From 2204ce90e769255d28128b386534887a1985c2e1 Mon Sep 17 00:00:00 2001
From: RGIB
Date: Wed, 11 Nov 2015 09:28:53 +0100
Subject: kona-common: update SElinux
Change-Id: Ie567c28195e029980e1dd2554c9f0ad489b0a4ba
---
 selinux/adbd.te | 1 +
 selinux/debuggerd.te | 1 +
 selinux/dex2oat.te | 2 ++
 selinux/init.te | 6 ++++++
 selinux/mediaserver.te | 2 +-
 selinux/platform_app.te | 1 +
 selinux/radio.te | 2 ++
 selinux/sdcardd.te | 1 +
 selinux/secril.te | 4 ++--
 selinux/shared_relro.te | 1 +
 selinux/shell.te | 4 +++-
 selinux/system_app.te | 2 ++
 selinux/system_server.te | 5 ++++-
 selinux/untrusted_app.te | 2 ++
 selinux/wpa.te | 1 +
 selinux/zygote.te | 1 +
 16 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 selinux/adbd.te
 create mode 100644 selinux/debuggerd.te
 create mode 100644 selinux/dex2oat.te
 create mode 100644 selinux/platform_app.te
 create mode 100644 selinux/radio.te
 create mode 100644 selinux/sdcardd.te
 create mode 100644 selinux/shared_relro.te
 create mode 100644 selinux/system_app.te
 create mode 100644 selinux/wpa.te
 create mode 100644 selinux/zygote.te
(limited to 'selinux')
diff --git a/selinux/adbd.te b/selinux/adbd.te
new file mode 100644
index 0000000..8776373
--- /dev/null
+++ b/selinux/adbd.te
@@ -0,0 +1 @@
+allow adbd kernel:system module_request;
diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te
new file mode 100644
index 0000000..f60e6e3
--- /dev/null
+++ b/selinux/debuggerd.te
@@ -0,0 +1 @@
+allow debuggerd log_device:chr_file { read open };
diff --git a/selinux/dex2oat.te b/selinux/dex2oat.te
new file mode 100644
index 0000000..52e724a
--- /dev/null
+++ b/selinux/dex2oat.te
@@ -0,0 +1,2 @@
+allow dex2oat kernel:system module_request;
+allow dex2oat log_device:chr_file { write open };
diff --git a/selinux/init.te b/selinux/init.te
index 5b87e48..62841da 100644
--- a/selinux/init.te
+++ b/selinux/init.te
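Review bot: `allow adbd kernel:system module_request;` lets adbd trigger kernel module autoloading, and the same grant is added for dex2oat, init, radio, sdcardd, shell, untrusted_app and zygote elsewhere in this commit; module_request is normally a side effect of a failed socket-family or device lookup rather than something these daemons need, and for untrusted_app and shell it lets an unprivileged caller make the kernel load modules on demand. Unless a specific module genuinely has to be loaded on behalf of one of these domains, the denial is better silenced with `dontaudit <domain> kernel:system module_request;` (or by fixing the call that triggers it) so the audit noise goes away without widening what the kernel will do for that domain. If one domain really does need it, keep the allow rule for that domain only and record in a comment which module it loads.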
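Review bot: The log_device grants are inconsistent across the commit: debuggerd gets `{ read open }` here, dex2oat, radio, system_server, untrusted_app and wpa get `{ write open }`, while init, platform_app, shared_relro and system_app get bare `write` with no `open`, which only works when the descriptor is inherited rather than opened by the domain itself. If these all come from the same logging path they should use the same permission set, and the ones that are genuinely inherited-fd writes deserve a comment saying so. On AOSP log_device is the type for the legacy /dev/log kernel-logger nodes, so it is also worth noting in the file which component on this device still writes there, so the rules can be dropped once that component moves to the logd socket.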
@@ -4,3 +4,9 @@ allow init init:tcp_socket { read write create };
 allow init port:tcp_socket name_connect;
 allow init self:tcp_socket { read write getopt connect };
 allow init kernel:system syslog_read;
+allow init kernel:system module_request;
+allow init log_device:chr_file write;
+allow init property_socket:sock_file write;
+allow init ril_device:chr_file write;
+allow init sdcardd_exec:file { read execute open getattr execute_no_trans };
+allow init system_file:file execute_no_trans;
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index d2c07f4..0a3970e 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -6,4 +6,4 @@ allow mediaserver camera_data_file:file rw_file_perms;
 allow mediaserver volume_data_file:file create_file_perms;
 allow mediaserver volume_data_file:dir create_dir_perms;
 allow mediaserver mfc_device:chr_file rw_file_perms;
-allow mediaserver system_data_file:file { write open };
\ No newline at end of file
+# allow mediaserver system_data_file:file { write open };
diff --git a/selinux/platform_app.te b/selinux/platform_app.te
new file mode 100644
index 0000000..717139a
--- /dev/null
+++ b/selinux/platform_app.te
@@ -0,0 +1 @@
+allow platform_app log_device:chr_file write;
diff --git a/selinux/radio.te b/selinux/radio.te
new file mode 100644
index 0000000..427a4c6
--- /dev/null
+++ b/selinux/radio.te
@@ -0,0 +1,2 @@
+allow radio kernel:system module_request;
+allow radio log_device:chr_file { write open };
diff --git a/selinux/sdcardd.te b/selinux/sdcardd.te
new file mode 100644
index 0000000..223cbfa
--- /dev/null
+++ b/selinux/sdcardd.te
@@ -0,0 +1 @@
+allow sdcardd kernel:system module_request;
diff --git a/selinux/secril.te b/selinux/secril.te
index 7761d80..e025a04 100644
--- a/selinux/secril.te
+++ b/selinux/secril.te
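Review bot: `allow init sdcardd_exec:file { read execute open getattr execute_no_trans };` and `allow init system_file:file execute_no_trans;` make init run sdcardd and any /system binary inside the init domain instead of transitioning into a confined domain, so sdcardd (and whatever else init starts from an .rc file) inherits init's full privilege set; the `property_socket:sock_file write` and `ril_device:chr_file write` grants in the same hunk look like the resulting denials from those misplaced processes rather than needs of init itself. The fix is to give the services a domain transition (`init_daemon_domain(sdcardd)` in sdcardd.te, or a `seclabel` on the service entry in the .rc file) and drop both execute_no_trans rules, which should make the other grants unnecessary as well. Upstream policy is written around init never executing files without a transition, so confirm these rules do not collide with neverallow statements in the base policy before merging; the remainder of init.te is outside the hunk.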
@@ -12,7 +12,7 @@ unix_socket_connect(secril-daemon, rild, rild)
 allow secril-daemon { efs_file }:file rw_file_perms;
 allow secril-daemon system_data_file:dir create_dir_perms;
-allow secril-daemon system_data_file:file unlink;
+# allow secril-daemon system_data_file:file unlink;
 allow secril-daemon radio_data_file:file { create_file_perms };
 allow secril-daemon kernel:system module_request;
 allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
@@ -22,4 +22,4 @@ allow secril-daemon shell_exec:file rx_file_perms;
 allow secril-daemon app_data_file:file rw_file_perms;
 allow secril-daemon app_data_file:dir search;
 allow secril-daemon zygote_exec:file rx_file_perms;
-allow secril-daemon ashmem_device:chr_file x_file_perms;
\ No newline at end of file
+allow secril-daemon ashmem_device:chr_file x_file_perms;
diff --git a/selinux/shared_relro.te b/selinux/shared_relro.te
new file mode 100644
index 0000000..1c319ce
--- /dev/null
+++ b/selinux/shared_relro.te
@@ -0,0 +1 @@
+allow shared_relro log_device:chr_file write;
diff --git a/selinux/shell.te b/selinux/shell.te
index f528d9c..aff526f 100644
--- a/selinux/shell.te
+++ b/selinux/shell.te
@@ -1 +1,3 @@
-allow shell dalvikcache_data_file:file write;
+# allow shell dalvikcache_data_file:file write;
+allow shell kernel:system module_request;
+
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..8422942
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1,2 @@
+allow system_app log_device:chr_file write;
+allow system_app sysfs:file write;
diff --git a/selinux/system_server.te b/selinux/system_server.te
index f017b31..f1456dc 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
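Review bot: `+# allow shell dalvikcache_data_file:file write;` keeps a disabled rule around as a comment, and the same pattern appears in mediaserver.te, secril.te and system_server.te in this commit; the commit message gives no reason, so a reader cannot tell whether the access was removed deliberately or is parked until something else is fixed. Either delete the line outright or replace it with a short comment that states the reason, along the lines of `# removed: <reason the write is no longer needed>`, so the next person does not simply uncomment it to make a denial go away. The trailing empty `+` line added at the end of shell.te is whitespace only and should be dropped too.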
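Review bot: `allow system_app sysfs:file write;` grants write access to every sysfs node that carries the generic sysfs label, not just the one this app needs, which is far wider than a system app should have and hides which kernel knob is actually being set. Label the specific node instead (a `genfscon sysfs <path> u:object_r:<new_sysfs_type>:s0` entry in genfs_contexts with a dedicated type declared in file.te) and allow write on that type only, with a comment naming the node; that keeps the rest of sysfs read-only for system_app and makes the intent reviewable.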
@@ -1,2 +1,5 @@
 allow system_server efs_file:dir search;
-allow system_server default_prop:property_service set;
+# allow system_server default_prop:property_service set;
+allow system_server dex2oat_exec:file { read execute open execute_no_trans };
+allow system_server log_device:chr_file { write open };
+allow system_server system_file:file execmod;
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
index c81150b..b4f8b51 100644
--- a/selinux/untrusted_app.te
+++ b/selinux/untrusted_app.te
@@ -1,2 +1,4 @@
 allow untrusted_app unlabeled:file getattr;
 allow untrusted_app efs_file:dir getattr;
+allow untrusted_app kernel:system module_request;
+allow untrusted_app log_device:chr_file { write open };
diff --git a/selinux/wpa.te b/selinux/wpa.te
new file mode 100644
index 0000000..09bbb8f
--- /dev/null
+++ b/selinux/wpa.te
@@ -0,0 +1 @@
+allow wpa log_device:chr_file { write open };
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..04fc7d3
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1 @@
+allow zygote kernel:system module_request;
--
cgit v1.1
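Review bot: `allow system_server system_file:file execmod;` permits text relocations (writing to a mapped executable page) in /system libraries loaded by system_server, and `allow system_server dex2oat_exec:file { read execute open execute_no_trans };` lets system_server run dex2oat inside its own domain instead of through the existing dex2oat domain; both widen the most privileged userspace process and both usually point at a build problem rather than a policy gap. The execmod denial should be fixed by rebuilding the library that carries a TEXTREL flag (visible with `readelf -d` on the /system libraries) rather than allowed, and the dex2oat one by routing compilation through installd so the normal domain transition applies. I believe upstream policy carries a neverallow on execmod for most domains, so confirm these rules compile against the base policy on the target branch before merging.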