From d4c68ff6311509354fdb64d33221d0ba6fb418f1 Mon Sep 17 00:00:00 2001
From: RGIB
Date: Wed, 22 Jun 2016 12:23:00 +0200
Subject: kona : selinux update for qcom

Change-Id: Ic3302e9642c7a0b76604de5786a0073629a9fc37
---
 selinux/at_distributor.te | 5 +++++
 selinux/diag_uart_log.te | 7 +++++++
 selinux/domain.te | 5 ++++-
 selinux/file_contexts | 29 ++++++++++++++++++++++++++++-
 selinux/init.te | 5 ++++-
 selinux/qc_kickstart.te | 15 +++++++++++++++
 selinux/qmiproxy.te | 11 +++++++++++
 selinux/qmuxd.te | 13 +++++++++++++
 selinux/rild.te | 8 +++++++-
 selinux/sysinit.te | 5 ++++-
 10 files changed, 98 insertions(+), 5 deletions(-)
 create mode 100644 selinux/diag_uart_log.te
 create mode 100644 selinux/qc_kickstart.te
 create mode 100644 selinux/qmiproxy.te
 create mode 100644 selinux/qmuxd.te
(limited to 'selinux')

diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
index b700a33..039b540 100644
--- a/selinux/at_distributor.te
+++ b/selinux/at_distributor.te
@@ -25,3 +25,8 @@ allow at_distributor shell_exec:file { read execute open };
 allow at_distributor system_file:file execute_no_trans;
 allow at_distributor zygote_exec:file { read getattr open execute execute_no_trans };
 allow at_distributor system_server:binder { transfer call };
+allow at_distributor diag_uart_log_exec:file getattr;
+allow at_distributor gps_device:chr_file { read write ioctl open };
+allow at_distributor shell_exec:file execute_no_trans;
+allow at_distributor radio_data_file:dir search;
+allow at_distributor radio_data_file:file { read getattr open setattr };
diff --git a/selinux/diag_uart_log.te b/selinux/diag_uart_log.te
new file mode 100644
index 0000000..38429db
--- /dev/null
+++ b/selinux/diag_uart_log.te
@@ -0,0 +1,7 @@
+type diag_uart_log, domain;
+type diag_uart_log_exec, exec_type, file_type;
+init_daemon_domain(diag_uart_log)
+domain_trans(init, rootfs, diag_uart_log)
+
+allow diag_uart_log at_distributor:unix_stream_socket connectto;
+allow diag_uart_log self:capability setuid;
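Review bot: `allow at_distributor shell_exec:file execute_no_trans;` lets at_distributor run the shell inside its own domain, and with the existing `allow at_distributor system_file:file execute_no_trans;` context line that means anything it spawns keeps the gps_device and radio_data_file access added in this hunk; if a helper script is what needs the shell, a dedicated child domain via `domain_auto_trans` keeps the daemon's permissions from flowing into it. The `setattr` in `allow at_distributor radio_data_file:file { read getattr open setattr };` is also wider than the read-only access the rest of the hunk asks for; if the daemon only reads /efs data, drop `setattr`. A short comment naming which binary or script the shell grant is for would make the rule reviewable later.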
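Review bot: `domain_trans(init, rootfs, diag_uart_log)` makes every rootfs-labelled file a valid entrypoint into the new domain, while file_contexts in this commit labels /system/bin/diag_uart_log as `diag_uart_log_exec` and `init_daemon_domain(diag_uart_log)` already sets up the transition from that label; unless the binary is also started from an unlabelled rootfs path, the `domain_trans` line can be dropped. The same pattern appears in qc_kickstart.te, qmiproxy.te and qmuxd.te in this commit. The file also says nothing about what the daemon is; a header such as `# diag_uart_log daemon (/system/bin/diag_uart_log), started by init` would help, and the `self:capability setuid` line deserves a comment on which uid it drops to.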
diff --git a/selinux/domain.te b/selinux/domain.te
index f55b780..56f028c 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -2,4 +2,7 @@
 allow domain kernel:system module_request;
 allow domain log_device:chr_file { write read open };
 allow domain log_device:dir search;
-type efs_device_file, dev_type;
\ No newline at end of file
+type efs_device_file, dev_type;
+
+# load SHIM libraries
+allow init { domain -lmkd }:process noatsecure;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index b9b57ac..a1d9f80 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -6,7 +6,17 @@
 
 /system/bin/orientationd u:object_r:orientationd_exec:s0
 /system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+/system/bin/diag_uart_log u:object_r:diag_uart_log_exec:s0
+/system/bin/qcks u:object_r:qc_kickstart_exec:s0
+/system/bin/ks u:object_r:qc_kickstart_exec:s0
+/system/bin/efsks u:object_r:qc_kickstart_exec:s0
+/system/bin/qmiproxy u:object_r:qmiproxy_exec:s0
+/system/bin/qmuxd u:object_r:qmuxd_exec:s0
+
 /efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/efs/imei(/.*)? u:object_r:radio_data_file:s0
+/efs/FactoryApp(/.*)? u:object_r:radio_data_file:s0
+
 /data/system/yas.cfg u:object_r:gps_data_file:s0
 /data/system/yas-backup.cfg u:object_r:gps_data_file:s0
 /data/system/gps(/.*)? u:object_r:gps_data_file:s0
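Review bot: `allow init { domain -lmkd }:process noatsecure;` turns off AT_SECURE for every init-spawned domain except lmkd, so the dynamic linker will honour environment-driven library loading (the "load SHIM libraries" case) in all of them rather than only where a shim is actually needed; this should stay a per-domain grant in init.te, as the existing `allow init rild:process noatsecure;` there is, listing just the daemons that load shims. As written, the rild line in init.te becomes redundant with this rule. A rule whose subject is `init` also reads oddly in domain.te, where every other rule has `domain` as the subject.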
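Review bot: `/efs/imei(/.*)?` and `/efs/FactoryApp(/.*)?` are given the shared `radio_data_file` type, so every domain with radio_data_file access (at_distributor gains `setattr` on such files and rild gains read in this commit) reaches the IMEI data; a dedicated type for /efs/imei would let the policy separate read-only consumers from writers. If the shared type is intentional, a one-line comment above the two entries saying which daemons need it would help the next reader.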
@@ -26,9 +36,26 @@
 /dev/umts_rfs0 u:object_r:radio_device:s0
 /dev/link_pm u:object_r:radio_device:s0
 /dev/rfkill u:object_r:radio_device:s0
+/dev/mdm u:object_r:radio_device:s0
+/dev/hsicctl0 u:object_r:radio_device:s0
+/dev/hsicctl1 u:object_r:radio_device:s0
+/dev/hsicctl2 u:object_r:radio_device:s0
+/dev/hsicctl3 u:object_r:radio_device:s0
+/dev/diag u:object_r:radio_device:s0
+/dev/ttyUSB0 u:object_r:radio_device:s0
+/dev/ttyUSB1 u:object_r:radio_device:s0
+/dev/ttyUSB2 u:object_r:radio_device:s0
+/dev/block/modem/m9kefs1 u:object_r:radio_device:s0
+/tombstones/qcks(/.*)? u:object_r:tombstone_data_file:s0
 /dev/block/mmcblk0p3 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p4 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p5 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p6 u:object_r:userdata_block_device:s0
 /dev/block/mmcblk0p7 u:object_r:userdata_block_device:s0
 /dev/block/mmcblk0p8 u:object_r:userdata_block_device:s0
 /dev/block/mmcblk0p9 u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
\ No newline at end of file
+/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p14 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p19 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p21 u:object_r:userdata_block_device:s0
diff --git a/selinux/init.te b/selinux/init.te
index c7885f5..53ec2b7 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1,5 +1,8 @@
 allow init debugfs:dir mounton;
 allow init sysfs:lnk_file setattr;
 allow init tmpfs:lnk_file create;
+allow init vfat:dir mounton;
+allow init block_device:lnk_file setattr;
+
 # load SHIM libraries
-allow init rild:process noatsecure;
\ No newline at end of file
+allow init rild:process noatsecure;
diff --git a/selinux/qc_kickstart.te b/selinux/qc_kickstart.te
new file mode 100644
index 0000000..af7665b
--- /dev/null
+++ b/selinux/qc_kickstart.te
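Review bot: `/dev/block/mmcblk0p4`, `p5`, `p6`, `p14`, `p19` and `p21` are all given `userdata_block_device`, so every rule written for the userdata partition — the existing rild `blk_file { read open }` and the new qc_kickstart `blk_file write` in this commit — now covers these partitions too; the commit does not say what they hold, so a separate type for the modem/EFS partitions would keep raw writes limited to the daemon that needs them. `/dev/block/modem/m9kefs1` is labelled `radio_device`, but the rules on that type in this commit all use `chr_file`; if that node is a block device the label grants nothing and access will surface as a denial on `radio_device:blk_file` — confirm the node type. A comment grouping the partition lines by purpose would make the bare partition numbers less opaque.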
@@ -0,0 +1,15 @@
+type qc_kickstart, domain;
+type qc_kickstart_exec, exec_type, file_type;
+init_daemon_domain(qc_kickstart)
+domain_trans(init, rootfs, qc_kickstart)
+
+allow qc_kickstart userdata_block_device:blk_file { read open };
+allow qc_kickstart radio_device:chr_file { read write getattr open ioctl };
+allow qc_kickstart self:capability setuid;
+allow qc_kickstart shell_exec:file { read execute open execute_no_trans };
+allow qc_kickstart system_file:file execute_no_trans;
+allow qc_kickstart tombstone_data_file:file { read write getattr open setattr };
+allow qc_kickstart vfat:file { read getattr open };
+allow qc_kickstart qc_kickstart_exec:file execute_no_trans;
+allow qc_kickstart tombstone_data_file:dir search;
+allow qc_kickstart userdata_block_device:blk_file write;
diff --git a/selinux/qmiproxy.te b/selinux/qmiproxy.te
new file mode 100644
index 0000000..9642261
--- /dev/null
+++ b/selinux/qmiproxy.te
@@ -0,0 +1,11 @@
+type qmiproxy, domain;
+type qmiproxy_exec, exec_type, file_type;
+init_daemon_domain(qmiproxy)
+domain_trans(init, rootfs, qmiproxy)
+
+allow qmiproxy radio_device:chr_file { read write open };
+allow qmiproxy init:unix_stream_socket connectto;
+allow qmiproxy property_socket:sock_file write;
+allow qmiproxy radio_prop:property_service set;
+allow qmiproxy socket_device:dir { write add_name };
+allow qmiproxy socket_device:sock_file create;
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
new file mode 100644
index 0000000..a69ee6c
--- /dev/null
+++ b/selinux/qmuxd.te
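Review bot: The two `userdata_block_device:blk_file` rules (`{ read open }` on the first allow line and `write` on the last) should be a single rule, `allow qc_kickstart userdata_block_device:blk_file { read write open };`, so the raw-partition write is visible in one place. That write is the sensitive grant in this file: together with `shell_exec:file { read execute open execute_no_trans }` and `system_file:file execute_no_trans`, any script or binary the daemon runs in its own domain inherits raw write access to every partition labelled userdata_block_device, and file_contexts in this commit adds several. If the writes are meant only for the modem EFS partitions, a dedicated block-device type for those would contain the blast radius; a header comment naming the three binaries (qcks, ks, efsks) that share this domain would also help.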
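Review bot: `allow qmiproxy init:unix_stream_socket connectto;`, `allow qmiproxy property_socket:sock_file write;` and `allow qmiproxy radio_prop:property_service set;` are the hand-expanded form of the property-service macros; if this tree's te_macros provides them, `unix_socket_connect(qmiproxy, property, init)` and `set_prop(qmiproxy, radio_prop)` express the same grants and make the intent obvious. The socket the daemon creates under socket_device (`socket_device:sock_file create`) inherits the `socket_device` label, since there is no type_transition rule or dedicated type for it, so any domain allowed to write socket_device sock_files can reach it; if it is only for rild and qmuxd, give it its own type with a `type_transition` (a file_contexts entry alone only applies at restorecon time).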
@@ -0,0 +1,13 @@
+type qmuxd, domain;
+type qmuxd_exec, exec_type, file_type;
+init_daemon_domain(qmuxd)
+domain_trans(init, rootfs, qmuxd)
+
+allow qmuxd radio_device:chr_file { read write open };
+allow qmuxd self:capability { setuid dac_override };
+allow qmuxd socket_device:dir { write add_name };
+allow qmuxd socket_device:sock_file { create setattr };
+allow qmuxd sysfs:file write;
+allow qmuxd sysfs_wake_lock:file { open append };
+allow qmuxd socket_device:dir remove_name;
+allow qmuxd socket_device:sock_file { getattr unlink };
diff --git a/selinux/rild.te b/selinux/rild.te
index c9f2b16..b0608c8 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -7,4 +7,10 @@ allow rild sysfs:file write;
 allow rild userdata_block_device:blk_file { read open };
 allow rild mediaserver:dir search;
 allow rild efs_file:file { read getattr unlink append };
-allow rild mediaserver:file { read getattr open };
\ No newline at end of file
+allow rild mediaserver:file { read getattr open };
+allow rild qmuxd:unix_stream_socket connectto;
+allow rild socket_device:dir { write add_name };
+allow rild socket_device:sock_file { write create setattr };
+allow rild devpts:chr_file { read write getattr };
+allow rild init:unix_stream_socket { read write listen accept getopt };
+allow rild radio_data_file:file { read getattr open };
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
index 0299755..3bb4d51 100644
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
@@ -5,4 +5,7 @@ allow sysinit wifi_data_file:file { read write open };
 allow sysinit camera_data_file:dir search;
 allow sysinit efs_file:dir search;
 allow sysinit camera_data_file:dir { write add_name };
-allow sysinit efs_file:file { open read write };
\ No newline at end of file
+allow sysinit efs_file:file { open read write };
+allow sysinit cache_file:dir { write add_name };
+allow sysinit cache_file:file { write create open };
+allow sysinit kernel:system syslog_read;
-- 
cgit v1.1
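Review bot: `allow qmuxd self:capability { setuid dac_override };` — `dac_override` usually means the daemon opens a file owned by another uid/gid rather than a genuine need, and it bypasses DAC on every file the domain can otherwise reach; the denial that prompted it is worth checking so the ownership can be fixed in init.rc or ueventd.rc instead. `allow qmuxd sysfs:file write;` is likewise the unlabelled catch-all sysfs type; the wake-lock node on the next line already has its own `sysfs_wake_lock` type, so the other node it writes should be labelled the same way. The two `socket_device:dir` rules and the two `socket_device:sock_file` rules can each be merged into one line.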
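Review bot: `allow rild devpts:chr_file { read write getattr };` gives the RIL daemon access to pseudo-terminals, which a daemon started by init has no obvious use for; this looks like a denial captured while rild was run from a shell, and should be confirmed before it ships. `allow rild init:unix_stream_socket { read write listen accept getopt };` suggests the listening socket is created by init and keeps init's label; a comment above the line naming the init.rc `socket` entry it refers to would make the rule explainable. The earlier rild rules are above this hunk and not visible here.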
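Review bot: `allow sysinit cache_file:dir { write add_name };` grants no `search` on the same type, unlike the `camera_data_file:dir search;` / `camera_data_file:dir { write add_name };` pair in the context lines above, so creating a file under /cache may still be denied unless cache_file dir search is granted elsewhere in the policy; `allow sysinit cache_file:dir { search write add_name };` is the usual form. `allow sysinit kernel:system syslog_read;` lets the script read the whole kernel ring buffer; if that is intended, a comment saying what it looks for in dmesg would justify the grant.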