From ecc3d13410f7821659f7cc1ef806dfb9378853a3 Mon Sep 17 00:00:00 2001
From: Caio Schnepper
Date: Fri, 1 May 2015 23:55:43 -0300
Subject: galaxys2: initial L bringup
Change-Id: Ia356da8437917be3355eba59c1df3943bb33f905
---
selinux/bluetooth.te | 1 +
selinux/device.te | 2 ++
selinux/domain.te | 3 +++
selinux/drmserver.te | 1 +
selinux/dumpstate.te | 1 +
selinux/file.te | 2 ++
selinux/file_contexts | 22 +++++++++++++++++-----
selinux/init.te | 1 +
selinux/mediaserver.te | 2 ++
selinux/rild.te | 10 ++++++++++
selinux/system_app.te | 1 +
selinux/system_server.te | 5 +++++
selinux/vold.te | 2 ++
13 files changed, 48 insertions(+), 5 deletions(-)
create mode 100644 selinux/bluetooth.te
create mode 100644 selinux/dumpstate.te
create mode 100644 selinux/init.te
create mode 100644 selinux/mediaserver.te
create mode 100644 selinux/system_app.te
create mode 100644 selinux/system_server.te
(limited to 'selinux')
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..d31e1df
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1 @@
+allow bluetooth efs_device_file:dir search;
diff --git a/selinux/device.te b/selinux/device.te
index 6de8078..a12b98c 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,2 +1,4 @@
+type mali_device, dev_type, mlstrustedobject;
 type rfkill_device, dev_type;
 type efs_block_device, dev_type;
+type mfc_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
index bafc37d..fd893cc 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,2 +1,5 @@
 ## Firmwares
 allow ueventd { firmware_mfc }:file r_file_perms;
+
+## /dev/mali, /dev/ump
+allow domain mali_device:chr_file rw_file_perms;
diff --git a/selinux/drmserver.te b/selinux/drmserver.te
index a456bbf..fea10e4 100644
--- a/selinux/drmserver.te
+++ b/selinux/drmserver.te
@@ -1 +1,2 @@
 allow drmserver sdcard_external:file open;
+allow drmserver self:process execmem;
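Review bot: `allow domain mali_device:chr_file rw_file_perms;` in the domain.te hunk grants read/write on the Mali/UMP nodes to every domain in the policy, not only to the processes that render. The file_contexts hunk of this commit also relabels /dev/fimg2d as mali_device, so that node inherits the same blanket access, and device.te marks the type mlstrustedobject, which takes MLS separation out of the picture as well. Consider scoping the rule to the domains that actually open the GPU, e.g. `allow { appdomain surfaceflinger mediaserver } mali_device:chr_file rw_file_perms;` (the consumer list is a guess and needs confirming from denials), or labelling the nodes with the platform's existing gpu_device type. A comment above the rule naming the consumers would keep the list from growing silently.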
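Review bot: `allow drmserver self:process execmem;` has no comment saying which library needs executable anonymous memory, and the rild.te hunk adds the same permission for rild. Both daemons parse externally supplied data (DRM content, modem traffic), and execmem removes the W^X restriction that limits what a memory-corruption bug in them can do. If proprietary blobs require it, which cannot be confirmed from the diff, record that next to each rule, e.g. `# <vendor-blob-name> maps anonymous memory executable; drop when the blob is replaced`, so the grant can be revisited.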
diff --git a/selinux/dumpstate.te b/selinux/dumpstate.te new file mode 100644 index 0000000..1eb992e --- /dev/null +++ b/selinux/dumpstate.te @@ -0,0 +1 @@ +unix_socket_connect(dumpstate, dumpstate, init); diff --git a/selinux/file.te b/selinux/file.te index 51cf771..b8c9390 100644 --- a/selinux/file.te +++ b/selinux/file.te @@ -1,2 +1,4 @@ type radio_efs_file, fs_type; type firmware_mfc, file_type; +type sysfs_display, fs_type, sysfs_type; +type efs_device_file, file_type; diff --git a/selinux/file_contexts b/selinux/file_contexts index 3dc49e7..0e01fb0 100644 --- a/selinux/file_contexts +++ b/selinux/file_contexts @@ -1,7 +1,7 @@ # GFX -/dev/mali u:object_r:graphics_device:s0 -/dev/ump u:object_r:graphics_device:s0 -/dev/fimg2d u:object_r:graphics_device:s0 +/dev/mali u:object_r:mali_device:s0 +/dev/ump u:object_r:mali_device:s0 +/dev/fimg2d u:object_r:mali_device:s0 # RIL /dev/umts_boot0 u:object_r:radio_device:s0 @@ -10,11 +10,17 @@ /dev/umts_ramdump0 u:object_r:radio_device:s0 /dev/umts_rfs0 u:object_r:radio_device:s0 -/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0 +/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0 +/efs u:object_r:efs_device_file:s0 + +# Camera +/dev/s3c-mfc u:object_r:mfc_device:s0 +/dev/s5p-jpeg u:object_r:video_device:s0 # Bluetooth /dev/ttySAC0 u:object_r:hci_attach_dev:s0 -/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0 +/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0 +/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 # GPS /dev/ttySAC1 u:object_r:gps_device:s0 @@ -27,3 +33,9 @@ # Firmwares /system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0 + +# Display +/sys/class/lcd/panel/power_reduce u:object_r:sysfs_display:s0 +/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0 +/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0 +/sys/class/mdnie/mdnie/negative u:object_r:sysfs_display:s0 diff --git a/selinux/init.te b/selinux/init.te new file mode 100644 index 0000000..74b1400 
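Review bot: The new `/efs u:object_r:efs_device_file:s0` entry in the second file_contexts hunk matches only the path /efs itself, and the old `/efs/bluetooth(/.*)?` pattern is narrowed to the single bt_addr file, so nothing below /efs other than that file is covered by these entries. The rild.te and vold.te hunks grant efs_device_file:file permissions, which suggests files under /efs are expected to carry the new label; if that is the intent the entry should read `/efs(/.*)? u:object_r:efs_device_file:s0`, with the bt_addr line kept as the more specific match. Separately, the `/sys/class/rfkill/...`, `/sys/class/lcd/...` and `/sys/class/mdnie/...` entries name class paths that are normally symlinks into /sys/devices; whether the real nodes end up with sysfs_bluetooth_writable and sysfs_display cannot be told from the diff and is worth checking on a device with `ls -Z`.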
--- /dev/null +++ b/selinux/init.te @@ -0,0 +1 @@ +allow init self:capability sys_module; diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te new file mode 100644 index 0000000..2697346 --- /dev/null +++ b/selinux/mediaserver.te @@ -0,0 +1,2 @@ +allow mediaserver mfc_device:chr_file rw_file_perms; +allow mediaserver video_device:chr_file rw_file_perms; diff --git a/selinux/rild.te b/selinux/rild.te index 40406e3..3c8040a 100644 --- a/selinux/rild.te +++ b/selinux/rild.te @@ -1,7 +1,17 @@ allow rild self:netlink_socket { create bind read write }; allow rild self:netlink_route_socket { write }; allow rild self:netlink_kobject_uevent_socket { create bind read write }; +allow rild self:process execmem; allow rild radio_device:chr_file rw_file_perms; allow rild efs_block_device:blk_file rw_file_perms; allow rild efs_file:file { read open write setattr }; +allow rild radio_data_file:dir setattr; +allow rild block_device:dir search; +allow rild efs_device_file:dir { search write }; +allow rild efs_device_file:file { read write append getattr open setattr }; +allow rild system_data_file:dir { write add_name }; +allow rild system_data_file:file { write create setattr }; + +allow rild dumpstate_exec:file { read open getattr execute }; +unix_socket_connect(rild, dumpstate, dumpstate) diff --git a/selinux/system_app.te b/selinux/system_app.te new file mode 100644 index 0000000..bc716f2 --- /dev/null +++ b/selinux/system_app.te @@ -0,0 +1 @@ +allow system_app sysfs_display:file { getattr open read write }; diff --git a/selinux/system_server.te b/selinux/system_server.te new file mode 100644 index 0000000..970da27 --- /dev/null +++ b/selinux/system_server.te @@ -0,0 +1,5 @@ +allow system_server uhid_device:chr_file { read write ioctl open }; +allow system_server sysfs_display:file { read write getattr open }; +allow system_server efs_file:dir { search }; +allow system_server efs_file:file { read open write }; +allow system_server efs_device_file:dir search; 
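Review bot: `allow init self:capability sys_module;` in the new init.te lets init load kernel modules, and the file gives no reason for it. Module loading is equivalent to running arbitrary kernel code, and any service left in the init domain without its own transition would share the capability. If the board's init scripts insmod specific modules, name them in a comment above the rule, e.g. `# init.<board>.rc insmods <module>.ko at boot`; if those modules can be built into the kernel the rule can be dropped.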
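Review bot: The rild.te hunk grants `system_data_file:dir { write add_name }` and `system_data_file:file { write create setattr }`, which lets the radio daemon create and modify files in any directory carrying the generic /data label rather than in one directory of its own. Define a dedicated type for the path rild actually writes, label it in file_contexts and grant on that type, e.g. `type rild_data_file, file_type, data_file_type;` with `allow rild rild_data_file:dir rw_dir_perms;` (the type name is a placeholder). The same hunk grants `dumpstate_exec:file { read open getattr execute }` with no domain transition or execute_no_trans visible, so it is unclear from the diff which domain the dumpstate binary is meant to run in when rild starts it; a comment stating the intent would help.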
diff --git a/selinux/vold.te b/selinux/vold.te
index d179865..7bf2310 100644
--- a/selinux/vold.te
+++ b/selinux/vold.te
@@ -1 +1,3 @@
 allow vold sdcard_external:file rw_file_perms;
+allow vold efs_device_file:dir rw_file_perms;
+allow vold efs_device_file:file rw_file_perms;
--
cgit v1.1
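Review bot: `allow vold efs_device_file:dir rw_file_perms;` applies a file permission macro to the dir class, so vold gets read/write/open on the directory but not search, add_name or remove_name, which is probably not what was meant. Use the directory macros instead: `allow vold efs_device_file:dir r_dir_perms;` if vold only needs to traverse /efs, or `rw_dir_perms` if it has to create entries there. Neither the commit message nor the file says why vold touches /efs at all, so a one-line comment above the two new rules stating the reason would make the grant reviewable.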