diff options
| author | Daniel Hillenbrand <codeworkx@cyanogenmod.org> | 2013-08-14 20:02:51 +0200 |
|---|---|---|
| committer | Daniel Hillenbrand <codeworkx@cyanogenmod.org> | 2013-08-15 11:26:33 +0200 |
| commit | 2aa1146201ea9b422f7c72c01250f415ef712c4a (patch) | |
| tree | 500e6f79194ee73f647a58199e8d1f37ed3a79b5 | |
| parent | b0884d62ccbb35ac38d9a1028c1c9d97c265229c (diff) | |
| download | device_samsung_i9300-2aa1146201ea9b422f7c72c01250f415ef712c4a.zip device_samsung_i9300-2aa1146201ea9b422f7c72c01250f415ef712c4a.tar.gz device_samsung_i9300-2aa1146201ea9b422f7c72c01250f415ef712c4a.tar.bz2 | |
i9300: add selinux policies
Change-Id: I0304c2efeb06b583a28ea9c9dcc874254ee3930f
| -rw-r--r-- | BoardConfig.mk | 17 | ||||
| -rw-r--r-- | rootdir/init.target.rc | 17 | ||||
| -rw-r--r-- | selinux/device.te | 3 | ||||
| -rw-r--r-- | selinux/domain.te | 2 | ||||
| -rw-r--r-- | selinux/file.te | 5 | ||||
| -rw-r--r-- | selinux/file_contexts | 40 | ||||
| -rw-r--r-- | selinux/init.te | 1 | ||||
| -rw-r--r-- | selinux/mediaserver.te | 3 | ||||
| -rw-r--r-- | selinux/rild.te | 7 | ||||
| -rw-r--r-- | selinux/system.te | 10 | ||||
| -rw-r--r-- | selinux/ueventd.te | 3 | ||||
| -rw-r--r-- | selinux/vold.te | 2 | ||||
| -rwxr-xr-x | selinux/wpa_supplicant.te | 10 |
13 files changed, 120 insertions, 0 deletions
diff --git a/BoardConfig.mk b/BoardConfig.mk index 594770a..d69d753 100644 --- a/BoardConfig.mk +++ b/BoardConfig.mk @@ -35,6 +35,23 @@ TARGET_KERNEL_CONFIG := cyanogenmod_i9300_defconfig TARGET_RECOVERY_FSTAB := device/samsung/i9300/rootdir/fstab.smdk4x12 RECOVERY_FSTAB_VERSION := 2 +# Selinux +BOARD_SEPOLICY_DIRS := \ + device/samsung/i9300/selinux + +BOARD_SEPOLICY_UNION := \ + device.te \ + domain.te \ + file.te \ + file_contexts \ + init.te \ + mediaserver.te \ + rild.te \ + system.te \ + ueventd.te \ + vold.te \ + wpa_supplicant.te + # assert TARGET_OTA_ASSERT_DEVICE := m0,i9300,GT-I9300 diff --git a/rootdir/init.target.rc b/rootdir/init.target.rc index d573657..8a9c68b 100644 --- a/rootdir/init.target.rc +++ b/rootdir/init.target.rc @@ -2,6 +2,23 @@ on post-fs-data # make param block device link for SysScope symlink /dev/block/mmcblk0p4 /dev/block/param +# Restorecon + restorecon /efs/nv_data.bin + restorecon /efs/nv_data.bin.md5 + restorecon /efs/.nv_core.bak + restorecon /efs/.nv_core.bak.md5 + restorecon /efs/.nv_data.bak + restorecon /efs/.nv_data.bak.md5 + restorecon /efs/.nv_state + restorecon /efs/bluetooth/bt_addr + restorecon /efs/FactoryApp/factorymode + restorecon /efs/FactoryApp/hw_ver + restorecon /efs/FactoryApp/keystr + restorecon /efs/FactoryApp/serial_no + restorecon /efs/imei/mps_code.dat + restorecon /efs/gyro_cal_data + restorecon /efs/wifi/.mac.info + on boot # icd diff --git a/selinux/device.te b/selinux/device.te new file mode 100644 index 0000000..cca8ee1 --- /dev/null +++ b/selinux/device.te @@ -0,0 +1,3 @@ +type mali_device, dev_type, mlstrustedobject; +type rfkill_device, dev_type; +type efs_block_device, dev_type; diff --git a/selinux/domain.te b/selinux/domain.te new file mode 100644 index 0000000..26e8033 --- /dev/null +++ b/selinux/domain.te @@ -0,0 +1,2 @@ +## /dev/mali, /dev/ump +allow domain mali_device:chr_file rw_file_perms; diff --git a/selinux/file.te b/selinux/file.te new file mode 100644 index 0000000..2a01dac --- /dev/null +++ b/selinux/file.te @@ -0,0 +1,5 @@ +type firmware_mfc, file_type; +type firmware_camera, file_type; + +type camera_data_file, file_type, data_file_type; +type sensors_data_file, file_type, data_file_type; diff --git a/selinux/file_contexts b/selinux/file_contexts new file mode 100644 index 0000000..93065b8 --- /dev/null +++ b/selinux/file_contexts @@ -0,0 +1,40 @@ +# GFX +/dev/mali u:object_r:mali_device:s0 +/dev/ump u:object_r:mali_device:s0 +/dev/fimg2d u:object_r:mali_device:s0 + +# NFC +/dev/pn544 u:object_r:nfc_device:s0 + +# RIL +/dev/umts_boot0 u:object_r:radio_device:s0 +/dev/umts_boot1 u:object_r:radio_device:s0 +/dev/umts_ipc0 u:object_r:radio_device:s0 +/dev/umts_ramdump0 u:object_r:radio_device:s0 +/dev/umts_rfs0 u:object_r:radio_device:s0 + +/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0 + +# Camera +/data/ISP_CV u:object_r:camera_data_file:s0 +/dev/exynos-mem u:object_r:video_device:s0 + +# Bluetooth +/dev/ttySAC0 u:object_r:hci_attach_dev:s0 +/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0 + +# GPS +/dev/ttySAC1 u:object_r:gps_device:s0 + +# Sensors +/dev/akm8975 u:object_r:sensors_device:s0 +/efs/gyro_cal_data u:object_r:sensors_data_file:s0 + +# Wifi +/dev/rfkill u:object_r:rfkill_device:s0 +/efs/wifi/.mac.info u:object_r:wifi_data_file:s0 + +# Firmwares +/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0 +/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0 +/data/cfw(/.*)? u:object_r:firmware_camera:s0 diff --git a/selinux/init.te b/selinux/init.te new file mode 100644 index 0000000..3f11893 --- /dev/null +++ b/selinux/init.te @@ -0,0 +1 @@ +allow init wpa_socket:unix_dgram_socket { bind create }; diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te new file mode 100644 index 0000000..520da3a --- /dev/null +++ b/selinux/mediaserver.te @@ -0,0 +1,3 @@ +allow mediaserver { firmware_camera }:file r_file_perms; +allow mediaserver firmware_camera:dir r_dir_perms; +allow mediaserver camera_data_file:file rw_file_perms; diff --git a/selinux/rild.te b/selinux/rild.te new file mode 100644 index 0000000..7f817d0 --- /dev/null +++ b/selinux/rild.te @@ -0,0 +1,7 @@ +allow rild self:netlink_socket { create bind read write }; +allow rild self:netlink_route_socket { write }; +allow rild self:netlink_kobject_uevent_socket { create bind read write setopt }; + +allow rild radio_device:chr_file rw_file_perms; +allow rild efs_block_device:blk_file rw_file_perms; +allow rild efs_file:file { read open write setattr }; diff --git a/selinux/system.te b/selinux/system.te new file mode 100644 index 0000000..0ac9cfc --- /dev/null +++ b/selinux/system.te @@ -0,0 +1,10 @@ +allow system uinput_device:chr_file { read ioctl write open }; +allow system sensors_device:chr_file { read open }; +allow system sensors_data_file:file r_file_perms; +allow system wpa_socket:unix_dgram_socket sendto; + +allow system sysfs:file { read open write }; +allow system self:capability { sys_module }; + +# /efs/wifi/.mac.info +allow system wifi_data_file:file { read open }; diff --git a/selinux/ueventd.te b/selinux/ueventd.te new file mode 100644 index 0000000..4037e57 --- /dev/null +++ b/selinux/ueventd.te @@ -0,0 +1,3 @@ +# Firmwares +allow ueventd { firmware_mfc }:file r_file_perms; +allow ueventd { firmware_camera }:dir search; diff --git a/selinux/vold.te b/selinux/vold.te new file mode 100644 index 0000000..9452abf --- /dev/null +++ b/selinux/vold.te @@ -0,0 +1,2 @@ +allow vold kernel:process setsched; +allow vold sdcardd_exec:file { read open execute execute_no_trans }; diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te new file mode 100755 index 0000000..ab5fb24 --- /dev/null +++ b/selinux/wpa_supplicant.te @@ -0,0 +1,10 @@ +allow wpa init:unix_dgram_socket { read write }; + +# logwrapper used with wpa_supplicant +allow wpa devpts:chr_file { read write }; + +allow wpa wpa_socket:unix_dgram_socket { read write }; +allow wpa_socket system:unix_dgram_socket sendto; + +allow wpa_socket wifi_data_file:sock_file unlink; +allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file |