From 21c3f3ea72eebfaf3c2889bf4de1876d3d3e5fbb Mon Sep 17 00:00:00 2001
From: RGIB
Date: Sun, 15 May 2016 14:24:00 +0200
Subject: kona : selinux update
Change-Id: I29e006b5bdb1a72455e830a083d122aeae40b2f3
---
 selinux/at_distributor.te | 3 ++-
 selinux/cpboot-daemon.te | 6 +++---
 selinux/file_contexts | 4 ++--
 selinux/system_server.te | 7 ++++---
 selinux/untrusted_app.te | 1 +
 selinux/vold.te | 1 +
 6 files changed, 13 insertions(+), 9 deletions(-)
 create mode 100644 selinux/vold.te
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
index d099d16..16ad482 100644
--- a/selinux/at_distributor.te
+++ b/selinux/at_distributor.te
@@ -18,4 +18,5 @@ allow at_distributor efs_file:file { read open setattr };
 allow at_distributor self:capability { setuid fowner chown fsetid };
 allow at_distributor efs_file:dir search;
 allow at_distributor radio_data_file:dir { search add_name write };
-allow at_distributor efs_file:dir { search getattr };
\ No newline at end of file
+allow at_distributor efs_file:dir { search getattr };
+allow at_distributor radio_data_file:file setattr;
\ No newline at end of file
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
index eab7ee6..26b877c 100644
--- a/selinux/cpboot-daemon.te
+++ b/selinux/cpboot-daemon.te
@@ -6,6 +6,8 @@ domain_trans(init, rootfs, cpboot-daemon)
 dontaudit cpboot-daemon usbfs:dir search;
 dontaudit cpboot-daemon usbfs:filesystem mount;
 dontaudit cpboot-daemon self:capability mknod;
+dontaudit cpboot-daemon device:chr_file { read write create unlink open };
+dontaudit cpboot-daemon device:dir { write add_name remove_name };
 allow cpboot-daemon cgroup:dir { create add_name };
 allow cpboot-daemon efs_file:file { read write open };
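Review bot: The added `allow at_distributor radio_data_file:file setattr;` is broader than it looks, because the context lines show this domain already holds `chown`, `fowner` and `fsetid`, so it can change owner and mode on every file labelled `radio_data_file`. Per the file_contexts section of this same patch, that label covers `/data/misc/radio(/.*)?` and `/data/.socket_stream`. I would add a comment naming the file that needs it, e.g. `# at_distributor sets mode/owner on <file> under /data/misc/radio`, and consider a dedicated type if only one file is involved. The file also still ends without a trailing newline, as do cpboot-daemon.te, system_server.te, untrusted_app.te and the new vold.te; ending each with a newline avoids rules running together if the build concatenates policy sources.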
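Review bot: The two added `dontaudit` rules on `device:chr_file` and `device:dir` silence every denial for this daemon creating, unlinking, opening, reading or writing nodes that carry the generic `device` label, so a later regression or an unexpected access to an unlabelled /dev node will leave no AVC record to investigate. If the daemon only touches one known node, give that node its own type in file_contexts and scope the `dontaudit` (or an `allow`) to that type instead. At minimum add a comment above them such as `# cpboot-daemon tries to (re)create nodes in /dev; denied on purpose, not needed for boot`, worded to match what the daemon actually does.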
@@ -16,6 +18,4 @@ allow cpboot-daemon radio_prop:property_service set;
 allow cpboot-daemon self:capability { setuid dac_override };
 allow cpboot-daemon sysfs:file write;
 allow cpboot-daemon userdata_block_device:blk_file { read open };
-allow cpboot-daemon efs_file:dir search;
-allow cpboot-daemon efs_file:file { read write };
-allow cpboot-daemon device:dir { write };
\ No newline at end of file
+allow cpboot-daemon efs_file:dir search;
\ No newline at end of file
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 2e11eea..8dc1eab 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -6,8 +6,8 @@
 /system/bin/orientationd u:object_r:orientationd_exec:s0
 /system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
-/data/system/yas.cfg u:object_r:gps_data_file:s0
-/data/system/yas-backup.cfg u:object_r:gps_data_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/data/system/yas(/.*)? u:object_r:gps_data_file:s0
 /data/system/gps(/.*)? u:object_r:gps_data_file:s0
 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
 /data/.socket_stream u:object_r:radio_data_file:s0
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 1d1ba9f..8f30fdc 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -1,5 +1,6 @@
-allow system_server gps_data_file:fifo_file { write read open setattr };
+allow system_server gps_data_file:fifo_file { create write read open setattr };
 allow system_server self:capability sys_module;
 allow system_server efs_file:dir search;
-allow system_server gps_data_file:dir search;
-allow system_server efs_file:file { read write open };
\ No newline at end of file
+allow system_server efs_file:file { read write open };
+allow system_server gps_data_file:file setattr;
+allow system_server gps_data_file:dir { search write add_name };
\ No newline at end of file
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
index ca9e731..2486863 100644
--- a/selinux/untrusted_app.te
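Review bot: The replacement pattern `/data/system/yas(/.*)?` does not match the two paths it replaces: it covers `/data/system/yas` and anything below `/data/system/yas/`, but not `/data/system/yas.cfg` or `/data/system/yas-backup.cfg`, which after a restorecon would take whatever more general /data/system entry applies. Unless the sensor daemons now keep their state in a `yas/` directory (not visible in this patch), keep explicit entries with the dot escaped, e.g. `/data/system/yas\.cfg u:object_r:gps_data_file:s0` and `/data/system/yas-backup\.cfg u:object_r:gps_data_file:s0`. For the new `/efs/bluetooth(/.*)?` entry, check that the domains which previously reached those files through `efs_file` rules also have rules for `bluetooth_data_file`, since no such rule is added here.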
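Review bot: The added rules let system_server create FIFOs and add entries in any directory labelled `gps_data_file`, and change attributes on any file with that label, but nothing says which path or service needs this. The file_contexts section of this patch assigns that label to `/data/system/gps(/.*)?` and `/data/system/yas(/.*)?`, so a comment above the three lines such as `# <service> creates its FIFO under /data/system/gps and fixes its mode` (with the real service and path) would let a later reviewer check the grant is still needed. If only the FIFO is required, `gps_data_file:file setattr` looks separable and should be justified on its own.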
+++ b/selinux/untrusted_app.te
@@ -1,5 +1,6 @@
 allow untrusted_app domain:dir { getattr search };
 allow untrusted_app domain:file { read open };
+allow untrusted_app storage_stub_file:dir getattr;
 # S-Pen detection
 allow untrusted_app input_device:dir { search write open read };
 allow untrusted_app input_device:chr_file { getattr write ioctl read open };
\ No newline at end of file
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..1f59131
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1 @@
+allow vold efs_file:dir { ioctl open };
\ No newline at end of file
-- 
cgit v1.1
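Review bot: `allow vold efs_file:dir { ioctl open };` grants `open` and `ioctl` on `efs_file` directories without `read`, which reads as if it was assembled from individual denials rather than written for a known operation; a read-only open of the directory would presumably be denied on `read` next. Add a comment stating the operation, e.g. `# vold opens the /efs mount point to issue a filesystem ioctl`, adjusted to what vold actually does there, and grant the full set that operation needs in one rule. The purpose is worth confirming before the rule is widened, since this is the only access vold gets to `efs_file` in this patch.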