Diffstat (limited to 'selinux')
-rw-r--r--selinux/bluetooth.te4
-rw-r--r--selinux/device.te2
-rw-r--r--selinux/file.te3
-rw-r--r--selinux/file_contexts15
-rw-r--r--selinux/gpsd.te8
-rw-r--r--selinux/init.te2
-rw-r--r--selinux/mediaserver.te4
-rw-r--r--selinux/netd.te2
-rw-r--r--selinux/nfc.te1
-rw-r--r--selinux/rild.te7
-rw-r--r--selinux/service_contexts3
-rw-r--r--selinux/servicemanager.te3
-rw-r--r--selinux/surfaceflinger.te1
-rw-r--r--selinux/sysinit.te6
-rw-r--r--selinux/system.te10
-rw-r--r--selinux/system_app.te1
-rw-r--r--selinux/system_server.te18
-rw-r--r--selinux/ueventd.te1
-rw-r--r--selinux/vold.te5
-rw-r--r--[-rwxr-xr-x]selinux/wpa_supplicant.te3
20 files changed, 87 insertions, 12 deletions
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..76e62ea
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,4 @@
+allow bluetooth bluetooth_efs_file:dir search;
+allow bluetooth bluetooth_efs_file:file read;
+allow bluetooth sysfs:file write;
+allow bluetooth efs_device_file:dir search;
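Review bot: `allow bluetooth sysfs:file write;` targets the generic `sysfs` type, so the bluetooth domain may write to every sysfs node that has no more specific label, not only the one it needs. This commit already shows the narrower pattern with `sysfs_display` in file.te and file_contexts; the same could be done here by labelling the node bluetooth actually writes and allowing write on that type only. `allow system_server sysfs:file { read open write };` in system_server.te has the same breadth. If the rule has to stay for now, a comment naming the sysfs path that triggered the denial would let a later reviewer tighten it.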
diff --git a/selinux/device.te b/selinux/device.te
index cca8ee1..ae6c250 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,3 +1,5 @@
type mali_device, dev_type, mlstrustedobject;
type rfkill_device, dev_type;
type efs_block_device, dev_type;
+type hpd_device, dev_type;
+type mfc_device, dev_type;
diff --git a/selinux/file.te b/selinux/file.te
index 9d1d823..15e8eff 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -2,3 +2,6 @@ type firmware_mfc, file_type;
type firmware_camera, file_type;
type sensors_data_file, file_type, data_file_type;
+type sysfs_display, fs_type, sysfs_type;
+
+type efs_device_file, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 55022ec..42b5fe4 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -11,17 +11,24 @@
/dev/umts_rfs0 u:object_r:radio_device:s0
/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+/efs u:object_r:efs_device_file:s0
# Camera
/data/ISP_CV u:object_r:camera_data_file:s0
/dev/exynos-mem u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
# Bluetooth
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
-/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# Display
+/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
+/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
# GPS
/dev/ttySAC1 u:object_r:gps_device:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
# Sensors
/dev/akm8975 u:object_r:sensors_device:s0
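Review bot: The new `/efs u:object_r:efs_device_file:s0` entry has no `(/.*)?` suffix, so it matches only the directory itself, while rild.te and vold.te in this commit grant `efs_device_file:file` permissions. Those rules would then only apply to files that pick up the type some other way, presumably by inheriting it from the parent directory at creation time. The tree also uses `efs_file` (rild.te, system_server.te), and nothing visible here says which paths end up with which type. A comment above the entry would help, for example `# /efs directory only; contents keep efs_file unless created under this label` (wording to be confirmed by the author).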
@@ -35,3 +42,9 @@
/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
/data/cfw(/.*)? u:object_r:firmware_camera:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+
+# Misc
+/dev/HPD u:object_r:hpd_device:s0
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..5c7e39c
--- /dev/null
+++ b/selinux/gpsd.te
@@ -0,0 +1,8 @@
+allow gpsd rild:unix_stream_socket connectto;
+allow gpsd system_data_file:fifo_file { create read write setattr open };
+allow gpsd servicemanager:binder call;
+allow gpsd sysfs_wake_lock:file { read write open };
+allow gpsd system_data_file:file { create read write setattr open };
+allow gpsd system_data_file:dir { read write setattr open add_name };
+allow gpsd system_server:binder call;
+allow gpsd system_server:unix_stream_socket { read write };
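Review bot: The three `system_data_file` rules give gpsd `create`, `write` and `setattr` on files, fifos and directories carrying the generic /data label, which is wider than a GPS daemon's own state directory. A dedicated type for gpsd's files, labelled in file_contexts next to the new `/system/bin/gpsd` entry, would confine those writes to its own path. The directory rule also has `add_name` but not `search` or `remove_name`, which suggests the set came from denial logs and may be incomplete. If it is kept as is, add a comment such as `# TODO: move gpsd state to its own type instead of system_data_file`.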
diff --git a/selinux/init.te b/selinux/init.te
index 3f11893..57397c6 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1 +1,3 @@
allow init wpa_socket:unix_dgram_socket { bind create };
+allow init init:process { execmem };
+allow init init:tcp_socket { create };
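Review bot: `allow init init:process { execmem };` and `allow init init:tcp_socket { create };` apply to everything that runs in the init domain, so any service started without a domain transition gains executable anonymous memory and TCP socket creation. netd.te in this commit then adds `allow netd init:tcp_socket { read write getopt };`, which looks like the same socket being inherited. This points to a service that still runs as init; giving it its own domain and a labelled executable would keep these permissions away from init itself. rild.te adds the same `execmem` grant for rild; if a binary blob really needs it, a comment naming that binary is worth adding. Writing the target as `self` (`allow init self:process execmem;`) would also match the existing `self:` rules in rild.te.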
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 520da3a..6145b7c 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,3 +1,7 @@
allow mediaserver { firmware_camera }:file r_file_perms;
allow mediaserver firmware_camera:dir r_dir_perms;
allow mediaserver camera_data_file:file rw_file_perms;
+allow mediaserver mfc_device:chr_file rw_file_perms;
+
+# Bluetooth audio
+allow mediaserver bluetooth:unix_stream_socket { connectto };
diff --git a/selinux/netd.te b/selinux/netd.te
new file mode 100644
index 0000000..98db7f5
--- /dev/null
+++ b/selinux/netd.te
@@ -0,0 +1,2 @@
+allow netd init:tcp_socket { read write getopt };
+allow netd kernel:system module_request;
diff --git a/selinux/nfc.te b/selinux/nfc.te
new file mode 100644
index 0000000..b8d1d44
--- /dev/null
+++ b/selinux/nfc.te
@@ -0,0 +1 @@
+allow nfc firmware_camera:dir search;
diff --git a/selinux/rild.te b/selinux/rild.te
index 7f817d0..1df1a78 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -1,7 +1,14 @@
allow rild self:netlink_socket { create bind read write };
allow rild self:netlink_route_socket { write };
allow rild self:netlink_kobject_uevent_socket { create bind read write setopt };
+allow rild rild:process { execmem };
+
+allow rild radio_data_file:dir setattr;
+allow rild unlabeled:dir search;
allow rild radio_device:chr_file rw_file_perms;
allow rild efs_block_device:blk_file rw_file_perms;
allow rild efs_file:file { read open write setattr };
+
+allow rild efs_device_file:dir create_dir_perms;
+allow rild efs_device_file:file { setattr create rw_file_perms link_file_perms };
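Review bot: `allow rild unlabeled:dir search;` lets rild traverse any directory whose label is missing or invalid, which usually hides a path that is absent from file_contexts or was never relabelled. The same rule appears in sysinit.te (`allow sysinit unlabeled:dir { search };`). Finding the directory behind the denial and labelling it would remove the need for both rules. Until then, a comment such as `# TODO: identify the unlabeled path and label it in file_contexts` would record why the rule exists.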
diff --git a/selinux/service_contexts b/selinux/service_contexts
new file mode 100644
index 0000000..fb14cf2
--- /dev/null
+++ b/selinux/service_contexts
@@ -0,0 +1,3 @@
+SecTVOutService u:object_r:surfaceflinger_service:s0
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+Exynos.IPService u:object_r:surfaceflinger_service:s0
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..40a665d
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager gpsd:dir { search read write };
+allow servicemanager gpsd:file { open read write };
+allow servicemanager gpsd:process getattr;
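Review bot: The `write` permission in `allow servicemanager gpsd:dir { search read write };` and `allow servicemanager gpsd:file { open read write };` looks unnecessary. Objects labelled with a domain type are presumably gpsd's /proc entries, and looking up a caller only needs read access. If that assumption holds, `allow servicemanager gpsd:dir search;` and `allow servicemanager gpsd:file { open read };` together with the existing `gpsd:process getattr` should be enough. The rules probably come straight from denial logs, so retest with the reduced set before keeping `write`.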
diff --git a/selinux/surfaceflinger.te b/selinux/surfaceflinger.te
new file mode 100644
index 0000000..00fa1e9
--- /dev/null
+++ b/selinux/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger hpd_device:chr_file rw_file_perms;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..55e9dc5
--- /dev/null
+++ b/selinux/sysinit.te
@@ -0,0 +1,6 @@
+allow sysinit firmware_camera:dir { read search open getattr };
+allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
+allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
+allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
+allow sysinit sysinit:capability { dac_override chown fowner fsetid };
+allow sysinit unlabeled:dir { search };
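Review bot: The first rule, `allow sysinit firmware_camera:dir { read search open getattr };`, is a strict subset of the third rule on the same type and class and can be dropped. More importantly, file_contexts labels both `/system/vendor/firmware(/.*)?` and `/data/cfw(/.*)?` as `firmware_camera`, so the `write create unlink` and `add_name remove_name` grants cover the vendor firmware tree as well as the data copy. Combined with `dac_override chown fowner fsetid` and `execute_no_trans` on `userinit_exec`, user init scripts run inside this domain with those rights. Giving `/data/cfw` its own type and restricting the write rules to it would narrow this; at minimum, add a comment stating which path sysinit is expected to modify.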
diff --git a/selinux/system.te b/selinux/system.te
deleted file mode 100644
index 395aeea..0000000
--- a/selinux/system.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow system input_device:chr_file { read ioctl write open };
-allow system sensors_device:chr_file { read open };
-allow system sensors_data_file:file r_file_perms;
-allow system wpa_socket:unix_dgram_socket sendto;
-
-allow system sysfs:file { read open write };
-allow system self:capability { sys_module };
-
-# /efs/wifi/.mac.info
-allow system wifi_data_file:file { read open };
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..bc716f2
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1 @@
+allow system_app sysfs_display:file { getattr open read write };
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..e42bdd0
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,18 @@
+allow system_server input_device:chr_file { read ioctl write open };
+allow system_server sensors_device:chr_file { read open };
+allow system_server sensors_data_file:file r_file_perms;
+allow system_server wpa_socket:unix_dgram_socket sendto;
+
+allow system_server sysfs:file { read open write };
+allow system_server self:capability { sys_module };
+
+allow system_server efs_file:dir search;
+allow system_server efs_device_file:dir search;
+allow system_server uhid_device:chr_file { read ioctl write open };
+
+# /efs/wifi/.mac.info
+allow system_server wifi_data_file:file { read open };
+
+allow system_server default_prop:property_service set;
+
+allow system_server gpsd:binder transfer;
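Review bot: `allow system_server default_prop:property_service set;` lets system_server set every property that has no specific entry in property_contexts, which is a broad grant for one missing label. Labelling the property that caused the denial and allowing `set` on that type would be narrower. The first block is carried over from the deleted system.te, including `sysfs:file { read open write }` and `self:capability { sys_module }`, and neither has a comment explaining which driver or node needs it. A comment such as `# TODO: label the property in property_contexts and drop default_prop` would record the intent.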
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index 4037e57..1d993e4 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -1,3 +1,4 @@
# Firmwares
allow ueventd { firmware_mfc }:file r_file_perms;
allow ueventd { firmware_camera }:dir search;
+allow ueventd { firmware_camera }:file { read getattr open };
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..a2cbe68
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,5 @@
+allow vold kernel:process setsched;
+allow vold sdcardd_exec:file { read open execute execute_no_trans };
+
+allow vold efs_device_file:dir rw_file_perms;
+allow vold efs_device_file:file rw_file_perms;
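Review bot: `allow vold efs_device_file:dir rw_file_perms;` applies the file permission macro to the `dir` class, so it does not grant `search`, `add_name` or `remove_name`, and vold probably still cannot traverse or modify the directory. If vold only needs to walk /efs, `allow vold efs_device_file:dir r_dir_perms;` is the usual form; if it must create entries, use `rw_dir_perms`. A short comment on why vold touches /efs at all, and on `allow vold kernel:process setsched;`, would also help review.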
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
index bbe679b..6e221e3 100755..100644
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -4,6 +4,7 @@ allow wpa init:unix_dgram_socket { read write };
allow wpa devpts:chr_file { read write };
allow wpa wpa_socket:unix_dgram_socket { read write };
-allow wpa_socket system:unix_dgram_socket sendto;
+allow wpa_socket system_app:unix_dgram_socket sendto;
allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;
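Review bot: The changed rule `allow wpa_socket system_app:unix_dgram_socket sendto;` maps the old `system` domain to `system_app`, while the rest of the commit moves the system.te rules to `system_server`, including `allow system_server wpa_socket:unix_dgram_socket sendto;`. Please confirm which peer is intended. The source of this rule is also `wpa_socket`, which the neighbouring lines use as an object type (`wpa_socket:unix_dgram_socket`, `wifi_data_file:sock_file unlink`) rather than as a process domain, so the rule may never match. If the aim is for the supplicant to reply to the framework, `allow wpa system_server:unix_dgram_socket sendto;` looks like the rule that was meant, subject to checking the denial it came from.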