New sensors-config selinux policy.

init.grouper.rc:
 We chown both /data/sensors and /data/lightsensor
 to root,root in init to avoid dac_override denials.
 sensors-config runs as root and would otherwise
 generate denials when trying to access
 /data/sensors and /data/lightsensor. The
 sensors-config binary does a chown to
 system,system as its final operation.

sensors_config.te:

1) Allow executing toolbox:
 denied  { execute } for  pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
 denied  { read open } for  pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
 denied  { execute_no_trans } for  pid=139 comm="sensors-config" path="/system/bin/mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
 denied  { execute_no_trans } for  pid=144 comm="sh" path="/system/bin/toolbox" dev=mmcblk0p3 ino=262 scontext=u:r:sensors_config:s0 tcontext=u:object_r:system_file:s0 tclass=file

2) Mounting and reading from PER block device:
 denied  { mounton } for  pid=127 comm="sensors-config" path="/data/calibration" dev=mmcblk0p9 ino=225345 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
 denied  { mount } for  pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
 denied  { unmount } for  pid=128 comm="sensors-config" scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
 denied  { read } for  pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
 denied  { open } for  pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
 denied  { getattr } for  pid=128 comm="sensors-config" path="/data/calibration/sensors/KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
 denied  { search } for  pid=128 comm="sensors-config" name="block" dev=tmpfs ino=5252 scontext=u:r:sensors_config:s0 tcontext=u:object_r:block_device:s0 tclass=dir
 denied  { search } for  pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir

3) Chown and chmod /data/lightsensor, /data/sensors
 denied  { chown } for  pid=408 comm="chown" capability=0  scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
 denied  { fowner } for  pid=403 comm="chmod" capability=3  scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability

4) Mount and umount commands
 denied  { sys_admin } for  pid=128 comm="sensors-config" capability=21  scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability

Change-Id: I08a523766b9b55620c36fcc85793f1a27275edbc
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/init.grouper.rc b/init.grouper.rc
index b28ed51..ecba6b1 100644
--- a/init.grouper.rc
+++ b/init.grouper.rc
@@ -57,8 +57,14 @@
     chown bluetooth net_bt_stack /data/misc/bluetooth
 
     # sensors-config
-    mkdir /data/sensors 751 system system
-    mkdir /data/lightsensor 751 system system
+    mkdir /data/sensors 751
+    # /data/sensors was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/sensors
+    mkdir /data/lightsensor 751
+    # /data/lightsensor was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/lightsensor
     mkdir /data/calibration
     mkdir /data/amit
 
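Review bot: The new comments above each `chown root root` say what is forced but not why, so a later cleanup could restore `system system` and bring back the need for dac_override in the sensors_config domain. I would state the reason in the comment itself, e.g. `# Owned by root so sensors-config (runs as root) needs no dac_override; it chowns to system/system when done.` Per the commit description, the hand-back to system,system is the binary's final operation, so if sensors-config exits early both directories presumably stay root:root with mode 751. It is worth confirming that whatever reads /data/sensors and /data/lightsensor tolerates that state.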
diff --git a/sepolicy/sensors_config.te b/sepolicy/sensors_config.te
index 2669715..967cbe2 100644
--- a/sepolicy/sensors_config.te
+++ b/sepolicy/sensors_config.te
@@ -7,4 +7,28 @@
 type sensors_data_file, file_type, data_file_type;
 init_daemon_domain(sensors_config)
 file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
-unconfined_domain(sensors_config)
+
+# Execute toolbox commands
+allow sensors_config shell_exec:file rx_file_perms;
+allow sensors_config system_file:file execute_no_trans;
+
+# Mount /dev/block/platform/sdhci-tegra.3/by-name/PER
+allow sensors_config sensors_data_file:dir mounton;
+allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config { sdcard_external block_device }:dir search;
+
+# Read from the mounted PER partition
+allow sensors_config sdcard_external:file r_file_perms;
+
+# Need to chmod and chown files (/data/lightsensor, /data/sensors)
+allow sensors_config self:capability { chown fowner };
+
+# Checked as a side effect on the chmod (don't allow)
+dontaudit sensors_config self:capability { fsetid };
+
+# Needed for mount/umount
+allow sensors_config self:capability sys_admin;
+
+# Tries to delete /data/calibration (don't allow)
+dontaudit sensors_config system_data_file:dir remove_name;
+dontaudit sensors_config self:capability dac_override;
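Review bot: The PER mount and read rules are written against `sdcard_external`, which is the label the denials show for mmcblk0p7 but, judging by its name, is presumably also the label carried by external storage. Combined with `self:capability sys_admin`, the lines `allow sensors_config sdcard_external:filesystem { mount unmount };` and `allow sensors_config sdcard_external:file r_file_perms;` then let this root domain mount and read anything with that label, not only the calibration files. If the mount performed by sensors-config can be given its own label (for example through a `context=` mount option with a dedicated type, placeholder name `per_calibration_file`), the grant would stay limited to the PER partition; if not, a comment recording the breadth would help. Separately, the final `dontaudit ... dac_override` line sits under the "/data/calibration" comment and would read better with its own, e.g. `# Runs as root; /data/sensors and /data/lightsensor are root-owned by init.grouper.rc, so dac_override is not granted`.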