From aef65ac5b00bd1948816abae5232e70ee126e844 Mon Sep 17 00:00:00 2001 
From: Andreas Blaesius
Date: Sat, 18 Jul 2015 17:59:44 +0200
Subject: P51XX: Update SELinux Policies [2/2]
- Move common policies to omap4-common
- remove redundant seclabel in init.espresso10.rc
- address some denials
Change-Id: I396215f3eb1316c3ba96e5eb98a03b98b77543fd
---
BoardConfigCommon.mk | 13 +++++--------
rootdir/etc/init.espresso10.rc | 7 +------
selinux/device.te | 2 --
selinux/dock_kbd_attach.te | 5 -----
selinux/domain.te | 5 -----
selinux/file.te | 1 -
selinux/file_contexts | 38 --------------------------------------
selinux/geomagneticd.te | 5 -----
selinux/gpsd.te | 6 ------
selinux/init.te | 5 -----
selinux/orientationd.te | 5 -----
selinux/pvrsrvinit.te | 16 ----------------
selinux/rild.te | 7 -------
selinux/smc_pa.te | 5 -----
selinux/wpa_supplicant.te | 2 --
sepolicy/device.te | 3 +++
sepolicy/dock_kbd_attach.te | 8 ++++++++
sepolicy/file.te | 2 ++
sepolicy/file_contexts | 19 +++++++++++++++++++
sepolicy/geomagneticd.te | 12 ++++++++++++
sepolicy/gpsd.te | 8 ++++++++
sepolicy/orientationd.te | 9 +++++++++
sepolicy/smc_pa.te | 8 ++++++++
sepolicy/sysinit.te | 2 ++
24 files changed, 77 insertions(+), 116 deletions(-)
delete mode 100644 selinux/device.te
delete mode 100644 selinux/dock_kbd_attach.te
delete mode 100644 selinux/domain.te
delete mode 100644 selinux/file.te
delete mode 100644 selinux/file_contexts
delete mode 100644 selinux/geomagneticd.te
delete mode 100644 selinux/gpsd.te
delete mode 100644 selinux/init.te
delete mode 100644 selinux/orientationd.te
delete mode 100644 selinux/pvrsrvinit.te
delete mode 100644 selinux/rild.te
delete mode 100644 selinux/smc_pa.te
delete mode 100644 selinux/wpa_supplicant.te
create mode 100644 sepolicy/device.te
create mode 100644 sepolicy/dock_kbd_attach.te
create mode 100644 sepolicy/file.te
create mode 100644 sepolicy/file_contexts
create mode 100644 sepolicy/geomagneticd.te
create mode 100644 sepolicy/gpsd.te
create mode 100644 sepolicy/orientationd.te
create mode 100644 sepolicy/smc_pa.te
create
mode 100644 sepolicy/sysinit.te
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 3013fa3..ad43bbb 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -92,21 +92,18 @@ BOARD_USES_SECURE_SERVICES := true
# Selinux
BOARD_SEPOLICY_DIRS += \
- device/samsung/p5100/selinux
+ device/samsung/p5100/sepolicy
BOARD_SEPOLICY_UNION += \
- file_contexts \
- file.te \
device.te \
dock_kbd_attach.te \
- domain.te \
+ file.te \
+ file_contexts \
geomagneticd.te \
- init.te \
orientationd.te \
- pvrsrvinit.te \
- rild.te \
+ gpsd.te \
smc_pa.te \
- wpa_supplicant.te
+ sysinit.te
# Recovery
TARGET_RECOVERY_PIXEL_FORMAT := "BGRA_8888"
diff --git a/rootdir/etc/init.espresso10.rc b/rootdir/etc/init.espresso10.rc
index 9c7e0bf..78d21a7 100755
--- a/rootdir/etc/init.espresso10.rc
+++ b/rootdir/etc/init.espresso10.rc
@@ -56,6 +56,7 @@ on fs
mount debugfs /sys/kernel/debug /sys/kernel/debug
# Restorecon
+ restorecon /efs/nv.log
restorecon /efs/nv_data.bin
restorecon /efs/nv_data.bin.md5
restorecon /efs/.nv_core.bak
@@ -283,7 +284,6 @@ service pvrsrvinit /system/bin/pvrsrvinit
class core
user root
group root
- seclabel u:r:pvrsrvinit:s0
oneshot
service pvrsrvctl /system/vendor/bin/pvrsrvctl_SGX540_120 --start --no-module
@@ -307,20 +307,17 @@ service smc_pa /system/bin/smc_pa_ctrl \
class core
user root
group root
- seclabel u:r:smc_pa:s0
oneshot
service orientationd /system/bin/orientationd
class main
user compass
group input
- seclabel u:r:orientationd:s0
service geomagneticd /system/bin/geomagneticd
class main
user compass
group system input
- seclabel u:r:geomagneticd:s0
# create virtual SD card at /storage/sdcard0, based on the /data/media directory
# daemon will drop to user/group system/media_rw after initializing
@@ -412,7 +409,6 @@ service gpsd /system/bin/gpsd -c /system/etc/gps.xml
socket gps seqpacket 0660 gps system
user gps
group system inet sdcard_rw
- seclabel u:r:gpsd:s0
# TVout
service TvoutService_C /system/bin/bintvoutservice
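Review bot: Removing the `seclabel` lines in the pvrsrvinit, smc_pa, orientationd, geomagneticd and gpsd service hunks here (and in the dock_kbd_attach hunk on the next line) makes each service's domain depend entirely on the exec transition set up by `init_daemon_domain()`, and as far as I can tell init of this era does not fail a service whose binary carries no `*_exec` label but simply leaves it in init's own domain, so a missing label degrades silently into an over-privileged process. For pvrsrvinit that risk is concrete in this commit: selinux/pvrsrvinit.te and the `pvrsrvinit_exec` entries in selinux/file_contexts are deleted, pvrsrvinit.te is dropped from BOARD_SEPOLICY_UNION, and the new sepolicy/file_contexts adds no replacement, so everything rests on omap4-common now declaring the domain and labelling /system/bin/pvrsrvinit and /system/vendor/bin/pvrsrvctl_SGX540_120. The commit message says common policies moved there, but the description should name that dependency, and a quick `ls -Z` on the two binaries plus `ps -Z` on the running services of a built image would confirm none of the six services ended up in `u:r:init:s0`.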
@@ -424,7 +420,6 @@ service TvoutService_C /system/bin/bintvoutservice
service dock_kbd_attach /system/bin/dock_kbd_attach /dev/ttyO3
class main
user root
- seclabel u:r:dock_kbd_attach:s0
oneshot
# LPM
diff --git a/selinux/device.te b/selinux/device.te
deleted file mode 100644
index 7c28653..0000000
--- a/selinux/device.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type efs_block_device, dev_type;
-type rfkill_device, dev_type;
diff --git a/selinux/dock_kbd_attach.te b/selinux/dock_kbd_attach.te
deleted file mode 100644
index 4858f15..0000000
--- a/selinux/dock_kbd_attach.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# dock_kbd_attach
-type dock_kbd_attach, domain;
-type dock_kbd_attach_exec, exec_type, file_type;
-
-init_daemon_domain(dock_kbd_attach)
diff --git a/selinux/domain.te b/selinux/domain.te
deleted file mode 100644
index 98b0e6b..0000000
--- a/selinux/domain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-## Pvrsrvinit
-# allow domain powervr_device:chr_file rw_file_perms;
-
-## Firmwares
-allow ueventd { firmware_ducati }:file r_file_perms;
diff --git a/selinux/file.te b/selinux/file.te
deleted file mode 100644
index 60c3dc6..0000000
--- a/selinux/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type firmware_ducati, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
deleted file mode 100644
index 7c6b3ff..0000000
--- a/selinux/file_contexts
+++ /dev/null
@@ -1,38 +0,0 @@
-# GFX
-/dev/dsscomp u:object_r:video_device:s0
-
-# RIL
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_boot1 u:object_r:radio_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ramdump0 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-
-/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
-
-# Bluetooth
-/dev/ttyO1 u:object_r:hci_attach_dev:s0
-/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
-
-# GPS
-/dev/ttyO0 u:object_r:gps_device:s0
-/system/bin/gpsd u:object_r:gpsd_exec:s0
-
-# Sensors
-/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
-/system/bin/orientationd u:object_r:orientationd_exec:s0
-
-# Wifi
-/dev/rfkill u:object_r:rfkill_device:s0
-/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
-
-# System binaries
-/system/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
-/system/vendor/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
-/system/vendor/bin/pvrsrvctl_SGX540_120 u:object_r:pvrsrvinit_exec:s0
-
-/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
-/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
-
-# Firmwares
-/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
diff --git a/selinux/geomagneticd.te b/selinux/geomagneticd.te
deleted file mode 100644
index c286497..0000000
--- a/selinux/geomagneticd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# geomagneticd
-type geomagneticd, domain;
-type geomagneticd_exec, exec_type, file_type;
-
-init_daemon_domain(geomagneticd)
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
deleted file mode 100644
index 36b93fb..0000000
--- a/selinux/gpsd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# gpsd - GPS daemon
-type gpsd, domain;
-type gpsd_exec, exec_type, file_type;
-
-init_daemon_domain(gpsd)
-net_domain(gpsd)
diff --git a/selinux/init.te b/selinux/init.te
deleted file mode 100644
index 23a3621..0000000
--- a/selinux/init.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#init
-
-allow init self:process execmem;
-allow init self:capability sys_module;
-
diff --git a/selinux/orientationd.te b/selinux/orientationd.te
deleted file mode 100644
index 284b0cb..0000000
--- a/selinux/orientationd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# orientationd
-type orientationd, domain;
-type orientationd_exec, exec_type, file_type;
-
-init_daemon_domain(orientationd)
diff --git a/selinux/pvrsrvinit.te b/selinux/pvrsrvinit.te
deleted file mode 100644
index 3d82777..0000000
--- a/selinux/pvrsrvinit.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# pvrsrvinit
-type pvrsrvinit, domain;
-type pvrsrvinit_exec, exec_type, file_type;
-
-init_daemon_domain(pvrsrvinit)
-
-allow pvrsrvinit gpu_device:chr_file rw_file_perms;
-allow pvrsrvinit kernel:system module_request;
-allow pvrsrvinit self:capability { sys_module };
-allow pvrsrvinit system_file:file x_file_perms;
-allow pvrsrvinit shell_exec:file rx_file_perms;
-allow pvrsrvinit pvrsrvinit_exec:file rx_file_perms;
-allow pvrsrvinit property_socket:sock_file write;
-allow pvrsrvinit init:unix_stream_socket connectto;
-allow pvrsrvinit block_device:dir search;
-allow pvrsrvinit gpu_device:chr_file { read write ioctl open };
diff --git a/selinux/rild.te b/selinux/rild.te
deleted file mode 100644
index 40406e3..0000000
--- a/selinux/rild.te
+++ /dev/null
@@ -1,7 +0,0 @@
-allow rild self:netlink_socket { create bind read write };
-allow rild self:netlink_route_socket { write };
-allow rild self:netlink_kobject_uevent_socket { create bind read write };
-
-allow rild radio_device:chr_file rw_file_perms;
-allow rild efs_block_device:blk_file rw_file_perms;
-allow rild efs_file:file { read open write setattr };
diff --git a/selinux/smc_pa.te b/selinux/smc_pa.te
deleted file mode 100644
index b836ec6..0000000
--- a/selinux/smc_pa.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# smc_pa
-type smc_pa, domain;
-type smc_pa_exec, exec_type, file_type;
-
-init_daemon_domain(smc_pa)
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
deleted file mode 100644
index f93d624..0000000
--- a/selinux/wpa_supplicant.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow wpa_socket wifi_data_file:sock_file unlink;
-allow wpa rfkill_device:chr_file rw_file_perms;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..d938e5e
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,3 @@
+# Device types
+type dock_device, dev_type;
+type smc_device, dev_type;
diff --git a/sepolicy/dock_kbd_attach.te b/sepolicy/dock_kbd_attach.te
new file mode 100644
index 0000000..267763a
--- /dev/null
+++ b/sepolicy/dock_kbd_attach.te
@@ -0,0 +1,8 @@
+# dock_kbd_attach
+type dock_kbd_attach, domain;
+type dock_kbd_attach_exec, exec_type, file_type;
+
+init_daemon_domain(dock_kbd_attach)
+
+allow dock_kbd_attach dock_device:chr_file { open read write ioctl };
+allow dock_kbd_attach self:capability { sys_admin };
\ No newline at end of file
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..ee55a50
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+# Filesystem types
+type sensor_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..58bf32a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,19 @@
+# Dock
+/dev/ttyO3 u:object_r:dock_device:s0
+/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
+
+# DRM
+/dev/tf_ctrl u:object_r:smc_device:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
+
+# EFS
+/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
+
+# GPS
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/data/system/yas*.cfg u:object_r:sensor_data_file:s0
+/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/orientationd u:object_r:orientationd_exec:s0
diff --git a/sepolicy/geomagneticd.te b/sepolicy/geomagneticd.te
new file mode 100644
index 0000000..fe1dd42
--- /dev/null
+++ b/sepolicy/geomagneticd.te
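Review bot: `allow dock_kbd_attach self:capability { sys_admin };` in the new sepolicy/dock_kbd_attach.te grants the widest capability in the set to a daemon that runs as root, and nothing in the file says which operation on /dev/ttyO3 needed it, so a later reviewer cannot tell whether the grant is still required or could become a `dontaudit`. The denial that motivated it should be kept next to the rule, e.g. `# sys_admin: <avc denial text, TODO paste from the log>` above the allow line. The file also ends with `\ No newline at end of file`, which will make the next change to it show up as a two-line diff.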
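Review bot: `/data/system/yas*.cfg u:object_r:sensor_data_file:s0` in the new sepolicy/file_contexts is a regular expression, not a shell glob, so `s*` means "zero or more s" and the unescaped `.` matches any single character; the entry matches names like `ya.cfg` or `yasXcfg` but not any `yas…` name with more than one character before `.cfg`, which means the files it is meant to label most likely stay `system_data_file`. The intended pattern is `/data/system/yas.*\.cfg`. Even with the regex fixed, file_contexts only applies on restorecon, so a cfg file that geomagneticd creates at runtime inherits its parent directory's type unless a `type_transition` (or the `file_type_auto_trans` macro) is added for that domain.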
@@ -0,0 +1,12 @@
+# geomagneticd
+type geomagneticd, domain;
+type geomagneticd_exec, exec_type, file_type;
+
+init_daemon_domain(geomagneticd)
+
+allow geomagneticd input_device:chr_file { read open ioctl };
+allow geomagneticd input_device:dir { search read open };
+allow geomagneticd self:process { execmem };
+allow geomagneticd sensor_data_file:dir { write add_name remove_name create };
+allow geomagneticd sensor_data_file:file { create open read write getattr setattr rename };
+allow geomagneticd sysfs:file { write };
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..6fabca6
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,8 @@
+# gpsd - GPS daemon
+allow gpsd rild:unix_stream_socket { connectto };
+allow gpsd self:process { execmem };
+allow gpsd sysfs_wake_lock:file { read write };
+
+# TODO - Label with gps_data_file
+allow gpsd system_data_file:dir { write add_name };
+allow gpsd system_data_file:fifo_file { create setattr write open };
diff --git a/sepolicy/orientationd.te b/sepolicy/orientationd.te
new file mode 100644
index 0000000..672c473
--- /dev/null
+++ b/sepolicy/orientationd.te
@@ -0,0 +1,9 @@
+# orientationd
+type orientationd, domain;
+type orientationd_exec, exec_type, file_type;
+
+init_daemon_domain(orientationd)
+
+allow orientationd input_device:chr_file { read write open ioctl };
+allow orientationd input_device:dir { search read open };
+allow orientationd self:process { execmem };
diff --git a/sepolicy/smc_pa.te b/sepolicy/smc_pa.te
new file mode 100644
index 0000000..de15f41
--- /dev/null
+++ b/sepolicy/smc_pa.te
@@ -0,0 +1,8 @@
+# smc_pa
+type smc_pa, domain;
+type smc_pa_exec, exec_type, file_type;
+
+init_daemon_domain(smc_pa)
+
+allow smc_pa self:capability { dac_override };
+allow smc_pa smc_device:chr_file { read write open ioctl };
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
new file mode 100644
index 0000000..2907f73
--- /dev/null
+++ b/sepolicy/sysinit.te
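Review bot: `allow geomagneticd sysfs:file { write };` in sepolicy/geomagneticd.te allows writes to every file carrying the generic `sysfs` type, which on this kernel covers far more than the sensor node the denial presumably named; the node should get its own type (via a file_contexts entry or `genfscon sysfs <path> u:object_r:<new_type>:s0`, with the real path filled in from the denial) and the rule narrowed to that type. `allow geomagneticd self:process { execmem };` also deserves a one-line comment naming its cause, since executable anonymous memory in a native daemon is something AOSP policy later forbids outright. The two `sensor_data_file` rules only help if the directory holding the cfg files is itself labelled `sensor_data_file`, but the file_contexts entry in this commit labels only files directly under /data/system, so file creation there would still be checked against `system_data_file:dir`; worth re-checking against the denial log before merging.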
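Review bot: `allow orientationd input_device:chr_file { read write open ioctl };` in sepolicy/orientationd.te includes `write`, which the otherwise parallel rule for geomagneticd in the hunk above does not; writing to an evdev node feeds events into the input subsystem, so it is a privilege a sensor daemon should hold only for a documented reason. Unless a denial showed orientationd actually writing, drop `write` so the line matches geomagneticd's `{ read open ioctl }`, or record the reason inline, e.g. `# write: <reason, TODO from avc log>`.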
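Review bot: `allow smc_pa self:capability { dac_override };` in sepolicy/smc_pa.te is usually a symptom rather than a requirement: the service runs as `user root`/`group root` per the init.rc hunk, so a dac_override check fires only when it touches a path whose owner and mode exclude root, and the usual fix is to correct that path's ownership in the rc or ueventd configuration instead of granting the capability. If it has to stay, the path from the denial should be recorded next to the rule, e.g. `# dac_override: <path and reason, TODO from avc log>`, so the grant can be revisited.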
@@ -0,0 +1,2 @@
+# sysinit
+allow sysinit surfaceflinger_exec:file { getattr };
-- 
cgit v1.1