From 05ce79559d433f082ad8edd916c72157a0182946 Mon Sep 17 00:00:00 2001
From: Andreas Blaesius
Date: Mon, 18 Apr 2016 22:48:30 +0200
Subject: espresso3g: add espresso3g specific selinux rules

Change-Id: I3c094d176007168626c99173f74d73fe1a0575c6
---
 BoardConfig.mk | 4 ++++
 sepolicy/cpboot-daemon.te | 16 ++++++++++++++++
 sepolicy/domain.te | 1 +
 sepolicy/file.te | 2 ++
 sepolicy/file_contexts | 17 +++++++++++++++++
 sepolicy/init.te | 2 ++
 sepolicy/rild.te | 4 ++++
 7 files changed, 46 insertions(+)
 create mode 100644 sepolicy/cpboot-daemon.te
 create mode 100644 sepolicy/domain.te
 create mode 100644 sepolicy/file.te
 create mode 100644 sepolicy/file_contexts
 create mode 100644 sepolicy/init.te
 create mode 100644 sepolicy/rild.te

diff --git a/BoardConfig.mk b/BoardConfig.mk
index c7cee56..c9abc0e 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -29,5 +29,9 @@ BOARD_MODEM_TYPE := xmm6260
 BOARD_RIL_CLASS := ../../../device/samsung/espresso3g/ril
 COMMON_GLOBAL_CFLAGS += -DDISABLE_ASHMEM_TRACKING
 
+# Selinux
+BOARD_SEPOLICY_DIRS += \
+ device/samsung/espresso3g/sepolicy
+
 # Use the non-open-source parts, if they're present
 -include vendor/samsung/espresso3g/BoardConfigVendor.mk
diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
new file mode 100644
index 0000000..c1bea9d
--- /dev/null
+++ b/sepolicy/cpboot-daemon.te
@@ -0,0 +1,16 @@
+allow cpboot-daemon cbd_device:chr_file create_file_perms;
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write add_name };
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon efs_block_device:blk_file r_file_perms;
+allow cpboot-daemon radio_device:chr_file rw_file_perms;
+allow cpboot-daemon self:capability setuid;
+allow cpboot-daemon { block_device efs_file }:dir search;
+
+# Talk to init over the property socket
+unix_socket_connect(cpboot-daemon, property, init)
+
+allow cpboot-daemon radio_prop:property_service set;
+
+# neverallow failures - FIX ME if needed
+# allow cpboot-daemon self:capability mknod;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..2c6ccbb
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1 @@
+domain_trans(init, rootfs, cpboot-daemon)
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..c00237c
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+type cbd_device, dev_type;
+type radio_data, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..1606d79
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,17 @@
+# RIL
+/dev/modem_br u:object_r:radio_device:s0
+/dev/ttyGS1 u:object_r:radio_device:s0
+/dev/umts_boot(.*) u:object_r:radio_device:s0
+/dev/umts_csd u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_loopback0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+/dev/__cbd_msg_ u:object_r:cbd_device:s0
+
+# Radio Data
+/data/misc/radio(/.*)? u:object_r:radio_data:s0
+
+# Block devices
+/dev/block/platform/omap/omap_hsmmc.1/by-name/MODEM u:object_r:radio_device:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..bc775a9
--- /dev/null
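Review bot: The broad grants at the top of cpboot-daemon.te carry no justification while the property-socket rule does: `device:dir { write add_name }` lets the daemon create entries under /dev, `self:capability setuid` grants CAP_SETUID, and `efs_block_device:blk_file r_file_perms` plus `efs_file:file { read write open }` give raw and file-level access to the EFS partition. Each of these should get a one-line comment naming the path or operation that produced the denial (e.g. `# creates /dev/__cbd_msg_ (cbd_device)` above the device:dir rule, if that is indeed what the write/add_name pair is for), so a later reviewer can tell whether the grant is still needed. The trailing `# neverallow failures - FIX ME if needed` is ambiguous about whether the daemon currently fails without mknod; replace it with `# mknod is blocked by a base-policy neverallow and is intentionally not granted; <describe fallback>` so the decision is recorded rather than deferred.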
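Review bot: `domain_trans(init, rootfs, cpboot-daemon)` in domain.te uses the generic `rootfs` type as the entrypoint, so every rootfs-labeled file init executes is a valid entrypoint into the cpboot-daemon domain rather than the single daemon binary. If the binary can be given its own label in file_contexts, a dedicated exec type with `init_daemon_domain(cpboot-daemon)` would pin the transition to that file; if it has to stay on the root ramdisk (a plausible reason for this form), a comment saying so, e.g. `# cpboot-daemon lives on the ramdisk and cannot get a dedicated exec type; entered via seclabel in init.rc`, should accompany the rule. The `type cpboot-daemon, domain;` declaration and the actual transition trigger are not in this patch and are presumably inherited from a shared policy; naming that source in the comment would help.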
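Review bot: `type radio_data, file_type;` in file.te is declared without the `data_file_type` attribute, yet file_contexts applies it to `/data/misc/radio(/.*)?`, so any base-policy rule or neverallow keyed on `data_file_type` no longer covers that tree. The base Android policy of this era already labels that path with `radio_data_file` (a `data_file_type`); if this entry overrides it, the rild.te rules should probably target `radio_data_file` instead, and the new type can be dropped along with its file_contexts line. If a separate type is really required, change the declaration to `type radio_data, file_type, data_file_type;` and add a comment explaining why the stock label is not usable.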
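Review bot: The last file_contexts entry labels the MODEM partition block device with `radio_device`, the same type used for the `/dev/umts_*` and `/dev/modem_br` character devices, so one type now names two different kinds of object. The rules in this patch only grant `radio_device:chr_file`, so no domain here gains block access by accident, but a future `radio_device:blk_file` grant for one consumer would silently apply to every holder of the type. A dedicated `dev_type` for the partition (declared in file.te next to `cbd_device`) keeps the modem firmware image and the IPC nodes separately auditable; at minimum the `# Block devices` comment should say which domain reads it.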
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+# Requied to load shim libs
+allow init rild:process noatsecure;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..3ac1ff3
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,4 @@
+allow rild system_file:file execmod;
+allow rild radio_data:dir { search write remove_name getattr setattr add_name};
+allow rild radio_data:file { getattr read write open setattr unlink create };
+allow rild storage_file:dir search;
-- cgit v1.1
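Review bot: `allow init rild:process noatsecure;` clears AT_SECURE when init execs rild, which makes the dynamic linker honor environment-driven library loading across the domain transition; that is exactly the behavior AT_SECURE exists to suppress, so the one-line comment should state what is being loaded and why. Suggested wording: `# Required so the linker honors the shim-library environment when init execs rild (clears AT_SECURE); see the rild service definition for the libraries involved`. The existing comment also misspells "Required" as "Requied".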
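Review bot: `allow rild system_file:file execmod;` lets rild execute modified mappings of any system library, i.e. it relaxes the W^X check for the whole `system_file` type rather than for the one library with text relocations. If the library needing it is known, giving it its own file type and granting execmod on that type alone is the usual fix; otherwise add `# execmod: <library> carries text relocations` so the scope of the exception is recorded. `storage_file:dir search` likewise has no stated reason, and the brace spacing in `add_name}` is inconsistent with the other rules.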