Diffstat (limited to 'selinux')
-rw-r--r--selinux/bluetooth.te7
-rw-r--r--selinux/cpboot-daemon.te25
-rw-r--r--selinux/device.te3
-rw-r--r--selinux/domain.te3
-rw-r--r--selinux/file.te10
-rw-r--r--selinux/file_contexts41
-rw-r--r--selinux/gpsd.te17
-rw-r--r--selinux/init.te12
-rw-r--r--selinux/log.te3
-rw-r--r--selinux/mediaserver.te11
-rw-r--r--selinux/netd.te3
-rw-r--r--selinux/nfc.te2
-rw-r--r--selinux/rild.te13
-rw-r--r--selinux/service_contexts3
-rw-r--r--selinux/servicemanager.te3
-rw-r--r--selinux/surfaceflinger.te1
-rw-r--r--selinux/sysinit.te7
-rw-r--r--selinux/system.te11
-rw-r--r--selinux/system_app.te2
-rw-r--r--selinux/system_server.te38
-rw-r--r--selinux/ueventd.te9
-rw-r--r--selinux/untrusted_app.te5
-rw-r--r--selinux/vold.te10
-rw-r--r--[-rwxr-xr-x]selinux/wpa_supplicant.te5
-rw-r--r--selinux/zygote.te1
25 files changed, 209 insertions, 36 deletions
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..dbfbe0e
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,7 @@
+allow bluetooth bluetooth_efs_file:dir search;
+allow bluetooth bluetooth_efs_file:file read;
+allow bluetooth firmware_exynos:dir { open read search };
+allow bluetooth firmware_exynos:file { open read };
+allow bluetooth sysfs:file write;
+allow bluetooth efs_device_file:dir search;
+allow bluetooth wifi_data_file:file r_file_perms;
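Review bot: `allow bluetooth sysfs:file write;` grants write to every node still carrying the generic sysfs label, while this same commit introduces narrower sysfs_display/sysfs_radio/sysfs_sensor types for exactly this purpose. Label the specific node bluetooth writes (the denial will name the path) with a dedicated sysfs_type in file.te/file_contexts and scope the rule to it. The `wifi_data_file:file r_file_perms` line presumably serves the `/efs/wifi/.mac.info` or `/data/.cid.info` entries in file_contexts; a one-line comment naming the file, as system_server.te does, would make that traceable.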
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
new file mode 100644
index 0000000..9974ff2
--- /dev/null
+++ b/selinux/cpboot-daemon.te
@@ -0,0 +1,25 @@
+type cpboot-daemon, domain;
+
+permissive cpboot-daemon;
+
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write remove_name add_name };
+allow cpboot-daemon efs_block_device:blk_file { read open };
+allow cpboot-daemon efs_device_file:dir search;
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon log_device:chr_file { write open };
+allow cpboot-daemon log_device:dir search;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid };
+allow cpboot-daemon sysfs_radio:file { read write open };
+allow cpboot-daemon usbfs:dir search;
+allow cpboot-daemon self:capability dac_override;
+allow cpboot-daemon cbd_device:chr_file create_file_perms;
+
+# FIX ME
+# allow cpboot-daemon usbfs:filesystem mount;
+# allow cpboot-daemon self:capability { mknod };
+
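Review bot: `permissive cpboot-daemon;` puts the whole new domain in permissive mode, so every rule below it — and the two commented-out `# FIX ME` rules — is effectively granted anyway, with denials only logged. If the remaining gaps really are `usbfs:filesystem mount` and `capability mknod`, add them explicitly and drop the permissive line before shipping; a permissive domain that also holds `dac_override` and `setuid` is the weakest point in the policy. The transition in init.te is `domain_trans(init, rootfs, cpboot-daemon)`, so the binary has no dedicated exec type and no file_contexts entry; declaring one (`type cpboot-daemon_exec, exec_type, file_type;` plus a file_contexts line) is the usual pattern and keeps the entrypoint unique.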
diff --git a/selinux/device.te b/selinux/device.te
index cca8ee1..854958d 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,3 +1,4 @@
-type mali_device, dev_type, mlstrustedobject;
type rfkill_device, dev_type;
type efs_block_device, dev_type;
+type hpd_device, dev_type;
+type mfc_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
index 26e8033..c8d8d53 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,2 +1 @@
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
+dontaudit domain kernel:system module_request;
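Review bot: `dontaudit domain kernel:system module_request;` silences module autoload requests for every domain, which also hides the signal you want when a process unexpectedly triggers a module load (system_server.te in this commit keeps `sys_module`, so module loading is clearly in play on this device). If the noise comes from one or two domains, scope it to them, e.g. `dontaudit { netd wpa } kernel:system module_request;` with the sources taken from the audit log rather than guessed. A short comment naming why the request is expected would help whoever later removes the dontaudit to find real denials.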
diff --git a/selinux/file.te b/selinux/file.te
index facc492..12b280a 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -1,5 +1,11 @@
type firmware_mfc, file_type;
-type firmware_camera, file_type;
+type firmware_exynos, file_type;
type sensors_data_file, file_type, data_file_type;
-type volume_data_file, file_type, data_file_type;
+type sysfs_display, fs_type, sysfs_type;
+
+type efs_device_file, file_type;
+type radio_data, file_type;
+type sysfs_radio, fs_type, sysfs_type;
+type sysfs_sensor, fs_type, sysfs_type;
+type cbd_device, dev_type;
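Review bot: `type cbd_device, dev_type;` is a device type but is declared here in file.te, whereas the same commit adds `hpd_device` and `mfc_device` to device.te; move it there so dev_type declarations stay in one place. `type radio_data, file_type;` lacks `data_file_type`, unlike the sibling `sensors_data_file` line above it, yet file_contexts in this commit labels `/data/misc/radio(/.*)?` with it — without that attribute the generic rules and restrictions applied to /data via data_file_type will not cover that tree, so `type radio_data, file_type, data_file_type;` if the label is kept. Also consider whether a new type is needed at all, since rild.te in this same commit still references `radio_data_file` for what looks like the same directory.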
diff --git a/selinux/file_contexts b/selinux/file_contexts
index a5ce2c5..fc824b3 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -1,42 +1,63 @@
# GFX
-/dev/mali u:object_r:mali_device:s0
-/dev/ump u:object_r:mali_device:s0
-/dev/fimg2d u:object_r:mali_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/fimg2d u:object_r:gpu_device:s0
# RIL
+/dev/link_pm u:object_r:radio_device:s0
/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_csd u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_loopback0 u:object_r:radio_device:s0
/dev/umts_ramdump0 u:object_r:radio_device:s0
/dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/umts_router u:object_r:radio_device:s0
+/dev/__cbd_msg_ u:object_r:cbd_device:s0
-/dev/block/mmcblk0p10 u:object_r:efs_block_device:s0
+/efs u:object_r:efs_device_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data:s0
+/sys/devices/platform/s5p-ohci/ohci_power u:object_r:sysfs_radio:s0
+/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
+
+# Partitions
+/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p13 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p16 u:object_r:userdata_block_device:s0
# Camera
/data/ISP_CV u:object_r:camera_data_file:s0
/dev/exynos-mem u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
# Bluetooth
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
-/efs/bluetooth/(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+
+# Display
+/sys/class/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie(/.*)? u:object_r:sysfs_display:s0
# GPS
/dev/ttySAC1 u:object_r:gps_device:s0
+/system/bin/gps_daemon.sh u:object_r:gpsd_exec:s0
# Sensors
/dev/akm8963 u:object_r:sensors_device:s0
/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+/sys/class/sensors/accelerometer_sensor u:object_r:sysfs_sensor:s0
# Wifi
/dev/rfkill u:object_r:rfkill_device:s0
+/data/.cid.info u:object_r:wifi_data_file:s0
/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
# Firmwares
-/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
+/system/vendor/firmware(/.*)? u:object_r:firmware_exynos:s0
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
-/data/cfw(/.*)? u:object_r:firmware_camera:s0
+/data/cfw(/.*)? u:object_r:firmware_exynos:s0
# Vibrator
/dev/tspdrv u:object_r:input_device:s0
+
+# Misc
+/dev/HPD u:object_r:hpd_device:s0
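Review bot: `/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0` is a catch-all that labels the raw disk `/dev/block/mmcblk0` and every partition not covered by a later, more specific entry — whatever lives in the numbers not listed (confirm against the device's partition table) — as boot_block_device, so any domain granted write to the boot partition can write all of them. List the boot partition by number like the four entries that follow it (`/dev/block/mmcblk0pN u:object_r:boot_block_device:s0` with the correct N) and leave unlisted partitions on the default block_device label. Separately, `/data/misc/radio(/.*)? u:object_r:radio_data:s0` relabels a path that AOSP core file_contexts of this era labels radio_data_file; rild.te in this commit still uses radio_data_file, so one of the two labels should go.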
diff --git a/selinux/gpsd.te b/selinux/gpsd.te
new file mode 100644
index 0000000..6c54563
--- /dev/null
+++ b/selinux/gpsd.te
@@ -0,0 +1,17 @@
+#for text relocs & execution
+allow gpsd system_file:file { execute_no_trans execmod };
+allow gpsd gps_device:chr_file { getattr setattr };
+allow gpsd gps_data_file:dir { search write add_name remove_name };
+allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+allow gpsd node:udp_socket { node_bind name_bind };
+allow gpsd port:tcp_socket name_connect;
+allow gpsd self:tcp_socket { getopt write read };
+
+allow gpsd sysfs:file { setattr write };
+allow gpsd gps_device:chr_file { ioctl open read write };
+allow gpsd gpsd:udp_socket { create bind };
+allow gpsd gpsd:tcp_socket { create connect };
+allow gpsd fwmarkd_socket:sock_file write;
+allow gpsd dnsproxyd_socket:sock_file write;
+allow gpsd netd:unix_stream_socket connectto;
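Review bot: `allow gpsd node:udp_socket { node_bind name_bind };` pairs `name_bind` with a node target, but name_bind is checked against the port type, so that half of the rule never matches; the working form is `allow gpsd node:udp_socket node_bind;` plus `allow gpsd port:udp_socket name_bind;` only if binding a specific port is actually needed. `allow gpsd port:tcp_socket name_connect;` allows outbound connects to any port carrying the generic port label; if gpsd only needs a known set of ports, a dedicated port type declared with `portcon` keeps it to those. The `self` and `gpsd` tcp_socket lines are the same subject and read better merged as `allow gpsd self:tcp_socket { create connect getopt read write };`. `execmod` on `system_file` (the comment says text relocs) is a known weakening of W^X; naming the library that needs it would let the rule be removed once that library is fixed.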
diff --git a/selinux/init.te b/selinux/init.te
index 3f11893..c7393a9 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1 +1,13 @@
allow init wpa_socket:unix_dgram_socket { bind create };
+allow init init:process { execmem };
+allow init init:tcp_socket { create };
+
+allow init sysfs_display:lnk_file { read setattr };
+
+allow init tmpfs:lnk_file create;
+allow init sysfs_sensor:lnk_file { setattr read };
+
+allow init rild:process noatsecure;
+
+domain_trans(init, rootfs, gpsd)
+domain_trans(init, rootfs, cpboot-daemon)
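Review bot: `allow init init:process { execmem };` and `allow init init:tcp_socket { create };` (together with `allow netd init:tcp_socket { read write getopt };` in netd.te) indicate something is running in init's own domain that needs executable anonymous memory and network sockets, which is almost always an init.rc service or `exec` without a domain transition rather than init itself; giving that program its own domain removes both grants from init. `allow init rild:process noatsecure;` clears AT_SECURE for rild, so the dynamic loader honours loader environment variables inherited from init; if rild needs a non-default library path, set it in the service definition and drop the rule. `domain_trans(init, rootfs, gpsd)` allows entry into gpsd from any rootfs-labelled executable, while file_contexts in this commit labels the wrapper `/system/bin/gps_daemon.sh` as gpsd_exec; gpsd is not declared in this device policy, so it presumably comes from core policy with its own gpsd_exec transition — confirm which entrypoint is intended, and if it is the script, the rootfs transition can go.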
diff --git a/selinux/log.te b/selinux/log.te
new file mode 100644
index 0000000..c3dfc80
--- /dev/null
+++ b/selinux/log.te
@@ -0,0 +1,3 @@
+allow domain log_device:chr_file { open write };
+allow domain log_device:dir { search };
+allow { shell debuggerd } log_device:chr_file { read };
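Review bot: `allow domain log_device:chr_file { open write };` and `allow domain log_device:dir { search };` make every per-domain log_device write added elsewhere in this commit redundant — nfc.te, vold.te (both the `:dir search` and `:chr_file { write open }` lines), wpa_supplicant.te, zygote.te and the write half of untrusted_app.te are all subsumed by these two lines. Keep either the domain-wide rule or the per-domain ones, not both, so that a later tightening is a one-place change. If the core policy for this release already grants domain write access to log_device (some AOSP versions did — confirm), this file reduces to the `{ shell debuggerd } ... read` line.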
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 7cc911c..cbcdcb8 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,8 +1,11 @@
-allow mediaserver { firmware_camera }:file r_file_perms;
-allow mediaserver firmware_camera:dir r_dir_perms;
+allow mediaserver { firmware_exynos }:file r_file_perms;
+allow mediaserver firmware_exynos:dir r_dir_perms;
allow mediaserver camera_data_file:file rw_file_perms;
-allow mediaserver volume_data_file:file create_file_perms;
-allow mediaserver volume_data_file:dir create_dir_perms;
+allow mediaserver mfc_device:chr_file rw_file_perms;
# Bluetooth audio
allow mediaserver bluetooth:unix_stream_socket { connectto };
+
+allow mediaserver { storage_file mnt_user_file }:dir { search read };
+allow mediaserver storage_file:lnk_file read;
+allow mediaserver mnt_user_file:lnk_file read;
diff --git a/selinux/netd.te b/selinux/netd.te
new file mode 100644
index 0000000..bce2700
--- /dev/null
+++ b/selinux/netd.te
@@ -0,0 +1,3 @@
+allow netd init:tcp_socket { read write getopt };
+allow netd gpsd:fd use;
+allow netd gpsd:tcp_socket { read write getopt setopt };
diff --git a/selinux/nfc.te b/selinux/nfc.te
new file mode 100644
index 0000000..b5afda7
--- /dev/null
+++ b/selinux/nfc.te
@@ -0,0 +1,2 @@
+allow nfc firmware_exynos:dir search;
+allow nfc log_device:chr_file write;
diff --git a/selinux/rild.te b/selinux/rild.te
index 7f817d0..5da4924 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -1,7 +1,20 @@
allow rild self:netlink_socket { create bind read write };
allow rild self:netlink_route_socket { write };
allow rild self:netlink_kobject_uevent_socket { create bind read write setopt };
+allow rild rild:process { execmem };
+
+allow rild radio_data_file:dir setattr;
+allow rild unlabeled:dir search;
+
+allow radio log_device:chr_file w_file_perms;
+allow rild log_device:chr_file w_file_perms;
+allow rild system_file:file execmod;
+allow rild radio_data:file create_file_perms;
+allow rild radio_data:dir create_dir_perms;
allow rild radio_device:chr_file rw_file_perms;
allow rild efs_block_device:blk_file rw_file_perms;
allow rild efs_file:file { read open write setattr };
+
+allow rild efs_device_file:dir create_dir_perms;
+allow rild efs_device_file:file { setattr create create_file_perms };
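Review bot: `allow rild unlabeled:dir search;` papers over a missing file_contexts entry (or a directory on an upgraded /data or /efs that was never relabelled); find the path in the denial, label it, and drop the unlabeled grant so file_contexts coverage is actually verified. `allow radio log_device:chr_file w_file_perms;` is a rule for the radio domain sitting in rild.te and is redundant with the domain-wide write in log.te. The new `radio_data` rules next to the retained `allow rild radio_data_file:dir setattr;` (and `radio_data:dir r_dir_perms` in system_server.te) are two labels for what looks like the same `/data/misc/radio` tree — pick one. `allow rild system_file:file execmod;` with `execmem` is the same text-relocation pattern as gpsd.te; a comment naming the offending library would make it removable later.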
diff --git a/selinux/service_contexts b/selinux/service_contexts
new file mode 100644
index 0000000..fb14cf2
--- /dev/null
+++ b/selinux/service_contexts
@@ -0,0 +1,3 @@
+SecTVOutService u:object_r:surfaceflinger_service:s0
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+Exynos.IPService u:object_r:surfaceflinger_service:s0
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..40a665d
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager gpsd:dir { search read write };
+allow servicemanager gpsd:file { open read write };
+allow servicemanager gpsd:process getattr;
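Review bot: `allow servicemanager gpsd:dir { search read write };` and `allow servicemanager gpsd:file { open read write };` grant write on gpsd's /proc/<pid> entries, which is not needed for what servicemanager does with a caller (reading its context from /proc/<pid>/attr needs `dir search` and `file { open read }` only). Drop `write` from both lines — it reads like an audit2allow over-approximation. Core policy usually expresses this against `domain` rather than one service so that the next vendor daemon does not need a new line here; check the core servicemanager.te in use before keeping a gpsd-specific rule.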
diff --git a/selinux/surfaceflinger.te b/selinux/surfaceflinger.te
new file mode 100644
index 0000000..00fa1e9
--- /dev/null
+++ b/selinux/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger hpd_device:chr_file rw_file_perms;
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..0436ffe
--- /dev/null
+++ b/selinux/sysinit.te
@@ -0,0 +1,7 @@
+allow sysinit firmware_exynos:dir { read search open getattr };
+allow sysinit userinit_exec:file { getattr execute execute_no_trans read open };
+allow sysinit firmware_exynos:dir { read search open getattr write remove_name add_name };
+allow sysinit firmware_exynos:file { read open write getattr setattr create unlink };
+allow sysinit sysinit:capability { dac_override chown fowner fsetid };
+allow sysinit unlabeled:dir { search };
+allow sysinit surfaceflinger_exec:file { getattr };
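Review bot: The first line, `allow sysinit firmware_exynos:dir { read search open getattr };`, is a strict subset of the third, `allow sysinit firmware_exynos:dir { read search open getattr write remove_name add_name };`, and can be deleted. The write/create/unlink grant on `firmware_exynos:file` is presumably for staging into `/data/cfw`, but file_contexts gives `/system/vendor/firmware(/.*)?` the same label, so policy-wise sysinit may also modify the firmware shipped on /system and only the read-only mount prevents it. A separate type for the /data copy (for example a `firmware_exynos_data_file` labelled on `/data/cfw(/.*)?`) keeps write access off the /system path. The capability set `{ dac_override chown fowner fsetid }` is what a root script doing chown/chmod hits; a comment naming the script would make this reviewable later.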
diff --git a/selinux/system.te b/selinux/system.te
deleted file mode 100644
index df7b6fc..0000000
--- a/selinux/system.te
+++ /dev/null
@@ -1,11 +0,0 @@
-allow system input_device:chr_file { read ioctl write open };
-allow system sensors_device:chr_file { read open };
-allow system sensors_data_file:file r_file_perms;
-allow system wpa_socket:unix_dgram_socket sendto;
-allow system_app volume_data_file:file { read write open getattr };
-
-allow system sysfs:file { read open write };
-allow system self:capability { sys_module };
-
-# /efs/wifi/.mac.info
-allow system wifi_data_file:file { read open };
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..8542dc2
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1,2 @@
+allow system_app sysfs_display:{ file lnk_file } { getattr open read write };
+allow system_app sysfs_display:dir { search };
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..789d734
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,38 @@
+allow system_server input_device:chr_file { read ioctl write open };
+allow system_server sensors_device:chr_file { read open };
+allow system_server sensors_data_file:file r_file_perms;
+allow system_server wpa_socket:unix_dgram_socket sendto;
+
+allow system_server sysfs:file { read open write };
+allow system_server sysfs_display:lnk_file rw_file_perms;
+allow system_server sysfs_display:dir rw_dir_perms;
+allow system_server sysfs_display:file rw_file_perms;
+allow system_server self:capability { sys_module };
+
+allow system_server efs_file:dir search;
+allow system_server efs_file:file read;
+allow system_server efs_device_file:dir search;
+allow system_server uhid_device:chr_file { read ioctl write open };
+allow system_server storage_stub_file:dir getattr;
+
+
+# for sensors
+allow system_server system_file:file execmod;
+
+# /efs/wifi/.mac.info
+allow system_server wifi_data_file:file { read open };
+
+allow system_server radio_data:dir r_dir_perms;
+
+allow system_server gpsd:binder transfer;
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
+
+# Access .gps.interface.pipe.to_gpsd.
+allow system_server gps_data_file:dir rw_dir_perms;
+allow system_server gps_data_file:fifo_file { setattr rw_file_perms create };
+
+# Access /data/sensors/gps* socket
+allow system_server gps_data_file:sock_file create_file_perms;
+allow system_server gps_data_file:dir rw_dir_perms;
+allow system_server gps_data_file:file rw_file_perms;
+
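Review bot: `allow system_server self:capability { sys_module };` lets the largest system domain load kernel modules, so any compromise of system_server becomes kernel code execution; later AOSP policy neverallows sys_module outside init — check whether this base already does, and either way move the insmod into an init.rc service with its own small domain. `allow system_server gps_data_file:dir rw_dir_perms;` appears twice (under the pipe comment and again under the socket comment) — keep one. `allow system_server sysfs:file { read open write };` is the generic-sysfs write again; the sysfs_display/sysfs_sensor types added in this commit show the intended pattern, and the remaining generic write should be given its own label.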
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index 1ed58dc..315ccb3 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -1,6 +1,5 @@
-# MFC firmware
+# Firmwares
allow ueventd { firmware_mfc }:file r_file_perms;
-
-# Camera related firmwares
-allow ueventd { firmware_camera }:dir search;
-allow ueventd { firmware_camera }:file r_file_perms;
+allow ueventd { firmware_exynos }:dir search;
+allow ueventd { firmware_exynos }:file { read getattr open };
+allow ueventd sysfs_display:file { write open };
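Review bot: `allow ueventd sysfs_display:file { write open };` is unusual — ueventd's work on sysfs is the chown/chmod from ueventd.rc, which needs `setattr`, not `write`, so a write grant suggests either a misattributed denial or a write that belongs in init.te next to the sysfs_display rules there. Confirm from the denial which path was opened for writing before keeping it. Style: `{ firmware_mfc }` and `{ firmware_exynos }` are single-element brace sets and can be written bare.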
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
new file mode 100644
index 0000000..f9c5bde
--- /dev/null
+++ b/selinux/untrusted_app.te
@@ -0,0 +1,5 @@
+allow untrusted_app storage_stub_file:dir getattr;
+allow untrusted_app log_device:chr_file { read write };
+allow untrusted_app self:udp_socket ioctl;
+allow untrusted_app app_data_file:file create_file_perms;
+allow untrusted_app app_data_file:dir create_dir_perms;
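Review bot: `allow untrusted_app log_device:chr_file { read write };` gives every third-party app direct read access to the log devices, bypassing the READ_LOGS permission that the logging service enforces, so any installed app can read the full system log, which commonly contains other apps' data. Drop `read`; the `write` half is already covered by the domain-wide rule in log.te, so the whole line can go. `allow untrusted_app app_data_file:file create_file_perms;` and its `:dir` sibling duplicate what core policy grants apps on their own data directory — confirm and remove if so.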
diff --git a/selinux/vold.te b/selinux/vold.te
index 9452abf..ba429d6 100644
--- a/selinux/vold.te
+++ b/selinux/vold.te
@@ -1,2 +1,12 @@
allow vold kernel:process setsched;
allow vold sdcardd_exec:file { read open execute execute_no_trans };
+
+allow vold log_device:dir search;
+allow vold storage_stub_file:dir { read open search write add_name };
+allow vold mnt_media_rw_stub_file:dir { read open };
+allow vold blkid_exec:file { getattr execute read open execute_no_trans };
+
+allow vold log_device:chr_file { write open };
+
+allow vold efs_device_file:dir rw_file_perms;
+allow vold efs_device_file:file rw_file_perms;
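Review bot: `allow vold efs_device_file:dir rw_file_perms;` applies the file-permission macro to a dir class; it compiles (dir shares the common file permissions) but does not include `search`, `add_name` or `remove_name`, so whatever vold is doing under /efs will still be denied. The intended line is `allow vold efs_device_file:dir rw_dir_perms;` (or `create_dir_perms` if it creates entries). The `log_device` dir and chr_file lines are redundant with the domain-wide grant in log.te.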
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
index bbe679b..9b806e0 100755..100644
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -2,8 +2,11 @@ allow wpa init:unix_dgram_socket { read write };
# logwrapper used with wpa_supplicant
allow wpa devpts:chr_file { read write };
+allow wpa log_device:chr_file { write };
allow wpa wpa_socket:unix_dgram_socket { read write };
-allow wpa_socket system:unix_dgram_socket sendto;
+allow wpa_socket system_app:unix_dgram_socket sendto;
allow wpa_socket wifi_data_file:sock_file unlink;
+
+allow wpa rfkill_device:chr_file rw_file_perms;
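Review bot: `allow wpa_socket system_app:unix_dgram_socket sendto;` looks like the wrong target — the rest of this commit renames the old `system` domain to `system_server` (system.te is deleted and its rules reappear in system_server.te, including `wpa_socket:unix_dgram_socket sendto`), so `system_app` here is inconsistent with that rename. More fundamentally, `wpa_socket` as the subject (also in the unchanged `allow wpa_socket wifi_data_file:sock_file unlink;`) is, in core policy, a file type for /data/misc/wifi/sockets rather than a domain, so a rule with it as source never matches; the sendto check is (sending domain, receiving socket's domain), which for the supplicant replying to the framework would be along the lines of `allow wpa system_server:unix_dgram_socket sendto;` — confirm the direction from the denial. The hunk starts at line 2 of the file, so the first rule is outside this view.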
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..4de92c2
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1 @@
+allow zygote log_device:dir search;