Commit f100b2c4 authored by dcashman's avatar dcashman

Create sysfs_hwrandom type.

HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

(cherry-pick from internal commit: 85c0f8af)

Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9
parent 1c983327
...@@ -25,6 +25,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject; ...@@ -25,6 +25,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_batteryinfo, fs_type, sysfs_type; type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type; type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type; type sysfs_mac_address, fs_type, sysfs_type;
......
...@@ -327,6 +327,7 @@ ...@@ -327,6 +327,7 @@
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0 /sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0 /sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0 /sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0 /sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
......
...@@ -13,6 +13,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da ...@@ -13,6 +13,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da
allow ueventd device:file create_file_perms; allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms; allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms; allow ueventd sysfs:file rw_file_perms;
allow ueventd sysfs_hwrandom:file w_file_perms;
allow ueventd sysfs_zram_uevent:file w_file_perms; allow ueventd sysfs_zram_uevent:file w_file_perms;
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr }; allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms }; allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
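Review bot: The added `allow ueventd sysfs_hwrandom:file w_file_perms;` rule has no comment saying which file ueventd needs to write, and it grants write on every file under the new label rather than on a single trigger file. If the intent is the coldboot write to the `uevent` file, as the neighbouring `sysfs_zram_uevent` rule suggests, a comment such as `# ueventd writes the hw_random uevent file during coldboot` would record that; this reading is inferred from the adjacent rule, not shown in the hunk. Because the same directory presumably also holds the attribute that selects the active RNG source, a separate uevent-only label in the style of `sysfs_zram_uevent` would keep the write narrowly scoped.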
......
...@@ -95,6 +95,10 @@ allow untrusted_app proc_meminfo:file r_file_perms; ...@@ -95,6 +95,10 @@ allow untrusted_app proc_meminfo:file r_file_perms;
# access /proc/net/xt_qtguid/stats # access /proc/net/xt_qtguid/stats
r_dir_file(untrusted_app, proc_net) r_dir_file(untrusted_app, proc_net)
# Cts: HwRngTest
allow untrusted_app sysfs_hwrandom:dir search;
allow untrusted_app sysfs_hwrandom:file r_file_perms;
### ###
### neverallow rules ### neverallow rules
### ###
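Review bot: The `# Cts: HwRngTest` comment above the two new untrusted_app rules names the test but not the exposure: the read grant applies to every untrusted app on the device, not only to the CTS package. A fuller comment would help, for example `# Read-only access to the hw_random sysfs attributes for CTS HwRngTest; write access must stay denied.` Moving these files out of the generic `sysfs` type also means any neverallow written against `sysfs` no longer covers them, so consider adding `neverallow untrusted_app sysfs_hwrandom:file { write append };` in the neverallow section that begins just below. That section continues outside the hunk, so an equivalent rule may already exist there.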
......