galaxys2: add selinux policies

Change-Id: I52a914da94f5c331b4928cb2e79d8fa5a0c0c41c
2013-08-11 16:23:09 +02:00 · 2013-08-11 16:23:09 +02:00 · 2798599884
commit 2798599884
parent 7c04adc7ab
6 changed files with 71 additions and 0 deletions
--- a/BoardCommonConfig.mk
+++ b/BoardCommonConfig.mk
@ -137,6 +137,17 @@ BOARD_VOLD_EMMC_SHARES_DEV_MAJOR := true
 BOARD_VOLD_DISC_HAS_MULTIPLE_MAJORS := true
 TARGET_USE_CUSTOM_LUN_FILE_PATH := "/sys/devices/platform/s3c-usbgadget/gadget/lun%d/file"

+# Selinux
+BOARD_SEPOLICY_DIRS := \
+    device/samsung/galaxys2-common/selinux
+
+BOARD_SEPOLICY_UNION := \
+    device.te \
+    domain.te \
+    file.te \
+    file_contexts \
+    rild.te
+
 # Recovery
 BOARD_CUSTOM_RECOVERY_KEYMAPPING := ../../device/samsung/galaxys2-common/recovery/recovery_keys.c
 BOARD_CUSTOM_GRAPHICS := ../../../device/samsung/galaxys2-common/recovery/graphics.c
--- a/selinux/device.te
+++ b/selinux/device.te
@ -0,0 +1,3 @@
+type mali_device, dev_type, mlstrustedobject;
+type rfkill_device, dev_type;
+type efs_block_device, dev_type;
--- a/selinux/domain.te
+++ b/selinux/domain.te
@ -0,0 +1,8 @@
+## /dev/mali, /dev/ump
+allow domain mali_device:chr_file rw_file_perms;
+
+## /dev/rfkill for wpa_supp
+allow wpa rfkill_device:chr_file rw_file_perms;
+
+## Firmwares
+allow ueventd { firmware_mfc }:file r_file_perms;
--- a/selinux/file.te
+++ b/selinux/file.te
@ -0,0 +1,2 @@
+type radio_efs_file, fs_type;
+type firmware_mfc, file_type;
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@ -0,0 +1,37 @@
+# GFX
+/dev/mali                               u:object_r:mali_device:s0
+/dev/ump                                u:object_r:mali_device:s0
+/dev/fimg2d                             u:object_r:mali_device:s0
+
+# NFC
+/dev/pn544                              u:object_r:nfc_device:s0
+
+# RIL
+/dev/umts_boot0                         u:object_r:radio_device:s0
+/dev/umts_boot1                         u:object_r:radio_device:s0
+/dev/umts_ipc0                          u:object_r:radio_device:s0
+/dev/umts_ramdump0                      u:object_r:radio_device:s0
+/dev/umts_rfs0                          u:object_r:radio_device:s0
+
+/dev/block/mmcblk0p7                    u:object_r:efs_block_device:s0
+
+/efs/imei/mps_code.dat                  u:object_r:radio_data_file:s0
+/efs/nv_data.bin                        u:object_r:radio_data_file:s0
+/efs/nv_data.bin.md5                    u:object_r:radio_data_file:s0
+/efs/upgaddr                            u:object_r:efs_file:s0
+
+# Bluetooth
+/dev/ttySAC0                            u:object_r:hci_attach_dev:s0
+/efs/bluetooth(/.*)?                    u:object_r:bluetooth_data_file:s0
+
+# GPS
+/dev/ttySAC1                            u:object_r:gps_device:s0
+
+# Sensors
+/dev/akm8963                            u:object_r:sensors_device:s0
+
+# for wpa_supp
+/dev/rfkill                             u:object_r:rfkill_device:s0
+
+# Firmwares
+/system/vendor/firmware/mfc_fw.bin      u:object_r:firmware_mfc:s0
--- a/selinux/rild.te
+++ b/selinux/rild.te
@ -0,0 +1,10 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create bind read write };
+
+allow rild radio_device:chr_file rw_file_perms;
+
+allow rild efs_block_device:blk_file rw_file_perms;
+
+allow rild radio_data_file:file { read open write setattr };
+allow rild efs_file:file { read open write getattr };