From 2aa1146201ea9b422f7c72c01250f415ef712c4a Mon Sep 17 00:00:00 2001
From: Daniel Hillenbrand
Date: Wed, 14 Aug 2013 20:02:51 +0200
Subject: i9300: add selinux policies
Change-Id: I0304c2efeb06b583a28ea9c9dcc874254ee3930f
---
 selinux/device.te | 3 +++
 selinux/domain.te | 2 ++
 selinux/file.te | 5 +++++
 selinux/file_contexts | 40 ++++++++++++++++++++++++++++++++++++++++
 selinux/init.te | 1 +
 selinux/mediaserver.te | 3 +++
 selinux/rild.te | 7 +++++++
 selinux/system.te | 10 ++++++++++
 selinux/ueventd.te | 3 +++
 selinux/vold.te | 2 ++
 selinux/wpa_supplicant.te | 10 ++++++++++
 11 files changed, 86 insertions(+)
 create mode 100644 selinux/device.te
 create mode 100644 selinux/domain.te
 create mode 100644 selinux/file.te
 create mode 100644 selinux/file_contexts
 create mode 100644 selinux/init.te
 create mode 100644 selinux/mediaserver.te
 create mode 100644 selinux/rild.te
 create mode 100644 selinux/system.te
 create mode 100644 selinux/ueventd.te
 create mode 100644 selinux/vold.te
 create mode 100755 selinux/wpa_supplicant.te
(limited to 'selinux')
diff --git a/selinux/device.te b/selinux/device.te
new file mode 100644
index 0000000..cca8ee1
--- /dev/null
+++ b/selinux/device.te
@@ -0,0 +1,3 @@
+type mali_device, dev_type, mlstrustedobject;
+type rfkill_device, dev_type;
+type efs_block_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
new file mode 100644
index 0000000..26e8033
--- /dev/null
+++ b/selinux/domain.te
@@ -0,0 +1,2 @@
+## /dev/mali, /dev/ump
+allow domain mali_device:chr_file rw_file_perms;
diff --git a/selinux/file.te b/selinux/file.te
new file mode 100644
index 0000000..2a01dac
--- /dev/null
+++ b/selinux/file.te
@@ -0,0 +1,5 @@
+type firmware_mfc, file_type;
+type firmware_camera, file_type;
+
+type camera_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..93065b8
--- /dev/null
+++ b/selinux/file_contexts
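Review bot: `allow domain mali_device:chr_file rw_file_perms;` hands every domain on the device, including the untrusted app domains, open/read/write/ioctl access to all three nodes that file_contexts labels mali_device (/dev/mali, /dev/ump and /dev/fimg2d), so the full ioctl surface of those kernel drivers is reachable from any process. The base policy already declares a `gpu_device` type with the same `dev_type, mlstrustedobject` attributes that device.te gives `mali_device`; if, as I recall, the AOSP domain.te grants domain access to it, labeling these nodes `u:object_r:gpu_device:s0` would reuse that rule and its neverallow coverage instead of forking a device-specific copy. If a separate type is kept, the comment above the rule should also name /dev/fimg2d, which it currently omits, since the 2D blitter is a different driver from the GPU.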
@@ -0,0 +1,40 @@
+# GFX
+/dev/mali u:object_r:mali_device:s0
+/dev/ump u:object_r:mali_device:s0
+/dev/fimg2d u:object_r:mali_device:s0
+
+# NFC
+/dev/pn544 u:object_r:nfc_device:s0
+
+# RIL
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+
+/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+
+# Sensors
+/dev/akm8975 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+
+# Wifi
+/dev/rfkill u:object_r:rfkill_device:s0
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/data/cfw(/.*)? u:object_r:firmware_camera:s0
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..3f11893
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
new file mode 100644
index 0000000..520da3a
--- /dev/null
+++ b/selinux/mediaserver.te
@@ -0,0 +1,3 @@
+allow mediaserver { firmware_camera }:file r_file_perms;
+allow mediaserver firmware_camera:dir r_dir_perms;
+allow mediaserver camera_data_file:file rw_file_perms;
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100644
index 0000000..7f817d0
--- /dev/null
+++ b/selinux/rild.te
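Review bot: `/efs/bluetooth/(/.*)?` has a stray slash before the optional group, so the anchored regex matches neither `/efs/bluetooth` itself nor `/efs/bluetooth/<file>` (only a doubled-slash path); it should read `/efs/bluetooth(/.*)?` like the firmware entries below. `/system/vendor/firmware(/.*)?` and `/data/cfw(/.*)?` both receive `firmware_camera`, so read-only vendor firmware and a writable data-partition tree become indistinguishable to every domain granted that type (mediaserver and ueventd in this change), and whoever can write under /data/cfw controls what those loaders read. If /data/cfw is meant for field-updatable firmware, give it its own type in file.te and grant it only to the loader that needs it, with a comment naming the writer. The dots in `/efs/wifi/.mac.info` are also unescaped regex metacharacters; `/efs/wifi/\.mac\.info` pins the intended path.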
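Review bot: `allow init wpa_socket:unix_dgram_socket { bind create };` reads oddly because wpa_socket is a file type in the base policy, and the rule only makes sense if init creates the supplicant's control socket with that label (init sets the socket creation context from the file_contexts entry for the socket path, as I understand it). A comment stating that would stop the next reader from treating it as a mislabeling: `# init creates the wpa_supplicant control socket with the wpa_socket context (setsockcreatecon from file_contexts), so the socket object itself, not just the sock_file, carries that type`. The same pairing appears in system.te and wpa_supplicant.te and would be covered by this one comment.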
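Review bot: The braces in `allow mediaserver { firmware_camera }:file r_file_perms;` enclose a single type and are redundant; the plain form used on the next line is clearer, and the same applies to both rules in ueventd.te. More substantively, because file_contexts maps `/data/cfw(/.*)?` to `firmware_camera` as well, this read grant lets mediaserver load camera firmware from the writable data partition; if that is intended the rule deserves a comment saying so, otherwise the /data location should get its own type. `allow mediaserver camera_data_file:file rw_file_perms;` presumably lacks `create`, so it only works if /data/ISP_CV already exists when the camera HAL opens it — worth confirming against the HAL.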
@@ -0,0 +1,7 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create bind read write setopt };
+
+allow rild radio_device:chr_file rw_file_perms;
+allow rild efs_block_device:blk_file rw_file_perms;
+allow rild efs_file:file { read open write setattr };
diff --git a/selinux/system.te b/selinux/system.te
new file mode 100644
index 0000000..0ac9cfc
--- /dev/null
+++ b/selinux/system.te
@@ -0,0 +1,10 @@
+allow system uinput_device:chr_file { read ioctl write open };
+allow system sensors_device:chr_file { read open };
+allow system sensors_data_file:file r_file_perms;
+allow system wpa_socket:unix_dgram_socket sendto;
+
+allow system sysfs:file { read open write };
+allow system self:capability { sys_module };
+
+# /efs/wifi/.mac.info
+allow system wifi_data_file:file { read open };
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
new file mode 100644
index 0000000..4037e57
--- /dev/null
+++ b/selinux/ueventd.te
@@ -0,0 +1,3 @@
+# Firmwares
+allow ueventd { firmware_mfc }:file r_file_perms;
+allow ueventd { firmware_camera }:dir search;
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..9452abf
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,2 @@
+allow vold kernel:process setsched;
+allow vold sdcardd_exec:file { read open execute execute_no_trans };
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
new file mode 100755
index 0000000..ab5fb24
--- /dev/null
+++ b/selinux/wpa_supplicant.te
@@ -0,0 +1,10 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system:unix_dgram_socket sendto;
+
+allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
-- 
cgit v1.1
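Review bot: `allow rild efs_block_device:blk_file rw_file_perms;` gives the RIL daemon raw read and write access to the EFS partition (/dev/block/mmcblk0p7 per file_contexts), bypassing the filesystem and every file-level label beneath it, while the next line already grants the file-level access to efs_file. Raw block writes from a daemon that parses modem input are a corruption risk for the partition holding radio calibration data; if rild only reads it, drop to `r_file_perms`, and either way add a comment recording which code path needs block-level access. The `efs_file:file { read open write setattr }` set also omits `getattr`, which open() paths usually trigger, so that rule may still produce denials.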
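Review bot: `allow system self:capability { sys_module };` lets system_server load arbitrary kernel modules, which turns any code execution in system_server into kernel code execution, and `allow system sysfs:file { read open write };` grants write to every file labeled sysfs rather than the specific nodes the framework touches. If the capability is there for the Wi-Fi HAL's driver insmod, a comment saying so (`# CAP_SYS_MODULE: wifi HAL loads the wlan driver from system_server`) makes the trade-off reviewable, and the sysfs write should be narrowed by labeling the written nodes with a dedicated type in file_contexts and granting only that type. `wifi_data_file:file { read open }` also lacks `getattr`; `r_file_perms` would cover it consistently with the sensors_data_file rule above.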
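Review bot: `allow vold sdcardd_exec:file { read open execute execute_no_trans };` runs the sdcard daemon inside the vold domain: `execute_no_trans` means the exec happens without a domain transition, so the FUSE daemon that serves app-accessible storage inherits all of vold's permissions instead of the confined sdcardd domain the base policy defines for that executable. The intended form is `domain_auto_trans(vold, sdcardd_exec, sdcardd)`, which both permits the exec and switches into sdcardd. `allow vold kernel:process setsched;` also deserves a comment naming which kernel thread vold reschedules, since as written it reads like an unexamined audit2allow artifact.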
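Review bot: `allow wpa_socket wifi_data_file:sock_file unlink;` appears to have the wrong source: unlink is a file-class permission checked against the calling process's domain, and no process runs as wpa_socket (a file type), so the rule is dead and the supplicant's removal of a stale socket file will still be denied; the likely intent is `allow wpa wifi_data_file:sock_file unlink;` plus `remove_name` on the parent directory if the base policy does not already grant it. `allow wpa devpts:chr_file { read write };` reaches any pty on the system rather than only the one logwrapper hands the supplicant; that is the usual pattern for logwrapped services, but the comment above it should say so. The file is also created with mode 100755 and no trailing newline, unlike the other .te files in this change.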