authorDaniel Hillenbrand <codeworkx@cyanogenmod.org>2013-08-11 16:36:58 +0200
committerDaniel Hillenbrand <codeworkx@cyanogenmod.org>2013-08-11 16:38:48 +0200
commit8d4807089d438f4b7dd9cc08716d0e10b2a032df (patch)
tree6ae8ade4cd48658c8ec850226edfbb9a42df99e9
parent52d4b594311ccc551e6781bd33bddf32b68b9aa9 (diff)
p51xx: add selinux policies
Change-Id: I106ce4ba51bf5d46dac6984ef2f2c6bb53a22ee8
-rw-r--r--BoardConfigCommon.mk12
-rw-r--r--selinux/device.te3
-rw-r--r--selinux/domain.te8
-rw-r--r--selinux/file.te1
-rw-r--r--selinux/file_contexts34
-rw-r--r--selinux/pvrsrvinit.te12
-rw-r--r--selinux/rild.te10
7 files changed, 80 insertions, 0 deletions
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 755d3b6..559aea9 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -89,6 +89,18 @@ BOARD_USE_LEGACY_SENSORS_FUSION := false
# Security
BOARD_USES_SECURE_SERVICES := true
+# Selinux
+BOARD_SEPOLICY_DIRS := \
+ device/samsung/p5100/selinux
+
+BOARD_SEPOLICY_UNION := \
+ file_contexts \
+ file.te \
+ device.te \
+ domain.te \
+ pvrsrvinit.te \
+ rild.te
+
# Recovery
TARGET_RECOVERY_INITRC := device/samsung/p5100/rootdir/recovery.rc
TARGET_RECOVERY_PIXEL_FORMAT := "BGRA_8888"
diff --git a/selinux/device.te b/selinux/device.te
new file mode 100644
index 0000000..5d39a97
--- /dev/null
+++ b/selinux/device.te
@@ -0,0 +1,3 @@
+type efs_block_device, dev_type;
+type powervr_device, dev_type, mlstrustedobject;
+type rfkill_device, dev_type;
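Review bot: `type powervr_device, dev_type, mlstrustedobject;` carries the MLS-trust attribute with no comment saying why the GPU node must bypass MLS constraints; combined with `allow domain powervr_device:chr_file rw_file_perms;` in selinux/domain.te, every domain at every level gets read/write on /dev/pvrsrvkm, which exposes the PowerVR driver's ioctl surface to all processes, including app domains. If that breadth is intentional (presumably app processes render through the driver directly), record it on the declaration, e.g. `# GPU node: opened directly by app processes, hence mlstrustedobject and the domain-wide rw rule in domain.te`; otherwise drop the attribute and narrow the consumer set there. efs_block_device and rfkill_device are fine as plain dev_type.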
diff --git a/selinux/domain.te b/selinux/domain.te
new file mode 100644
index 0000000..7cf1def
--- /dev/null
+++ b/selinux/domain.te
@@ -0,0 +1,8 @@
+## Pvrsrvinit
+allow domain powervr_device:chr_file rw_file_perms;
+
+## /dev/rfkill for wpa_supp
+allow wpa rfkill_device:chr_file rw_file_perms;
+
+## Firmwares
+allow ueventd { firmware_ducati }:file r_file_perms;
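Review bot: The `## Pvrsrvinit` heading over `allow domain powervr_device:chr_file rw_file_perms;` is misleading — that rule grants read/write on the GPU node to every domain, not to pvrsrvinit, whose own rules live in selinux/pvrsrvinit.te. Rename the heading so the scope is visible, e.g. `## GPU node: every domain gets rw on /dev/pvrsrvkm (widest grant in this policy)`. If only a known set of domains actually opens the node, prefer listing them (or a dedicated attribute) over `domain`, since `domain` also covers isolated and untrusted app domains. The wpa and ueventd rules are appropriately scoped.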
diff --git a/selinux/file.te b/selinux/file.te
new file mode 100644
index 0000000..60c3dc6
--- /dev/null
+++ b/selinux/file.te
@@ -0,0 +1 @@
+type firmware_ducati, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..027c2de
--- /dev/null
+++ b/selinux/file_contexts
@@ -0,0 +1,34 @@
+# GFX
+/dev/dsscomp u:object_r:video_device:s0
+/dev/pvrsrvkm u:object_r:powervr_device:s0
+
+# RIL
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+
+/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
+
+/efs/imei/mps_code.dat u:object_r:radio_data_file:s0
+/efs/nv_data.bin u:object_r:radio_data_file:s0
+/efs/nv_data.bin.md5 u:object_r:radio_data_file:s0
+/efs/upgaddr u:object_r:efs_file:s0
+
+# Bluetooth
+/dev/ttyO1 u:object_r:hci_attach_dev:s0
+/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# GPS
+/dev/ttyO0 u:object_r:gps_device:s0
+
+# for wpa_supp
+/dev/rfkill u:object_r:rfkill_device:s0
+
+# System binaries
+/system/vendor/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
+/system/vendor/bin/pvrsrvinit_SGX540_120 u:object_r:pvrsrvinit_exec:s0
+
+# Firmwares
+/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
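Review bot: `/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0` labels the EFS partition by its raw index, so a partition-table change silently moves `efs_block_device` — and with it rild's raw read/write from selinux/rild.te — onto a different partition. If the kernel exposes by-name symlinks under `/dev/block/platform/<controller — placeholder>/by-name/`, label the partition through that path and keep the mmcblk entry only as a commented fallback; either way add a comment naming what lives there, e.g. `# EFS partition (radio NV data); index must match the device partition table`. file_contexts patterns are regexes, so entries such as `/efs/nv_data.bin.md5` match more than the literal name; `\.` is the precise form if that matters here.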
diff --git a/selinux/pvrsrvinit.te b/selinux/pvrsrvinit.te
new file mode 100644
index 0000000..1ef06ff
--- /dev/null
+++ b/selinux/pvrsrvinit.te
@@ -0,0 +1,12 @@
+# pvrsrvinit
+type pvrsrvinit, domain;
+type pvrsrvinit_exec, exec_type, file_type;
+
+init_daemon_domain(pvrsrvinit)
+
+allow pvrsrvinit kernel:system module_request;
+allow pvrsrvinit self:capability { sys_module };
+allow pvrsrvinit system_file:file x_file_perms;
+allow pvrsrvinit shell_exec:file rx_file_perms;
+allow pvrsrvinit pvrsrvinit_exec:file rx_file_perms;
+allow pvrsrvinit property_socket:sock_file write;
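Review bot: The rules from `allow pvrsrvinit kernel:system module_request;` through `allow pvrsrvinit property_socket:sock_file write;` make this a privileged domain (sys_module, module request, execute on any system_file plus shell_exec) with no comment tying each grant to the action that needs it. Add a header such as `# pvrsrvinit loads the PowerVR kernel module and is launched via a shell wrapper, hence sys_module/module_request and shell_exec` — confirm against what the wrapper actually does — and consider tightening `system_file:file x_file_perms` if the wrapper only execs pvrsrvinit_SGX540_120, which is already covered by the pvrsrvinit_exec rule. `property_socket:sock_file write` on its own may not be enough to set a property, since connecting to init's stream socket is normally granted through `unix_socket_connect(pvrsrvinit, property, init)`; if the base policy already grants that domain-wide the line is redundant, otherwise the macro is the complete form.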
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100644
index 0000000..5711ef0
--- /dev/null
+++ b/selinux/rild.te
@@ -0,0 +1,10 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create bind read write };
+
+allow rild radio_device:chr_file rw_file_perms;
+
+allow rild efs_block_device:blk_file rw_file_perms;
+
+allow rild radio_data_file:file { read open write setattr };
+allow rild efs_file:file { read open write getattr };
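Review bot: `allow rild efs_block_device:blk_file rw_file_perms;` gives rild raw write access to the whole EFS partition (mmcblk0p8 per selinux/file_contexts), which sidesteps the per-file labels this same commit applies under /efs (radio_data_file, efs_file, bluetooth_efs_file) — a compromised rild could then rewrite any file on that partition, not only its own NV data. If the vendor RIL only reads the partition, reduce the rule to `r_file_perms`; if it genuinely writes, add a comment naming the operation, e.g. `# vendor RIL opens the raw EFS partition for <purpose — confirm>`. The asymmetric permission sets on radio_data_file (`setattr` but no `getattr`) and efs_file (`getattr` but no `setattr`) look denial-driven; a note saying they were taken from audit logs would spare the next maintainer from guessing whether the gaps are intentional.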