From 21ab75dbbec3cc2023ac32e1c31b6eb6288bcd0c Mon Sep 17 00:00:00 2001
From: RGIB
Date: Tue, 29 Nov 2016 00:38:19 +0100
Subject: i9305 : update selinux and fstab to avoid bootloop
Change-Id: Id3b4503f328b4dcc353cec4cf7b8d9d30c4e5e97
---
 rootdir/fstab.smdk4x12 | 25 +++++++++++++------------
 rootdir/init.target.rc | 26 +++++++++++++-------------
 selinux/device.te | 1 -
 selinux/domain.te | 3 +++
 selinux/efsks.te | 1 -
 selinux/file_contexts | 2 ++
 selinux/fsck.te | 3 +--
 selinux/ks.te | 1 -
 selinux/macloader.te | 1 +
 selinux/mediaserver.te | 10 ++++------
 selinux/qcks.te | 10 +++-------
 selinux/rild.te | 6 ++----
 selinux/sysinit.te | 6 ++----
 selinux/system_server.te | 10 +++++-----
 selinux/ueventd.te | 3 +--
 selinux/vold.te | 1 +
 16 files changed, 51 insertions(+), 58 deletions(-)
 create mode 100644 selinux/domain.te
 create mode 100644 selinux/vold.te
diff --git a/rootdir/fstab.smdk4x12 b/rootdir/fstab.smdk4x12
index 375320d..a8ce248 100644
--- a/rootdir/fstab.smdk4x12
+++ b/rootdir/fstab.smdk4x12
@@ -1,20 +1,21 @@
 # Android fstab file.
-#
+#
 # The filesystem that contains the filesystem checker binary (typically /system) cannot
 # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
 # data partition must be located at the bottom for supporting device encryption
-/dev/block/platform/dw_mmc/by-name/SYSTEM /system ext4 ro wait
-/dev/block/platform/dw_mmc/by-name/EFS /efs ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check
-/dev/block/platform/dw_mmc/by-name/CACHE /cache ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check
-/dev/block/platform/dw_mmc/by-name/RADIO /firmware vfat ro,shortname=lower,fmask=0133,dmask=0022 wait
-/dev/block/platform/dw_mmc/by-name/USERDATA /data ext4 noatime,nosuid,nodev,noauto_da_alloc,journal_async_commit,errors=panic wait,check,encryptable=footer
-/dev/block/platform/dw_mmc/by-name/TOMBSTONES /tombstones ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check
+
+/dev/block/platform/dw_mmc/by-name/SYSTEM /system ext4 ro wait
+/dev/block/platform/dw_mmc/by-name/EFS /efs ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check
+/dev/block/platform/dw_mmc/by-name/CACHE /cache ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check
+/dev/block/platform/dw_mmc/by-name/RADIO /firmware vfat ro,shortname=lower,fmask=0133,dmask=0022 wait
+/dev/block/platform/dw_mmc/by-name/USERDATA /data ext4 noatime,nosuid,nodev,noauto_da_alloc,discard,journal_async_commit,errors=panic wait,check,encryptable=footer
+/dev/block/platform/dw_mmc/by-name/TOMBSTONES /tombstones ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check
 # vold-managed volumes ("block device" is actually a sysfs devpath)
-/devices/platform/s3c-sdhci.2/mmc_host/mmc1* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata
-/devices/platform/s5p-ehci* auto auto defaults voldmanaged=usb:auto,noemulatedsd
+/devices/platform/s3c-sdhci.2/mmc_host/mmc1* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata
+/devices/platform/s5p-ehci* auto auto defaults voldmanaged=usb:auto,noemulatedsd
 # recovery
-/dev/block/platform/dw_mmc/by-name/BOOT /boot emmc defaults recoveryonly
-/dev/block/platform/dw_mmc/by-name/RECOVERY /recovery emmc defaults recoveryonly
-/dev/block/platform/dw_mmc/by-name/RADIO /modem emmc defaults recoveryonly
+/dev/block/platform/dw_mmc/by-name/BOOT /boot emmc defaults recoveryonly
+/dev/block/platform/dw_mmc/by-name/RECOVERY /recovery emmc defaults recoveryonly
+/dev/block/platform/dw_mmc/by-name/RADIO /modem emmc defaults recoveryonly
diff --git a/rootdir/init.target.rc b/rootdir/init.target.rc
index 6593331..6060a85 100644
--- a/rootdir/init.target.rc
+++ b/rootdir/init.target.rc
@@ -41,6 +41,10 @@ on init
 on post-fs-data
 #########################################################################################################################
+# wifi
+ write /data/.cid.info 0
+ restorecon /data/.cid.info
+
 chown system radio /dev/block/platform/dw_mmc/by-name
 chmod 0775 /dev/block/platform/dw_mmc/by-name
@@ -67,20 +71,10 @@ on post-fs-data
 write /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal 1
 # Restorecon
- restorecon /efs/bluetooth/bt_addr
- restorecon /efs/FactoryApp/keystr
- restorecon /efs/FactoryApp/factorymode
- restorecon /efs/FactoryApp/serial_no
- restorecon /efs/imei/mps_code.dat
- restorecon /efs/wifi/.mac.info
- restorecon /tombstones
- restorecon /tombstones/qcks
- restorecon /tombstones/qcks/acdb.bin
- restorecon /tombstones/qcks/efs1.bin
- restorecon /tombstones/qcks/efs2.bin
- restorecon /tombstones/qcks/efs3.bin
- restorecon /tombstones/qcks/temp.dump
+ restorecon_recursive /efs
+ restorecon_recursive /tombstones
 restorecon /data/.cid.info
+ restorecon /data/ISP_CV
 # Waketime fot fast dormancy
 chown system radio /sys/devices/platform/mdm_hsic_pm0/waketime
@@ -110,6 +104,12 @@ on property:sys.boot_completed=1
 write /sys/power/cpufreq_min_limit -1
 # SISO-ANDR_PERF :: END
+on property:init.svc.macloader=stopped
+ chown system root /data/.cid.info
+ chmod 0666 /data/.cid.info
+ chown system root /data/.rev
+ chmod 0666 /data/.rev
+
 #########################################################################################################################
 on boot
 #########################################################################################################################
diff --git a/selinux/device.te b/selinux/device.te
index 53e4bf4..abb0e19 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,3 +1,2 @@
 type mmc_block_device, dev_type;
 type efs_device_file, file_type;
-
diff --git a/selinux/domain.te b/selinux/domain.te
new file mode 100644
index 0000000..74c7d76
--- /dev/null
+++ b/selinux/domain.te
@@ -0,0 +1,3 @@
+allow domain kernel:system module_request;
+allow domain log_device:chr_file { read write open };
+allow domain log_device:dir search;
diff --git a/selinux/efsks.te b/selinux/efsks.te
index 3635159..2fb76b1 100644
--- a/selinux/efsks.te
+++ b/selinux/efsks.te
@@ -3,4 +3,3 @@ type efsks_exec, exec_type, file_type;
 init_daemon_domain(efsks)
 domain_trans(init, rootfs, efsks)
-
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 1b3d289..a0cddd3 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -33,6 +33,8 @@
 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
 /tombstones/qcks(/.*)? u:object_r:radio_data_file:s0
+/efs/FactoryApp(/.*)? u:object_r:radio_data_file:s0
+/efs/imei u:object_r:radio_data_file:s0
 /dev/block/mmcblk0p0 u:object_r:mmc_block_device:s0
 /dev/block/mmcblk0p1 u:object_r:mmc_block_device:s0
diff --git a/selinux/fsck.te b/selinux/fsck.te
index d2fcb8f..533eedd 100644
--- a/selinux/fsck.te
+++ b/selinux/fsck.te
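Review bot: `chmod 0666 /data/.cid.info` and `chmod 0666 /data/.rev` in the new `on property:init.svc.macloader=stopped` block leave both files world-writable, so any app or shell user can overwrite the CID and revision values that the wifi stack later reads; the `restorecon /data/.cid.info` in the earlier hunk limits this only as far as the file's SELinux label (presumably wifi_data_file, going by the new macloader rule) and its allow rules do. Unless a consumer running as a uid other than the owner has to write them, `chmod 0644 /data/.cid.info` and `chmod 0644 /data/.rev` keep the files readable while confining writes to `system`. Which process reads these files, and under which uid, is not visible in this commit.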
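Review bot: `allow domain kernel:system module_request;` in the new selinux/domain.te lets every process on the device trigger kernel module autoloading, which is far broader than the single denial that presumably motivated it; scoping the rule to the domain that was actually denied (`allow <denied_domain> kernel:system module_request;`) keeps the module loader reachable only from processes that need it. The two `log_device` rules are attached to `domain` as well; if the platform policy for this Android release already grants equivalent access to all domains they are redundant, and if it does not, per-domain grants are preferable for the same reason. A one-line comment above each rule naming the domain and operation that needed it would let a later reviewer tighten them.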
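Review bot: `/efs/imei u:object_r:radio_data_file:s0` matches only the directory itself, while the line above it, `/efs/FactoryApp(/.*)?`, covers the whole subtree; if the files under /efs/imei are meant to be radio_data_file too (the removed init.target.rc lines restorecon'd `/efs/imei/mps_code.dat` individually), the entry should read `/efs/imei(/.*)? u:object_r:radio_data_file:s0`, and since `restorecon_recursive /efs` now runs at post-fs-data whichever pattern is chosen is applied on every boot. Relabeling parts of /efs from efs_file to radio_data_file also extends access to every domain already allowed radio_data_file (qcks in this commit, others in policy not shown), so a comment above the two entries naming the consumer that needs them would document why the wider label is acceptable.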
@@ -1,3 +1,2 @@
-allow fsck mmc_block_device:blk_file ioctl;
 allow fsck self:capability dac_override;
-allow fsck mmc_block_device:blk_file { read write getattr open };
+allow fsck mmc_block_device:blk_file { ioctl read write getattr open };
diff --git a/selinux/ks.te b/selinux/ks.te
index 62dc281..e4667b3 100644
--- a/selinux/ks.te
+++ b/selinux/ks.te
@@ -3,4 +3,3 @@ type ks_exec, exec_type, file_type;
 init_daemon_domain(ks)
 domain_trans(init, rootfs, ks)
-
diff --git a/selinux/macloader.te b/selinux/macloader.te
index 000a711..386dfe5 100644
--- a/selinux/macloader.te
+++ b/selinux/macloader.te
@@ -1 +1,2 @@
 allow macloader efs_file:file { read getattr open };
+allow macloader wifi_data_file:file create;
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 3ebbf85..5f41f1a 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,11 +1,9 @@
-allow mediaserver camera_data_file:file write;
+allow mediaserver camera_data_file:file { write open };
 allow mediaserver mnt_user_file:dir search;
 allow mediaserver storage_file:dir search;
 allow mediaserver storage_file:lnk_file read;
 allow mediaserver self:socket create;
-allow mediaserver socket_device:dir write;
-allow mediaserver socket_device:dir add_name;
-allow mediaserver socket_device:sock_file create;
-allow mediaserver socket_device:sock_file write;
+allow mediaserver socket_device:dir { add_name write };
+allow mediaserver socket_device:sock_file { setattr write create };
 allow mediaserver qmuxd:unix_stream_socket connectto;
-allow mediaserver socket_device:sock_file setattr;
+allow mediaserver mnt_user_file:lnk_file read;
diff --git a/selinux/qcks.te b/selinux/qcks.te
index cb72379..7e8ac4a 100644
--- a/selinux/qcks.te
+++ b/selinux/qcks.te
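Review bot: `allow macloader wifi_data_file:file create;` grants only the create permission, but creating a file also requires `add_name write` on the directory's type and, to put anything into the new file, `write open` on the file; if the next boot log still shows wifi_data_file denials for macloader, the intended rule is probably `allow macloader wifi_data_file:file { create write open };` alongside the matching `wifi_data_file:dir { add_name write }` rule. Whether those permissions are already granted elsewhere in the policy is not visible in this commit.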
@@ -6,18 +6,14 @@ domain_trans(init, rootfs, qcks)
 allow qcks efsks_exec:file { read getattr open execute execute_no_trans };
 allow qcks ks_exec:file { read getattr open execute execute_no_trans };
-allow qcks mmc_block_device:blk_file getattr;
+allow qcks mmc_block_device:blk_file { read open write getattr };
 allow qcks radio_device:chr_file { read getattr open ioctl };
 allow qcks self:capability setuid;
 allow qcks serial_device:chr_file { read write getattr open ioctl };
-allow qcks shell_exec:file execute_no_trans;
 allow qcks vfat:file { read getattr open };
-allow qcks mmc_block_device:blk_file { read open };
 allow qcks radio_data_file:dir search;
-allow qcks radio_data_file:file { read write getattr open };
-allow qcks radio_data_file:file setattr;
-allow qcks mmc_block_device:blk_file write;
+allow qcks radio_data_file:file { setattr read write getattr open };
 allow qcks vfat:dir search;
-allow qcks shell_exec:file { read execute open };
+allow qcks shell_exec:file { execute_no_trans read execute open };
 allow qcks radio_device:dir search;
 allow qcks unlabeled:dir search;
diff --git a/selinux/rild.te b/selinux/rild.te
index d55d205..45d2b59 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -1,6 +1,4 @@
 allow rild proc_net:file write;
 allow rild qmuxd:unix_stream_socket connectto;
-allow rild socket_device:dir { write add_name };
-allow rild socket_device:sock_file { write create setattr };
-allow rild socket_device:dir remove_name;
-allow rild socket_device:sock_file unlink;
+allow rild socket_device:dir { remove_name write add_name };
+allow rild socket_device:sock_file { unlink write create setattr };
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
index 1185361..6ba2577 100644
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
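Review bot: `allow qcks mmc_block_device:blk_file { read open write getattr };` gives qcks read and write access to every node carrying the mmc_block_device label, which per the file_contexts hunk in this commit covers `/dev/block/mmcblk0p0`, `/dev/block/mmcblk0p1` and presumably the remaining raw eMMC partitions, so a compromised qcks could rewrite partitions it has no reason to touch. If qcks only needs the modem/EFS images it copies under /tombstones/qcks (going by the removed restorecon lines in init.target.rc), giving those partition nodes a dedicated type in file_contexts and restricting `write` to that type would contain the damage; combined with the `self:capability setuid` context rule and the new `shell_exec:file { execute_no_trans read execute open }` line, the domain is currently quite powerful. A one-line comment above the rule naming which partitions qcks writes would help the next reviewer judge the scope.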
@@ -1,5 +1,3 @@
-allow sysinit camera_data_file:dir { read open };
-allow sysinit camera_data_file:file setattr;
 allow sysinit self:capability { fowner chown fsetid };
-allow sysinit camera_data_file:dir getattr;
-allow sysinit camera_data_file:file { read write getattr open };
+allow sysinit camera_data_file:file { create setattr read write getattr open };
+allow sysinit camera_data_file:dir { read open search write add_name getattr };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 5f36b6f..0212c0a 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -1,8 +1,8 @@
 allow system_server efs_file:dir search;
-allow system_server uhid_device:chr_file { read write };
+allow system_server uhid_device:chr_file { ioctl open read write };
 allow system_server self:capability sys_module;
-allow system_server socket_device:dir write;
 allow system_server sensors_device:chr_file { read write };
-allow system_server socket_device:dir add_name;
-allow system_server uhid_device:chr_file open;
-allow system_server efs_file:file read;
+allow system_server socket_device:dir { write add_name };
+allow system_server efs_file:file { open read };
+allow system_server qmuxd:unix_stream_socket connectto;
+allow system_server socket_device:sock_file { write create setattr };
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index c26cdeb..6cc7795 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -1,2 +1 @@
-allow ueventd radio_device:file getattr;
-allow ueventd radio_device:file { write open };
+allow ueventd radio_device:file { getattr write open };
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..e6b5f60
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1 @@
+allow vold efs_file:dir { open read ioctl };
--
cgit v1.1
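Review bot: `allow system_server socket_device:sock_file { write create setattr };` together with the new `socket_device:dir { write add_name }` rule lets system_server create or replace any socket node under /dev/socket that carries the generic socket_device label, which presumably includes sockets init creates for other daemons; a narrower approach is to give the socket system_server needs its own type in file_contexts and allow `create setattr write` on that type only. The `self:capability sys_module` line is context rather than part of this change, but a comment next to the new rules noting that this domain can also load kernel modules would help anyone auditing its reach. Which socket system_server is creating is not visible in the commit.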