diff options
| author | RGIB <gibellini.roberto@gmail.com> | 2015-11-11 09:28:53 +0100 |
|---|---|---|
| committer | RGIB <gibellini.roberto@gmail.com> | 2015-11-11 09:28:53 +0100 |
| commit | 2204ce90e769255d28128b386534887a1985c2e1 (patch) | |
| tree | 659409ac6412110f36ad5e6deaa19f879120716f /selinux | |
| parent | 60f60d92bbc80777090ac6d6da19734b254c8687 (diff) | |
| download | device_samsung_kona-common-2204ce90e769255d28128b386534887a1985c2e1.zip device_samsung_kona-common-2204ce90e769255d28128b386534887a1985c2e1.tar.gz device_samsung_kona-common-2204ce90e769255d28128b386534887a1985c2e1.tar.bz2 | |
kona-common: update SElinux
Change-Id: Ie567c28195e029980e1dd2554c9f0ad489b0a4ba
Diffstat (limited to 'selinux')
| -rw-r--r-- | selinux/adbd.te | 1 | ||||
| -rw-r--r-- | selinux/debuggerd.te | 1 | ||||
| -rw-r--r-- | selinux/dex2oat.te | 2 | ||||
| -rw-r--r-- | selinux/init.te | 6 | ||||
| -rw-r--r-- | selinux/mediaserver.te | 2 | ||||
| -rw-r--r-- | selinux/platform_app.te | 1 | ||||
| -rw-r--r-- | selinux/radio.te | 2 | ||||
| -rw-r--r-- | selinux/sdcardd.te | 1 | ||||
| -rw-r--r-- | selinux/secril.te | 4 | ||||
| -rw-r--r-- | selinux/shared_relro.te | 1 | ||||
| -rw-r--r-- | selinux/shell.te | 4 | ||||
| -rw-r--r-- | selinux/system_app.te | 2 | ||||
| -rw-r--r-- | selinux/system_server.te | 5 | ||||
| -rw-r--r-- | selinux/untrusted_app.te | 2 | ||||
| -rw-r--r-- | selinux/wpa.te | 1 | ||||
| -rw-r--r-- | selinux/zygote.te | 1 |
16 files changed, 31 insertions, 5 deletions
diff --git a/selinux/adbd.te b/selinux/adbd.te new file mode 100644 index 0000000..8776373 --- /dev/null +++ b/selinux/adbd.te @@ -0,0 +1 @@ +allow adbd kernel:system module_request; diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te new file mode 100644 index 0000000..f60e6e3 --- /dev/null +++ b/selinux/debuggerd.te @@ -0,0 +1 @@ +allow debuggerd log_device:chr_file { read open }; diff --git a/selinux/dex2oat.te b/selinux/dex2oat.te new file mode 100644 index 0000000..52e724a --- /dev/null +++ b/selinux/dex2oat.te @@ -0,0 +1,2 @@ +allow dex2oat kernel:system module_request; +allow dex2oat log_device:chr_file { write open }; diff --git a/selinux/init.te b/selinux/init.te index 5b87e48..62841da 100644 --- a/selinux/init.te +++ b/selinux/init.te @@ -4,3 +4,9 @@ allow init init:tcp_socket { read write create }; allow init port:tcp_socket name_connect; allow init self:tcp_socket { read write getopt connect }; allow init kernel:system syslog_read; +allow init kernel:system module_request; +allow init log_device:chr_file write; +allow init property_socket:sock_file write; +allow init ril_device:chr_file write; +allow init sdcardd_exec:file { read execute open getattr execute_no_trans }; +allow init system_file:file execute_no_trans; diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te index d2c07f4..0a3970e 100644 --- a/selinux/mediaserver.te +++ b/selinux/mediaserver.te @@ -6,4 +6,4 @@ allow mediaserver camera_data_file:file rw_file_perms; allow mediaserver volume_data_file:file create_file_perms; allow mediaserver volume_data_file:dir create_dir_perms; allow mediaserver mfc_device:chr_file rw_file_perms; -allow mediaserver system_data_file:file { write open };
