From db70d22263602fb90fffdfa277eff287c3fee757 Mon Sep 17 00:00:00 2001 
From: RGIB
Date: Mon, 4 Apr 2016 16:23:21 +0200
Subject: kona : MM sepolicy

Change-Id: Ib7816ea15871cc75d8cd68a5d0cbcf5e6fe66c18
---
selinux/DR-daemon.te | 11 +++++
selinux/SMD-daemon.te | 6 +++
selinux/adbd.te | 1 -
selinux/at_distributor.te | 20 +++++++++
selinux/bluetooth.te | 5 +--
selinux/bootanim.te | 1 -
selinux/cpboot-daemon.te | 18 ++++++++
selinux/debuggerd.te | 3 --
selinux/device.te | 11 -----
selinux/dex2oat.te | 3 --
selinux/dhcp.te | 1 -
selinux/domain.te | 7 +--
selinux/file.te | 8 ----
selinux/file_contexts | 107 +++++++++++++--------------------------------
selinux/gatekeeperd.te | 1 -
selinux/geomagneticd.te | 11 +++++
selinux/gpsd.te | 4 ++
selinux/init.te | 25 +++-------
selinux/installd.te | 2 -
selinux/keystore.te | 2 -
selinux/kickstart.te | 44 -------------------
selinux/lmkd.te | 1 -
selinux/logd.te | 1 -
selinux/mediaserver.te | 9 ----
selinux/netd.te | 3 --
selinux/netmgrd.te | 29 -------------
selinux/orientationd.te | 7 +++
selinux/perfprofd.te | 1 -
selinux/platform_app.te | 3 --
selinux/qmux.te | 21 --------
selinux/radio.te | 4 --
selinux/rild.te | 39 ++++-------------
selinux/sdcardd.te | 1 -
selinux/secril.te | 25 ----------
selinux/servicemanager.te | 1 -
selinux/shared_relro.te | 1 -
selinux/shell.te | 2 -
selinux/sysinit.te | 14 +++--
selinux/system.te | 11 -----
selinux/system_app.te | 2 -
selinux/system_server.te | 8 ++--
selinux/te_macros | 12 ------
selinux/ueventd.te | 6 ---
selinux/untrusted_app.te | 5 ---
selinux/vold.te | 1 -
selinux/wpa.te | 3 --
selinux/wpa_supplicant.te | 10 -----
selinux/zygote.te | 2 -
48 files changed, 135 insertions(+), 378 deletions(-)
create mode 100644 selinux/DR-daemon.te
create mode 100644 selinux/SMD-daemon.te
delete mode 100644 selinux/adbd.te
create mode 100644 selinux/at_distributor.te
delete mode 100644 selinux/bootanim.te
create mode 100644 selinux/cpboot-daemon.te
delete mode 100644 selinux/debuggerd.te
delete mode 100644 selinux/device.te
delete mode 100644 selinux/dex2oat.te
delete mode 100755 selinux/dhcp.te
delete mode 100644 selinux/file.te
delete mode 100644 selinux/gatekeeperd.te
create mode 100644 selinux/geomagneticd.te
create mode 100644 selinux/gpsd.te
delete mode 100644 selinux/installd.te
delete mode 100644 selinux/keystore.te
delete mode 100755 selinux/kickstart.te
delete mode 100644 selinux/lmkd.te
delete mode 100644 selinux/logd.te
delete mode 100644 selinux/mediaserver.te
delete mode 100644 selinux/netd.te
delete mode 100755 selinux/netmgrd.te
create mode 100644 selinux/orientationd.te
delete mode 100644 selinux/perfprofd.te
delete mode 100644 selinux/platform_app.te
delete mode 100755 selinux/qmux.te
delete mode 100644 selinux/radio.te
mode change 100755 => 100644 selinux/rild.te
delete mode 100644 selinux/sdcardd.te
delete mode 100644 selinux/secril.te
delete mode 100644 selinux/servicemanager.te
delete mode 100644 selinux/shared_relro.te
delete mode 100644 selinux/shell.te
mode change 100755 => 100644 selinux/sysinit.te
delete mode 100755 selinux/system.te
delete mode 100644 selinux/system_app.te
delete mode 100755 selinux/te_macros
delete mode 100644 selinux/ueventd.te
delete mode 100644 selinux/untrusted_app.te
delete mode 100644 selinux/vold.te
delete mode 100644 selinux/wpa.te
delete mode 100755 selinux/wpa_supplicant.te
delete mode 100644 selinux/zygote.te
(limited to 'selinux')
diff --git a/selinux/DR-daemon.te b/selinux/DR-daemon.te
new file mode 100644
index 0000000..c031d3f
--- /dev/null
+++ b/selinux/DR-daemon.te
@@ -0,0 +1,11 @@
+type DR-daemon, domain;
+type DR-daemon_exec, exec_type, file_type;
+init_daemon_domain(DR-daemon)
+domain_trans(init, rootfs, DR-daemon)
+
+allow DR-daemon radio_data_file:sock_file unlink;
+allow DR-daemon self:capability setuid;
+allow DR-daemon serial_device:chr_file { read write ioctl open };
+allow DR-daemon system_data_file:dir { write remove_name };
+allow DR-daemon system_data_file:dir add_name;
+allow DR-daemon system_data_file:sock_file create;
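Review bot: `domain_trans(init, rootfs, DR-daemon)` makes every rootfs-labelled file an entrypoint for DR-daemon (the stock macro grants `entrypoint` on the whole second argument), while `init_daemon_domain(DR-daemon)` already gives init the transition through DR-daemon_exec, which is the label this commit's file_contexts puts on /system/bin/ddexe; unless the daemon really is started from a path that stays labelled rootfs, the line looks redundant, and if it is needed a dedicated exec type should replace `rootfs`. The same pattern appears in the SMD-daemon, at_distributor, cpboot-daemon, geomagneticd, gpsd and orientationd hunks. Separately, `allow DR-daemon radio_data_file:sock_file unlink;` next to `allow DR-daemon system_data_file:sock_file create;` suggests a socket that file_contexts labels radio_data_file (presumably /data/.socket_stream) is recreated under /data and comes back with the parent directory's label; `type_transition DR-daemon system_data_file:sock_file radio_data_file;` would keep the label stable and let at_distributor's `system_data_file:sock_file write` become a radio_data_file rule. The three `system_data_file:dir` rules can be one: `allow DR-daemon system_data_file:dir { write add_name remove_name };`.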
diff --git a/selinux/SMD-daemon.te b/selinux/SMD-daemon.te
new file mode 100644
index 0000000..36cfb12
--- /dev/null
+++ b/selinux/SMD-daemon.te
@@ -0,0 +1,6 @@
+type SMD-daemon, domain;
+type SMD-daemon_exec, exec_type, file_type;
+init_daemon_domain(SMD-daemon)
+domain_trans(init, rootfs, SMD-daemon)
+
+allow SMD-daemon self:capability setuid;
diff --git a/selinux/adbd.te b/selinux/adbd.te
deleted file mode 100644
index 8776373..0000000
--- a/selinux/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow adbd kernel:system module_request;
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
new file mode 100644
index 0000000..676e4ce
--- /dev/null
+++ b/selinux/at_distributor.te
@@ -0,0 +1,20 @@
+type at_distributor, domain;
+type at_distributor_exec, exec_type, file_type;
+init_daemon_domain(at_distributor)
+domain_trans(init, rootfs, at_distributor)
+
+allow at_distributor DR-daemon:unix_stream_socket connectto;
+allow at_distributor property_socket:sock_file write;
+allow at_distributor radio_data_file:file { read getattr open };
+allow at_distributor radio_prop:property_service set;
+allow at_distributor rild:unix_stream_socket connectto;
+allow at_distributor self:capability dac_override;
+allow at_distributor serial_device:chr_file { read write ioctl open };
+allow at_distributor sysfs_wake_lock:file { read write open };
+allow at_distributor system_data_file:sock_file write;
+allow at_distributor efs_file:file getattr;
+allow at_distributor init:unix_stream_socket connectto;
+allow at_distributor efs_file:file { read open setattr };
+allow at_distributor self:capability { setuid fowner chown fsetid };
+allow at_distributor radio_data_file:dir search;
+allow at_distributor efs_file:dir search;
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
index 903cc85..185f799 100644
--- a/selinux/bluetooth.te
+++ b/selinux/bluetooth.te
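Review bot: `allow at_distributor self:capability dac_override;`, together with `{ setuid fowner chown fsetid }` and `efs_file:file setattr`, lets the daemon bypass DAC on everything it can already reach under efs_file and radio_data_file; if dac_override is only there to read root-owned /efs files, fixing their ownership at boot would remove the need for it, and a comment should say which file triggers it otherwise. The capability and efs_file rules are split across lines that can be written once: `allow at_distributor self:capability { dac_override setuid fowner chown fsetid };` and `allow at_distributor efs_file:file { read getattr open setattr };`. `allow at_distributor init:unix_stream_socket connectto;` plus `property_socket:sock_file write` is the property-service pair that `unix_socket_connect(at_distributor, property, init)` — the macro the removed kickstart.te used — expresses in one line.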
@@ -1,3 +1,2 @@
-allow bluetooth smd_device:chr_file { read write ioctl open };
-allow bluetooth sysfs:file { write };
-allow bluetooth log_device:chr_file write;
+allow bluetooth serial_device:chr_file { read write ioctl open };
+allow bluetooth sysfs:file write;
diff --git a/selinux/bootanim.te b/selinux/bootanim.te
deleted file mode 100644
index 4033188..0000000
--- a/selinux/bootanim.te
+++ /dev/null
@@ -1 +0,0 @@
-allow bootanim log_device:chr_file open;
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
new file mode 100644
index 0000000..c4e592f
--- /dev/null
+++ b/selinux/cpboot-daemon.te
@@ -0,0 +1,18 @@
+type cpboot-daemon, domain;
+type cpboot-daemon_exec, exec_type, file_type;
+init_daemon_domain(cpboot-daemon)
+domain_trans(init, rootfs, cpboot-daemon)
+
+dontaudit cpboot-daemon usbfs:dir search;
+dontaudit cpboot-daemon usbfs:filesystem mount;
+
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid dac_override };
+allow cpboot-daemon sysfs:file write;
+allow cpboot-daemon userdata_block_device:blk_file { read open };
+allow cpboot-daemon efs_file:dir search;
diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te
deleted file mode 100644
index 22547e8..0000000
--- a/selinux/debuggerd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow debuggerd log_device:chr_file { write read open };
-allow debuggerd log_device:dir search;
-allow debuggerd kernel:system module_request;
diff --git a/selinux/device.te b/selinux/device.te
deleted file mode 100644
index d3b63c0..0000000
--- a/selinux/device.te
+++ /dev/null
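Review bot: `allow bluetooth serial_device:chr_file { read write ioctl open };` is wider than the `smd_device` rule it replaces, because this commit's file_contexts hunk puts /dev/ttySAC0, /dev/ttySAC2 and /dev/ttyGS0 all under `serial_device`, so bluetooth gains the USB gadget serial port and a second UART along with its own; DR-daemon and at_distributor receive the same blanket grant in their hunks. The old file_contexts labelled /dev/ttySAC0 `hci_attach_dev`, an existing AOSP device type; keeping that entry and writing `allow bluetooth hci_attach_dev:chr_file rw_file_perms;` scopes the rule to the Bluetooth UART.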
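Review bot: `allow cpboot-daemon userdata_block_device:blk_file { read open };` grants raw read of the userdata partition, since `userdata_block_device` is the AOSP label for /data's block device; the file_contexts hunk reuses that type for /dev/block/mmcblk0p3, p7, p8, p9 and p12, which overlap the partitions the old `efs_block_device` entries covered and presumably are modem/EFS storage, and rild gets the same blk_file rule in its hunk. Reusing the type also lets any domain that legitimately works on the userdata partition reach the modem partitions. Restoring a dedicated type, e.g. `type efs_block_device, dev_type;` in the device type file with `allow cpboot-daemon efs_block_device:blk_file { read open };`, and labelling those partitions with it keeps the two sets apart. The blanket `sysfs:file write` and `self:capability { setuid dac_override }` would also be worth a comment naming the node and the file they are for.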
@@ -1,11 +0,0 @@
-type mali_device, dev_type, mlstrustedobject;
-type mfc_device, dev_type;
-type rfkill_device, dev_type;
-type diagnostic_device, dev_type;
-type efs_block_device, dev_type;
-
-#device type for smd device nodes, ie /dev/smd*
-type smd_device, dev_type;
-
-# RIL /dev/umts_*
-type ril_device, dev_type;
diff --git a/selinux/dex2oat.te b/selinux/dex2oat.te
deleted file mode 100644
index 73bde71..0000000
--- a/selinux/dex2oat.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow dex2oat kernel:system module_request;
-allow dex2oat log_device:chr_file { write open };
-allow dex2oat log_device:dir search;
diff --git a/selinux/dhcp.te b/selinux/dhcp.te
deleted file mode 100755
index c403b9b..0000000
--- a/selinux/dhcp.te
+++ /dev/null
@@ -1 +0,0 @@
-allow dhcp self:rawip_socket { create write setopt };
diff --git a/selinux/domain.te b/selinux/domain.te
index 1be0633..f55b780 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,4 +1,5 @@
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
-
+allow domain kernel:system module_request;
+allow domain log_device:chr_file { write read open };
+allow domain log_device:dir search;
+type efs_device_file, dev_type;
\ No newline at end of file
diff --git a/selinux/file.te b/selinux/file.te
deleted file mode 100644
index ae249a4..0000000
--- a/selinux/file.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type radio_efs_file, fs_type;
-type firmware_mfc, file_type;
-type firmware_camera, file_type;
-type qmuxd_socket, file_type;
-type kickstart_data_file, file_type, data_file_type;
-type sensors_data_file, file_type, data_file_type;
-type volume_data_file, file_type, data_file_type;
-type efs_device_file, file_type;
\ No newline at end of file
diff --git a/selinux/file_contexts b/selinux/file_contexts
index e733c9e..460cfc9 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
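Review bot: `allow domain log_device:chr_file { write read open };` gives every domain, untrusted apps included, read access to the legacy logger devices, whereas the per-domain files this commit deletes granted `read` only to debuggerd and untrusted_app and write-only access to the rest; `allow domain log_device:chr_file w_file_perms;` with read kept in the two domains that had it preserves the previous surface. `allow domain kernel:system module_request;` is likewise a domain-wide grant replacing rules that adbd.te, netd.te, zygote.te and the other deleted files scoped individually; if module autoload really is needed everywhere, a comment naming the module that triggers it would help the next reader. `type efs_device_file, dev_type;` is a type declaration in a rules file — it belongs in the device type file (the commit deletes device.te) and no rule in this diff references it, so it may be dead.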
@@ -1,77 +1,30 @@
-# GFX
-/dev/mali u:object_r:mali_device:s0
-/dev/ump u:object_r:mali_device:s0
-/dev/fimg2d u:object_r:mali_device:s0
-
-/dev/s3c-mfc u:object_r:mfc_device:s0
-
-# RIL
-/dev/mdm u:object_r:radio_device:s0
-/dev/hsicctl[0-3]* u:object_r:radio_device:s0
-/dev/ttyUSB0 u:object_r:radio_device:s0
-/dev/diag u:object_r:diagnostic_device:s0
-
-/dev/umts_boot0 u:object_r:ril_device:s0
-/dev/umts_ipc0 u:object_r:ril_device:s0
-/dev/umts_rfs0 u:object_r:ril_device:s0
-
-# GPS
-/dev/ttySAC1 u:object_r:gps_device:s0
-
-# Bluetooth
-/dev/ttySAC0 u:object_r:hci_attach_dev:s0
-/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
-
-# Sensors
-/dev/akm8963 u:object_r:sensors_device:s0
-/efs/gyro_cal_data u:object_r:sensors_data_file:s0
-
-# Camera
-/data/ISP_CV u:object_r:camera_data_file:s0
-/dev/exynos-mem u:object_r:video_device:s0
-
-# For wpa_supp
-/dev/rfkill u:object_r:rfkill_device:s0
-
-# Firmwares
-/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
-/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
-/data/cfw(/.*)? u:object_r:firmware_camera:s0
-/tombstones u:object_r:system_data_file:s0
-/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/tombstones/qcks(/.*)? u:object_r:kickstart_data_file:s0
-
-# Vibrator
-/dev/tspdrv u:object_r:input_device:s0
-
-# Wifi
-/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
-
-# Sec-ril
-/efs/FactoryApp/keystr u:object_r:efs_file:s0
-/efs/FactoryApp/factorymode u:object_r:efs_file:s0
-/efs/FactoryApp/serial_no u:object_r:efs_file:s0
-/data/misc/radio/ramdumpmode.txt u:object_r:radio_data_file:s0
-/data/misc/radio/dlnk u:object_r:radio_data_file:s0
-
-# Binaries
-/system/bin/qmuxd u:object_r:qmux_exec:s0
-/system/bin/netmgrd u:object_r:netmgrd_exec:s0
-/system/bin/efsks u:object_r:kickstart_exec:s0
-/system/bin/ks u:object_r:kickstart_exec:s0
-/system/bin/qcks u:object_r:kickstart_exec:s0
-/system/bin/sec-ril u:object_r:secril-daemon_exec:s0
-
-# Sockets
-/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
-
-# Block devices
-/dev/block/mmcblk0p[3-6]* u:object_r:efs_block_device:s0
-/dev/block/mmcblk0p13 u:object_r:efs_block_device:s0
-/dev/block/mmcblk0p14 u:object_r:efs_block_device:s0
-
-# Audio related
-/data/local/audio(/.*)? u:object_r:volume_data_file:s0
+/sbin/cbd u:object_r:cpboot-daemon_exec:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+/system/bin/at_distributor u:object_r:at_distributor_exec:s0
+/system/bin/smdexe u:object_r:SMD-daemon_exec:s0
+/system/bin/ddexe u:object_r:DR-daemon_exec:s0
+/system/bin/orientationd u:object_r:orientationd_exec:s0
+/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0
+
+/data/system/yas.cfg u:object_r:gps_data_file:s0
+/data/system/gps(/.*)? u:object_r:gps_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+/data/.socket_stream u:object_r:radio_data_file:s0
+/data/cfw(/.*)? u:object_r:camera_data_file:s0
+
+/dev/__cbd_msg_ u:object_r:radio_device:s0
+/dev/ttySAC0 u:object_r:serial_device:s0
+/dev/ttySAC2 u:object_r:serial_device:s0
+/dev/ttyGS0 u:object_r:serial_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/link_pm u:object_r:radio_device:s0
+
+/dev/block/mmcblk0p3 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p7 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p8 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p9 u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:userdata_block_device:s0
diff --git a/selinux/gatekeeperd.te b/selinux/gatekeeperd.te
deleted file mode 100644
index 1d177e0..0000000
--- a/selinux/gatekeeperd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow gatekeeperd kernel:system module_request;
diff --git a/selinux/geomagneticd.te b/selinux/geomagneticd.te
new file mode 100644
index 0000000..60bd916
--- /dev/null
+++ b/selinux/geomagneticd.te
@@ -0,0 +1,11 @@
+type geomagneticd, domain;
+type geomagneticd_exec, exec_type, file_type;
+init_daemon_domain(geomagneticd)
+domain_trans(init, rootfs, geomagneticd)
+
+allow geomagneticd gps_data_file:file write;
+allow geomagneticd input_device:chr_file { read ioctl open };
+allow geomagneticd input_device:dir { read open };
+allow geomagneticd gps_data_file:file { read getattr open };
+allow geomagneticd sysfs:file write;
+allow geomagneticd input_device:dir search;
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..853ec78
--- /dev/null
+++ b/selinux/gpsd.te
@@ -0,0 +1,4 @@
+domain_trans(init, rootfs, gpsd)
+
+allow gpsd rild:unix_stream_socket connectto;
+allow gpsd sysfs_wake_lock:file { read write open };
diff --git a/selinux/init.te b/selinux/init.te
index 892872c..9e53753 100644
--- a/selinux/init.te
+++ b/selinux/init.te
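Review bot: `allow geomagneticd gps_data_file:file write;` follows from the file_contexts hunk labelling /data/system/yas.cfg as `gps_data_file`, so the sensor daemon also gets write access to everything under /data/system/gps that the same hunk puts in that type; this commit deletes the `sensors_data_file` type from file.te that would have fit yas.cfg (`/data/system/yas.cfg u:object_r:sensors_data_file:s0`) and kept the two daemons' data apart. The two `gps_data_file:file` rules and the two `input_device:dir` rules can each be written once: `allow geomagneticd gps_data_file:file { read write getattr open };` and `allow geomagneticd input_device:dir { read open search };`. `allow geomagneticd sysfs:file write;` on the generic sysfs type would benefit from a comment naming the node, or from a dedicated label as `sysfs_wake_lock` is used in the gpsd hunk.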
@@ -1,20 +1,5 @@
-allow init wpa_socket:unix_dgram_socket { bind create };
-allow init init:process { execmem };
-allow init init:tcp_socket { read write create };
-allow init port:tcp_socket name_connect;
-allow init self:tcp_socket { read write getopt connect };
-allow init kernel:system syslog_read;
-allow init input_device:chr_file ioctl;
-allow init system_data_file:file lock;
-allow init fwmarkd_socket:sock_file write;
-allow init netd:unix_stream_socket { connectto write };
-allow init ril_device:chr_file ioctl;
-allow init input_device:chr_file write;
-allow init property_socket:sock_file write;
-allow init device:chr_file { create unlink };
-allow init devpts:chr_file { getattr ioctl };
-allow init kernel:system module_request;
-allow init log_device:chr_file write;
-allow init ril_device:chr_file write;
-allow init rild:unix_stream_socket connectto;
-allow init system_data_file:fifo_file write;
+allow init debugfs:dir mounton;
+allow init sysfs:lnk_file setattr;
+allow init tmpfs:lnk_file create;
+# load SHIM libraries
+allow init rild:process noatsecure;
diff --git a/selinux/installd.te b/selinux/installd.te
deleted file mode 100644
index ea127bc..0000000
--- a/selinux/installd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow installd kernel:system module_request;
-allow installd log_device:chr_file { write open };
diff --git a/selinux/keystore.te b/selinux/keystore.te
deleted file mode 100644
index 34e2779..0000000
--- a/selinux/keystore.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow keystore kernel:system module_request;
-allow keystore log_device:chr_file { write open };
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
deleted file mode 100755
index 14e1ad5..0000000
--- a/selinux/kickstart.te
+++ /dev/null
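Review bot: `allow init rild:process noatsecure;` is what lets rild honour linker environment variables inherited from init (LD_PRELOAD and, presumably, the CM linker's LD_SHIM_LIBS) instead of having them dropped under AT_SECURE, and that secure-mode cleansing is the protection a domain transition normally gives a privileged daemon, so the grant deserves more than the one-line `# load SHIM libraries`. A fuller comment would name the shim library, the variable that carries it and the init.rc setting that depends on this rule, so it can be removed when the shim goes; something like `# rild is started with a RIL shim via the linker's shim-library variable; AT_SECURE would make the linker ignore it. Remove when the shim is no longer needed.`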
@@ -1,44 +0,0 @@
-# kickstart processes and scripts
-type kickstart, domain;
-type kickstart_exec, exec_type, file_type;
-
-# kickstart_checker.sh talks to init over the property socket
-unix_socket_connect(kickstart, property, init)
-
-# Start /system/bin/qcks from init
-init_daemon_domain(kickstart)
-
-# Spawn /system/bin/efsks and /system/bin/ks
-allow kickstart kickstart_exec:file { open execute_no_trans getattr };
-
-# Run dd on m9kefs[123] block devices; write to /data/qcks/
-# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
-allow kickstart efs_block_device:blk_file rw_file_perms;
-allow kickstart kickstart_data_file:file create_file_perms;
-allow kickstart kickstart_data_file:dir rw_dir_perms;
-allow kickstart radio_efs_file:file r_file_perms;
-allow kickstart radio_efs_file:dir search;
-
-# Let qcks access /dev/mdm node (modem driver)
-allow kickstart radio_device:chr_file rw_file_perms;
-
-# Allow /dev/ttyUSB0 access
-allow kickstart radio_device:chr_file { write ioctl getattr };
-
-# Allow to run toolbox commands
-allow kickstart shell_exec:file rx_file_perms;
-# Toolbox commands for firmware dd
-allow kickstart system_file:file execute_no_trans;
-
-# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
-allow kickstart block_device:dir { getattr write search };
-
-# Set system property key
-allow kickstart radio_prop:property_service set;
-
-allow kickstart shell_exec:file entrypoint;
-# ls on /data/qcks/
-allow kickstart self:capability { dac_override setuid };
-
-# XXX Label sysfs files with a specific type?
-allow kickstart sysfs:file rw_file_perms;
\ No newline at end of file
diff --git a/selinux/lmkd.te b/selinux/lmkd.te
deleted file mode 100644
index 5f7bd53..0000000
--- a/selinux/lmkd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow lmkd log_device:chr_file { write open };
diff --git a/selinux/logd.te b/selinux/logd.te
deleted file mode 100644
index 74e23a8..0000000
--- a/selinux/logd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow logd log_device:chr_file { write open };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
deleted file mode 100644
index 9722653..0000000
--- a/selinux/mediaserver.te
+++ /dev/null
@@ -1,9 +0,0 @@
-qmux_socket(mediaserver);
-allow mediaserver self:socket create_socket_perms;
-allow mediaserver { firmware_camera }:file r_file_perms;
-allow mediaserver firmware_camera:dir r_dir_perms;
-allow mediaserver camera_data_file:file rw_file_perms;
-allow mediaserver volume_data_file:file create_file_perms;
-allow mediaserver volume_data_file:dir create_dir_perms;
-allow mediaserver mfc_device:chr_file rw_file_perms;
-allow mediaserver log_device:chr_file { write open };
diff --git a/selinux/netd.te b/selinux/netd.te
deleted file mode 100644
index 0983293..0000000
--- a/selinux/netd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow netd init:tcp_socket { read write getopt setopt };
-allow netd kernel:system module_request;
-allow netd unlabeled:file { read getattr open };
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
deleted file mode 100755
index 11159a4..0000000
--- a/selinux/netmgrd.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Network utilities (radio process)
-type netmgrd, domain;
-type netmgrd_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(netmgrd)
-
-allow netmgrd self:udp_socket { create ioctl };
-# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
-allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
-allow netmgrd self:packet_socket { write bind read create };
-allow netmgrd self:netlink_socket { write read create bind setopt };
-allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
-allow netmgrd kernel:system module_request;
-
-# Talk to qmuxd
-qmux_socket(netmgrd)
-
-# Allow logging diagnostic items
-allow netmgrd diagnostic_device:chr_file rw_file_perms;
-
-# /data/data_test/ access with shell
-allow netmgrd shell_exec:file { execute read open execute_no_trans };
-allow netmgrd system_file:file { execute_no_trans };
-
-# Talk to init over the property socket
-unix_socket_connect(netmgrd, property, init)
-# Set net.rmnet_usb0. values
-allow netmgrd radio_prop:property_service set;
diff --git a/selinux/orientationd.te b/selinux/orientationd.te
new file mode 100644
index 0000000..21caaa4
--- /dev/null
+++ b/selinux/orientationd.te
@@ -0,0 +1,7 @@
+type orientationd, domain;
+type orientationd_exec, exec_type, file_type;
+init_daemon_domain(orientationd)
+domain_trans(init, rootfs, orientationd)
+
+allow orientationd input_device:chr_file { write read ioctl open };
+allow orientationd input_device:dir { search read open };
diff --git a/selinux/perfprofd.te b/selinux/perfprofd.te
deleted file mode 100644
index 82f4377..0000000
--- a/selinux/perfprofd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow perfprofd kernel:system module_request;
diff --git a/selinux/platform_app.te b/selinux/platform_app.te
deleted file mode 100644
index 815dfd0..0000000
--- a/selinux/platform_app.te
+++ /dev/null
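Review bot: `allow orientationd input_device:chr_file { write read ioctl open };` includes `write` on every /dev/input node, which is the permission event injection into any input device would need, while geomagneticd in its hunk gets by with `{ read ioctl open }` on the same type. If orientationd only has to configure its own sensor node, a comment naming that node, or a dedicated device label for it, would justify the extra permission; otherwise `write` should be dropped so the rule matches geomagneticd's.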
@@ -1,3 +0,0 @@
-allow platform_app log_device:chr_file write;
-allow platform_app kernel:system module_request;
-allow platform_app log_device:dir search;
diff --git a/selinux/qmux.te b/selinux/qmux.te
deleted file mode 100755
index e2a5bbf..0000000
--- a/selinux/qmux.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# Qualcomm Management Interface Multiplexer
-type qmux, domain;
-type qmux_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(qmux)
-
-# Create local qmux_connect_socket
-allow qmux qmuxd_socket:dir w_dir_perms;
-allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
-
-# /dev/hsicctl* node access
-allow qmux radio_device:chr_file rw_file_perms;
-
-# Allow logging diagnostic items
-allow qmux diagnostic_device:chr_file rw_file_perms;
-
-allow qmux self:capability { dac_override setuid };
-
-# XXX Should we label with own type
-allow qmux sysfs:file { open write append read getattr };
diff --git a/selinux/radio.te b/selinux/radio.te
deleted file mode 100644
index 026de1b..0000000
--- a/selinux/radio.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow radio kernel:system module_request;
-allow radio log_device:chr_file { write open };
-allow radio system_app_data_file:dir search;
-allow radio system_app_data_file:file getattr;
diff --git a/selinux/rild.te b/selinux/rild.te
old mode 100755
new mode 100644
index f022c36..0f2f6dc
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -1,31 +1,8 @@
-## RIL
-allow rild radio_device:chr_file rw_file_perms;
-allow rild { efs_file }:file rw_file_perms;
-allow rild self:netlink_socket { create bind read write };
-allow rild self:netlink_route_socket { write };
-allow rild rild:process { execmem };
-
-# Talk to qmuxd
-qmux_socket(rild)
-
-# Allow logging diagnostic items
-allow rild diagnostic_device:chr_file rw_file_perms;
-
-# XXX label with own type?
-allow rild sysfs:file { read open write getattr };
-
-allow rild ril_device:chr_file { read write ioctl open };
-allow rild radio_data_file:dir setattr;
-allow rild self:capability dac_override;
-allow rild unlabeled:dir search;
-allow rild unlabeled:file { read getattr open setattr };
-allow rild dumpstate_exec:file getattr;
-allow rild system_data_file:dir write;
-allow rild unlabeled:file write;
-allow rild log_device:chr_file { write open };
-allow rild proc_net:file { write };
-allow rild init:dir search;
-allow rild init:file { read getattr open };
-allow rild init:unix_stream_socket { listen write getopt read accept };
-allow rild system_data_file:dir { remove_name add_name setattr };
-allow rild devpts:chr_file ioctl;
+allow rild at_distributor:dir search;
+allow rild at_distributor:file { read getattr open };
+allow rild gpsd:dir search;
+allow rild gpsd:file { read getattr open };
+allow rild proc_net:file write;
+allow rild sysfs:file write;
+allow rild userdata_block_device:blk_file { read open };
+allow rild mediaserver:dir search;
diff --git a/selinux/sdcardd.te b/selinux/sdcardd.te
deleted file mode 100644
index 223cbfa..0000000
--- a/selinux/sdcardd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow sdcardd kernel:system module_request;
diff --git a/selinux/secril.te b/selinux/secril.te
deleted file mode 100644
index e025a04..0000000
--- a/selinux/secril.te
+++ /dev/null
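Review bot: `allow rild sysfs:file write;` and `allow rild proc_net:file write;` grant writes to whole generic types rather than to the nodes rild actually touches; the same commit already shows the scoped alternative with `sysfs_wake_lock` in the at_distributor and gpsd hunks, and bluetooth, cpboot-daemon and geomagneticd receive the same blanket `sysfs:file write`. Labelling the specific sysfs and /proc/sys/net entries rild writes and granting those keeps the policy auditable, and the old hunk's `# XXX label with own type?` comment said as much before being dropped. `allow rild at_distributor:file { read getattr open };` with the matching `dir search` and gpsd rules reads those daemons' /proc/<pid> entries — a comment on why rild inspects its peers (peer-credential lookup, presumably) would help, and `allow rild mediaserver:dir search;` with no file permission alongside looks like a half-copied denial.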
@@ -1,25 +0,0 @@
-# sec-ril
-type secril-daemon, domain;
-type secril-daemon_exec, exec_type, file_type;
-
-# Start /system/bin/sec-ril from init
-init_daemon_domain(secril-daemon)
-
-allow secril-daemon secril-daemon_exec:file { open execute_no_trans getattr };
-allow secril-daemon self:udp_socket { create ioctl };
-unix_socket_connect(secril-daemon, property, init)
-unix_socket_connect(secril-daemon, rild, rild)
-
-allow secril-daemon { efs_file }:file rw_file_perms;
-allow secril-daemon system_data_file:dir create_dir_perms;
-# allow secril-daemon system_data_file:file unlink;
-allow secril-daemon radio_data_file:file { create_file_perms };
-allow secril-daemon kernel:system module_request;
-allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
-allow secril-daemon system_file:file x_file_perms;
-allow secril-daemon sysfs:file rw_file_perms;
-allow secril-daemon shell_exec:file rx_file_perms;
-allow secril-daemon app_data_file:file rw_file_perms;
-allow secril-daemon app_data_file:dir search;
-allow secril-daemon zygote_exec:file rx_file_perms;
-allow secril-daemon ashmem_device:chr_file x_file_perms;
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
deleted file mode 100644
index 6ff9249..0000000
--- a/selinux/servicemanager.te
+++ /dev/null
@@ -1 +0,0 @@
-allow servicemanager log_device:chr_file { write open };
diff --git a/selinux/shared_relro.te b/selinux/shared_relro.te
deleted file mode 100644
index 1c319ce..0000000
--- a/selinux/shared_relro.te
+++ /dev/null
@@ -1 +0,0 @@
-allow shared_relro log_device:chr_file write;
diff --git a/selinux/shell.te b/selinux/shell.te
deleted file mode 100644
index af2c15c..0000000
--- a/selinux/shell.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow shell kernel:system { module_request };
-allow shell su:process signal;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
old mode 100755
new mode 100644
index 087beb7..d81d161
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
@@ -1,8 +1,6 @@
-allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
-allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
-allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
-allow sysinit sysinit:capability { dac_override chown fowner fsetid };
-allow sysinit unlabeled:dir { search };
-allow sysinit kernel:system module_request;
-allow sysinit log_device:chr_file { write open };
-allow sysinit unlabeled:file { write open };
+allow sysinit camera_data_file:dir { read getattr open };
+allow sysinit camera_data_file:file { read write getattr open setattr };
+allow sysinit self:capability { fowner chown fsetid };
+allow sysinit wifi_data_file:file { read write open };
+allow sysinit camera_data_file:dir search;
+allow sysinit efs_file:dir search;
diff --git a/selinux/system.te b/selinux/system.te
deleted file mode 100755
index 1160fd7..0000000
--- a/selinux/system.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Talk to qmuxd
-qmux_socket(system_server)
-
-allow system_server diagnostic_device:chr_file rw_file_perms;
-allow system_server sensors_device:chr_file { read open };
-allow system_server sensors_data_file:file r_file_perms;
-allow system_server wpa_socket:unix_dgram_socket sendto;
-allow system_app volume_data_file:file { read write open getattr };
-
-allow system_server sysfs:file { read open write };
-allow system_server self:capability { sys_module };
\ No newline at end of file
diff --git a/selinux/system_app.te b/selinux/system_app.te
deleted file mode 100644
index 2e162b8..0000000
--- a/selinux/system_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow system_app log_device:chr_file write;
-# allow system_app sysfs:file write;
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 0ba4b3f..659c32b 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
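Review bot: `allow sysinit wifi_data_file:file { read write open };` and `allow sysinit efs_file:dir search;` read like the pair for copying the Wi-Fi MAC out of /efs, but the file_contexts hunk drops the `/efs/wifi/.mac.info u:object_r:wifi_data_file:s0` entry, so that file presumably falls back to the /efs label and sysinit has no `efs_file:file` read permission to go with its directory search; either keep the label or add `allow sysinit efs_file:file { read getattr open };` if the script reads it, and a comment naming the script would make the intent checkable. `allow sysinit camera_data_file:dir { read getattr open };` and `allow sysinit camera_data_file:dir search;` can be one rule, `allow sysinit camera_data_file:dir { read getattr open search };`.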
@@ -1,6 +1,4 @@
+allow system_server gps_data_file:fifo_file { write read open setattr };
+allow system_server self:capability sys_module;
 allow system_server efs_file:dir search;
-allow system_server dex2oat_exec:file execute;
-allow system_server log_device:dir search;
-allow system_server system_file:file execmod;
-allow system_server log_device:chr_file { write open };
-allow system_server unlabeled:file write;
+allow system_server gps_data_file:dir search;
diff --git a/selinux/te_macros b/selinux/te_macros
deleted file mode 100755
index 274fd55..0000000
--- a/selinux/te_macros
+++ /dev/null
@@ -1,12 +0,0 @@
-#####################################
-# qmux_socket(clientdomain)
-# Allow client to send via a local
-# socket to the qmux domain.
-define(`qmux_socket', `
-type $1_qmuxd_socket, file_type;
-file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
-unix_socket_connect($1, qmuxd, qmux)
-allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
-')
-
-
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
deleted file mode 100644
index 489b31a..0000000
--- a/selinux/ueventd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Drivers read firmware files /firmware/image
-allow ueventd { radio_efs_file }:file r_file_perms;
-allow ueventd { radio_efs_file }:dir search;
-## More Firmwares
-allow ueventd { firmware_mfc }:file r_file_perms;
-allow ueventd { firmware_camera }:dir search;
\ No newline at end of file
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
deleted file mode 100644
index 70ab006..0000000
--- a/selinux/untrusted_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow untrusted_app unlabeled:file getattr;
-allow untrusted_app efs_file:dir getattr;
-allow untrusted_app kernel:system module_request;
-allow untrusted_app log_device:dir search;
-allow untrusted_app log_device:chr_file { write read open };
diff --git a/selinux/vold.te b/selinux/vold.te
deleted file mode 100644
index 29eff5b..0000000
--- a/selinux/vold.te
+++ /dev/null
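Review bot: `allow system_server self:capability sys_module;` carries CAP_SYS_MODULE, the ability to load kernel code, into the largest framework process; the deleted system.te had the same rule, so the commit relocates rather than adds it, but it deserves a comment naming the module it exists for or, better, confinement to a small helper domain that loads the module on system_server's behalf. If the need is only module autoload when system_server opens a device or protocol, `kernel:system module_request` — which the domain.te hunk now grants to every domain — already covers that path and sys_module can go. The `gps_data_file:fifo_file { write read open setattr }` rule would also be worth a one-line comment saying which pipe under the GPS data directory system_server talks to.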
@@ -1 +0,0 @@
-allow vold efs_file:dir { read ioctl open };
diff --git a/selinux/wpa.te b/selinux/wpa.te
deleted file mode 100644
index 27e1c1a..0000000
--- a/selinux/wpa.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow wpa log_device:chr_file { write open };
-allow wpa log_device:dir search;
-
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
deleted file mode 100755
index da2bed9..0000000
--- a/selinux/wpa_supplicant.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow wpa init:unix_dgram_socket { read write };
-
-# logwrapper used with wpa_supplicant
-allow wpa devpts:chr_file { read write };
-
-allow wpa wpa_socket:unix_dgram_socket { read write };
-allow wpa_socket system_app:unix_dgram_socket sendto;
-
-allow wpa_socket wifi_data_file:sock_file unlink;
-allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/selinux/zygote.te b/selinux/zygote.te
deleted file mode 100644
index 7d039e6..0000000
--- a/selinux/zygote.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow zygote kernel:system module_request;
-allow zygote log_device:chr_file { write open };
--
cgit v1.1