From 3f39a972108430b02161d161764eed7a001324bd Mon Sep 17 00:00:00 2001 From: Jiangyi Date: Sun, 22 Mar 2015 11:31:17 -0400 Subject: espresso-common: Update SELinux Policies [1/2] Update policies, as well as commonize them here. Big thanks to Andreas B. for starting this off! Note: moved to espresso-common, needs some cleanup later Change-Id: I52c676e1ebd0bfb040cdd10eae429ee94e666fc6 --- sepolicy/bluetooth.te | 4 ++++ sepolicy/device.te | 2 ++ sepolicy/domain.te | 2 ++ sepolicy/file.te | 1 + sepolicy/file_contexts | 29 +++++++++++++++++++++++++++++ sepolicy/init.te | 3 +++ sepolicy/pvrsrvinit.te | 15 +++++++++++++++ sepolicy/radio.te | 2 ++ sepolicy/rild.te | 16 ++++++++++++++++ sepolicy/wpa_supplicant.te | 3 +++ 10 files changed, 77 insertions(+) create mode 100644 sepolicy/bluetooth.te create mode 100644 sepolicy/domain.te create mode 100644 sepolicy/init.te create mode 100644 sepolicy/pvrsrvinit.te create mode 100644 sepolicy/radio.te create mode 100644 sepolicy/rild.te create mode 100644 sepolicy/wpa_supplicant.te (limited to 'sepolicy')
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..07e4a68
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,4 @@
+# Bluetooth
+allow bluetooth bluetooth_efs_file:file rw_file_perms;
+allow bluetooth efs_block_device:dir { search };
+allow bluetooth sysfs:file rw_file_perms;
diff --git a/sepolicy/device.te b/sepolicy/device.te
index d938e5e..314777b 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,3 +1,5 @@
 # Device types
 type dock_device, dev_type;
 type smc_device, dev_type;
+type efs_block_device, dev_type;
+type rfkill_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..817fd17
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1,2 @@
+## Firmwares
+allow ueventd { firmware_ducati }:file r_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index ee55a50..62633e5 100644
--- a/sepolicy/file.te
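Review bot: `allow bluetooth sysfs:file rw_file_perms;` in the bluetooth.te hunk grants the bluetooth domain read/write on every file carrying the generic sysfs label, far wider than the few rfkill/power nodes a Bluetooth stack typically touches. The intended sysfs paths should get a dedicated label through genfs_contexts (AOSP's `sysfs_bluetooth_writable` serves this purpose, if it exists in this policy base) and the blanket sysfs grant dropped. `allow bluetooth efs_block_device:dir { search };` also looks like a labeling artifact — a dev_type being used as a directory label — so it is worth checking which path produced that denial rather than keeping the rule.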
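Review bot: The single rule in the new domain.te is in the wrong file: domain.te conventionally holds rules that apply to the `domain` attribute, while `allow ueventd { firmware_ducati }:file r_file_perms;` targets one process domain and belongs in a ueventd.te beside the other per-domain files this commit adds. The braces around a single type are unnecessary; `allow ueventd firmware_ducati:file r_file_perms;` reads cleaner.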
+++ b/sepolicy/file.te
@@ -1,2 +1,3 @@
 # Filesystem types
 type sensor_data_file, file_type, data_file_type;
+type firmware_ducati, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 58bf32a..b699ab6 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -17,3 +17,32 @@
 /data/system/yas*.cfg u:object_r:sensor_data_file:s0
 /system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
 /system/bin/orientationd u:object_r:orientationd_exec:s0
+
+# GFX
+/dev/dsscomp u:object_r:video_device:s0
+/dev/gcioctl u:object_r:video_device:s0
+
+# RIL
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+
+# Bluetooth
+/dev/ttyO1 u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# GPS
+/dev/ttyO0 u:object_r:gps_device:s0
+
+# Wifi
+/dev/rfkill u:object_r:rfkill_device:s0
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# System binaries
+/system/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
+/system/vendor/bin/pvrsrvctl_SGX540_120 u:object_r:pvrsrvinit_exec:s0
+
+# Firmwares
+/system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..10790dc
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,3 @@
+# init
+allow init self:capability sys_module;
+allow init self:process execmem;
diff --git a/sepolicy/pvrsrvinit.te b/sepolicy/pvrsrvinit.te
new file mode 100644
index 0000000..689f5a7
--- /dev/null
+++ b/sepolicy/pvrsrvinit.te
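Review bot: file_contexts entries are regular expressions, so the unescaped dots in the new lines `/efs/wifi/.mac.info` and `/system/vendor/firmware/ducati-m3.bin` match any single character instead of a literal period, and a differently named file in the same directory could pick up the `wifi_data_file` or `firmware_ducati` label. Escape them as `/efs/wifi/\.mac\.info u:object_r:wifi_data_file:s0` and `/system/vendor/firmware/ducati-m3\.bin u:object_r:firmware_ducati:s0`. The pre-existing context line `/data/system/yas*.cfg` has the same issue but is not part of this change.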
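Review bot: `allow init self:process execmem;` in the init.te hunk lets PID 1 map memory that is both writable and executable, removing the W^X guarantee on the most privileged userspace process; later AOSP policy, as far as I recall, confines execmem to a short allowlist of domains, so the denial behind this rule (commonly a text relocation in a prebuilt binary) should be fixed at its source rather than permitted. `allow init self:capability sys_module;` is similarly broad — if it exists only so init can insmod a GPU or modem module from init.rc, say which one in a comment, e.g. `# init loads <MODULE — TODO confirm> from init.rc`, and consider a dedicated loader domain like the pvrsrvinit one this commit introduces.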
@@ -0,0 +1,15 @@
+# pvrsrvinit
+type pvrsrvinit, domain;
+type pvrsrvinit_exec, exec_type, file_type;
+
+init_daemon_domain(pvrsrvinit)
+
+allow pvrsrvinit block_device:dir search;
+allow pvrsrvinit gpu_device:chr_file rw_file_perms;
+allow pvrsrvinit init:unix_stream_socket connectto;
+allow pvrsrvinit kernel:system module_request;
+allow pvrsrvinit property_socket:sock_file write;
+allow pvrsrvinit pvrsrvinit_exec:file rx_file_perms;
+allow pvrsrvinit self:capability { sys_module };
+allow pvrsrvinit shell_exec:file rx_file_perms;
+allow pvrsrvinit system_file:file x_file_perms;
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..9d2274c
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1,2 @@
+# radio
+allow radio system_app_data_file:file getattr;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..f23a4ca
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,16 @@
+# rild
+allow rild block_device:dir { search };
+allow rild dumpstate_exec:file getattr;
+allow rild efs_block_device:blk_file rw_file_perms;
+allow rild efs_block_device:dir { search };
+allow rild efs_file:file { read open write getattr setattr append };
+allow rild efs_file:dir { search };
+allow rild radio_data_file:dir { setattr };
+allow rild radio_device:chr_file rw_file_perms;
+allow rild self:netlink_kobject_uevent_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_socket { create bind read write };
+allow rild self:process { execmem };
+allow rild system_data_file:dir { getattr setattr write remove_name add_name search };
+allow rild system_data_file:file { getattr unlink create write setattr read open append };
+allow rild unlabeled:dir search;
diff --git a/sepolicy/wpa_supplicant.te b/sepolicy/wpa_supplicant.te
new file mode 100644
index 0000000..6e99dea
--- /dev/null
+++ b/sepolicy/wpa_supplicant.te
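Review bot: The pair `allow pvrsrvinit init:unix_stream_socket connectto;` and `allow pvrsrvinit property_socket:sock_file write;` in the pvrsrvinit.te hunk is exactly what `unix_socket_connect(pvrsrvinit, property, init)` expands to, and the macro should be used so the intent (talking to the property service) is visible. Note, though, that the hunk grants no `property_service set` on any property type, so a property set will still be denied unless it is permitted elsewhere — either add the target property type or drop both socket rules if they were only copied from a denial log. `shell_exec:file rx_file_perms` together with `system_file:file x_file_perms` suggests /system/bin/pvrsrvinit is a shell script wrapping pvrsrvctl_SGX540_120 (both are labeled pvrsrvinit_exec in this commit's file_contexts); a header comment stating that would explain why a GPU init domain needs a shell, e.g. `# pvrsrvinit is a shell wrapper that execs pvrsrvctl — TODO confirm`.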
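Review bot: The two `system_data_file` rules near the end of the rild.te hunk give rild create/write/unlink on every directory and file under /data that falls through to the default system_data_file label, which is far more than the RIL's own state. The paths rild needs to write should be labeled `radio_data_file` in file_contexts (this hunk already grants `radio_data_file:dir { setattr }`) and the lines `allow rild system_data_file:dir { ... };` and `allow rild system_data_file:file { ... };` removed. `allow rild unlabeled:dir search;` points at the same gap — something rild traverses carries no label, and labeling it is the fix rather than permitting traversal of unlabeled directories. `allow rild self:process { execmem };` on a modem-facing daemon weakens W^X in the same way as the init rule in this commit and deserves either a comment naming the binary that requires it or removal.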
@@ -0,0 +1,3 @@
+# wpa_supplicant
+allow wpa rfkill_device:chr_file rw_file_perms;
+allow wpa_socket wifi_data_file:sock_file unlink;
-- cgit v1.1
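Review bot: `allow wpa_socket wifi_data_file:sock_file unlink;` uses `wpa_socket` as the source of the rule, but in AOSP `wpa_socket` is declared as a file type for the supplicant's control-socket directory, not a process domain, so no process ever runs in that context and the rule can never match — the denial it was meant to resolve will remain. The intended line is presumably `allow wpa wifi_data_file:sock_file unlink;`. The cleaner fix is to label the socket directory as `wpa_socket` in file_contexts so the existing AOSP `wpa_socket` rules cover it and no extra grant on `wifi_data_file` is needed at all.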