diff options
author | RGIB <gibellini.roberto@gmail.com> | 2016-01-16 23:00:52 +0100 |
---|---|---|
committer | RGIB <gibellini.roberto@gmail.com> | 2016-01-16 23:00:52 +0100 |
commit | b1b8ee6ff1bf975a1c02c11360e8faee3276a655 (patch) | |
tree | d329a009eb3466e213e08b0ea75b738ee7d6d3bf /selinux | |
parent | b1298aa0863613f0b2338f323b696d2e34db41fc (diff) | |
download | device_samsung_kona-common-b1b8ee6ff1bf975a1c02c11360e8faee3276a655.zip device_samsung_kona-common-b1b8ee6ff1bf975a1c02c11360e8faee3276a655.tar.gz device_samsung_kona-common-b1b8ee6ff1bf975a1c02c11360e8faee3276a655.tar.bz2 |
kona : selinux update
Change-Id: I45081a265850b0df959830133cc942e55865f92c
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/bluetooth.te | 3 | ||||
-rw-r--r-- | selinux/bootanim.te | 1 | ||||
-rw-r--r-- | selinux/debuggerd.te | 3 | ||||
-rw-r--r-- | selinux/gatekeeperd.te | 1 | ||||
-rw-r--r-- | selinux/init.te | 15 | ||||
-rw-r--r-- | selinux/installd.te | 2 | ||||
-rw-r--r-- | selinux/keystore.te | 2 | ||||
-rw-r--r-- | selinux/lmkd.te | 1 | ||||
-rw-r--r-- | selinux/logd.te | 1 | ||||
-rw-r--r-- | selinux/mediaserver.te | 2 | ||||
-rw-r--r-- | selinux/perfprofd.te | 1 | ||||
-rw-r--r-- | selinux/radio.te | 2 | ||||
-rwxr-xr-x | selinux/rild.te | 8 | ||||
-rw-r--r-- | selinux/servicemanager.te | 1 | ||||
-rw-r--r-- | selinux/shell.te | 2 | ||||
-rwxr-xr-x | selinux/sysinit.te | 5 | ||||
-rw-r--r-- | selinux/system_server.te | 3 | ||||
-rw-r--r-- | selinux/untrusted_app.te | 1 | ||||
-rw-r--r-- | selinux/vold.te | 1 | ||||
-rw-r--r-- | selinux/zygote.te | 1 |
20 files changed, 48 insertions, 8 deletions
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te index a6e68b8..903cc85 100644 --- a/selinux/bluetooth.te +++ b/selinux/bluetooth.te @@ -1,2 +1,3 @@ allow bluetooth smd_device:chr_file { read write ioctl open }; -allow bluetooth sysfs:file { write };
\ No newline at end of file +allow bluetooth sysfs:file { write }; +allow bluetooth log_device:chr_file write; diff --git a/selinux/bootanim.te b/selinux/bootanim.te new file mode 100644 index 0000000..4033188 --- /dev/null +++ b/selinux/bootanim.te @@ -0,0 +1 @@ +allow bootanim log_device:chr_file open; diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te index 1a03fb4..22547e8 100644 --- a/selinux/debuggerd.te +++ b/selinux/debuggerd.te @@ -1,2 +1,3 @@ -allow debuggerd log_device:chr_file { read open }; +allow debuggerd log_device:chr_file { write read open }; allow debuggerd log_device:dir search; +allow debuggerd kernel:system module_request; diff --git a/selinux/gatekeeperd.te b/selinux/gatekeeperd.te new file mode 100644 index 0000000..1d177e0 --- /dev/null +++ b/selinux/gatekeeperd.te @@ -0,0 +1 @@ +allow gatekeeperd kernel:system module_request; diff --git a/selinux/init.te b/selinux/init.te index d231f03..892872c 100644 --- a/selinux/init.te +++ b/selinux/init.te @@ -4,4 +4,17 @@ allow init init:tcp_socket { read write create }; allow init port:tcp_socket name_connect; allow init self:tcp_socket { read write getopt connect }; allow init kernel:system syslog_read; -#allow init system_file:file execute_no_trans; +allow init input_device:chr_file ioctl; +allow init system_data_file:file lock; +allow init fwmarkd_socket:sock_file write; +allow init netd:unix_stream_socket { connectto write }; +allow init ril_device:chr_file ioctl; +allow init input_device:chr_file write; +allow init property_socket:sock_file write; +allow init device:chr_file { create unlink }; +allow init devpts:chr_file { getattr ioctl }; +allow init kernel:system module_request; +allow init log_device:chr_file write; +allow init ril_device:chr_file write; +allow init rild:unix_stream_socket connectto; +allow init system_data_file:fifo_file write; diff --git a/selinux/installd.te b/selinux/installd.te new file mode 100644 index 0000000..ea127bc --- /dev/null +++ b/selinux/installd.te @@ -0,0 +1,2 @@ +allow installd kernel:system module_request; +allow installd log_device:chr_file { write open }; diff --git a/selinux/keystore.te b/selinux/keystore.te new file mode 100644 index 0000000..34e2779 --- /dev/null +++ b/selinux/keystore.te @@ -0,0 +1,2 @@ +allow keystore kernel:system module_request; +allow keystore log_device:chr_file { write open }; diff --git a/selinux/lmkd.te b/selinux/lmkd.te new file mode 100644 index 0000000..5f7bd53 --- /dev/null +++ b/selinux/lmkd.te @@ -0,0 +1 @@ +allow lmkd log_device:chr_file { write open }; diff --git a/selinux/logd.te