diff options
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/bluetooth.te | 7 | ||||
-rw-r--r-- | selinux/cpboot-daemon.te | 25 | ||||
-rw-r--r-- | selinux/device.te | 4 | ||||
-rw-r--r-- | selinux/domain.te | 1 | ||||
-rw-r--r-- | selinux/file.te | 11 | ||||
-rw-r--r-- | selinux/file_contexts | 65 | ||||
-rw-r--r-- | selinux/gpsd.te | 25 | ||||
-rw-r--r-- | selinux/init.te | 15 | ||||
-rw-r--r-- | selinux/log.te | 3 | ||||
-rw-r--r-- | selinux/macloader.te | 9 | ||||
-rw-r--r-- | selinux/mediaserver.te | 11 | ||||
-rw-r--r-- | selinux/netd.te | 3 | ||||
-rw-r--r-- | selinux/nfc.te | 2 | ||||
-rw-r--r-- | selinux/rild.te | 20 | ||||
-rw-r--r-- | selinux/service_contexts | 3 | ||||
-rw-r--r-- | selinux/servicemanager.te | 3 | ||||
-rw-r--r-- | selinux/surfaceflinger.te | 1 | ||||
-rw-r--r-- | selinux/sysinit.te | 7 | ||||
-rw-r--r-- | selinux/system_app.te | 2 | ||||
-rw-r--r-- | selinux/system_server.te | 33 | ||||
-rw-r--r-- | selinux/tinyplay.te | 6 | ||||
-rw-r--r-- | selinux/ueventd.te | 5 | ||||
-rw-r--r-- | selinux/untrusted_app.te | 5 | ||||
-rw-r--r-- | selinux/vold.te | 12 | ||||
-rw-r--r-- | selinux/wpa_supplicant.te | 12 | ||||
-rw-r--r-- | selinux/zygote.te | 1 |
26 files changed, 291 insertions, 0 deletions
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te new file mode 100644 index 0000000..dbfbe0e --- /dev/null +++ b/selinux/bluetooth.te @@ -0,0 +1,7 @@ +allow bluetooth bluetooth_efs_file:dir search; +allow bluetooth bluetooth_efs_file:file read; +allow bluetooth firmware_exynos:dir { open read search }; +allow bluetooth firmware_exynos:file { open read }; +allow bluetooth sysfs:file write; +allow bluetooth efs_device_file:dir search; +allow bluetooth wifi_data_file:file r_file_perms; diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te new file mode 100644 index 0000000..9974ff2 --- /dev/null +++ b/selinux/cpboot-daemon.te @@ -0,0 +1,25 @@ +type cpboot-daemon, domain; + +permissive cpboot-daemon; + +allow cpboot-daemon cgroup:dir { create add_name }; +allow cpboot-daemon device:dir { write remove_name add_name }; +allow cpboot-daemon efs_block_device:blk_file { read open }; +allow cpboot-daemon efs_device_file:dir search; +allow cpboot-daemon efs_file:file { read write open }; +allow cpboot-daemon init:unix_stream_socket connectto; +allow cpboot-daemon log_device:chr_file { write open }; +allow cpboot-daemon log_device:dir search; +allow cpboot-daemon property_socket:sock_file write; +allow cpboot-daemon radio_device:chr_file { read write ioctl open }; +allow cpboot-daemon radio_prop:property_service set; +allow cpboot-daemon self:capability { setuid }; +allow cpboot-daemon sysfs_radio:file { read write open }; +allow cpboot-daemon usbfs:dir search; +allow cpboot-daemon self:capability dac_override; +allow cpboot-daemon cbd_device:chr_file create_file_perms; + +# FIX ME +# allow cpboot-daemon usbfs:filesystem mount; +# allow cpboot-daemon self:capability { mknod }; + diff --git a/selinux/device.te b/selinux/device.te new file mode 100644 index 0000000..854958d --- /dev/null +++ b/selinux/device.te @@ -0,0 +1,4 @@ +type rfkill_device, dev_type; +type efs_block_device, dev_type; +type hpd_device, dev_type; +type mfc_device, dev_type; diff --git a/selinux/domain.te b/selinux/domain.te new file mode 100644 index 0000000..c8d8d53 --- /dev/null +++ b/selinux/domain.te @@ -0,0 +1 @@ +dontaudit domain kernel:system module_request; diff --git a/selinux/file.te b/selinux/file.te new file mode 100644 index 0000000..12b280a --- /dev/null +++ b/selinux/file.te @@ -0,0 +1,11 @@ +type firmware_mfc, file_type; +type firmware_exynos, file_type; + +type sensors_data_file, file_type, data_file_type; +type sysfs_display, fs_type, sysfs_type; + +type efs_device_file, file_type; +type radio_data, file_type; +type sysfs_radio, fs_type, sysfs_type; +type sysfs_sensor, fs_type, sysfs_type; +type cbd_device, dev_type; diff --git a/selinux/file_contexts b/selinux/file_contexts new file mode 100644 index 0000000..988ef9a --- /dev/null +++ b/selinux/file_contexts @@ -0,0 +1,65 @@ +# GFX +/dev/mali u:object_r:gpu_device:s0 +/dev/ump u:object_r:gpu_device:s0 +/dev/fimg2d u:object_r:gpu_device:s0 + +# RIL +/dev/link_pm u:object_r:radio_device:s0 +/dev/umts_boot0 u:object_r:radio_device:s0 +/dev/umts_boot1 u:object_r:radio_device:s0 +/dev/umts_ipc0 u:object_r:radio_device:s0 +/dev/umts_ramdump0 u:object_r:radio_device:s0 +/dev/umts_rfs0 u:object_r:radio_device:s0 +/dev/__cbd_msg_ u:object_r:cbd_device:s0 + +/efs u:object_r:efs_device_file:s0 +/data/misc/radio(/.*)? u:object_r:radio_data:s0 +/sys/devices/platform/s5p-ohci/ohci_power u:object_r:sysfs_radio:s0 +/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0 + +# Partitions +/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0 +/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0 +/dev/block/mmcblk0p12 u:object_r:cache_block_device:s0 +/dev/block/mmcblk0p13 u:object_r:system_block_device:s0 +/dev/block/mmcblk0p16 u:object_r:userdata_block_device:s0 + +# Camera +/data/ISP_CV u:object_r:camera_data_file:s0 +/dev/exynos-mem u:object_r:video_device:s0 +/dev/s3c-mfc u:object_r:mfc_device:s0 + +# Bluetooth +/dev/ttySAC0 u:object_r:hci_attach_dev:s0 +/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 + +# Display +/sys/class/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0 +/sys/devices/platform/samsung-pd.2/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0 + +# GPS +/dev/ttySAC1 u:object_r:gps_device:s0 +/system/bin/gps_daemon.sh u:object_r:gpsd_exec:s0 + +# Sensors +/dev/akm8963 u:object_r:sensors_device:s0 +/efs/gyro_cal_data u:object_r:sensors_data_file:s0 +/sys/class/sensors/accelerometer_sensor u:object_r:sysfs_sensor:s0 + +# Wifi +/dev/rfkill u:object_r:rfkill_device:s0 +/data/.cid.info u:object_r:wifi_data_file:s0 +/efs/wifi/.mac.info u:object_r:wifi_data_file:s0 + +# Firmwares +/system/vendor/firmware(/.*)? u:object_r:firmware_exynos:s0 +/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0 +/data/cfw(/.*)? u:object_r:firmware_exynos:s0 + +# Vibrator +/dev/tspdrv u:object_r:input_device:s0 + +# Misc +/dev/HPD u:object_r:hpd_device:s0 +/system/bin/macloader u:object_r:macloader_exec:s0 +/system/bin/tinyplay u:object_r:tinyplay_exec:s0 diff --git a/selinux/gpsd.te b/selinux/gpsd.te new file mode 100644 index 0000000..4aa2b04 --- /dev/null +++ b/selinux/gpsd.te @@ -0,0 +1,25 @@ +type gpsd, domain; +type gpsd_exec, exec_type, file_type; + +init_daemon_domain(gpsd) + +allow gpsd shell_exec:file { rx_file_perms entrypoint }; + +#for text relocs & execution +allow gpsd system_file:file { execute_no_trans execmod }; +allow gpsd gps_device:chr_file { getattr