From 279859988403de649091978b0bff52bce153fd29 Mon Sep 17 00:00:00 2001 From: Daniel Hillenbrand Date: Sun, 11 Aug 2013 16:23:09 +0200 Subject: [PATCH] galaxys2: add selinux policies Change-Id: I52a914da94f5c331b4928cb2e79d8fa5a0c0c41c --- BoardCommonConfig.mk | 11 +++++++++++ selinux/device.te | 3 +++ selinux/domain.te | 8 ++++++++ selinux/file.te | 2 ++ selinux/file_contexts | 37 +++++++++++++++++++++++++++++++++++++ selinux/rild.te | 10 ++++++++++ 6 files changed, 71 insertions(+) create mode 100644 selinux/device.te create mode 100644 selinux/domain.te create mode 100644 selinux/file.te create mode 100644 selinux/file_contexts create mode 100644 selinux/rild.te diff --git a/BoardCommonConfig.mk b/BoardCommonConfig.mk index f0d99bf..4e797d1 100644 --- a/BoardCommonConfig.mk +++ b/BoardCommonConfig.mk @@ -137,6 +137,17 @@ BOARD_VOLD_EMMC_SHARES_DEV_MAJOR := true BOARD_VOLD_DISC_HAS_MULTIPLE_MAJORS := true TARGET_USE_CUSTOM_LUN_FILE_PATH := "/sys/devices/platform/s3c-usbgadget/gadget/lun%d/file" +# Selinux +BOARD_SEPOLICY_DIRS := \ + device/samsung/galaxys2-common/selinux + +BOARD_SEPOLICY_UNION := \ + device.te \ + domain.te \ + file.te \ + file_contexts \ + rild.te + # Recovery BOARD_CUSTOM_RECOVERY_KEYMAPPING := ../../device/samsung/galaxys2-common/recovery/recovery_keys.c BOARD_CUSTOM_GRAPHICS := ../../../device/samsung/galaxys2-common/recovery/graphics.c diff --git a/selinux/device.te b/selinux/device.te new file mode 100644 index 0000000..cca8ee1 --- /dev/null +++ b/selinux/device.te @@ -0,0 +1,3 @@ +type mali_device, dev_type, mlstrustedobject; +type rfkill_device, dev_type; +type efs_block_device, dev_type; diff --git a/selinux/domain.te b/selinux/domain.te new file mode 100644 index 0000000..24e0951 --- /dev/null +++ b/selinux/domain.te 
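Review bot: In BoardCommonConfig.mk, `BOARD_SEPOLICY_DIRS := \` and `BOARD_SEPOLICY_UNION := \` assign rather than append, so any policy directory or file list set before this common file is included is silently discarded. A discarded policy directory means rules that were meant to be enforced are simply not built into the image, and nothing fails at build time to say so. I would write both as `BOARD_SEPOLICY_DIRS += \` and `BOARD_SEPOLICY_UNION += \`. Whether anything sets these variables earlier is not visible from this patch.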
@@ -0,0 +1,8 @@
+## /dev/mali, /dev/ump
+allow domain mali_device:chr_file rw_file_perms;
+
+## /dev/rfkill for wpa_supp
+allow wpa rfkill_device:chr_file rw_file_perms;
+
+## Firmwares
+allow ueventd { firmware_mfc }:file r_file_perms;
diff --git a/selinux/file.te b/selinux/file.te
new file mode 100644
index 0000000..51cf771
--- /dev/null
+++ b/selinux/file.te
@@ -0,0 +1,2 @@
+type radio_efs_file, fs_type;
+type firmware_mfc, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
new file mode 100644
index 0000000..36fb414
--- /dev/null
+++ b/selinux/file_contexts
@@ -0,0 +1,37 @@
+# GFX
+/dev/mali u:object_r:mali_device:s0
+/dev/ump u:object_r:mali_device:s0
+/dev/fimg2d u:object_r:mali_device:s0
+
+# NFC
+/dev/pn544 u:object_r:nfc_device:s0
+
+# RIL
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+
+/dev/block/mmcblk0p7 u:object_r:efs_block_device:s0
+
+/efs/imei/mps_code.dat u:object_r:radio_data_file:s0
+/efs/nv_data.bin u:object_r:radio_data_file:s0
+/efs/nv_data.bin.md5 u:object_r:radio_data_file:s0
+/efs/upgaddr u:object_r:efs_file:s0
+
+# Bluetooth
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+
+# GPS
+/dev/ttySAC1 u:object_r:gps_device:s0
+
+# Sensors
+/dev/akm8963 u:object_r:sensors_device:s0
+
+# for wpa_supp
+/dev/rfkill u:object_r:rfkill_device:s0
+
+# Firmwares
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
diff --git a/selinux/rild.te b/selinux/rild.te
new file mode 100644
index 0000000..5711ef0
--- /dev/null
+++ b/selinux/rild.te
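Review bot: In selinux/domain.te, `allow domain mali_device:chr_file rw_file_perms;` gives every domain on the device, including the least trusted ones, read, write and ioctl access to the GPU driver nodes. The file_contexts hunk places /dev/ump and /dev/fimg2d under the same type and device.te marks it `mlstrustedobject`, so MLS separation does not narrow the grant either. I would scope the rule to the domains that actually use these drivers, for example `allow { appdomain surfaceflinger mediaserver } mali_device:chr_file rw_file_perms;` adjusted against observed denials, or reuse the base policy's GPU device type for these nodes if it has one. If domain-wide access is kept, the `## /dev/mali, /dev/ump` comment should also name /dev/fimg2d and say why every domain needs it.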
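Review bot: In selinux/file.te, `type radio_efs_file, fs_type;` is never referenced by the file_contexts or rild.te hunks of this patch, and `fs_type` is the attribute for filesystem types rather than for files on disk. A file labelled with it would miss the rules the base policy writes against `file_type`, which makes later denials hard to explain. Either drop the line, or declare it as `type radio_efs_file, file_type, data_file_type;` and label the radio files under /efs with it instead of reusing `radio_data_file`.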
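Review bot: In selinux/file_contexts, the path column is a regular expression, so the unescaped dots in `/efs/imei/mps_code.dat`, `/efs/nv_data.bin`, `/efs/nv_data.bin.md5` and `/system/vendor/firmware/mfc_fw.bin` match any character. Writing them as `/efs/nv_data\.bin`, `/efs/nv_data\.bin\.md5` and so on keeps the radio and firmware labels on the intended files only. `/dev/block/mmcblk0p7` ties the `efs_block_device` label to a partition number in a tree shared by several devices, so a comment such as `# EFS partition (verify the number per variant)` above it would make a wrong label easier to catch. The labels under /efs only take effect once that filesystem is relabelled, which this patch does not show.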
@@ -0,0 +1,10 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create bind read write };
+
+allow rild radio_device:chr_file rw_file_perms;
+
+allow rild efs_block_device:blk_file rw_file_perms;
+
+allow rild radio_data_file:file { read open write setattr };
+allow rild efs_file:file { read open write getattr };
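Review bot: In selinux/rild.te, `allow rild efs_block_device:blk_file rw_file_perms;` lets rild read and write the raw EFS partition, which bypasses the per-file labels that file_contexts sets under /efs (including the Bluetooth data and `efs_file` entries). That leaves whatever is stored on that partition only as protected as rild itself. Unless a logged denial shows that rild opens the block node directly, I would drop this rule and rely on the file-level rules below it; if it is needed, a comment naming the operation that requires it belongs on the line. The last two rules are also uneven: `radio_data_file` gets `setattr` but not `getattr` and `efs_file` the reverse, and the generic `netlink_socket` grant is broader than the two specific netlink classes beside it, so each deserves a one-line comment tying it to the denial it resolves.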