Diffstat (limited to 'selinux')
-rw-r--r--selinux/bluetooth.te7
-rw-r--r--selinux/cpboot-daemon.te25
-rw-r--r--selinux/device.te4
-rw-r--r--selinux/domain.te1
-rw-r--r--selinux/file.te11
-rw-r--r--selinux/file_contexts65
-rw-r--r--selinux/gpsd.te25
-rw-r--r--selinux/init.te15
-rw-r--r--selinux/log.te3
-rw-r--r--selinux/macloader.te9
-rw-r--r--selinux/mediaserver.te11
-rw-r--r--selinux/netd.te3
-rw-r--r--selinux/nfc.te2
-rw-r--r--selinux/rild.te20
-rw-r--r--selinux/service_contexts3
-rw-r--r--selinux/servicemanager.te3
-rw-r--r--selinux/surfaceflinger.te1
-rw-r--r--selinux/sysinit.te7
-rw-r--r--selinux/system_app.te2
-rw-r--r--selinux/system_server.te33
-rw-r--r--selinux/tinyplay.te6
-rw-r--r--selinux/ueventd.te5
-rw-r--r--selinux/untrusted_app.te5
-rw-r--r--selinux/vold.te12
-rw-r--r--selinux/wpa_supplicant.te12
-rw-r--r--selinux/zygote.te1
26 files changed, 291 insertions, 0 deletions
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..dbfbe0e
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,7 @@
+allow bluetooth bluetooth_efs_file:dir search;
+allow bluetooth bluetooth_efs_file:file read;
+allow bluetooth firmware_exynos:dir { open read search };
+allow bluetooth firmware_exynos:file { open read };
+allow bluetooth sysfs:file write;
+allow bluetooth efs_device_file:dir search;
+allow bluetooth wifi_data_file:file r_file_perms;
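Review bot: `allow bluetooth sysfs:file write;` on line 5 grants write on every sysfs-labelled file rather than the one node the Bluetooth stack toggles; this commit already labels radio and display nodes with dedicated types in file.te (sysfs_radio, sysfs_display), and the same pattern — a new type such as `sysfs_bluetooth` (name constructed) with a file_contexts entry — would keep the grant scoped. The cross-domain `wifi_data_file:file r_file_perms` on line 7 is presumably for /efs/wifi/.mac.info; a comment naming the file, as system_server.te does, would spare the next reader the guess.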
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
new file mode 100644
index 0000000..9974ff2
--- /dev/null
+++ b/selinux/cpboot-daemon.te
@@ -0,0 +1,25 @@
+type cpboot-daemon, domain;
+
+permissive cpboot-daemon;
+
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write remove_name add_name };
+allow cpboot-daemon efs_block_device:blk_file { read open };
+allow cpboot-daemon efs_device_file:dir search;
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon log_device:chr_file { write open };
+allow cpboot-daemon log_device:dir search;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid };
+allow cpboot-daemon sysfs_radio:file { read write open };
+allow cpboot-daemon usbfs:dir search;
+allow cpboot-daemon self:capability dac_override;
+allow cpboot-daemon cbd_device:chr_file create_file_perms;
+
+# FIX ME
+# allow cpboot-daemon usbfs:filesystem mount;
+# allow cpboot-daemon self:capability { mknod };
+
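Review bot: `permissive cpboot-daemon;` on line 3 disables enforcement for this domain, so none of the allow rules that follow constrain it and the commented-out `usbfs:filesystem mount` / `mknod` lines under `# FIX ME` show the rule set is still incomplete; the permissive line needs to go before this ships, with the remaining denials resolved explicitly. The domain also declares no `_exec` type, so it is only reachable through `domain_trans(init, rootfs, cpboot-daemon)` in init.te, which lets init enter this domain from any rootfs-labelled binary; an `exec_type` plus `init_daemon_domain(cpboot-daemon)`, as gpsd.te and tinyplay.te do, would pin the entrypoint to one file. The two `self:capability` rules on lines 16 and 19 can be merged into `allow cpboot-daemon self:capability { setuid dac_override };`.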
diff --git a/selinux/device.te b/selinux/device.te
new file mode 100644
index 0000000..854958d
--- /dev/null
+++ b/selinux/device.te
@@ -0,0 +1,4 @@
+type rfkill_device, dev_type;
+type efs_block_device, dev_type;
+type hpd_device, dev_type;
+type mfc_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
new file mode 100644
index 0000000..c8d8d53
--- /dev/null
+++ b/selinux/domain.te
@@ -0,0 +1 @@
+dontaudit domain kernel:system module_request;
diff --git a/selinux/file.te b/selinux/file.te
new file mode 100644
index 0000000..12b280a
--- /dev/null
+++ b/selinux/file.te
@@ -0,0 +1,11 @@
+type firmware_mfc, file_type;
+type firmware_exynos, file_type;
+
+type sensors_data_file, file_type, data_file_type;
+type sysfs_display, fs_type, sysfs_type;
+
+type efs_device_file, file_type;
+type radio_data, file_type;
+type sysfs_radio, fs_type, sysfs_type;
+type sysfs_sensor, fs_type, sysfs_type;
+type cbd_device, dev_type;
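Review bot: `type cbd_device, dev_type;` on the last line is a device type declared in file.te while this same commit adds device.te for exactly that purpose (rfkill_device, efs_block_device, hpd_device, mfc_device). Moving it there keeps all dev_type declarations in one file; the change is purely organisational.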
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..988ef9a
--- /dev/null
+++ b/selinux/file_contexts
@@ -0,0 +1,65 @@
+# GFX
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/fimg2d u:object_r:gpu_device:s0
+
+# RIL
+/dev/link_pm u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/__cbd_msg_ u:object_r:cbd_device:s0
+
+/efs u:object_r:efs_device_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data:s0
+/sys/devices/platform/s5p-ohci/ohci_power u:object_r:sysfs_radio:s0
+/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
+
+# Partitions
+/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p13 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p16 u:object_r:userdata_block_device:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# Display
+/sys/class/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+/system/bin/gps_daemon.sh u:object_r:gpsd_exec:s0
+
+# Sensors
+/dev/akm8963 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+/sys/class/sensors/accelerometer_sensor u:object_r:sysfs_sensor:s0
+
+# Wifi
+/dev/rfkill u:object_r:rfkill_device:s0
+/data/.cid.info u:object_r:wifi_data_file:s0
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_exynos:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/data/cfw(/.*)? u:object_r:firmware_exynos:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+
+# Misc
+/dev/HPD u:object_r:hpd_device:s0
+/system/bin/macloader u:object_r:macloader_exec:s0
+/system/bin/tinyplay u:object_r:tinyplay_exec:s0
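Review bot: `/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0` on line 21 matches the whole-disk node and every partition not listed below it, so each unlisted partition inherits boot_block_device and becomes accessible to any domain permitted on the boot partition. The entry should name only the real boot partition, e.g. `/dev/block/mmcblk0p<BOOT_PARTITION_NUMBER> u:object_r:boot_block_device:s0` (placeholder), so unlisted partitions fall to the default block-device label instead of a privileged one. As I recall, later file_contexts entries take precedence over earlier ones, which is what makes lines 22–25 override line 21 today; a comment stating that ordering dependency would prevent an accidental reorder. The `/sys/...` entries (lines 17–18, 37–38, 47) presumably rely on an explicit restorecon from init, since sysfs is not labelled from file_contexts on its own.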
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..4aa2b04
--- /dev/null
+++ b/selinux/gpsd.te
@@ -0,0 +1,25 @@
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd)
+
+allow gpsd shell_exec:file { rx_file_perms entrypoint };
+
+#for text relocs & execution
+allow gpsd system_file:file { execute_no_trans execmod };
+allow gpsd gps_device:chr_file { getattr setattr };
+allow gpsd gps_data_file:dir { search write add_name remove_name };
+allow gpsd gps_data_file:file { create rw_file_perms };
+allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+allow gpsd node:udp_socket { node_bind name_bind };
+allow gpsd port:tcp_socket name_connect;
+allow gpsd self:tcp_socket { getopt write read };
+
+allow gpsd sysfs:file { setattr write };
+allow gpsd gps_device:chr_file { ioctl open read write };
+allow gpsd gpsd:udp_socket { create bind };
+allow gpsd gpsd:tcp_socket { create connect };
+allow gpsd fwmarkd_socket:sock_file write;
+allow gpsd dnsproxyd_socket:sock_file write;
+allow gpsd netd:unix_stream_socket connectto;
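Review bot: `allow gpsd sysfs:file { setattr write };` on line 19 grants write and setattr on every sysfs file, and `allow gpsd system_file:file { execute_no_trans execmod };` on line 9 permits text relocations against any system library rather than the single GPS blob the `#for text relocs` comment refers to. Both read like unreduced audit2allow output; labelling the specific sysfs node with a dedicated type (as file.te does with sysfs_radio) and giving the vendor library its own label for the execmod grant would keep the domain confined. The `shell_exec:file { rx_file_perms entrypoint }` rule on line 6 together with `domain_trans(init, rootfs, gpsd)` in init.te means any shell script or rootfs file can enter this domain, not only /system/bin/gps_daemon.sh; a comment explaining why the wrapper script needs shell_exec as its entrypoint would help.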
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..b4c11fb
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1,15 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
+allow init init:process { execmem };
+allow init init:tcp_socket { create };
+
+allow init sysfs_display:lnk_file { read setattr };
+
+allow init tmpfs:lnk_file create;
+allow init sysfs_sensor:lnk_file { setattr read };
+
+allow init rild:process noatsecure;
+
+domain_trans(init, rootfs, gpsd)
+domain_trans(init, rootfs, cpboot-daemon)
+domain_trans(init, rootfs, tinyplay)
+domain_trans(init, rootfs, macloader)
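Review bot: `allow init init:process { execmem };` on line 2 lets init map anonymous writable-and-executable memory, a property later AOSP releases forbid by neverallow for most domains; if it silences a single denial, the triggering code path should be named in a comment and the rule reconsidered. The four `domain_trans(init, rootfs, …)` lines make every rootfs-labelled file a valid entrypoint for gpsd, cpboot-daemon, tinyplay and macloader, yet gpsd_exec, tinyplay_exec and macloader_exec are declared, labelled and wired through `init_daemon_domain` in this same commit, so the rootfs variants for those three look redundant and only cpboot-daemon (which has no exec type) appears to need one. `allow init rild:process noatsecure;` on line 10 also deserves a comment, since noatsecure disables the secure-exec protections for the rild launch.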
diff --git a/selinux/log.te b/selinux/log.te
new file mode 100644
index 0000000..c3dfc80
--- /dev/null
+++ b/selinux/log.te
@@ -0,0 +1,3 @@
+allow domain log_device:chr_file { open write };
+allow domain log_device:dir { search };
+allow { shell debuggerd } log_device:chr_file { read };
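Review bot: The domain-wide `allow domain log_device:chr_file { open write };` and `allow domain log_device:dir { search };` on lines 1–2 make the per-domain log_device grants elsewhere in this commit redundant — cpboot-daemon.te lines 11–12, nfc.te line 2, vold.te lines 4 and 9, wpa_supplicant.te line 5, zygote.te, and the `w_file_perms` rules in rild.te lines 9–10 — so those duplicates can be dropped. `allow { shell debuggerd } log_device:chr_file { read };` on line 3 is the only intended read grant on the log devices and is worth a comment saying so, because untrusted_app.te in this commit also grants read and nothing here documents that shell and debuggerd are meant to be the exceptions.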
diff --git a/selinux/macloader.te b/selinux/macloader.te
new file mode 100644
index 0000000..464f201
--- /dev/null
+++ b/selinux/macloader.te
@@ -0,0 +1,9 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader);
+
+allow macloader efs_file:dir search;
+allow macloader efs_device_file:dir search;
+allow macloader wifi_data_file:file { read getattr open write setattr };
+allow macloader self:capability { dac_override chown fowner fsetid };
+allow macloader system_data_file:dir w_dir_perms;
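Review bot: `init_daemon_domain(macloader);` on line 3 carries a trailing semicolon that the other two uses in this commit (gpsd.te, tinyplay.te) omit; the macro already expands to complete statements, so the stray `;` is inconsistent at best and may be rejected by the policy compiler — `init_daemon_domain(macloader)` is the safe form. Separately, `self:capability { dac_override chown fowner fsetid }` together with `system_data_file:dir w_dir_perms` lets the MAC loader modify any directory under /data; if the only output is /data/.cid.info (labelled wifi_data_file in file_contexts) and that file already exists, the `wifi_data_file:file` rule on line 7 suffices, and if it must be created in /data a comment should say that is what the directory write is for.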
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
new file mode 100644
index 0000000..cbcdcb8
--- /dev/null
+++ b/selinux/mediaserver.te
@@ -0,0 +1,11 @@
+allow mediaserver { firmware_exynos }:file r_file_perms;
+allow mediaserver firmware_exynos:dir r_dir_perms;
+allow mediaserver camera_data_file:file rw_file_perms;
+allow mediaserver mfc_device:chr_file rw_file_perms;
+
+# Bluetooth audio
+allow mediaserver bluetooth:unix_stream_socket { connectto };
+
+allow mediaserver { storage_file mnt_user_file }:dir { search read };
+allow mediaserver storage_file:lnk_file read;
+allow mediaserver mnt_user_file:lnk_file read;
diff --git a/selinux/netd.te b/selinux/netd.te
new file mode 100644
index 0000000..bce2700
--- /dev/null
+++ b/selinux/netd.te
@@ -0,0 +1,3 @@
+allow netd init:tcp_socket { read write getopt };
+allow netd gpsd:fd use;
+allow netd gpsd:tcp_socket { read write getopt setopt };
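Review bot: `allow netd init:tcp_socket { read write getopt };` on line 1 has no documented counterpart — init.te only adds `init:tcp_socket { create }` and nothing names which init-spawned process hands that socket to netd — whereas lines 2–3 match the fwmarkd/dnsproxyd hand-off that gpsd.te sets up. A comment identifying the client behind the init-owned socket would keep line 1 from being mistaken for a stray audit2allow line.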
diff --git a/selinux/nfc.te b/selinux/nfc.te
new file mode 100644
index 0000000..b5afda7
--- /dev/null
+++ b/selinux/nfc.te
@@ -0,0 +1,2 @@
+allow nfc firmware_exynos:dir search;
+allow nfc log_device:chr_file write;
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100644
index 0000000..5da4924
--- /dev/null
+++ b/selinux/rild.te
@@ -0,0 +1,20 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create bind read write setopt };
+allow rild rild:process { execmem };
+
+allow rild radio_data_file:dir setattr;
+allow rild unlabeled:dir search;
+
+allow radio log_device:chr_file w_file_perms;
+allow rild log_device:chr_file w_file_perms;
+allow rild system_file:file execmod;
+allow rild radio_data:file create_file_perms;
+allow rild radio_data:dir create_dir_perms;
+
+allow rild radio_device:chr_file rw_file_perms;
+allow rild efs_block_device:blk_file rw_file_perms;
+allow rild efs_file:file { read open write setattr };
+
+allow rild efs_device_file:dir create_dir_perms;
+allow rild efs_device_file:file { setattr create create_file_perms };
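Review bot: `allow rild efs_block_device:blk_file rw_file_perms;` on line 16 gives rild raw read/write on the EFS partition's block device in addition to the file-level efs_file/efs_device_file rules below it, so the filesystem permissions on /efs can be bypassed from rild; if the raw access is only for reading, trim it to `allow rild efs_block_device:blk_file r_file_perms;`. `allow radio log_device:chr_file w_file_perms;` on line 9 targets the radio app domain rather than rild, belongs in a radio.te, and is already covered by the domain-wide rule in log.te. `allow rild unlabeled:dir search;` on line 7 points at a directory missing from file_contexts; labelling it is preferable to granting unlabeled access.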
diff --git a/selinux/service_contexts b/selinux/service_contexts
new file mode 100644
index 0000000..fb14cf2
--- /dev/null
+++ b/selinux/service_contexts
@@ -0,0 +1,3 @@
+SecTVOutService u:object_r:surfaceflinger_service:s0
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+Exynos.IPService u:object_r:surfaceflinger_service:s0
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..40a665d
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager gpsd:dir { search read write };
+allow servicemanager gpsd:file { open read write };
+allow servicemanager gpsd:process getattr;
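Review bot: `allow servicemanager gpsd:dir { search read write };` and `allow servicemanager gpsd:file { open read write };` on lines 1–2 use the gpsd process type as a file target — i.e. gpsd's /proc/<pid> entries — and include write, while servicemanager's usual need toward a registering daemon is the `process getattr` on line 3 plus read access to those entries for credential checks. If the observed denials only showed read and search, `allow servicemanager gpsd:dir search;` and `allow servicemanager gpsd:file { open read };` would suffice and the write bits should be dropped.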
diff --git a/selinux/surfaceflinger.te b/selinux/surfaceflinger.te
new file mode 100644
index 0000000..00fa1e9
--- /dev/null
+++ b/selinux/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger hpd_device:chr_file rw_file_perms;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..0436ffe
--- /dev/null
+++ b/selinux/sysinit.te
@@ -0,0 +1,7 @@
+allow sysinit firmware_exynos:dir { read search open getattr };
+allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
+allow sysinit firmware_exynos:dir { read search open getattr write remove_name add_name };
+allow sysinit firmware_exynos:file { read open write getattr setattr create unlink };
+allow sysinit sysinit:capability { dac_override chown fowner fsetid };
+allow sysinit unlabeled:dir { search };
+allow sysinit surfaceflinger_exec:file { getattr };
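Review bot: `allow sysinit firmware_exynos:dir { read search open getattr };` on line 1 is a strict subset of line 3 `allow sysinit firmware_exynos:dir { read search open getattr write remove_name add_name };` and can be dropped. More importantly, lines 3–4 let sysinit create, write and unlink files under both /system/vendor/firmware and /data/cfw, because file_contexts labels both as firmware_exynos; a separate type for /data/cfw would keep the vendor firmware directory immutable from sysinit while still allowing the data-side files to be regenerated. `allow sysinit unlabeled:dir { search };` on line 6 again indicates a path missing from file_contexts.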
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..8542dc2
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1,2 @@
+allow system_app sysfs_display:{ file lnk_file } { getattr open read write };
+allow system_app sysfs_display:dir { search };
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..31db12d
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,33 @@
+allow system_server input_device:chr_file { read ioctl write open };
+allow system_server sensors_device:chr_file { read open };
+allow system_server sensors_data_file:file r_file_perms;
+allow system_server wpa_socket:unix_dgram_socket sendto;
+
+allow system_server sysfs:file { read open write };
+allow system_server self:capability { sys_module };
+
+allow system_server efs_file:dir search;
+allow system_server efs_file:file read;
+allow system_server efs_device_file:dir search;
+allow system_server uhid_device:chr_file { read ioctl write open };
+allow system_server storage_stub_file:dir getattr;
+
+
+# for sensors
+allow system_server system_file:file execmod;
+
+# /efs/wifi/.mac.info
+allow system_server wifi_data_file:file { read open };
+
+allow system_server gpsd:binder transfer;
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
+
+# Access .gps.interface.pipe.to_gpsd.
+allow system_server gps_data_file:dir rw_dir_perms;
+allow system_server gps_data_file:fifo_file { setattr rw_file_perms create };
+
+# Access /data/sensors/gps* socket
+allow system_server gps_data_file:sock_file create_file_perms;
+allow system_server gps_data_file:dir rw_dir_perms;
+allow system_server gps_data_file:file rw_file_perms;
+
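Review bot: `allow system_server self:capability { sys_module };` on line 7 lets system_server load and unload kernel modules, a kernel-level privilege in a domain that runs a large amount of framework and HAL code; the nearby `# for sensors` comment suggests it was audit-driven, and whatever triggers it (possibly a sensor HAL doing its own module load) should be moved to init so the rule can be removed, or at minimum documented. `allow system_server sysfs:file { read open write };` on line 6 is similarly unscoped and would benefit from the dedicated sysfs types this commit introduces elsewhere. `allow system_server gps_data_file:dir rw_dir_perms;` appears twice, on lines 27 and 32; one copy can go.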
diff --git a/selinux/tinyplay.te b/selinux/tinyplay.te
new file mode 100644
index 0000000..ef7de81
--- /dev/null
+++ b/selinux/tinyplay.te
@@ -0,0 +1,6 @@
+type tinyplay, domain;
+type tinyplay_exec, exec_type, file_type;
+init_daemon_domain(tinyplay)
+
+allow tinyplay audio_device:chr_file { open read write ioctl };
+allow tinyplay audio_device:dir search;
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
new file mode 100644
index 0000000..315ccb3
--- /dev/null
+++ b/selinux/ueventd.te
@@ -0,0 +1,5 @@
+# Firmwares
+allow ueventd { firmware_mfc }:file r_file_perms;
+allow ueventd { firmware_exynos }:dir search;
+allow ueventd { firmware_exynos }:file { read getattr open };
+allow ueventd sysfs_display:file { write open };
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
new file mode 100644
index 0000000..f9c5bde
--- /dev/null
+++ b/selinux/untrusted_app.te
@@ -0,0 +1,5 @@
+allow untrusted_app storage_stub_file:dir getattr;
+allow untrusted_app log_device:chr_file { read write };
+allow untrusted_app self:udp_socket ioctl;
+allow untrusted_app app_data_file:file create_file_perms;
+allow untrusted_app app_data_file:dir create_dir_perms;
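Review bot: `allow untrusted_app log_device:chr_file { read write };` on line 2 lets every third-party app read the Android log devices, i.e. the log output of every other process, regardless of the READ_LOGS permission the framework would normally require; apps only need `write` for their own logging, and log.te already grants that domain-wide, so the line should be dropped or reduced to `allow untrusted_app log_device:chr_file write;`. `allow untrusted_app self:udp_socket ioctl;` on line 3 is an unrestricted ioctl grant; if one specific ioctl is needed, a comment should say which. The two app_data_file rules on lines 4–5 are presumably already part of the base app policy and can likely be removed.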
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..ba429d6
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,12 @@
+allow vold kernel:process setsched;
+allow vold sdcardd_exec:file { read open execute execute_no_trans };
+
+allow vold log_device:dir search;
+allow vold storage_stub_file:dir { read open search write add_name };
+allow vold mnt_media_rw_stub_file:dir { read open };
+allow vold blkid_exec:file { getattr execute read open execute_no_trans };
+
+allow vold log_device:chr_file { write open };
+
+allow vold efs_device_file:dir rw_file_perms;
+allow vold efs_device_file:file rw_file_perms;
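Review bot: `allow vold efs_device_file:dir rw_file_perms;` on line 11 applies the file permission macro to the dir class; the intended macro is almost certainly `rw_dir_perms` (used in system_server.te), which carries the `search`, `add_name` and `remove_name` bits a directory write actually needs — `allow vold efs_device_file:dir rw_dir_perms;`. Separately, the `execute_no_trans` grants on sdcardd_exec and blkid_exec (lines 2 and 7) run those helpers inside vold's domain rather than their own; if the base policy defines domains for them, a `domain_auto_trans` would keep their privileges separate, and if not, a comment explaining the choice would help.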
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
new file mode 100644
index 0000000..9b806e0
--- /dev/null
+++ b/selinux/wpa_supplicant.te
@@ -0,0 +1,12 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+allow wpa log_device:chr_file { write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system_app:unix_dgram_socket sendto;
+
+allow wpa_socket wifi_data_file:sock_file unlink;
+
+allow wpa rfkill_device:chr_file rw_file_perms;
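Review bot: `allow wpa_socket system_app:unix_dgram_socket sendto;` and `allow wpa_socket wifi_data_file:sock_file unlink;` on lines 8 and 10 use wpa_socket — the file type of the supplicant's control socket, not a process domain — as the rule source, so they never apply to any running process and the supplicant will still be denied; the intended source is the wpa domain: `allow wpa system_app:unix_dgram_socket sendto;` and `allow wpa wifi_data_file:sock_file unlink;`. This assumes wpa_socket is the AOSP file type; if this policy redefines it as a domain, disregard. `allow wpa log_device:chr_file { write };` on line 5 is already covered by the domain-wide rule in log.te.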
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..4de92c2
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1 @@
+allow zygote log_device:dir search;