Low Power Monitor security policies for wahoo

Adds a security policy allowing ConnectivityMonitor to access the new
system property controlling startup of the Low Power Monitor service.

Also adds security policies allowing ConnectivityMonitor to access the
device PowerHAL service, which is used on 2017 devices to obtain low
power operation stats.

Error 1 (related to PowerHAL access):
01-24 11:20:41.444   589   589 E SELinux : avc:  denied  { find }
for interface=android.hardware.power::IPower pid=3964
scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768
tcontext=u:object_r:hal_power_hwservice:s0 tclass=hwservice_manager
permissive=0
Policy 1:
allow con_monitor_app hal_power_hwservice:hwservice_manager find;

Error 2 (also related to PowerHAL access):
01-24 11:28:37.527  3971  3971 W ectivitymonitor: type=1400
audit(0.0:12): avc: denied { call } for
scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768
tcontext=u:r:hal_power_default:s0 tclass=binder permissive=0
Policy 2:
allow con_monitor_app hal_power_default:binder call;

Error 3 (related to setting system property):
01-24 11:37:41.853  3756  3756 W libc    : Unable to set property
"persist.radio.poweranomaly.start" to "disabled": error code: 0x18
01-24 11:37:41.854  3756  3756 D AndroidRuntime: Shutting down VM
--------- beginning of crash
01-24 11:37:41.855  3756  3756 E AndroidRuntime: FATAL EXCEPTION: main
01-24 11:37:41.855  3756  3756 E AndroidRuntime: Process:
com.google.android.connectivitymonitor, PID: 3756
01-24 11:37:41.855  3756  3756 E AndroidRuntime:
java.lang.RuntimeException: Unable to start receiver
com.google.android.connectivitymonitor.GservicesChangeReceiver:
java.lang.RuntimeException: failed to set system property
Policy 3:
persist.radio.lowpowermonitor.start u:object_r:tel_mon_prop:s0



Bug:35955665
Test: All policies taken from audit2allow (see commit text) and tested
before/after policy change to establish correctness.

Change-Id: I02bb85a8fd39f3003c035a1ac8f28622d1f0ecc2
diff --git a/sepolicy/vendor/con_monitor.te b/sepolicy/vendor/con_monitor.te
index 96483ac..ee1f0f0 100644
--- a/sepolicy/vendor/con_monitor.te
+++ b/sepolicy/vendor/con_monitor.te
@@ -7,3 +7,6 @@
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
+allow con_monitor_app hal_power_hwservice:hwservice_manager find;
+allow con_monitor_app hal_power_default:binder call;
+
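Review bot: the second added rule names the implementation domain `hal_power_default` directly, so the grant is tied to the default Power HAL service and would need revisiting if the HAL ever runs under a different domain. If this tree provides the HAL client macro, consider `hal_client_domain(con_monitor_app, hal_power)` in place of the two hand-written rules, after checking that it does not grant more than the `find` and `call` the denials show. A one-line comment above the new rules stating that the access is for reading low power stats would help later audits of this domain. The trailing `+` line adds an empty line at the end of the file and can be dropped.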
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 611b45e..3c3046b 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -22,6 +22,7 @@
 sys.modem.diag.            u:object_r:modem_diag_prop:s0
 persist.radio.enable_tel_mon  u:object_r:tel_mon_prop:s0
 persist.radio.poweranomaly.start u:object_r:tel_mon_prop:s0
+persist.radio.lowpowermonitor.start u:object_r:tel_mon_prop:s0
 sys.time.set               u:object_r:sys_time_prop:s0
 persist.radio.atfwd.start  u:object_r:atfwd_start_prop:s0
 sys.logger.bluetooth       u:object_r:bluetooth_log_prop:s0
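Review bot: the added `persist.radio.lowpowermonitor.start` entry does not match the Error 3 log in the commit message, which shows a failure setting `persist.radio.poweranomaly.start`, a property already labeled on the context line directly above. Please attach the denial for the new property or say in the message that the log comes from the older property. The new key also reuses `tel_mon_prop`, so every domain already allowed to set that type gains control of Low Power Monitor startup, and this patch adds no `set_prop` rule of its own, so it relies on a grant outside the visible hunks. If only ConnectivityMonitor should toggle this service, a dedicated property type would keep the grant narrower.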