From 2ad4014ecfc85e42c8a5a1dabc36ca0203afe576 Mon Sep 17 00:00:00 2001
From: RGIB
Date: Mon, 11 Apr 2016 22:22:27 +0200
Subject: kona : update selinux
Change-Id: I6b4f818e32654119ec7ba7b33f2feb48d29e40de
---
 selinux/at_distributor.te | 5 +++--
 selinux/bluetooth.te | 2 +-
 selinux/cpboot-daemon.te | 3 +++
 selinux/file_contexts | 5 ++++-
 selinux/geomagneticd.te | 4 ++++
 selinux/gpsd.te | 3 +++
 selinux/init.te | 2 +-
 selinux/macloader.te | 2 ++
 selinux/rild.te | 1 +
 selinux/sysinit.te | 4 +++-
 selinux/system_server.te | 1 +
 selinux/untrusted_app.te | 2 ++
 selinux/wpa.te | 1 +
 13 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 selinux/macloader.te
 create mode 100644 selinux/untrusted_app.te
 create mode 100644 selinux/wpa.te
(limited to 'selinux')
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
index 676e4ce..d099d16 100644
--- a/selinux/at_distributor.te
+++ b/selinux/at_distributor.te
@@ -5,7 +5,7 @@ domain_trans(init, rootfs, at_distributor)
 allow at_distributor DR-daemon:unix_stream_socket connectto;
 allow at_distributor property_socket:sock_file write;
-allow at_distributor radio_data_file:file { read getattr open };
+allow at_distributor radio_data_file:file { write create read getattr open };
 allow at_distributor radio_prop:property_service set;
 allow at_distributor rild:unix_stream_socket connectto;
 allow at_distributor self:capability dac_override;
@@ -16,5 +16,6 @@ allow at_distributor efs_file:file getattr;
 allow at_distributor init:unix_stream_socket connectto;
 allow at_distributor efs_file:file { read open setattr };
 allow at_distributor self:capability { setuid fowner chown fsetid };
-allow at_distributor radio_data_file:dir search;
 allow at_distributor efs_file:dir search;
+allow at_distributor radio_data_file:dir { search add_name write };
+allow at_distributor efs_file:dir { search getattr };
\ No newline at end of file
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
index 185f799..f016625 100644
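Review bot: The second hunk rewrites the last line of at_distributor.te without a trailing newline (`\ No newline at end of file`), and the same regression is the only change in the bluetooth.te, file_contexts and init.te hunks further down; restoring the newline at the end of each of those files avoids a spurious one-line diff on the next edit. The permission change itself is coherent: `write create` on `radio_data_file:file` in the first hunk is paired here with `add_name write` on `radio_data_file:dir`, which is the set needed to create a new file under /data/misc/radio. A one-line comment naming which file at_distributor now creates there, e.g. `# at_distributor writes <file name> under /data/misc/radio`, would make the grant reviewable later.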
--- a/selinux/bluetooth.te
+++ b/selinux/bluetooth.te
@@ -1,2 +1,2 @@
 allow bluetooth serial_device:chr_file { read write ioctl open };
-allow bluetooth sysfs:file write;
+allow bluetooth sysfs:file write;
\ No newline at end of file
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
index c4e592f..eab7ee6 100644
--- a/selinux/cpboot-daemon.te
+++ b/selinux/cpboot-daemon.te
@@ -5,6 +5,7 @@ domain_trans(init, rootfs, cpboot-daemon)
 dontaudit cpboot-daemon usbfs:dir search;
 dontaudit cpboot-daemon usbfs:filesystem mount;
+dontaudit cpboot-daemon self:capability mknod;
 allow cpboot-daemon cgroup:dir { create add_name };
 allow cpboot-daemon efs_file:file { read write open };
@@ -16,3 +17,5 @@ allow cpboot-daemon self:capability { setuid dac_override };
 allow cpboot-daemon sysfs:file write;
 allow cpboot-daemon userdata_block_device:blk_file { read open };
 allow cpboot-daemon efs_file:dir search;
+allow cpboot-daemon efs_file:file { read write };
+allow cpboot-daemon device:dir { write };
\ No newline at end of file
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 460cfc9..2e11eea 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -7,6 +7,7 @@
 /system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
 /data/system/yas.cfg u:object_r:gps_data_file:s0
+/data/system/yas-backup.cfg u:object_r:gps_data_file:s0
 /data/system/gps(/.*)? u:object_r:gps_data_file:s0
 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
 /data/.socket_stream u:object_r:radio_data_file:s0
@@ -14,6 +15,7 @@
 /dev/__cbd_msg_ u:object_r:radio_device:s0
 /dev/ttySAC0 u:object_r:serial_device:s0
+/dev/ttySAC1 u:object_r:gps_device:s0
 /dev/ttySAC2 u:object_r:serial_device:s0
 /dev/ttyGS0 u:object_r:serial_device:s0
 /dev/mali u:object_r:gpu_device:s0
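Review bot: `allow cpboot-daemon efs_file:file { read write };` in the second cpboot-daemon.te hunk is a strict subset of `allow cpboot-daemon efs_file:file { read write open };`, which is visible as context in the first hunk, so the new line is redundant and can be dropped. `allow cpboot-daemon device:dir { write };` on its own does not let the daemon add or remove entries in /dev (that also needs `add_name`/`remove_name` on the directory and `create` on the node class), so it most likely only moves the denial one step along; together with the new `dontaudit cpboot-daemon self:capability mknod;` in the first hunk it looks like the underlying action is device-node creation that is being half-suppressed. The audit record that motivated these lines should decide whether node creation is wanted (then grant the full set with a comment naming the node) or not (then dontaudit the dir write as well rather than allowing it).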
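Review bot: The new `/data/system/yas-backup.cfg` entry in file_contexts duplicates the `/data/system/yas.cfg` line directly above it; file_contexts patterns are regular expressions, so one line covers both, `/data/system/yas(-backup)?\.cfg u:object_r:gps_data_file:s0`, and escaping the dot also stops the existing pattern from matching any character in that position. Labelling the geomagnetic sensor's config as `gps_data_file` is inherited from the existing line, but it is the reason geomagneticd later in this patch needs create/rename/remove_name on a type shared with gpsd's `/data/system/gps(/.*)?` and the fifo system_server uses; a dedicated type for the yas files would keep those grants apart.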
@@ -22,9 +24,10 @@
 /dev/umts_ipc0 u:object_r:radio_device:s0
 /dev/umts_rfs0 u:object_r:radio_device:s0
 /dev/link_pm u:object_r:radio_device:s0
+/dev/rfkill u:object_r:radio_device:s0
 /dev/block/mmcblk0p3 u:object_r:userdata_block_device:s0
 /dev/block/mmcblk0p7 u:object_r:userdata_block_device:s0
 /dev/block/mmcblk0p8 u:object_r:userdata_block_device:s0
 /dev/block/mmcblk0p9 u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
\ No newline at end of file
diff --git a/selinux/geomagneticd.te b/selinux/geomagneticd.te
index 60bd916..8b477ad 100644
--- a/selinux/geomagneticd.te
+++ b/selinux/geomagneticd.te
@@ -9,3 +9,7 @@ allow geomagneticd input_device:dir { read open };
 allow geomagneticd gps_data_file:file { read getattr open };
 allow geomagneticd sysfs:file write;
 allow geomagneticd input_device:dir search;
+allow geomagneticd gps_data_file:dir { write remove_name add_name };
+allow geomagneticd gps_data_file:file { write rename create open setattr };
+# load SHIM libraries
+allow init geomagneticd:process noatsecure;
\ No newline at end of file
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
index 853ec78..3022b98 100644
--- a/selinux/gpsd.te
+++ b/selinux/gpsd.te
@@ -2,3 +2,6 @@ domain_trans(init, rootfs, gpsd)
 allow gpsd rild:unix_stream_socket connectto;
 allow gpsd sysfs_wake_lock:file { read write open };
+allow gpsd gps_device:chr_file { read write ioctl open };
+# load SHIM libraries
+allow init gpsd:process noatsecure;
\ No newline at end of file
diff --git a/selinux/init.te b/selinux/init.te
index 9e53753..c7885f5 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -2,4 +2,4 @@ allow init debugfs:dir mounton;
 allow init sysfs:lnk_file setattr;
 allow init tmpfs:lnk_file create;
 # load SHIM libraries
-allow init rild:process noatsecure;
+allow init rild:process noatsecure;
\ No newline at end of file
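Review bot: Labelling `/dev/rfkill` as `radio_device` puts it in the same type as the modem IPC nodes listed right above it (`/dev/umts_ipc0`, `/dev/umts_rfs0`, `/dev/link_pm`, and `/dev/__cbd_msg_` earlier in the file), so the `allow wpa radio_device:chr_file { read open };` added in the new selinux/wpa.te also opens every modem node to wpa_supplicant, not just rfkill. A dedicated type declared in the device policy (`type <rfkill type>, dev_type;` in the device's device.te, unless the base policy already provides one) with `/dev/rfkill u:object_r:<rfkill type>:s0` here and the matching type in wpa.te keeps the grant to the one node wpa needs. The same question applies to any other domain that later needs rfkill; a separate type lets each get read/write on it without touching the modem.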
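Review bot: `allow init geomagneticd:process noatsecure;` (and the identical rule for gpsd in selinux/gpsd.te) tells the kernel not to set AT_SECURE when init executes the daemon, so the dynamic linker honours loader environment such as LD_PRELOAD that it would otherwise ignore; that is what a shim needs, but "load SHIM libraries" does not say which library or why, so the comment should be expanded along the lines of `# noatsecure: allow init's LD_PRELOAD shim (<library name>) to load; needed for <reason>`. The new `write rename create open setattr` on `gps_data_file:file` plus `write remove_name add_name` on the dir are wider than geomagneticd's own yas*.cfg, because `/data/system/gps(/.*)?` and the fifo system_server opens carry the same type, so geomagneticd can now replace or remove those as well; a dedicated type for the yas config files would confine the write grant to them. The rule lives in geomagneticd.te but its subject is init, which is worth a note since init.te also carries the rild variant of the same rule.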
diff --git a/selinux/macloader.te b/selinux/macloader.te
new file mode 100644
index 0000000..48e1e96
--- /dev/null
+++ b/selinux/macloader.te
@@ -0,0 +1,2 @@
+allow macloader efs_file:file { read open getattr };
+allow macloader efs_file:dir search;
\ No newline at end of file
diff --git a/selinux/rild.te b/selinux/rild.te
index 0f2f6dc..ae36ac5 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -6,3 +6,4 @@ allow rild proc_net:file write;
 allow rild sysfs:file write;
 allow rild userdata_block_device:blk_file { read open };
 allow rild mediaserver:dir search;
+allow rild efs_file:file { read getattr unlink append };
\ No newline at end of file
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
index d81d161..0299755 100644
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
@@ -1,6 +1,8 @@
 allow sysinit camera_data_file:dir { read getattr open };
-allow sysinit camera_data_file:file { read write getattr open setattr };
+allow sysinit camera_data_file:file { create read write getattr open setattr };
 allow sysinit self:capability { fowner chown fsetid };
 allow sysinit wifi_data_file:file { read write open };
 allow sysinit camera_data_file:dir search;
 allow sysinit efs_file:dir search;
+allow sysinit camera_data_file:dir { write add_name };
+allow sysinit efs_file:file { open read write };
\ No newline at end of file
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 659c32b..1d1ba9f 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -2,3 +2,4 @@ allow system_server gps_data_file:fifo_file { write read open setattr };
 allow system_server self:capability sys_module;
 allow system_server efs_file:dir search;
 allow system_server gps_data_file:dir search;
+allow system_server efs_file:file { read write open };
\ No newline at end of file
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
new file mode 100644
index 0000000..b9358f0
--- /dev/null
+++ b/selinux/untrusted_app.te
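Review bot: `allow rild efs_file:file { read getattr unlink append };` grants `unlink`, but removing a file also needs `{ write remove_name }` on the parent `efs_file:dir`, which this hunk does not add; rild.te's first five lines are outside the hunk, so it may already be there, but it should be confirmed against the denial log rather than assumed. Likewise `append` without `open` (and without `write`) only helps if `open` is granted elsewhere in the file, otherwise opening the file O_APPEND is still refused. Since `efs_file` covers the whole EFS partition, which holds the device's persistent radio data, a deletion right deserves a comment naming the file rild is expected to remove, e.g. `# rild recreates <file name> under /efs on modem reset`.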
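Review bot: `allow system_server efs_file:file { read write open };` gives the largest domain on the device write access to everything labelled `efs_file`, i.e. the entire EFS partition, rather than the one file it needs; the same pattern appears in sysinit.te (`allow sysinit efs_file:file { open read write };`) and in the cpboot-daemon.te hunks. Declaring a dedicated type for the specific file(s) in the device policy and listing them in file_contexts keeps a compromise of system_server or sysinit from altering unrelated radio/NV data on that partition, and a comment on each rule should name the file being accessed. If the access is in fact read-only, `{ read getattr open }` as used in the new macloader.te is the narrower form.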
@@ -0,0 +1,2 @@
+allow untrusted_app domain:dir { getattr search };
+allow untrusted_app domain:file { read open };
\ No newline at end of file
diff --git a/selinux/wpa.te b/selinux/wpa.te
new file mode 100644
index 0000000..27750f6
--- /dev/null
+++ b/selinux/wpa.te
@@ -0,0 +1 @@
+allow wpa radio_device:chr_file { read open };
\ No newline at end of file
-- 
cgit v1.1
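Review bot: `allow untrusted_app domain:file { read open };` lets every untrusted app read the per-process files labelled with any domain attribute member, which in practice is the /proc/<pid> entries of every process on the device, and `domain:dir { getattr search }` lets apps enumerate those directories; that is an information-disclosure widening far beyond whatever single denial motivated this new file. AOSP's base policy keeps app access to other domains' /proc entries narrow and has neverallow rules for appdomain, so this may also fail the policy build; that should be checked before merging. Identify the one domain whose files the app actually needs and grant only that, e.g. `allow untrusted_app <specific domain>:file { read open };` with a comment naming the app and the file, or drop the rule entirely if it came from a one-off debugging session.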