diff options
author | Luden <luden@ghostmail.com> | 2016-03-17 20:19:12 +0000 |
---|---|---|
committer | Ziyan <jaraidaniel@gmail.com> | 2016-04-03 15:49:30 +0200 |
commit | 3977f65b1374e3365f69695771afe886165564d6 (patch) | |
tree | a146b3b6135fc94fa2f4e62b54ed677f9bce4d6f /sepolicy | |
parent | 3c60373689a44efea9a87b6cdac148530b02d775 (diff) | |
download | device_samsung_tuna-3977f65b1374e3365f69695771afe886165564d6.zip device_samsung_tuna-3977f65b1374e3365f69695771afe886165564d6.tar.gz device_samsung_tuna-3977f65b1374e3365f69695771afe886165564d6.tar.bz2 |
Implemented SELinux rules for tuna.
Change-Id: I0c82e620532cf968341cc8c5d268aa0788ebb94f
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/device.te | 3 | ||||
-rw-r--r-- | sepolicy/file.te | 1 | ||||
-rw-r--r-- | sepolicy/file_contexts | 30 | ||||
-rw-r--r-- | sepolicy/fs_setup.te | 8 | ||||
-rw-r--r-- | sepolicy/init.te | 6 | ||||
-rw-r--r-- | sepolicy/mediaserver.te | 1 | ||||
-rw-r--r-- | sepolicy/property.te | 1 | ||||
-rw-r--r-- | sepolicy/property_contexts | 1 | ||||
-rw-r--r-- | sepolicy/recovery.te | 42 | ||||
-rw-r--r-- | sepolicy/rild.te | 15 | ||||
-rw-r--r-- | sepolicy/sdcardd.te | 3 | ||||
-rw-r--r-- | sepolicy/servicemanager.te | 2 | ||||
-rw-r--r-- | sepolicy/smc_pa_ctrl.te | 6 | ||||
-rw-r--r-- | sepolicy/system_server.te | 4 | ||||
-rw-r--r-- | sepolicy/tee.te | 8 | ||||
-rw-r--r-- | sepolicy/vold.te | 5 | ||||
-rw-r--r-- | sepolicy/zygote.te | 4 |
17 files changed, 133 insertions, 7 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te new file mode 100644 index 0000000..4bc0b81 --- /dev/null +++ b/sepolicy/device.te @@ -0,0 +1,3 @@ +# Device types +type efs_block_device, dev_type; +type tee_block_device, dev_type; diff --git a/sepolicy/file.te b/sepolicy/file.te new file mode 100644 index 0000000..1ed4c15 --- /dev/null +++ b/sepolicy/file.te @@ -0,0 +1 @@ +type radio_efs_file, file_type, mlstrustedobject; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 17417ec..35c90c9 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -1,8 +1,6 @@ #rild -/data/radio/nv_data.bin.* u:object_r:radio_data_file:s0 -/dev/block/mmcblk0p4 u:object_r:radio_device:s0 -/dev/block/mmcblk0p9 u:object_r:radio_device:s0 -/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0 +/data/radio(/.*)? u:object_r:radio_data_file:s0 +/data/misc/radio(/.*)? u:object_r:radio_data_file:s0 /dev/an30259a_leds u:object_r:video_device:s0 /dev/cdma_.* u:object_r:radio_device:s0 /dev/lte_.* u:object_r:radio_device:s0 @@ -18,7 +16,8 @@ /dev/i2c-2 u:object_r:camera_device:s0 /factory(/.*)? u:object_r:efs_file:s0 /factory/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 -/factory/nv_data.bin.* u:object_r:radio_data_file:s0 +/factory/nv_data.bin.* u:object_r:radio_efs_file:s0 + #nfc /dev/ttyO3 u:object_r:nfc_device:s0 @@ -34,3 +33,24 @@ # System binaries /system/bin/dumpdcc u:object_r:dumpdcc_exec:s0 + +# TEE / SMC +/tee/smc(/.*)? u:object_r:tee_file:s0 +/dev/tf_ctrl u:object_r:tee_device:s0 +/system/vendor/bin/tee-fs-setup.sh u:object_r:recovery_exec:s0 +/system/bin/smc_pa_ctrl u:object_r:smc_pa_ctrl_exec:s0 + +# Generic setup +/system/bin/setup_fs u:object_r:fs_setup_exec:s0 + +# Block devices +/dev/block/mmcblk0 u:object_r:root_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/boot u:object_r:boot_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/recovery u:object_r:recovery_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/system