mpdecision: address denials.
Update the SELinux policy for mpdecision to get rid of denials
we're seeing.
Specifically:
1) mpdecision creates a socket in /dev/socket/pb . Make sure it's
labeled appropriately and we have write access to the parent
directory.
2) mpdecision minipulates /sys/devices/system/cpu/cpu?/* files.
Make sure they're labeled appropriately. But, see #3.
3) Files in /sys/devices/system/cpu/cpu?/* pop in and out of existance
as CPUs go online and offline. When that happens, they inherit
the default sysfs label. Allow write access to all sysfs labeled
files. :-(
4) Allow mpdecision to read system_server's /proc/PID/status file.
This change addresses the following denials.
<5>[ 6.251732] type=1400 audit(1382645684.953:8): avc: denied { write } for pid=185 comm="mpdecision" name="socket" dev="tmpfs" ino=8254 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 6.251884] type=1400 audit(1382645684.953:9): avc: denied { add_name } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=dir
<5>[ 6.252067] type=1400 audit(1382645684.953:10): avc: denied { create } for pid=185 comm="mpdecision" name="pb" scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 6.252281] type=1400 audit(1382645684.953:11): avc: denied { setattr } for pid=185 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 6.252403] type=1400 audit(1382645684.953:12): avc: denied { chown } for pid=185 comm="mpdecision" capability=0 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability
<5>[ 6.254082] type=1400 audit(1382645684.953:13): avc: denied { write } for pid=185 comm="mpdecision" name="online" dev="sysfs" ino=3184 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 7.820357] type=1400 audit(1382645686.515:14): avc: denied { write } for pid=199 comm="mpdecision" name="online" dev="sysfs" ino=3195 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 52.065862] type=1400 audit(1382645730.762:16): avc: denied { write } for pid=193 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 186.257836] type=1400 audit(1382645864.945:26): avc: denied { write } for pid=194 comm="mpdecision" name="pb" dev="tmpfs" ino=7347 scontext=u:r:mpdecision:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file
<5>[ 306.259423] type=1400 audit(1382645984.953:27): avc: denied { search } for pid=188 comm="mpdecision" name="626" dev="proc" ino=7662 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=dir
<5>[ 306.260155] type=1400 audit(1382645984.963:28): avc: denied { read } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 306.260796] type=1400 audit(1382645984.963:29): avc: denied { open } for pid=188 comm="mpdecision" name="status" dev="proc" ino=14274 scontext=u:r:mpdecision:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 47.698092] type=1400 audit(1382661120.467:9): avc: denied { write } for pid=196 comm="mpdecision" name="scaling_min_freq" dev="sysfs" ino=18172 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I507ae4610b4bde433e05174ee96c2acf00cdc9ec
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 6a7b06d..d7faf79 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -16,3 +16,4 @@
type persist_wifi_file, file_type;
type sysfs_rmnet, fs_type, sysfs_type;
+type sysfs_mpdecision, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index bf1e4c8..96f92a7 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -91,8 +91,7 @@
/system/bin/qseecomd u:object_r:tee_exec:s0
/system/bin/conn_init u:object_r:conn_init_exec:s0
-/sys/devices/system/cpu/cpu0/cpufreq(/.*)? u:object_r:sysfs_devices_system_cpu:s0
-/sys/devices/system/cpu/cpu0/rq-stats(/.*)? u:object_r:sysfs_devices_system_cpu:s0
+/sys/devices/system/cpu/cpu([0-9])+(/.*)?(/.*)? u:object_r:sysfs_devices_system_cpu:s0
# Persist firmware filesystem
/persist(/.*)? u:object_r:persist_file:s0
@@ -104,3 +103,7 @@
# Sysfs entry for the RmNet function driver
/sys/class/android_usb/f_rmnet_smd_sdio/transport -- u:object_r:sysfs_rmnet:s0
+
+# Sysfs files used by mpdecision
+/sys/module/pm2/modes(/.*)? u:object_r:sysfs_mpdecision:s0
+/sys/module/pm_8x60/modes(/.*)? u:object_r:sysfs_mpdecision:s0
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
index 593d92b..a8adb2d 100644
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@@ -15,8 +15,28 @@
allow mpdecision mpdecision_socket:dir w_dir_perms;
allow mpdecision mpdecision_socket:sock_file { create setattr write };
+# Also support mpdecision creating the /dev/socket/pb socket
+type_transition mpdecision socket_device:sock_file mpdecision_socket;
+allow mpdecision self:capability chown;
+allow mpdecision socket_device:dir { write add_name };
+
# By-product of setting owner on sock_file (don't allow)
dontaudit mpdecision self:capability fsetid;
allow mpdecision sysfs_devices_system_cpu:dir search;
allow mpdecision sysfs_devices_system_cpu:file { open read write getattr };
+allow mpdecision sysfs_mpdecision:dir search;
+allow mpdecision sysfs_mpdecision:file { open read write getattr };
+
+# Some files in /sys/devices/system/cpu may pop in and out of existance,
+# defeating our attempt to label them. As a result, they could have the
+# sysfs label, not the sysfs_devices_system_cpu label.
+# Allow write access for now until we figure out a better solution.
+# For example, the following files pop in and out of existance:
+# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
+# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
+allow mpdecision sysfs:file write;
+
+# This is needed to allow mpdecision to look at system_server's
+# /proc/PID/status file.
+r_dir_file(mpdecision, system_server)
