From aef65ac5b00bd1948816abae5232e70ee126e844 Mon Sep 17 00:00:00 2001
From: Andreas Blaesius
Date: Sat, 18 Jul 2015 17:59:44 +0200
Subject: P51XX: Update SELinux Policies [2/2]
- Move common policies to omap4-common
- remove redundant seclabel in init.espresso10.rc
- address some denials
Change-Id: I396215f3eb1316c3ba96e5eb98a03b98b77543fd
---
 sepolicy/device.te | 3 +++
 sepolicy/dock_kbd_attach.te | 8 ++++++++
 sepolicy/file.te | 2 ++
 sepolicy/file_contexts | 19 +++++++++++++++++++
 sepolicy/geomagneticd.te | 12 ++++++++++++
 sepolicy/gpsd.te | 8 ++++++++
 sepolicy/orientationd.te | 9 +++++++++
 sepolicy/smc_pa.te | 8 ++++++++
 sepolicy/sysinit.te | 2 ++
 9 files changed, 71 insertions(+)
 create mode 100644 sepolicy/device.te
 create mode 100644 sepolicy/dock_kbd_attach.te
 create mode 100644 sepolicy/file.te
 create mode 100644 sepolicy/file_contexts
 create mode 100644 sepolicy/geomagneticd.te
 create mode 100644 sepolicy/gpsd.te
 create mode 100644 sepolicy/orientationd.te
 create mode 100644 sepolicy/smc_pa.te
 create mode 100644 sepolicy/sysinit.te
(limited to 'sepolicy')
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..d938e5e
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,3 @@
+# Device types
+type dock_device, dev_type;
+type smc_device, dev_type;
diff --git a/sepolicy/dock_kbd_attach.te b/sepolicy/dock_kbd_attach.te
new file mode 100644
index 0000000..267763a
--- /dev/null
+++ b/sepolicy/dock_kbd_attach.te
@@ -0,0 +1,8 @@
+# dock_kbd_attach
+type dock_kbd_attach, domain;
+type dock_kbd_attach_exec, exec_type, file_type;
+
+init_daemon_domain(dock_kbd_attach)
+
+allow dock_kbd_attach dock_device:chr_file { open read write ioctl };
+allow dock_kbd_attach self:capability { sys_admin };
\ No newline at end of file
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..ee55a50
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+# Filesystem types
+type sensor_data_file, file_type, data_file_type;
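Review bot: `allow dock_kbd_attach self:capability { sys_admin };` in dock_kbd_attach.te hands the daemon CAP_SYS_ADMIN, which is far broader than a keyboard-dock attach helper should plausibly need and is the capability most commonly treated as root-equivalent; the commit message only says it addresses denials, so the specific operation that was denied should be recorded next to the rule. If the grant is genuinely required (a tty ioctl on the dock_device node is a plausible trigger, but that is inferred, not shown), add a comment above it such as `# sys_admin: required for <operation from the denial> on dock_device — TODO confirm and narrow`, and otherwise check whether the `ioctl` already granted on `dock_device:chr_file` is what the denial was really about. The same file also lacks a trailing newline (`\ No newline at end of file`), unlike the other .te files added in this commit.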
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..58bf32a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,19 @@
+# Dock
+/dev/ttyO3 u:object_r:dock_device:s0
+/system/bin/dock_kbd_attach u:object_r:dock_kbd_attach_exec:s0
+
+# DRM
+/dev/tf_ctrl u:object_r:smc_device:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_exec:s0
+
+# EFS
+/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
+
+# GPS
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/data/system/yas*.cfg u:object_r:sensor_data_file:s0
+/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/orientationd u:object_r:orientationd_exec:s0
diff --git a/sepolicy/geomagneticd.te b/sepolicy/geomagneticd.te
new file mode 100644
index 0000000..fe1dd42
--- /dev/null
+++ b/sepolicy/geomagneticd.te
@@ -0,0 +1,12 @@
+# geomagneticd
+type geomagneticd, domain;
+type geomagneticd_exec, exec_type, file_type;
+
+init_daemon_domain(geomagneticd)
+
+allow geomagneticd input_device:chr_file { read open ioctl };
+allow geomagneticd input_device:dir { search read open };
+allow geomagneticd self:process { execmem };
+allow geomagneticd sensor_data_file:dir { write add_name remove_name create };
+allow geomagneticd sensor_data_file:file { create open read write getattr setattr rename };
+allow geomagneticd sysfs:file { write };
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..6fabca6
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,8 @@
+# gpsd - GPS daemon
+allow gpsd rild:unix_stream_socket { connectto };
+allow gpsd self:process { execmem };
+allow gpsd sysfs_wake_lock:file { read write };
+
+# TODO - Label with gps_data_file
+allow gpsd system_data_file:dir { write add_name };
+allow gpsd system_data_file:fifo_file { create setattr write open };
diff --git a/sepolicy/orientationd.te b/sepolicy/orientationd.te
new file mode 100644
index 0000000..672c473
--- /dev/null
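Review bot: `/data/system/yas*.cfg` in the Sensors section of file_contexts is written as a shell glob, but file_contexts entries are anchored regular expressions, so this pattern matches `/data/system/ya` followed by any number of `s`, exactly one arbitrary character and then `cfg` — a constructed example such as `/data/system/yas530.cfg` would not match and would simply keep its parent directory's label, leaving the `sensor_data_file` rules in geomagneticd.te without an object. The intended entry is `/data/system/yas.*\.cfg u:object_r:sensor_data_file:s0`. Since the filesystem label is also what a new file inherits only via a type transition, it is worth confirming that the files actually end up labeled sensor_data_file at runtime rather than relying on a later restorecon.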
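Review bot: `allow geomagneticd sysfs:file { write };` in geomagneticd.te grants write to every sysfs node that still carries the generic `sysfs` label rather than only the node the daemon touches; the usual fix is to give that node a dedicated type (via file_contexts or a `genfscon` entry) and grant write on that type alone, with a comment naming the node the denial was seen on, e.g. `# sysfs write: <node from denial> — TODO label and narrow`. The same file's `allow geomagneticd self:process { execmem };` permits writable-and-executable anonymous memory for a native daemon, and the identical rule appears in gpsd.te and orientationd.te in this commit; each should at least record what in the binary requires it so the grant can be revisited when the vendor blob changes. The `sensor_data_file:dir { write add_name remove_name create }` rule grants directory operations on a type that nothing in this commit applies to a directory, so confirm against the original denial whether a directory label or a rule on the parent directory's type was actually intended.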
+++ b/sepolicy/orientationd.te
@@ -0,0 +1,9 @@
+# orientationd
+type orientationd, domain;
+type orientationd_exec, exec_type, file_type;
+
+init_daemon_domain(orientationd)
+
+allow orientationd input_device:chr_file { read write open ioctl };
+allow orientationd input_device:dir { search read open };
+allow orientationd self:process { execmem };
diff --git a/sepolicy/smc_pa.te b/sepolicy/smc_pa.te
new file mode 100644
index 0000000..de15f41
--- /dev/null
+++ b/sepolicy/smc_pa.te
@@ -0,0 +1,8 @@
+# smc_pa
+type smc_pa, domain;
+type smc_pa_exec, exec_type, file_type;
+
+init_daemon_domain(smc_pa)
+
+allow smc_pa self:capability { dac_override };
+allow smc_pa smc_device:chr_file { read write open ioctl };
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
new file mode 100644
index 0000000..2907f73
--- /dev/null
+++ b/sepolicy/sysinit.te
@@ -0,0 +1,2 @@
+# sysinit
+allow sysinit surfaceflinger_exec:file { getattr };
-- 
cgit v1.1
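Review bot: `allow smc_pa self:capability { dac_override };` in smc_pa.te lets the DRM helper bypass every discretionary file permission check, which is a far wider grant than a single denial usually calls for; the typical root cause is one file or device node owned by the wrong user or group, which is better fixed by setting ownership in the device's init or ueventd configuration than by granting the capability to the domain. If it has to stay for now, add a comment above the rule recording the path from the denial so it can be revisited, e.g. `# dac_override: needed to open <path from denial> — TODO fix ownership and drop`. The `smc_device:chr_file` rule that follows is scoped to the single node labeled in file_contexts and needs no change.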