From 50a1bdc2081282d5340ddee956f8b0548c3f1d4a Mon Sep 17 00:00:00 2001 From: Simon Shields Date: Thu, 11 Feb 2016 23:42:52 +1100 Subject: i9300: allow system_server access to mdnie sysfs needed for any mdnie stuff that ends up in cmhw Change-Id: I6efe58e295cae59f074abc4a1fd64258fb5d8188 --- selinux/system_server.te | 3 +++ 1 file changed, 3 insertions(+) (limited to 'selinux') diff --git a/selinux/system_server.te b/selinux/system_server.te index b9cc2f2..b20927b 100644 --- a/selinux/system_server.te +++ b/selinux/system_server.te @@ -4,6 +4,9 @@ allow system_server sensors_data_file:file r_file_perms; allow system_server wpa_socket:unix_dgram_socket sendto; allow system_server sysfs:file { read open write }; +allow system_server sysfs_display:lnk_file rw_file_perms; +allow system_server sysfs_display:dir rw_dir_perms; +allow system_server sysfs_display:file rw_file_perms; allow system_server self:capability { sys_module }; allow system_server efs_file:dir search; -- cgit v1.1 From bcb3068019136761aaa95c82fd060cf56c863d8a Mon Sep 17 00:00:00 2001 From: Simon Shields Date: Tue, 9 Feb 2016 12:23:15 +1100 Subject: i9300: move macloader and tinyplay sepolicy up to -common [2/2] Change-Id: I874a9f2f6590755e5815e18bcdc5d1e0cdac4523 --- selinux/file_contexts | 2 -- selinux/init.te | 2 -- selinux/macloader.te | 9 --------- selinux/tinyplay.te | 6 ------ 4 files changed, 19 deletions(-) delete mode 100644 selinux/macloader.te delete mode 100644 selinux/tinyplay.te (limited to 'selinux') diff --git a/selinux/file_contexts b/selinux/file_contexts index 12bbd51..6e54311 100644 --- a/selinux/file_contexts +++ b/selinux/file_contexts @@ -62,5 +62,3 @@ # Misc /dev/HPD u:object_r:hpd_device:s0 -/system/bin/macloader u:object_r:macloader_exec:s0 -/system/bin/tinyplay u:object_r:tinyplay_exec:s0 diff --git a/selinux/init.te b/selinux/init.te index 795e077..6056a94 100644 --- a/selinux/init.te +++ b/selinux/init.te 
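Review bot: The three added `sysfs_display` rules in selinux/system_server.te grant more than toggling existing mdnie attributes needs. `rw_dir_perms` includes `write`, `add_name` and `remove_name` on the directory, and following a symlink needs only `read` on `lnk_file`. sysfs nodes are created by the kernel, so I would narrow these to `allow system_server sysfs_display:dir r_dir_perms;` and `allow system_server sysfs_display:lnk_file r_file_perms;`, keeping `rw_file_perms` only on `:file`. A one-line comment above the rules naming the mdnie sysfs path they cover would also help later audits; that path is not visible in this hunk.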
@@ -11,5 +11,3 @@ allow init rild:process noatsecure; domain_trans(init, rootfs, glgps) domain_trans(init, rootfs, cpboot-daemon) -domain_trans(init, rootfs, tinyplay) -domain_trans(init, rootfs, macloader) diff --git a/selinux/macloader.te b/selinux/macloader.te deleted file mode 100644 index 464f201..0000000 --- a/selinux/macloader.te +++ /dev/null @@ -1,9 +0,0 @@ -type macloader, domain; -type macloader_exec, exec_type, file_type; -init_daemon_domain(macloader); - -allow macloader efs_file:dir search; -allow macloader efs_device_file:dir search; -allow macloader wifi_data_file:file { read getattr open write setattr }; -allow macloader self:capability { dac_override chown fowner fsetid }; -allow macloader system_data_file:dir w_dir_perms; diff --git a/selinux/tinyplay.te b/selinux/tinyplay.te deleted file mode 100644 index ef7de81..0000000 --- a/selinux/tinyplay.te +++ /dev/null @@ -1,6 +0,0 @@ -type tinyplay, domain; -type tinyplay_exec, exec_type, file_type; -init_daemon_domain(tinyplay) - -allow tinyplay audio_device:chr_file { open read write ioctl }; -allow tinyplay audio_device:dir search; -- cgit v1.1 From 5339fe1e8ffc87f04ed2692c2e6d1c892f63a0c1 Mon Sep 17 00:00:00 2001 From: Simon Shields Date: Thu, 18 Feb 2016 17:27:25 +1100 Subject: i9300: fix selinux denial Change-Id: I3e8a8ca2e35cca22bdd248c1bfe9433f2d8285fb --- selinux/system_server.te | 2 ++ 1 file changed, 2 insertions(+) (limited to 'selinux') diff --git a/selinux/system_server.te b/selinux/system_server.te index b20927b..edf79dc 100644 --- a/selinux/system_server.te +++ b/selinux/system_server.te @@ -22,6 +22,8 @@ allow system_server system_file:file execmod; # /efs/wifi/.mac.info allow system_server wifi_data_file:file { read open }; +allow system_server radio_data:dir r_dir_perms; + allow system_server glgps:binder transfer; type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni"; -- cgit v1.1 
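Review bot: The added `allow system_server radio_data:dir r_dir_perms;` in selinux/system_server.te has no comment saying which path or caller triggered the denial, unlike the `# /efs/wifi/.mac.info` line just above it, and the commit subject only says "fix selinux denial". I would add a comment such as `# <path labelled radio_data>: accessed by <component>, avc: denied { <perm> }` so the grant can be audited later. If the logged denial was only `search` or `getattr`, then `r_dir_perms`, which also allows listing the directory, is wider than needed and the single permission would do. The denial itself is not shown on this page, so that part needs confirming against the log.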
From e292f77eff94cfb47673ff8bc6aaceaf9733d532 Mon Sep 17 00:00:00 2001
From: Wolfgang Wiedmeyer
Date: Fri, 25 Mar 2016 20:51:06 +0100
Subject: selinux: allow to write the firmware files from recovery mode
Change-Id: I061c9d67b171099a3c5cf21c5961e15a2bc114fc
Signed-off-by: Wolfgang Wiedmeyer
---
selinux/recovery.te | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 selinux/recovery.te
(limited to 'selinux')
diff --git a/selinux/recovery.te b/selinux/recovery.te
new file mode 100644
index 0000000..531f480
--- /dev/null
+++ b/selinux/recovery.te
@@ -0,0 +1,7 @@
+recovery_only(`
+
+# firmware files
+allow recovery firmware_exynos:dir { create setattr relabelto relabelfrom };
+allow recovery firmware_exynos:file { create write open setattr relabelto relabelfrom };
+allow recovery firmware_mfc:file { create write open setattr relabelto relabelfrom };
+')
-- cgit v1.1
From 81ec5d14e7e2bfa78d6967a51b04822d4e646398 Mon Sep 17 00:00:00 2001
From: H4RTI3
Date: Thu, 15 Sep 2016 23:30:25 +0200
Subject: Added SELinux rule for nfc QS tile
Change-Id: I5f80a383b0e72bcbc86bf51bd935149ee981ac86
---
selinux/platform_app.te | 1 +
1 file changed, 1 insertion(+)
create mode 100755 selinux/platform_app.te
(limited to 'selinux')
diff --git a/selinux/platform_app.te b/selinux/platform_app.te
new file mode 100755
index 0000000..4d92e6b
--- /dev/null
+++ b/selinux/platform_app.te
@@ -0,0 +1 @@
+allow platform_app nfc_service:service_manager find;
-- cgit v1.1
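Review bot: In the new selinux/recovery.te the `firmware_exynos:dir` rule lists `create setattr relabelto relabelfrom` but not `search`, `write` or `add_name`, which creating a file inside a directory of that type requires. The `create` on `firmware_exynos:file` will therefore probably still be denied in an enforcing recovery unless base policy grants those elsewhere; if it does not, the narrow fix is `allow recovery firmware_exynos:dir { search write add_name create setattr relabelto relabelfrom };`. `firmware_mfc` gets a file rule only, so the type of its parent directory needs the same check. Because these rules let recovery replace firmware blobs, the `# firmware files` comment should name the target paths and the step that writes them so the grant can be audited.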
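Review bot: selinux/platform_app.te is created with mode 100755; a policy source file should not carry the executable bit and should be added as 100644. The rule `allow platform_app nfc_service:service_manager find;` also applies to every app in the `platform_app` domain, not only the quick-settings tile named in the commit subject. That scope is worth recording in a comment above the rule, for example `# NFC QS tile: its host app runs as platform_app and looks up the nfc service`.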