-rw-r--r--BoardConfig.mk12
-rw-r--r--rootdir/init.target.rc17
-rw-r--r--selinux/bluetooth.te4
-rw-r--r--selinux/device.te2
-rw-r--r--selinux/file.te3
-rw-r--r--selinux/file_contexts15
-rw-r--r--selinux/gpsd.te8
-rw-r--r--selinux/init.te2
-rw-r--r--selinux/mediaserver.te4
-rw-r--r--selinux/netd.te2
-rw-r--r--selinux/nfc.te1
-rw-r--r--selinux/rild.te7
-rw-r--r--selinux/service_contexts3
-rw-r--r--selinux/servicemanager.te3
-rw-r--r--selinux/surfaceflinger.te1
-rw-r--r--selinux/sysinit.te6
-rw-r--r--selinux/system.te10
-rw-r--r--selinux/system_app.te1
-rw-r--r--selinux/system_server.te18
-rw-r--r--selinux/ueventd.te1
-rw-r--r--selinux/vold.te5
-rw-r--r--[-rwxr-xr-x]selinux/wpa_supplicant.te3
22 files changed, 89 insertions, 39 deletions
diff --git a/BoardConfig.mk b/BoardConfig.mk
index de01361..e7021a5 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -39,18 +39,6 @@ RECOVERY_FSTAB_VERSION := 2
BOARD_SEPOLICY_DIRS += \
device/samsung/i9300/selinux
-BOARD_SEPOLICY_UNION += \
- device.te \
- domain.te \
- file.te \
- file_contexts \
- init.te \
- mediaserver.te \
- rild.te \
- system.te \
- ueventd.te \
- wpa_supplicant.te
-
# assert
TARGET_OTA_ASSERT_DEVICE := m0,i9300,GT-I9300
diff --git a/rootdir/init.target.rc b/rootdir/init.target.rc
index df70d03..1131054 100644
--- a/rootdir/init.target.rc
+++ b/rootdir/init.target.rc
@@ -17,21 +17,7 @@ on post-fs-data
symlink /dev/block/mmcblk0p4 /dev/block/param
# Restorecon
- restorecon /efs/nv_data.bin
- restorecon /efs/nv_data.bin.md5
- restorecon /efs/.nv_core.bak
- restorecon /efs/.nv_core.bak.md5
- restorecon /efs/.nv_data.bak
- restorecon /efs/.nv_data.bak.md5
- restorecon /efs/.nv_state
- restorecon /efs/bluetooth/bt_addr
- restorecon /efs/FactoryApp/factorymode
- restorecon /efs/FactoryApp/hw_ver
- restorecon /efs/FactoryApp/keystr
- restorecon /efs/FactoryApp/serial_no
- restorecon /efs/imei/mps_code.dat
- restorecon /efs/gyro_cal_data
- restorecon /efs/wifi/.mac.info
+ restorecon_recursive /efs
on boot
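Review bot: `restorecon_recursive /efs` only relabels paths that have a matching file_contexts entry, and the `/efs` entry this commit adds (`/efs u:object_r:efs_device_file:s0`, no `(/.*)?`) matches the mount point alone, so the files the removed list covered (nv_data.bin, FactoryApp/*, wifi/.mac.info, …) now take whatever label a base-policy pattern gives them, or keep their on-disk label if nothing matches. Worth confirming after a boot that none of them ends up `unlabeled`; rild.te and sysinit.te in this same commit add `unlabeled:dir search`, which suggests such files already exist. If the whole tree is meant to be covered, the entry should read `/efs(/.*)? u:object_r:efs_device_file:s0`. The `on post-fs-data` block starts outside the hunk.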
@@ -54,6 +40,7 @@ service gpsd /system/bin/gpsd -c /system/etc/gps.xml
socket gps seqpacket 0660 gps system
user gps
group system inet sdcard_rw
+ seclabel u:r:gpsd:s0
service dmb /system/bin/dmbserver
class main
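Review bot: `seclabel u:r:gpsd:s0` enters the gpsd domain only when init starts this service; a gpsd binary executed any other way stays in the caller's domain, and nothing in the hunk records why the rc-file route was chosen over `init_daemon_domain(gpsd)` in gpsd.te, which is the usual pairing with the `/system/bin/gpsd u:object_r:gpsd_exec:s0` entry this commit adds to file_contexts. Neither gpsd.te nor any other file in the diff declares `type gpsd, domain;` or `type gpsd_exec, exec_type, file_type;`, so those presumably live in a file outside this change — confirm, or the policy will not build. A one-line comment above `seclabel` stating the reason would save the next reader the same question. The `service gpsd` stanza starts outside the hunk.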
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..76e62ea
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,4 @@
+allow bluetooth bluetooth_efs_file:dir search;
+allow bluetooth bluetooth_efs_file:file read;
+allow bluetooth sysfs:file write;
+allow bluetooth efs_device_file:dir search;
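Review bot: `allow bluetooth sysfs:file write;` grants write on every file labelled `sysfs`, far wider than the bluetooth stack needs; the same commit already shows the narrower pattern for display nodes (`sysfs_display` in file.te with matching file_contexts entries), so the sysfs node bluetooth actually writes should get its own type and this line become `allow bluetooth <dedicated-sysfs-type>:file write;`. If the node is not known, the audit denial that motivated the rule names it. A short header comment naming the device these four rules serve, in the style of `# Bluetooth audio` in mediaserver.te, would also help.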
diff --git a/selinux/device.te b/selinux/device.te
index cca8ee1..ae6c250 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,3 +1,5 @@
type mali_device, dev_type, mlstrustedobject;
type rfkill_device, dev_type;
type efs_block_device, dev_type;
+type hpd_device, dev_type;
+type mfc_device, dev_type;
diff --git a/selinux/file.te b/selinux/file.te
index 9d1d823..15e8eff 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -2,3 +2,6 @@ type firmware_mfc, file_type;
type firmware_camera, file_type;
type sensors_data_file, file_type, data_file_type;
+type sysfs_display, fs_type, sysfs_type;
+
+type efs_device_file, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 55022ec..42b5fe4 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -11,17 +11,24 @@
/dev/umts_rfs0 u:object_r:radio_device:s0
/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+/efs u:object_r:efs_device_file:s0
# Camera
/data/ISP_CV u:object_r:camera_data_file:s0
/dev/exynos-mem u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
# Bluetooth
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
-/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# Display
+/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
+/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
# GPS
/dev/ttySAC1 u:object_r:gps_device:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
# Sensors
/dev/akm8975 u:object_r:sensors_device:s0
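Review bot: The two `/sys/class/mdnie/mdnie/...` entries take effect only if something runs `restorecon` on those paths after sysfs is mounted — sysfs nodes otherwise carry the genfscon label `sysfs` — and nothing in this diff does that (init.target.rc restorecons only `/efs`), so unless the base init.rc already relabels /sys, system_app will keep hitting denials on `sysfs` rather than `sysfs_display`. Either add `restorecon /sys/class/mdnie/mdnie/scenario` and `restorecon /sys/class/mdnie/mdnie/mode` to init.target.rc, or express the labels as `genfscon sysfs` entries in genfs_contexts. The `/efs` entry matches the mount point only; the corrected `/efs/bluetooth(/.*)?` line just below shows the form needed if the tree is intended.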
@@ -35,3 +42,9 @@
/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
/data/cfw(/.*)? u:object_r:firmware_camera:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+
+# Misc
+/dev/HPD u:object_r:hpd_device:s0
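Review bot: Labelling the vibrator node `/dev/tspdrv` as `input_device` gives every domain that may open input devices (system_server, via `input_device:chr_file { read ioctl write open }` in this commit) write access to the vibrator as well, and the reverse; a dedicated type declared in device.te next to the `hpd_device` and `mfc_device` types added here keeps the two separable. The `# Misc` heading above `/dev/HPD` would be more useful as a comment saying what the node is and that surfaceflinger is its only consumer, since that is the sole rule referencing `hpd_device` in the diff.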
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..5c7e39c
--- /dev/null
+++ b/selinux/gpsd.te
@@ -0,0 +1,8 @@
+allow gpsd rild:unix_stream_socket connectto;
+allow gpsd system_data_file:fifo_file { create read write setattr open };
+allow gpsd servicemanager:binder call;
+allow gpsd sysfs_wake_lock:file { read write open };
+allow gpsd system_data_file:file { create read write setattr open };
+allow gpsd system_data_file:dir { read write setattr open add_name };
+allow gpsd system_server:binder call;
+allow gpsd system_server:unix_stream_socket { read write };
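Review bot: gpsd is allowed to create and write files, fifos and directory entries under the generic `system_data_file` label (the three `system_data_file` rules in this file), which is the default label for most of /data; a dedicated type for the directory gpsd actually uses, declared in file.te and labelled in file_contexts, confines a compromised gpsd to its own files. The binder rules (`servicemanager:binder call`, `system_server:binder call`) plus the three servicemanager.te rules added in this commit are what `binder_use(gpsd)` and `binder_call(gpsd, system_server)` expand to; using the macros documents the intent and keeps the reverse direction consistent. The file also declares no `type gpsd, domain;` — presumably done elsewhere, worth confirming.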
diff --git a/selinux/init.te b/selinux/init.te
index 3f11893..57397c6 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1 +1,3 @@
allow init wpa_socket:unix_dgram_socket { bind create };
+allow init init:process { execmem };
+allow init init:tcp_socket { create };
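Review bot: `allow init init:process { execmem };` lets init map anonymous memory both writable and executable, removing the W^X guarantee from the most privileged userspace process; the same grant appears for rild in rild.te (`allow rild rild:process { execmem };`). Nothing in the commit records which denial motivated either rule — if a proprietary component needs it, a comment naming that component belongs on the line, and if it came from a blanket audit2allow pass it should be dropped and the cause fixed. `allow init init:tcp_socket { create };` together with netd.te's `allow netd init:tcp_socket { read write getopt }` looks like a socket created by init and inherited by netd; if so, a comment here naming the rc command that creates it would make the pair reviewable.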
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 520da3a..6145b7c 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,3 +1,7 @@
allow mediaserver { firmware_camera }:file r_file_perms;
allow mediaserver firmware_camera:dir r_dir_perms;
allow mediaserver camera_data_file:file rw_file_perms;
+allow mediaserver mfc_device:chr_file rw_file_perms;
+
+# Bluetooth audio
+allow mediaserver bluetooth:unix_stream_socket { connectto };
diff --git a/selinux/netd.te b/selinux/netd.te
new file mode 100644
index 0000000..98db7f5
--- /dev/null
+++ b/selinux/netd.te
@@ -0,0 +1,2 @@
+allow netd init:tcp_socket { read write getopt };
+allow netd kernel:system module_request;
diff --git a/selinux/nfc.te b/selinux/nfc.te
new file mode 100644
index 0000000..b8d1d44
--- /dev/null
+++ b/selinux/nfc.te
@@ -0,0 +1 @@
+allow nfc firmware_camera:dir search;
diff --git a/selinux/rild.te b/selinux/rild.te
index 7f817d0..1df1a78 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -1,7 +1,14 @@
allow rild self:netlink_socket { create bind read write };
allow rild self:netlink_route_socket { write };
allow rild self:netlink_kobject_uevent_socket { create bind read write setopt };
+allow rild rild:process { execmem };
+
+allow rild radio_data_file:dir setattr;
+allow rild unlabeled:dir search;
allow rild radio_device:chr_file rw_file_perms;
allow rild efs_block_device:blk_file rw_file_perms;
allow rild efs_file:file { read open write setattr };
+
+allow rild efs_device_file:dir create_dir_perms;
+allow rild efs_device_file:file { setattr create rw_file_perms link_file_perms };
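Review bot: `allow rild unlabeled:dir search;` (and `allow sysinit unlabeled:dir { search };` in sysinit.te) grants access to directories that never received a label instead of fixing the labelling, so the real cause stays hidden; the directory should be located and given a file_contexts entry, after which both lines can go. `allow rild efs_device_file:file { setattr create rw_file_perms link_file_perms }` includes `link` (hard links) on the EFS tree, which rild is unlikely to need — if only `unlink` or `rename` are required, list them explicitly. A heading comment separating the EFS rules from the netlink rules, as mediaserver.te does with `# Bluetooth audio`, would help.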
diff --git a/selinux/service_contexts b/selinux/service_contexts
new file mode 100644
index 0000000..fb14cf2
--- /dev/null
+++ b/selinux/service_contexts
@@ -0,0 +1,3 @@
+SecTVOutService u:object_r:surfaceflinger_service:s0
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+Exynos.IPService u:object_r:surfaceflinger_service:s0
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..40a665d
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager gpsd:dir { search read write };
+allow servicemanager gpsd:file { open read write };
+allow servicemanager gpsd:process getattr;
diff --git a/selinux/surfaceflinger.te b/selinux/surfaceflinger.te
new file mode 100644
index 0000000..00fa1e9
--- /dev/null
+++ b/selinux/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger hpd_device:chr_file rw_file_perms;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..55e9dc5
--- /dev/null
+++ b/selinux/sysinit.te
@@ -0,0 +1,6 @@
+allow sysinit firmware_camera:dir { read search open getattr };
+allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
+allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
+allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
+allow sysinit sysinit:capability { dac_override chown fowner fsetid };
+allow sysinit unlabeled:dir { search };
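Review bot: `execute_no_trans` on `userinit_exec` (line 2 of this file) runs userinit inside the sysinit domain, which here also holds `dac_override chown fowner fsetid`, instead of transitioning it to its own domain; vold.te in this commit does the same with `sdcardd_exec`, so sdcardd runs with vold's privileges where AOSP uses `domain_auto_trans(vold, sdcardd_exec, sdcardd)`. Unless the binaries genuinely cannot be confined, replace the two grants with `domain_auto_trans(sysinit, userinit_exec, <userinit-domain>)` and the vold→sdcardd transition. Line 1 (`firmware_camera:dir { read search open getattr }`) is a subset of line 3 and can be deleted.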
diff --git a/selinux/system.te b/selinux/system.te
deleted file mode 100644
index 395aeea..0000000
--- a/selinux/system.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow system input_device:chr_file { read ioctl write open };
-allow system sensors_device:chr_file { read open };
-allow system sensors_data_file:file r_file_perms;
-allow system wpa_socket:unix_dgram_socket sendto;
-
-allow system sysfs:file { read open write };
-allow system self:capability { sys_module };
-
-# /efs/wifi/.mac.info
-allow system wifi_data_file:file { read open };
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..bc716f2
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1 @@
+allow system_app sysfs_display:file { getattr open read write };
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..e42bdd0
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,18 @@
+allow system_server input_device:chr_file { read ioctl write open };
+allow system_server sensors_device:chr_file { read open };
+allow system_server sensors_data_file:file r_file_perms;
+allow system_server wpa_socket:unix_dgram_socket sendto;
+
+allow system_server sysfs:file { read open write };
+allow system_server self:capability { sys_module };
+
+allow system_server efs_file:dir search;
+allow system_server efs_device_file:dir search;
+allow system_server uhid_device:chr_file { read ioctl write open };
+
+# /efs/wifi/.mac.info
+allow system_server wifi_data_file:file { read open };
+
+allow system_server default_prop:property_service set;
+
+allow system_server gpsd:binder transfer;
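Review bot: `allow system_server default_prop:property_service set;` lets system_server set every property that has no specific entry in property_contexts, not just the one that produced the denial; the property should be named in a comment here and given its own label (or an existing type such as `system_prop`) so the grant is scoped. Separately, the old `system` rules were renamed to `system_server` in this file (`allow system_server wpa_socket:unix_dgram_socket sendto;`) but to `system_app` in wpa_supplicant.te (`allow wpa_socket system_app:unix_dgram_socket sendto;`); one of the two is presumably wrong, since the reply direction should name the domain that sends. `self:capability { sys_module }` and the raw `sysfs:file { read open write }` were carried over from system.te unchanged; a comment on why system_server loads kernel modules on this board would help the next reviewer.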
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index 4037e57..1d993e4 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -1,3 +1,4 @@
# Firmwares
allow ueventd { firmware_mfc }:file r_file_perms;
allow ueventd { firmware_camera }:dir search;
+allow ueventd { firmware_camera }:file { read getattr open };
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..a2cbe68
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,5 @@
+allow vold kernel:process setsched;
+allow vold sdcardd_exec:file { read open execute execute_no_trans };
+
+allow vold efs_device_file:dir rw_file_perms;
+allow vold efs_device_file:file rw_file_perms;
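Review bot: `allow vold efs_device_file:dir rw_file_perms;` applies a file-permission macro to the `dir` class, so it grants `append` and `lock` on a directory but not `search`, `add_name` or `remove_name`; if vold creates or removes entries under /efs the rule will still deny, and if it only lists the directory `r_dir_perms` is the right macro — `rw_dir_perms` if both. `allow vold kernel:process setsched;` is unusual enough that a one-line comment naming the vold code path that changes a kernel thread's scheduling would save the next reader a search.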
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
index bbe679b..6e221e3 100755..100644
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -4,6 +4,7 @@ allow wpa init:unix_dgram_socket { read write };
allow wpa devpts:chr_file { read write };
allow wpa wpa_socket:unix_dgram_socket { read write };
-allow wpa_socket system:unix_dgram_socket sendto;
+allow wpa_socket system_app:unix_dgram_socket sendto;
allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;