From 2aa1146201ea9b422f7c72c01250f415ef712c4a Mon Sep 17 00:00:00 2001
From: Daniel Hillenbrand
Date: Wed, 14 Aug 2013 20:02:51 +0200
Subject: i9300: add selinux policies
Change-Id: I0304c2efeb06b583a28ea9c9dcc874254ee3930f
---
BoardConfig.mk | 17 +++++++++++++++++
rootdir/init.target.rc | 17 +++++++++++++++++
selinux/device.te | 3 +++
selinux/domain.te | 2 ++
selinux/file.te | 5 +++++
selinux/file_contexts | 40 ++++++++++++++++++++++++++++++++++++++++
selinux/init.te | 1 +
selinux/mediaserver.te | 3 +++
selinux/rild.te | 7 +++++++
selinux/system.te | 10 ++++++++++
selinux/ueventd.te | 3 +++
selinux/vold.te | 2 ++
selinux/wpa_supplicant.te | 10 ++++++++++
13 files changed, 120 insertions(+)
create mode 100644 selinux/device.te
create mode 100644 selinux/domain.te
create mode 100644 selinux/file.te
create mode 100644 selinux/file_contexts
create mode 100644 selinux/init.te
create mode 100644 selinux/mediaserver.te
create mode 100644 selinux/rild.te
create mode 100644 selinux/system.te
create mode 100644 selinux/ueventd.te
create mode 100644 selinux/vold.te
create mode 100755 selinux/wpa_supplicant.te
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 594770a..d69d753 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -35,6 +35,23 @@ TARGET_KERNEL_CONFIG := cyanogenmod_i9300_defconfig
 TARGET_RECOVERY_FSTAB := device/samsung/i9300/rootdir/fstab.smdk4x12
 RECOVERY_FSTAB_VERSION := 2
+# Selinux
+BOARD_SEPOLICY_DIRS := \
+ device/samsung/i9300/selinux
+
+BOARD_SEPOLICY_UNION := \
+ device.te \
+ domain.te \
+ file.te \
+ file_contexts \
+ init.te \
+ mediaserver.te \
+ rild.te \
+ system.te \
+ ueventd.te \
+ vold.te \
+ wpa_supplicant.te
+
 # assert
 TARGET_OTA_ASSERT_DEVICE := m0,i9300,GT-I9300
diff --git a/rootdir/init.target.rc b/rootdir/init.target.rc
index d573657..8a9c68b 100644
--- a/rootdir/init.target.rc
+++ b/rootdir/init.target.rc
@@ -2,6 +2,23 @@ on post-fs-data
 # make param block device link for SysScope
 symlink /dev/block/mmcblk0p4 /dev/block/param
+# Restorecon
+ restorecon /efs/nv_data.bin
+ restorecon /efs/nv_data.bin.md5
+ restorecon /efs/.nv_core.bak
+ restorecon /efs/.nv_core.bak.md5
+ restorecon /efs/.nv_data.bak
+ restorecon /efs/.nv_data.bak.md5
+ restorecon /efs/.nv_state
+ restorecon /efs/bluetooth/bt_addr
+ restorecon /efs/FactoryApp/factorymode
+ restorecon /efs/FactoryApp/hw_ver
+ restorecon /efs/FactoryApp/keystr
+ restorecon /efs/FactoryApp/serial_no
+ restorecon /efs/imei/mps_code.dat
+ restorecon /efs/gyro_cal_data
+ restorecon /efs/wifi/.mac.info
+
 on boot
 # icd
diff --git a/selinux/device.te b/selinux/device.te
new file mode 100644
index 0000000..cca8ee1
--- /dev/null
+++ b/selinux/device.te
@@ -0,0 +1,3 @@
+type mali_device, dev_type, mlstrustedobject;
+type rfkill_device, dev_type;
+type efs_block_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
new file mode 100644
index 0000000..26e8033
--- /dev/null
+++ b/selinux/domain.te
@@ -0,0 +1,2 @@
+## /dev/mali, /dev/ump
+allow domain mali_device:chr_file rw_file_perms;
diff --git a/selinux/file.te b/selinux/file.te
new file mode 100644
index 0000000..2a01dac
--- /dev/null
+++ b/selinux/file.te
@@ -0,0 +1,5 @@
+type firmware_mfc, file_type;
+type firmware_camera, file_type;
+
+type camera_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..93065b8
--- /dev/null
+++ b/selinux/file_contexts
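Review bot: The restorecon list added to post-fs-data relabels only the fifteen named files, so the directories they sit in (/efs/bluetooth, /efs/wifi, /efs/FactoryApp) and anything the device writes to /efs later keep whatever label the filesystem already carries. Of the listed paths only /efs/bluetooth/bt_addr, /efs/gyro_cal_data and /efs/wifi/.mac.info get a device-specific entry in the new file_contexts; the other twelve are relabeled to whatever the platform policy assigns under /efs, presumably its generic efs label, which is fine if intended but should be said. A comment such as `# Restorecon: pin /efs labels on first boot; paths without a device entry fall back to the platform /efs rule` would record that. The on post-fs-data section starts before the hunk.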
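Review bot: `allow domain mali_device:chr_file rw_file_perms;` gives every process domain read/write on the GPU nodes, and since file_contexts also maps /dev/fimg2d to mali_device the 2D accelerator is opened to all domains too, which the `## /dev/mali, /dev/ump` comment does not mention. A domain-wide grant on a driver node is the widest possible exposure of that driver's ioctl surface; if only graphics clients need it, granting those domains is preferable, and at minimum the comment should read `## /dev/mali, /dev/ump, /dev/fimg2d: every domain may open the GPU/2D nodes`. device.te declares mali_device with mlstrustedobject, which looks like a copy of the platform gpu_device type; if the base policy already provides gpu_device, reusing it avoids a parallel type with the same meaning.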
@@ -0,0 +1,40 @@
+# GFX
+/dev/mali u:object_r:mali_device:s0
+/dev/ump u:object_r:mali_device:s0
+/dev/fimg2d u:object_r:mali_device:s0
+
+# NFC
+/dev/pn544 u:object_r:nfc_device:s0
+
+# RIL
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+
+/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+
+# Sensors
+/dev/akm8975 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+
+# Wifi
+/dev/rfkill u:object_r:rfkill_device:s0
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/data/cfw(/.*)? u:object_r:firmware_camera:s0
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..3f11893
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
new file mode 100644
index 0000000..520da3a
--- /dev/null
+++ b/selinux/mediaserver.te
@@ -0,0 +1,3 @@
+allow mediaserver { firmware_camera }:file r_file_perms;
+allow mediaserver firmware_camera:dir r_dir_perms;
+allow mediaserver camera_data_file:file rw_file_perms;
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100644
index 0000000..7f817d0
--- /dev/null
+++ b/selinux/rild.te
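Review bot: The pattern `/efs/bluetooth/(/.*)?` has a slash before the optional group, so it requires `/efs/bluetooth//…` and matches neither the /efs/bluetooth directory nor /efs/bluetooth/bt_addr, which init.target.rc restorecons; that file will presumably end up with the platform's generic /efs label instead of bluetooth_efs_file, and any rule written against bluetooth_efs_file will never apply. The fix is `/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0`, the same form as `/system/vendor/firmware(/.*)?` and `/data/cfw(/.*)?` further down. Separately, `/data/cfw(/.*)?` labels a path under writable /data with a firmware type that is not a data_file_type while no rule in this commit lets any domain create or write there, so a comment naming the component that populates /data/cfw (or a data_file_type attribute if it is written at runtime) would help.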
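Review bot: `allow mediaserver camera_data_file:file rw_file_perms;` covers reading and writing an existing /data/ISP_CV but not creating it (rw_file_perms has no create, and there is no dir rule or type_transition in the hunk), so if mediaserver generates that file on first use the write is denied, and a file created by another path would not carry the camera_data_file label at all. If that is the case the rule needs `create_file_perms` plus a type_transition from the parent directory's type; if the file is always shipped, a comment saying so avoids the question. The braces in `{ firmware_camera }:file` wrap a single type and add nothing; `allow mediaserver firmware_camera:file r_file_perms;` reads the same, and ueventd.te has the same pattern.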
@@ -0,0 +1,7 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create bind read write setopt };
+
+allow rild radio_device:chr_file rw_file_perms;
+allow rild efs_block_device:blk_file rw_file_perms;
+allow rild efs_file:file { read open write setattr };
diff --git a/selinux/system.te b/selinux/system.te
new file mode 100644
index 0000000..0ac9cfc
--- /dev/null
+++ b/selinux/system.te
@@ -0,0 +1,10 @@
+allow system uinput_device:chr_file { read ioctl write open };
+allow system sensors_device:chr_file { read open };
+allow system sensors_data_file:file r_file_perms;
+allow system wpa_socket:unix_dgram_socket sendto;
+
+allow system sysfs:file { read open write };
+allow system self:capability { sys_module };
+
+# /efs/wifi/.mac.info
+allow system wifi_data_file:file { read open };
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
new file mode 100644
index 0000000..4037e57
--- /dev/null
+++ b/selinux/ueventd.te
@@ -0,0 +1,3 @@
+# Firmwares
+allow ueventd { firmware_mfc }:file r_file_perms;
+allow ueventd { firmware_camera }:dir search;
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..9452abf
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,2 @@
+allow vold kernel:process setsched;
+allow vold sdcardd_exec:file { read open execute execute_no_trans };
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
new file mode 100755
index 0000000..ab5fb24
--- /dev/null
+++ b/selinux/wpa_supplicant.te
@@ -0,0 +1,10 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system:unix_dgram_socket sendto;
+
+allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
--
cgit v1.1
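Review bot: `allow rild efs_block_device:blk_file rw_file_perms;` together with the file_contexts mapping of /dev/block/mmcblk0p7 gives rild raw read and write access to the whole EFS partition, which bypasses the per-file labels (bluetooth_efs_file, wifi_data_file, sensors_data_file) this commit sets up under /efs. If rild genuinely needs the raw device, a comment should say for what and the grant should be checked against that need, e.g. `# raw EFS partition (/dev/block/mmcblk0p7); TODO confirm rild needs write, not just read`; if it only reads, drop the write side. `allow rild efs_file:file { read open write setattr }` raises the same question in milder form and would benefit from a one-line comment naming the files it touches.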
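Review bot: `allow system self:capability { sys_module };` lets system_server load arbitrary kernel modules and `allow system sysfs:file { read open write }` lets it write every sysfs attribute; both are far broader than the rest of this file, which names specific device and data types. If sys_module exists for wifi driver loading, a comment stating that lets a later reviewer judge whether it can move to a smaller domain, and the sysfs write should be narrowed to a dedicated type for the nodes actually written rather than all of sysfs. Suggested comments: `# CAP_SYS_MODULE: wifi driver insmod from system_server (TODO: move to a narrower domain)` and `# TODO: label the written sysfs nodes instead of granting write on all of sysfs`.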
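Review bot: `allow vold sdcardd_exec:file { read open execute execute_no_trans };` runs the sdcard daemon inside vold's own privileged domain instead of transitioning into a dedicated one; if the base policy defines a sdcardd domain for that executable (the sdcardd_exec type suggests it does), the FUSE daemon inherits every permission vold has. The usual form is a domain transition, `domain_auto_trans(vold, sdcardd_exec, sdcardd)`, replacing the execute_no_trans line, so sdcardd is confined by its own rules. `allow vold kernel:process setsched;` also deserves a one-line comment on why vold adjusts kernel thread scheduling.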
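Review bot: `allow wpa_socket wifi_data_file:sock_file unlink;` uses the socket type as the subject, but unlink is checked against the calling process's domain, so this rule can never match; the intended line is presumably `allow wpa wifi_data_file:sock_file unlink;`. The sendto rules (`allow wpa_socket system:unix_dgram_socket sendto;` here and its counterpart in system.te) are different, since for unix_dgram_socket sendto the subject is the sending socket's own label, so wpa_socket as source is plausible there. Two smaller points: the file is created with mode 100755 while every other .te file is 100644, and it lacks a trailing newline.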