From 1e3c6c4a20cde875b23c69afd4025c492511e822 Mon Sep 17 00:00:00 2001 
From: RGIB
Date: Sun, 27 Nov 2016 23:45:35 +0100
Subject: i9305 : update selinux policies for MM

Change-Id: Ia96cb118083b20e87b94412ab5072be34cd6e806
---
 selinux/bluetooth.te | 4 ++
 selinux/device.te | 7 ++-
 selinux/dhcp.te | 1 -
 selinux/domain.te | 4 --
 selinux/efsks.te | 6 +++
 selinux/file.te | 9 ----
 selinux/file_contexts | 122 ++++++++++++++++++++-------------------------
 selinux/fsck.te | 3 ++
 selinux/init.te | 10 ++--
 selinux/kickstart.te | 44 -----------------
 selinux/ks.te | 6 +++
 selinux/macloader.te | 1 +
 selinux/mediaserver.te | 19 +++++---
 selinux/netmgrd.te | 29 -----------
 selinux/qcks.te | 23 +++++++++
 selinux/qmiproxy.te | 11 +++++
 selinux/qmux.te | 21 --------
 selinux/qmuxd.te | 13 +++++
 selinux/radio_device.te | 1 +
 selinux/rild.te | 20 +++-----
 selinux/secril.te | 25 ----------
 selinux/sysinit.te | 5 ++
 selinux/system.te | 12 -----
 selinux/system_server.te | 8 +++
 selinux/te_macros | 12 -----
 selinux/ueventd.te | 13 +----
 selinux/wpa.te | 1 +
 selinux/wpa_supplicant.te | 10 ----
 28 files changed, 164 insertions(+), 276 deletions(-)
 create mode 100644 selinux/bluetooth.te
 delete mode 100755 selinux/dhcp.te
 delete mode 100644 selinux/domain.te
 create mode 100644 selinux/efsks.te
 delete mode 100644 selinux/file.te
 create mode 100644 selinux/fsck.te
 delete mode 100755 selinux/kickstart.te
 create mode 100644 selinux/ks.te
 create mode 100644 selinux/macloader.te
 delete mode 100755 selinux/netmgrd.te
 create mode 100644 selinux/qcks.te
 create mode 100644 selinux/qmiproxy.te
 delete mode 100755 selinux/qmux.te
 create mode 100644 selinux/qmuxd.te
 create mode 100644 selinux/radio_device.te
 mode change 100755 => 100644 selinux/rild.te
 delete mode 100644 selinux/secril.te
 create mode 100644 selinux/sysinit.te
 delete mode 100755 selinux/system.te
 create mode 100644 selinux/system_server.te
 delete mode 100755 selinux/te_macros
 create mode 100644 selinux/wpa.te
 delete mode 100755 selinux/wpa_supplicant.te
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..42c91ec
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,4 @@
+allow bluetooth bluetooth_data_file:file { read open };
+allow bluetooth serial_device:chr_file { read write ioctl open };
+allow bluetooth wifi_data_file:file { read open };
+allow bluetooth radio_device:file write;
diff --git a/selinux/device.te b/selinux/device.te
index c95050b..53e4bf4 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,4 +1,3 @@
-type mali_device, dev_type, mlstrustedobject;
-type rfkill_device, dev_type;
-type diagnostic_device, dev_type;
-type efs_block_device, dev_type;
+type mmc_block_device, dev_type;
+type efs_device_file, file_type;
+
diff --git a/selinux/dhcp.te b/selinux/dhcp.te
deleted file mode 100755
index c403b9b..0000000
--- a/selinux/dhcp.te
+++ /dev/null
@@ -1 +0,0 @@
-allow dhcp self:rawip_socket { create write setopt };
diff --git a/selinux/domain.te b/selinux/domain.te
deleted file mode 100644
index 1be0633..0000000
--- a/selinux/domain.te
+++ /dev/null
@@ -1,4 +0,0 @@
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
-
-
diff --git a/selinux/efsks.te b/selinux/efsks.te
new file mode 100644
index 0000000..3635159
--- /dev/null
+++ b/selinux/efsks.te
@@ -0,0 +1,6 @@
+type efsks, domain;
+type efsks_exec, exec_type, file_type;
+
+init_daemon_domain(efsks)
+domain_trans(init, rootfs, efsks)
+
diff --git a/selinux/file.te b/selinux/file.te
deleted file mode 100644
index 185b1c2..0000000
--- a/selinux/file.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type radio_efs_file, fs_type;
-
-type firmware_mfc, file_type;
-type firmware_camera, file_type;
-
-type qmuxd_socket, file_type;
-type kickstart_data_file, file_type, data_file_type;
-type sensors_data_file, file_type, data_file_type;
-type volume_data_file, file_type, data_file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 36dc14c..1b3d289 100644
--- a/selinux/file_contexts
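Review bot: `allow bluetooth radio_device:file write;` grants the bluetooth domain write access to every sysfs attribute this patch's file_contexts puts under radio_device (`/sys/devices/platform/bcm(/.*)?` and `/sys/devices/virtual/hsicctl(/.*)?`), and the `serial_device` rule above it now reaches both `/dev/ttySAC0` and the modem's `/dev/ttyUSB0`, because the two ttys share one type. If the write is presumably the BT chip's power/rfkill node under the bcm subtree, say so in a comment and give that subtree its own type; the HSIC control files and `/dev/ttyUSB0` are modem-side and should not be reachable from bluetooth. A comment per rule naming the path that triggered the denial, e.g. `# /sys/devices/platform/bcm*/...: BT power on/off`, would make these rules reviewable later.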
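Review bot: `type efs_device_file, file_type;` is declared here but no file_contexts entry in this patch assigns it, so either a label for the EFS partition's files was dropped or the type is dead. The four removed types are replaced by a single `mmc_block_device` that file_contexts applies to `/dev/block/mmcblk0p0`–`p16`, i.e. every raw partition, where `efs_block_device` previously covered only p3–p6, p10 and p11; that coarser type is what fsck.te and qcks.te are later granted write on. Keep a separate type for the partitions a domain actually needs, e.g. `type efs_block_device, dev_type;` for the EFS images, and either use or remove `efs_device_file`.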
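Review bot: `domain_trans(init, rootfs, efsks)` lets init enter the efsks domain by executing any rootfs-labelled file, not only `/system/bin/efsks`, which `init_daemon_domain(efsks)` already covers through `efsks_exec`; ks.te, qcks.te, qmiproxy.te and qmuxd.te repeat the same pair. If init actually runs a ramdisk wrapper script for these daemons, name the script in a comment and label it with its own exec type; otherwise drop the rootfs transition. Note also that the domain has no allow rules of its own and qcks.te runs `efsks_exec` with `execute_no_trans`, so as written efsks only matters when init starts the binary directly.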
+++ b/selinux/file_contexts 
@@ -1,70 +1,54 @@
-# GFX
-/dev/mali u:object_r:mali_device:s0
-/dev/ump u:object_r:mali_device:s0
-/dev/fimg2d u:object_r:mali_device:s0
+/dev/s3c-mfc u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/mali u:object_r:gpu_device:s0
+
+/data/ISP_CV u:object_r:camera_data_file:s0
+/system/vendor/firmware/SlimISP(/.*)? u:object_r:camera_data_file:s0
+/data/cfw(/.*)? u:object_r:camera_data_file:s0
+
+/data/.cid.info u:object_r:wifi_data_file:s0
+
+/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
+
+/dev/akm8975 u:object_r:sensors_device:s0
+
+/system/bin/ks u:object_r:ks_exec:s0
+/system/bin/qcks u:object_r:qcks_exec:s0
+/system/bin/efsks u:object_r:efsks_exec:s0
+/system/bin/qmuxd u:object_r:qmuxd_exec:s0
+/system/bin/qmiproxy u:object_r:qmiproxy_exec:s0
+
+/dev/ttyUSB0 u:object_r:serial_device:s0
+/dev/ttySAC0 u:object_r:serial_device:s0
+
+/dev/mdm u:object_r:radio_device:s0
+/dev/rfkill u:object_r:radio_device:s0
+/dev/hsicctl0 u:object_r:radio_device:s0
+/dev/hsicctl1 u:object_r:radio_device:s0
+/dev/hsicctl2 u:object_r:radio_device:s0
+/dev/hsicctl3 u:object_r:radio_device:s0
+/sys/devices/virtual/hsicctl(/.*)? u:object_r:radio_device:s0
+/dev/block/modem(/.*)? u:object_r:radio_device:s0
+/sys/devices/platform/bcm(/.*)? u:object_r:radio_device:s0
+
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+/tombstones/qcks(/.*)? u:object_r:radio_data_file:s0
+
+/dev/block/mmcblk0p0 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p1 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p2 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p3 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p4 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p5 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p6 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p7 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p8 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p9 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p10 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p11 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p13 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p14 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p15 u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0p16 u:object_r:mmc_block_device:s0
 
-# RIL
-/dev/mdm u:object_r:radio_device:s0
-/dev/hsicctl[0-3]* u:object_r:radio_device:s0
-/dev/ttyUSB0 u:object_r:radio_device:s0
-/dev/diag u:object_r:diagnostic_device:s0
-
-# GPS
-/dev/ttySAC1 u:object_r:gps_device:s0
-
-# Bluetooth
-/dev/ttySAC0 u:object_r:hci_attach_dev:s0
-/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
-
-# Sensors
-/dev/akm8975 u:object_r:sensors_device:s0
-/efs/gyro_cal_data u:object_r:sensors_data_file:s0
-
-# Camera
-/data/ISP_CV u:object_r:camera_data_file:s0
-/dev/exynos-mem u:object_r:video_device:s0
-
-# for wpa_supp
-/dev/rfkill u:object_r:rfkill_device:s0
-
-# Firmwares
-/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
-/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
-/system/vendor/firmware/fimc_is_fw.bin u:object_r:firmware_camera:s0
-/data/cfw(/.*)? u:object_r:firmware_camera:s0
-/tombstones u:object_r:system_data_file:s0
-/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/tombstones/qcks(/.*)? u:object_r:kickstart_data_file:s0
-
-# Vibrator
-/dev/tspdrv u:object_r:input_device:s0
-
-# Wifi
-/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
-
-# Sec-ril
-/efs/FactoryApp/keystr u:object_r:efs_file:s0
-/efs/FactoryApp/factorymode u:object_r:efs_file:s0
-/efs/FactoryApp/serial_no u:object_r:efs_file:s0
-/data/misc/radio/ramdumpmode.txt u:object_r:radio_data_file:s0
-/data/misc/radio/dlnk u:object_r:radio_data_file:s0
-
-# Binaries
-/system/bin/qmuxd u:object_r:qmux_exec:s0
-/system/bin/efsks u:object_r:kickstart_exec:s0
-/system/bin/ks u:object_r:kickstart_exec:s0
-/system/bin/qcks u:object_r:kickstart_exec:s0
-
-# Sockets
-/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
-
-# Block devices
-/dev/block/mmcblk0p[3-6]* u:object_r:efs_block_device:s0
-/dev/block/mmcblk0p10 u:object_r:efs_block_device:s0
-/dev/block/mmcblk0p11 u:object_r:efs_block_device:s0
-
-# Audio related
-/data/local/audio(/.*)? u:object_r:volume_data_file:s0
diff --git a/selinux/fsck.te b/selinux/fsck.te
new file mode 100644
index 0000000..d2fcb8f
--- /dev/null
+++ b/selinux/fsck.te
@@ -0,0 +1,3 @@
+allow fsck mmc_block_device:blk_file ioctl;
+allow fsck self:capability dac_override;
+allow fsck mmc_block_device:blk_file { read write getattr open };
diff --git a/selinux/init.te b/selinux/init.te
index 2f29889..7abe7a5 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1,3 +1,7 @@
-allow init wpa_socket:unix_dgram_socket { bind create };
-
-
+allow init debugfs:dir mounton;
+allow init radio_device:dir relabelto;
+allow init radio_device:file { relabelto setattr };
+allow init radio_device:lnk_file relabelto;
+allow init sysfs:lnk_file setattr;
+allow init radio_device:lnk_file setattr;
+allow init tmpfs:lnk_file create;
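Review bot: `/dev/ttyUSB0` (the modem tty, formerly `radio_device`) and `/dev/ttySAC0` (the BT UART, formerly `hci_attach_dev`) are now the single type `serial_device`, so any domain allowed `serial_device:chr_file` — bluetooth.te and qcks.te in this patch — gets both ports; keep the two labels apart. `/dev/rfkill` likewise moves into `radio_device` alongside `/dev/mdm`, `/dev/hsicctl*` and `/dev/block/modem`, which is why wpa.te later has to be granted read on the modem's type. The entries for `/dev/ttySAC1`, `/dev/diag`, `/dev/tspdrv` and `/dev/exynos-mem` are removed outright, so those nodes presumably fall back to the generic device label and lose their gps_device/input_device/video_device rules — if that is intended, say so in the commit message. Mixing device nodes and sysfs paths (`/sys/devices/virtual/hsicctl`, `/sys/devices/platform/bcm`) under one `dev_type` is also what forces the `radio_device sysfs:filesystem associate` rule; a separate `sysfs_*` type for the sysfs subtrees is the usual split.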
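Review bot: `allow fsck mmc_block_device:blk_file { read write getattr open };` (plus the `ioctl` rule) gives fsck read/write on all of `/dev/block/mmcblk0p0`–`p16` as labelled in this patch, i.e. every raw partition, presumably including ones that hold no filesystem fsck should ever touch such as the bootloader and modem images. AOSP's fsck domain is written against per-purpose block types (`userdata_block_device`, `cache_block_device`, ...); label only the partitions fstab runs fsck on with such types and restrict this rule to them. `dac_override` should also carry a comment saying which path needed it.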
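Review bot: none of the seven new init rules says what in init.rc triggers it, and `allow init debugfs:dir mounton;` and `allow init sysfs:lnk_file setattr;` in particular are broader than a single mount or chown line needs. Add a why-comment to each, e.g. `# restorecon_recursive /sys/devices/platform/bcm* (radio_device)` over the relabelto rules and `# mount debugfs ... in init.rc` over the mounton, so the next policy update can tell a still-needed rule from a stale audit2allow line.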
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
deleted file mode 100755
index 14e1ad5..0000000
--- a/selinux/kickstart.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# kickstart processes and scripts
-type kickstart, domain;
-type kickstart_exec, exec_type, file_type;
-
-# kickstart_checker.sh talks to init over the property socket
-unix_socket_connect(kickstart, property, init)
-
-# Start /system/bin/qcks from init
-init_daemon_domain(kickstart)
-
-# Spawn /system/bin/efsks and /system/bin/ks
-allow kickstart kickstart_exec:file { open execute_no_trans getattr };
-
-# Run dd on m9kefs[123] block devices; write to /data/qcks/
-# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
-allow kickstart efs_block_device:blk_file rw_file_perms;
-allow kickstart kickstart_data_file:file create_file_perms;
-allow kickstart kickstart_data_file:dir rw_dir_perms;
-allow kickstart radio_efs_file:file r_file_perms;
-allow kickstart radio_efs_file:dir search;
-
-# Let qcks access /dev/mdm node (modem driver)
-allow kickstart radio_device:chr_file rw_file_perms;
-
-# Allow /dev/ttyUSB0 access
-allow kickstart radio_device:chr_file { write ioctl getattr };
-
-# Allow to run toolbox commands
-allow kickstart shell_exec:file rx_file_perms;
-# Toolbox commands for firmware dd
-allow kickstart system_file:file execute_no_trans;
-
-# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
-allow kickstart block_device:dir { getattr write search };
-
-# Set system property key
-allow kickstart radio_prop:property_service set;
-
-allow kickstart shell_exec:file entrypoint;
-# ls on /data/qcks/
-allow kickstart self:capability { dac_override setuid };
-
-# XXX Label sysfs files with a specific type?
-allow kickstart sysfs:file rw_file_perms;
\ No newline at end of file
diff --git a/selinux/ks.te b/selinux/ks.te
new file mode 100644
index 0000000..62dc281
--- /dev/null
+++ b/selinux/ks.te
@@ -0,0 +1,6 @@
+type ks, domain;
+type ks_exec, exec_type, file_type;
+
+init_daemon_domain(ks)
+domain_trans(init, rootfs, ks)
+
diff --git a/selinux/macloader.te b/selinux/macloader.te
new file mode 100644
index 0000000..000a711
--- /dev/null
+++ b/selinux/macloader.te
@@ -0,0 +1 @@
+allow macloader efs_file:file { read getattr open };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 35dce7b..3ebbf85 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,8 +1,11 @@
-qmux_socket(mediaserver)
-allow mediaserver self:socket create_socket_perms;
-allow mediaserver { firmware_camera }:file r_file_perms;
-allow mediaserver firmware_camera:dir r_dir_perms;
-allow mediaserver camera_data_file:file rw_file_perms;
-
-# Bluetooth audio
-allow mediaserver bluetooth:unix_stream_socket { connectto };
+allow mediaserver camera_data_file:file write;
+allow mediaserver mnt_user_file:dir search;
+allow mediaserver storage_file:dir search;
+allow mediaserver storage_file:lnk_file read;
+allow mediaserver self:socket create;
+allow mediaserver socket_device:dir write;
+allow mediaserver socket_device:dir add_name;
+allow mediaserver socket_device:sock_file create;
+allow mediaserver socket_device:sock_file write;
+allow mediaserver qmuxd:unix_stream_socket connectto;
+allow mediaserver socket_device:sock_file setattr;
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
deleted file mode 100755
index 11159a4..0000000
--- a/selinux/netmgrd.te
+++ /dev/null
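Review bot: `allow macloader efs_file:file { read getattr open };` grants read on every file carrying the efs_file label, i.e. everything under /efs without a more specific context, presumably because the `/efs/wifi/.mac.info u:object_r:wifi_data_file:s0` entry is dropped from file_contexts in this same patch and the file fell back to efs_file. Restore that file_contexts line (and give macloader `wifi_data_file` read if the base policy lacks it) rather than opening the whole EFS partition — which holds factory and identity data such as the `/efs/FactoryApp/*` files the old contexts listed — to the MAC loader.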
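Review bot: the new `socket_device:dir { write add_name }` and `socket_device:sock_file { create write setattr }` rules let mediaserver create its qmux client socket directly under /dev/socket with the generic socket_device label, because the deleted `qmux_socket()` macro (per-client `$1_qmuxd_socket` type via `file_type_auto_trans`) is not replaced by anything. With qmuxd.te and rild.te granted `socket_device:sock_file unlink` in the same patch, each of these daemons can remove or replace any other daemon's socket in /dev/socket, not just its own. Reinstate the per-client socket type (`type mediaserver_qmuxd_socket, file_type;` plus a `file_type_auto_trans` from the `/dev/socket/qmux_*` directories) so unlink rights stay scoped. `allow mediaserver self:socket create;` is the generic socket class, i.e. a socket family the policy does not classify; a comment naming the family would help.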
@@ -1,29 +0,0 @@
-# Network utilities (radio process)
-type netmgrd, domain;
-type netmgrd_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(netmgrd)
-
-allow netmgrd self:udp_socket { create ioctl };
-# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
-allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
-allow netmgrd self:packet_socket { write bind read create };
-allow netmgrd self:netlink_socket { write read create bind setopt };
-allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
-allow netmgrd kernel:system module_request;
-
-# Talk to qmuxd
-qmux_socket(netmgrd)
-
-# Allow logging diagnostic items
-allow netmgrd diagnostic_device:chr_file rw_file_perms;
-
-# /data/data_test/ access with shell
-allow netmgrd shell_exec:file { execute read open execute_no_trans };
-allow netmgrd system_file:file { execute_no_trans };
-
-# Talk to init over the property socket
-unix_socket_connect(netmgrd, property, init)
-# Set net.rmnet_usb0. values
-allow netmgrd radio_prop:property_service set;
diff --git a/selinux/qcks.te b/selinux/qcks.te
new file mode 100644
index 0000000..cb72379
--- /dev/null
+++ b/selinux/qcks.te
@@ -0,0 +1,23 @@
+type qcks, domain;
+type qcks_exec, exec_type, file_type;
+
+init_daemon_domain(qcks)
+domain_trans(init, rootfs, qcks)
+
+allow qcks efsks_exec:file { read getattr open execute execute_no_trans };
+allow qcks ks_exec:file { read getattr open execute execute_no_trans };
+allow qcks mmc_block_device:blk_file getattr;
+allow qcks radio_device:chr_file { read getattr open ioctl };
+allow qcks self:capability setuid;
+allow qcks serial_device:chr_file { read write getattr open ioctl };
+allow qcks shell_exec:file execute_no_trans;
+allow qcks vfat:file { read getattr open };
+allow qcks mmc_block_device:blk_file { read open };
+allow qcks radio_data_file:dir search;
+allow qcks radio_data_file:file { read write getattr open };
+allow qcks radio_data_file:file setattr;
+allow qcks mmc_block_device:blk_file write;
+allow qcks vfat:dir search;
+allow qcks shell_exec:file { read execute open };
+allow qcks radio_device:dir search;
+allow qcks unlabeled:dir search;
diff --git a/selinux/qmiproxy.te b/selinux/qmiproxy.te
new file mode 100644
index 0000000..ae0a0b7
--- /dev/null
+++ b/selinux/qmiproxy.te
@@ -0,0 +1,11 @@
+type qmiproxy, domain;
+type qmiproxy_exec, exec_type, file_type;
+
+init_daemon_domain(qmiproxy)
+domain_trans(init, rootfs, qmiproxy)
+
+allow qmiproxy radio_prop:property_service set;
+allow qmiproxy init:unix_stream_socket connectto;
+allow qmiproxy property_socket:sock_file write;
+allow qmiproxy socket_device:dir { write add_name };
+allow qmiproxy socket_device:sock_file create;
diff --git a/selinux/qmux.te b/selinux/qmux.te
deleted file mode 100755
index e2a5bbf..0000000
--- a/selinux/qmux.te
+++ /dev/null
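Review bot: `allow qcks mmc_block_device:blk_file write;` together with the `{ read open }` rule gives qcks raw write access to all seventeen `/dev/block/mmcblk0p*` partitions labelled in this patch, whereas the deleted kickstart.te scoped the same dd operation to `efs_block_device` (the m9kefs images). Restore a narrow type for the EFS partitions and grant write on that only. Separately, `efsks_exec` and `ks_exec` are run with `execute_no_trans`, so the efsks and ks domains this patch defines are never entered when qcks spawns them; either use `domain_auto_trans(qcks, efsks_exec, efsks)` (and the same for ks) or drop the empty domains. `unlabeled:dir search` also deserves a comment naming the unlabelled path, since it usually signals a missing file_contexts entry.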
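Review bot: `allow qmiproxy init:unix_stream_socket connectto;` and `allow qmiproxy property_socket:sock_file write;` are the hand-expanded form of `unix_socket_connect(qmiproxy, property, init)`, and together with `radio_prop:property_service set` this is what the `set_prop(qmiproxy, radio_prop)` macro in MM's te_macros provides (verify against the platform copy); use the macro, as the deleted kickstart.te/netmgrd.te did with `unix_socket_connect`, so the rules stay in step with the platform's property-socket handling. The `socket_device` create rules have the same scoping problem as in mediaserver.te: the socket gets the generic /dev/socket label because no `file_type_auto_trans` to a qmiproxy-owned socket type is declared.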
@@ -1,21 +0,0 @@
-# Qualcomm Management Interface Multiplexer
-type qmux, domain;
-type qmux_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(qmux)
-
-# Create local qmux_connect_socket
-allow qmux qmuxd_socket:dir w_dir_perms;
-allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
-
-# /dev/hsicctl* node access
-allow qmux radio_device:chr_file rw_file_perms;
-
-# Allow logging diagnostic items
-allow qmux diagnostic_device:chr_file rw_file_perms;
-
-allow qmux self:capability { dac_override setuid };
-
-# XXX Should we label with own type
-allow qmux sysfs:file { open write append read getattr };
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
new file mode 100644
index 0000000..4ef03ec
--- /dev/null
+++ b/selinux/qmuxd.te
@@ -0,0 +1,13 @@
+type qmuxd, domain;
+type qmuxd_exec, exec_type, file_type;
+
+init_daemon_domain(qmuxd)
+domain_trans(init, rootfs, qmuxd)
+
+allow qmuxd radio_device:chr_file { read write open };
+allow qmuxd radio_device:dir search;
+allow qmuxd radio_device:file { write open };
+allow qmuxd socket_device:dir { write remove_name add_name };
+allow qmuxd socket_device:sock_file { create unlink getattr setattr };
+allow qmuxd self:capability { setuid setpcap };
+allow qmuxd sysfs_wake_lock:file { open append };
diff --git a/selinux/radio_device.te b/selinux/radio_device.te
new file mode 100644
index 0000000..2f1fd45
--- /dev/null
+++ b/selinux/radio_device.te
@@ -0,0 +1 @@
+allow radio_device sysfs:filesystem associate;
diff --git a/selinux/rild.te b/selinux/rild.te
old mode 100755
new mode 100644
index 04209b0..d55d205
--- a/selinux/rild.te
+++ b/selinux/rild.te
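Review bot: `allow qmuxd socket_device:sock_file { create unlink getattr setattr };` lets qmuxd unlink any sock_file in /dev/socket that carries the generic socket_device label, whereas the deleted qmux.te and te_macros confined qmuxd's unlink to the `qmuxd_socket` directories and the per-client `*_qmuxd_socket` types. Re-add a `qmuxd_socket` file type for `/dev/socket/qmux_*(/.*)?` in file.te and file_contexts and scope both the dir and sock_file rules to it. `self:capability setpcap` and `radio_device:file { write open }` (presumably a sysfs attribute under the hsicctl or bcm subtree) each need a comment naming the operation that required them, as the old file had.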
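Review bot: `allow radio_device sysfs:filesystem associate;` is only needed because file_contexts now applies the `dev_type` radio_device to sysfs paths (`/sys/devices/virtual/hsicctl`, `/sys/devices/platform/bcm`). The platform convention is a dedicated sysfs type, e.g. `type sysfs_radio, fs_type, sysfs_type;` in file.te, labelled on those two subtrees; then the `radio_device:file` rules in bluetooth.te, qmuxd.te and ueventd.te read unambiguously as sysfs grants, the `sysfs_type`-wide platform rules apply to those attributes, and this associate rule goes away.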
@@ -1,14 +1,6 @@
-## RIL
-allow rild radio_device:chr_file rw_file_perms;
-allow rild { efs_file }:file rw_file_perms;
-allow rild self:netlink_socket { create bind read write };
-allow rild self:netlink_route_socket { write };
-
-# Talk to qmuxd
-qmux_socket(rild)
-
-# Allow logging diagnostic items
-allow rild diagnostic_device:chr_file rw_file_perms;
-
-# XXX label with own type?
-allow rild sysfs:file { read open write getattr };
+allow rild proc_net:file write;
+allow rild qmuxd:unix_stream_socket connectto;
+allow rild socket_device:dir { write add_name };
+allow rild socket_device:sock_file { write create setattr };
+allow rild socket_device:dir remove_name;
+allow rild socket_device:sock_file unlink;
diff --git a/selinux/secril.te b/selinux/secril.te
deleted file mode 100644
index 7761d80..0000000
--- a/selinux/secril.te
+++ /dev/null
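Review bot: `allow rild proc_net:file write;` lets rild write to any file carrying the proc_net label (the /proc/sys/net tree on AOSP), which is a kernel tuning surface rather than radio state; if one specific sysctl is needed, name it in a comment and consider whether rild or netd should own that write. The socket_device rules (`create`, `setattr`, `unlink`, `remove_name`) give rild's qmux client socket the generic /dev/socket label, so rild can unlink sockets other than its own; restore the per-client `rild_qmuxd_socket` type that the deleted `qmux_socket(rild)` macro produced. Dropping `radio_device:chr_file rw_file_perms` means rild no longer opens `/dev/mdm` itself and goes through qmuxd — worth a one-line note at the top of the file.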
@@ -1,25 +0,0 @@
-# sec-ril
-type secril-daemon, domain;
-type secril-daemon_exec, exec_type, file_type;
-
-# Start /system/bin/sec-ril from init
-init_daemon_domain(secril-daemon)
-
-allow secril-daemon secril-daemon_exec:file { open execute_no_trans getattr };
-allow secril-daemon self:udp_socket { create ioctl };
-unix_socket_connect(secril-daemon, property, init)
-unix_socket_connect(secril-daemon, rild, rild)
-
-allow secril-daemon { efs_file }:file rw_file_perms;
-allow secril-daemon system_data_file:dir create_dir_perms;
-allow secril-daemon system_data_file:file unlink;
-allow secril-daemon radio_data_file:file { create_file_perms };
-allow secril-daemon kernel:system module_request;
-allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
-allow secril-daemon system_file:file x_file_perms;
-allow secril-daemon sysfs:file rw_file_perms;
-allow secril-daemon shell_exec:file rx_file_perms;
-allow secril-daemon app_data_file:file rw_file_perms;
-allow secril-daemon app_data_file:dir search;
-allow secril-daemon zygote_exec:file rx_file_perms;
-allow secril-daemon ashmem_device:chr_file x_file_perms;
\ No newline at end of file
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..1185361
--- /dev/null
+++ b/selinux/sysinit.te
@@ -0,0 +1,5 @@
+allow sysinit camera_data_file:dir { read open };
+allow sysinit camera_data_file:file setattr;
+allow sysinit self:capability { fowner chown fsetid };
+allow sysinit camera_data_file:dir getattr;
+allow sysinit camera_data_file:file { read write getattr open };
diff --git a/selinux/system.te b/selinux/system.te
deleted file mode 100755
index bc8212b..0000000
--- a/selinux/system.te
+++ /dev/null
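Review bot: `allow sysinit self:capability { fowner chown fsetid };` are process-wide capabilities, not scoped to camera_data_file, so they let the init.d runner chown/chmod anything its DAC identity can reach; the surrounding rules suggest the actual need is a chown/chmod of `/data/cfw` or `/data/ISP_CV` (now camera_data_file). Document that in a comment above the rule and, if the ownership fix can be expressed as an init.rc `chown`/`chmod` line instead, drop the capabilities here. `camera_data_file:file { read write getattr open }` also now covers `/system/vendor/firmware/SlimISP` because of this patch's file_contexts — labelling firmware under /system with a data-file type is unusual and is probably better served by its own type.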
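Review bot: `allow system_server self:capability sys_module;` hands CAP_SYS_MODULE — the ability to load arbitrary kernel modules — to the largest privileged domain on the device, which is almost never what a denial actually needs. If the audit line was for an on-demand driver load, the fix is `allow system_server kernel:system module_request;` (the form the deleted netmgrd.te/secril.te used for the same need), and even that should carry a comment naming the module. Also `allow system_server efs_file:file read;` without `open` cannot satisfy a path open of a file, so it is either an incomplete copy from audit2allow or should be `{ read getattr open }` on a type narrower than efs_file, which is the EFS partition's default label.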
@@ -1,12 +0,0 @@
-# Talk to qmuxd
-qmux_socket(system)
-
-allow system diagnostic_device:chr_file rw_file_perms;
-allow system sensors_device:chr_file { read open };
-allow system sensors_data_file:file r_file_perms;
-allow system wpa_socket:unix_dgram_socket sendto;
-allow system_app volume_data_file:file { read write open getattr };
-
-allow system sysfs:file { read open write };
-allow system self:capability { sys_module };
-
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..5f36b6f
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,8 @@
+allow system_server efs_file:dir search;
+allow system_server uhid_device:chr_file { read write };
+allow system_server self:capability sys_module;
+allow system_server socket_device:dir write;
+allow system_server sensors_device:chr_file { read write };
+allow system_server socket_device:dir add_name;
+allow system_server uhid_device:chr_file open;
+allow system_server efs_file:file read;
diff --git a/selinux/te_macros b/selinux/te_macros
deleted file mode 100755
index 274fd55..0000000
--- a/selinux/te_macros
+++ /dev/null
@@ -1,12 +0,0 @@
-#####################################
-# qmux_socket(clientdomain)
-# Allow client to send via a local
-# socket to the qmux domain.
-define(`qmux_socket', `
-type $1_qmuxd_socket, file_type;
-file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
-unix_socket_connect($1, qmuxd, qmux)
-allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
-')
-
-
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index fd1852b..c26cdeb 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -1,11 +1,2 @@
-# Drivers read firmware files /firmware/image
-allow ueventd { radio_efs_file }:file r_file_perms;
-allow ueventd { radio_efs_file }:dir search;
-
-# MFC firmware
-allow ueventd { firmware_mfc }:file r_file_perms;
-
-# Camera related firmwares
-allow ueventd { firmware_camera }:dir search;
-allow ueventd { firmware_camera }:file r_file_perms;
-
+allow ueventd radio_device:file getattr;
+allow ueventd radio_device:file { write open };
diff --git a/selinux/wpa.te b/selinux/wpa.te
new file mode 100644
index 0000000..af92d77
--- /dev/null
+++ b/selinux/wpa.te
@@ -0,0 +1 @@
+allow wpa radio_device:chr_file read;
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
deleted file mode 100755
index ab5fb24..0000000
--- a/selinux/wpa_supplicant.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow wpa init:unix_dgram_socket { read write };
-
-# logwrapper used with wpa_supplicant
-allow wpa devpts:chr_file { read write };
-
-allow wpa wpa_socket:unix_dgram_socket { read write };
-allow wpa_socket system:unix_dgram_socket sendto;
-
-allow wpa_socket wifi_data_file:sock_file unlink;
-allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
-- 
cgit v1.1
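Review bot: `allow ueventd radio_device:file { write open };` is a write to sysfs attributes now labelled radio_device (`/sys/devices/virtual/hsicctl`, `/sys/devices/platform/bcm`), which ueventd would touch either through ueventd.rc permission lines (that needs `setattr`, not `write`) or through the kernel firmware-load protocol (the `loading`/`data` files under the device's sysfs node). The removed firmware rules suggest the latter; say so with a comment such as `# firmware load for the HSIC modem / bcm BT: writes loading/data under the device's sysfs node`, and confirm the firmware files themselves still have a label ueventd can read now that `radio_efs_file` and `firmware_*` are gone. The `getattr` rule on the line above can be folded into the same statement.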
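Review bot: `allow wpa radio_device:chr_file read;` replaces the old `rfkill_device` rule, but because this patch relabels `/dev/rfkill` to radio_device together with `/dev/mdm` and `/dev/hsicctl0-3`, wpa_supplicant can now read from the modem control nodes as well. Keep `type rfkill_device, dev_type;` (removed from device.te here) and the `/dev/rfkill u:object_r:rfkill_device:s0` context, and write this rule against that type. The old rule was `rw_file_perms`, so confirm that read alone is enough — wpa_supplicant's rfkill monitor normally opens the node read-only, but a denial on write would only show up once Wi-Fi is toggled.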