From 8f0313215eb8643c71a692cc2318a1440d1ab0a9 Mon Sep 17 00:00:00 2001
From: Wolfgang Wiedmeyer
Date: Tue, 16 Feb 2016 18:36:09 +0100
Subject: selinux: allow rild access to sysfs_radio and let system_server open the wifi firmware This makes RIL and wifi work with SELinux in enforcing mode also remove rules for the proprietary cbd
Signed-off-by: Wolfgang Wiedmeyer
---
 selinux/cpboot-daemon.te | 25 -------------------------
 selinux/file.te | 1 -
 selinux/file_contexts | 1 -
 selinux/init.te | 1 -
 selinux/rild.te | 2 ++
 selinux/system_server.te | 4 ++++
 6 files changed, 6 insertions(+), 28 deletions(-)
 delete mode 100644 selinux/cpboot-daemon.te
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
deleted file mode 100644
index 9974ff2..0000000
--- a/selinux/cpboot-daemon.te
+++ /dev/null
@@ -1,25 +0,0 @@
-type cpboot-daemon, domain;
-
-permissive cpboot-daemon;
-
-allow cpboot-daemon cgroup:dir { create add_name };
-allow cpboot-daemon device:dir { write remove_name add_name };
-allow cpboot-daemon efs_block_device:blk_file { read open };
-allow cpboot-daemon efs_device_file:dir search;
-allow cpboot-daemon efs_file:file { read write open };
-allow cpboot-daemon init:unix_stream_socket connectto;
-allow cpboot-daemon log_device:chr_file { write open };
-allow cpboot-daemon log_device:dir search;
-allow cpboot-daemon property_socket:sock_file write;
-allow cpboot-daemon radio_device:chr_file { read write ioctl open };
-allow cpboot-daemon radio_prop:property_service set;
-allow cpboot-daemon self:capability { setuid };
-allow cpboot-daemon sysfs_radio:file { read write open };
-allow cpboot-daemon usbfs:dir search;
-allow cpboot-daemon self:capability dac_override;
-allow cpboot-daemon cbd_device:chr_file create_file_perms;
-
-# FIX ME
-# allow cpboot-daemon usbfs:filesystem mount;
-# allow cpboot-daemon self:capability { mknod };
-
diff --git a/selinux/file.te b/selinux/file.te
index 12b280a..f5edd1a 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -8,4 +8,3 @@ type efs_device_file, file_type;
 type radio_data, file_type;
 type sysfs_radio, fs_type, sysfs_type;
 type sysfs_sensor, fs_type, sysfs_type;
-type cbd_device, dev_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 6e54311..83f6559 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -10,7 +10,6 @@
 /dev/umts_ipc0 u:object_r:radio_device:s0
 /dev/umts_ramdump0 u:object_r:radio_device:s0
 /dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/__cbd_msg_ u:object_r:cbd_device:s0
 /efs u:object_r:efs_device_file:s0
 /data/misc/radio(/.*)? u:object_r:radio_data:s0
diff --git a/selinux/init.te b/selinux/init.te
index 6056a94..1740499 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -10,4 +10,3 @@ allow init sysfs_sensor:lnk_file { setattr read };
 allow init rild:process noatsecure;
 domain_trans(init, rootfs, glgps)
-domain_trans(init, rootfs, cpboot-daemon)
diff --git a/selinux/rild.te b/selinux/rild.te
index 5da4924..d40aae8 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -18,3 +18,5 @@ allow rild efs_file:file { read open write setattr };
 allow rild efs_device_file:dir create_dir_perms;
 allow rild efs_device_file:file { setattr create create_file_perms };
+
+allow rild sysfs_radio:file { read write open };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index b20927b..09a603e 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -22,6 +22,10 @@ allow system_server system_file:file execmod;
 # /efs/wifi/.mac.info
 allow system_server wifi_data_file:file { read open };
+# wifi firmware
+allow system_server firmware_exynos:dir { open read search };
+allow system_server firmware_exynos:file { open read };
+
 allow system_server glgps:binder transfer;
 type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
--
cgit v1.1
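Review bot: The added `allow rild sysfs_radio:file { read write open };` at the end of rild.te grants write on every file labeled sysfs_radio, and nothing in the hunk says which sysfs node rild needs or why. Writes to sysfs land in kernel driver code and rild processes data coming from the baseband, so this grant deserves a scoping comment; the file_contexts or genfs labeling for sysfs_radio is not part of this patch, so how many nodes the type covers has to be checked separately. I would put a comment above the rule in the style system_server.te uses, e.g. `# <sysfs node(s) labeled sysfs_radio that rild writes>`, and keep `write` only if the observed denial actually included it.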
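Review bot: `allow system_server firmware_exynos:dir { open read search };` lets system_server enumerate the firmware directory, which is more than opening a known file needs; if the wifi code opens a fixed path, `allow system_server firmware_exynos:dir search;` should be enough. Judging by its name, firmware_exynos presumably labels more than the wifi blob, in which case the file rule makes all of that firmware readable by system_server; the type's declaration and file_contexts entry are not in this patch, so that should be confirmed. The `# wifi firmware` comment could name the file the way the `# /efs/wifi/.mac.info` comment above it does, e.g. `# wifi firmware: <path of the firmware file>`.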