Improve thermald selinux policy.
Addressed the following denials.
* CPU hotplug uevent
denied { read } for pid=232 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=netlink_kobject_uevent_socket
denied { create } for pid=237 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=netlink_kobject_uevent_socket
* Talk to qmuxd
denied { write } for pid=234 comm="thermald" name="qmux_connect_socket" dev="tmpfs" ino=7658 scontext=u:r:thermald:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { connectto } for pid=234 comm="thermald" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:thermald:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
* Access shared and diagnostic loggers
denied { read write } for pid=182 comm="thermald" name="smem_log" dev="tmpfs" ino=5431 scontext=u:r:thermald:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=182 comm="thermald" name="smem_log" dev="tmpfs" ino=5431 scontext=u:r:thermald:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=182 comm="thermald" path="/dev/smem_log" dev="tmpfs" ino=5431 scontext=u:r:thermald:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { read write } for pid=240 comm="thermald" name="diag" dev="tmpfs" ino=6256 scontext=u:r:thermald:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
* Access /sys/devices/system/cpu/
denied { read } for pid=182 comm="thermald" name="cpuinfo_max_freq" dev="sysfs" ino=17431 scontext=u:r:thermald:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
denied { open } for pid=182 comm="thermald" name="cpuinfo_max_freq" dev="sysfs" ino=17431 scontext=u:r:thermald:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
denied { getattr } for pid=182 comm="thermald" path="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" dev="sysfs" ino=17431 scontext=u:r:thermald:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
* Creates its own sockets and r/w to them
denied { create } for pid=237 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=socket
denied { ioctl } for pid=237 comm="thermald" path="socket:[7888]" dev="sockfs" ino=7888 scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=socket
denied { read } for pid=253 comm="thermald" scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=socket
Also, changed the group of the process to radio.
This will allow us to avoid dac_override denials
on accessing /dev/diag and when unlinking client
sockets under /dev/socket/qmux_radio.
Change-Id: Ie5a394b75cbab82a200902af9d6fc624e6b6facc
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/init.mako.rc b/init.mako.rc
index a66f1ee..767f0b0 100644
--- a/init.mako.rc
+++ b/init.mako.rc
@@ -378,6 +378,7 @@
service thermald /system/bin/thermald
class main
+ group radio
service mpdecision /system/bin/mpdecision --no_sleep --avg_comp
class main
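Review bot: The added `group radio` line has no comment, so the reason for it (avoiding dac_override denials on /dev/diag and when unlinking client sockets under /dev/socket/qmux_radio) is recorded only in the commit message. The stanza shown has no `user` option, so thermald presumably still runs as root and now also holds the radio gid; a reader of the rc file cannot tell that this is deliberate. Suggest adding above it `# gid radio: access /dev/diag and unlink qmux client sockets without dac_override`.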
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 1a204d6..f6b6bd9 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -17,4 +17,7 @@
type smd_device, dev_type;
# Radio related block device
-type efs_block_device, dev_type;
\ No newline at end of file
+type efs_block_device, dev_type;
+
+# Shared memory logger
+type shared_log_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7711c0a..e739716 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -38,6 +38,7 @@
/dev/smd3 u:object_r:hci_attach_dev:s0
# Default label for shared memory drivers
/dev/smd([0-9])+ u:object_r:smd_device:s0
+/dev/smem_log u:object_r:shared_log_device:s0
# Serial console
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
index 585141b..aca3fc7 100644
--- a/sepolicy/thermald.te
+++ b/sepolicy/thermald.te
@@ -6,4 +6,27 @@
init_daemon_domain(thermald)
permissive thermald;
-unconfined_domain(thermald)
+
+allow thermald self:socket create_socket_perms;
+
+# CPU hotplug uevent
+allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };
+allow thermald self:capability net_admin;
+
+# Talk to qmuxd (/dev/socket/qmux_radio)
+qmux_socket(thermald)
+
+# Access shared logger (/dev/smem_log) and diagnostic logger (/dev/diag)
+allow thermald { shared_log_device diag_device }:chr_file rw_file_perms;
+
+# Access /sys/devices/system/cpu/
+allow thermald sysfs_devices_system_cpu:file rw_file_perms;
+
+# Some files in /sys/devices/system/cpu may pop in and out of existance,
+# defeating our attempt to label them. As a result, they could have the
+# sysfs label, not the sysfs_devices_system_cpu label.
+# Allow write access for now until we figure out a better solution.
+# For example, the following files pop in and out of existance:
+# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
+# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
+allow thermald sysfs:file write;
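Review bot: `allow thermald self:capability net_admin;` grants a broad capability for which the commit message quotes no denial; the uevent denials it lists are only `read` and `create` on the netlink socket. If it is needed for an operation on the uevent socket (presumably why it sits beside `setopt`), record that in a comment such as `# net_admin: required for <operation - confirm from denial log> on the uevent socket`; otherwise drop it until a denial appears. Similarly, `sysfs_devices_system_cpu:file rw_file_perms` grants write although the quoted denials are read, open and getattr. `allow thermald sysfs:file write;` covers every file carrying the default sysfs label, so it is worth tracking for removal before `permissive thermald;` is lifted.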