Improve thermald selinux policy. Addressed the following denials. * CPU hotplug uevent denied { read } for pid=232 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=netlink_kobject_uevent_socket denied { create } for pid=237 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=netlink_kobject_uevent_socket * Talk to qmuxd denied { write } for pid=234 comm="thermald" name="qmux_connect_socket" dev="tmpfs" ino=7658 scontext=u:r:thermald:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file denied { connectto } for pid=234 comm="thermald" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:thermald:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket * Access shared and diagnostic loggers denied { read write } for pid=182 comm="thermald" name="smem_log" dev="tmpfs" ino=5431 scontext=u:r:thermald:s0 tcontext=u:object_r:device:s0 tclass=chr_file denied { open } for pid=182 comm="thermald" name="smem_log" dev="tmpfs" ino=5431 scontext=u:r:thermald:s0 tcontext=u:object_r:device:s0 tclass=chr_file denied { ioctl } for pid=182 comm="thermald" path="/dev/smem_log" dev="tmpfs" ino=5431 scontext=u:r:thermald:s0 tcontext=u:object_r:device:s0 tclass=chr_file denied { read write } for pid=240 comm="thermald" name="diag" dev="tmpfs" ino=6256 scontext=u:r:thermald:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file * Access /sys/devices/system/cpu/ denied { read } for pid=182 comm="thermald" name="cpuinfo_max_freq" dev="sysfs" ino=17431 scontext=u:r:thermald:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file denied { open } for pid=182 comm="thermald" name="cpuinfo_max_freq" dev="sysfs" ino=17431 scontext=u:r:thermald:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file denied { getattr } for pid=182 comm="thermald" path="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" dev="sysfs" ino=17431 scontext=u:r:thermald:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file * Creates its own sockets and r/w to them denied { create } for pid=237 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=socket denied { ioctl } for pid=237 comm="thermald" path="socket:[7888]" dev="sockfs" ino=7888 scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=socket denied { read } for pid=253 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=socket Also, changed the group of the process to radio. This will allow us to avoid dac_override denials on accessing /dev/diag and when unlinking client sockets under /dev/socket/qmux_radio. Change-Id: Ie5a394b75cbab82a200902af9d6fc624e6b6facc Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

commit: 5623619aa9757c7378910ae7d30400bc3dd53d95 [log] [tgz]
author: Robert Craig <rpcraig@tycho.ncsc.mil> Thu Oct 31 06:53:35 2013 -0400
committer: Robert Craig <rpcraig@tycho.ncsc.mil> Thu Oct 31 14:08:50 2013 -0400
tree: e03155a48075211bbf0bb052aeaeb59dad96761f
parent: 1dd04af3a04f864429d9dd2d4fca9f6128a8b9b0 [diff]
diff --git a/init.mako.rc b/init.mako.rc
index a66f1ee..767f0b0 100644
--- a/init.mako.rc
+++ b/init.mako.rc

@@ -378,6 +378,7 @@
 
 service thermald /system/bin/thermald
     class main
+    group radio
 
 service mpdecision /system/bin/mpdecision --no_sleep --avg_comp
     class main

diff --git a/sepolicy/device.te b/sepolicy/device.te
index 1a204d6..f6b6bd9 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te

@@ -17,4 +17,7 @@
 type smd_device, dev_type;
 
 # Radio related block device
-type efs_block_device, dev_type;
\ No newline at end of file
+type efs_block_device, dev_type;
+
+# Shared memory logger
+type shared_log_device, dev_type;

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7711c0a..e739716 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts

@@ -38,6 +38,7 @@
 /dev/smd3                              u:object_r:hci_attach_dev:s0
 # Default label for shared memory drivers
 /dev/smd([0-9])+                       u:object_r:smd_device:s0
+/dev/smem_log                          u:object_r:shared_log_device:s0
 
 # Serial console
 /dev/ttyHS0                            u:object_r:hci_attach_dev:s0

diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
index 585141b..aca3fc7 100644
--- a/sepolicy/thermald.te
+++ b/sepolicy/thermald.te

@@ -6,4 +6,27 @@
 init_daemon_domain(thermald)
 
 permissive thermald;
-unconfined_domain(thermald)
+
+allow thermald self:socket create_socket_perms;
+
+# CPU hotplug uevent
+allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };
+allow thermald self:capability net_admin;
+
+# Talk to qmuxd (/dev/socket/qmux_radio)
+qmux_socket(thermald)
+
+# Access shared logger (/dev/smem_log) and diagnostic logger (/dev/diag)
+allow thermald { shared_log_device diag_device }:chr_file rw_file_perms;
+
+# Access /sys/devices/system/cpu/
+allow thermald sysfs_devices_system_cpu:file rw_file_perms;
+
+# Some files in /sys/devices/system/cpu may pop in and out of existance,
+# defeating our attempt to label them. As a result, they could have the
+# sysfs label, not the sysfs_devices_system_cpu label.
+# Allow write access for now until we figure out a better solution.
+# For example, the following files pop in and out of existance:
+# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
+# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
+allow thermald sysfs:file write;
commit	5623619aa9757c7378910ae7d30400bc3dd53d95	[log] [tgz]
author	Robert Craig <rpcraig@tycho.ncsc.mil>	Thu Oct 31 06:53:35 2013 -0400
committer	Robert Craig <rpcraig@tycho.ncsc.mil>	Thu Oct 31 14:08:50 2013 -0400
tree	e03155a48075211bbf0bb052aeaeb59dad96761f
parent	1dd04af3a04f864429d9dd2d4fca9f6128a8b9b0 [diff]