authorDimitris Mantzouranis <d3xter93@gmail.com>2015-09-26 15:48:28 +0200
committertilaksidduram <tilaksidduram@gmail.com>2015-11-19 23:34:36 +0530
commitc6f728db28a6d9bce47af01d5211041fa6e686ec (patch)
tree4fcec83003e0e7a2280822e99d77787321e70ce0
parent0892f48f2f454ec19517c5b57b5836974b4483c3 (diff)
n7100: implement SE policy
selinux: let's add some more sepolicy: we need more! sepolicy: are we there yet? sepolicy: one more time sepolicy: one more..
-rw-r--r--BoardConfig.mk28
-rw-r--r--sepolicy/bluetooth.te4
-rw-r--r--sepolicy/bootanim.te1
-rw-r--r--sepolicy/device.te21
-rw-r--r--sepolicy/file.te13
-rw-r--r--sepolicy/file_contexts60
-rw-r--r--sepolicy/gpsd.te9
-rw-r--r--sepolicy/hostapd.te1
-rw-r--r--sepolicy/mediaserver.te3
-rw-r--r--sepolicy/netd.te1
-rw-r--r--sepolicy/nfc.te1
-rw-r--r--sepolicy/platform_app.te1
-rw-r--r--sepolicy/radio.te2
-rw-r--r--sepolicy/rild.te3
-rw-r--r--sepolicy/service_contexts2
-rw-r--r--sepolicy/servicemanager.te4
-rw-r--r--sepolicy/surfaceflinger.te1
-rw-r--r--sepolicy/system_app.te3
-rw-r--r--sepolicy/system_server.te7
-rw-r--r--sepolicy/ueventd.te3
-rw-r--r--sepolicy/untrusted_app.te2
-rw-r--r--sepolicy/vold.te2
-rw-r--r--sepolicy/wpa.te1
23 files changed, 173 insertions, 0 deletions
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 2f87c38..0f517dc 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -47,3 +47,31 @@ RECOVERY_FSTAB_VERSION := 2
# Compatibility with pre-kitkat Sensor HALs
SENSORS_NEED_SETRATE_ON_ENABLE := true
+
+#Selinux
+BOARD_SEPOLICY_DIRS +=\
+ device/samsung/n7100/sepolicy
+
+BOARD_SEPOLICY_UNION +=\
+ bluetooth.te \
+ bootanim.te \
+ device.te \
+ file_contexts \
+ file.te \
+ gpsd.te \
+ hostapd.te \
+ mediaserver.te \
+ netd.te \
+ nfc.te \
+ platform_app.te \
+ radio.te \
+ rild.te \
+ service_contexts \
+ servicemanager.te \
+ surfaceflinger.te \
+ system_app.te \
+ system_server.te \
+ ueventd.te \
+ untrusted_app.te \
+ vold.te \
+ wpa.te
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..7106722
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,4 @@
+allow bluetooth firmware_exynos:dir { read open search };
+allow bluetooth firmware_exynos:file { read open };
+allow bluetooth bluetooth_efs_file:dir search;
+allow bluetooth bluetooth_efs_file:file read;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..8a18e92
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+allow bootanim ump_device:chr_file { open read write ioctl };
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..ef8edbe
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,21 @@
+# Secure memory
+type secmem_device, dev_type;
+
+# Unified Memory Management
+type ump_device, dev_type;
+
+# Efs block device
+type efs_block_device, dev_type;
+
+# Rfkill device
+type rfkill_device, dev_type;
+
+# MFC device
+type mfc_device, dev_type;
+
+# Fm radio device
+type fm_radio_device, dev_type;
+
+# Gadget serial device
+type gadget_serial_device, dev_type;
+
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..6ada8e6
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,13 @@
+# MFC firmware
+type firmware_mfc, file_type;
+
+# Common Exynos firmware
+type firmware_exynos, file_type;
+
+# Sensors data
+type sensors_data_file, file_type, data_file_type;
+
+# Display sysfs
+type sysfs_display, fs_type, sysfs_type;
+
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..5b0abcb
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,60 @@
+# Graphics
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:ump_device:s0
+/dev/fimg2d u:object_r:video_device:s0
+/dev/s5p-smem u:object_r:secmem_device:s0
+
+# RIL
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_csd u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_loopback0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+
+# Efs
+/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0
+/factory(/.*)? u:object_r:efs_file:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
+/dev/video[0-3]* u:object_r:camera_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/factory/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+
+# Display
+/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
+/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/dev/akm8963 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+
+# Wifi
+/dev/rfkill u:object_r:rfkill_device:s0
+/factory/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_exynos:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/data/cfw(/.*)? u:object_r:firmware_exynos:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+/sys/vibrator/pwm_val u:object_r:sysfs:s0
+
+# Misc
+/dev/HPD u:object_r:video_device:s0
+/dev/fmradio u:object_r:fm_radio_device:s0
+/dev/ttyGS[0-9]* u:object_r:gadget_serial_device:s0
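Review bot: `/data/cfw(/.*)?` at the end of the Firmwares group carries the same firmware_exynos type that ueventd is allowed to search, read and open in this commit, so firmware can be handed to the kernel from a writable data partition as well as from /system/vendor/firmware. No domain in this commit is granted write access to firmware_exynos, but whatever populates /data/cfw (not visible here) thereby joins the firmware trust boundary, and a comment naming that producer and why the files must live under /data would make the decision reviewable. If /data/cfw is only a staging area, a separate type (e.g. `type firmware_data, file_type, data_file_type;` with its own ueventd read rule) keeps any future write grant for the producer from also covering the vendor firmware directory.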
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..309ab1a
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,9 @@
+allow gpsd rild:unix_stream_socket connectto;
+allow gpsd system_data_file:dir { add_name write };
+allow gpsd system_data_file:file { create write lock open };
+allow gpsd system_data_file:fifo_file { create read write open setattr };
+allow gpsd sysfs_wake_lock:file { read write open };
+allow gpsd servicemanager:binder call;
+allow gpsd system_server:binder call;
+allow gpsd system_server:unix_stream_socket { read write };
+
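Review bot: Lines 2–4 of the hunk give gpsd create/write access to system_data_file, which is the catch-all label for everything under /data without a more specific type, so gpsd may create or modify files in any such directory rather than only its own. The usual fix is to label the directory gpsd actually writes (its path is not shown in this commit) with a dedicated type, e.g. `type gps_data_file, file_type, data_file_type;` in file.te plus a matching file_contexts entry, and replace these rules with `allow gpsd gps_data_file:dir rw_dir_perms; allow gpsd gps_data_file:file create_file_perms;`. A one-line comment above the fifo_file rule saying what the pipe is used for would also help, since create+setattr on a fifo under the generic /data label is unusual.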
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
new file mode 100644
index 0000000..7e0b91b
--- /dev/null
+++ b/sepolicy/hostapd.te
@@ -0,0 +1 @@
+allow hostapd rfkill_device:chr_file { read open };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..8d43cdb
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,3 @@
+allow mediaserver camera_data_file:file write;
+allow mediaserver mfc_device:chr_file { read write ioctl open };
+allow mediaserver ump_device:chr_file { read write ioctl open };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..ee1496b
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1 @@
+allow netd self:capability fsetid;
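Review bot: `allow netd self:capability fsetid;` most likely chases a spurious denial: the kernel asks for CAP_FSETID when a chown/chmod would otherwise clear a set-id bit, and the operation still succeeds without it, the bit simply gets cleared. Unless netd genuinely needs to preserve setuid/setgid bits on files it owns, the conventional handling is `dontaudit netd self:capability fsetid;`, which silences the log without widening netd's capability set. A comment naming the denial that prompted this rule would let a later reviewer confirm which of the two was intended.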
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..6a6e324
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1 @@
+allow nfc firmware_exynos:dir search;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..fd825e9
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1 @@
+allow platform_app ump_device:chr_file { read write ioctl open };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..c19e0cf
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1,2 @@
+allow radio ump_device:chr_file { read write ioctl open };
+
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..061742a
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,3 @@
+allow rild self:process execmem;
+allow rild system_data_file:dir { write remove_name add_name setattr };
+allow rild system_data_file:file { write create unlink setattr };
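Review bot: The second and third rules give rild create/unlink/setattr rights over system_data_file, the generic label for unlabelled /data content, so rild can add and remove files in any such directory rather than only its own state. The base policy should already provide a radio_data_file type for rild's data; if the path behind these denials can be identified, labelling it with that type (or a new device-specific one) in file_contexts keeps the grant scoped, e.g. `allow rild radio_data_file:dir rw_dir_perms; allow rild radio_data_file:file create_file_perms;`. The `self:process execmem` rule on line 1 weakens W^X for rild (anonymous executable mappings), which is usually forced by a proprietary blob with text relocations; a comment such as `# execmem: required by the vendor RIL library (text relocations) — confirm` records why it is there so it can be dropped once that blob is fixed.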
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..c01caa2
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+Exynos.IPService u:object_r:surfaceflinger_service:s0
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..3b3bda8
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,4 @@
+allow servicemanager gpsd:dir search;
+allow servicemanager gpsd:file { read open };
+allow servicemanager gpsd:process getattr;
+
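Review bot: These three rules, together with `allow gpsd servicemanager:binder call;` in gpsd.te, are what the base policy's `binder_use()` macro expands to, so this whole file can be replaced by a single `binder_use(gpsd)` line in gpsd.te. Likewise the gpsd → system_server `binder call` and system_server → gpsd `binder transfer` pair in this commit is covered by `binder_call(gpsd, system_server)`. Using the macros keeps the device policy in step with any base-policy changes to what a binder client needs and makes the intent (gpsd is a binder client) readable at a glance.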
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..a9a8d6a
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger ump_device:chr_file { open read write ioctl };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..2cb531f
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,3 @@
+allow system_app sysfs_display:file { write getattr open };
+allow system_app ump_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..f18517d
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,7 @@
+allow system_server efs_file:file { read open };
+allow system_server efs_file:dir search;
+allow system_server sensors_data_file:file { read open };
+allow system_server uhid_device:chr_file { read write ioctl open };
+allow system_server ump_device:chr_file { read write ioctl open };
+allow system_server gpsd:binder transfer;
+
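Review bot: `allow system_server efs_file:file { read open };` with the dir search on the next line lets system_server read the entire efs partition (labelled `/factory(/.*)?` in file_contexts), which on these devices typically holds per-unit identifiers and calibration, when it presumably needs one or two files. The commit already shows the better pattern for `/efs/gyro_cal_data` (its own sensors_data_file type, read by system_server on line 3); the file(s) behind this denial should get the same treatment, e.g. `/factory/<path> u:object_r:<specific>_file:s0`, so efs_file itself stays out of reach of system_server. The `uhid_device` grant on line 4 also deserves a comment: uhid lets its holder create arbitrary virtual input devices, and in the base policy it is presumably only the bluetooth domain that needs it for HID — confirm which system_server component is driving that denial before keeping it.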
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..af59995
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,3 @@
+allow ueventd firmware_mfc:file { read getattr open };
+allow ueventd firmware_exynos:dir search;
+allow ueventd firmware_exynos:file { read getattr open };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..adaf51a
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,2 @@
+allow untrusted_app ump_device:chr_file { open read write ioctl };
+
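Review bot: Granting every third-party app `open read write ioctl` on ump_device exposes the whole UMP driver ioctl surface to untrusted code, which deserves at least a comment saying why apps need it directly (presumably the in-process Mali gralloc/EGL path). If that is the reason, /dev/ump is part of the same GPU stack as /dev/mali, which this commit already labels gpu_device; labelling it `/dev/ump u:object_r:gpu_device:s0` would reuse the base policy's existing gpu_device rules for appdomain, surfaceflinger, bootanim, mediaserver and system_server and remove the eight per-domain ump_device rules spread across this commit. That keeps the exposure identical to what /dev/mali already has instead of introducing a second type that needs hand-maintained rules in every consumer.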
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..8068d38
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,2 @@
+allow vold efs_file:dir { read getattr open ioctl };
+
diff --git a/sepolicy/wpa.te b/sepolicy/wpa.te
new file mode 100644
index 0000000..4f5ef08
--- /dev/null
+++ b/sepolicy/wpa.te
@@ -0,0 +1 @@
+allow wpa rfkill_device:chr_file { read open };