From b1b8ee6ff1bf975a1c02c11360e8faee3276a655 Mon Sep 17 00:00:00 2001
From: RGIB
Date: Sat, 16 Jan 2016 23:00:52 +0100
Subject: kona : selinux update
Change-Id: I45081a265850b0df959830133cc942e55865f92c
---
 selinux/bluetooth.te | 3 ++-
 selinux/bootanim.te | 1 +
 selinux/debuggerd.te | 3 ++-
 selinux/gatekeeperd.te | 1 +
 selinux/init.te | 15 ++++++++++++++-
 selinux/installd.te | 2 ++
 selinux/keystore.te | 2 ++
 selinux/lmkd.te | 1 +
 selinux/logd.te | 1 +
 selinux/mediaserver.te | 2 +-
 selinux/perfprofd.te | 1 +
 selinux/radio.te | 2 ++
 selinux/rild.te | 8 +++++++-
 selinux/servicemanager.te | 1 +
 selinux/shell.te | 2 ++
 selinux/sysinit.te | 5 +++--
 selinux/system_server.te | 3 ++-
 selinux/untrusted_app.te | 1 +
 selinux/vold.te | 1 +
 selinux/zygote.te | 1 +
 20 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 selinux/bootanim.te
 create mode 100644 selinux/gatekeeperd.te
 create mode 100644 selinux/installd.te
 create mode 100644 selinux/keystore.te
 create mode 100644 selinux/lmkd.te
 create mode 100644 selinux/logd.te
 create mode 100644 selinux/perfprofd.te
 create mode 100644 selinux/servicemanager.te
 create mode 100644 selinux/shell.te
 create mode 100644 selinux/vold.te
(limited to 'selinux')
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
index a6e68b8..903cc85 100644
--- a/selinux/bluetooth.te
+++ b/selinux/bluetooth.te
@@ -1,2 +1,3 @@
 allow bluetooth smd_device:chr_file { read write ioctl open };
-allow bluetooth sysfs:file { write };
\ No newline at end of file
+allow bluetooth sysfs:file { write };
+allow bluetooth log_device:chr_file write;
diff --git a/selinux/bootanim.te b/selinux/bootanim.te
new file mode 100644
index 0000000..4033188
--- /dev/null
+++ b/selinux/bootanim.te
@@ -0,0 +1 @@
+allow bootanim log_device:chr_file open;
diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te
index 1a03fb4..22547e8 100644
--- a/selinux/debuggerd.te
+++ b/selinux/debuggerd.te
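Review bot: `allow bootanim log_device:chr_file open;` grants open but not write on the log device, so it cannot be the complete access bootanim needs to log and the first write will raise a fresh denial; the bluetooth hunk above it adds the opposite half, `allow bluetooth log_device:chr_file write;` without open. Both read like single audit2allow lines taken from one denial each rather than the full set. Most other domains in this commit get `{ write open }`, which is the access a log write through the device node needs; use that set here too, or drop the bootanim rule if nothing in that domain is expected to reach the node.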
@@ -1,2 +1,3 @@
-allow debuggerd log_device:chr_file { read open };
+allow debuggerd log_device:chr_file { write read open };
 allow debuggerd log_device:dir search;
+allow debuggerd kernel:system module_request;
diff --git a/selinux/gatekeeperd.te b/selinux/gatekeeperd.te
new file mode 100644
index 0000000..1d177e0
--- /dev/null
+++ b/selinux/gatekeeperd.te
@@ -0,0 +1 @@
+allow gatekeeperd kernel:system module_request;
diff --git a/selinux/init.te b/selinux/init.te
index d231f03..892872c 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -4,4 +4,17 @@ allow init init:tcp_socket { read write create };
 allow init port:tcp_socket name_connect;
 allow init self:tcp_socket { read write getopt connect };
 allow init kernel:system syslog_read;
-#allow init system_file:file execute_no_trans;
+allow init input_device:chr_file ioctl;
+allow init system_data_file:file lock;
+allow init fwmarkd_socket:sock_file write;
+allow init netd:unix_stream_socket { connectto write };
+allow init ril_device:chr_file ioctl;
+allow init input_device:chr_file write;
+allow init property_socket:sock_file write;
+allow init device:chr_file { create unlink };
+allow init devpts:chr_file { getattr ioctl };
+allow init kernel:system module_request;
+allow init log_device:chr_file write;
+allow init ril_device:chr_file write;
+allow init rild:unix_stream_socket connectto;
+allow init system_data_file:fifo_file write;
diff --git a/selinux/installd.te b/selinux/installd.te
new file mode 100644
index 0000000..ea127bc
--- /dev/null
+++ b/selinux/installd.te
@@ -0,0 +1,2 @@
+allow installd kernel:system module_request;
+allow installd log_device:chr_file { write open };
diff --git a/selinux/keystore.te b/selinux/keystore.te
new file mode 100644
index 0000000..34e2779
--- /dev/null
+++ b/selinux/keystore.te
@@ -0,0 +1,2 @@
+allow keystore kernel:system module_request;
+allow keystore log_device:chr_file { write open };
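Review bot: `allow debuggerd kernel:system module_request;` lets the domain trigger kernel module autoloading, and this commit repeats the grant for gatekeeperd, init, installd, keystore, perfprofd, shell, sysinit and zygote (untrusted_app and radio already carry it as context lines). These denials are usually a side effect of a socket() or ioctl() for a protocol family the kernel does not have built in, so allowing them changes nothing when the module is absent and only opens the autoload path when it is present. The policy answer is to silence the denial rather than grant it, `dontaudit debuggerd kernel:system module_request;`, one line per domain, and keep module_request off every domain that does not demonstrably need to load modules. If I remember right, newer AOSP policy forbids module_request outside init with a neverallow, so these lines would also stop compiling on an upgrade.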
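Review bot: The new init rules are client-side accesses to other daemons' interfaces — `fwmarkd_socket:sock_file write` and `netd:unix_stream_socket { connectto write }` toward netd, `rild:unix_stream_socket connectto` plus `ril_device:chr_file { ioctl write }` toward the RIL, and `property_socket:sock_file write` toward init's own property service — which init does not perform itself; together with the removed `#allow init system_file:file execute_no_trans;` this looks like a script or helper that init runs without a domain transition, whose denials are now being written into the init domain. That parks the accesses on the most privileged userspace domain and hides which program actually uses them. Give that executable its own exec type in file_contexts and its own domain (`init_daemon_domain()` or an explicit `domain_auto_trans`), move these rules there, and check whether `input_device:chr_file { ioctl write }` and `device:chr_file { create unlink }` belong to the same helper. The rest of init.te is outside this hunk.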
diff --git a/selinux/lmkd.te b/selinux/lmkd.te
new file mode 100644
index 0000000..5f7bd53
--- /dev/null
+++ b/selinux/lmkd.te
@@ -0,0 +1 @@
+allow lmkd log_device:chr_file { write open };
diff --git a/selinux/logd.te b/selinux/logd.te
new file mode 100644
index 0000000..74e23a8
--- /dev/null
+++ b/selinux/logd.te
@@ -0,0 +1 @@
+allow logd log_device:chr_file { write open };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 0a3970e..9722653 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -6,4 +6,4 @@ allow mediaserver camera_data_file:file rw_file_perms;
 allow mediaserver volume_data_file:file create_file_perms;
 allow mediaserver volume_data_file:dir create_dir_perms;
 allow mediaserver mfc_device:chr_file rw_file_perms;
-# allow mediaserver system_data_file:file { write open };
+allow mediaserver log_device:chr_file { write open };
diff --git a/selinux/perfprofd.te b/selinux/perfprofd.te
new file mode 100644
index 0000000..82f4377
--- /dev/null
+++ b/selinux/perfprofd.te
@@ -0,0 +1 @@
+allow perfprofd kernel:system module_request;
diff --git a/selinux/radio.te b/selinux/radio.te
index 427a4c6..026de1b 100644
--- a/selinux/radio.te
+++ b/selinux/radio.te
@@ -1,2 +1,4 @@
 allow radio kernel:system module_request;
 allow radio log_device:chr_file { write open };
+allow radio system_app_data_file:dir search;
+allow radio system_app_data_file:file getattr;
diff --git a/selinux/rild.te b/selinux/rild.te
index f88bea5..f022c36 100755
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -19,7 +19,13 @@ allow rild radio_data_file:dir setattr;
 allow rild self:capability dac_override;
 allow rild unlabeled:dir search;
 allow rild unlabeled:file { read getattr open setattr };
-
 allow rild dumpstate_exec:file getattr;
 allow rild system_data_file:dir write;
 allow rild unlabeled:file write;
+allow rild log_device:chr_file { write open };
+allow rild proc_net:file { write };
+allow rild init:dir search;
+allow rild init:file { read getattr open };
+allow rild init:unix_stream_socket { listen write getopt read accept };
+allow rild system_data_file:dir { remove_name add_name setattr };
+allow rild devpts:chr_file ioctl;
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..6ff9249
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1 @@
+allow servicemanager log_device:chr_file { write open };
diff --git a/selinux/shell.te b/selinux/shell.te
new file mode 100644
index 0000000..af2c15c
--- /dev/null
+++ b/selinux/shell.te
@@ -0,0 +1,2 @@
+allow shell kernel:system { module_request };
+allow shell su:process signal;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
index 96a4719..087beb7 100755
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
@@ -1,7 +1,8 @@
-#allow sysinit mmc_block_device:file read;
-allow sysinit firmware_camera:dir { read search open getattr };
 allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
 allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
 allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
 allow sysinit sysinit:capability { dac_override chown fowner fsetid };
 allow sysinit unlabeled:dir { search };
+allow sysinit kernel:system module_request;
+allow sysinit log_device:chr_file { write open };
+allow sysinit unlabeled:file { write open };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index c8fa3e4..0ba4b3f 100644
--- a/selinux/system_server.te
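Review bot: `allow rild proc_net:file { write };` makes every file labeled proc_net writable from the RIL daemon, and in AOSP's genfs_contexts that label covers the network sysctls under /proc/sys/net as well as the tables under /proc/net, so a process that talks to the baseband could change any network tunable. If rild writes one specific node, give that node its own type in genfs_contexts and grant write on that type only. `allow rild init:unix_stream_socket { listen write getopt read accept };` also deserves a look: a listening socket that carries init's label was created in init's context rather than rild's, which is normally not what a `socket` entry in the service's init.rc stanza produces, so confirm where that socket comes from before granting accept on it. The rild service definition is outside this hunk.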
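Review bot: `allow sysinit unlabeled:file { write open };` grants write to files that carry no label, and the same pattern recurs in this commit with `allow system_server unlabeled:file write;` in the system_server hunk (rild already has `allow rild unlabeled:file write;` as a context line here). `unlabeled` is the fallback type for anything file_contexts does not cover or that was created before the policy was applied, so it is an unbounded set rather than one object, and writing to it defeats the purpose of labeling. Take the path from the denial, add a file_contexts entry for it (and restorecon it, or relabel the partition on boot), then grant the access on that type; the unlabeled rules should not survive that.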
+++ b/selinux/system_server.te
@@ -1,5 +1,6 @@
 allow system_server efs_file:dir search;
-# allow system_server default_prop:property_service set;
 allow system_server dex2oat_exec:file execute;
 allow system_server log_device:dir search;
 allow system_server system_file:file execmod;
+allow system_server log_device:chr_file { write open };
+allow system_server unlabeled:file write;
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
index 369e87a..70ab006 100644
--- a/selinux/untrusted_app.te
+++ b/selinux/untrusted_app.te
@@ -2,3 +2,4 @@ allow untrusted_app unlabeled:file getattr;
 allow untrusted_app efs_file:dir getattr;
 allow untrusted_app kernel:system module_request;
 allow untrusted_app log_device:dir search;
+allow untrusted_app log_device:chr_file { write read open };
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..29eff5b
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1 @@
+allow vold efs_file:dir { read ioctl open };
diff --git a/selinux/zygote.te b/selinux/zygote.te
index 04fc7d3..7d039e6 100644
--- a/selinux/zygote.te
+++ b/selinux/zygote.te
@@ -1 +1,2 @@
 allow zygote kernel:system module_request;
+allow zygote log_device:chr_file { write open };
-- 
cgit v1.1
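Review bot: `allow untrusted_app log_device:chr_file { write read open };` includes `read`, which on a device still using the /dev/log kernel-logger nodes is the ability to read the whole system log, including other apps' output; the other domains in this commit get `write` or `{ write open }`, which is all liblog needs to emit lines, and only debuggerd, a legitimate log reader, gets `read`. With this rule the only remaining gate for apps is the DAC mode of the log nodes, which on older releases is how the READ_LOGS permission was effectively enforced. Unless a specific app needs it, and then it belongs in a narrower domain than untrusted_app, this should be `allow untrusted_app log_device:chr_file { write open };`.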