authorforkbomb <keepcalm444@gmail.com>2015-11-27 23:53:05 +1100
committerSimon Shields <keepcalm444@gmail.com>2015-12-11 10:57:35 +1100
commit8d8ac23e55c865ce1d8f245f4ddea27792667688 (patch)
treebf3ed5619df7484368b9db623e83b94847e7e942
parent808d0b578511aac96a32101c3df523e6fed5b0d8 (diff)
i9300: M sepolicy bringup
GPS fixes taken from grouper:
https://github.com/CyanogenMod/android_device_asus_grouper/commit/9651b24fb481bf0fc1db3b1d700033cf66eb067e
and https://github.com/CyanogenMod/android_device_asus_grouper/commit/f5592571d581478622f0fc3f86fbbddf20cf89c7

Change-Id: I7ec658691c65c3b6c087ee41ba69f2cb37ade525
-rw-r--r--gps_daemon.sh2
-rw-r--r--i9300.mk3
-rw-r--r--rootdir/init.target.rc38
-rw-r--r--selinux/cpboot-daemon.te25
-rw-r--r--selinux/device.te1
-rw-r--r--selinux/domain.te3
-rw-r--r--selinux/file.te4
-rw-r--r--selinux/file_contexts30
-rw-r--r--selinux/gpsd.te30
-rw-r--r--selinux/init.te10
-rw-r--r--selinux/log.te3
-rw-r--r--selinux/macloader.te8
-rw-r--r--selinux/mediaserver.te4
-rw-r--r--selinux/netd.te1
-rw-r--r--selinux/nfc.te1
-rw-r--r--selinux/rild.te6
-rw-r--r--selinux/servicemanager.te6
-rw-r--r--selinux/system_app.te3
-rw-r--r--selinux/system_server.te13
-rw-r--r--selinux/tinyplay.te6
-rw-r--r--selinux/ueventd.te1
-rw-r--r--selinux/untrusted_app.te5
-rw-r--r--selinux/vold.te6
-rw-r--r--selinux/wpa_supplicant.te1
-rw-r--r--selinux/zygote.te1
25 files changed, 162 insertions, 49 deletions
diff --git a/gps_daemon.sh b/gps_daemon.sh
new file mode 100644
index 0000000..b5c6f8b
--- /dev/null
+++ b/gps_daemon.sh
@@ -0,0 +1,2 @@
+#shellscript as this is the only way selinux will allow this to proceed
+/system/bin/glgps -c /system/etc/gps/gpsconfig.xml
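Review bot: The first line of the new script is a plain comment rather than an interpreter line, so if init exec()s `gps_daemon.sh` directly there is no `#!` for the kernel to dispatch on and the exec fails with ENOEXEC. The script also points glgps at `/system/etc/gps/gpsconfig.xml`, while the i9300.mk change in this same commit installs the config as `/system/etc/gps.xml` and the service line being replaced in init.target.rc used that path, so unless the vendor blobs ship `gpsconfig.xml` the daemon will start without its configuration. Suggested opening lines: `#!/system/bin/sh`, then `# wrapper: a shell entrypoint is the only way the current policy lets glgps start`, then `exec /system/bin/glgps -c /system/etc/gps.xml` (exec so the shell does not linger as the service's parent).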
diff --git a/i9300.mk b/i9300.mk
index a5a1880..c426f41 100644
--- a/i9300.mk
+++ b/i9300.mk
@@ -41,7 +41,8 @@ PRODUCT_PACKAGES += \
# Gps
PRODUCT_COPY_FILES += \
- $(LOCAL_PATH)/configs/gps.xml:system/etc/gps.xml
+ $(LOCAL_PATH)/configs/gps.xml:system/etc/gps.xml \
+ $(LOCAL_PATH)/gps_daemon.sh:system/bin/gps_daemon.sh
# Product specific Packages
PRODUCT_PACKAGES += \
diff --git a/rootdir/init.target.rc b/rootdir/init.target.rc
index e8c2e42..ce6ae90 100644
--- a/rootdir/init.target.rc
+++ b/rootdir/init.target.rc
@@ -1,5 +1,5 @@
on init
- export LD_SHIM_LIBS /system/lib/libsec-ril.so|libsamsung_symbols.so
+ export LD_SHIM_LIBS /system/lib/libsec-ril.so|libsamsung_symbols.so
# ko files for FM Radio
insmod /system/lib/modules/Si4709_driver.ko
@@ -13,29 +13,16 @@ on post-fs-data
chmod 0644 /dev/icdr
chown system system /dev/tzic
-# GPS
- mkdir /data/gps
- chown gps system /data/gps
- chmod 770 /data/gps
-
# make param block device link for SysScope
symlink /dev/block/mmcblk0p4 /dev/block/param
# Restorecon
restorecon_recursive /efs
-on fs
- # zram
- swapon_all /fstab.smdk4x12
-
-on boot
-# cbd
-service cpboot-daemon /sbin/cbd -d
- class main
- user root
- group radio cache inet misc audio sdcard_rw log
-
# GPS init
+ mkdir /data/gps
+ chown gps system /data/gps
+ chmod 1770 /data/gps
write /sys/class/sec/gps/GPS_PWR_EN/export 162
write /sys/class/sec/gps/GPS_PWR_EN/value 0
write /sys/class/sec/gps/GPS_PWR_EN/direction out
@@ -47,10 +34,23 @@ service cpboot-daemon /sbin/cbd -d
restorecon /sys/class/sec/gps/GPS_PWR_EN/value
restorecon /sys/class/sec/gps/GPS_PWR_EN/direction
+on fs
+ # zram
+ swapon_all /fstab.smdk4x12
+
+on boot
+# cbd
+service cpboot-daemon /sbin/cbd -d
+ class main
+ user root
+ group radio cache inet misc audio sdcard_rw log
+ seclabel u:r:cpboot-daemon:s0
+
+
# Start GPS daemon
-service gps-daemon /system/bin/glgps -c /system/etc/gps.xml
+service gps-daemon gps_daemon.sh
class main
socket gps seqpacket 0660 gps system
user gps
group system inet sdcard_rw
- seclabel u:r:gpsd:s0
+ seclabel u:r:glgps:s0
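Review bot: `service gps-daemon gps_daemon.sh` names the executable without a directory; as far as I know init hands the first argument straight to execve() with no PATH search, so a bare filename is resolved against init's working directory and the service will not start. Write it as `service gps-daemon /system/bin/gps_daemon.sh`, which is the install path added to i9300.mk and the path labelled in file_contexts in this commit. With `init_daemon_domain(glgps)` setting up the automatic transition on `glgps_exec`, the `seclabel u:r:glgps:s0` line becomes redundant (harmless, but it is the cpboot-daemon seclabel above that is actually needed, since `/sbin/cbd` has no exec type). The gps-daemon service block may continue past the end of this hunk.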
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
new file mode 100644
index 0000000..9974ff2
--- /dev/null
+++ b/selinux/cpboot-daemon.te
@@ -0,0 +1,25 @@
+type cpboot-daemon, domain;
+
+permissive cpboot-daemon;
+
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write remove_name add_name };
+allow cpboot-daemon efs_block_device:blk_file { read open };
+allow cpboot-daemon efs_device_file:dir search;
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon log_device:chr_file { write open };
+allow cpboot-daemon log_device:dir search;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid };
+allow cpboot-daemon sysfs_radio:file { read write open };
+allow cpboot-daemon usbfs:dir search;
+allow cpboot-daemon self:capability dac_override;
+allow cpboot-daemon cbd_device:chr_file create_file_perms;
+
+# FIX ME
+# allow cpboot-daemon usbfs:filesystem mount;
+# allow cpboot-daemon self:capability { mknod };
+
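Review bot: `permissive cpboot-daemon;` puts a daemon that runs as root, is granted `setuid` and `dac_override`, talks to the modem device and reads/writes /efs into permissive mode, so none of the allow rules beneath it are enforced and every denial is merely logged; as far as I recall CTS for this release fails user builds that carry permissive domains, so this line should be confined to eng/userdebug or removed once the `# FIX ME` denials are resolved. The three property-setting rules (`init:unix_stream_socket connectto`, `property_socket:sock_file write`, `radio_prop:property_service set`) are exactly what the core `set_prop(cpboot-daemon, radio_prop)` macro expands to, and using it documents the intent. The two `self:capability` lines can be merged into `allow cpboot-daemon self:capability { setuid dac_override };`, ideally with a comment naming which operation needs each capability.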
diff --git a/selinux/device.te b/selinux/device.te
index ae6c250..854958d 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,4 +1,3 @@
-type mali_device, dev_type, mlstrustedobject;
type rfkill_device, dev_type;
type efs_block_device, dev_type;
type hpd_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
index 26e8033..c8d8d53 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,2 +1 @@
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
+dontaudit domain kernel:system module_request;
diff --git a/selinux/file.te b/selinux/file.te
index c686d2f..12b280a 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -5,3 +5,7 @@ type sensors_data_file, file_type, data_file_type;
type sysfs_display, fs_type, sysfs_type;
type efs_device_file, file_type;
+type radio_data, file_type;
+type sysfs_radio, fs_type, sysfs_type;
+type sysfs_sensor, fs_type, sysfs_type;
+type cbd_device, dev_type;
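Review bot: `type radio_data, file_type;` together with the `/data/misc/radio(/.*)? u:object_r:radio_data:s0` entry this commit adds to file_contexts introduces a second label for a path the core policy already labels `radio_data_file` — a type rild.te still references in its unchanged `radio_data_file:dir setattr` rule; since the device file_contexts is appended after the core one, the new, equally specific entry will typically win and /data/misc/radio ends up relabelled away from the type every core rule expects. Unless radio_data is meant for some other path, drop the new type and grant rild what it needs on `radio_data_file`; if it is kept, it should carry `data_file_type` like `sensors_data_file` above it, since several core neverallows key on that attribute for /data content. `type cbd_device, dev_type;` belongs with the other `dev_type` declarations in device.te rather than in file.te.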
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 35e4e99..12bbd51 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -1,17 +1,26 @@
# GFX
-/dev/mali u:object_r:mali_device:s0
-/dev/ump u:object_r:mali_device:s0
-/dev/fimg2d u:object_r:mali_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/fimg2d u:object_r:gpu_device:s0
# RIL
+/dev/link_pm u:object_r:radio_device:s0
/dev/umts_boot0 u:object_r:radio_device:s0
/dev/umts_boot1 u:object_r:radio_device:s0
/dev/umts_ipc0 u:object_r:radio_device:s0
/dev/umts_ramdump0 u:object_r:radio_device:s0
/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/__cbd_msg_ u:object_r:cbd_device:s0
-/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
/efs u:object_r:efs_device_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data:s0
+/sys/devices/platform/s5p-ohci/ohci_power u:object_r:sysfs_radio:s0
+/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
+
+# Partitions
+/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p9 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
# Camera
/data/ISP_CV u:object_r:camera_data_file:s0
@@ -23,19 +32,21 @@
/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
# Display
-/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
+/sys/class/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
# GPS
/dev/ttySAC1 u:object_r:gps_device:s0
-/system/bin/glgps u:object_r:gpsd_exec:s0
+/system/bin/gps_daemon.sh u:object_r:glgps_exec:s0
# Sensors
/dev/akm8975 u:object_r:sensors_device:s0
/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+/sys/class/sensors/accelerometer_sensor u:object_r:sysfs_sensor:s0
# Wifi
/dev/rfkill u:object_r:rfkill_device:s0
+/data/.cid.info u:object_r:wifi_data_file:s0
/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
# Firmwares
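Review bot: Replacing the `/system/bin/glgps` entry with one for the wrapper script leaves the real daemon ELF with the default system_file label, so the glgps domain now launches it through the broad `system_file:file execute_no_trans` grant in gpsd.te and the policy can no longer say which binary the domain may run. Keep a dedicated label for the binary, e.g. `/system/bin/glgps u:object_r:glgps_exec:s0` next to the script entry, and allow `glgps glgps_exec:file rx_file_perms` so the system_file execute grant can be narrowed; a shared exec type for script and binary keeps init's transition working as before.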
@@ -46,5 +57,10 @@
# Vibrator
/dev/tspdrv u:object_r:input_device:s0
+# Swap
+/dev/block/zram(.*) u:object_r:swap_block_device:s0
+
# Misc
/dev/HPD u:object_r:hpd_device:s0
+/system/bin/macloader u:object_r:macloader_exec:s0
+/system/bin/tinyplay u:object_r:tinyplay_exec:s0
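Review bot: `/dev/block/zram(.*)` uses a capturing wildcard where the core file_contexts style for device-number suffixes is `[0-9]*`; patterns are implicitly anchored so `(.*)` works, but it also matches any suffix, and `/dev/block/zram[0-9]* u:object_r:swap_block_device:s0` says what is meant.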
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
index 8eca21c..a65f3da 100644
--- a/selinux/gpsd.te
+++ b/selinux/gpsd.te
@@ -1,9 +1,21 @@
-allow gpsd self:process execmem;
-allow gpsd rild:unix_stream_socket connectto;
-allow gpsd system_data_file:fifo_file { create read write setattr open };
-allow gpsd servicemanager:binder call;
-allow gpsd sysfs_wake_lock:file { read write open };
-allow gpsd system_data_file:file { read open };
-allow gpsd system_data_file:dir { read write setattr open add_name };
-allow gpsd system_server:binder call;
-allow gpsd system_server:unix_stream_socket { read write };
+type glgps, domain;
+type glgps_exec, exec_type, file_type;
+
+init_daemon_domain(glgps)
+
+allow glgps shell_exec:file { rx_file_perms entrypoint };
+
+#for text relocs & execution
+allow glgps system_file:file { execute_no_trans execmod };
+allow glgps gps_device:chr_file { getattr setattr };
+allow glgps gps_data_file:dir { search write add_name remove_name };
+allow glgps gps_data_file:file { create rw_file_perms };
+allow glgps gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+allow glgps node:udp_socket { node_bind name_bind };
+
+allow glgps sysfs:file { setattr write };
+allow glgps gps_device:chr_file { ioctl open read write };
+allow glgps glgps:udp_socket { create bind };
+allow glgps dnsproxyd_socket:sock_file write;
+allow glgps netd:unix_stream_socket connectto;
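Review bot: `allow glgps sysfs:file { setattr write };` grants write on every sysfs file that has no specific label, whereas the only sysfs nodes the daemon appears to touch are the `GPS_PWR_EN` attributes under /sys/class/sec/gps referenced in init.target.rc, which nothing in this commit labels; declare a device type for them (say `sysfs_gps`, alongside `sysfs_radio` in file.te, assigned in file_contexts and covered by the existing `restorecon` lines) and scope the rule to it. `allow glgps system_file:file { execute_no_trans execmod };` — and the same `execmod` grant added for rild and system_server in this commit — enables text relocations in system libraries; I believe the core domain.te of this release neverallows execmod for every domain except untrusted_app, so either neverallows are being ignored in this build or these rules will fail checkpolicy, and the durable fix is libraries built without text relocations. Smaller style points: `allow glgps glgps:udp_socket { create bind };` is conventionally written with `self`, and `name_bind` is checked against port types, so it is inert in `node:udp_socket { node_bind name_bind }`. As the file now defines glgps rather than gpsd, renaming it glgps.te would match the other per-domain files.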
diff --git a/selinux/init.te b/selinux/init.te
index 57397c6..d9d20c2 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1,3 +1,13 @@
allow init wpa_socket:unix_dgram_socket { bind create };
allow init init:process { execmem };
allow init init:tcp_socket { create };
+
+allow init sysfs_display:lnk_file { read setattr };
+
+allow init tmpfs:lnk_file create;
+allow init sysfs_sensor:lnk_file { setattr read };
+
+domain_trans(init, rootfs, glgps)
+domain_trans(init, rootfs, cpboot-daemon)
+domain_trans(init, rootfs, tinyplay)
+domain_trans(init, rootfs, macloader)
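Review bot: `domain_trans(init, rootfs, glgps)`, `domain_trans(init, rootfs, tinyplay)` and `domain_trans(init, rootfs, macloader)` let init enter those domains from any rootfs-labelled file and hand each of them `rootfs:file entrypoint`, yet all three domains get their own `_exec` type plus `init_daemon_domain` elsewhere in this commit, so the rootfs form is both redundant and wider than needed. Only cpboot-daemon, started from `/sbin/cbd` on the ramdisk with no exec type, needs it; keep `domain_trans(init, rootfs, cpboot-daemon)` and drop the other three, or add a comment naming which binary is really executed from rootfs if one is.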
diff --git a/selinux/log.te b/selinux/log.te
new file mode 100644
index 0000000..c3dfc80
--- /dev/null
+++ b/selinux/log.te
@@ -0,0 +1,3 @@
+allow domain log_device:chr_file { open write };
+allow domain log_device:dir { search };
+allow { shell debuggerd } log_device:chr_file { read };
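Review bot: `allow domain log_device:chr_file { open write };` and `allow domain log_device:dir { search };` already cover every domain, which makes the per-domain log_device rules added elsewhere in this commit redundant: the `radio` and `rild` `w_file_perms` lines in rild.te, the nfc, wpa and vold rules, the cpboot-daemon rules, the write half of the untrusted_app rule, and the whole of the new zygote.te. Either keep the domain-wide rule and delete the duplicates, or drop it and keep the per-domain rules — carrying both hides which one is load-bearing when a rule is later removed. `allow radio ...` also lives in rild.te although it concerns the phone-app domain; if retained it belongs in a radio.te. A header comment explaining why a kernel log device is still in use on an M build (where logd normally replaces it) would help the next reader decide whether this file can go.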
diff --git a/selinux/macloader.te b/selinux/macloader.te
new file mode 100644
index 0000000..580f0d1
--- /dev/null
+++ b/selinux/macloader.te
@@ -0,0 +1,8 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader);
+
+allow macloader efs_file:dir search;
+allow macloader efs_device_file:dir search;
+allow macloader wifi_data_file:file { read getattr open write setattr };
+allow macloader self:capability { dac_override chown fowner fsetid };
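Review bot: `init_daemon_domain(macloader);` carries a trailing semicolon that the glgps and tinyplay calls in this commit do not; the macro already expands to complete statements, so the stray `;` becomes an empty statement that checkpolicy may reject — drop it. `self:capability { dac_override chown fowner fsetid }` is a broad set for a helper that, going by the file_contexts changes here, only touches the `wifi_data_file` entries `.mac.info` and `.cid.info`; if init creates those with the right owner the `dac_override` can likely go, so a comment naming which operation needs each capability (or a test run without dac_override) is worth adding.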
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 43f5b21..cbcdcb8 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -5,3 +5,7 @@ allow mediaserver mfc_device:chr_file rw_file_perms;
# Bluetooth audio
allow mediaserver bluetooth:unix_stream_socket { connectto };
+
+allow mediaserver { storage_file mnt_user_file }:dir { search read };
+allow mediaserver storage_file:lnk_file read;
+allow mediaserver mnt_user_file:lnk_file read;
diff --git a/selinux/netd.te b/selinux/netd.te
index 98db7f5..2fdb809 100644
--- a/selinux/netd.te
+++ b/selinux/netd.te
@@ -1,2 +1 @@
allow netd init:tcp_socket { read write getopt };
-allow netd kernel:system module_request;
diff --git a/selinux/nfc.te b/selinux/nfc.te
index 6a6e324..b5afda7 100644
--- a/selinux/nfc.te
+++ b/selinux/nfc.te
@@ -1 +1,2 @@
allow nfc firmware_exynos:dir search;
+allow nfc log_device:chr_file write;
diff --git a/selinux/rild.te b/selinux/rild.te
index 3339eaf..5da4924 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -6,6 +6,12 @@ allow rild rild:process { execmem };
allow rild radio_data_file:dir setattr;
allow rild unlabeled:dir search;
+allow radio log_device:chr_file w_file_perms;
+allow rild log_device:chr_file w_file_perms;
+allow rild system_file:file execmod;
+allow rild radio_data:file create_file_perms;
+allow rild radio_data:dir create_dir_perms;
+
allow rild radio_device:chr_file rw_file_perms;
allow rild efs_block_device:blk_file rw_file_perms;
allow rild efs_file:file { read open write setattr };
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
index 40a665d..65337ed 100644
--- a/selinux/servicemanager.te
+++ b/selinux/servicemanager.te
@@ -1,3 +1,3 @@
-allow servicemanager gpsd:dir { search read write };
-allow servicemanager gpsd:file { open read write };
-allow servicemanager gpsd:process getattr;
+allow servicemanager glgps:dir { search read write };
+allow servicemanager glgps:file { open read write };
+allow servicemanager glgps:process getattr;
diff --git a/selinux/system_app.te b/selinux/system_app.te
index bc716f2..8542dc2 100644
--- a/selinux/system_app.te
+++ b/selinux/system_app.te
@@ -1 +1,2 @@
-allow system_app sysfs_display:file { getattr open read write };
+allow system_app sysfs_display:{ file lnk_file } { getattr open read write };
+allow system_app sysfs_display:dir { search };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 28085f4..b9cc2f2 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -10,18 +10,21 @@ allow system_server efs_file:dir search;
allow system_server efs_file:file read;
allow system_server efs_device_file:dir search;
allow system_server uhid_device:chr_file { read ioctl write open };
+allow system_server storage_stub_file:dir getattr;
+
+
+# for sensors
+allow system_server system_file:file execmod;
# /efs/wifi/.mac.info
allow system_server wifi_data_file:file { read open };
-#allow system_server default_prop:property_service set;
-
-allow system_server gpsd:binder transfer;
+allow system_server glgps:binder transfer;
type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
# Access .gps.interface.pipe.to_gpsd.
-allow system_server gps_data_file:dir search;
-allow system_server gps_data_file:fifo_file { write setattr rw_file_perms };
+allow system_server gps_data_file:dir rw_dir_perms;
+allow system_server gps_data_file:fifo_file { setattr rw_file_perms create };
# Access /data/sensors/gps* socket
allow system_server gps_data_file:sock_file create_file_perms;
diff --git a/selinux/tinyplay.te b/selinux/tinyplay.te
new file mode 100644
index 0000000..ef7de81
--- /dev/null
+++ b/selinux/tinyplay.te
@@ -0,0 +1,6 @@
+type tinyplay, domain;
+type tinyplay_exec, exec_type, file_type;
+init_daemon_domain(tinyplay)
+
+allow tinyplay audio_device:chr_file { open read write ioctl };
+allow tinyplay audio_device:dir search;
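Review bot: tinyplay gets a daemon domain via `init_daemon_domain(tinyplay)` and an init transition in init.te, but no tinyplay service appears in this commit's init.target.rc changes, so it is unclear what is meant to start it. If it is only run by hand from adb for audio checks, the new `tinyplay_exec` label means the shell domain now also needs permission to execute it, which nothing here grants. A one-line comment at the top of the file stating who launches tinyplay and why it needs an init transition would settle both questions.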
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index 8044d34..315ccb3 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -2,3 +2,4 @@
allow ueventd { firmware_mfc }:file r_file_perms;
allow ueventd { firmware_exynos }:dir search;
allow ueventd { firmware_exynos }:file { read getattr open };
+allow ueventd sysfs_display:file { write open };
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
new file mode 100644
index 0000000..f9c5bde
--- /dev/null
+++ b/selinux/untrusted_app.te
@@ -0,0 +1,5 @@
+allow untrusted_app storage_stub_file:dir getattr;
+allow untrusted_app log_device:chr_file { read write };
+allow untrusted_app self:udp_socket ioctl;
+allow untrusted_app app_data_file:file create_file_perms;
+allow untrusted_app app_data_file:dir create_dir_perms;
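Review bot: `allow untrusted_app log_device:chr_file { read write };` gives every third-party app SELinux permission to read the log device, which the platform deliberately withholds (log reading is gated behind READ_LOGS); DAC on the node may still block it, but the policy should not be the weaker of the two layers. The write half is already granted domain-wide by the new log.te, so the line can go entirely. `app_data_file:file create_file_perms` and `app_data_file:dir create_dir_perms` appear to duplicate what the core app policy already grants untrusted_app, and `self:udp_socket ioctl` is open-ended; each line that survives would benefit from a comment naming the denial it resolves.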
diff --git a/selinux/vold.te b/selinux/vold.te
index a2cbe68..b39e3e3 100644
--- a/selinux/vold.te
+++ b/selinux/vold.te
@@ -1,5 +1,11 @@
allow vold kernel:process setsched;
allow vold sdcardd_exec:file { read open execute execute_no_trans };
+allow vold log_device:dir search;
+allow vold storage_stub_file:dir { read open };
+allow vold blkid_exec:file { getattr execute read open execute_no_trans };
+
+allow vold log_device:chr_file { write open };
+
allow vold efs_device_file:dir rw_file_perms;
allow vold efs_device_file:file rw_file_perms;
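Review bot: `allow vold blkid_exec:file { getattr execute read open execute_no_trans };` includes `execute_no_trans`, which would let blkid — a tool that parses untrusted filesystem metadata from removable media — run inside vold's own domain. As I recall the core policy of this release has a dedicated blkid domain entered via `domain_auto_trans(vold, blkid_exec, blkid)`; if that is present here, the type_transition still fires and `execute_no_trans` is simply unneeded, so reduce the rule to what the transition requires, and if the observed denial was on the transition itself fix that instead. If this tree's core policy lacks the blkid domain, a comment saying so would explain the grant.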
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
index c7568f3..9b806e0 100644
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -2,6 +2,7 @@ allow wpa init:unix_dgram_socket { read write };
# logwrapper used with wpa_supplicant
allow wpa devpts:chr_file { read write };
+allow wpa log_device:chr_file { write };
allow wpa wpa_socket:unix_dgram_socket { read write };
allow wpa_socket system_app:unix_dgram_socket sendto;
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..4de92c2
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1 @@
+allow zygote log_device:dir search;