setattr }; +allow gpsd gps_data_file:dir { search write add_name remove_name }; +allow gpsd gps_data_file:file { create rw_file_perms }; +allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms }; + +allow gpsd node:udp_socket { node_bind name_bind }; +allow gpsd port:tcp_socket name_connect; +allow gpsd self:tcp_socket { getopt write read }; + +allow gpsd sysfs:file { setattr write }; +allow gpsd gps_device:chr_file { ioctl open read write }; +allow gpsd gpsd:udp_socket { create bind }; +allow gpsd gpsd:tcp_socket { create connect }; +allow gpsd fwmarkd_socket:sock_file write; +allow gpsd dnsproxyd_socket:sock_file write; +allow gpsd netd:unix_stream_socket connectto; diff --git a/selinux/init.te b/selinux/init.te new file mode 100644 index 0000000..b4c11fb --- /dev/null +++ b/selinux/init.te @@ -0,0 +1,15 @@ +allow init wpa_socket:unix_dgram_socket { bind create }; +allow init init:process { execmem }; +allow init init:tcp_socket { create }; + +allow init sysfs_display:lnk_file { read setattr }; + +allow init tmpfs:lnk_file create; +allow init sysfs_sensor:lnk_file { setattr read }; + +allow init rild:process noatsecure; + +domain_trans(init, rootfs, gpsd) +domain_trans(init, rootfs, cpboot-daemon) +domain_trans(init, rootfs, tinyplay) +domain_trans(init, rootfs, macloader) diff --git a/selinux/log.te b/selinux/log.te new file mode 100644 index 0000000..c3dfc80 --- /dev/null +++ b/selinux/log.te @@ -0,0 +1,3 @@ +allow domain log_device:chr_file { open write }; +allow domain log_device:dir { search }; +allow { shell debuggerd } log_device:chr_file { read }; diff --git a/selinux/macloader.te b/selinux/macloader.te new file mode 100644 index 0000000..464f201 --- /dev/null +++ b/selinux/macloader.te @@ -0,0 +1,9 @@ +type macloader, domain; +type macloader_exec, exec_type, file_type; +init_daemon_domain(macloader); + +allow macloader efs_file:dir search; +allow macloader efs_device_file:dir search; +allow macloader wifi_data_file:file { read getattr open write setattr }; +allow macloader self:capability { dac_override chown fowner fsetid }; +allow macloader system_data_file:dir w_dir_perms; diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te new file mode 100644 index 0000000..cbcdcb8 --- /dev/null +++ b/selinux/mediaserver.te @@ -0,0 +1,11 @@ +allow mediaserver { firmware_exynos }:file r_file_perms; +allow mediaserver firmware_exynos:dir r_dir_perms; +allow mediaserver camera_data_file:file rw_file_perms; +allow mediaserver mfc_device:chr_file rw_file_perms; + +# Bluetooth audio +allow mediaserver bluetooth:unix_stream_socket { connectto }; + +allow mediaserver { storage_file mnt_user_file }:dir { search read }; +allow mediaserver storage_file:lnk_file read; +allow mediaserver mnt_user_file:lnk_file read; diff --git a/selinux/netd.te b/selinux/netd.te new file mode 100644 index 0000000..bce2700 --- /dev/null +++ b/selinux/netd.te @@ -0,0 +1,3 @@ +allow netd init:tcp_socket { read write getopt }; +allow netd gpsd:fd use; +allow netd gpsd:tcp_socket { read write getopt setopt }; diff --git a/selinux/nfc.te b/selinux/nfc.te new file mode 100644 index 0000000..b5afda7 --- /dev/null +++ b/selinux/nfc.te @@ -0,0 +1,2 @@ +allow nfc firmware_exynos:dir search; +allow nfc log_device:chr_file write; diff --git a/selinux/rild.te b/selinux/rild.te new file mode 100644 index 