authorRGIB <gibellini.roberto@gmail.com>2016-01-16 23:00:52 +0100
committerRGIB <gibellini.roberto@gmail.com>2016-01-16 23:00:52 +0100
commitb1b8ee6ff1bf975a1c02c11360e8faee3276a655 (patch)
treed329a009eb3466e213e08b0ea75b738ee7d6d3bf /selinux
parentb1298aa0863613f0b2338f323b696d2e34db41fc (diff)
kona : selinux update
Change-Id: I45081a265850b0df959830133cc942e55865f92c
Diffstat (limited to 'selinux')
-rw-r--r--selinux/bluetooth.te3
-rw-r--r--selinux/bootanim.te1
-rw-r--r--selinux/debuggerd.te3
-rw-r--r--selinux/gatekeeperd.te1
-rw-r--r--selinux/init.te15
-rw-r--r--selinux/installd.te2
-rw-r--r--selinux/keystore.te2
-rw-r--r--selinux/lmkd.te1
-rw-r--r--selinux/logd.te1
-rw-r--r--selinux/mediaserver.te2
-rw-r--r--selinux/perfprofd.te1
-rw-r--r--selinux/radio.te2
-rwxr-xr-xselinux/rild.te8
-rw-r--r--selinux/servicemanager.te1
-rw-r--r--selinux/shell.te2
-rwxr-xr-xselinux/sysinit.te5
-rw-r--r--selinux/system_server.te3
-rw-r--r--selinux/untrusted_app.te1
-rw-r--r--selinux/vold.te1
-rw-r--r--selinux/zygote.te1
20 files changed, 48 insertions, 8 deletions
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
index a6e68b8..903cc85 100644
--- a/selinux/bluetooth.te
+++ b/selinux/bluetooth.te
@@ -1,2 +1,3 @@
allow bluetooth smd_device:chr_file { read write ioctl open };
-allow bluetooth sysfs:file { write }; \ No newline at end of file
+allow bluetooth sysfs:file { write };
+allow bluetooth log_device:chr_file write;
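Review bot: The log_device grants in this commit do not pair permissions consistently. `allow bluetooth log_device:chr_file write;` here has no `open`, bootanim.te gets `open` without `write`, and init.te gets `write` alone, while most other domains receive `{ write open }`. That looks like rules added one denial at a time, so the next access step will probably be denied again unless the descriptor is inherited. If bluetooth really needs the log device, `allow bluetooth log_device:chr_file { write open };` would match the other files, and a one-line comment naming the denial that prompted the rule would help later audits.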
diff --git a/selinux/bootanim.te b/selinux/bootanim.te
new file mode 100644
index 0000000..4033188
--- /dev/null
+++ b/selinux/bootanim.te
@@ -0,0 +1 @@
+allow bootanim log_device:chr_file open;
diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te
index 1a03fb4..22547e8 100644
--- a/selinux/debuggerd.te
+++ b/selinux/debuggerd.te
@@ -1,2 +1,3 @@
-allow debuggerd log_device:chr_file { read open };
+allow debuggerd log_device:chr_file { write read open };
allow debuggerd log_device:dir search;
+allow debuggerd kernel:system module_request;
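Review bot: `allow debuggerd kernel:system module_request;` lets this domain make the kernel auto-load a module, and the same rule is added for gatekeeperd, init, installd, keystore, perfprofd, shell and sysinit with no comment on which module is being requested. Such denials usually come from a kernel feature that is probed but not built in, so the `kmod=` field of the denial should be used to fix the kernel configuration rather than the policy. Where the request is harmless noise, `dontaudit debuggerd kernel:system module_request;` silences it without granting anything. The grant matters most for keystore and gatekeeperd, which handle credentials and should not gain extra ways to influence the kernel.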
diff --git a/selinux/gatekeeperd.te b/selinux/gatekeeperd.te
new file mode 100644
index 0000000..1d177e0
--- /dev/null
+++ b/selinux/gatekeeperd.te
@@ -0,0 +1 @@
+allow gatekeeperd kernel:system module_request;
diff --git a/selinux/init.te b/selinux/init.te
index d231f03..892872c 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -4,4 +4,17 @@ allow init init:tcp_socket { read write create };
allow init port:tcp_socket name_connect;
allow init self:tcp_socket { read write getopt connect };
allow init kernel:system syslog_read;
-#allow init system_file:file execute_no_trans;
+allow init input_device:chr_file ioctl;
+allow init system_data_file:file lock;
+allow init fwmarkd_socket:sock_file write;
+allow init netd:unix_stream_socket { connectto write };
+allow init ril_device:chr_file ioctl;
+allow init input_device:chr_file write;
+allow init property_socket:sock_file write;
+allow init device:chr_file { create unlink };
+allow init devpts:chr_file { getattr ioctl };
+allow init kernel:system module_request;
+allow init log_device:chr_file write;
+allow init ril_device:chr_file write;
+allow init rild:unix_stream_socket connectto;
+allow init system_data_file:fifo_file write;
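Review bot: These rules give the init domain direct access to the RIL device, input devices, the netd and rild sockets and fwmarkd_socket, which suggests a vendor service is running in init's context rather than init itself needing them. Every rule added here therefore widens the most privileged userspace domain for everything else that runs as init. `allow init device:chr_file { create unlink };` deserves particular care because it covers nodes carrying the generic `device` label rather than a specific device type. A narrower fix would be to give the service its own type with an `init_daemon_domain()` transition and move these rules there, with a comment naming the service. As a style point, the split lines can be merged, e.g. `allow init input_device:chr_file { ioctl write };` and `allow init ril_device:chr_file { ioctl write };`.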
diff --git a/selinux/installd.te b/selinux/installd.te
new file mode 100644
index 0000000..ea127bc
--- /dev/null
+++ b/selinux/installd.te
@@ -0,0 +1,2 @@
+allow installd kernel:system module_request;
+allow installd log_device:chr_file { write open };
diff --git a/selinux/keystore.te b/selinux/keystore.te
new file mode 100644
index 0000000..34e2779
--- /dev/null
+++ b/selinux/keystore.te
@@ -0,0 +1,2 @@
+allow keystore kernel:system module_request;
+allow keystore log_device:chr_file { write open };
diff --git a/selinux/lmkd.te b/selinux/lmkd.te
new file mode 100644
index 0000000..5f7bd53
--- /dev/null
+++ b/selinux/lmkd.te
@@ -0,0 +1 @@
+allow lmkd log_device:chr_file { write open };
diff --git a/selinux/logd.te b/selinux/logd.te
new file mode 100644
index 0000000..74e23a8
--- /dev/null
+++ b/selinux/logd.te
@@ -0,0 +1 @@
+allow logd log_device:chr_file { write open };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 0a3970e..9722653 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -6,4 +6,4 @@ allow mediaserver camera_data_file:file rw_file_perms;
allow mediaserver volume_data_file:file create_file_perms;
allow mediaserver volume_data_file:dir create_dir_perms;
allow mediaserver mfc_device:chr_file rw_file_perms;
-# allow mediaserver system_data_file:file { write open };
+allow mediaserver log_device:chr_file { write open };
diff --git a/selinux/perfprofd.te b/selinux/perfprofd.te
new file mode 100644
index 0000000..82f4377
--- /dev/null
+++ b/selinux/perfprofd.te
@@ -0,0 +1 @@
+allow perfprofd kernel:system module_request;
diff --git a/selinux/radio.te b/selinux/radio.te
index 427a4c6..026de1b 100644
--- a/selinux/radio.te
+++ b/selinux/radio.te
@@ -1,2 +1,4 @@
allow radio kernel:system module_request;
allow radio log_device:chr_file { write open };
+allow radio system_app_data_file:dir search;
+allow radio system_app_data_file:file getattr;
diff --git a/selinux/rild.te b/selinux/rild.te
index f88bea5..f022c36 100755
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -19,7 +19,13 @@ allow rild radio_data_file:dir setattr;
allow rild self:capability dac_override;
allow rild unlabeled:dir search;
allow rild unlabeled:file { read getattr open setattr };
-
allow rild dumpstate_exec:file getattr;
allow rild system_data_file:dir write;
allow rild unlabeled:file write;
+allow rild log_device:chr_file { write open };
+allow rild proc_net:file { write };
+allow rild init:dir search;
+allow rild init:file { read getattr open };
+allow rild init:unix_stream_socket { listen write getopt read accept };
+allow rild system_data_file:dir { remove_name add_name setattr };
+allow rild devpts:chr_file ioctl;
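Review bot: `allow rild system_data_file:dir { remove_name add_name setattr };` lets rild create and delete entries in any directory that carries the generic system_data_file label, not only the path it actually uses. The context above already shows a dedicated `radio_data_file` type, so labelling rild's directory with it in file_contexts and granting on that type would keep the write access scoped. The `init:dir`, `init:file` and `init:unix_stream_socket { listen write getopt read accept }` rules look like the counterpart of a peer process running in the init domain, and would likely be unnecessary once that process has its own domain. `allow rild proc_net:file { write };` has no comment saying which /proc/net entry is written. The hunk starts at line 19 of rild.te, so earlier rules are not visible here.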
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..6ff9249
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1 @@
+allow servicemanager log_device:chr_file { write open };
diff --git a/selinux/shell.te b/selinux/shell.te
new file mode 100644
index 0000000..af2c15c
--- /dev/null
+++ b/selinux/shell.te
@@ -0,0 +1,2 @@
+allow shell kernel:system { module_request };
+allow shell su:process signal;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
index 96a4719..087beb7 100755
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
@@ -1,7 +1,8 @@
-#allow sysinit mmc_block_device:file read;
-allow sysinit firmware_camera:dir { read search open getattr };
allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
allow sysinit sysinit:capability { dac_override chown fowner fsetid };
allow sysinit unlabeled:dir { search };
+allow sysinit kernel:system module_request;
+allow sysinit log_device:chr_file { write open };
+allow sysinit unlabeled:file { write open };
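Review bot: `allow sysinit unlabeled:file { write open };` grants write access to every file that lacks a valid security context, and system_server.te adds `allow system_server unlabeled:file write;` in the same commit. Unlabeled files normally mean a path is missing from file_contexts or the filesystem was never relabelled, so a grant on `unlabeled` also covers anything else that ends up without a label. sysinit already holds `dac_override` in the context lines, so DAC permissions do not narrow this either. A safer approach is to add a file_contexts entry for the affected path, relabel it with restorecon, and allow access on that specific type.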
diff --git a/selinux/system_server.te b/selinux/system_server.te
index c8fa3e4..0ba4b3f 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -1,5 +1,6 @@
allow system_server efs_file:dir search;
-# allow system_server default_prop:property_service set;
allow system_server dex2oat_exec:file execute;
allow system_server log_device:dir search;
allow system_server system_file:file execmod;
+allow system_server log_device:chr_file { write open };
+allow system_server unlabeled:file write;
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
index 369e87a..70ab006 100644
--- a/selinux/untrusted_app.te
+++ b/selinux/untrusted_app.te
@@ -2,3 +2,4 @@ allow untrusted_app unlabeled:file getattr;
allow untrusted_app efs_file:dir getattr;
allow untrusted_app kernel:system module_request;
allow untrusted_app log_device:dir search;
+allow untrusted_app log_device:chr_file { write read open };
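Review bot: `allow untrusted_app log_device:chr_file { write read open };` includes `read`, which lets third-party apps open the log device nodes for reading. Whether that exposes other processes' log lines depends on filtering in the kernel logger driver, which is not visible here. Every other domain touched by this commit except debuggerd gets at most `{ write open }`. If the denial was only about emitting logs, `allow untrusted_app log_device:chr_file { write open };` keeps untrusted code away from log content. If `read` is really required, a comment stating why would make the exception reviewable.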
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..29eff5b
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1 @@
+allow vold efs_file:dir { read ioctl open };
diff --git a/selinux/zygote.te b/selinux/zygote.te
index 04fc7d3..7d039e6 100644
--- a/selinux/zygote.te
+++ b/selinux/zygote.te
@@ -1 +1,2 @@
allow zygote kernel:system module_request;
+allow zygote log_device:chr_file { write open };