From 3977f65b1374e3365f69695771afe886165564d6 Mon Sep 17 00:00:00 2001
From: Luden
Date: Thu, 17 Mar 2016 20:19:12 +0000
Subject: Implemented SELinux rules for tuna.
Change-Id: I0c82e620532cf968341cc8c5d268aa0788ebb94f
---
rootdir/init.tuna.rc | 3 +++
sepolicy/device.te | 3 +++
sepolicy/file.te | 1 +
sepolicy/file_contexts | 30 +++++++++++++++++++++++++-----
sepolicy/fs_setup.te | 8 ++++++++
sepolicy/init.te | 6 ++++++
sepolicy/mediaserver.te | 1 +
sepolicy/property.te | 1 +
sepolicy/property_contexts | 1 +
sepolicy/recovery.te | 42 ++++++++++++++++++++++++++++++++++++++++++
sepolicy/rild.te | 15 +++++++++++++--
sepolicy/sdcardd.te | 3 +++
sepolicy/servicemanager.te | 2 ++
sepolicy/smc_pa_ctrl.te | 6 ++++++
sepolicy/system_server.te | 4 ++++
sepolicy/tee.te | 8 ++++++++
sepolicy/vold.te | 5 +++++
sepolicy/zygote.te | 4 ++++
18 files changed, 136 insertions(+), 7 deletions(-)
create mode 100644 sepolicy/device.te
create mode 100644 sepolicy/file.te
create mode 100644 sepolicy/fs_setup.te
create mode 100644 sepolicy/property.te
create mode 100644 sepolicy/property_contexts
create mode 100644 sepolicy/recovery.te
create mode 100644 sepolicy/sdcardd.te
create mode 100644 sepolicy/servicemanager.te
create mode 100644 sepolicy/smc_pa_ctrl.te
create mode 100644 sepolicy/system_server.te
create mode 100644 sepolicy/tee.te
create mode 100644 sepolicy/vold.te
create mode 100644 sepolicy/zygote.te
diff --git a/rootdir/init.tuna.rc b/rootdir/init.tuna.rc
index 3d0315f..ce9e85b 100755
--- a/rootdir/init.tuna.rc
+++ b/rootdir/init.tuna.rc
@@ -142,6 +142,7 @@ service setup_fs /system/bin/setup_fs \
 class core
 user root
 group root
+ seclabel u:r:fs_setup:s0
 oneshot
 service tf_daemon /system/bin/tf_daemon \
@@ -157,6 +158,7 @@ service smc_pa_wvdrm /system/bin/smc_pa_ctrl \
 class core
 user drmrpc
 group drmrpc
+ seclabel u:r:smc_pa_ctrl:s0
 oneshot
 disabled
@@ -251,6 +253,7 @@ service tee_fs_setup /system/vendor/bin/tee-fs-setup.sh
 class core
 user root
 group root
+ seclabel u:r:recovery:s0
 disabled
 oneshot
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..4bc0b81
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,3 @@
+# Device types
+type efs_block_device, dev_type;
+type tee_block_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..1ed4c15
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1 @@
+type radio_efs_file, file_type, mlstrustedobject;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 17417ec..35c90c9 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,8 +1,6 @@
 #rild
-/data/radio/nv_data.bin.* u:object_r:radio_data_file:s0
-/dev/block/mmcblk0p4 u:object_r:radio_device:s0
-/dev/block/mmcblk0p9 u:object_r:radio_device:s0
-/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
+/data/radio(/.*)? u:object_r:radio_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
 /dev/an30259a_leds u:object_r:video_device:s0
 /dev/cdma_.* u:object_r:radio_device:s0
 /dev/lte_.* u:object_r:radio_device:s0
@@ -18,7 +16,8 @@
 /dev/i2c-2 u:object_r:camera_device:s0
 /factory(/.*)? u:object_r:efs_file:s0
 /factory/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
-/factory/nv_data.bin.* u:object_r:radio_data_file:s0
+/factory/nv_data.bin.* u:object_r:radio_efs_file:s0
+
 #nfc
 /dev/ttyO3 u:object_r:nfc_device:s0
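Review bot: The `seclabel u:r:recovery:s0` given to the `tee_fs_setup` service makes a script that init starts from the normal (non-recovery) system image execute in the `recovery` domain, and the recovery.te hunk of this commit widens that domain (sys_admin, mount/remount of labeledfs, relabeling under /factory) to fit the script; the file_contexts hunk that labels `/system/vendor/bin/tee-fs-setup.sh` as `recovery_exec` is the other half of the same choice. The comment in recovery.te explains why `init_daemon_domain` could not be used, but nothing records why the script shares a core domain instead of getting a narrow domain of its own. A one-line comment above the seclabel, e.g. `# deliberately runs in the recovery domain; see sepolicy/recovery.te`, would at least make the decision visible to the next person auditing the policy. The `service tee_fs_setup` line itself is outside the hunk.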
@@ -34,3 +33,24 @@
 # System binaries
 /system/bin/dumpdcc u:object_r:dumpdcc_exec:s0
+
+# TEE / SMC
+/tee/smc(/.*)? u:object_r:tee_file:s0
+/dev/tf_ctrl u:object_r:tee_device:s0
+/system/vendor/bin/tee-fs-setup.sh u:object_r:recovery_exec:s0
+/system/bin/smc_pa_ctrl u:object_r:smc_pa_ctrl_exec:s0
+
+# Generic setup
+/system/bin/setup_fs u:object_r:fs_setup_exec:s0
+
+# Block devices
+/dev/block/mmcblk0 u:object_r:root_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/boot u:object_r:boot_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/param u:object_r:radio_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/dgs u:object_r:tee_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/efs u:object_r:efs_block_device:s0
diff --git a/sepolicy/fs_setup.te b/sepolicy/fs_setup.te
new file mode 100644
index 0000000..e8404f1
--- /dev/null
+++ b/sepolicy/fs_setup.te
@@ -0,0 +1,8 @@
+# fs_setup
+type fs_setup, domain;
+type fs_setup_exec, exec_type, file_type;
+init_daemon_domain(fs_setup)
+
+allow fs_setup cache_block_device:blk_file rw_file_perms;
+allow fs_setup userdata_block_device:blk_file rw_file_perms;
+allow fs_setup block_device:dir search;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 5684f92..13c8bd4 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,3 +1,9 @@
 # init
 allow init radio_device:lnk_file relabelto;
 allow init self:capability sys_module;
+
+# For sdcard link
+allow init tmpfs:lnk_file create;
+
+# For 'cpuset' module requests
+allow init kernel:system module_request;
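Review bot: The new `/dev/block/mmcblk0 u:object_r:root_block_device:s0` entry labels the whole eMMC, so the contents of every partition given its own type further down in this hunk (boot, recovery, system, userdata, dgs, efs, ...) are also reachable through that single node by any domain the core policy allows on `root_block_device`, which undercuts the per-partition split the hunk introduces. Nothing in this commit shows which domain needs the whole-disk node. A comment naming the consumer, e.g. `# whole disk: exposes every partition below; needed by <domain, to confirm>`, would let a reviewer check that grant against the partition types.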
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 007fdc4..89877b1 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,2 +1,3 @@
 # mediaserver
 allow mediaserver system_server:unix_stream_socket { read write };
+allow mediaserver sensorservice_service:service_manager find;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..ef1e4d4
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type tee_fs_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..a136067
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1 @@
+init.tee_fs. u:object_r:tee_fs_prop:s0
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..dca6680
--- /dev/null
+++ b/sepolicy/recovery.te
@@ -0,0 +1,42 @@
+# recovery
+type recovery_exec, exec_type, file_type;
+
+# Instead of 'init_daemon_domain(recovery)' we're using
+# 'domain_auto_trans', which is the first part of 'init_daemon_domain'.
+# We cannot use 'init_daemon_domain' directly as it also results
+# in automatic transition from 'tmpfs' to 'recovery_tmpfs' which
+# is not accounted for by existing recovery.te rules and, moreover,
+# is forbidden by 'neverallow' that blocks execution of files not on
+# 'tmpfs'.
+domain_auto_trans(init, recovery_exec, recovery)
+
+# For running tunasetup
+allow recovery shell_exec:file read;
+
+# For tee_fs setprop
+allow recovery property_socket:sock_file write;
+allow recovery init:unix_stream_socket connectto;
+allow recovery tee_fs_prop:property_service set;
+
+# For creating or checking /tee
+allow recovery tee_block_device:blk_file { getattr open ioctl read write };
+allow recovery unlabeled:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
+allow recovery block_device:dir { search };
+allow recovery recovery:capability { chown dac_override fowner sys_admin };
+allow recovery kmsg_device:chr_file { getattr ioctl open write };
+allow recovery tee_file:dir { getattr open read relabelto setattr };
+
+# For running mke2fs when creating tee
+allow recovery system_file:file execute_no_trans;
+
+# For remounting and relabeling /factory and /system
+allow recovery efs_block_device:blk_file { getattr open ioctl read write };
+allow recovery system_block_device:blk_file { open ioctl read };
+allow recovery labeledfs:filesystem { mount remount };
+allow recovery kernel:process setsched;
+allow recovery rootfs:dir mounton;
+allow recovery { efs_file radio_efs_file bluetooth_efs_file }:dir { getattr open read search setattr };
+allow recovery { efs_file radio_efs_file bluetooth_efs_file }:file { getattr open read relabelfrom relabelto setattr };
+
+# For rebooting in tunasetup
+allow recovery powerctl_prop:property_service set;
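Review bot: Several of the new rules are broader than the comment above them says they are for: `allow recovery system_file:file execute_no_trans;` is justified as "running mke2fs" but lets the domain run any file labeled `system_file` without a domain transition, and `allow recovery unlabeled:dir { add_name create getattr open read relabelfrom relabelto search setattr write };` is justified as "creating or checking /tee" but applies to every unlabeled directory on the device. Together with `recovery:capability { chown dac_override fowner sys_admin }`, `labeledfs:filesystem { mount remount }` and `rootfs:dir mounton`, and with init.tuna.rc in this commit starting `tee_fs_setup` in this domain, these grants are live in the normal system image rather than only in recovery mode. Where the tool or path is fixed the rule can be narrowed (a dedicated exec type for the formatting tool, a proper label for the mount point so it is not `unlabeled`), and where it cannot be, a comment saying so — e.g. `# /tee carries no label until it is relabelled below; unlabeled:dir cannot be narrowed here` — would stop a later reviewer from re-deriving that. The recovery domain's base rules come from the core policy and are outside this file.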
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 67a21b6..b6013f0 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,4 +1,15 @@
 # rild
-allow rild radio_data_file:dir { r_dir_perms setattr };
+
+# Needed for /data/radio/*, /data/misc/radio/* and /factory/*
+allow rild { radio_data_file radio_efs_file }:dir { rw_dir_perms setattr };
+allow rild { radio_data_file radio_efs_file }:file rw_file_perms;
+
 allow rild self:process execmem;
-allow rild block_device:dir search;
+allow rild block_device:dir { search };
+
+# Needed for /system/vendor/lib/libsec-ril.so
+allow rild system_file:file { execute execmod };
+
+# Have no idea why rild needs access to logcat,
+# potentially to catch errors from some other components?
+allow rild logcat_exec:file { getattr read open execute execute_no_trans };
diff --git a/sepolicy/sdcardd.te b/sepolicy/sdcardd.te
new file mode 100644
index 0000000..dcc163a
--- /dev/null
+++ b/sepolicy/sdcardd.te
@@ -0,0 +1,3 @@
+# sdcardd
+allow sdcardd self:capability { setuid setgid dac_override };
+allow sdcardd system_data_file:dir create_dir_perms;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..dfd4473
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,2 @@
+# servicemanager
+allow servicemanager zygote:file { read open };
diff --git a/sepolicy/smc_pa_ctrl.te b/sepolicy/smc_pa_ctrl.te
new file mode 100644
index 0000000..dfaaea5
--- /dev/null
+++ b/sepolicy/smc_pa_ctrl.te
@@ -0,0 +1,6 @@
+# smc_pa_ctrl
+type smc_pa_ctrl, domain;
+type smc_pa_ctrl_exec, exec_type, file_type;
+init_daemon_domain(smc_pa_ctrl)
+
+allow smc_pa_ctrl tee_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..072e89d
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,4 @@
+# system_server
+
+# Needed for /system/vendor/lib/hw/gps.omap4.so
+allow system_server system_file:file { execmod };
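Review bot: The rule `allow rild logcat_exec:file { getattr read open execute execute_no_trans };` is introduced with the comment "Have no idea why rild needs access to logcat", and an allow rule whose cause is unknown cannot be judged for scope; the comment should be replaced by the observed avc denial and the code path that produced it, or the rule dropped and the denial reproduced, before this is merged. The two `execmod` grants on `system_file` — here for libsec-ril.so and in the system_server.te hunk for gps.omap4.so — permit a copy-on-write-modified file mapping to be made executable, which is what text relocations in a prebuilt library need and what W^X otherwise prevents; given prebuilt vendor blobs they are probably unavoidable, but neither is documented beyond the library name. A comment recording the evidence for each (the denial, or the library's TEXTREL flag) would tell a later maintainer when the rule can be removed.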
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..59e7894
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,8 @@
+# tee_data_file cannot be used as it has data_file_type,
+# which triggers 'neverallow' for 'recovery' domain.
+type tee_file, file_type;
+
+allow tee unlabeled:dir search;
+allow tee tee_file:dir rw_dir_perms;
+allow tee tee_file:file create_file_perms;
+allow tee labeledfs:filesystem associate;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..9ba8469
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,5 @@
+# vold
+allow vold efs_file:dir { getattr read open ioctl };
+
+# For 'aes-*' module requests.
+allow vold kernel:system module_request;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..58980c7
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1,4 @@
+# zygote
+allow zygote init:unix_stream_socket { read write getattr listen getopt setopt accept };
+allow zygote init:fifo_file { read write };
+allow zygote servicemanager:binder { call transfer };
-- cgit v1.1
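Review bot: `allow tee labeledfs:filesystem associate;` has the shape of a rule written for a file type, not a process domain — `associate` is checked against the type carried by the object being placed on the filesystem — so a denial with `tee` as the source suggests some object the daemon creates ends up labeled with the process type rather than a file type. If that reading is right, the object probably wants its own type via file_contexts or a `type_transition`, after which this rule is unnecessary; if the rule stays, a comment naming the object, e.g. `# associate: <object, to confirm> is created carrying the tee process label`, would let the next reviewer verify it. The rest of the `tee` domain's rules come from the core policy and are outside this file.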
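Review bot: `allow zygote init:unix_stream_socket { read write getattr listen getopt setopt accept };` grants listen and accept on a stream socket labeled `init`, which is not the label a zygote-owned listening socket would normally carry; it suggests the zygote socket is being created with init's context rather than the zygote's, and since every stream socket init creates shares that type, the rule lets zygote accept on any of them, not only its own. It is worth checking how the service and its socket are labeled in the init.rc before widening the policy, and if the rule is kept, a comment naming the socket it was added for, e.g. `# listen/accept: <socket, to confirm> is created carrying init's label`, would record why. The `init:fifo_file { read write }` rule looks like inherited descriptors and may deserve the same note.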