0000000..5da4924 --- /dev/null +++ b/selinux/rild.te @@ -0,0 +1,20 @@ +allow rild self:netlink_socket { create bind read write }; +allow rild self:netlink_route_socket { write }; +allow rild self:netlink_kobject_uevent_socket { create bind read write setopt }; +allow rild rild:process { execmem }; + +allow rild radio_data_file:dir setattr; +allow rild unlabeled:dir search; + +allow radio log_device:chr_file w_file_perms; +allow rild log_device:chr_file w_file_perms; +allow rild system_file:file execmod; +allow rild radio_data:file create_file_perms; +allow rild radio_data:dir create_dir_perms; + +allow rild radio_device:chr_file rw_file_perms; +allow rild efs_block_device:blk_file rw_file_perms; +allow rild efs_file:file { read open write setattr }; + +allow rild efs_device_file:dir create_dir_perms; +allow rild efs_device_file:file { setattr create create_file_perms }; diff --git a/selinux/service_contexts b/selinux/service_contexts new file mode 100644 index 0000000..fb14cf2 --- /dev/null +++ b/selinux/service_contexts @@ -0,0 +1,3 @@ +SecTVOutService u:object_r:surfaceflinger_service:s0 +Exynos.HWCService u:object_r:surfaceflinger_service:s0 +Exynos.IPService u:object_r:surfaceflinger_service:s0 diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te new file mode 100644 index 0000000..40a665d --- /dev/null +++ b/selinux/servicemanager.te @@ -0,0 +1,3 @@ +allow servicemanager gpsd:dir { search read write }; +allow servicemanager gpsd:file { open read write }; +allow servicemanager gpsd:process getattr; diff --git a/selinux/surfaceflinger.te b/selinux/surfaceflinger.te new file mode 100644 index 0000000..00fa1e9 --- /dev/null +++ b/selinux/surfaceflinger.te @@ -0,0 +1 @@ +allow surfaceflinger hpd_device:chr_file rw_file_perms; diff --git a/selinux/sysinit.te b/selinux/sysinit.te new file mode 100644 index 0000000..0436ffe --- /dev/null +++ b/selinux/sysinit.te @@ -0,0 +1,7 @@ +allow sysinit firmware_exynos:dir { read search open getattr }; +allow sysinit userinit_exec:file { getattr execute execute_no_trans read open }; +allow sysinit firmware_exynos:dir { read search open getattr write remove_name add_name }; +allow sysinit firmware_exynos:file { read open write getattr setattr create unlink }; +allow sysinit sysinit:capability { dac_override chown fowner fsetid }; +allow sysinit unlabeled:dir { search }; +allow sysinit surfaceflinger_exec:file { getattr }; diff --git a/selinux/system_app.te b/selinux/system_app.te new file mode 100644 index 0000000..8542dc2 --- /dev/null +++ b/selinux/system_app.te @@ -0,0 +1,2 @@ +allow system_app sysfs_display:{ file lnk_file } { getattr open read write }; +allow system_app sysfs_display:dir { search }; diff --git a/selinux/system_server.te b/selinux/system_server.te new file mode 100644 index 0000000..31db12d --- /dev/null +++ b/selinux/system_server.te @@ -0,0 +1,33 @@ +allow system_server input_device:chr_file { read ioctl write open }; +allow system_server sensors_device:chr_file { read open }; +allow system_server sensors_data_file:file r_file_perms; +allow system_server wpa_socket:unix_dgram_socket sendto; + +allow system_server sysfs:file { read open write }; +allow system_server self:capability { sys_module }; + +allow system_server efs_file:dir search; +allow system_server efs_file:file read; +allow system_server