u:object_r:system_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/param u:object_r:radio_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/dgs u:object_r:tee_block_device:s0 +/dev/block/platform/omap/omap_hsmmc.0/by-name/efs u:object_r:efs_block_device:s0 diff --git a/sepolicy/fs_setup.te b/sepolicy/fs_setup.te new file mode 100644 index 0000000..e8404f1 --- /dev/null +++ b/sepolicy/fs_setup.te @@ -0,0 +1,8 @@ +# fs_setup +type fs_setup, domain; +type fs_setup_exec, exec_type, file_type; +init_daemon_domain(fs_setup) + +allow fs_setup cache_block_device:blk_file rw_file_perms; +allow fs_setup userdata_block_device:blk_file rw_file_perms; +allow fs_setup block_device:dir search; diff --git a/sepolicy/init.te b/sepolicy/init.te index 5684f92..13c8bd4 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1,3 +1,9 @@ # init allow init radio_device:lnk_file relabelto; allow init self:capability sys_module; + +# For sdcard link +allow init tmpfs:lnk_file create; + +# For 'cpuset' module requests +allow init kernel:system module_request; diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te index 007fdc4..89877b1 100644 --- a/sepolicy/mediaserver.te +++ b/sepolicy/mediaserver.te @@ -1,2 +1,3 @@ # mediaserver allow mediaserver system_server:unix_stream_socket { read write }; +allow mediaserver sensorservice_service:service_manager find; diff --git a/sepolicy/property.te b/sepolicy/property.te new file mode 100644 index 0000000..ef1e4d4 --- /dev/null +++ b/sepolicy/property.te @@ -0,0 +1 @@ +type tee_fs_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts new file mode 100644 index 0000000..a136067 --- /dev/null +++ b/sepolicy/property_contexts @@ -0,0 +1 @@ +init.tee_fs. u:object_r:tee_fs_prop:s0 diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te new file mode 100644 index 0000000..dca6680 --- /dev/null +++ b/sepolicy/recovery.te @@ -0,0 +1,42 @@ +# recovery +type recovery_exec, exec_type, file_type; + +# Instead of 'init_daemon_domain(recovery)' we're using +# 'domain_auto_trans', which is the first part of 'init_daemon_domain'. +# We cannot use 'init_daemon_domain' directly as it also results +# in automatic transition from 'tmpfs' to 'recovery_tmpfs' which +# is not accounted for by existing recovery.te rules and, moreover, +# is forbidden by 'neverallow' that blocks execution of files not on +# 'tmpfs'. +domain_auto_trans(init, recovery_exec, recovery) + +# For running tunasetup +allow recovery shell_exec:file read; + +# For tee_fs setprop +allow recovery property_socket:sock_file write; +allow recovery init:unix_stream_socket connectto; +allow recovery tee_fs_prop:property_service set; + +# For creating or checking /tee +allow recovery tee_block_device:blk_file { getattr open ioctl read write }; +allow recovery unlabeled:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow recovery block_device:dir { search }; +allow recovery recovery:capability { chown dac_override fowner sys_admin }; +allow recovery kmsg_device:chr_file { getattr ioctl open write }; +allow recovery tee_file:dir { getattr open read relabelto setattr }; + +# For running mke2fs when creating tee +allow recovery system_file:file execute_no_trans; + +# For remounting and relabeling /factory and /system +allow recovery efs_block_device:blk_file { getattr open ioctl read write }; +allow recovery system_block_device:blk_file { open ioctl read }; +allow recovery labeledfs:filesystem { mount remount }; +allow recovery kernel:process setsched; +allow recovery rootfs:dir mounton; +allow recovery { efs_file radio_efs_file bluetooth_efs_file }:dir { getattr open read search setattr }; +allow recovery { efs_file radio_efs_file bluetooth_efs_file }:file { getattr open read relabelfrom relabelto setattr }; + +# For rebooting in tunasetup +allow recovery powerctl_prop:property_service set; diff --git a/sepolicy/rild.te b/sepolicy/rild.te index 67a21b6..b6013f0 100644 --- a/sepolicy/rild.te +++ b/sepolicy/rild.te @@ -1,4 +1,15 @@ # rild -allow rild radio_data_file:dir { r_dir_perms setattr }; + +# Needed for /data/radio/*, /data/misc/radio/* and /factory/* +allow rild { radio_data_file radio_efs_file }:dir { rw_dir_perms setattr }; +allow rild { radio_data_file radio_efs_file }:file rw_file_perms; + allow rild self:process execmem; -allow rild block_device:dir search; +allow rild block_device:dir { search }; + +# Needed for /system/vendor/lib/libsec-ril.so +allow rild system_file:file { execute execmod }; + +# Have no idea why rild needs access to logcat, +# potentially to catch errors from some other components? +allow rild logcat_exec:file { getattr read open execute execute_no_trans }; diff --git a/sepolicy/sdcardd.te b/sepolicy/sdcardd.te new file mode 100644 index 0000000..dcc163a --- /dev/null +++ b/sepolicy/sdcardd.te @@ -0,0 +1,3 @@ +# sdcardd +allow sdcardd self:capability { setuid setgid dac_override }; +allow sdcardd system_data_file:dir create_dir_perms; diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te new file mode 100644 index 0000000..dfd4473 --- /dev/null +++ b/sepolicy/servicemanager.te @@ -0,0 +1,2 @@ +# servicemanager +allow servicemanager zygote:file { read open }; diff --git a/sepolicy/smc_pa_ctrl.te b/sepolicy/smc_pa_ctrl.te new file mode 100644 index 0000000..dfaaea5 --- /dev/null +++ b/sepolicy/smc_pa_ctrl.te @@ -0,0 +1,6 @@ +# smc_pa_ctrl +type smc_pa_ctrl, domain; +type smc_pa_ctrl_exec, exec_type, file_type; +init_daemon_domain(smc_pa_ctrl) + +allow smc_pa_ctrl tee_device:chr_file rw_file_perms; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te new file mode 100644 index 0000000..072e89d --- /dev/null +++ b/sepolicy/system_server.te @@ -0,0 +1,4 @@ +# system_server + +# Needed for /system/vendor/lib/hw/gps.omap4.so +allow system_server system_file:file { execmod }; diff --git a/sepolicy/tee.te b/sepolicy/tee.te new file mode 100644 index 0000000..59e7894 --- /dev/null +++ b/sepolicy/tee.te @@ -0,0 +1,8 @@ +# tee_data_file cannot be used as it has data_file_type, +# which triggers 'neverallow' for 'recovery' domain. +type tee_file, file_type; + +allow tee unlabeled:dir search; +allow tee tee_file:dir rw_dir_perms; +allow tee tee_file:file create_file_perms; +allow tee labeledfs:filesystem associate; diff --git a/sepolicy/vold.te b/sepolicy/vold.te new file mode 100644 index 0000000..9ba8469 --- /dev/null +++ b/sepolicy/vold.te @@ -0,0 +1,5 @@ +# vold +allow vold efs_file:dir { getattr read open ioctl }; + +# For 'aes-*' module requests. +allow vold kernel:system module_request; diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te new file mode 100644 index 0000000..58980c7 --- /dev/null +++ b/sepolicy/zygote.te @@ -0,0 +1,4 @@ +# zygote +allow zygote init:unix_stream_socket { read write getattr listen getopt setopt accept }; +allow zygote init:fifo_file { read write }; +allow zygote servicemanager:binder { call transfer }; |