\ No newline at end of file +# allow mediaserver system_data_file:file { write open }; diff --git a/selinux/platform_app.te b/selinux/platform_app.te new file mode 100644 index 0000000..717139a --- /dev/null +++ b/selinux/platform_app.te @@ -0,0 +1 @@ +allow platform_app log_device:chr_file write; diff --git a/selinux/radio.te b/selinux/radio.te new file mode 100644 index 0000000..427a4c6 --- /dev/null +++ b/selinux/radio.te @@ -0,0 +1,2 @@ +allow radio kernel:system module_request; +allow radio log_device:chr_file { write open }; diff --git a/selinux/sdcardd.te b/selinux/sdcardd.te new file mode 100644 index 0000000..223cbfa --- /dev/null +++ b/selinux/sdcardd.te @@ -0,0 +1 @@ +allow sdcardd kernel:system module_request; diff --git a/selinux/secril.te b/selinux/secril.te index 7761d80..e025a04 100644 --- a/selinux/secril.te +++ b/selinux/secril.te @@ -12,7 +12,7 @@ unix_socket_connect(secril-daemon, rild, rild) allow secril-daemon { efs_file }:file rw_file_perms; allow secril-daemon system_data_file:dir create_dir_perms; -allow secril-daemon system_data_file:file unlink; +# allow secril-daemon system_data_file:file unlink; allow secril-daemon radio_data_file:file { create_file_perms }; allow secril-daemon kernel:system module_request; allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override }; @@ -22,4 +22,4 @@ allow secril-daemon shell_exec:file rx_file_perms; allow secril-daemon app_data_file:file rw_file_perms; allow secril-daemon app_data_file:dir search; allow secril-daemon zygote_exec:file rx_file_perms; -allow secril-daemon ashmem_device:chr_file x_file_perms;
\ No newline at end of file +allow secril-daemon ashmem_device:chr_file x_file_perms; diff --git a/selinux/shared_relro.te b/selinux/shared_relro.te new file mode 100644 index 0000000..1c319ce --- /dev/null +++ b/selinux/shared_relro.te @@ -0,0 +1 @@ +allow shared_relro log_device:chr_file write; diff --git a/selinux/shell.te b/selinux/shell.te index f528d9c..aff526f 100644 --- a/selinux/shell.te +++ b/selinux/shell.te @@ -1 +1,3 @@ -allow shell dalvikcache_data_file:file write; +# allow shell dalvikcache_data_file:file write; +allow shell kernel:system module_request; + diff --git a/selinux/system_app.te b/selinux/system_app.te new file mode 100644 index 0000000..8422942 --- /dev/null +++ b/selinux/system_app.te @@ -0,0 +1,2 @@ +allow system_app log_device:chr_file write; +allow system_app sysfs:file write; diff --git a/selinux/system_server.te b/selinux/system_server.te index f017b31..f1456dc 100644 --- a/selinux/system_server.te +++ b/selinux/system_server.te @@ -1,2 +1,5 @@ allow system_server efs_file:dir search; -allow system_server default_prop:property_service set; +# allow system_server default_prop:property_service set; +allow system_server dex2oat_exec:file { read execute open execute_no_trans }; +allow system_server log_device:chr_file { write open }; +allow system_server system_file:file execmod; diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te index c81150b..b4f8b51 100644 --- a/selinux/untrusted_app.te +++ b/selinux/untrusted_app.te @@ -1,2 +1,4 @@ allow untrusted_app unlabeled:file getattr; allow untrusted_app efs_file:dir getattr; +allow untrusted_app kernel:system module_request; +allow untrusted_app log_device:chr_file { write open }; diff --git a/selinux/wpa.te b/selinux/wpa.te new file mode 100644 index 0000000..09bbb8f --- /dev/null +++ b/selinux/wpa.te @@ -0,0 +1 @@ +allow wpa log_device:chr_file { write open }; diff --git a/selinux/zygote.te b/selinux/zygote.te new file mode 100644 index 0000000..04fc7d3 --- /dev/null +++ b/selinux/zygote.te @@ -0,0 +1 @@ +allow zygote kernel:system module_request; |