From e752b23df936271a20a2da6f5818067535a2e7be Mon Sep 17 00:00:00 2001 From: mark Date: Fri, 16 Aug 2013 22:37:42 +1000 Subject: i9305: Add selinux policies Change-Id: I69d96e7084c7b0871c9d2cd318db05b461912a43 --- BoardConfig.mk | 22 ++++++++++++++ rootdir/fstab.smdk4x12 | 2 +- rootdir/init.target.rc | 13 ++++++++- selinux/device.te | 4 +++ selinux/dhcp.te | 1 + selinux/domain.te | 4 +++ selinux/file.te | 10 +++++++ selinux/file_contexts | 74 +++++++++++++++++++++++++++++++++++++++++++++++ selinux/init.te | 3 ++ selinux/kickstart.te | 44 ++++++++++++++++++++++++++++ selinux/mediaserver.te | 8 +++++ selinux/netmgrd.te | 29 +++++++++++++++++++ selinux/qmux.te | 21 ++++++++++++++ selinux/rild.te | 14 +++++++++ selinux/secril.te | 25 ++++++++++++++++ selinux/system.te | 12 ++++++++ selinux/te_macros | 12 ++++++++ selinux/ueventd.te | 11 +++++++ selinux/wpa_supplicant.te | 10 +++++++ 19 files changed, 317 insertions(+), 2 deletions(-) create mode 100644 selinux/device.te create mode 100755 selinux/dhcp.te create mode 100644 selinux/domain.te create mode 100644 selinux/file.te create mode 100644 selinux/file_contexts create mode 100644 selinux/init.te create mode 100755 selinux/kickstart.te create mode 100644 selinux/mediaserver.te create mode 100755 selinux/netmgrd.te create mode 100755 selinux/qmux.te create mode 100755 selinux/rild.te create mode 100644 selinux/secril.te create mode 100755 selinux/system.te create mode 100755 selinux/te_macros create mode 100644 selinux/ueventd.te create mode 100755 selinux/wpa_supplicant.te diff --git a/BoardConfig.mk b/BoardConfig.mk index 2fd541e..8dd1e25 100644 --- a/BoardConfig.mk +++ b/BoardConfig.mk 
@@ -44,3 +44,25 @@ TARGET_OTA_ASSERT_DEVICE := m3,m3xx,i9305,GT-I9305 # inherit from the proprietary version -include vendor/samsung/i9305/BoardConfigVendor.mk + +# Selinux +BOARD_SEPOLICY_DIRS := \ + device/samsung/i9305/selinux + +BOARD_SEPOLICY_UNION := \ + file_contexts \ + te_macros \ + device.te \ + dhcp.te \ + domain.te \ + file.te \ + init.te \ + kickstart.te \ + mediaserver.te \ + netmgrd.te \ + qmux.te \ + rild.te \ + secril.te \ + system.te \ + ueventd.te \ + wpa_supplicant.te diff --git a/rootdir/fstab.smdk4x12 b/rootdir/fstab.smdk4x12 index f600b4c..69749bd 100644 --- a/rootdir/fstab.smdk4x12 +++ b/rootdir/fstab.smdk4x12 @@ -8,7 +8,7 @@ /dev/block/mmcblk0p3 /efs ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check /dev/block/mmcblk0p12 /cache ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check /dev/block/mmcblk0p11 /tombstones ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check -/dev/block/mmcblk0p10 /firmware vfat ro,shortname=lower,fmask=0133,dmask=0022 wait +/dev/block/mmcblk0p10 /firmware vfat ro,shortname=lower,fmask=0133,dmask=0022,context=u:object_r:radio_efs_file:s0 wait /dev/block/mmcblk0p16 /data ext4 noatime,nosuid,nodev,discard,noauto_da_alloc,journal_async_commit,errors=panic wait,check,encryptable=footer # vold-managed volumes ("block device" is actually a sysfs devpath) diff --git a/rootdir/init.target.rc b/rootdir/init.target.rc index a94f606..f0eeac4 100644 --- a/rootdir/init.target.rc +++ b/rootdir/init.target.rc 
@@ -42,6 +42,14 @@ on post-fs-data # an ack packet comes out of order write /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal 1 +# Restorecon + restorecon /efs/bluetooth/bt_addr + restorecon /efs/FactoryApp/keystr + restorecon /efs/FactoryApp/factorymode + restorecon /efs/FactoryApp/serial_no + restorecon /efs/imei/mps_code.dat + restorecon /efs/wifi/.mac.info + # for AT distributor chown system radio /sys/module/cpuidle_exynos4/parameters/enable_mask chmod 0664 /sys/module/cpuidle_exynos4/parameters/enable_mask @@ -91,11 +99,13 @@ service SMD-daemon /system/bin/smdexe service qc_kickstart /system/bin/qcks s class core user root + seclabel u:r:kickstart:s0 group radio cache inet misc audio sdcard_rw log service secril-daemon /system/bin/sec-ril class main user root + seclabel u:r:secril-daemon:s0 group radio cache inet misc audio sdcard_rw qcom_diag log #For EncryptionMode - remove disabled, Modify class main @@ -106,7 +116,8 @@ service qmiproxy /system/bin/qmiproxy service qmuxd /system/bin/qmuxd class main - user root + user system + seclabel u:r:qmux:s0 group radio log audio bluetooth gps log #start GNSS/Sensor interface daemon diff --git a/selinux/device.te b/selinux/device.te new file mode 100644 index 0000000..c95050b --- /dev/null +++ b/selinux/device.te @@ -0,0 +1,4 @@ +type mali_device, dev_type, mlstrustedobject; +type rfkill_device, dev_type; +type diagnostic_device, dev_type; +type efs_block_device, dev_type; diff --git a/selinux/dhcp.te b/selinux/dhcp.te new file mode 100755 index 0000000..c403b9b --- /dev/null +++ b/selinux/dhcp.te @@ -0,0 +1 @@ +allow dhcp self:rawip_socket { create write setopt }; diff --git a/selinux/domain.te b/selinux/domain.te new file mode 100644 index 0000000..1be0633 --- /dev/null +++ b/selinux/domain.te @@ -0,0 +1,4 @@ +## /dev/mali, /dev/ump +allow domain mali_device:chr_file rw_file_perms; + + diff --git a/selinux/file.te b/selinux/file.te new file mode 100644 index 0000000..3f045f6 --- /dev/null +++ b/selinux/file.te 
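Review bot: `allow domain mali_device:chr_file rw_file_perms;` in the domain.te hunk grants every domain on the device read/write on the nodes labelled mali_device, which the file_contexts hunk extends beyond /dev/mali and /dev/ump to /dev/fimg2d. A rule keyed on `domain` reaches kernel, init, ueventd and every daemon added in this series, not only the processes that render. If the base policy already provides a gpu_device type with the same domain-wide rule, reusing it instead of a parallel mali_device would avoid a second world-accessible device type; otherwise a comment on the rule naming the consumers (app domains, surfaceflinger, mediaserver) would let a later maintainer narrow it. The `mlstrustedobject` attribute on mali_device in the device.te hunk should likewise carry a word on why cross-level access is required.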
@@ -0,0 +1,10 @@
+type radio_efs_file, fs_type;
+
+type firmware_mfc, file_type;
+type firmware_camera, file_type;
+
+type qmuxd_socket, file_type;
+type camera_data_file, file_type, data_file_type;
+type kickstart_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
+type volume_data_file, file_type, data_file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..856bdd5
--- /dev/null
+++ b/selinux/file_contexts
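Review bot: `type firmware_camera, file_type;` in the file.te hunk lacks `data_file_type`, yet the file_contexts hunk labels `/data/cfw(/.*)?` with it, so a /data path carries a type the rest of the policy does not treat as data. If the label on /data/cfw is intentional, either declare a separate data-file type for that path or add `data_file_type` to firmware_camera, and put a comment such as `# camera firmware: /system/vendor/firmware and /data/cfw` next to the declaration so the dual use is visible. `radio_efs_file` is declared only as `fs_type` because it is the `context=` label for the /firmware vfat mount in the fstab hunk, while ueventd.te and kickstart.te then address it per file; that is consistent for a mount-wide label, but a one-line comment stating it would save the next reader the cross-reference.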
@@ -0,0 +1,74 @@
+# GFX
+/dev/mali u:object_r:mali_device:s0
+/dev/ump u:object_r:mali_device:s0
+/dev/fimg2d u:object_r:mali_device:s0
+
+# NFC
+/dev/pn544 u:object_r:nfc_device:s0
+
+# RIL
+/dev/mdm u:object_r:radio_device:s0
+/dev/hsicctl[0-3]* u:object_r:radio_device:s0
+/dev/ttyUSB0 u:object_r:radio_device:s0
+/dev/diag u:object_r:diagnostic_device:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+
+# Sensors
+/dev/akm8975 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+
+# for wpa_supp
+/dev/rfkill u:object_r:rfkill_device:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/system/vendor/firmware/fimc_is_fw.bin u:object_r:firmware_camera:s0
+/data/cfw(/.*)? u:object_r:firmware_camera:s0
+/tombstones/qcks(/.*)? u:object_r:kickstart_data_file:s0
+/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+
+# Wifi
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# Sec-ril
+/efs/FactoryApp/keystr u:object_r:efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:efs_file:s0
+/efs/FactoryApp/serial_no u:object_r:efs_file:s0
+/data/misc/radio/ramdumpmode.txt u:object_r:radio_data_file:s0
+/data/misc/radio/dlnk u:object_r:radio_data_file:s0
+
+# Binaries
+/system/bin/qmuxd u:object_r:qmux_exec:s0
+/system/bin/netmgrd u:object_r:netmgrd_exec:s0
+/system/bin/efsks u:object_r:kickstart_exec:s0
+/system/bin/ks u:object_r:kickstart_exec:s0
+/system/bin/qcks u:object_r:kickstart_exec:s0
+/system/bin/sec-ril u:object_r:secril-daemon_exec:s0
+
+# Sockets
+/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
+
+# Block devices
+/dev/block/mmcblk0p[3-6]* u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p10 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p11 u:object_r:efs_block_device:s0
+
+# Audio related
+/data/local/audio(/.*)? u:object_r:volume_data_file:s0
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..2f29889
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1,3 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
+
+
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
new file mode 100755
index 0000000..14e1ad5
--- /dev/null
+++ b/selinux/kickstart.te
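Review bot: The pattern `/dev/block/mmcblk0p[3-6]*` in the block-devices section of the file_contexts hunk uses `*` as a quantifier, so as an anchored regex it matches `mmcblk0p` with no digit at all and any run of the digits 3–6 (e.g. `mmcblk0p36`), not just the single partitions p3–p6 it appears to target; `/dev/hsicctl[0-3]*` has the same shape and presumably also wants a fixed digit range. If one digit is intended, drop the `*`: `/dev/block/mmcblk0p[3-6] u:object_r:efs_block_device:s0`. This matters because efs_block_device is granted raw `blk_file` read/write to kickstart, so an over-wide match here widens what that daemon can write. Separately, `/system/vendor/firmware(/.*)?` labels every vendor firmware blob as firmware_camera, which makes the type name misleading and gives mediaserver read on all of them; a generic firmware type with camera-specific overrides would read more honestly.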
@@ -0,0 +1,44 @@
+# kickstart processes and scripts
+type kickstart, domain;
+type kickstart_exec, exec_type, file_type;
+
+# kickstart_checker.sh talks to init over the property socket
+unix_socket_connect(kickstart, property, init)
+
+# Start /system/bin/qcks from init
+init_daemon_domain(kickstart)
+
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+
+# Run dd on m9kefs[123] block devices; write to /data/qcks/
+# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
+allow kickstart efs_block_device:blk_file rw_file_perms;
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+allow kickstart radio_efs_file:file r_file_perms;
+allow kickstart radio_efs_file:dir search;
+
+# Let qcks access /dev/mdm node (modem driver)
+allow kickstart radio_device:chr_file rw_file_perms;
+
+# Allow /dev/ttyUSB0 access
+allow kickstart radio_device:chr_file { write ioctl getattr };
+
+# Allow to run toolbox commands
+allow kickstart shell_exec:file rx_file_perms;
+# Toolbox commands for firmware dd
+allow kickstart system_file:file execute_no_trans;
+
+# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
+allow kickstart block_device:dir { getattr write search };
+
+# Set system property key
+allow kickstart radio_prop:property_service set;
+
+allow kickstart shell_exec:file entrypoint;
+# ls on /data/qcks/
+allow kickstart self:capability { dac_override setuid };
+
+# XXX Label sysfs files with a specific type?
+allow kickstart sysfs:file rw_file_perms;
\ No newline at end of file
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
new file mode 100644
index 0000000..35dce7b
--- /dev/null
+++ b/selinux/mediaserver.te
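Review bot: `allow kickstart efs_block_device:blk_file rw_file_perms;` gives kickstart raw write access to every partition labelled efs_block_device, which the file_contexts hunk makes include mmcblk0p10 (/firmware) and mmcblk0p11 (/tombstones) as well as the p3–p6 range the comment describes as the m9kefs partitions; raw writes to the block device sit underneath the `ro` mount of /firmware in the fstab hunk. If qcks only needs the m9kefs partitions, a dedicated block-device type for those would keep /firmware and /tombstones out of reach. The comments say `/data/qcks/` while file_contexts labels `/tombstones/qcks(/.*)?` as kickstart_data_file, so one of the two is stale and should be corrected. The two radio_device rules overlap (`rw_file_perms` already includes `{ write ioctl getattr }`), and `shell_exec:file entrypoint` together with `system_file:file execute_no_trans` lets any shell script enter this domain with its capabilities, so the entrypoint rule deserves a comment naming the script it is for.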
@@ -0,0 +1,8 @@
+qmux_socket(mediaserver)
+allow mediaserver self:socket create_socket_perms;
+allow mediaserver { firmware_camera }:file r_file_perms;
+allow mediaserver firmware_camera:dir r_dir_perms;
+allow mediaserver camera_data_file:file rw_file_perms;
+
+# Bluetooth audio
+allow mediaserver bluetooth:unix_stream_socket { connectto };
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
new file mode 100755
index 0000000..11159a4
--- /dev/null
+++ b/selinux/netmgrd.te
@@ -0,0 +1,29 @@
+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(netmgrd)
+
+allow netmgrd self:udp_socket { create ioctl };
+# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
+allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow netmgrd self:packet_socket { write bind read create };
+allow netmgrd self:netlink_socket { write read create bind setopt };
+allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
+allow netmgrd kernel:system module_request;
+
+# Talk to qmuxd
+qmux_socket(netmgrd)
+
+# Allow logging diagnostic items
+allow netmgrd diagnostic_device:chr_file rw_file_perms;
+
+# /data/data_test/ access with shell
+allow netmgrd shell_exec:file { execute read open execute_no_trans };
+allow netmgrd system_file:file { execute_no_trans };
+
+# Talk to init over the property socket
+unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet_usb0. values
+allow netmgrd radio_prop:property_service set;
diff --git a/selinux/qmux.te b/selinux/qmux.te
new file mode 100755
index 0000000..e2a5bbf
--- /dev/null
+++ b/selinux/qmux.te
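Review bot: `allow mediaserver self:socket create_socket_perms;` in the mediaserver.te hunk grants the generic `socket` class, which stands in for every socket family that has no dedicated class, so the rule is almost certainly wider than whatever single denial produced it. If the audit line shows the family, a comment such as `# generic socket class: <family> used by <camera/audio HAL> — confirm` would justify keeping it; otherwise the specific class should be used. The `firmware_camera` read rules are harmless in themselves but, because of how the file_contexts hunk labels /system/vendor/firmware, they cover every vendor firmware blob rather than only the camera ones.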
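Review bot: The capability line `allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };` is explained only for fsetid and dac_override by the comment above it; sys_module (paired with the `kernel:system module_request` rule below) and net_admin/net_raw each deserve a one-line reason, e.g. `# sys_module/module_request: driver load for the rmnet interfaces; net_admin/net_raw: interface setup` if that is what the log showed. The identical capability set reappears in the secril.te hunk, which suggests it was copied rather than derived from that daemon's own denials; each domain should list only what its own audit trail required. `system_file:file { execute_no_trans }` also lets netmgrd run any system binary inside its own domain; if only toolbox is needed, the comment should say so.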
@@ -0,0 +1,21 @@
+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(qmux)
+
+# Create local qmux_connect_socket
+allow qmux qmuxd_socket:dir w_dir_perms;
+allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
+
+# /dev/hsicctl* node access
+allow qmux radio_device:chr_file rw_file_perms;
+
+# Allow logging diagnostic items
+allow qmux diagnostic_device:chr_file rw_file_perms;
+
+allow qmux self:capability { dac_override setuid };
+
+# XXX Should we label with own type
+allow qmux sysfs:file { open write append read getattr };
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100755
index 0000000..04209b0
--- /dev/null
+++ b/selinux/rild.te
@@ -0,0 +1,14 @@
+## RIL
+allow rild radio_device:chr_file rw_file_perms;
+allow rild { efs_file }:file rw_file_perms;
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+
+# Talk to qmuxd
+qmux_socket(rild)
+
+# Allow logging diagnostic items
+allow rild diagnostic_device:chr_file rw_file_perms;
+
+# XXX label with own type?
+allow rild sysfs:file { read open write getattr };
diff --git a/selinux/secril.te b/selinux/secril.te
new file mode 100644
index 0000000..7761d80
--- /dev/null
+++ b/selinux/secril.te
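Review bot: `allow qmux self:capability { dac_override setuid };` sits alongside the init.target.rc hunk that switches qmuxd from `user root` to `user system`; once the daemon starts as system, setuid has nothing to drop and dac_override is only needed if it touches files it does not own, which the socket directory it creates under /dev/socket should not require. Re-run the denial collection after the user change and trim this line, or add a comment stating which path still needs each capability. The trailing sysfs rule already carries an XXX; the same question applies to `radio_device:chr_file rw_file_perms`, which covers /dev/mdm and /dev/ttyUSB0 as well as the /dev/hsicctl* nodes the comment names.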
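Review bot: `allow rild { efs_file }:file rw_file_perms;` in the rild.te hunk gives rild write access to the /efs/FactoryApp files (keystr, factorymode, serial_no) that the file_contexts hunk labels efs_file, and to anything else carrying that label. If rild only reads them, `r_file_perms` is sufficient; if it does write, a comment naming the file would make the write reviewable, especially since the secril.te hunk grants the same rw access. `allow rild self:netlink_route_socket { write };` without create or bind looks like a partial copy of a denial; confirm whether the socket is inherited or whether the missing permissions simply have not been hit yet.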
@@ -0,0 +1,25 @@
+# sec-ril
+type secril-daemon, domain;
+type secril-daemon_exec, exec_type, file_type;
+
+# Start /system/bin/sec-ril from init
+init_daemon_domain(secril-daemon)
+
+allow secril-daemon secril-daemon_exec:file { open execute_no_trans getattr };
+allow secril-daemon self:udp_socket { create ioctl };
+unix_socket_connect(secril-daemon, property, init)
+unix_socket_connect(secril-daemon, rild, rild)
+
+allow secril-daemon { efs_file }:file rw_file_perms;
+allow secril-daemon system_data_file:dir create_dir_perms;
+allow secril-daemon system_data_file:file unlink;
+allow secril-daemon radio_data_file:file { create_file_perms };
+allow secril-daemon kernel:system module_request;
+allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow secril-daemon system_file:file x_file_perms;
+allow secril-daemon sysfs:file rw_file_perms;
+allow secril-daemon shell_exec:file rx_file_perms;
+allow secril-daemon app_data_file:file rw_file_perms;
+allow secril-daemon app_data_file:dir search;
+allow secril-daemon zygote_exec:file rx_file_perms;
+allow secril-daemon ashmem_device:chr_file x_file_perms;
\ No newline at end of file
diff --git a/selinux/system.te b/selinux/system.te
new file mode 100755
index 0000000..73de1ee
--- /dev/null
+++ b/selinux/system.te
@@ -0,0 +1,12 @@
+# Talk to qmuxd
+qmux_socket(system)
+
+allow system diagnostic_device:chr_file rw_file_perms;
+allow system uinput_device:chr_file { read ioctl write open };
+allow system sensors_device:chr_file { read open };
+allow system sensors_data_file:file r_file_perms;
+allow system wpa_socket:unix_dgram_socket sendto;
+allow system_app volume_data_file:file { read write open getattr };
+
+allow system sysfs:file { read open write };
+allow system self:capability { sys_module };
\ No newline at end of file
diff --git a/selinux/te_macros b/selinux/te_macros
new file mode 100755
index 0000000..274fd55
--- /dev/null
+++ b/selinux/te_macros
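Review bot: secril-daemon keeps `user root` in the init.target.rc hunk, and the secril.te hunk then grants it sys_module with `module_request`, net_admin, net_raw, dac_override, rx on zygote_exec and shell_exec, rw on app_data_file, create_dir_perms and unlink under system_data_file and `x_file_perms` on ashmem_device — a set broad enough that the domain barely confines the process. None of the rules after `init_daemon_domain(secril-daemon)` carries a comment, so it is impossible to tell which came from observed denials and which were copied from netmgrd.te. Each rule should get a one-line reason; the app_data_file and zygote_exec rules in particular need one, and the ashmem execute rule should state whether the daemon really maps ashmem regions executable. The efs_file and radio_data_file rules overlap with rild.te; if both daemons genuinely need the same files, a comment saying so would stop a later cleanup from dropping one of them.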
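Review bot: `allow system_app volume_data_file:file { read write open getattr };` has system_app as its source but sits in system.te, whose other rules are for the `system` domain; by the file-per-domain convention used elsewhere in this series it belongs in a system_app.te file, where a reviewer of that domain will find it. `allow system self:capability { sys_module };` lets system_server load kernel modules, a capability one normally keeps out of that process; if a denial showed it, a comment naming the module would help justify it. `allow system sysfs:file { read open write };` is unqualified, and the XXX question already raised in the qmux.te and rild.te hunks about labelling the sysfs entries applies here too.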
@@ -0,0 +1,12 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client to send via a local
+# socket to the qmux domain.
+define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
+unix_socket_connect($1, qmuxd, qmux)
+allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
+')
+
+
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
new file mode 100644
index 0000000..fd1852b
--- /dev/null
+++ b/selinux/ueventd.te
@@ -0,0 +1,11 @@
+# Drivers read firmware files /firmware/image
+allow ueventd { radio_efs_file }:file r_file_perms;
+allow ueventd { radio_efs_file }:dir search;
+
+# MFC firmware
+allow ueventd { firmware_mfc }:file r_file_perms;
+
+# Camera related firmwares
+allow ueventd { firmware_camera }:dir search;
+allow ueventd { firmware_camera }:file r_file_perms;
+
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
new file mode 100755
index 0000000..ab5fb24
--- /dev/null
+++ b/selinux/wpa_supplicant.te
@@ -0,0 +1,10 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system:unix_dgram_socket sendto;
+
+allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
-- cgit v1.1
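Review bot: `allow wpa_socket wifi_data_file:sock_file unlink;` in the wpa_supplicant.te hunk names the socket type wpa_socket as the subject of a file operation, but unlink is checked against the calling process's domain, so this rule can never match (unlike the `sendto` rule two lines above it, where the sending socket's label is legitimately the subject). The denial was presumably scontext=wpa removing a stale control socket under the wifi data directory, in which case the rule should read `allow wpa wifi_data_file:sock_file unlink;`; confirm against the audit line before changing it. `allow wpa init:unix_dgram_socket { read write };` also has no comment; a note on which init-labelled socket wpa is using would help, since the init.te hunk already shows init creating the wpa_socket-labelled one.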