From 8d8ac23e55c865ce1d8f245f4ddea27792667688 Mon Sep 17 00:00:00 2001
From: forkbomb
Date: Fri, 27 Nov 2015 23:53:05 +1100
Subject: i9300: M sepolicy bringup

GPS fixes taken from grouper:
https://github.com/CyanogenMod/android_device_asus_grouper/commit/9651b24fb481bf0fc1db3b1d700033cf66eb067e
and
https://github.com/CyanogenMod/android_device_asus_grouper/commit/f5592571d581478622f0fc3f86fbbddf20cf89c7

Change-Id: I7ec658691c65c3b6c087ee41ba69f2cb37ade525
---
 selinux/cpboot-daemon.te  | 25 +++++++++++++++++++++++++
 selinux/device.te         |  1 -
 selinux/domain.te         |  3 +--
 selinux/file.te           |  4 ++++
 selinux/file_contexts     | 30 +++++++++++++++++++++++-------
 selinux/gpsd.te           | 30 +++++++++++++++++++++---------
 selinux/init.te           | 10 ++++++++++
 selinux/log.te            |  3 +++
 selinux/macloader.te      |  8 ++++++++
 selinux/mediaserver.te    |  4 ++++
 selinux/netd.te           |  1 -
 selinux/nfc.te            |  1 +
 selinux/rild.te           |  6 ++++++
 selinux/servicemanager.te |  6 +++---
 selinux/system_app.te     |  3 ++-
 selinux/system_server.te  | 13 ++++++++-----
 selinux/tinyplay.te       |  6 ++++++
 selinux/ueventd.te        |  1 +
 selinux/untrusted_app.te  |  5 +++++
 selinux/vold.te           |  6 ++++++
 selinux/wpa_supplicant.te |  1 +
 selinux/zygote.te         |  1 +
 22 files changed, 139 insertions(+), 29 deletions(-)
 create mode 100644 selinux/cpboot-daemon.te
 create mode 100644 selinux/log.te
 create mode 100644 selinux/macloader.te
 create mode 100644 selinux/tinyplay.te
 create mode 100644 selinux/untrusted_app.te
 create mode 100644 selinux/zygote.te
(limited to 'selinux')

diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
new file mode 100644
index 0000000..9974ff2
--- /dev/null
+++ b/selinux/cpboot-daemon.te
@@ -0,0 +1,25 @@
+type cpboot-daemon, domain;
+
+permissive cpboot-daemon;
+
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write remove_name add_name };
+allow cpboot-daemon efs_block_device:blk_file { read open };
+allow cpboot-daemon efs_device_file:dir search;
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon log_device:chr_file { write open };
+allow cpboot-daemon log_device:dir search;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid };
+allow cpboot-daemon sysfs_radio:file { read write open };
+allow cpboot-daemon usbfs:dir search;
+allow cpboot-daemon self:capability dac_override;
+allow cpboot-daemon cbd_device:chr_file create_file_perms;
+
+# FIX ME
+# allow cpboot-daemon usbfs:filesystem mount;
+# allow cpboot-daemon self:capability { mknod };
+
diff --git a/selinux/device.te b/selinux/device.te
index ae6c250..854958d 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,4 +1,3 @@
-type mali_device, dev_type, mlstrustedobject;
 type rfkill_device, dev_type;
 type efs_block_device, dev_type;
 type hpd_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
index 26e8033..c8d8d53 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,2 +1 @@
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
+dontaudit domain kernel:system module_request;
diff --git a/selinux/file.te b/selinux/file.te
index c686d2f..12b280a 100644
--- a/selinux/file.te
+++ b/selinux/file.te
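Review bot: `permissive cpboot-daemon;` on the third line of the new file means none of the allow rules below it are enforced, so the denials still hidden behind `# FIX ME` never show up as enforcement failures and the daemon effectively runs unconfined while looking confined. The rule set should be validated with the domain enforcing before the file is considered finished, and a permissive domain may also be rejected by the build's permissive-domain check on user builds, which is worth confirming for this tree. Separately, the two `self:capability` lines can be merged into `allow cpboot-daemon self:capability { setuid dac_override };`, and `dac_override` deserves a why-comment such as `# TODO: name the file cpboot-daemon cannot open under its own DAC identity and relabel/chown it instead`.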
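Review bot: `dontaudit domain kernel:system module_request;` in domain.te silences module-autoload denials for every domain on the device, so a daemon that genuinely needs a kernel module will fail with no audit record to diagnose it (netd's explicit allow for the same permission is removed later in this patch). Scoping the dontaudit to the domains known to trigger the request, or at least a comment naming the trigger, `# TODO: record which caller hits module_request and scope this to that domain`, keeps the audit log useful for the rest of the system.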
@@ -5,3 +5,7 @@ type sensors_data_file, file_type, data_file_type;
 type sysfs_display, fs_type, sysfs_type;
 type efs_device_file, file_type;
+type radio_data, file_type;
+type sysfs_radio, fs_type, sysfs_type;
+type sysfs_sensor, fs_type, sysfs_type;
+type cbd_device, dev_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 35e4e99..12bbd51 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -1,17 +1,26 @@
 # GFX
-/dev/mali u:object_r:mali_device:s0
-/dev/ump u:object_r:mali_device:s0
-/dev/fimg2d u:object_r:mali_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/fimg2d u:object_r:gpu_device:s0
 # RIL
+/dev/link_pm u:object_r:radio_device:s0
 /dev/umts_boot0 u:object_r:radio_device:s0
 /dev/umts_boot1 u:object_r:radio_device:s0
 /dev/umts_ipc0 u:object_r:radio_device:s0
 /dev/umts_ramdump0 u:object_r:radio_device:s0
 /dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/__cbd_msg_ u:object_r:cbd_device:s0
-/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
 /efs u:object_r:efs_device_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data:s0
+/sys/devices/platform/s5p-ohci/ohci_power u:object_r:sysfs_radio:s0
+/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
+
+# Partitions
+/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p9 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
 # Camera
 /data/ISP_CV u:object_r:camera_data_file:s0
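Review bot: `type cbd_device, dev_type;` is declared in file.te, whereas every other `dev_type` in this tree (rfkill_device, efs_block_device, hpd_device) lives in device.te, as the device.te hunk just above shows. Moving the line to device.te keeps a single place to audit for device-node types; the other three new types are file and sysfs types and belong here.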
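Review bot: `/data/misc/radio(/.*)? u:object_r:radio_data:s0` re-labels a path that core policy presumably already labels `radio_data_file`, and since later file_contexts entries take precedence the device entry wins, so every core rule written for radio_data_file — and the pre-existing `allow rild radio_data_file:dir setattr;` visible as context in the rild.te hunk — silently stops matching that directory. Unless the directory is deliberately being moved off the core type, the new `radio_data` type in file.te and this entry should be dropped and the two rild grants written against the core type, `allow rild radio_data_file:file create_file_perms;` and `allow rild radio_data_file:dir create_dir_perms;`. The partition entries for mmcblk0p9 and mmcblk0p12 are consistent with the efs entry moved into the same section.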
@@ -23,19 +32,21 @@
 /efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
 # Display
-/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
+/sys/class/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
 # GPS
 /dev/ttySAC1 u:object_r:gps_device:s0
-/system/bin/glgps u:object_r:gpsd_exec:s0
+/system/bin/gps_daemon.sh u:object_r:glgps_exec:s0
 # Sensors
 /dev/akm8975 u:object_r:sensors_device:s0
 /efs/gyro_cal_data u:object_r:sensors_data_file:s0
+/sys/class/sensors/accelerometer_sensor u:object_r:sysfs_sensor:s0
 # Wifi
 /dev/rfkill u:object_r:rfkill_device:s0
+/data/.cid.info u:object_r:wifi_data_file:s0
 /efs/wifi/.mac.info u:object_r:wifi_data_file:s0
 # Firmwares
@@ -46,5 +57,10 @@
 # Vibrator
 /dev/tspdrv u:object_r:input_device:s0
+# Swap
+/dev/block/zram(.*) u:object_r:swap_block_device:s0
+
 # Misc
 /dev/HPD u:object_r:hpd_device:s0
+/system/bin/macloader u:object_r:macloader_exec:s0
+/system/bin/tinyplay u:object_r:tinyplay_exec:s0
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
index 8eca21c..a65f3da 100644
--- a/selinux/gpsd.te
+++ b/selinux/gpsd.te
@@ -1,9 +1,21 @@
-allow gpsd self:process execmem;
-allow gpsd rild:unix_stream_socket connectto;
-allow gpsd system_data_file:fifo_file { create read write setattr open };
-allow gpsd servicemanager:binder call;
-allow gpsd sysfs_wake_lock:file { read write open };
-allow gpsd system_data_file:file { read open };
-allow gpsd system_data_file:dir { read write setattr open add_name };
-allow gpsd system_server:binder call;
-allow gpsd system_server:unix_stream_socket { read write };
+type glgps, domain;
+type glgps_exec, exec_type, file_type;
+
+init_daemon_domain(glgps)
+
+allow glgps shell_exec:file { rx_file_perms entrypoint };
+
+#for text relocs & execution
+allow glgps system_file:file { execute_no_trans execmod };
+allow glgps gps_device:chr_file { getattr setattr };
+allow glgps gps_data_file:dir { search write add_name remove_name };
+allow glgps gps_data_file:file { create rw_file_perms };
+allow glgps gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+allow glgps node:udp_socket { node_bind name_bind };
+
+allow glgps sysfs:file { setattr write };
+allow glgps gps_device:chr_file { ioctl open read write };
+allow glgps glgps:udp_socket { create bind };
+allow glgps dnsproxyd_socket:sock_file write;
+allow glgps netd:unix_stream_socket connectto;
diff --git a/selinux/init.te b/selinux/init.te
index 57397c6..d9d20c2 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1,3 +1,13 @@
 allow init wpa_socket:unix_dgram_socket { bind create };
 allow init init:process { execmem };
 allow init init:tcp_socket { create };
+
+allow init sysfs_display:lnk_file { read setattr };
+
+allow init tmpfs:lnk_file create;
+allow init sysfs_sensor:lnk_file { setattr read };
+
+domain_trans(init, rootfs, glgps)
+domain_trans(init, rootfs, cpboot-daemon)
+domain_trans(init, rootfs, tinyplay)
+domain_trans(init, rootfs, macloader)
diff --git a/selinux/log.te b/selinux/log.te
new file mode 100644
index 0000000..c3dfc80
--- /dev/null
+++ b/selinux/log.te
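Review bot: `allow glgps system_file:file { execute_no_trans execmod };`, combined with `allow glgps shell_exec:file { rx_file_perms entrypoint };` and the `/system/bin/gps_daemon.sh u:object_r:glgps_exec:s0` label in file_contexts, turns the domain into a shell that may run any /system binary in-domain and modify-then-execute private mappings of any system_file, so the confinement is only as tight as whatever the script chooses to exec. The same `system_file:file execmod` grant is repeated for rild and system_server later in the patch; the narrower fix is to label the one binary or library that carries text relocations (or rebuild it without them) rather than grant execmod across all of system_file, and core policy may carry a neverallow on execmod for non-app domains that rejects these lines at build time, which is worth checking before relying on them. `allow glgps glgps:udp_socket { create bind };` should use `self` to match the other domains in this tree.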
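Review bot: `domain_trans(init, rootfs, glgps)`, `domain_trans(init, rootfs, tinyplay)` and `domain_trans(init, rootfs, macloader)` let init start those domains from any rootfs-labeled file (the macro grants the target domain `entrypoint` on rootfs), yet all three already receive a dedicated exec type and `init_daemon_domain` in this patch, so the lines only widen the set of valid entrypoints without being needed for the labeled binaries. Only cpboot-daemon lacks an exec type; keeping `domain_trans(init, rootfs, cpboot-daemon)` and deleting the other three — or giving cpboot-daemon its own exec type as well — makes the entrypoint set explicit and auditable.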
@@ -0,0 +1,3 @@
+allow domain log_device:chr_file { open write };
+allow domain log_device:dir { search };
+allow { shell debuggerd } log_device:chr_file { read };
diff --git a/selinux/macloader.te b/selinux/macloader.te
new file mode 100644
index 0000000..580f0d1
--- /dev/null
+++ b/selinux/macloader.te
@@ -0,0 +1,8 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader);
+
+allow macloader efs_file:dir search;
+allow macloader efs_device_file:dir search;
+allow macloader wifi_data_file:file { read getattr open write setattr };
+allow macloader self:capability { dac_override chown fowner fsetid };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 43f5b21..cbcdcb8 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -5,3 +5,7 @@ allow mediaserver mfc_device:chr_file rw_file_perms;
 # Bluetooth audio
 allow mediaserver bluetooth:unix_stream_socket { connectto };
+
+allow mediaserver { storage_file mnt_user_file }:dir { search read };
+allow mediaserver storage_file:lnk_file read;
+allow mediaserver mnt_user_file:lnk_file read;
diff --git a/selinux/netd.te b/selinux/netd.te
index 98db7f5..2fdb809 100644
--- a/selinux/netd.te
+++ b/selinux/netd.te
@@ -1,2 +1 @@
 allow netd init:tcp_socket { read write getopt };
-allow netd kernel:system module_request;
diff --git a/selinux/nfc.te b/selinux/nfc.te
index 6a6e324..b5afda7 100644
--- a/selinux/nfc.te
+++ b/selinux/nfc.te
@@ -1 +1,2 @@
 allow nfc firmware_exynos:dir search;
+allow nfc log_device:chr_file write;
diff --git a/selinux/rild.te b/selinux/rild.te
index 3339eaf..5da4924 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
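Review bot: `allow domain log_device:chr_file { open write };` and `allow domain log_device:dir { search };` already cover every domain, so the per-domain log_device grants added elsewhere in this patch — nfc, rild (`w_file_perms`), vold (both lines), wpa, zygote and the two cpboot-daemon lines — are redundant and should be dropped, leaving only the grants that add something beyond the domain-wide rule. The file also needs a header comment saying what the type is and why a domain-wide grant exists, since core M policy presumably no longer hands out log_device itself; something like `# log_device: legacy /dev/log kernel logger nodes used by this kernel — confirm logd is not the active path` would tell the next maintainer whether the rule can go once logging moves.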
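Review bot: `init_daemon_domain(macloader);` carries a trailing semicolon that the other two new domains in this patch (`init_daemon_domain(glgps)`, `init_daemon_domain(tinyplay)`) do not; after m4 expansion the stray `;` becomes an empty statement that checkpolicy may not accept, and at minimum it is inconsistent, so write `init_daemon_domain(macloader)`. `allow macloader self:capability { dac_override chown fowner fsetid };` is a broad set for a helper that only touches wifi_data_file; a comment naming the file whose ownership it rewrites, `# chown/fowner/fsetid: fixes ownership of the wifi_data_file entries (.mac.info / .cid.info) — confirm which`, would let a reader judge whether `dac_override` is still required once that file is labeled and owned correctly.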
@@ -6,6 +6,12 @@ allow rild rild:process { execmem };
 allow rild radio_data_file:dir setattr;
 allow rild unlabeled:dir search;
+allow radio log_device:chr_file w_file_perms;
+allow rild log_device:chr_file w_file_perms;
+allow rild system_file:file execmod;
+allow rild radio_data:file create_file_perms;
+allow rild radio_data:dir create_dir_perms;
+
 allow rild radio_device:chr_file rw_file_perms;
 allow rild efs_block_device:blk_file rw_file_perms;
 allow rild efs_file:file { read open write setattr };
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
index 40a665d..65337ed 100644
--- a/selinux/servicemanager.te
+++ b/selinux/servicemanager.te
@@ -1,3 +1,3 @@
-allow servicemanager gpsd:dir { search read write };
-allow servicemanager gpsd:file { open read write };
-allow servicemanager gpsd:process getattr;
+allow servicemanager glgps:dir { search read write };
+allow servicemanager glgps:file { open read write };
+allow servicemanager glgps:process getattr;
diff --git a/selinux/system_app.te b/selinux/system_app.te
index bc716f2..8542dc2 100644
--- a/selinux/system_app.te
+++ b/selinux/system_app.te
@@ -1 +1,2 @@
-allow system_app sysfs_display:file { getattr open read write };
+allow system_app sysfs_display:{ file lnk_file } { getattr open read write };
+allow system_app sysfs_display:dir { search };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 28085f4..b9cc2f2 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
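Review bot: `allow radio log_device:chr_file w_file_perms;` is a rule for the `radio` (phone process) domain placed in rild.te between rild rules; it belongs in a radio.te so a reader auditing the phone app's grants finds it, and it should not hide among the daemon's rules. Both `w_file_perms` lines also grant more than the `{ open write }` every other domain receives on log_device in this patch, which is more than a logger node needs; trimming them to `{ open write }` or explaining why rild needs the wider set keeps the grants uniform. The hunk starts at rild.te line 6, so the earlier rild rules are outside this view.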
@@ -10,18 +10,21 @@ allow system_server efs_file:dir search;
 allow system_server efs_file:file read;
 allow system_server efs_device_file:dir search;
 allow system_server uhid_device:chr_file { read ioctl write open };
+allow system_server storage_stub_file:dir getattr;
+
+
+# for sensors
+allow system_server system_file:file execmod;
 # /efs/wifi/.mac.info
 allow system_server wifi_data_file:file { read open };
-#allow system_server default_prop:property_service set;
-
-allow system_server gpsd:binder transfer;
+allow system_server glgps:binder transfer;
 type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
 # Access .gps.interface.pipe.to_gpsd.
-allow system_server gps_data_file:dir search;
-allow system_server gps_data_file:fifo_file { write setattr rw_file_perms };
+allow system_server gps_data_file:dir rw_dir_perms;
+allow system_server gps_data_file:fifo_file { setattr rw_file_perms create };
 # Access /data/sensors/gps* socket
 allow system_server gps_data_file:sock_file create_file_perms;
diff --git a/selinux/tinyplay.te b/selinux/tinyplay.te
new file mode 100644
index 0000000..ef7de81
--- /dev/null
+++ b/selinux/tinyplay.te
@@ -0,0 +1,6 @@
+type tinyplay, domain;
+type tinyplay_exec, exec_type, file_type;
+init_daemon_domain(tinyplay)
+
+allow tinyplay audio_device:chr_file { open read write ioctl };
+allow tinyplay audio_device:dir search;
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index 8044d34..315ccb3 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -2,3 +2,4 @@ allow ueventd { firmware_mfc }:file r_file_perms;
 allow ueventd { firmware_exynos }:dir search;
 allow ueventd { firmware_exynos }:file { read getattr open };
+allow ueventd sysfs_display:file { write open };
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
new file mode 100644
index 0000000..f9c5bde
--- /dev/null
+++ b/selinux/untrusted_app.te
@@ -0,0 +1,5 @@
+allow untrusted_app storage_stub_file:dir getattr;
+allow untrusted_app log_device:chr_file { read write };
+allow untrusted_app self:udp_socket ioctl;
+allow untrusted_app app_data_file:file create_file_perms;
+allow untrusted_app app_data_file:dir create_dir_perms;
diff --git a/selinux/vold.te b/selinux/vold.te
index a2cbe68..b39e3e3 100644
--- a/selinux/vold.te
+++ b/selinux/vold.te
@@ -1,5 +1,11 @@
 allow vold kernel:process setsched;
 allow vold sdcardd_exec:file { read open execute execute_no_trans };
+allow vold log_device:dir search;
+allow vold storage_stub_file:dir { read open };
+allow vold blkid_exec:file { getattr execute read open execute_no_trans };
+
+allow vold log_device:chr_file { write open };
+
 allow vold efs_device_file:dir rw_file_perms;
 allow vold efs_device_file:file rw_file_perms;
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
index c7568f3..9b806e0 100644
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -2,6 +2,7 @@ allow wpa init:unix_dgram_socket { read write };
 # logwrapper used with wpa_supplicant
 allow wpa devpts:chr_file { read write };
+allow wpa log_device:chr_file { write };
 allow wpa wpa_socket:unix_dgram_socket { read write };
 allow wpa_socket system_app:unix_dgram_socket sendto;
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..4de92c2
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1 @@
+allow zygote log_device:dir search;
-- 
cgit v1.1
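Review bot: `allow untrusted_app log_device:chr_file { read write };` grants every third-party app read access to the shared kernel log buffers, which exposes the log output of every other process to any installed app; Android gates that behind the signature-level READ_LOGS permission for exactly this reason, and log.te in this same patch deliberately limits `read` to `{ shell debuggerd }`. Drop `read` so the line becomes `allow untrusted_app log_device:chr_file write;`. The two `app_data_file` lines presumably duplicate what core app.te already gives appdomain; if a denial prompted them, the denied object was likely not app_data_file and the original audit line is worth re-reading before keeping them.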
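Review bot: `allow vold blkid_exec:file { getattr execute read open execute_no_trans };` runs blkid inside vold's own domain, so blkid inherits all of vold's block-device and capability access instead of the narrower set a dedicated domain would give it. If core policy defines a blkid domain with an automatic transition from vold, the `execute_no_trans` is unnecessary and should be replaced by `domain_auto_trans(vold, blkid_exec, blkid)`; if it does not, a comment stating why in-domain execution is required, `# blkid runs in-domain: no blkid domain in this tree — confirm`, records the decision for the next reviewer.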