diff options
| author | Ziyan <jaraidaniel@gmail.com> | 2016-03-04 12:24:37 +0100 |
|---|---|---|
| committer | Andreas Blaesius <skate4life@gmx.de> | 2016-04-19 00:23:48 -0700 |
| commit | 8f9d6bd93fa8f59f86fc287c742ebda0e3d19ee6 (patch) | |
| tree | 601797ab771e81d818173183bed51cfe547723d6 | |
| parent | 7ba368eefea595ea4e07be5ad7eb041a3c42fedb (diff) | |
| download | device_samsung_espressowifi-8f9d6bd93fa8f59f86fc287c742ebda0e3d19ee6.zip device_samsung_espressowifi-8f9d6bd93fa8f59f86fc287c742ebda0e3d19ee6.tar.gz device_samsung_espressowifi-8f9d6bd93fa8f59f86fc287c742ebda0e3d19ee6.tar.bz2 | |
sepolicy: address current denials
Change-Id: Ied12c2b588856e7cb874e8693da7e07d9b8d0e6c
| -rw-r--r-- | rootdir/etc/init.tab2.rc | 9 | ||||
| -rw-r--r-- | sepolicy/bluetooth.te | 4 | ||||
| -rw-r--r-- | sepolicy/cpboot-daemon.te | 1 | ||||
| -rw-r--r-- | sepolicy/device.te | 1 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 22 | ||||
| -rw-r--r-- | sepolicy/fsck.te | 2 | ||||
| -rw-r--r-- | sepolicy/init.te | 12 | ||||
| -rw-r--r-- | sepolicy/mediaserver.te | 3 | ||||
| -rw-r--r-- | sepolicy/sysinit.te | 2 | ||||
| -rw-r--r-- | sepolicy/system_server.te | 6 | ||||
| -rw-r--r-- | sepolicy/vold.te | 1 | ||||
| -rw-r--r-- | sepolicy/wpa_supplicant.te | 3 |
12 files changed, 41 insertions, 25 deletions
diff --git a/rootdir/etc/init.tab2.rc b/rootdir/etc/init.tab2.rc index aaa10c7..40efd2c 100644 --- a/rootdir/etc/init.tab2.rc +++ b/rootdir/etc/init.tab2.rc @@ -51,7 +51,7 @@ on fs # increase read-ahead value to 256 kb write /sys/block/mmcblk0/queue/read_ahead_kb 256 - mount debugfs /sys/kernel/debug /sys/kernel/debug + mount debugfs debugfs /sys/kernel/debug on post-fs-data mkdir /data/misc/wifi 0770 wifi system @@ -93,17 +93,13 @@ on post-fs-data chmod 0660 /sys/class/rfkill/rfkill0/state chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type - restorecon /sys/class/rfkill/rfkill0/state - restorecon /sys/class/rfkill/rfkill0/type # for samsung factory. chown radio radio /efs/bluetooth chmod 0755 /efs/bluetooth chmod 0644 /efs/bluetooth/bt_addr -# Change permission for sensor rev00 - chmod 755 /system/bin/geomagneticd - + # Change permission for sensor chown system input /sys/class/input/input2/enable chown system input /sys/class/input/input2/poll_delay @@ -347,6 +343,7 @@ service cpboot-daemon /sbin/cbd -d -p 8 class main user root group radio cache inet misc audio sdcard_rw log sdcard_r + seclabel u:r:cpboot-daemon:s0 disabled on property:init.svc.pvrsrvinit=stopped diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te deleted file mode 100644 index 07e4a68..0000000 --- a/sepolicy/bluetooth.te +++ /dev/null @@ -1,4 +0,0 @@ -# Bluetooth -allow bluetooth bluetooth_efs_file:file rw_file_perms; -allow bluetooth efs_block_device:dir { search }; -allow bluetooth sysfs:file rw_file_perms; diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te new file mode 100644 index 0000000..6e38177 --- /dev/null +++ b/sepolicy/cpboot-daemon.te @@ -0,0 +1 @@ +type cpboot-daemon, domain; diff --git a/sepolicy/device.te b/sepolicy/device.te index 314777b..dcc9d53 100644 --- a/sepolicy/device.te +++ b/sepolicy/device.te @@ -2,4 +2,3 @@ type dock_device, dev_type; type smc_device, dev_type; type efs_block_device, dev_type; -type rfkill_device, dev_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 44fd317..0a6e40e 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -22,21 +22,29 @@ /dev/gcioctl u:object_r:video_device:s0 # Bluetooth -/dev/ttyO1 u:object_r:hci_attach_dev:s0 -/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/dev/ttyO1 u:object_r:hci_attach_dev:s0 +/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 # GPS /dev/ttyO0 u:object_r:gps_device:s0 # Wifi -/dev/rfkill u:object_r:rfkill_device:s0 /efs/wifi/.mac.info u:object_r:wifi_data_file:s0 -# System binaries -/system/vendor/bin/pvrsrvctl_SGX540_120 u:object_r:pvrsrvinit_exec:s0 - # Firmwares -/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0 +/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0 # variant setup /system/bin/init\.espresso\.variant\.sh u:object_r:variant_setup_exec:s0 + +# Block devices +/dev/block/mmcblk0 u:object_r:root_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.1/by-name/KERNEL u:object_r:boot_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.1/by-name/RECOVERY u:object_r:recovery_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS u:object_r:system_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.1/by-name/CACHE u:object_r:cache_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.1/by-name/DATAFS u:object_r:userdata_block_device:s0 + +# Swap +/dev/block/zram(.*) u:object_r:swap_block_device:s0 diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te new file mode 100644 index 0000000..d10d9fc --- /dev/null +++ b/sepolicy/fsck.te @@ -0,0 +1,2 @@ +# sadly, the EFS partition is mounted as rw, so it makes sense to check it +allow fsck efs_block_device:blk_file rw_file_perms; diff --git a/sepolicy/init.te b/sepolicy/init.te index 10790dc..61d39c2 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1,3 +1,11 @@ -# init +# allow insmod allow init self:capability sys_module; -allow init self:process execmem; + +# chmod/chown rfkill device +allow init sysfs_bluetooth_writable:file getattr; + +# allow creating /sdcard symlink +allow init tmpfs:lnk_file create; + +# For mounting debugfs +allow init debugfs:dir mounton; diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te new file mode 100644 index 0000000..98a7cb0 --- /dev/null +++ b/sepolicy/mediaserver.te @@ -0,0 +1,3 @@ +allow mediaserver system_server:unix_stream_socket { read write }; + +allow mediaserver sensorservice_service:service_manager find; diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te deleted file mode 100644 index 2907f73..0000000 --- a/sepolicy/sysinit.te +++ /dev/null @@ -1,2 +0,0 @@ -# sysinit -allow sysinit surfaceflinger_exec:file { getattr }; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te new file mode 100644 index 0000000..555792e --- /dev/null +++ b/sepolicy/system_server.te @@ -0,0 +1,6 @@ +allow system_server self:capability sys_module; + +allow system_server gps_data_file:dir search; +allow system_server gps_data_file:fifo_file { write read open setattr }; + +allow system_server efs_file:dir search; diff --git a/sepolicy/vold.te b/sepolicy/vold.te new file mode 100644 index 0000000..04062d3 --- /dev/null +++ b/sepolicy/vold.te @@ -0,0 +1 @@ +allow vold efs_file:dir r_dir_perms; diff --git a/sepolicy/wpa_supplicant.te b/sepolicy/wpa_supplicant.te deleted file mode 100644 index 6e99dea..0000000 --- a/sepolicy/wpa_supplicant.te +++ /dev/null @@ -1,3 +0,0 @@ -# wpa_supplicant -allow wpa rfkill_device:chr_file rw_file_perms; -allow wpa_socket wifi_data_file:sock_file unlink; |