author | Andreas Blaesius <skate4life@gmx.de> | 2015-07-18 17:59:44 +0200 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2015-07-31 11:46:21 -0700 |
commit | aef65ac5b00bd1948816abae5232e70ee126e844 (patch) | |
tree | df61e06ea980146735326432eaab398da6728342 /sepolicy | |
parent | 97c8812fa1683f97cec6e549dfbe91732544c3b4 (diff) | |
P51XX: Update SELinux Policies [2/2]
- Move common policies to omap4-common
- remove redundant seclabel in init.espresso10.rc
- address some denials
Change-Id: I396215f3eb1316c3ba96e5eb98a03b98b77543fd
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/device.te | 3 | ||||
-rw-r--r-- | sepolicy/dock_kbd_attach.te | 8 | ||||
-rw-r--r-- | sepolicy/file.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 19 | ||||
-rw-r--r-- | sepolicy/geomagneticd.te | 12 | ||||
-rw-r--r-- | sepolicy/gpsd.te | 8 | ||||
-rw-r--r-- | sepolicy/orientationd.te | 9 | ||||
-rw-r--r-- | sepolicy/smc_pa.te | 8 | ||||
-rw-r--r-- | sepolicy/sysinit.te | 2 |
9 files changed, 71 insertions, 0 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..d938e5e
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,3 @@
+# Device types
+type dock_device, dev_type;
+type smc_device, dev_type;
diff --git a/sepolicy/dock_kbd_attach.te b/sepolicy/dock_kbd_attach.te
new file mode 100644
index 0000000..267763a
--- /dev/null
+++ b/sepolicy/dock_kbd_attach.te
@@ -0,0 +1,8 @@
+# dock_kbd_attach
+type dock_kbd_attach, domain;
+type dock_kbd_attach_exec, exec_type, file_type;
+
+init_daemon_domain(dock_kbd_attach)
+
+allow dock_kbd_attach dock_device:chr_file { open read write ioctl };
+allow dock_kbd_attach self:capability { sys_admin };
\ No newline at end of file
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..ee55a50
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+# Filesystem types
+type sensor_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..58bf32a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,19 @@
+# Dock
+/dev/ttyO3 u:object_r:dock_device:s0
+/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
+
+# DRM
+/dev/tf_ctrl u:object_r:smc_device:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
+
+# EFS
+/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
+
+# GPS
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/data/system/yas*.cfg u:object_r:sensor_data_file:s0
+/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/orientationd u:object_r:orientationd_exec:s0
diff --git a/sepolicy/geomagneticd.te b/sepolicy/geomagneticd.te
new file mode 100644
index 0000000..fe1dd42
--- /dev/null
+++ b/sepolicy/geomagneticd.te
@@ -0,0 +1,12 @@
+# geomagneticd
+type geomagneticd, domain;
+type geomagneticd_exec, exec_type, file_type;
+
+init_daemon_domain(geomagneticd)
+
+allow geomagneticd input_device:chr_file { read open ioctl };
+allow geomagneticd input_device:dir { search read open };
+allow geomagneticd self:process { execmem };
+allow geomagneticd sensor_data_file:dir { write add_name remove_name create };
+allow geomagneticd sensor_data_file:file { create open read write getattr setattr rename };
+allow geomagneticd sysfs:file { write };
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..6fabca6
--- /dev/null
+++ b/sepolicy/gpsd.te
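Review bot: In sepolicy/dock_kbd_attach.te, `allow dock_kbd_attach self:capability { sys_admin };` grants a very broad capability to a helper whose only other rule is access to the dock serial device, and nothing in the file records which operation needs it. I would add a comment above the rule naming the denied operation, e.g. `# sys_admin: needed for <operation that was denied, to be filled in>`, so a later audit can check whether the capability is still required or can be dropped. The file also ends without a trailing newline (the `\ No newline at end of file` marker); policy sources are usually concatenated at build time, so the last rule should end with a newline.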
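Review bot: In sepolicy/file_contexts, the entry `/data/system/yas*.cfg` is written like a shell glob, but file_contexts paths are regular expressions, so `s*` means "zero or more s" and the unescaped `.` matches any single character. As written it would not match a name such as yas-example.cfg (constructed example), so such a file would keep whatever label the broader /data rules give it. If the intent is every yas-prefixed .cfg file, the line should read `/data/system/yas.*\.cfg u:object_r:sensor_data_file:s0`. Separately, no directory is labelled sensor_data_file in this hunk, so the `sensor_data_file:dir` rule in geomagneticd.te may never apply; that is worth confirming against the common policy.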
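Review bot: In sepolicy/geomagneticd.te, `allow geomagneticd sysfs:file { write };` permits writes to every node that carries the generic sysfs label rather than only the sensor's own attributes. Giving the specific sysfs paths a dedicated type in file_contexts and allowing write on that type would keep the daemon to the nodes it needs; until then a marker such as `# TODO - label the sensor sysfs nodes and drop write on generic sysfs` would match the TODO already used in gpsd.te. The `self:process { execmem }` rule here is repeated in gpsd.te and orientationd.te with no explanation, and a one-line comment saying why each binary needs executable writable memory would help the next reviewer decide whether it can go.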
@@ -0,0 +1,8 @@
+# gpsd - GPS daemon
+allow gpsd rild:unix_stream_socket { connectto };
+allow gpsd self:process { execmem };
+allow gpsd sysfs_wake_lock:file { read write };
+
+# TODO - Label with gps_data_file
+allow gpsd system_data_file:dir { write add_name };
+allow gpsd system_data_file:fifo_file { create setattr write open };
diff --git a/sepolicy/orientationd.te b/sepolicy/orientationd.te
new file mode 100644
index 0000000..672c473
--- /dev/null
+++ b/sepolicy/orientationd.te
@@ -0,0 +1,9 @@
+# orientationd
+type orientationd, domain;
+type orientationd_exec, exec_type, file_type;
+
+init_daemon_domain(orientationd)
+
+allow orientationd input_device:chr_file { read write open ioctl };
+allow orientationd input_device:dir { search read open };
+allow orientationd self:process { execmem };
diff --git a/sepolicy/smc_pa.te b/sepolicy/smc_pa.te
new file mode 100644
index 0000000..de15f41
--- /dev/null
+++ b/sepolicy/smc_pa.te
@@ -0,0 +1,8 @@
+# smc_pa
+type smc_pa, domain;
+type smc_pa_exec, exec_type, file_type;
+
+init_daemon_domain(smc_pa)
+
+allow smc_pa self:capability { dac_override };
+allow smc_pa smc_device:chr_file { read write open ioctl };
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
new file mode 100644
index 0000000..2907f73
--- /dev/null
+++ b/sepolicy/sysinit.te
@@ -0,0 +1,2 @@
+# sysinit
+allow sysinit surfaceflinger_exec:file { getattr }; |
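Review bot: In sepolicy/orientationd.te, `allow orientationd input_device:chr_file { read write open ioctl };` gives the daemon read and write on every device with the generic input_device label, which would normally cover the touchscreen and any keyboard as well as the sensor's own event node. geomagneticd.te manages with `{ read open ioctl }`, so it is worth confirming that write is really needed here and recording the reason, e.g. `# write: <why orientationd writes to its input node, to be confirmed>`. If the sensor event nodes can be given their own label, both daemons could be restricted to that type instead of all input devices.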
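Review bot: In sepolicy/smc_pa.te, `allow smc_pa self:capability { dac_override };` lets the daemon bypass discretionary file permission checks altogether, which usually points to an ownership or mode mismatch on a file it opens rather than a real need for the capability. It would be better to find the path behind the denial and correct its owner, group or mode (or the service's user and group in the init rc), then drop the rule. If it has to stay for now, mark it so it is not forgotten, e.g. `# TODO - fix ownership of <path> and remove dac_override`.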