authorAndreas Blaesius <skate4life@gmx.de>2014-11-10 20:31:00 +0100
committerAndreas Blaesius <skate4life@gmx.de>2015-01-03 18:43:17 +0100
commitf67fec7384380943d97b9a5f2187e7e61bb17451 (patch)
treee2d79ad9bc46cd505ea0aa2acf046626a6bae8e1
parent6655af7d48679ddb143328df97156c12d8fe5d8f (diff)
P51XX: Update SELinux rules
Change-Id: I09f21459165d795da13ebe4572e16176be358f03
-rw-r--r--BoardConfigCommon.mk7
-rwxr-xr-xrootdir/init.espresso10.rc5
-rw-r--r--selinux/dock_kbd_attach.te5
-rw-r--r--selinux/domain.te2
-rw-r--r--selinux/file_contexts10
-rw-r--r--selinux/geomagneticd.te5
-rw-r--r--selinux/gpsd.te6
-rw-r--r--selinux/init.te5
-rw-r--r--selinux/orientationd.te5
-rw-r--r--selinux/pvrsrvinit.te2
-rw-r--r--selinux/smc_pa.te5
11 files changed, 54 insertions, 3 deletions
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 981f660..4cb25ba 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -31,7 +31,7 @@ BOARD_NAND_PAGE_SIZE := 4096
BOARD_NAND_SPARE_SIZE := 128
BOARD_KERNEL_PAGESIZE := 2048
BOARD_KERNEL_BASE := 0x40000000
-BOARD_KERNEL_CMDLINE :=
+# BOARD_KERNEL_CMDLINE :=
# Init
TARGET_PROVIDES_INIT := true
@@ -101,9 +101,14 @@ BOARD_SEPOLICY_UNION += \
file_contexts \
file.te \
device.te \
+ dock_kbd_attach.te \
domain.te \
+ geomagneticd.te \
+ init.te \
+ orientationd.te \
pvrsrvinit.te \
rild.te \
+ smc_pa.te \
wpa_supplicant.te
# Recovery
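Review bot: `gpsd.te` is created by this commit but is not among the entries added to `BOARD_SEPOLICY_UNION` here, while `dock_kbd_attach.te`, `geomagneticd.te`, `init.te`, `orientationd.te` and `smc_pa.te` are. The list starts above the hunk, so it may already be listed there, but if it is not, the `gpsd` and `gpsd_exec` types are never compiled into the policy. The new `file_contexts` entry for `/system/bin/gpsd` would then reference an undefined type. If it is missing, add `gpsd.te \` between `geomagneticd.te \` and `init.te \`.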
diff --git a/rootdir/init.espresso10.rc b/rootdir/init.espresso10.rc
index 33ab958..7a5265a 100755
--- a/rootdir/init.espresso10.rc
+++ b/rootdir/init.espresso10.rc
@@ -307,17 +307,20 @@ service smc_pa /system/bin/smc_pa_ctrl \
class core
user root
group root
+ seclabel u:r:smc_pa:s0
oneshot
service orientationd /system/bin/orientationd
class main
user compass
group input
+ seclabel u:r:orientationd:s0
service geomagneticd /system/bin/geomagneticd
class main
user compass
group system input
+ seclabel u:r:geomagneticd:s0
# create virtual SD card at /storage/sdcard0, based on the /data/media directory
# daemon will drop to user/group system/media_rw after initializing
@@ -411,6 +414,7 @@ service gpsd /system/bin/gpsd -c /system/etc/gps.xml
socket gps seqpacket 0660 gps system
user gps
group system inet sdcard_rw
+ u:object_r:gpsd:s0
# TVout
service TvoutService_C /system/bin/bintvoutservice
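Review bot: The line added to the gpsd service, `u:object_r:gpsd:s0`, has no `seclabel` keyword and uses the object role, unlike the four other labels this commit adds (`seclabel u:r:<domain>:s0`). init will most likely treat it as an unknown service option, so gpsd gets no explicit label from this file and depends entirely on the exec-based transition from `gpsd_exec`. It should read `seclabel u:r:gpsd:s0`. The service definition starts above the hunk.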
@@ -422,6 +426,7 @@ service TvoutService_C /system/bin/bintvoutservice
service dock_kbd_attach /system/bin/dock_kbd_attach /dev/ttyO3
class main
user root
+ seclabel u:r:dock_kbd_attach:s0
oneshot
# LPM
diff --git a/selinux/dock_kbd_attach.te b/selinux/dock_kbd_attach.te
new file mode 100644
index 0000000..4858f15
--- /dev/null
+++ b/selinux/dock_kbd_attach.te
@@ -0,0 +1,5 @@
+# dock_kbd_attach
+type dock_kbd_attach, domain;
+type dock_kbd_attach_exec, exec_type, file_type;
+
+init_daemon_domain(dock_kbd_attach)
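Review bot: This new domain declares its types and calls `init_daemon_domain()` but grants nothing else, and the same is true of `geomagneticd.te`, `orientationd.te` and `smc_pa.te` later in the commit. `dock_kbd_attach` is started as root with `/dev/ttyO3` as its argument in `rootdir/init.espresso10.rc`, yet no rule here allows access to that device node. Unless rules elsewhere cover it, the daemon would presumably be denied once the domain is enforcing. A header comment stating the intent would help the next maintainer, for example `# No allow rules yet: collect audit denials for /dev/ttyO3 before enforcing`. It would also stop anyone reading the file as a finished policy.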
diff --git a/selinux/domain.te b/selinux/domain.te
index ebb4d8b..98b0e6b 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,5 +1,5 @@
## Pvrsrvinit
-allow domain powervr_device:chr_file rw_file_perms;
+# allow domain powervr_device:chr_file rw_file_perms;
## Firmwares
allow ueventd { firmware_ducati }:file r_file_perms;
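Review bot: The blanket `allow domain powervr_device:chr_file rw_file_perms;` is only commented out, not deleted, so a rule that gave every domain read/write access to the GPU node is one keystroke away from coming back. Deleting the line is cleaner, since version control keeps the history. If it must stay, replace it with a comment that explains why, such as `# GPU access is granted per domain (see pvrsrvinit.te), not to all of domain`. The replacement rule in `pvrsrvinit.te` uses `gpu_device`, not `powervr_device`, so confirm that the device node is actually labelled `gpu_device`. No `file_contexts` change in this commit shows that.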
diff --git a/selinux/file_contexts b/selinux/file_contexts
index c928bb0..6027ea4 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -16,14 +16,22 @@
# GPS
/dev/ttyO0 u:object_r:gps_device:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/orientationd u:object_r:orientationd_exec:s0
# Wifi
/dev/rfkill u:object_r:rfkill_device:s0
/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
# System binaries
-/system/vendor/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
+/system/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
/system/vendor/bin/pvrsrvctl_SGX540_120 u:object_r:pvrsrvinit_exec:s0
+/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
+
# Firmwares
/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
diff --git a/selinux/geomagneticd.te b/selinux/geomagneticd.te
new file mode 100644
index 0000000..c286497
--- /dev/null
+++ b/selinux/geomagneticd.te
@@ -0,0 +1,5 @@
+# geomagneticd
+type geomagneticd, domain;
+type geomagneticd_exec, exec_type, file_type;
+
+init_daemon_domain(geomagneticd)
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..36b93fb
--- /dev/null
+++ b/selinux/gpsd.te
@@ -0,0 +1,6 @@
+# gpsd - GPS daemon
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd)
+net_domain(gpsd)
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..23a3621
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1,5 @@
+#init
+
+allow init self:process execmem;
+allow init self:capability sys_module;
+
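Review bot: Both rules widen the most privileged domain on the system and neither carries a justification. `allow init self:process execmem;` lets pid 1 map anonymous memory as executable, and `allow init self:capability sys_module;` lets it load kernel modules. Each rule should have a comment naming the denial it answers, for example `# insmod of <module> from init.espresso10.rc` for `sys_module`, so it can be removed once the cause is fixed. The `execmem` grant in particular is worth tracing to the binary or library that triggers it instead of allowing it on init itself. If it comes from a service that now has its own domain in this commit, the permission belongs in that domain.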
diff --git a/selinux/orientationd.te b/selinux/orientationd.te
new file mode 100644
index 0000000..284b0cb
--- /dev/null
+++ b/selinux/orientationd.te
@@ -0,0 +1,5 @@
+# orientationd
+type orientationd, domain;
+type orientationd_exec, exec_type, file_type;
+
+init_daemon_domain(orientationd)
diff --git a/selinux/pvrsrvinit.te b/selinux/pvrsrvinit.te
index d35bac9..ae1ee0b 100644
--- a/selinux/pvrsrvinit.te
+++ b/selinux/pvrsrvinit.te
@@ -11,3 +11,5 @@ allow pvrsrvinit shell_exec:file rx_file_perms;
allow pvrsrvinit pvrsrvinit_exec:file rx_file_perms;
allow pvrsrvinit property_socket:sock_file write;
allow pvrsrvinit init:unix_stream_socket connectto;
+allow pvrsrvinit block_device:dir search;
+allow pvrsrvinit gpu_device:chr_file { read write ioctl open };
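Review bot: `allow pvrsrvinit block_device:dir search;` is an odd permission for a GPU initialisation helper and has no comment explaining what under the block device directory it needs to traverse. If it was added only to silence an audit denial, a `dontaudit` may be the better answer; otherwise add a comment, for example `# pvrsrvinit walks /dev/block while probing (see denial <avc log ref>)`. The explicit `{ read write ioctl open }` set on `gpu_device` is narrower than the `rw_file_perms` macro used by the removed domain-wide rule, which is good. A short comment saying the narrowing is deliberate would keep it from being "normalised" back to the macro later.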
diff --git a/selinux/smc_pa.te b/selinux/smc_pa.te
new file mode 100644
index 0000000..b836ec6
--- /dev/null
+++ b/selinux/smc_pa.te
@@ -0,0 +1,5 @@
+# smc_pa
+type smc_pa, domain;
+type smc_pa_exec, exec_type, file_type;
+
+init_daemon_domain(smc_pa)