Target the denials/policies over qtaguid file and device: 1. Relabel...

Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device. Actually, some of policies related to qtaguid have been there already, but we refind existing ones and add new ones.

Target the denials/policies over qtaguid file and device: 1. Relabel...
4c06d273 · hqjiang · Stephen Smalley · 20d6963a · 4c06d273 · 4c06d273
Commit 4c06d273 authored 12 years ago by hqjiang Committed by Stephen Smalley 12 years ago
--- a/app.te
+++ b/app.te
@@ -42,7 +42,9 @@ allow media_app cache_file:file create_file_perms;
 # Access sdcard.
 allow media_app sdcard:dir create_dir_perms;
 allow media_app sdcard:file create_file_perms;
-
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow media_app qtaguid_proc:file rw_file_perms;
+allow media_app qtaguid_device:chr_file r_file_perms;
 # Apps signed with the shared key.
 type shared_app, domain;
 app_domain(shared_app)
@@ -141,7 +143,7 @@ allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };

 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid:file write;
+allow appdomain qtaguid_proc:file write;

 # Use the Binder.
 binder_use(appdomain)

--- a/device.te
+++ b/device.te
@@ -40,6 +40,7 @@ type zero_device, dev_type;
 type fuse_device, dev_type;
 type ion_device, dev_type;
 type gps_device, dev_type;
+type qtaguid_device, dev_type;

 # All devices have a uart for the hci
 # attach service. The uart dev node

--- a/file.te
+++ b/file.te
@@ -4,7 +4,7 @@ type pipefs, fs_type;
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type;
-type qtaguid, fs_type, mlstrustedobject;
+type qtaguid_proc, fs_type, mlstrustedobject;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;

--- a/file_contexts
+++ b/file_contexts
@@ -77,6 +77,7 @@
 /dev/urandom		u:object_r:urandom_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
+/dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
 #############################
 # System files

--- a/genfs_contexts
+++ b/genfs_contexts
@@ -2,7 +2,7 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0

--- a/mediaserver.te
+++ b/mediaserver.te
@@ -35,3 +35,7 @@ allow mediaserver system:fifo_file r_file_perms;
 # Camera calibration
 allow mediaserver camera_calibration_file:dir r_dir_perms;
 allow mediaserver camera_calibration_file:file r_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
--- a/system.te
+++ b/system.te
@@ -89,7 +89,8 @@ allow system appdomain:dir r_dir_perms;
 allow system appdomain:{ file lnk_file } rw_file_perms;

 # Write to /proc/net/xt_qtaguid/ctrl.
-allow system qtaguid:file rw_file_perms;
+allow system qtaguid_proc:file rw_file_perms;
+allow system qtaguid_device:chr_file rw_file_perms;

 # Notify init of death.
 allow system init:process sigchld;