From f67fec7384380943d97b9a5f2187e7e61bb17451 Mon Sep 17 00:00:00 2001
From: Andreas Blaesius
Date: Mon, 10 Nov 2014 20:31:00 +0100
Subject: P51XX: Update SELinux rules

Change-Id: I09f21459165d795da13ebe4572e16176be358f03
---
 BoardConfigCommon.mk | 7 ++++++-
 rootdir/init.espresso10.rc | 5 +++++
 selinux/dock_kbd_attach.te | 5 +++++
 selinux/domain.te | 2 +-
 selinux/file_contexts | 10 +++++++++-
 selinux/geomagneticd.te | 5 +++++
 selinux/gpsd.te | 6 ++++++
 selinux/init.te | 5 +++++
 selinux/orientationd.te | 5 +++++
 selinux/pvrsrvinit.te | 2 ++
 selinux/smc_pa.te | 5 +++++
 11 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100644 selinux/dock_kbd_attach.te
 create mode 100644 selinux/geomagneticd.te
 create mode 100644 selinux/gpsd.te
 create mode 100644 selinux/init.te
 create mode 100644 selinux/orientationd.te
 create mode 100644 selinux/smc_pa.te

diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 981f660..4cb25ba 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -31,7 +31,7 @@ BOARD_NAND_PAGE_SIZE := 4096
 BOARD_NAND_SPARE_SIZE := 128
 BOARD_KERNEL_PAGESIZE := 2048
 BOARD_KERNEL_BASE := 0x40000000
-BOARD_KERNEL_CMDLINE :=
+# BOARD_KERNEL_CMDLINE :=
 
 # Init
 TARGET_PROVIDES_INIT := true
@@ -101,9 +101,14 @@ BOARD_SEPOLICY_UNION += \
 file_contexts \
 file.te \
 device.te \
+ dock_kbd_attach.te \
 domain.te \
+ geomagneticd.te \
+ init.te \
+ orientationd.te \
 pvrsrvinit.te \
 rild.te \
+ smc_pa.te \
 wpa_supplicant.te
 
 # Recovery
diff --git a/rootdir/init.espresso10.rc b/rootdir/init.espresso10.rc
index 33ab958..7a5265a 100755
--- a/rootdir/init.espresso10.rc
+++ b/rootdir/init.espresso10.rc
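Review bot: Commenting out an already-empty `BOARD_KERNEL_CMDLINE :=` changes nothing in the built image and has no connection to the SELinux subject of this commit. If the intent is to let a parent config or a device-specific file define the cmdline, say so in a comment on that line, e.g. `# cmdline is provided by the kernel config`; otherwise drop this hunk or move it to its own change so the SELinux history stays clean.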
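Review bot: gpsd.te is created by this patch and file_contexts labels /system/bin/gpsd as gpsd_exec, yet the BOARD_SEPOLICY_UNION hunk adds dock_kbd_attach.te, geomagneticd.te, init.te, orientationd.te and smc_pa.te but not gpsd.te. Unless gpsd.te is already listed above line 101 outside this hunk, the new file is never compiled into the policy, and file_contexts would then reference a gpsd_exec type the policy does not define (the file_contexts check at build time should reject that, unless the base policy already declares it). Either add `gpsd.te \` next to geomagneticd.te, or, if the base policy already ships a gpsd.te declaring these same types, delete the device copy so a union does not redeclare them.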
@@ -307,17 +307,20 @@ service smc_pa /system/bin/smc_pa_ctrl \
 class core
 user root
 group root
+ seclabel u:r:smc_pa:s0
 oneshot
 
 service orientationd /system/bin/orientationd
 class main
 user compass
 group input
+ seclabel u:r:orientationd:s0
 
 service geomagneticd /system/bin/geomagneticd
 class main
 user compass
 group system input
+ seclabel u:r:geomagneticd:s0
 
 # create virtual SD card at /storage/sdcard0, based on the /data/media directory
 # daemon will drop to user/group system/media_rw after initializing
@@ -411,6 +414,7 @@ service gpsd /system/bin/gpsd -c /system/etc/gps.xml
 socket gps seqpacket 0660 gps system
 user gps
 group system inet sdcard_rw
+ u:object_r:gpsd:s0
 
 # TVout
 service TvoutService_C /system/bin/bintvoutservice
@@ -422,6 +426,7 @@ service TvoutService_C /system/bin/bintvoutservice
 service dock_kbd_attach /system/bin/dock_kbd_attach /dev/ttyO3
 class main
 user root
+ seclabel u:r:dock_kbd_attach:s0
 oneshot
 
 # LPM
diff --git a/selinux/dock_kbd_attach.te b/selinux/dock_kbd_attach.te
new file mode 100644
index 0000000..4858f15
--- /dev/null
+++ b/selinux/dock_kbd_attach.te
@@ -0,0 +1,5 @@
+# dock_kbd_attach type dock_kbd_attach, domain; type dock_kbd_attach_exec, exec_type, file_type; + init_daemon_domain(dock_kbd_attach)
diff --git a/selinux/domain.te b/selinux/domain.te
index ebb4d8b..98b0e6b 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,5 +1,5 @@
 ## Pvrsrvinit
-allow domain powervr_device:chr_file rw_file_perms;
+# allow domain powervr_device:chr_file rw_file_perms;
 
 ## Firmwares
 allow ueventd { firmware_ducati }:file r_file_perms;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index c928bb0..6027ea4 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
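Review bot: The line added to the gpsd service, `u:object_r:gpsd:s0`, is not a valid service option: it is missing the `seclabel` keyword that the smc_pa, orientationd, geomagneticd and dock_kbd_attach entries use, and `object_r` is the role for files and sockets, not for a process domain. As far as I recall init logs an unknown option and ignores it, so gpsd would start without the explicit label; the `init_daemon_domain(gpsd)` transition on `gpsd_exec` may still land it in the right domain, but the malformed option is an error in the service definition either way. Change it to `seclabel u:r:gpsd:s0`.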
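Review bot: dock_kbd_attach.te declares the domain and its exec type but grants nothing beyond what `init_daemon_domain` and the `domain` attribute provide; geomagneticd.te, orientationd.te and smc_pa.te in this same patch have the same shape. The service definition in init.espresso10.rc passes this daemon `/dev/ttyO3` and runs it as root, so in enforcing mode its access to that node is denied unless a rule outside the patch covers it — presumably the device is still permissive, but that should be stated in the commit message or in the file. When the rules are added, give the tty its own device type in device.te/file_contexts instead of widening a generic one, put the denial each rule answers in a comment above it, and give each new file a header in the style of gpsd.te (`# gpsd - GPS daemon`) that says what the daemon does rather than repeating its name.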
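Review bot: The pvrsrvinit rule in domain.te is commented out rather than deleted, so `# allow domain powervr_device:chr_file rw_file_perms;` stays in the file and reads like a live grant to anyone skimming it, while git history already preserves the old line. Remove the line together with the now-empty `## Pvrsrvinit` heading; the access has moved to pvrsrvinit.te, where it is scoped to one domain instead of every domain, which is the right direction.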
@@ -16,14 +16,22 @@
 
 # GPS
 /dev/ttyO0 u:object_r:gps_device:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/orientationd u:object_r:orientationd_exec:s0
 
 # Wifi
 /dev/rfkill u:object_r:rfkill_device:s0
 /efs/wifi/.mac.info u:object_r:wifi_data_file:s0
 
 # System binaries
-/system/vendor/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
+/system/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
 /system/vendor/bin/pvrsrvctl_SGX540_120 u:object_r:pvrsrvinit_exec:s0
+/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
+
 # Firmwares
 /system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
 
diff --git a/selinux/geomagneticd.te b/selinux/geomagneticd.te
new file mode 100644
index 0000000..c286497
--- /dev/null
+++ b/selinux/geomagneticd.te
@@ -0,0 +1,5 @@
+# geomagneticd
+type geomagneticd, domain;
+type geomagneticd_exec, exec_type, file_type;
+
+init_daemon_domain(geomagneticd)
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..36b93fb
--- /dev/null
+++ b/selinux/gpsd.te
@@ -0,0 +1,6 @@
+# gpsd - GPS daemon
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd)
+net_domain(gpsd)
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..23a3621
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1,5 @@
+#init
+
+allow init self:process execmem;
+allow init self:capability sys_module;
+
diff --git a/selinux/orientationd.te b/selinux/orientationd.te
new file mode 100644
index 0000000..284b0cb
--- /dev/null
+++ b/selinux/orientationd.te
@@ -0,0 +1,5 @@
+# orientationd
+type orientationd, domain;
+type orientationd_exec, exec_type, file_type;
+
+init_daemon_domain(orientationd)
diff --git a/selinux/pvrsrvinit.te b/selinux/pvrsrvinit.te
index d35bac9..ae1ee0b 100644
--- a/selinux/pvrsrvinit.te
+++ b/selinux/pvrsrvinit.te
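Review bot: The two rules in init.te carry no comment saying which denial they answer, and both are broad for the most privileged userspace process: `execmem` lets init map anonymous memory that is both writable and executable, and `sys_module` lets it load kernel modules. A reviewer cannot judge either from the `#init` header alone — if a module is loaded from the device rc file, name it; if execmem is forced by a library init links against on this board, name that. Put a comment above each rule in the form `# <reason this init needs the permission, with the avc denial>` (placeholder), use `# init` to match the other new files' header style, and drop the trailing blank line. Since init.te is unioned with the base policy's init.te, also confirm neither permission is already granted there before keeping the duplicate.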
@@ -11,3 +11,5 @@ allow pvrsrvinit shell_exec:file rx_file_perms;
 allow pvrsrvinit pvrsrvinit_exec:file rx_file_perms;
 allow pvrsrvinit property_socket:sock_file write;
 allow pvrsrvinit init:unix_stream_socket connectto;
+allow pvrsrvinit block_device:dir search;
+allow pvrsrvinit gpu_device:chr_file { read write ioctl open };
diff --git a/selinux/smc_pa.te b/selinux/smc_pa.te
new file mode 100644
index 0000000..b836ec6
--- /dev/null
+++ b/selinux/smc_pa.te
@@ -0,0 +1,5 @@
+# smc_pa
+type smc_pa, domain;
+type smc_pa_exec, exec_type, file_type;
+
+init_daemon_domain(smc_pa)
-- cgit v1.1
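Review bot: The new `gpu_device:chr_file` rule stands in for the `powervr_device` grant that domain.te drops in this same patch, but the two name different types; unless the PowerVR node is labeled gpu_device in device.te/file_contexts (neither is in the patch), pvrsrvinit ends up with less access than before, and if the node is labeled powervr_device the new rule is dead. `allow pvrsrvinit block_device:dir search;` also has no comment explaining why a GPU init helper walks block-device directories, and this hunk ends the file so it is explained nowhere. Add a comment above each new rule with the avc denial it answers, e.g. `# avc: denied { search } ... tclass=dir` (placeholder), and confirm the device type name against device.te. The explicit `{ read write ioctl open }` set is fine — it is tighter than the `rw_file_perms` macro the old domain.te rule used.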