From 7fb9174903c3415abc027c9d4de508946c3011e5 Mon Sep 17 00:00:00 2001
From: sbrissen
Date: Wed, 13 Nov 2013 09:01:02 -0500
Subject: kona-common: 4.4 updates
Change-Id: I99fae341e0f1e827608f43a14c9648a9476721ed
---
selinux/device.te | 4 +++
selinux/dhcp.te | 1 +
selinux/domain.te | 4 +++
selinux/file.te | 10 +++++++
selinux/file_contexts | 70 +++++++++++++++++++++++++++++++++++++++++++++++
selinux/init.te | 3 ++
selinux/kickstart.te | 44 +++++++++++++++++++++++++++++
selinux/mediaserver.te | 7 +++++
selinux/netmgrd.te | 29 ++++++++++++++++++++
selinux/qmux.te | 21 ++++++++++++++
selinux/rild.te | 14 ++++++++++
selinux/secril.te | 25 +++++++++++++++++
selinux/system.te | 12 ++++++++
selinux/te_macros | 12 ++++++++
selinux/ueventd.te | 6 ++++
selinux/wpa_supplicant.te | 10 +++++++
16 files changed, 272 insertions(+)
create mode 100644 selinux/device.te
create mode 100755 selinux/dhcp.te
create mode 100644 selinux/domain.te
create mode 100644 selinux/file.te
create mode 100644 selinux/file_contexts
create mode 100644 selinux/init.te
create mode 100755 selinux/kickstart.te
create mode 100644 selinux/mediaserver.te
create mode 100755 selinux/netmgrd.te
create mode 100755 selinux/qmux.te
create mode 100755 selinux/rild.te
create mode 100644 selinux/secril.te
create mode 100755 selinux/system.te
create mode 100755 selinux/te_macros
create mode 100644 selinux/ueventd.te
create mode 100755 selinux/wpa_supplicant.te
(limited to 'selinux')
diff --git a/selinux/device.te b/selinux/device.te
new file mode 100644
index 0000000..c95050b
--- /dev/null
+++ b/selinux/device.te
@@ -0,0 +1,4 @@
+type mali_device, dev_type, mlstrustedobject;
+type rfkill_device, dev_type;
+type diagnostic_device, dev_type;
+type efs_block_device, dev_type;
diff --git a/selinux/dhcp.te b/selinux/dhcp.te
new file mode 100755
index 0000000..c403b9b
--- /dev/null
+++ b/selinux/dhcp.te
@@ -0,0 +1 @@
+allow dhcp self:rawip_socket { create write setopt };
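Review bot: The new mali_device type on the first line carries mlstrustedobject, which exempts the GPU nodes from MLS constraints, and nothing in the file says why a separate type is needed rather than the base policy's gpu_device type, which (if it is available in this policy version) already has that attribute and the domain-wide rw rule. A one-line justification would stop the next maintainer from folding it back in, e.g. `# mali/ump/fimg2d nodes kept separate from gpu_device because <reason> -- TODO confirm`. The other three types would similarly benefit from a comment naming the node each one labels, since the file_contexts entries live in a different file.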
diff --git a/selinux/domain.te b/selinux/domain.te
new file mode 100644
index 0000000..1be0633
--- /dev/null
+++ b/selinux/domain.te
@@ -0,0 +1,4 @@
+## /dev/mali, /dev/ump
+allow domain mali_device:chr_file rw_file_perms;
+
+
diff --git a/selinux/file.te b/selinux/file.te
new file mode 100644
index 0000000..3f045f6
--- /dev/null
+++ b/selinux/file.te
@@ -0,0 +1,10 @@
+type radio_efs_file, fs_type;
+
+type firmware_mfc, file_type;
+type firmware_camera, file_type;
+
+type qmuxd_socket, file_type;
+type camera_data_file, file_type, data_file_type;
+type kickstart_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
+type volume_data_file, file_type, data_file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..db34e45
--- /dev/null
+++ b/selinux/file_contexts
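Review bot: The allow rule in domain.te grants read/write on mali_device to every domain, including app and other untrusted domains, and the only comment is a list of device nodes rather than the reason the grant has to be that wide. If the intent is that any process rendering through EGL needs the GPU nodes, say so in the comment so a later reviewer does not narrow it by mistake, e.g. `# every process may render via EGL, so GPU nodes are open to all domains (mirrors the base gpu_device rule)`. The two trailing blank lines at the end of the file can be dropped.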
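Review bot: radio_efs_file is declared as an fs_type on the first line of file.te, but nothing in this patch assigns it: there is no file_contexts entry for it and no genfscon or fs_use statement in the hunks shown, so a reader cannot tell which mount receives the label that kickstart.te and ueventd.te rely on. A comment naming where the label is applied would close that gap, e.g. `# modem EFS filesystem; labelled via genfscon/fs_use in <file> -- TODO confirm`. The remaining file_type declarations are fine, though qmuxd_socket would read better with a comment that it labels the /dev/socket/qmux_* directories.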
@@ -0,0 +1,70 @@
+# GFX
+/dev/mali u:object_r:mali_device:s0
+/dev/ump u:object_r:mali_device:s0
+/dev/fimg2d u:object_r:mali_device:s0
+
+# RIL
+/dev/mdm u:object_r:radio_device:s0
+/dev/hsicctl[0-3]* u:object_r:radio_device:s0
+/dev/ttyUSB0 u:object_r:radio_device:s0
+/dev/diag u:object_r:diagnostic_device:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+
+# Sensors
+/dev/akm8963 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+
+# for wpa_supp
+/dev/rfkill u:object_r:rfkill_device:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/data/cfw(/.*)? u:object_r:firmware_camera:s0
+/tombstones/qcks(/.*)? u:object_r:kickstart_data_file:s0
+/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+
+#Wifi
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+#Sec-ril
+/efs/FactoryApp/keystr u:object_r:efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:efs_file:s0
+/efs/FactoryApp/serial_no u:object_r:efs_file:s0
+/data/misc/radio/ramdumpmode.txt u:object_r:radio_data_file:s0
+/data/misc/radio/dlnk u:object_r:radio_data_file:s0
+
+#Binaries
+/system/bin/qmuxd u:object_r:qmux_exec:s0
+/system/bin/netmgrd u:object_r:netmgrd_exec:s0
+/system/bin/efsks u:object_r:kickstart_exec:s0
+/system/bin/ks u:object_r:kickstart_exec:s0
+/system/bin/qcks u:object_r:kickstart_exec:s0
+/system/bin/sec-ril u:object_r:secril-daemon_exec:s0
+
+# Sockets
+/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)?
u:object_r:qmuxd_socket:s0
+
+# Block devices
+/dev/block/mmcblk0p[3-6]* u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p10 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p11 u:object_r:efs_block_device:s0
+
+# Audio related
+/data/local/audio(/.*)? u:object_r:volume_data_file:s0
diff --git a/selinux/init.te b/selinux/init.te
new file mode 100644
index 0000000..2f29889
--- /dev/null
+++ b/selinux/init.te
@@ -0,0 +1,3 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
+
+
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
new file mode 100755
index 0000000..14e1ad5
--- /dev/null
+++ b/selinux/kickstart.te
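Review bot: The `/tombstones/qcks(/.*)?` entry under "# Firmwares" is placed before the broader `/tombstones(/.*)?` entry, and since file_contexts lookups take the last matching entry, everything under /tombstones/qcks will be labelled tombstone_data_file rather than kickstart_data_file, which would then defeat the kickstart_data_file rules in kickstart.te. The firmware pair just above it (`/system/vendor/firmware(/.*)?` followed by the more specific mfc_fw.bin line) already uses the correct specific-after-general order, so swapping the two tombstones lines is the likely fix. Separately, `/dev/block/mmcblk0p[3-6]*` and `/dev/hsicctl[0-3]*` use `*` after the character class, so they also match the bare `mmcblk0p`/`hsicctl` names and multi-digit strings such as `mmcblk0p34`; if only the single-digit partitions are meant, `[3-6]` and `[0-3]` without the star are more precise.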
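Review bot: The single rule in init.te has no comment, and `create`/`bind` on a unix_dgram_socket labelled wpa_socket from init is only understandable if one knows that init creates /dev/socket entries with their file_contexts label on behalf of the daemon; a line such as `# init creates the wpa_supplicant control socket, so the socket object carries the wpa_socket label` would make that explicit (presumably the mechanism here, worth confirming against the init.rc service definition). The two trailing blank lines can go.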
@@ -0,0 +1,44 @@
+# kickstart processes and scripts
+type kickstart, domain;
+type kickstart_exec, exec_type, file_type;
+
+# kickstart_checker.sh talks to init over the property socket
+unix_socket_connect(kickstart, property, init)
+
+# Start /system/bin/qcks from init
+init_daemon_domain(kickstart)
+
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+
+# Run dd on m9kefs[123] block devices; write to /data/qcks/
+# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
+allow kickstart efs_block_device:blk_file rw_file_perms;
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+allow kickstart radio_efs_file:file r_file_perms;
+allow kickstart radio_efs_file:dir search;
+
+# Let qcks access /dev/mdm node (modem driver)
+allow kickstart radio_device:chr_file rw_file_perms;
+
+# Allow /dev/ttyUSB0 access
+allow kickstart radio_device:chr_file { write ioctl getattr };
+
+# Allow to run toolbox commands
+allow kickstart shell_exec:file rx_file_perms;
+# Toolbox commands for firmware dd
+allow kickstart system_file:file execute_no_trans;
+
+# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
+allow kickstart block_device:dir { getattr write search };
+
+# Set system property key
+allow kickstart radio_prop:property_service set;
+
+allow kickstart shell_exec:file entrypoint;
+# ls on /data/qcks/
+allow kickstart self:capability { dac_override setuid };
+
+# XXX Label sysfs files with a specific type?
+allow kickstart sysfs:file rw_file_perms;
\ No newline at end of file
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
new file mode 100644
index 0000000..011f7c6
--- /dev/null
+++ b/selinux/mediaserver.te
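Review bot: The "# Allow /dev/ttyUSB0 access" rule (`allow kickstart radio_device:chr_file { write ioctl getattr };`) is fully covered by the `rw_file_perms` rule on radio_device three lines above it, assuming rw_file_perms has its usual base-policy expansion that includes write, ioctl and getattr, so the second rule is dead and its comment is misleading about what ttyUSB0 gets; fold the two into one rule with a comment naming both nodes, e.g. `# /dev/mdm (modem driver) and /dev/ttyUSB0 (both labelled radio_device)`. The `block_device:dir { getattr write search }` rule grants `write` on the /dev/block directory itself, which allows creating or removing entries there, not just resolving the by-name symlink the comment describes; if only path resolution is needed, `search` alone is the smaller grant, worth confirming against the denials that motivated it. The `dac_override setuid` capability rule is explained only by "ls on /data/qcks/", which does not account for setuid; a comment per capability would help, and the file is missing its trailing newline.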
@@ -0,0 +1,7 @@
+qmux_socket(mediaserver)
+allow mediaserver self:socket create_socket_perms;
+allow mediaserver { firmware_camera }:file r_file_perms;
+allow mediaserver firmware_camera:dir r_dir_perms;
+allow mediaserver camera_data_file:file rw_file_perms;
+allow mediaserver volume_data_file:file create_file_perms;
+allow mediaserver volume_data_file:dir create_dir_perms;
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
new file mode 100755
index 0000000..11159a4
--- /dev/null
+++ b/selinux/netmgrd.te
@@ -0,0 +1,29 @@
+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(netmgrd)
+
+allow netmgrd self:udp_socket { create ioctl };
+# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
+allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow netmgrd self:packet_socket { write bind read create };
+allow netmgrd self:netlink_socket { write read create bind setopt };
+allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
+allow netmgrd kernel:system module_request;
+
+# Talk to qmuxd
+qmux_socket(netmgrd)
+
+# Allow logging diagnostic items
+allow netmgrd diagnostic_device:chr_file rw_file_perms;
+
+# /data/data_test/ access with shell
+allow netmgrd shell_exec:file { execute read open execute_no_trans };
+allow netmgrd system_file:file { execute_no_trans };
+
+# Talk to init over the property socket
+unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet_usb0. values
+allow netmgrd radio_prop:property_service set;
diff --git a/selinux/qmux.te b/selinux/qmux.te
new file mode 100755
index 0000000..e2a5bbf
--- /dev/null
+++ b/selinux/qmux.te
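Review bot: Style: `allow mediaserver { firmware_camera }:file r_file_perms;` wraps a single type in braces while the line directly below writes `firmware_camera:dir` bare; the same single-element brace set appears in rild.te (`{ efs_file }`), secril.te (`{ efs_file }`, `{ create_file_perms }`) and ueventd.te (all four rules), and it reads as a leftover from audit2allow output. Drop the braces wherever the set has one member so the files match the bare-type form used elsewhere in the patch. The `self:socket create_socket_perms` rule is the generic socket class and is the one rule here with no hint of which protocol family mediaserver needs it for; a comment such as `# <family> socket used by the camera HAL -- TODO confirm` would document it.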
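Review bot: The capability rule in netmgrd.te grants seven capabilities including sys_module, but the comment above it explains only fsetid and dac_override (the socket unlink), and the `kernel:system module_request` rule two lines below already covers the case where netmgrd triggers an automatic module load; sys_module additionally lets the daemon load arbitrary modules itself, which is presumably not required and is worth removing if module_request alone clears the denials. Each of the remaining capabilities (setuid, setgid, net_admin, net_raw) would benefit from its own short justification in the comment, and `allow netmgrd system_file:file { execute_no_trans };` lets netmgrd run any system binary in its own domain, which the "/data/data_test/ access with shell" comment does not really explain.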
@@ -0,0 +1,21 @@
+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(qmux)
+
+# Create local qmux_connect_socket
+allow qmux qmuxd_socket:dir w_dir_perms;
+allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
+
+# /dev/hsicctl* node access
+allow qmux radio_device:chr_file rw_file_perms;
+
+# Allow logging diagnostic items
+allow qmux diagnostic_device:chr_file rw_file_perms;
+
+allow qmux self:capability { dac_override setuid };
+
+# XXX Should we label with own type
+allow qmux sysfs:file { open write append read getattr };
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100755
index 0000000..04209b0
--- /dev/null
+++ b/selinux/rild.te
@@ -0,0 +1,14 @@
+## RIL
+allow rild radio_device:chr_file rw_file_perms;
+allow rild { efs_file }:file rw_file_perms;
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+
+# Talk to qmuxd
+qmux_socket(rild)
+
+# Allow logging diagnostic items
+allow rild diagnostic_device:chr_file rw_file_perms;
+
+# XXX label with own type?
+allow rild sysfs:file { read open write getattr };
diff --git a/selinux/secril.te b/selinux/secril.te
new file mode 100755
index 0000000..7761d80
--- /dev/null
+++ b/selinux/secril.te
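Review bot: `allow qmux self:capability { dac_override setuid };` is the only rule in qmux.te without a comment, and dac_override in particular deserves one because it bypasses DAC checks everywhere, not just on the socket directory the earlier rules are about. Suggested: `# dac_override: chmod/unlink of client sockets under /dev/socket/qmux_*; setuid: drop privileges after start -- TODO confirm`. The sysfs rule already carries an XXX, so no second note on it.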
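Review bot: `allow rild { efs_file }:file rw_file_perms;` gives the RIL write access to every file labelled efs_file, which in this patch's file_contexts includes /efs/FactoryApp/keystr, factorymode and serial_no, so a compromised RIL could alter factory-mode and serial data; if rild only needs to read those, `r_file_perms` is the smaller grant, and if it must write one of them, a dedicated type for that file would keep the rest read-only. `allow rild self:netlink_route_socket { write };` grants write without create or bind, which only makes sense if the socket is inherited or the remaining permissions come from the base policy; a comment stating which would save the next reader from assuming the rule is incomplete. The file also mixes `##` and `#` comment markers.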
@@ -0,0 +1,25 @@
+# sec-ril
+type secril-daemon, domain;
+type secril-daemon_exec, exec_type, file_type;
+
+# Start /system/bin/sec-ril from init
+init_daemon_domain(secril-daemon)
+
+allow secril-daemon secril-daemon_exec:file { open execute_no_trans getattr };
+allow secril-daemon self:udp_socket { create ioctl };
+unix_socket_connect(secril-daemon, property, init)
+unix_socket_connect(secril-daemon, rild, rild)
+
+allow secril-daemon { efs_file }:file rw_file_perms;
+allow secril-daemon system_data_file:dir create_dir_perms;
+allow secril-daemon system_data_file:file unlink;
+allow secril-daemon radio_data_file:file { create_file_perms };
+allow secril-daemon kernel:system module_request;
+allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow secril-daemon system_file:file x_file_perms;
+allow secril-daemon sysfs:file rw_file_perms;
+allow secril-daemon shell_exec:file rx_file_perms;
+allow secril-daemon app_data_file:file rw_file_perms;
+allow secril-daemon app_data_file:dir search;
+allow secril-daemon zygote_exec:file rx_file_perms;
+allow secril-daemon ashmem_device:chr_file x_file_perms;
\ No newline at end of file
diff --git a/selinux/system.te b/selinux/system.te
new file mode 100755
index 0000000..3f9fc14
--- /dev/null
+++ b/selinux/system.te
@@ -0,0 +1,12 @@
+# Talk to qmuxd
+qmux_socket(system)
+
+allow system diagnostic_device:chr_file rw_file_perms;
+#allow system uinput_device:chr_file { read ioctl write open };
+allow system sensors_device:chr_file { read open };
+allow system sensors_data_file:file r_file_perms;
+allow system wpa_socket:unix_dgram_socket sendto;
+allow system_app volume_data_file:file { read write open getattr };
+
+allow system sysfs:file { read open write };
+allow system self:capability { sys_module };
\ No newline at end of file
diff --git a/selinux/te_macros b/selinux/te_macros
new file mode 100755
index 0000000..274fd55
--- /dev/null
+++ b/selinux/te_macros
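Review bot: The capability rule in secril.te is byte-for-byte the same seven-capability set as netmgrd.te's (same members, same order) and, unlike netmgrd.te, has no comment at all, which suggests it was copied rather than derived from sec-ril's own denials; sys_module in particular is hard to justify for a RIL helper when `kernel:system module_request` is granted on the line above. The block from `app_data_file:file rw_file_perms` through `zygote_exec:file rx_file_perms` and `ashmem_device:chr_file x_file_perms` lets this daemon read and modify any app's private data and execute the zygote binary, and `system_data_file:file unlink` lets it delete arbitrary /data/system files; none of these has a comment, so it is impossible to tell which denial each answers. Suggest trimming each rule to the observed need and prefixing every non-obvious line with the path or operation it was added for, in the style used in kickstart.te. The file is also missing its trailing newline.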
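Review bot: `allow system_app volume_data_file:file { read write open getattr };` has system_app as its subject while every other rule in system.te is about the `system` domain, so it is in the wrong file and will be overlooked by anyone auditing system_app's rules; move it to system_app.te (or document why it lives here). `allow system self:capability { sys_module };` is uncommented and grants module loading to system_server, which is a large capability for a domain that hosts application-facing services; if it answers a specific denial, name it in a comment, otherwise consider whether `kernel:system module_request` is what was actually needed. The commented-out uinput rule is dead text and the file lacks a trailing newline.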
@@ -0,0 +1,12 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client to send via a local
+# socket to the qmux domain.
+define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
+unix_socket_connect($1, qmuxd, qmux)
+allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
+')
+
+
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
new file mode 100644
index 0000000..489b31a
--- /dev/null
+++ b/selinux/ueventd.te
@@ -0,0 +1,6 @@
+# Drivers read firmware files /firmware/image
+allow ueventd { radio_efs_file }:file r_file_perms;
+allow ueventd { radio_efs_file }:dir search;
+## More Firmwares
+allow ueventd { firmware_mfc }:file r_file_perms;
+allow ueventd { firmware_camera }:dir search;
\ No newline at end of file
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
new file mode 100755
index 0000000..ab5fb24
--- /dev/null
+++ b/selinux/wpa_supplicant.te
@@ -0,0 +1,10 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system:unix_dgram_socket sendto;
+
+allow wpa_socket wifi_data_file:sock_file unlink;
+allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
--
cgit v1.1
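Review bot: The header comment of qmux_socket describes only the connect side, but the macro body also declares a new type `$1_qmuxd_socket`, sets up the auto-transition for sockets the client creates under qmuxd_socket directories, and gives qmux getattr/unlink on them; a caller who does not read the body will not know that invoking the macro twice for the same domain would presumably be rejected as a duplicate type declaration. Extend the comment to: `# Declares $1_qmuxd_socket and labels sockets $1 creates under qmuxd_socket dirs with it; lets $1 connect to qmux and lets qmux stat/unlink those sockets. Invoke at most once per domain.` The two trailing blank lines can be removed.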
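Review bot: The first comment in ueventd.te says drivers read "/firmware/image", but the rules beneath it are on radio_efs_file, and no entry in this patch labels /firmware or any other path with that type, so the comment and the rule do not visibly agree; rewrite it to name the type and the mount it is expected to carry, e.g. `# firmware loading reads from the modem EFS mount (radio_efs_file) -- path per fstab, TODO confirm`. The `## More Firmwares` marker uses a different comment style from the line above and from the rest of the patch. The file is missing its trailing newline.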
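Review bot: `allow wpa_socket system:unix_dgram_socket sendto;` and `allow wpa_socket wifi_data_file:sock_file unlink;` use wpa_socket as the subject, but wpa_socket is used everywhere else in this patch as an object label (the socket target in init.te and system.te, and the target of the rule directly above), and allow rules only match when the subject is a process domain, so these two rules presumably never fire and the corresponding denials would remain. The likely intent is the wpa domain as subject: `allow wpa system:unix_dgram_socket sendto;` and `allow wpa wifi_data_file:sock_file unlink;`, which mirrors the `allow system wpa_socket:unix_dgram_socket sendto;` rule in system.te. The file also lacks a trailing newline.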