From 9f7d6ff7a0538bf89bbb5d0202fd29107a93f8c4 Mon Sep 17 00:00:00 2001
From: Russell Coker
Date: Sat, 7 Oct 2023 13:56:52 +1100
Subject: [PATCH] Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro
Signed-off-by: Russell Coker
---
 policy/modules/services/eg25manager.te | 11 ++++++++++-
 policy/modules/services/modemmanager.te | 18 ++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/eg25manager.te b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
 logging_send_syslog_msg(eg25manager_t)
 miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
 sysnet_read_config(eg25manager_t)
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
 systemd_read_resolved_runtime(eg25manager_t)
 systemd_use_logind_fds(eg25manager_t)
 systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+ modemmanager_dbus_chat(eg25manager_t)
+')
+
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
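Review bot: The comment added above `selinux_get_fs_mount(eg25manager_t)` records the symptom ("will not upload ... without this") rather than the access being granted, so a later reader cannot tell whether the need is in eg25manager itself or in a library it links. The interface only lets the domain locate the selinuxfs mount point, which is presumably a libselinux initialisation step triggered somewhere in the firmware-upload path; worth confirming against the denial and writing that down instead: `# libselinux looks up the selinuxfs mount during firmware upload (confirm against the AVC denial)`. A comment that names the caller lets the grant be re-evaluated if the uploader is later changed to stop using that library.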
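Review bot: `term_use_unallocated_ttys(eg25manager_t)` grants read/write on every tty node carrying the generic unallocated-tty type, not only the modem's serial port, and the new line has no comment saying which device is meant. If the node the uploader opens can be given a device-specific label, the narrower interface already used in this patch for ModemManager, `dev_rw_modem(...)`, keeps the daemon away from unrelated serial devices; if it cannot, a comment naming the device at least makes the breadth deliberate, e.g. `# firmware upload opens the modem serial port, which carries the generic tty label on this hardware (confirm)`. The optional_policy wrapper around `modemmanager_dbus_chat` is the right shape and needs nothing further.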
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 #
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal setpgid };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow modemmanager_t self:netlink_route_socket { create getattr getopt nlmsg_write read write };
+allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write };
+
+# ModemManager calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)
+allow modemmanager_t self:process execmem;
 kernel_read_system_state(modemmanager_t)
+kernel_request_load_module(modemmanager_t)
+# for qmi/pass_through
+dev_create_sysfs_files(modemmanager_t)
+
+dev_getattr_sysfs(modemmanager_t)
 dev_read_sysfs(modemmanager_t)
+dev_write_sysfs(modemmanager_t)
 dev_rw_modem(modemmanager_t)
+# for /usr/libexec/qmi-proxy
+corecmd_exec_bin(modemmanager_t)
+
 files_read_etc_files(modemmanager_t)
 term_use_generic_ptys(modemmanager_t)
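Review bot: `allow modemmanager_t self:process execmem;` lets the daemon map anonymous memory writable and executable, removing the W^X mitigation for a domain that already holds net_admin and sys_admin (the capability line at the top of the hunk), and the comment names the syscall but not the component that issues it. Record which library or plugin makes the mmap so the grant can be revisited when that component changes, e.g. `# ModemManager calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC) — TODO: name the plugin/library responsible (confirm against the AVC) so this can be narrowed`. The same gap applies to `dev_write_sysfs(modemmanager_t)`, which grants write access to sysfs files generally and is the only new dev_* line without a justification, whereas `dev_create_sysfs_files` has one. `corecmd_exec_bin` runs qmi-proxy inside modemmanager_t with no domain transition, so the helper inherits every grant in this hunk; acceptable if intended, but the comment should say so rather than only naming the path.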