authorRGIB <gibellini.roberto@gmail.com>2016-06-22 12:23:00 +0200
committerRGIB <gibellini.roberto@gmail.com>2016-06-22 12:25:07 +0200
commitd4c68ff6311509354fdb64d33221d0ba6fb418f1 (patch)
tree7cf2aeb7f2d2f3d4da0bc9b186387dd932def912 /selinux
parent18a0f846e9b5f4e5c6592ca8d6c7bf768a8508eb (diff)
kona : selinux update for qcom
Change-Id: Ic3302e9642c7a0b76604de5786a0073629a9fc37
Diffstat (limited to 'selinux')
-rw-r--r--selinux/at_distributor.te5
-rw-r--r--selinux/diag_uart_log.te7
-rw-r--r--selinux/domain.te5
-rw-r--r--selinux/file_contexts29
-rw-r--r--selinux/init.te5
-rw-r--r--selinux/qc_kickstart.te15
-rw-r--r--selinux/qmiproxy.te11
-rw-r--r--selinux/qmuxd.te13
-rw-r--r--selinux/rild.te8
-rw-r--r--selinux/sysinit.te5
10 files changed, 98 insertions, 5 deletions
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
index b700a33..039b540 100644
--- a/selinux/at_distributor.te
+++ b/selinux/at_distributor.te
@@ -25,3 +25,8 @@ allow at_distributor shell_exec:file { read execute open };
allow at_distributor system_file:file execute_no_trans;
allow at_distributor zygote_exec:file { read getattr open execute execute_no_trans };
allow at_distributor system_server:binder { transfer call };
+allow at_distributor diag_uart_log_exec:file getattr;
+allow at_distributor gps_device:chr_file { read write ioctl open };
+allow at_distributor shell_exec:file execute_no_trans;
+allow at_distributor radio_data_file:dir search;
+allow at_distributor radio_data_file:file { read getattr open setattr };
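Review bot: The added `allow at_distributor shell_exec:file execute_no_trans;` lets the daemon run the shell inside its own domain, so anything it spawns through the shell keeps every at_distributor permission, including the new gps_device and radio_data_file access and the existing binder call into system_server. If the shell is only needed for one helper, a dedicated domain entered through a transition would confine it; otherwise the rule deserves a comment such as `# at_distributor runs <helper> via sh, kept in-domain because <reason>`. The new qc_kickstart.te carries the same shell-in-domain grant alongside raw block-device write. The file begins above this hunk, so earlier rules are not visible here.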
diff --git a/selinux/diag_uart_log.te b/selinux/diag_uart_log.te
new file mode 100644
index 0000000..38429db
--- /dev/null
+++ b/selinux/diag_uart_log.te
@@ -0,0 +1,7 @@
+type diag_uart_log, domain;
+type diag_uart_log_exec, exec_type, file_type;
+init_daemon_domain(diag_uart_log)
+domain_trans(init, rootfs, diag_uart_log)
+
+allow diag_uart_log at_distributor:unix_stream_socket connectto;
+allow diag_uart_log self:capability setuid;
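Review bot: `domain_trans(init, rootfs, diag_uart_log)` makes every rootfs-labelled executable a permitted entrypoint into this domain, on top of the `diag_uart_log_exec` transition that `init_daemon_domain(diag_uart_log)` already sets up. file_contexts in this commit labels /system/bin/diag_uart_log as `diag_uart_log_exec`, so the rootfs path looks unnecessary unless the binary is also started from the ramdisk; if it is not, the line can be dropped. The same line is repeated in qc_kickstart.te, qmiproxy.te and qmuxd.te. `allow diag_uart_log self:capability setuid;` would also benefit from a comment naming the uid the daemon switches to.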
diff --git a/selinux/domain.te b/selinux/domain.te
index f55b780..56f028c 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -2,4 +2,7 @@ allow domain kernel:system module_request;
allow domain log_device:chr_file { write read open };
allow domain log_device:dir search;
-type efs_device_file, dev_type; \ No newline at end of file
+type efs_device_file, dev_type;
+
+# load SHIM libraries
+allow init { domain -lmkd }:process noatsecure;
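Review bot: `allow init { domain -lmkd }:process noatsecure;` switches off secure-exec (AT_SECURE) for init's transition into nearly every domain, so linker environment variables such as LD_PRELOAD are no longer scrubbed for any init-started service, not only the ones that need a shim. init.te already carries the narrow form `allow init rild:process noatsecure;`; listing only the domains that actually preload a shim keeps the exception auditable, e.g. `allow init { rild <other_shimmed_domain> }:process noatsecure;`. The rule would also sit more naturally in init.te, since its source is init rather than domain.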
diff --git a/selinux/file_contexts b/selinux/file_contexts
index b9b57ac..a1d9f80 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -6,7 +6,17 @@
/system/bin/orientationd u:object_r:orientationd_exec:s0
/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/diag_uart_log u:object_r:diag_uart_log_exec:s0
+/system/bin/qcks u:object_r:qc_kickstart_exec:s0
+/system/bin/ks u:object_r:qc_kickstart_exec:s0
+/system/bin/efsks u:object_r:qc_kickstart_exec:s0
+/system/bin/qmiproxy u:object_r:qmiproxy_exec:s0
+/system/bin/qmuxd u:object_r:qmuxd_exec:s0
+
/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/efs/imei(/.*)? u:object_r:radio_data_file:s0
+/efs/FactoryApp(/.*)? u:object_r:radio_data_file:s0
+
/data/system/yas.cfg u:object_r:gps_data_file:s0
/data/system/yas-backup.cfg u:object_r:gps_data_file:s0
/data/system/gps(/.*)? u:object_r:gps_data_file:s0
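Review bot: Labelling `/efs/imei(/.*)?` and `/efs/FactoryApp(/.*)?` as `radio_data_file` places what the path names suggest is device-identity and factory data under a general radio data type, so every domain granted radio_data_file access can reach it. In this commit at_distributor gains `setattr` and rild gains read on that type. A dedicated type for these two trees (a name such as `efs_radio_file` is only a suggestion), with rules for just the domains that need them, would keep the exposure narrow. The entries also omit a file-type field, so the label applies to every object class under those paths.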
@@ -26,9 +36,26 @@
/dev/umts_rfs0 u:object_r:radio_device:s0
/dev/link_pm u:object_r:radio_device:s0
/dev/rfkill u:object_r:radio_device:s0
+/dev/mdm u:object_r:radio_device:s0
+/dev/hsicctl0 u:object_r:radio_device:s0
+/dev/hsicctl1 u:object_r:radio_device:s0
+/dev/hsicctl2 u:object_r:radio_device:s0
+/dev/hsicctl3 u:object_r:radio_device:s0
+/dev/diag u:object_r:radio_device:s0
+/dev/ttyUSB0 u:object_r:radio_device:s0
+/dev/ttyUSB1 u:object_r:radio_device:s0
+/dev/ttyUSB2 u:object_r:radio_device:s0
+/dev/block/modem/m9kefs1 u:object_r:radio_device:s0
+/tombstones/qcks(/.*)? u:object_r:tombstone_data_file:s0
/dev/block/mmcblk0p3 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p4 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p5 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p6 u:object_r:userdata_block_device:s0
/dev/block/mmcblk0p7 u:object_r:userdata_block_device:s0
/dev/block/mmcblk0p8 u:object_r:userdata_block_device:s0
/dev/block/mmcblk0p9 u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0 \ No newline at end of file
+/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p14 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p19 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p21 u:object_r:userdata_block_device:s0
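Review bot: The six new `/dev/block/mmcblk0pN` entries reuse `userdata_block_device`, and qc_kickstart.te in this commit grants `write` on `userdata_block_device:blk_file`, so the kickstart daemon may write raw to every partition carrying this label rather than only the modem partitions it presumably needs. A separate type for the modem/EFS partitions, with the write rule moved to it, would remove raw write access to the rest. `/dev/block/modem/m9kefs1` is labelled `radio_device`, but the rules visible in this diff grant radio_device access only for `chr_file`; confirm the class of that node. `/dev/diag` and `/dev/ttyUSB0-2` likewise become reachable by every radio_device client, which is worth a comment if intended.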
diff --git a/selinux/init.te b/selinux/init.te
index c7885f5..53ec2b7 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1,5 +1,8 @@
allow init debugfs:dir mounton;
allow init sysfs:lnk_file setattr;
allow init tmpfs:lnk_file create;
+allow init vfat:dir mounton;
+allow init block_device:lnk_file setattr;
+
# load SHIM libraries
-allow init rild:process noatsecure; \ No newline at end of file
+allow init rild:process noatsecure;
diff --git a/selinux/qc_kickstart.te b/selinux/qc_kickstart.te
new file mode 100644
index 0000000..af7665b
--- /dev/null
+++ b/selinux/qc_kickstart.te
@@ -0,0 +1,15 @@
+type qc_kickstart, domain;
+type qc_kickstart_exec, exec_type, file_type;
+init_daemon_domain(qc_kickstart)
+domain_trans(init, rootfs, qc_kickstart)
+
+allow qc_kickstart userdata_block_device:blk_file { read open };
+allow qc_kickstart radio_device:chr_file { read write getattr open ioctl };
+allow qc_kickstart self:capability setuid;
+allow qc_kickstart shell_exec:file { read execute open execute_no_trans };
+allow qc_kickstart system_file:file execute_no_trans;
+allow qc_kickstart tombstone_data_file:file { read write getattr open setattr };
+allow qc_kickstart vfat:file { read getattr open };
+allow qc_kickstart qc_kickstart_exec:file execute_no_trans;
+allow qc_kickstart tombstone_data_file:dir search;
+allow qc_kickstart userdata_block_device:blk_file write;
diff --git a/selinux/qmiproxy.te b/selinux/qmiproxy.te
new file mode 100644
index 0000000..9642261
--- /dev/null
+++ b/selinux/qmiproxy.te
@@ -0,0 +1,11 @@
+type qmiproxy, domain;
+type qmiproxy_exec, exec_type, file_type;
+init_daemon_domain(qmiproxy)
+domain_trans(init, rootfs, qmiproxy)
+
+allow qmiproxy radio_device:chr_file { read write open };
+allow qmiproxy init:unix_stream_socket connectto;
+allow qmiproxy property_socket:sock_file write;
+allow qmiproxy radio_prop:property_service set;
+allow qmiproxy socket_device:dir { write add_name };
+allow qmiproxy socket_device:sock_file create;
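Review bot: `allow qmiproxy socket_device:dir { write add_name };` together with `allow qmiproxy socket_device:sock_file create;` leaves the daemon's socket under the generic `socket_device` label, so access to it cannot be separated from any other socket created in that directory. A per-daemon socket type assigned by a transition, e.g. `type qmiproxy_socket, file_type;` plus `file_type_auto_trans(qmiproxy, socket_device, qmiproxy_socket)`, lets clients be granted only that socket. qmuxd.te and the rild.te hunk add the same generic socket_device rules.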
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
new file mode 100644
index 0000000..a69ee6c
--- /dev/null
+++ b/selinux/qmuxd.te
@@ -0,0 +1,13 @@
+type qmuxd, domain;
+type qmuxd_exec, exec_type, file_type;
+init_daemon_domain(qmuxd)
+domain_trans(init, rootfs, qmuxd)
+
+allow qmuxd radio_device:chr_file { read write open };
+allow qmuxd self:capability { setuid dac_override };
+allow qmuxd socket_device:dir { write add_name };
+allow qmuxd socket_device:sock_file { create setattr };
+allow qmuxd sysfs:file write;
+allow qmuxd sysfs_wake_lock:file { open append };
+allow qmuxd socket_device:dir remove_name;
+allow qmuxd socket_device:sock_file { getattr unlink };
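Review bot: `dac_override` in `allow qmuxd self:capability { setuid dac_override };` lets qmuxd bypass file mode and ownership checks wherever SELinux allows the access, which usually points at a node whose owner or mode should be fixed in the init or ueventd configuration instead. `allow qmuxd sysfs:file write;` is similarly wide, since it covers every sysfs file left at the default label; giving the node qmuxd writes its own type would narrow it. If either grant has to stay, a comment naming the file involved would help, e.g. `# qmuxd writes <sysfs node> for <purpose>`.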
diff --git a/selinux/rild.te b/selinux/rild.te
index c9f2b16..b0608c8 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -7,4 +7,10 @@ allow rild sysfs:file write;
allow rild userdata_block_device:blk_file { read open };
allow rild mediaserver:dir search;
allow rild efs_file:file { read getattr unlink append };
-allow rild mediaserver:file { read getattr open }; \ No newline at end of file
+allow rild mediaserver:file { read getattr open };
+allow rild qmuxd:unix_stream_socket connectto;
+allow rild socket_device:dir { write add_name };
+allow rild socket_device:sock_file { write create setattr };
+allow rild devpts:chr_file { read write getattr };
+allow rild init:unix_stream_socket { read write listen accept getopt };
+allow rild radio_data_file:file { read getattr open };
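Review bot: `allow rild devpts:chr_file { read write getattr };` grants access to pseudo-terminals under the generic devpts label, which looks like a denial recorded while rild was started from an interactive shell rather than by init; confirm it still appears on a normal boot before keeping it. `allow rild init:unix_stream_socket { read write listen accept getopt };` would benefit from a comment saying which init-created socket rild serves, e.g. `# socket <name> declared for rild in the init rc file`. The file starts above this hunk, so earlier rild rules are not visible here.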
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
index 0299755..3bb4d51 100644
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
@@ -5,4 +5,7 @@ allow sysinit wifi_data_file:file { read write open };
allow sysinit camera_data_file:dir search;
allow sysinit efs_file:dir search;
allow sysinit camera_data_file:dir { write add_name };
-allow sysinit efs_file:file { open read write }; \ No newline at end of file
+allow sysinit efs_file:file { open read write };
+allow sysinit cache_file:dir { write add_name };
+allow sysinit cache_file:file { write create open };
+allow sysinit kernel:system syslog_read;