efs_device_file:dir search; +allow system_server uhid_device:chr_file { read ioctl write open }; +allow system_server storage_stub_file:dir getattr; + + +# for sensors +allow system_server system_file:file execmod; + +# /efs/wifi/.mac.info +allow system_server wifi_data_file:file { read open }; + +allow system_server gpsd:binder transfer; +type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni"; + +# Access .gps.interface.pipe.to_gpsd. +allow system_server gps_data_file:dir rw_dir_perms; +allow system_server gps_data_file:fifo_file { setattr rw_file_perms create }; + +# Access /data/sensors/gps* socket +allow system_server gps_data_file:sock_file create_file_perms; +allow system_server gps_data_file:dir rw_dir_perms; +allow system_server gps_data_file:file rw_file_perms; + diff --git a/selinux/tinyplay.te b/selinux/tinyplay.te new file mode 100644 index 0000000..ef7de81 --- /dev/null +++ b/selinux/tinyplay.te @@ -0,0 +1,6 @@ +type tinyplay, domain; +type tinyplay_exec, exec_type, file_type; +init_daemon_domain(tinyplay) + +allow tinyplay audio_device:chr_file { open read write ioctl }; +allow tinyplay audio_device:dir search; diff --git a/selinux/ueventd.te b/selinux/ueventd.te new file mode 100644 index 0000000..315ccb3 --- /dev/null +++ b/selinux/ueventd.te @@ -0,0 +1,5 @@ +# Firmwares +allow ueventd { firmware_mfc }:file r_file_perms; +allow ueventd { firmware_exynos }:dir search; +allow ueventd { firmware_exynos }:file { read getattr open }; +allow ueventd sysfs_display:file { write open }; diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te new file mode 100644 index 0000000..f9c5bde --- /dev/null +++ b/selinux/untrusted_app.te @@ -0,0 +1,5 @@ +allow untrusted_app storage_stub_file:dir getattr; +allow untrusted_app log_device:chr_file { read write }; +allow untrusted_app self:udp_socket ioctl; +allow untrusted_app app_data_file:file create_file_perms; +allow untrusted_app app_data_file:dir create_dir_perms; diff --git a/selinux/vold.te b/selinux/vold.te new file mode 100644 index 0000000..ba429d6 --- /dev/null +++ b/selinux/vold.te @@ -0,0 +1,12 @@ +allow vold kernel:process setsched; +allow vold sdcardd_exec:file { read open execute execute_no_trans }; + +allow vold log_device:dir search; +allow vold storage_stub_file:dir { read open search write add_name }; +allow vold mnt_media_rw_stub_file:dir { read open }; +allow vold blkid_exec:file { getattr execute read open execute_no_trans }; + +allow vold log_device:chr_file { write open }; + +allow vold efs_device_file:dir rw_file_perms; +allow vold efs_device_file:file rw_file_perms; diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te new file mode 100644 index 0000000..9b806e0 --- /dev/null +++ b/selinux/wpa_supplicant.te @@ -0,0 +1,12 @@ +allow wpa init:unix_dgram_socket { read write }; + +# logwrapper used with wpa_supplicant +allow wpa devpts:chr_file { read write }; +allow wpa log_device:chr_file { write }; + +allow wpa wpa_socket:unix_dgram_socket { read write }; +allow wpa_socket system_app:unix_dgram_socket sendto; + +allow wpa_socket wifi_data_file:sock_file unlink; + +allow wpa rfkill_device:chr_file rw_file_perms; diff --git a/selinux/zygote.te b/selinux/zygote.te new file mode 100644 index 0000000..4de92c2 --- /dev/null +++ b/selinux/zygote.te @@ -0,0 +1 @@ +allow zygote log_device:dir search; |