SonyAosp/device_sony_sepolicy/commit/01724dd80617285a4d129afcfbf2a9f427cd2ba6

Just built successfully by following the same changes as the mentioned commit, removing the following:
-allow untrusted_app vfat:file create;
