From 8f9d6bd93fa8f59f86fc287c742ebda0e3d19ee6 Mon Sep 17 00:00:00 2001
From: Ziyan <jaraidaniel@gmail.com>
Date: Fri, 4 Mar 2016 12:24:37 +0100
Subject: sepolicy: address current denials

Change-Id: Ied12c2b588856e7cb874e8693da7e07d9b8d0e6c
---
 rootdir/etc/init.tab2.rc   |  9 +++------
 sepolicy/bluetooth.te      |  4 ----
 sepolicy/cpboot-daemon.te  |  1 +
 sepolicy/device.te         |  1 -
 sepolicy/file_contexts     | 22 +++++++++++++++-------
 sepolicy/fsck.te           |  2 ++
 sepolicy/init.te           | 12 ++++++++++--
 sepolicy/mediaserver.te    |  3 +++
 sepolicy/sysinit.te        |  2 --
 sepolicy/system_server.te  |  6 ++++++
 sepolicy/vold.te           |  1 +
 sepolicy/wpa_supplicant.te |  3 ---
 12 files changed, 41 insertions(+), 25 deletions(-)
 delete mode 100644 sepolicy/bluetooth.te
 create mode 100644 sepolicy/cpboot-daemon.te
 create mode 100644 sepolicy/fsck.te
 create mode 100644 sepolicy/mediaserver.te
 delete mode 100644 sepolicy/sysinit.te
 create mode 100644 sepolicy/system_server.te
 create mode 100644 sepolicy/vold.te
 delete mode 100644 sepolicy/wpa_supplicant.te

diff --git a/rootdir/etc/init.tab2.rc b/rootdir/etc/init.tab2.rc
index aaa10c7..40efd2c 100644
--- a/rootdir/etc/init.tab2.rc
+++ b/rootdir/etc/init.tab2.rc
@@ -51,7 +51,7 @@ on fs
     # increase read-ahead value to 256 kb
     write /sys/block/mmcblk0/queue/read_ahead_kb 256
 
-    mount debugfs /sys/kernel/debug /sys/kernel/debug
+    mount debugfs debugfs /sys/kernel/debug
 
 on post-fs-data
     mkdir /data/misc/wifi 0770 wifi system
@@ -93,17 +93,13 @@ on post-fs-data
     chmod 0660 /sys/class/rfkill/rfkill0/state
     chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
     chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
-    restorecon /sys/class/rfkill/rfkill0/state
-    restorecon /sys/class/rfkill/rfkill0/type
 
 # for samsung factory.
     chown radio radio /efs/bluetooth
     chmod 0755 /efs/bluetooth
     chmod 0644 /efs/bluetooth/bt_addr
 
-# Change permission for sensor rev00
-    chmod 755 /system/bin/geomagneticd
-
+    # Change permission for sensor
     chown system input /sys/class/input/input2/enable
     chown system input /sys/class/input/input2/poll_delay
 
@@ -347,6 +343,7 @@ service cpboot-daemon /sbin/cbd -d -p 8
     class main
     user root
     group radio cache inet misc audio sdcard_rw log sdcard_r
+    seclabel u:r:cpboot-daemon:s0
     disabled
 
 on property:init.svc.pvrsrvinit=stopped
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
deleted file mode 100644
index 07e4a68..0000000
--- a/sepolicy/bluetooth.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Bluetooth
-allow bluetooth bluetooth_efs_file:file rw_file_perms;
-allow bluetooth efs_block_device:dir { search };
-allow bluetooth sysfs:file rw_file_perms;
diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
new file mode 100644
index 0000000..6e38177
--- /dev/null
+++ b/sepolicy/cpboot-daemon.te
@@ -0,0 +1 @@
+type cpboot-daemon, domain;
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 314777b..dcc9d53 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -2,4 +2,3 @@
 type dock_device, dev_type;
 type smc_device, dev_type;
 type efs_block_device, dev_type;
-type rfkill_device, dev_type; 
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 44fd317..0a6e40e 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -22,21 +22,29 @@
 /dev/gcioctl                                u:object_r:video_device:s0
 
 # Bluetooth
-/dev/ttyO1                                  u:object_r:hci_attach_dev:s0
-/efs/bluetooth(/.*)?                        u:object_r:bluetooth_efs_file:s0
+/dev/ttyO1                                                   u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)?                                         u:object_r:bluetooth_efs_file:s0
+/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
 
 # GPS
 /dev/ttyO0                                  u:object_r:gps_device:s0
 
 # Wifi
-/dev/rfkill                                 u:object_r:rfkill_device:s0
 /efs/wifi/.mac.info                         u:object_r:wifi_data_file:s0
 
-# System binaries
-/system/vendor/bin/pvrsrvctl_SGX540_120     u:object_r:pvrsrvinit_exec:s0
-
 # Firmwares
-/system/vendor/firmware/ducati-m3.bin       u:object_r:firmware_ducati:s0 
+/system/vendor/firmware/ducati-m3.bin       u:object_r:firmware_ducati:s0
 
 # variant setup
 /system/bin/init\.espresso\.variant\.sh     u:object_r:variant_setup_exec:s0
+
+# Block devices
+/dev/block/mmcblk0                                      u:object_r:root_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/KERNEL    u:object_r:boot_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/RECOVERY  u:object_r:recovery_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS u:object_r:system_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/CACHE     u:object_r:cache_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.1/by-name/DATAFS    u:object_r:userdata_block_device:s0
+
+# Swap
+/dev/block/zram(.*)                                     u:object_r:swap_block_device:s0
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..d10d9fc
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1,2 @@
+# sadly, the EFS partition is mounted as rw, so it makes sense to check it
+allow fsck efs_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 10790dc..61d39c2 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,3 +1,11 @@
-# init
+# allow insmod
 allow init self:capability sys_module;
-allow init self:process execmem;
+
+# chmod/chown rfkill device
+allow init sysfs_bluetooth_writable:file getattr;
+
+# allow creating /sdcard symlink
+allow init tmpfs:lnk_file create;
+
+# For mounting debugfs
+allow init debugfs:dir mounton;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..98a7cb0
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,3 @@
+allow mediaserver system_server:unix_stream_socket { read write };
+
+allow mediaserver sensorservice_service:service_manager find;
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
deleted file mode 100644
index 2907f73..0000000
--- a/sepolicy/sysinit.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# sysinit
-allow sysinit surfaceflinger_exec:file { getattr };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..555792e
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,6 @@
+allow system_server self:capability sys_module;
+
+allow system_server gps_data_file:dir search;
+allow system_server gps_data_file:fifo_file { write read open setattr };
+
+allow system_server efs_file:dir search;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..04062d3
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1 @@
+allow vold efs_file:dir r_dir_perms;
diff --git a/sepolicy/wpa_supplicant.te b/sepolicy/wpa_supplicant.te
deleted file mode 100644
index 6e99dea..0000000
--- a/sepolicy/wpa_supplicant.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# wpa_supplicant
-allow wpa rfkill_device:chr_file rw_file_perms;
-allow wpa_socket wifi_data_file:sock_file unlink;
-- 
cgit v1.1