authorZiyan <jaraidaniel@gmail.com>2016-03-04 12:24:37 +0100
committerAndreas Blaesius <skate4life@gmx.de>2016-04-19 00:23:48 -0700
commit8f9d6bd93fa8f59f86fc287c742ebda0e3d19ee6 (patch)
tree601797ab771e81d818173183bed51cfe547723d6
parent7ba368eefea595ea4e07be5ad7eb041a3c42fedb (diff)
sepolicy: address current denials
Change-Id: Ied12c2b588856e7cb874e8693da7e07d9b8d0e6c
-rw-r--r--rootdir/etc/init.tab2.rc9
-rw-r--r--sepolicy/bluetooth.te4
-rw-r--r--sepolicy/cpboot-daemon.te1
-rw-r--r--sepolicy/device.te1
-rw-r--r--sepolicy/file_contexts22
-rw-r--r--sepolicy/fsck.te2
-rw-r--r--sepolicy/init.te12
-rw-r--r--sepolicy/mediaserver.te3
-rw-r--r--sepolicy/sysinit.te2
-rw-r--r--sepolicy/system_server.te6
-rw-r--r--sepolicy/vold.te1
-rw-r--r--sepolicy/wpa_supplicant.te3
12 files changed, 41 insertions, 25 deletions
diff --git a/rootdir/etc/init.tab2.rc b/rootdir/etc/init.tab2.rc
index aaa10c7..40efd2c 100644
--- a/rootdir/etc/init.tab2.rc
+++ b/rootdir/etc/init.tab2.rc
@@ -51,7 +51,7 @@ on fs
# increase read-ahead value to 256 kb
write /sys/block/mmcblk0/queue/read_ahead_kb 256
- mount debugfs /sys/kernel/debug /sys/kernel/debug
+ mount debugfs debugfs /sys/kernel/debug
on post-fs-data
mkdir /data/misc/wifi 0770 wifi system
@@ -93,17 +93,13 @@ on post-fs-data
chmod 0660 /sys/class/rfkill/rfkill0/state
chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
- restorecon /sys/class/rfkill/rfkill0/state
- restorecon /sys/class/rfkill/rfkill0/type
# for samsung factory.
chown radio radio /efs/bluetooth
chmod 0755 /efs/bluetooth
chmod 0644 /efs/bluetooth/bt_addr
-# Change permission for sensor rev00
- chmod 755 /system/bin/geomagneticd
-
+ # Change permission for sensor
chown system input /sys/class/input/input2/enable
chown system input /sys/class/input/input2/poll_delay
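Review bot: Dropping the two `restorecon /sys/class/rfkill/rfkill0/{state,type}` lines here leaves nothing on the page that applies the new `sysfs_bluetooth_writable` label the same commit adds in file_contexts for `/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state`; sysfs nodes only take a file_contexts label when something relabels them. Unless the base init.rc already runs a `restorecon_recursive` over `/sys` before this `on post-fs-data` block (worth confirming for this Android version), that node keeps the generic `sysfs` label and the new `allow init sysfs_bluetooth_writable:file getattr` rule in init.te never matches. If a relabel is still needed, one line on the new path is enough: `restorecon /sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state`. The `on post-fs-data` block continues outside the hunk.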
@@ -347,6 +343,7 @@ service cpboot-daemon /sbin/cbd -d -p 8
class main
user root
group radio cache inet misc audio sdcard_rw log sdcard_r
+ seclabel u:r:cpboot-daemon:s0
disabled
on property:init.svc.pvrsrvinit=stopped
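Review bot: The new `seclabel u:r:cpboot-daemon:s0` moves a root daemon carrying the `radio cache inet misc audio sdcard_rw log sdcard_r` groups into a domain that the new sepolicy/cpboot-daemon.te declares as `type cpboot-daemon, domain;` with no allow rules at all. Under an enforcing policy that domain has nothing beyond what the `domain` attribute grants, so the first device-node or socket access by /sbin/cbd is presumably denied and the modem never comes up; the rules for whatever it opens belong in cpboot-daemon.te alongside the type. If the intent is to collect denials first on an eng/userdebug build, say so explicitly with `permissive cpboot-daemon;` plus a `# TODO: remove before shipping` comment rather than leaving an empty domain. The service definition continues outside the hunk.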
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
deleted file mode 100644
index 07e4a68..0000000
--- a/sepolicy/bluetooth.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Bluetooth
-allow bluetooth bluetooth_efs_file:file rw_file_perms;
-allow bluetooth efs_block_device:dir { search };
-allow bluetooth sysfs:file rw_file_perms;
diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
new file mode 100644
index 0000000..6e38177
--- /dev/null
+++ b/sepolicy/cpboot-daemon.te
@@ -0,0 +1 @@
+type cpboot-daemon, domain;
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 314777b..dcc9d53 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -2,4 +2,3 @@
type dock_device, dev_type;
type smc_device, dev_type;
type efs_block_device, dev_type;
-type rfkill_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 44fd317..0a6e40e 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -22,21 +22,29 @@
/dev/gcioctl u:object_r:video_device:s0
# Bluetooth
-/dev/ttyO1 u:object_r:hci_attach_dev:s0
-/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/dev/ttyO1 u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
# GPS
/dev/ttyO0 u:object_r:gps_device:s0
# Wifi
-/dev/rfkill u:object_r:rfkill_device:s0
/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
-# System binaries
-/system/vendor/bin/pvrsrvctl_SGX540_120 u:object_r:pvrsrvinit_exec:s0
-
# Firmwares
-/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
+/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
# variant setup
/system/bin/init\.espresso\.variant\.sh u:object_r:variant_setup_exec:s0
+
+# Block devices
+/dev/block/mmcblk0 u:object_r:root_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/KERNEL u:object_r:boot_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/RECOVERY u:object_r:recovery_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS u:object_r:system_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/CACHE u:object_r:cache_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/DATAFS u:object_r:userdata_block_device:s0
+
+# Swap
+/dev/block/zram(.*) u:object_r:swap_block_device:s0
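Review bot: The `/dev/rfkill u:object_r:rfkill_device:s0` entry is removed here, and the same commit removes `type rfkill_device` from device.te and the wpa rule on it from wpa_supplicant.te, but nothing on the page shows who labels `/dev/rfkill` afterwards. If the base policy does not carry its own `/dev/rfkill` entry, the node falls back to the generic `/dev` label and wpa_supplicant's rfkill access is no longer covered by any device-specific rule, so the three deletions should be cross-checked against the base file_contexts and device.te before merging. Separately, the unescaped dots in `omap_hsmmc.1` and the open `zram(.*)` pattern match more than intended; `omap_hsmmc\.1` and `/dev/block/zram[0-9]+` say what is meant, consistent with the escaping already used on the `init\.espresso\.variant\.sh` line.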
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..d10d9fc
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1,2 @@
+# sadly, the EFS partition is mounted as rw, so it makes sense to check it
+allow fsck efs_block_device:blk_file rw_file_perms;
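Review bot: The comment does not say which component triggers the check, so a later reader cannot tell whether this `rw_file_perms` grant on the raw EFS block device (where the device's radio data lives) is still needed. If fsck is reached through the fstab `check` flag handled by fs_mgr at boot, the comment should say so, e.g. `# /efs is mounted read-write, so fs_mgr fscks it at boot (fstab check flag)`. As written, "mounted as rw, so it makes sense to check it" reads as if the filesystem is checked while mounted, which is presumably not what happens.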
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 10790dc..61d39c2 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,3 +1,11 @@
-# init
+# allow insmod
allow init self:capability sys_module;
-allow init self:process execmem;
+
+# chmod/chown rfkill device
+allow init sysfs_bluetooth_writable:file getattr;
+
+# allow creating /sdcard symlink
+allow init tmpfs:lnk_file create;
+
+# For mounting debugfs
+allow init debugfs:dir mounton;
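Review bot: The comment `# chmod/chown rfkill device` does not match the permission under it: `allow init sysfs_bluetooth_writable:file getattr;` grants only getattr, while chmod/chown need setattr. Presumably setattr is already covered by the base init policy and getattr was the one denial left, but the comment should say that so the next reader does not take this line as the full grant, e.g. `# chmod/chown on the rfkill state node; setattr comes from the base init rules, only getattr was denied`. The removal of `allow init self:process execmem;` is a real tightening and deserves a mention in the commit message.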
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..98a7cb0
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,3 @@
+allow mediaserver system_server:unix_stream_socket { read write };
+
+allow mediaserver sensorservice_service:service_manager find;
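Review bot: Neither rule carries a comment saying which denial it resolves, unlike fsck.te and init.te in the same commit, and the `unix_stream_socket { read write }` grant towards system_server is exactly the kind of rule that is hard to revisit later without that context. Suggest a one-line comment above each, e.g. `# stream socket handed to mediaserver by system_server (TODO: record comm/path from the denial)` and `# sensor service lookup via servicemanager`, with the actual source of each denial filled in.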
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
deleted file mode 100644
index 2907f73..0000000
--- a/sepolicy/sysinit.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# sysinit
-allow sysinit surfaceflinger_exec:file { getattr };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..555792e
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,6 @@
+allow system_server self:capability sys_module;
+
+allow system_server gps_data_file:dir search;
+allow system_server gps_data_file:fifo_file { write read open setattr };
+
+allow system_server efs_file:dir search;
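Review bot: `allow system_server self:capability sys_module;` grants the capability that permits loading kernel modules to the largest userspace domain on the device, which is far broader than "address current denials" justifies. A `sys_module` audit from system_server is often a failed `capable()` probe rather than a real module load; if no feature actually breaks, `dontaudit system_server self:capability sys_module;` silences the log without widening the domain, and if something does break, the rule needs a comment naming it. The gps_data_file and efs_file rules below it would likewise benefit from one-line comments stating which path each one reaches.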
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..04062d3
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1 @@
+allow vold efs_file:dir r_dir_perms;
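Review bot: The single rule has no comment stating why vold needs to list `/efs`, so it cannot be tied back to a denial or an operation later. A one-line `# vold lists /efs during <operation> (denial: <comm/path>)` with the operation filled in, matching the commented style of fsck.te in this commit, would let the next reviewer confirm the rule is still needed.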
diff --git a/sepolicy/wpa_supplicant.te b/sepolicy/wpa_supplicant.te
deleted file mode 100644
index 6e99dea..0000000
--- a/sepolicy/wpa_supplicant.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# wpa_supplicant
-allow wpa rfkill_device:chr_file rw_file_perms;
-allow wpa_socket wifi_data_file:sock_file unlink;