From 70b829c1cc578881ab6ba013034cd42345ddf49a Mon Sep 17 00:00:00 2001
From: MarcKe
Date: Sun, 15 Mar 2015 09:44:25 +0100
Subject: i9300: squash selinux updates for CM 12.x
i9300: selinux updates for cm12
Change-Id: I724a1acb4724ae34e60881da4708f7fbc98080ad
i9300: Selinux updates
Change-Id: I4e31d24c2eefcfdffa49cf1ee7468498200bb83c
---
selinux/bluetooth.te | 4 ++++
selinux/device.te | 2 ++
selinux/file.te | 3 +++
selinux/file_contexts | 15 ++++++++++++++-
selinux/gpsd.te | 8 ++++++++
selinux/init.te | 2 ++
selinux/mediaserver.te | 4 ++++
selinux/netd.te | 2 ++
selinux/nfc.te | 1 +
selinux/rild.te | 7 +++++++
selinux/service_contexts | 3 +++
selinux/servicemanager.te | 3 +++
selinux/surfaceflinger.te | 1 +
selinux/sysinit.te | 6 ++++++
selinux/system.te | 10 ----------
selinux/system_app.te | 1 +
selinux/system_server.te | 18 ++++++++++++++++++
selinux/ueventd.te | 1 +
selinux/vold.te | 5 +++++
selinux/wpa_supplicant.te | 3 ++-
20 files changed, 87 insertions(+), 12 deletions(-)
create mode 100644 selinux/bluetooth.te
create mode 100644 selinux/gpsd.te
create mode 100644 selinux/netd.te
create mode 100644 selinux/nfc.te
create mode 100644 selinux/service_contexts
create mode 100644 selinux/servicemanager.te
create mode 100644 selinux/surfaceflinger.te
create mode 100644 selinux/sysinit.te
delete mode 100644 selinux/system.te
create mode 100644 selinux/system_app.te
create mode 100644 selinux/system_server.te
create mode 100644 selinux/vold.te
mode change 100755 => 100644 selinux/wpa_supplicant.te
(limited to 'selinux')
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..76e62ea
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,4 @@
+allow bluetooth bluetooth_efs_file:dir search;
+allow bluetooth bluetooth_efs_file:file read;
+allow bluetooth sysfs:file write;
+allow bluetooth efs_device_file:dir search;
diff --git a/selinux/device.te b/selinux/device.te
index cca8ee1..ae6c250 100644
--- a/selinux/device.te
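Review bot: `allow bluetooth sysfs:file write;` in bluetooth.te grants write on every file carrying the generic sysfs label, while the other three lines of the hunk are scoped to a specific type; this one should be scoped the same way. Label the node the daemon actually writes (AOSP has a `sysfs_bluetooth_writable` type for this purpose, if the CM12 base policy carries it) and use `allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;` instead. Either way, a comment recording the path from the denial, e.g. `# <sysfs path from the avc denial>`, makes the rule auditable later.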
+++ b/selinux/device.te
@@ -1,3 +1,5 @@
 type mali_device, dev_type, mlstrustedobject;
 type rfkill_device, dev_type;
 type efs_block_device, dev_type;
+type hpd_device, dev_type;
+type mfc_device, dev_type;
diff --git a/selinux/file.te b/selinux/file.te
index 9d1d823..15e8eff 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -2,3 +2,6 @@
 type firmware_mfc, file_type;
 type firmware_camera, file_type;
 type sensors_data_file, file_type, data_file_type;
+type sysfs_display, fs_type, sysfs_type;
+
+type efs_device_file, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 55022ec..42b5fe4 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -11,17 +11,24 @@
 /dev/umts_rfs0 u:object_r:radio_device:s0
 /dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+/efs u:object_r:efs_device_file:s0
 # Camera
 /data/ISP_CV u:object_r:camera_data_file:s0
 /dev/exynos-mem u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
 # Bluetooth
 /dev/ttySAC0 u:object_r:hci_attach_dev:s0
-/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# Display
+/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
+/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
 # GPS
 /dev/ttySAC1 u:object_r:gps_device:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
 # Sensors
 /dev/akm8975 u:object_r:sensors_device:s0
@@ -35,3 +42,9 @@
 /system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
 /system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
 /data/cfw(/.*)? u:object_r:firmware_camera:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+
+# Misc
+/dev/HPD u:object_r:hpd_device:s0
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..5c7e39c
--- /dev/null
+++ b/selinux/gpsd.te
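Review bot: The two `/sys/class/mdnie/mdnie/...` entries under `# Display` in file_contexts only take effect if something relabels those paths at boot; sysfs is not labelled from file_contexts on its own, so without a `restorecon` of those nodes in the device init.rc (or a `genfscon sysfs` entry in genfs_contexts) they keep the generic sysfs label and the `system_app` rule on `sysfs_display` never matches. Add a comment stating which mechanism applies the label, e.g. `# relabelled by restorecon in the device init.rc`. Separately, `/efs u:object_r:efs_device_file:s0` matches only the mount point, while rild.te and system_server.te in this commit keep using `efs_file` for its contents; if the whole tree is meant, it would be `/efs(/.*)?`, and if only the mount point, a comment saying so prevents the next contributor from "fixing" it. In the second hunk, `/dev/tspdrv` reuses `input_device`, which extends every input_device consumer's access to the vibrator; a dedicated device type would keep those separate.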
@@ -0,0 +1,8 @@
+allow gpsd rild:unix_stream_socket connectto;
+allow gpsd system_data_file:fifo_file { create read write setattr open };
+allow gpsd servicemanager:binder call;
+allow gpsd sysfs_wake_lock:file { read write open };
+allow gpsd system_data_file:file { create read write setattr open };
+allow gpsd system_data_file:dir { read write setattr open add_name };
+allow gpsd system_server:binder call;
+allow gpsd system_server:unix_stream_socket { read write };
diff --git a/selinux/init.te b/selinux/init.te
index 3f11893..57397c6 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1 +1,3 @@
 allow init wpa_socket:unix_dgram_socket { bind create };
+allow init init:process { execmem };
+allow init init:tcp_socket { create };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 520da3a..6145b7c 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,3 +1,7 @@
 allow mediaserver { firmware_camera }:file r_file_perms;
 allow mediaserver firmware_camera:dir r_dir_perms;
 allow mediaserver camera_data_file:file rw_file_perms;
+allow mediaserver mfc_device:chr_file rw_file_perms;
+
+# Bluetooth audio
+allow mediaserver bluetooth:unix_stream_socket { connectto };
diff --git a/selinux/netd.te b/selinux/netd.te
new file mode 100644
index 0000000..98db7f5
--- /dev/null
+++ b/selinux/netd.te
@@ -0,0 +1,2 @@
+allow netd init:tcp_socket { read write getopt };
+allow netd kernel:system module_request;
diff --git a/selinux/nfc.te b/selinux/nfc.te
new file mode 100644
index 0000000..b8d1d44
--- /dev/null
+++ b/selinux/nfc.te
@@ -0,0 +1 @@
+allow nfc firmware_camera:dir search;
diff --git a/selinux/rild.te b/selinux/rild.te
index 7f817d0..1df1a78 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
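Review bot: The three `system_data_file` rules in gpsd.te give gpsd create and write on the generic /data label rather than on a directory of its own, so anything gpsd writes can land anywhere that label is used. Declare `type gpsd_data_file, file_type, data_file_type;` in file.te, label the daemon's directory with it in file_contexts, and narrow the `fifo_file`, `file` and `dir` lines to that type. This commit also labels `/system/bin/gpsd` as `gpsd_exec` but no `type gpsd, domain;` / `init_daemon_domain(gpsd)` appears in the diff; if the domain is declared in the CM12 base policy that is fine, but a comment at the top of gpsd.te pointing to where it is declared would help.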
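Review bot: `allow init init:process { execmem };` in init.te gives init itself executable anonymous memory, which init almost never needs and which usually means a vendor binary is running in init's domain without a domain transition; the same reading applies to `allow rild rild:process { execmem };` in rild.te. Identify the binary behind the denial and give it its own domain (`init_daemon_domain(<domain>)` with a matching `<domain>_exec` label in file_contexts) so execmem stays out of init. `allow init init:tcp_socket { create };` together with netd.te's `allow netd init:tcp_socket { read write getopt };` likewise points at a socket created by init and inherited by another service; a comment such as `# <service>: socket inherited from init by netd` would make both rules auditable.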
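Review bot: `allow nfc firmware_camera:dir search;` in nfc.te is only needed because file_contexts labels the whole of `/system/vendor/firmware(/.*)?` as `firmware_camera`, so NFC (and the `firmware_camera:file` rule added in ueventd.te, and sysinit.te) end up with camera-named permissions for unrelated firmware. Labelling the directory with a generic firmware type and keeping `firmware_camera` for the camera files would make these rules self-explanatory. Until then, a comment on this line, `# /system/vendor/firmware is labelled firmware_camera`, saves the next reviewer the lookup.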
@@ -1,7 +1,14 @@
 allow rild self:netlink_socket { create bind read write };
 allow rild self:netlink_route_socket { write };
 allow rild self:netlink_kobject_uevent_socket { create bind read write setopt };
+allow rild rild:process { execmem };
+
+allow rild radio_data_file:dir setattr;
+allow rild unlabeled:dir search;
 allow rild radio_device:chr_file rw_file_perms;
 allow rild efs_block_device:blk_file rw_file_perms;
 allow rild efs_file:file { read open write setattr };
+
+allow rild efs_device_file:dir create_dir_perms;
+allow rild efs_device_file:file { setattr create rw_file_perms link_file_perms };
diff --git a/selinux/service_contexts b/selinux/service_contexts
new file mode 100644
index 0000000..fb14cf2
--- /dev/null
+++ b/selinux/service_contexts
@@ -0,0 +1,3 @@
+SecTVOutService u:object_r:surfaceflinger_service:s0
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+Exynos.IPService u:object_r:surfaceflinger_service:s0
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..40a665d
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager gpsd:dir { search read write };
+allow servicemanager gpsd:file { open read write };
+allow servicemanager gpsd:process getattr;
diff --git a/selinux/surfaceflinger.te b/selinux/surfaceflinger.te
new file mode 100644
index 0000000..00fa1e9
--- /dev/null
+++ b/selinux/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger hpd_device:chr_file rw_file_perms;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..55e9dc5
--- /dev/null
+++ b/selinux/sysinit.te
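Review bot: The three servicemanager.te lines hand-write what the `binder_use()` macro grants, but add `write` on gpsd's `dir` and `file` classes, which the macro does not give and which servicemanager has no reason to hold on a caller's /proc entries. Prefer `binder_use(gpsd)` in gpsd.te, which also replaces gpsd.te's `allow gpsd servicemanager:binder call;`; if the macro is not available here, drop the extra permission: `allow servicemanager gpsd:dir search;` and `allow servicemanager gpsd:file { open read };`.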
@@ -0,0 +1,6 @@
+allow sysinit firmware_camera:dir { read search open getattr };
+allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
+allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
+allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
+allow sysinit sysinit:capability { dac_override chown fowner fsetid };
+allow sysinit unlabeled:dir { search };
diff --git a/selinux/system.te b/selinux/system.te
deleted file mode 100644
index 395aeea..0000000
--- a/selinux/system.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow system input_device:chr_file { read ioctl write open };
-allow system sensors_device:chr_file { read open };
-allow system sensors_data_file:file r_file_perms;
-allow system wpa_socket:unix_dgram_socket sendto;
-
-allow system sysfs:file { read open write };
-allow system self:capability { sys_module };
-
-# /efs/wifi/.mac.info
-allow system wifi_data_file:file { read open };
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..bc716f2
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1 @@
+allow system_app sysfs_display:file { getattr open read write };
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..e42bdd0
--- /dev/null
+++ b/selinux/system_server.te
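Review bot: The first sysinit.te line, `allow sysinit firmware_camera:dir { read search open getattr };`, is a strict subset of the third line and can be deleted. `allow sysinit sysinit:capability { dac_override chown fowner fsetid };` combined with create/unlink on `firmware_camera:file` lets sysinit replace anything carrying the firmware label regardless of DAC ownership; if this exists for the `/data/cfw` copy that file_contexts also labels `firmware_camera`, say so in a comment (`# populates /data/cfw at boot`) so a reader knows why a firmware label is writable at all. `allow sysinit unlabeled:dir { search };`, like `allow rild unlabeled:dir search;` in rild.te, means some directory has no label; finding it and adding a file_contexts entry is preferable to granting access to `unlabeled`.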
@@ -0,0 +1,18 @@
+allow system_server input_device:chr_file { read ioctl write open };
+allow system_server sensors_device:chr_file { read open };
+allow system_server sensors_data_file:file r_file_perms;
+allow system_server wpa_socket:unix_dgram_socket sendto;
+
+allow system_server sysfs:file { read open write };
+allow system_server self:capability { sys_module };
+
+allow system_server efs_file:dir search;
+allow system_server efs_device_file:dir search;
+allow system_server uhid_device:chr_file { read ioctl write open };
+
+# /efs/wifi/.mac.info
+allow system_server wifi_data_file:file { read open };
+
+allow system_server default_prop:property_service set;
+
+allow system_server gpsd:binder transfer;
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index 4037e57..1d993e4 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -1,3 +1,4 @@
 # Firmwares
 allow ueventd { firmware_mfc }:file r_file_perms;
 allow ueventd { firmware_camera }:dir search;
+allow ueventd { firmware_camera }:file { read getattr open };
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..a2cbe68
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,5 @@
+allow vold kernel:process setsched;
+allow vold sdcardd_exec:file { read open execute execute_no_trans };
+
+allow vold efs_device_file:dir rw_file_perms;
+allow vold efs_device_file:file rw_file_perms;
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
old mode 100755
new mode 100644
index bbe679b..6e221e3
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -4,6 +4,7 @@
 allow wpa init:unix_dgram_socket { read write };
 allow wpa devpts:chr_file { read write };
 allow wpa wpa_socket:unix_dgram_socket { read write };
-allow wpa_socket system:unix_dgram_socket sendto;
+allow wpa_socket system_app:unix_dgram_socket sendto;
 allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;
-- 
cgit v1.1
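Review bot: `allow system_server default_prop:property_service set;` in system_server.te lets system_server set every property that property_contexts has not given a specific label, which is far broader than the per-device-node scoping used elsewhere in this file. Give the property system_server actually sets its own label (`type <name>_prop, property_type;` plus a `<prefix>. u:object_r:<name>_prop:s0` line in property_contexts) and allow `set` on that type only, with a comment naming the property. Also, the deleted system.te paired `allow system wpa_socket:unix_dgram_socket sendto;` with wpa_supplicant.te's `allow wpa_socket system:unix_dgram_socket sendto;`, but this commit moves the first half to `system_server` and the second half (in the wpa_supplicant.te hunk) to `system_app`; if only one of those domains talks to the supplicant's socket, the other rule is dead, and if both do, one direction is missing for each.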
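Review bot: `allow vold efs_device_file:dir rw_file_perms;` in vold.te applies a file-class macro to a directory: it omits `search`, so lookups under /efs still fail, and the directory macro is what was meant: `allow vold efs_device_file:dir rw_dir_perms;`. `allow vold sdcardd_exec:file { read open execute execute_no_trans };` runs sdcardd inside vold's domain rather than transitioning to the `sdcardd` domain; unless the base policy already carries the transition, `domain_auto_trans(vold, sdcardd_exec, sdcardd)` keeps sdcardd's permissions separate from vold's. `allow vold kernel:process setsched;` is unusual enough that a comment naming the operation that triggered it belongs on the line.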