authorLuden <luden@ghostmail.com>2016-03-17 20:19:12 +0000
committerZiyan <jaraidaniel@gmail.com>2016-04-03 15:49:30 +0200
commit3977f65b1374e3365f69695771afe886165564d6 (patch)
treea146b3b6135fc94fa2f4e62b54ed677f9bce4d6f /sepolicy
parent3c60373689a44efea9a87b6cdac148530b02d775 (diff)
Implemented SELinux rules for tuna.
Change-Id: I0c82e620532cf968341cc8c5d268aa0788ebb94f
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/device.te3
-rw-r--r--sepolicy/file.te1
-rw-r--r--sepolicy/file_contexts30
-rw-r--r--sepolicy/fs_setup.te8
-rw-r--r--sepolicy/init.te6
-rw-r--r--sepolicy/mediaserver.te1
-rw-r--r--sepolicy/property.te1
-rw-r--r--sepolicy/property_contexts1
-rw-r--r--sepolicy/recovery.te42
-rw-r--r--sepolicy/rild.te15
-rw-r--r--sepolicy/sdcardd.te3
-rw-r--r--sepolicy/servicemanager.te2
-rw-r--r--sepolicy/smc_pa_ctrl.te6
-rw-r--r--sepolicy/system_server.te4
-rw-r--r--sepolicy/tee.te8
-rw-r--r--sepolicy/vold.te5
-rw-r--r--sepolicy/zygote.te4
17 files changed, 133 insertions, 7 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..4bc0b81
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,3 @@
+# Device types
+type efs_block_device, dev_type;
+type tee_block_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..1ed4c15
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1 @@
+type radio_efs_file, file_type, mlstrustedobject;
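Review bot: `radio_efs_file` is declared with `mlstrustedobject`, but nothing in this commit shows the type being accessed across MLS levels — the only accessors added are `rild` and `recovery`, both plain `s0` domains — and the comparable platform types it mirrors (`efs_file`, `radio_data_file`) do not carry it. Unless a denial at a non-`s0` level was actually observed, drop the attribute, or add a comment naming the cross-level accessor it is for, e.g. `# mlstrustedobject: accessed by <domain> at a non-s0 level`.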
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 17417ec..35c90c9 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,8 +1,6 @@
#rild
-/data/radio/nv_data.bin.* u:object_r:radio_data_file:s0
-/dev/block/mmcblk0p4 u:object_r:radio_device:s0
-/dev/block/mmcblk0p9 u:object_r:radio_device:s0
-/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
+/data/radio(/.*)? u:object_r:radio_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
/dev/an30259a_leds u:object_r:video_device:s0
/dev/cdma_.* u:object_r:radio_device:s0
/dev/lte_.* u:object_r:radio_device:s0
@@ -18,7 +16,8 @@
/dev/i2c-2 u:object_r:camera_device:s0
/factory(/.*)? u:object_r:efs_file:s0
/factory/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
-/factory/nv_data.bin.* u:object_r:radio_data_file:s0
+/factory/nv_data.bin.* u:object_r:radio_efs_file:s0
+
#nfc
/dev/ttyO3 u:object_r:nfc_device:s0
@@ -34,3 +33,24 @@
# System binaries
/system/bin/dumpdcc u:object_r:dumpdcc_exec:s0
+
+# TEE / SMC
+/tee/smc(/.*)? u:object_r:tee_file:s0
+/dev/tf_ctrl u:object_r:tee_device:s0
+/system/vendor/bin/tee-fs-setup.sh u:object_r:recovery_exec:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_ctrl_exec:s0
+
+# Generic setup
+/system/bin/setup_fs u:object_r:fs_setup_exec:s0
+
+# Block devices
+/dev/block/mmcblk0 u:object_r:root_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/boot u:object_r:boot_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/param u:object_r:radio_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/dgs u:object_r:tee_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/efs u:object_r:efs_block_device:s0
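Review bot: Labeling `/system/vendor/bin/tee-fs-setup.sh` as `recovery_exec` makes init run a vendor shell script in the `recovery` domain, presumably from init.rc during normal boot rather than from the recovery ramdisk, and in this same commit that domain is given `sys_admin`, `dac_override`, mount/remount on `labeledfs` and `execute_no_trans` on every `system_file` binary. A dedicated `tee_fs_setup` domain entered via `init_daemon_domain`, carrying only the `tee_block_device`, `tee_file`, `unlabeled:dir` and `tee_fs_prop` rules the script actually needs, would keep the recovery-mode rules from being live on the booted system. If the recovery domain has to be reused because of the tmpfs neverallow described in recovery.te, say so next to this entry, e.g. `# runs in the recovery domain at boot; see the header comment in recovery.te`. The unescaped dots in `omap_hsmmc.0` and `tee-fs-setup.sh` are harmless but `\.` would make the matches exact.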
diff --git a/sepolicy/fs_setup.te b/sepolicy/fs_setup.te
new file mode 100644
index 0000000..e8404f1
--- /dev/null
+++ b/sepolicy/fs_setup.te
@@ -0,0 +1,8 @@
+# fs_setup
+type fs_setup, domain;
+type fs_setup_exec, exec_type, file_type;
+init_daemon_domain(fs_setup)
+
+allow fs_setup cache_block_device:blk_file rw_file_perms;
+allow fs_setup userdata_block_device:blk_file rw_file_perms;
+allow fs_setup block_device:dir search;
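Review bot: `fs_setup` gets raw `rw_file_perms` on the userdata and cache block devices with only `# fs_setup` as documentation, so a reader cannot tell from this file why a boot-time helper must be able to write the userdata partition. Add a why-comment above the two `blk_file` rules — presumably `setup_fs` formats the partition when it finds no valid filesystem, but that should be confirmed and stated, e.g. `# setup_fs formats cache/userdata when no valid filesystem is present, so it needs write access to the raw partitions`. If it only checks the filesystem and leaves formatting to something else, `r_file_perms` would suffice.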
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 5684f92..13c8bd4 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,3 +1,9 @@
# init
allow init radio_device:lnk_file relabelto;
allow init self:capability sys_module;
+
+# For sdcard link
+allow init tmpfs:lnk_file create;
+
+# For 'cpuset' module requests
+allow init kernel:system module_request;
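Review bot: The comment `# For 'cpuset' module requests` reads as if the grant were limited to one module, but `kernel:system module_request` lets init trigger a kernel `request_module()` for any alias, and together with the existing `self:capability sys_module` two lines up it amounts to general module-loading ability. Reword it so it does not imply a restriction, e.g. `# init triggers request_module() (observed for 'cpuset'); module_request is not scoped to a module name`. If the cpuset controller is built in and the request is just a side effect of the mount, a `dontaudit init kernel:system module_request;` would silence the denial without granting the ability.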
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 007fdc4..89877b1 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,2 +1,3 @@
# mediaserver
allow mediaserver system_server:unix_stream_socket { read write };
+allow mediaserver sensorservice_service:service_manager find;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..ef1e4d4
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type tee_fs_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..a136067
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1 @@
+init.tee_fs. u:object_r:tee_fs_prop:s0
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..dca6680
--- /dev/null
+++ b/sepolicy/recovery.te
@@ -0,0 +1,42 @@
+# recovery
+type recovery_exec, exec_type, file_type;
+
+# Instead of 'init_daemon_domain(recovery)' we're using
+# 'domain_auto_trans', which is the first part of 'init_daemon_domain'.
+# We cannot use 'init_daemon_domain' directly as it also results
+# in automatic transition from 'tmpfs' to 'recovery_tmpfs' which
+# is not accounted for by existing recovery.te rules and, moreover,
+# is forbidden by 'neverallow' that blocks execution of files not on
+# 'tmpfs'.
+domain_auto_trans(init, recovery_exec, recovery)
+
+# For running tunasetup
+allow recovery shell_exec:file read;
+
+# For tee_fs setprop
+allow recovery property_socket:sock_file write;
+allow recovery init:unix_stream_socket connectto;
+allow recovery tee_fs_prop:property_service set;
+
+# For creating or checking /tee
+allow recovery tee_block_device:blk_file { getattr open ioctl read write };
+allow recovery unlabeled:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
+allow recovery block_device:dir { search };
+allow recovery recovery:capability { chown dac_override fowner sys_admin };
+allow recovery kmsg_device:chr_file { getattr ioctl open write };
+allow recovery tee_file:dir { getattr open read relabelto setattr };
+
+# For running mke2fs when creating tee
+allow recovery system_file:file execute_no_trans;
+
+# For remounting and relabeling /factory and /system
+allow recovery efs_block_device:blk_file { getattr open ioctl read write };
+allow recovery system_block_device:blk_file { open ioctl read };
+allow recovery labeledfs:filesystem { mount remount };
+allow recovery kernel:process setsched;
+allow recovery rootfs:dir mounton;
+allow recovery { efs_file radio_efs_file bluetooth_efs_file }:dir { getattr open read search setattr };
+allow recovery { efs_file radio_efs_file bluetooth_efs_file }:file { getattr open read relabelfrom relabelto setattr };
+
+# For rebooting in tunasetup
+allow recovery powerctl_prop:property_service set;
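Review bot: This block makes `recovery` a near-root domain — `sys_admin` and `dac_override`, mount/remount of any `labeledfs` filesystem (the comment says this covers /system), `execute_no_trans` on every `system_file`, and relabelfrom/relabelto across `efs_file`, `radio_efs_file` and `bluetooth_efs_file` — while file_contexts in the same commit points a vendor shell script at `recovery_exec`, so these rules are presumably active on the booted system and not only in recovery mode. The header comment already explains why `init_daemon_domain` could not be used; the cleaner fix is a separate `tee_fs_setup` domain carrying only the `tee_block_device`/`tee_file`/`unlabeled:dir`/`tee_fs_prop` rules and the mke2fs execute rule, leaving the /factory relabel and /system remount rules to whatever runs tunasetup in recovery. If the domain must be shared, state it at the top of the file: `# NOTE: this domain is also entered at normal boot via tee-fs-setup.sh (see file_contexts); every rule below is live on the running system.` `allow recovery recovery:capability` is conventionally written `allow recovery self:capability`.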
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 67a21b6..b6013f0 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,4 +1,15 @@
# rild
-allow rild radio_data_file:dir { r_dir_perms setattr };
+
+# Needed for /data/radio/*, /data/misc/radio/* and /factory/*
+allow rild { radio_data_file radio_efs_file }:dir { rw_dir_perms setattr };
+allow rild { radio_data_file radio_efs_file }:file rw_file_perms;
+
allow rild self:process execmem;
-allow rild block_device:dir search;
+allow rild block_device:dir { search };
+
+# Needed for /system/vendor/lib/libsec-ril.so
+allow rild system_file:file { execute execmod };
+
+# Have no idea why rild needs access to logcat,
+# potentially to catch errors from some other components?
+allow rild logcat_exec:file { getattr read open execute execute_no_trans };
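Review bot: The last rule grants rild `execute execute_no_trans` on `logcat_exec` under a comment saying the author does not know why it is needed; a permission whose purpose is unknown should not sit in the allow set of the domain that talks to the baseband and now has `rw_file_perms` on the NV data in /factory. Either find the caller (the audit record's `path=`/`comm=` fields, or the library doing the exec) and document it, or make it `dontaudit rild logcat_exec:file { getattr read open execute execute_no_trans };` and confirm nothing breaks before granting it. `execmod` on all of `system_file` is likewise broader than the single `libsec-ril.so` named in the comment; if that library has text relocations, say so in the comment (and that execmod is the workaround), and narrow the rule if the library can be given its own label.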
diff --git a/sepolicy/sdcardd.te b/sepolicy/sdcardd.te
new file mode 100644
index 0000000..dcc163a
--- /dev/null
+++ b/sepolicy/sdcardd.te
@@ -0,0 +1,3 @@
+# sdcardd
+allow sdcardd self:capability { setuid setgid dac_override };
+allow sdcardd system_data_file:dir create_dir_perms;
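Review bot: `allow sdcardd system_data_file:dir create_dir_perms;` lets the FUSE daemon that serves storage to apps create, write and remove directories anywhere under the default /data label, not just at the sdcard target it presumably needs (the `# For sdcard link` rule in init.te hints at a specific path). If that directory is known, give it its own type in file_contexts and grant `create_dir_perms` on that type only; otherwise add a comment naming the directory this rule exists for so it can be narrowed later. The capability line duplicates what the platform `sdcardd.te` typically already grants, so check whether it is needed here at all rather than carrying a redundant copy.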
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..dfd4473
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,2 @@
+# servicemanager
+allow servicemanager zygote:file { read open };
diff --git a/sepolicy/smc_pa_ctrl.te b/sepolicy/smc_pa_ctrl.te
new file mode 100644
index 0000000..dfaaea5
--- /dev/null
+++ b/sepolicy/smc_pa_ctrl.te
@@ -0,0 +1,6 @@
+# smc_pa_ctrl
+type smc_pa_ctrl, domain;
+type smc_pa_ctrl_exec, exec_type, file_type;
+init_daemon_domain(smc_pa_ctrl)
+
+allow smc_pa_ctrl tee_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..072e89d
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,4 @@
+# system_server
+
+# Needed for /system/vendor/lib/hw/gps.omap4.so
+allow system_server system_file:file { execmod };
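Review bot: `allow system_server system_file:file { execmod };` applies to every file under the `system_file` label, while the comment justifies it with a single GPS HAL library; execmod permits text relocations (mappings made writable and then executable) in the most privileged userspace process, so the grant should be as narrow as its justification. If the library can be relabeled (e.g. a `gps_omap4_lib` type on `/system/vendor/lib/hw/gps.omap4.so` in file_contexts), `allow system_server gps_omap4_lib:file execmod;` confines it; failing that, extend the comment to say the library presumably has text relocations and that rebuilding it without them would remove the need for this rule.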
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..59e7894
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,8 @@
+# tee_data_file cannot be used as it has data_file_type,
+# which triggers 'neverallow' for 'recovery' domain.
+type tee_file, file_type;
+
+allow tee unlabeled:dir search;
+allow tee tee_file:dir rw_dir_perms;
+allow tee tee_file:file create_file_perms;
+allow tee labeledfs:filesystem associate;
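Review bot: `allow tee labeledfs:filesystem associate;` looks like a misread denial: `associate` is checked with the file's label as the source, so this rule only ever fires if an inode labeled with the process domain `tee` is created on an ext4 filesystem, which nothing in this policy does. The rule the /tee files need is `allow tee_file labeledfs:filesystem associate;`, and since `tee_file` carries `file_type` that is normally already covered by the platform's `allow file_type labeledfs:filesystem associate;` — confirm against the original avc message before keeping a rule whose scontext is a domain. `allow tee unlabeled:dir search;` also deserves a comment naming which path is unlabeled when tee starts (presumably the /tee mountpoint before the recovery domain relabels it) so the rule can be dropped once the labeling is fixed.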
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..9ba8469
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,5 @@
+# vold
+allow vold efs_file:dir { getattr read open ioctl };
+
+# For 'aes-*' module requests.
+allow vold kernel:system module_request;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..58980c7
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1,4 @@
+# zygote
+allow zygote init:unix_stream_socket { read write getattr listen getopt setopt accept };
+allow zygote init:fifo_file { read write };
+allow zygote servicemanager:binder { call transfer };
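Review bot: `allow zygote init:unix_stream_socket { ... listen ... accept }` and `allow zygote init:fifo_file { read write }` mean zygote is operating on a socket and a pipe whose objects are labeled `init`, not `zygote`; that usually indicates either that the zygote service socket was created without init setting the socket-creation context to the service's label, or that a stdio fifo leaked from init into the child. Both are better fixed at the source (init's socket-creation context handling, or closing inherited descriptors) than by letting zygote listen on init-labeled sockets and write to init's pipes. If these have to remain as a workaround, add a comment saying which descriptor they are for and that they are expected to go away, e.g. `# WORKAROUND: zygote inherits its listening socket labeled as init; drop once socket creation context is fixed`.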