Move thermald into enforcing.

I have not yet traced the source of all of thermald's capability requests, but
am allowing them for now in order to move into enforcing mode. Also address a
few other observed denials.

<12>[   13.648000] type=1400 audit(57193.029:7): avc: denied { dac_override } for pid=373 comm="thermal-engine" capability=1 scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=capability permissive=1
<12>[   13.715266] type=1400 audit(57193.029:11): avc: denied { fsetid } for pid=373 comm="thermal-engine" capability=4 scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=capability permissive=1
<12>[   13.762708] type=1400 audit(57193.039:24): avc: denied { chown } for pid=343 comm="thermal-engine" capability=0 scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=capability permissive=1

<12>[  125.567298] type=1400 audit(6125.489:160): avc: denied { search } for pid=2998 comm="RenderThread" name="tmp" dev="dm-0" ino=1187842 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=0

<12>[  137.716704] type=1400 audit(1408045466.362:173): avc: denied { connectto } for pid=3115 comm="omm.timeservice" path=0074696D655F67656E6F6666 scontext=u:r:platform_app:s0 tcontext=u:r:time:s0 tclass=unix_stream_socket permissive=0

<12>[   63.383252] type=1400 audit(1408046324.590:158): avc: denied { write } for pid=2855 comm=time_daemon name=time dev=dm-0 ino=1458177 scontext=u:r:time:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Bug: 16319212
Change-Id: I5975f8b086b90037cc4255262708775c24197c8c
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 99c10b2..95325c5 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -114,6 +114,7 @@
         rild.te \
         sensors.te \
         surfaceflinger.te \
+        system_app.te \
         system_server.te \
         tee.te \
         te_macros \
diff --git a/sepolicy/file.te b/sepolicy/file.te
index f12a005..5b7396c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -6,7 +6,8 @@
 type sensors_socket, file_type;
 type thermald_socket, file_type;
 
-type sysfs_rmnet, fs_type, sysfs_type;
-
 type diag_logs, file_type, data_file_type;
+type time_data_file, file_type, data_file_type;
+
+type sysfs_rmnet, fs_type, sysfs_type;
 type sysfs_smdcntl_open_timeout, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 023e934..a168eee 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -2,6 +2,7 @@
 /data/diag_logs(/.*)?          u:object_r:diag_logs:s0
 /data/misc/radio(/.*)?         u:object_r:radio_data_file:s0
 /data/nfc(/.*)?                u:object_r:nfc_data_file:s0
+/data/time(/.*)?               u:object_r:time_data_file:s0
 
 # Bluetooth
 /dev/ttyHS0                    u:object_r:hci_attach_dev:s0
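Review bot: The new `/data/time(/.*)?` entry only affects files labelled after it takes effect, so a device that already has /data/time may keep the old label. The denial in the commit message shows that directory as system_data_file, and the time domain would keep hitting the same denial until the tree is relabelled. Whether init already relabels it is not visible in this change. If it does not, a `restorecon_recursive /data/time` next to where the directory is created in the device's init rc file would cover upgrades.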
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 94ba0be..51f3a91 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -2,4 +2,6 @@
   # qxdmlogger access to /data/diag_logs.
   allow platform_app diag_logs:dir rw_dir_perms;
   allow platform_app diag_logs:file create_file_perms;
-')
\ No newline at end of file
+')
+
+allow platform_app time:unix_stream_socket connectto;
\ No newline at end of file
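Review bot: The new `allow platform_app time:unix_stream_socket connectto;` sits after the closing `')`, so it applies on every build type and to every app in the platform_app domain, while the denial in the commit message comes from a single process (comm="omm.timeservice"). The rule has no comment; I would add `# Time service app connects to the time daemon's abstract socket (time_genoff).` above it, since the path in the denial decodes to a NUL byte followed by "time_genoff". If only that one app needs the socket, giving it its own domain would probably keep the rest of platform_app off it. The block closed by `')` starts outside this hunk, and the file still ends without a trailing newline.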
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..96ffe60
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,2 @@
+# TODO b/17015082
+allow system_app shell_data_file:dir search;
\ No newline at end of file
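Review bot: The comment above `allow system_app shell_data_file:dir search;` gives only a bug number, so a reader cannot tell why system_app needs to traverse shell-owned data. The denial in the commit message is a RenderThread lookup of a directory named "tmp", and shell_data_file is presumably the area writable from adb shell, which system_app should not need once the caller is fixed. I would expand the comment to `# TODO b/17015082: RenderThread in system_app searches the shell_data_file "tmp" dir; remove once the caller is fixed.` The new file also ends without a trailing newline.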
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
index 29ce4ca..ce5583d 100644
--- a/sepolicy/thermald.te
+++ b/sepolicy/thermald.te
@@ -2,14 +2,15 @@
 type thermald, domain;
 type thermald_exec, exec_type, file_type;
 
-# STOPSHIP: Permissive is not allowed. CTS violation!
-permissive thermald;
-
 # Started by init
 init_daemon_domain(thermald)
 
 allow thermald shared_log_device:chr_file rw_file_perms;
 
+# TODO - track down source of these capabilities requests, audit for now
+allow thermald self:capability { dac_override fsetid chown };
+auditallow thermald self:capability { dac_override fsetid chown };
+
 # Access to /dev/msm_thermal_query
 allow thermald thermal_engine_device:chr_file rw_file_perms;
 
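Review bot: The TODO above the new capability rules carries no bug number, unlike the one added in system_app.te in this same commit, so nothing tracks removing `dac_override`, `fsetid` and `chown` later. `dac_override` in particular lets thermal-engine ignore file mode bits on anything its SELinux rules let it reach. Requests like these often come from a file or directory with the wrong owner or mode, which would be better fixed where the path is created than in policy, though that cannot be confirmed from this diff. I would write the comment as `# TODO(b/<bug-id>): find which paths trigger dac_override/fsetid/chown and fix their ownership; auditallow logs each use meanwhile.` with the real bug id filled in.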
@@ -19,4 +20,9 @@
 # Create and access to /dev/socket/thermal-.*
 type_transition thermald socket_device:sock_file thermald_socket;
 allow thermald socket_device:dir w_dir_perms;
-allow thermald thermald_socket:sock_file create_file_perms;
\ No newline at end of file
+allow thermald thermald_socket:sock_file create_file_perms;
+
+allow thermald self:socket create_socket_perms;
+
+# TODO specify specific labels for /sys/ files
+allow thermald sysfs:file write;
\ No newline at end of file
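Review bot: `allow thermald sysfs:file write;` covers every sysfs node that still carries the generic sysfs label, and with the `dac_override` capability granted earlier in this file the mode bits on those nodes no longer limit thermald either. The TODO acknowledges the labelling gap but names neither the /sys paths nor a bug. Listing the nodes thermal-engine actually writes in the comment would let a follow-up add dedicated types like the existing `sysfs_rmnet` in file.te. `allow thermald self:socket create_socket_perms;` also has no comment saying which socket family it is for, and the file still ends without a trailing newline.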
diff --git a/sepolicy/time.te b/sepolicy/time.te
index 829e62d..136c17d 100644
--- a/sepolicy/time.te
+++ b/sepolicy/time.te
@@ -10,5 +10,8 @@
 # Is r_file_perms sufficient for /dev/rtc0 ?
 allow time rtc:chr_file r_file_perms;
 
+allow time time_data_file:dir rw_dir_perms;
+allow time time_data_file:file create_file_perms;
+
 allow time self:socket *;
 allow time self:capability { setuid setgid };
\ No newline at end of file
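Review bot: The two new `time_data_file` rules have no comment, while the neighbouring rtc rule does. I would add `# /data/time: files created and updated by time_daemon.` above them. The observed denial was only `write` on the directory, so `rw_dir_perms` plus `create_file_perms` looks proportionate, assuming the daemon creates its files there.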