Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/bluetooth.te | 4 | ||||
-rw-r--r-- | sepolicy/bootanim.te | 1 | ||||
-rw-r--r-- | sepolicy/device.te | 21 | ||||
-rw-r--r-- | sepolicy/file.te | 13 | ||||
-rw-r--r-- | sepolicy/file_contexts | 60 | ||||
-rw-r--r-- | sepolicy/gpsd.te | 9 | ||||
-rw-r--r-- | sepolicy/hostapd.te | 1 | ||||
-rw-r--r-- | sepolicy/mediaserver.te | 3 | ||||
-rw-r--r-- | sepolicy/netd.te | 1 | ||||
-rw-r--r-- | sepolicy/nfc.te | 1 | ||||
-rw-r--r-- | sepolicy/platform_app.te | 1 | ||||
-rw-r--r-- | sepolicy/radio.te | 2 | ||||
-rw-r--r-- | sepolicy/rild.te | 3 | ||||
-rw-r--r-- | sepolicy/service_contexts | 2 | ||||
-rw-r--r-- | sepolicy/servicemanager.te | 4 | ||||
-rw-r--r-- | sepolicy/surfaceflinger.te | 1 | ||||
-rw-r--r-- | sepolicy/system_app.te | 3 | ||||
-rw-r--r-- | sepolicy/system_server.te | 7 | ||||
-rw-r--r-- | sepolicy/ueventd.te | 3 | ||||
-rw-r--r-- | sepolicy/untrusted_app.te | 2 | ||||
-rw-r--r-- | sepolicy/vold.te | 2 | ||||
-rw-r--r-- | sepolicy/wpa.te | 1 |
22 files changed, 145 insertions, 0 deletions
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..7106722
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,4 @@
+allow bluetooth firmware_exynos:dir { read open search };
+allow bluetooth firmware_exynos:file { read open };
+allow bluetooth bluetooth_efs_file:dir search;
+allow bluetooth bluetooth_efs_file:file read;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..8a18e92
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+allow bootanim ump_device:chr_file { open read write ioctl };
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..ef8edbe
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,21 @@
+# Secure memory
+type secmem_device, dev_type;
+
+# Unified Memory Management
+type ump_device, dev_type;
+
+# Efs block device
+type efs_block_device, dev_type;
+
+# Rfkill device
+type rfkill_device, dev_type;
+
+# MFC device
+type mfc_device, dev_type;
+
+# Fm radio device
+type fm_radio_device, dev_type;
+
+# Gadget serial device
+type gadget_serial_device, dev_type;
+
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..6ada8e6
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,13 @@
+# MFC firmware
+type firmware_mfc, file_type;
+
+# Common Exynos firmware
+type firmware_exynos, file_type;
+
+# Sensors data
+type sensors_data_file, file_type, data_file_type;
+
+# Display sysfs
+type sysfs_display, fs_type, sysfs_type;
+
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..5b0abcb
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,60 @@
+# Graphics
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:ump_device:s0
+/dev/fimg2d u:object_r:video_device:s0
+/dev/s5p-smem u:object_r:secmem_device:s0
+
+# RIL
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_csd u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_loopback0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+
+# Efs
+/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0
+/factory(/.*)? u:object_r:efs_file:s0
+
+# Camera
+/data/ISP_CV u:object_r:camera_data_file:s0
+/dev/exynos-mem u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
+/dev/video[0-3]* u:object_r:camera_device:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/factory/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+
+# Display
+/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
+/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Sensors
+/dev/akm8963 u:object_r:sensors_device:s0
+/efs/gyro_cal_data u:object_r:sensors_data_file:s0
+
+# Wifi
+/dev/rfkill u:object_r:rfkill_device:s0
+/factory/wifi/.mac.info u:object_r:wifi_data_file:s0
+
+# Firmwares
+/system/vendor/firmware(/.*)? u:object_r:firmware_exynos:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/data/cfw(/.*)? u:object_r:firmware_exynos:s0
+
+# Vibrator
+/dev/tspdrv u:object_r:input_device:s0
+/sys/vibrator/pwm_val u:object_r:sysfs:s0
+
+# Misc
+/dev/HPD u:object_r:video_device:s0
+/dev/fmradio u:object_r:fm_radio_device:s0
+/dev/ttyGS[0-9]* u:object_r:gadget_serial_device:s0
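Review bot: Several patterns in sepolicy/file_contexts match more than the single node they name, because file_contexts entries are regular expressions. `/factory/wifi/.mac.info` leaves both dots unescaped and should read `/factory/wifi/\.mac\.info`, and `/dev/video[0-3]*` and `/dev/ttyGS[0-9]*` accept any run of digits (or none) where `/dev/video[0-3]` and `/dev/ttyGS[0-9]` look like the intent. `/dev/exynos-mem`, `/dev/fimg2d` and `/dev/HPD` all share the stock `video_device` type, so every domain already allowed `video_device` reaches them; if `/dev/exynos-mem` maps physical memory as its name suggests, it would be safer under its own type granted only to the domains that need it. `/sys/vibrator/pwm_val u:object_r:sysfs:s0` assigns what is presumably already the default label and can be dropped.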
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..309ab1a
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,9 @@
+allow gpsd rild:unix_stream_socket connectto;
+allow gpsd system_data_file:dir { add_name write };
+allow gpsd system_data_file:file { create write lock open };
+allow gpsd system_data_file:fifo_file { create read write open setattr };
+allow gpsd sysfs_wake_lock:file { read write open };
+allow gpsd servicemanager:binder call;
+allow gpsd system_server:binder call;
+allow gpsd system_server:unix_stream_socket { read write };
+
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
new file mode 100644
index 0000000..7e0b91b
--- /dev/null
+++ b/sepolicy/hostapd.te
@@ -0,0 +1 @@
+allow hostapd rfkill_device:chr_file { read open };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..8d43cdb
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,3 @@
+allow mediaserver camera_data_file:file write;
+allow mediaserver mfc_device:chr_file { read write ioctl open };
+allow mediaserver ump_device:chr_file { read write ioctl open };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..ee1496b
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1 @@
+allow netd self:capability fsetid;
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..6a6e324
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1 @@
+allow nfc firmware_exynos:dir search;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..fd825e9
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1 @@
+allow platform_app ump_device:chr_file { read write ioctl open };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..c19e0cf
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1,2 @@
+allow radio ump_device:chr_file { read write ioctl open };
+
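Review bot: The gpsd.te rules let gpsd create and write files and FIFOs under the generic `system_data_file` label, which covers far more of /data than the daemon's own directory; rild.te later in this commit has the same problem with `system_data_file:file { write create unlink setattr }`. A dedicated data type per daemon (the base policy may already provide one such as `gps_data_file`; verify against the tree), plus a file_contexts entry for the directory each daemon actually uses, would confine a compromised daemon to its own files. The directory paths are not visible in this diff, so the label entries need the real locations filled in from the denials that motivated these rules.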
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..061742a
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,3 @@
+allow rild self:process execmem;
+allow rild system_data_file:dir { write remove_name add_name setattr };
+allow rild system_data_file:file { write create unlink setattr };
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..c01caa2
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+Exynos.IPService u:object_r:surfaceflinger_service:s0
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..3b3bda8
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,4 @@
+allow servicemanager gpsd:dir search;
+allow servicemanager gpsd:file { read open };
+allow servicemanager gpsd:process getattr;
+
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..a9a8d6a
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger ump_device:chr_file { open read write ioctl };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..2cb531f
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,3 @@
+allow system_app sysfs_display:file { write getattr open };
+allow system_app ump_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..f18517d
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,7 @@
+allow system_server efs_file:file { read open };
+allow system_server efs_file:dir search;
+allow system_server sensors_data_file:file { read open };
+allow system_server uhid_device:chr_file { read write ioctl open };
+allow system_server ump_device:chr_file { read write ioctl open };
+allow system_server gpsd:binder transfer;
+
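Review bot: `allow rild self:process execmem;` in rild.te lets the RIL daemon map anonymous memory that is both writable and executable, and nothing in the hunk records why it is needed. rild handles data coming from the baseband, so giving up W^X there weakens a mitigation that would otherwise contain a memory-corruption bug in the vendor RIL library. If the vendor blob cannot run without it, say so next to the rule, e.g. `# vendor RIL blob needs execmem; avc denial: <paste denial line>`, so the grant can be revisited when the blob changes.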
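Review bot: The three rules in servicemanager.te, together with `allow gpsd servicemanager:binder call;` in gpsd.te, appear to hand-expand what the policy macro `binder_use(gpsd)` provides, and the gpsd/system_server binder pair (`call` in gpsd.te, `transfer` in system_server.te) looks like `binder_call(gpsd, system_server)`. Writing the macros in gpsd.te would keep all of gpsd's binder grants in one file instead of spreading them over three. The exact expansion depends on the te_macros of the platform this builds against, so compare it with these rules before swapping.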
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..af59995
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,3 @@
+allow ueventd firmware_mfc:file { read getattr open };
+allow ueventd firmware_exynos:dir search;
+allow ueventd firmware_exynos:file { read getattr open };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..adaf51a
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,2 @@
+allow untrusted_app ump_device:chr_file { open read write ioctl };
+
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..8068d38
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,2 @@
+allow vold efs_file:dir { read getattr open ioctl };
+
diff --git a/sepolicy/wpa.te b/sepolicy/wpa.te
new file mode 100644
index 0000000..4f5ef08
--- /dev/null
+++ b/sepolicy/wpa.te
@@ -0,0 +1 @@
+allow wpa rfkill_device:chr_file { read open }; |
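Review bot: `allow untrusted_app ump_device:chr_file { open read write ioctl };` in untrusted_app.te exposes the UMP memory driver, with every ioctl it implements, to all third-party apps. The same read/write/ioctl grant is repeated for bootanim, mediaserver, platform_app, radio, surfaceflinger, system_app and system_server, but this is the one that puts a kernel driver's ioctl surface inside the least-trusted app sandbox. If apps really need the node for graphics buffers, narrow the rule: where the platform's policy version supports ioctl whitelisting, add `allowxperm untrusted_app ump_device:chr_file ioctl { <ioctl numbers seen in denials> };` so only the commands actually used are permitted. At minimum add a comment naming the component that requires the access.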