b/selinux/logd.te new file mode 100644 index 0000000..74e23a8 --- /dev/null +++ b/selinux/logd.te @@ -0,0 +1 @@ +allow logd log_device:chr_file { write open }; diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te index 0a3970e..9722653 100644 --- a/selinux/mediaserver.te +++ b/selinux/mediaserver.te @@ -6,4 +6,4 @@ allow mediaserver camera_data_file:file rw_file_perms; allow mediaserver volume_data_file:file create_file_perms; allow mediaserver volume_data_file:dir create_dir_perms; allow mediaserver mfc_device:chr_file rw_file_perms; -# allow mediaserver system_data_file:file { write open }; +allow mediaserver log_device:chr_file { write open }; diff --git a/selinux/perfprofd.te b/selinux/perfprofd.te new file mode 100644 index 0000000..82f4377 --- /dev/null +++ b/selinux/perfprofd.te @@ -0,0 +1 @@ +allow perfprofd kernel:system module_request; diff --git a/selinux/radio.te b/selinux/radio.te index 427a4c6..026de1b 100644 --- a/selinux/radio.te +++ b/selinux/radio.te @@ -1,2 +1,4 @@ allow radio kernel:system module_request; allow radio log_device:chr_file { write open }; +allow radio system_app_data_file:dir search; +allow radio system_app_data_file:file getattr; diff --git a/selinux/rild.te b/selinux/rild.te index f88bea5..f022c36 100755 --- a/selinux/rild.te +++ b/selinux/rild.te @@ -19,7 +19,13 @@ allow rild radio_data_file:dir setattr; allow rild self:capability dac_override; allow rild unlabeled:dir search; allow rild unlabeled:file { read getattr open setattr }; - allow rild dumpstate_exec:file getattr; allow rild system_data_file:dir write; allow rild unlabeled:file write; +allow rild log_device:chr_file { write open }; +allow rild proc_net:file { write }; +allow rild init:dir search; +allow rild init:file { read getattr open }; +allow rild init:unix_stream_socket { listen write getopt read accept }; +allow rild system_data_file:dir { remove_name add_name setattr }; +allow rild devpts:chr_file ioctl; diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te new file mode 100644 index 0000000..6ff9249 --- /dev/null +++ b/selinux/servicemanager.te @@ -0,0 +1 @@ +allow servicemanager log_device:chr_file { write open }; diff --git a/selinux/shell.te b/selinux/shell.te new file mode 100644 index 0000000..af2c15c --- /dev/null +++ b/selinux/shell.te @@ -0,0 +1,2 @@ +allow shell kernel:system { module_request }; +allow shell su:process signal; diff --git a/selinux/sysinit.te b/selinux/sysinit.te index 96a4719..087beb7 100755 --- a/selinux/sysinit.te +++ b/selinux/sysinit.te @@ -1,7 +1,8 @@ -#allow sysinit mmc_block_device:file read; -allow sysinit firmware_camera:dir { read search open getattr }; allow sysinit userinit_exec:file { getattr execute execute_no_trans read open }; allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name }; allow sysinit firmware_camera:file { read open write getattr setattr create unlink }; allow sysinit sysinit:capability { dac_override chown fowner fsetid }; allow sysinit unlabeled:dir { search }; +allow sysinit kernel:system module_request; +allow sysinit log_device:chr_file { write open }; +allow sysinit unlabeled:file { write open }; diff --git a/selinux/system_server.te b/selinux/system_server.te index c8fa3e4..0ba4b3f 100644 --- a/selinux/system_server.te +++ b/selinux/system_server.te @@ -1,5 +1,6 @@ allow system_server efs_file:dir search; -# allow system_server default_prop:property_service set; allow system_server dex2oat_exec:file execute; allow system_server log_device:dir search; allow system_server system_file:file execmod; +allow system_server log_device:chr_file { write open }; +allow system_server unlabeled:file write; diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te index 369e87a..70ab006 100644 --- a/selinux/untrusted_app.te +++ b/selinux/untrusted_app.te @@ -2,3 +2,4 @@ allow untrusted_app unlabeled:file getattr; allow untrusted_app efs_file:dir getattr; allow untrusted_app kernel:system module_request; allow untrusted_app log_device:dir search; +allow untrusted_app log_device:chr_file { write read open }; diff --git a/selinux/vold.te b/selinux/vold.te new file mode 100644 index 0000000..29eff5b --- /dev/null +++ b/selinux/vold.te @@ -0,0 +1 @@ +allow vold efs_file:dir { read ioctl open }; diff --git a/selinux/zygote.te b/selinux/zygote.te index 04fc7d3..7d039e6 100644 --- a/selinux/zygote.te +++ b/selinux/zygote.te @@ -1 +1,2 @@ allow zygote kernel:system module_request; +allow zygote log_device:chr_file { write open }; |