authorAndreas Blaesius <skate4life@gmx.de>2015-07-18 17:59:44 +0200
committerAndreas Blaesius <skate4life@gmx.de>2015-07-31 11:46:21 -0700
commitaef65ac5b00bd1948816abae5232e70ee126e844 (patch)
treedf61e06ea980146735326432eaab398da6728342
parent97c8812fa1683f97cec6e549dfbe91732544c3b4 (diff)
P51XX: Update SELinux Policies [2/2]
- Move common policies to omap4-common
- remove redundant seclabel in init.espresso10.rc
- address some denials

Change-Id: I396215f3eb1316c3ba96e5eb98a03b98b77543fd
-rw-r--r--BoardConfigCommon.mk13
-rwxr-xr-xrootdir/etc/init.espresso10.rc7
-rw-r--r--selinux/device.te2
-rw-r--r--selinux/domain.te5
-rw-r--r--selinux/file.te1
-rw-r--r--selinux/file_contexts38
-rw-r--r--selinux/geomagneticd.te5
-rw-r--r--selinux/gpsd.te6
-rw-r--r--selinux/init.te5
-rw-r--r--selinux/orientationd.te5
-rw-r--r--selinux/pvrsrvinit.te16
-rw-r--r--selinux/rild.te7
-rw-r--r--selinux/smc_pa.te5
-rw-r--r--selinux/wpa_supplicant.te2
-rw-r--r--sepolicy/device.te3
-rw-r--r--sepolicy/dock_kbd_attach.te (renamed from selinux/dock_kbd_attach.te)3
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/file_contexts19
-rw-r--r--sepolicy/geomagneticd.te12
-rw-r--r--sepolicy/gpsd.te8
-rw-r--r--sepolicy/orientationd.te9
-rw-r--r--sepolicy/smc_pa.te8
-rw-r--r--sepolicy/sysinit.te2
23 files changed, 72 insertions, 111 deletions
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 3013fa3..ad43bbb 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -92,21 +92,18 @@ BOARD_USES_SECURE_SERVICES := true
# Selinux
BOARD_SEPOLICY_DIRS += \
- device/samsung/p5100/selinux
+ device/samsung/p5100/sepolicy
BOARD_SEPOLICY_UNION += \
- file_contexts \
- file.te \
device.te \
dock_kbd_attach.te \
- domain.te \
+ file.te \
+ file_contexts \
geomagneticd.te \
- init.te \
orientationd.te \
- pvrsrvinit.te \
- rild.te \
+ gpsd.te \
smc_pa.te \
- wpa_supplicant.te
+ sysinit.te
# Recovery
TARGET_RECOVERY_PIXEL_FORMAT := "BGRA_8888"
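Review bot: This union list cannot build on its own: the two files it adds, sepolicy/gpsd.te and sepolicy/sysinit.te, contain only allow rules and never declare the `gpsd` or `sysinit` domains, and sepolicy/file_contexts labels mmcblk0p1/mmcblk0p8 as `efs_block_device` while the only local declaration of that type is deleted with selinux/device.te. All of those, plus the rules dropped with rild.te, wpa_supplicant.te, init.te, domain.te and pvrsrvinit.te (for which no sepolicy/ replacement appears here), must come from the omap4-common change the message refers to, so this commit has to land strictly after [1/2] and the tree is broken in between. A one-line comment above BOARD_SEPOLICY_DIRS such as `# device-specific rules only; domains and shared types live in omap4-common sepolicy` would make the split obvious to the next person adding a .te file here.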
diff --git a/rootdir/etc/init.espresso10.rc b/rootdir/etc/init.espresso10.rc
index 9c7e0bf..78d21a7 100755
--- a/rootdir/etc/init.espresso10.rc
+++ b/rootdir/etc/init.espresso10.rc
@@ -56,6 +56,7 @@ on fs
mount debugfs /sys/kernel/debug /sys/kernel/debug
# Restorecon
+ restorecon /efs/nv.log
restorecon /efs/nv_data.bin
restorecon /efs/nv_data.bin.md5
restorecon /efs/.nv_core.bak
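Review bot: Adding `restorecon /efs/nv.log` continues a one-line-per-file pattern that relabels only the names listed, so any other file the modem tools create under /efs (backups, rotated logs) keeps whatever label it was created with and will surface as the next denial. If the file_contexts rules for /efs (not in this diff) cover the whole tree, `restorecon_recursive /efs` replaces this growing list; if per-file labels are intentional because /efs mixes bluetooth_efs_file, wifi_data_file and modem data, a comment above the block saying so, e.g. `# /efs holds mixed labels; relabel entries individually, do not restorecon_recursive`, will stop someone from "fixing" it later. The `on fs` block starts before this hunk.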
@@ -283,7 +284,6 @@ service pvrsrvinit /system/bin/pvrsrvinit
class core
user root
group root
- seclabel u:r:pvrsrvinit:s0
oneshot
service pvrsrvctl /system/vendor/bin/pvrsrvctl_SGX540_120 --start --no-module
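Review bot: Dropping `seclabel u:r:pvrsrvinit:s0` means pvrsrvinit only ends up in its domain through an exec-time transition, which needs both the `pvrsrvinit_exec` label on the binary and an `init_daemon_domain(pvrsrvinit)` rule — and this same commit deletes the local labels for /system/bin/pvrsrvinit, /system/vendor/bin/pvrsrvinit and /system/vendor/bin/pvrsrvctl_SGX540_120 (old selinux/file_contexts) and the pvrsrvinit.te domain without re-adding either under sepolicy/. If the omap4-common policy does not carry both pieces, the GPU init helpers either keep running in init's own domain as root or are refused at exec time, depending on the base policy's rules for init, and the missing seclabel produces no denial pointing at the cause. Worth confirming with `ps -Z` on a build that has both changes that pvrsrvinit and pvrsrvctl show `u:r:pvrsrvinit:s0`. The pvrsrvctl service definition continues past the end of this hunk.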
@@ -307,20 +307,17 @@ service smc_pa /system/bin/smc_pa_ctrl \
class core
user root
group root
- seclabel u:r:smc_pa:s0
oneshot
service orientationd /system/bin/orientationd
class main
user compass
group input
- seclabel u:r:orientationd:s0
service geomagneticd /system/bin/geomagneticd
class main
user compass
group system input
- seclabel u:r:geomagneticd:s0
# create virtual SD card at /storage/sdcard0, based on the /data/media directory
# daemon will drop to user/group system/media_rw after initializing
@@ -412,7 +409,6 @@ service gpsd /system/bin/gpsd -c /system/etc/gps.xml
socket gps seqpacket 0660 gps system
user gps
group system inet sdcard_rw
- seclabel u:r:gpsd:s0
# TVout
service TvoutService_C /system/bin/bintvoutservice
@@ -424,7 +420,6 @@ service TvoutService_C /system/bin/bintvoutservice
service dock_kbd_attach /system/bin/dock_kbd_attach /dev/ttyO3
class main
user root
- seclabel u:r:dock_kbd_attach:s0
oneshot
# LPM
diff --git a/selinux/device.te b/selinux/device.te
deleted file mode 100644
index 7c28653..0000000
--- a/selinux/device.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type efs_block_device, dev_type;
-type rfkill_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
deleted file mode 100644
index 98b0e6b..0000000
--- a/selinux/domain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-## Pvrsrvinit
-# allow domain powervr_device:chr_file rw_file_perms;
-
-## Firmwares
-allow ueventd { firmware_ducati }:file r_file_perms;
diff --git a/selinux/file.te b/selinux/file.te
deleted file mode 100644
index 60c3dc6..0000000
--- a/selinux/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type firmware_ducati, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
deleted file mode 100644
index 7c6b3ff..0000000
--- a/selinux/file_contexts
+++ /dev/null
@@ -1,38 +0,0 @@
-# GFX
-/dev/dsscomp u:object_r:video_device:s0
-
-# RIL
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_boot1 u:object_r:radio_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ramdump0 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-
-/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
-
-# Bluetooth
-/dev/ttyO1 u:object_r:hci_attach_dev:s0
-/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
-
-# GPS
-/dev/ttyO0 u:object_r:gps_device:s0
-/system/bin/gpsd u:object_r:gpsd_exec:s0
-
-# Sensors
-/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
-/system/bin/orientationd u:object_r:orientationd_exec:s0
-
-# Wifi
-/dev/rfkill u:object_r:rfkill_device:s0
-/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
-
-# System binaries
-/system/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
-/system/vendor/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
-/system/vendor/bin/pvrsrvctl_SGX540_120 u:object_r:pvrsrvinit_exec:s0
-
-/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
-/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
-
-# Firmwares
-/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
diff --git a/selinux/geomagneticd.te b/selinux/geomagneticd.te
deleted file mode 100644
index c286497..0000000
--- a/selinux/geomagneticd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# geomagneticd
-type geomagneticd, domain;
-type geomagneticd_exec, exec_type, file_type;
-
-init_daemon_domain(geomagneticd)
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
deleted file mode 100644
index 36b93fb..0000000
--- a/selinux/gpsd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# gpsd - GPS daemon
-type gpsd, domain;
-type gpsd_exec, exec_type, file_type;
-
-init_daemon_domain(gpsd)
-net_domain(gpsd)
diff --git a/selinux/init.te b/selinux/init.te
deleted file mode 100644
index 23a3621..0000000
--- a/selinux/init.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#init
-
-allow init self:process execmem;
-allow init self:capability sys_module;
-
diff --git a/selinux/orientationd.te b/selinux/orientationd.te
deleted file mode 100644
index 284b0cb..0000000
--- a/selinux/orientationd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# orientationd
-type orientationd, domain;
-type orientationd_exec, exec_type, file_type;
-
-init_daemon_domain(orientationd)
diff --git a/selinux/pvrsrvinit.te b/selinux/pvrsrvinit.te
deleted file mode 100644
index 3d82777..0000000
--- a/selinux/pvrsrvinit.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# pvrsrvinit
-type pvrsrvinit, domain;
-type pvrsrvinit_exec, exec_type, file_type;
-
-init_daemon_domain(pvrsrvinit)
-
-allow pvrsrvinit gpu_device:chr_file rw_file_perms;
-allow pvrsrvinit kernel:system module_request;
-allow pvrsrvinit self:capability { sys_module };
-allow pvrsrvinit system_file:file x_file_perms;
-allow pvrsrvinit shell_exec:file rx_file_perms;
-allow pvrsrvinit pvrsrvinit_exec:file rx_file_perms;
-allow pvrsrvinit property_socket:sock_file write;
-allow pvrsrvinit init:unix_stream_socket connectto;
-allow pvrsrvinit block_device:dir search;
-allow pvrsrvinit gpu_device:chr_file { read write ioctl open };
diff --git a/selinux/rild.te b/selinux/rild.te
deleted file mode 100644
index 40406e3..0000000
--- a/selinux/rild.te
+++ /dev/null
@@ -1,7 +0,0 @@
-allow rild self:netlink_socket { create bind read write };
-allow rild self:netlink_route_socket { write };
-allow rild self:netlink_kobject_uevent_socket { create bind read write };
-
-allow rild radio_device:chr_file rw_file_perms;
-allow rild efs_block_device:blk_file rw_file_perms;
-allow rild efs_file:file { read open write setattr };
diff --git a/selinux/smc_pa.te b/selinux/smc_pa.te
deleted file mode 100644
index b836ec6..0000000
--- a/selinux/smc_pa.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# smc_pa
-type smc_pa, domain;
-type smc_pa_exec, exec_type, file_type;
-
-init_daemon_domain(smc_pa)
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
deleted file mode 100644
index f93d624..0000000
--- a/selinux/wpa_supplicant.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow wpa_socket wifi_data_file:sock_file unlink;
-allow wpa rfkill_device:chr_file rw_file_perms;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..d938e5e
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,3 @@
+# Device types
+type dock_device, dev_type;
+type smc_device, dev_type;
diff --git a/selinux/dock_kbd_attach.te b/sepolicy/dock_kbd_attach.te
index 4858f15..267763a 100644
--- a/selinux/dock_kbd_attach.te
+++ b/sepolicy/dock_kbd_attach.te
@@ -3,3 +3,6 @@ type dock_kbd_attach, domain;
type dock_kbd_attach_exec, exec_type, file_type;
init_daemon_domain(dock_kbd_attach)
+
+allow dock_kbd_attach dock_device:chr_file { open read write ioctl };
+allow dock_kbd_attach self:capability { sys_admin };
\ No newline at end of file
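Review bot: `allow dock_kbd_attach self:capability { sys_admin };` hands the catch-all capability to a daemon that runs as `user root` (init.espresso10.rc) and parses bytes arriving over /dev/ttyO3 from an external dock, so on the capability axis it is effectively unconfined. The commit message only says "address some denials"; the rule should carry a comment naming the syscall or ioctl that raised the denial, e.g. `# CAP_SYS_ADMIN: needed for <ioctl> on dock_device (avc denial <date>)`, so a later reviewer can judge whether a narrower capability or just the chr_file `ioctl` permission granted on the line above already covers it. The file also loses its trailing newline, which should be restored. The type declarations for this domain start before the hunk.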
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..ee55a50
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+# Filesystem types
+type sensor_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..58bf32a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,19 @@
+# Dock
+/dev/ttyO3 u:object_r:dock_device:s0
+/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
+
+# DRM
+/dev/tf_ctrl u:object_r:smc_device:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
+
+# EFS
+/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
+
+# GPS
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/data/system/yas*.cfg u:object_r:sensor_data_file:s0
+/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/orientationd u:object_r:orientationd_exec:s0
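Review bot: file_contexts patterns are regular expressions, not shell globs, so `/data/system/yas*.cfg` matches only names of the form `ya`, zero or more `s`, one arbitrary character, then `cfg` — `yas.cfg` or `ya5cfg` — and not a name such as `yas530.cfg`, where the `5` is consumed by the `.` and `30.cfg` then fails to match; the intended rule is `/data/system/yas[^/]*\.cfg u:object_r:sensor_data_file:s0`. Note also that file_contexts only governs restorecon: geomagneticd is granted `create` on sensor_data_file, and a file it creates at runtime inherits the label of /data/system (system_data_file) unless the policy adds `type_transition geomagneticd system_data_file:file sensor_data_file;`, so without that rule the sensor denials this commit targets will persist even with the regex fixed. Separately, `efs_block_device` is used here for mmcblk0p1 and mmcblk0p8 but is declared nowhere under sepolicy/ after this commit (the declaration in selinux/device.te is deleted), so it is presumably expected from the common policy.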
diff --git a/sepolicy/geomagneticd.te b/sepolicy/geomagneticd.te
new file mode 100644
index 0000000..fe1dd42
--- /dev/null
+++ b/sepolicy/geomagneticd.te
@@ -0,0 +1,12 @@
+# geomagneticd
+type geomagneticd, domain;
+type geomagneticd_exec, exec_type, file_type;
+
+init_daemon_domain(geomagneticd)
+
+allow geomagneticd input_device:chr_file { read open ioctl };
+allow geomagneticd input_device:dir { search read open };
+allow geomagneticd self:process { execmem };
+allow geomagneticd sensor_data_file:dir { write add_name remove_name create };
+allow geomagneticd sensor_data_file:file { create open read write getattr setattr rename };
+allow geomagneticd sysfs:file { write };
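Review bot: `allow geomagneticd sysfs:file { write };` is a write grant on everything carrying the default sysfs label, i.e. most of /sys, which is far more than a sensor daemon needs; the denial that prompted it named a specific node, and that node should get its own type in file_contexts (e.g. `sysfs_sensors`) with the rule narrowed to it, `allow geomagneticd sysfs_sensors:file { write };`. `allow geomagneticd self:process { execmem };` permits anonymous writable-and-executable memory and deserves a comment naming the vendor library that requires it, so the grant can be dropped when that blob is replaced. The sensor_data_file dir rule grants `create` (mkdir) but not `search`, so any lookup through a directory of that type will be denied unless the common policy supplies it — if the .cfg files live directly in /data/system and no directory ever gets this label, say so in a comment and drop `create`.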
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..6fabca6
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,8 @@
+# gpsd - GPS daemon
+allow gpsd rild:unix_stream_socket { connectto };
+allow gpsd self:process { execmem };
+allow gpsd sysfs_wake_lock:file { read write };
+
+# TODO - Label with gps_data_file
+allow gpsd system_data_file:dir { write add_name };
+allow gpsd system_data_file:fifo_file { create setattr write open };
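Review bot: `allow gpsd system_data_file:dir { write add_name }` together with the fifo_file rule lets gpsd create objects in every system_data_file directory — essentially all daemon state under /data — to reach one FIFO, so the TODO above it should be resolved in this change rather than deferred: label the directory gpsd writes in file_contexts with `gps_data_file` (already defined in the AOSP base policy) and replace the two rules with `allow gpsd gps_data_file:dir rw_dir_perms;` and `allow gpsd gps_data_file:fifo_file create_file_perms;`. Since gpsd creates the FIFO at runtime, the directory itself needs the label (or a type_transition) for the narrower rules to take effect. The `gpsd` domain is not declared in this file, so it must come from the common policy; and `rild:unix_stream_socket connectto` is only the process-side half of connecting to rild's socket — the matching `rild_socket:sock_file write` is not here, so expect a further denial if the common policy lacks it.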
diff --git a/sepolicy/orientationd.te b/sepolicy/orientationd.te
new file mode 100644
index 0000000..672c473
--- /dev/null
+++ b/sepolicy/orientationd.te
@@ -0,0 +1,9 @@
+# orientationd
+type orientationd, domain;
+type orientationd_exec, exec_type, file_type;
+
+init_daemon_domain(orientationd)
+
+allow orientationd input_device:chr_file { read write open ioctl };
+allow orientationd input_device:dir { search read open };
+allow orientationd self:process { execmem };
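Review bot: `allow orientationd input_device:chr_file { read write open ioctl };` includes `write`, and writing to an evdev node injects input events into the kernel input subsystem, which a daemon that only reads orientation data has no reason to do; geomagneticd in this same commit gets `{ read open ioctl }` for the same device class. Unless a denial on `write` was actually observed, drop it: `allow orientationd input_device:chr_file { read open ioctl };`. If a write really is required, record which node and why in a comment so the permission can later be scoped to a dedicated label instead of every input device. As with geomagneticd, the `execmem` grant should name the library that needs it.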
diff --git a/sepolicy/smc_pa.te b/sepolicy/smc_pa.te
new file mode 100644
index 0000000..de15f41
--- /dev/null
+++ b/sepolicy/smc_pa.te
@@ -0,0 +1,8 @@
+# smc_pa
+type smc_pa, domain;
+type smc_pa_exec, exec_type, file_type;
+
+init_daemon_domain(smc_pa)
+
+allow smc_pa self:capability { dac_override };
+allow smc_pa smc_device:chr_file { read write open ioctl };
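Review bot: `allow smc_pa self:capability { dac_override };` lets the daemon bypass owner/group/mode checks on every file it touches, which is almost never what the underlying denial needed: the service already runs as root:root (init.espresso10.rc), so the denial presumably came from a node or file owned by another uid with a restrictive mode, and correcting that object's owner/mode in the rc or ueventd.rc removes the need for the capability entirely. If it must stay, add a comment naming the path that triggered it, and prefer `dac_read_search` when only reads are involved. The `smc_device` access on the last line looks correctly scoped to /dev/tf_ctrl via the new label in file_contexts.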
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
new file mode 100644
index 0000000..2907f73
--- /dev/null
+++ b/sepolicy/sysinit.te
@@ -0,0 +1,2 @@
+# sysinit
+allow sysinit surfaceflinger_exec:file { getattr };