author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-02-16 18:36:09 +0100 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-02-16 18:36:31 +0100 |
commit | 8f0313215eb8643c71a692cc2318a1440d1ab0a9 (patch) | |
tree | 1fb1b67118879fcb6a9689a0b8cbde7d68f44f80 /selinux | |
parent | b58a574578f1f5a268d498638352a0680d459024 (diff) | |
selinux: allow rild access to sysfs_radio and let system_server open the wifi firmware
This makes RIL and wifi work with SELinux in enforcing mode
also remove rules for the proprietary cbd
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/cpboot-daemon.te | 25 | ||||
-rw-r--r-- | selinux/file.te | 1 | ||||
-rw-r--r-- | selinux/file_contexts | 1 | ||||
-rw-r--r-- | selinux/init.te | 1 | ||||
-rw-r--r-- | selinux/rild.te | 2 | ||||
-rw-r--r-- | selinux/system_server.te | 4 |
6 files changed, 6 insertions, 28 deletions
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te deleted file mode 100644 index 9974ff2..0000000 --- a/selinux/cpboot-daemon.te +++ /dev/null @@ -1,25 +0,0 @@ -type cpboot-daemon, domain; - -permissive cpboot-daemon; - -allow cpboot-daemon cgroup:dir { create add_name }; -allow cpboot-daemon device:dir { write remove_name add_name }; -allow cpboot-daemon efs_block_device:blk_file { read open }; -allow cpboot-daemon efs_device_file:dir search; -allow cpboot-daemon efs_file:file { read write open }; -allow cpboot-daemon init:unix_stream_socket connectto; -allow cpboot-daemon log_device:chr_file { write open }; -allow cpboot-daemon log_device:dir search; -allow cpboot-daemon property_socket:sock_file write; -allow cpboot-daemon radio_device:chr_file { read write ioctl open }; -allow cpboot-daemon radio_prop:property_service set; -allow cpboot-daemon self:capability { setuid }; -allow cpboot-daemon sysfs_radio:file { read write open }; -allow cpboot-daemon usbfs:dir search; -allow cpboot-daemon self:capability dac_override; -allow cpboot-daemon cbd_device:chr_file create_file_perms; - -# FIX ME -# allow cpboot-daemon usbfs:filesystem mount; -# allow cpboot-daemon self:capability { mknod }; - diff --git a/selinux/file.te b/selinux/file.te index 12b280a..f5edd1a 100644 --- a/selinux/file.te +++ b/selinux/file.te @@ -8,4 +8,3 @@ type efs_device_file, file_type; type radio_data, file_type; type sysfs_radio, fs_type, sysfs_type; type sysfs_sensor, fs_type, sysfs_type; -type cbd_device, dev_type; diff --git a/selinux/file_contexts b/selinux/file_contexts index 6e54311..83f6559 100644 --- a/selinux/file_contexts +++ b/selinux/file_contexts @@ -10,7 +10,6 @@ /dev/umts_ipc0 u:object_r:radio_device:s0 /dev/umts_ramdump0 u:object_r:radio_device:s0 /dev/umts_rfs0 u:object_r:radio_device:s0 -/dev/__cbd_msg_ u:object_r:cbd_device:s0 /efs u:object_r:efs_device_file:s0 /data/misc/radio(/.*)? u:object_r:radio_data:s0 
diff --git a/selinux/init.te b/selinux/init.te index 6056a94..1740499 100644 --- a/selinux/init.te +++ b/selinux/init.te @@ -10,4 +10,3 @@ allow init sysfs_sensor:lnk_file { setattr read }; allow init rild:process noatsecure; domain_trans(init, rootfs, glgps) -domain_trans(init, rootfs, cpboot-daemon) diff --git a/selinux/rild.te b/selinux/rild.te index 5da4924..d40aae8 100644 --- a/selinux/rild.te +++ b/selinux/rild.te @@ -18,3 +18,5 @@ allow rild efs_file:file { read open write setattr }; allow rild efs_device_file:dir create_dir_perms; allow rild efs_device_file:file { setattr create create_file_perms }; + +allow rild sysfs_radio:file { read write open }; diff --git a/selinux/system_server.te b/selinux/system_server.te index b20927b..09a603e 100644 --- a/selinux/system_server.te +++ b/selinux/system_server.te @@ -22,6 +22,10 @@ allow system_server system_file:file execmod; # /efs/wifi/.mac.info allow system_server wifi_data_file:file { read open }; +# wifi firmware +allow system_server firmware_exynos:dir { open read search }; +allow system_server firmware_exynos:file { open read }; + allow system_server glgps:binder transfer; type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni"; |
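Review bot: The added `allow rild sysfs_radio:file { read write open };` in rild.te has no comment saying which sysfs nodes are meant or why rild must write them, unlike the commented rules in system_server.te. The same permission set is removed from cpboot-daemon in this commit, so rild presumably takes over that role, but the diff does not say so. rild handles data coming from the baseband, so check the `write` grant on every file labelled sysfs_radio against the denials logged in enforcing mode, and drop `write` if only reads were denied. A comment such as `# modem control nodes in sysfs, previously accessed by cpboot-daemon (confirm paths)` would record the intent.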
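Review bot: The two firmware_exynos rules in system_server.te grant read on every file carrying that label, while the comment mentions only wifi firmware. The label's file_contexts entry is not part of this diff, so whether it also covers other Exynos firmware blobs cannot be checked here. If it does, a dedicated type for the wifi firmware files would keep system_server from reading the rest. The comment could name the path, as the one above it does, e.g. `# wifi firmware: <firmware path>`. The `dir { open read search }` set also lets system_server list the directory; `search` alone is enough when the firmware file name is known in advance.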