galaxys2-common: Marshmallow SELinux support

This was made from scratch, for a general cleanup of unused policies
and update to M guidelines

Change-Id: Id4acda2b384d28b5ca51b3ef0f6e93b648c8e79d

rootdir/init.smdk4210.rc

@@ -224,8 +224,6 @@ on post-fs-data
     chmod 0660 /sys/class/rfkill/rfkill0/state
     chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
     chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
-    restorecon /sys/class/rfkill/rfkill0/state
-    restorecon /sys/class/rfkill/rfkill0/type
 
 # Vibetonz
     chmod 0660 /dev/tspdrv
@@ -239,7 +237,6 @@ on post-fs-data
     chown system media_rw /sys/class/lcd/panel/gamma_mode
     chown system media_rw /sys/class/lcd/panel/power_reduce
     chown system system /sys/class/backlight/panel/auto_brightness
-    restorecon /sys/class/lcd/panel/power_reduce
 
 # Permissions for mDNIe
     chown system media_rw /sys/class/mdnie/mdnie/mode
@@ -248,9 +245,6 @@ on post-fs-data
     chown system media_rw /sys/class/mdnie/mdnie/negative
     write /sys/class/mdnie/mdnie/scenario 0
     write /sys/class/mdnie/mdnie/mode 1
-    restorecon /sys/class/mdnie/mdnie/scenario
-    restorecon /sys/class/mdnie/mdnie/mode
-    restorecon /sys/class/mdnie/mdnie/negative
 
 # Permissions for uart_sel and usb_sel
     chown system radio /sys/class/sec/switch/uart_sel/value
@@ -332,6 +326,7 @@ service cpboot-daemon /sbin/cbd -d -p 8
     class main
     user root
     group radio cache inet misc audio sdcard_rw log sdcard_r
+    seclabel u:r:cpboot-daemon:s0
 
 service mdnsd /system/bin/mdnsd
     class main

selinux/cpboot-daemon.te

@@ -0,0 +1,23 @@
+type cpboot-daemon, domain;
+
+permissive cpboot-daemon;
+
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write remove_name add_name };
+allow cpboot-daemon efs_block_device:blk_file { read open };
+allow cpboot-daemon efs_device_file:dir search;
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon log_device:chr_file { write open };
+allow cpboot-daemon log_device:dir search;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid };
+allow cpboot-daemon sysfs_radio:file { read write open };
+allow cpboot-daemon usbfs:dir search;
+
+
+# FIX ME
+# allow cpboot-daemon usbfs:filesystem mount;
+# allow cpboot-daemon self:capability { mknod };

selinux/debuggerd.te

@@ -0,0 +1 @@
+allow debuggerd gpu_device:chr_file { read getattr open };

selinux/device.te

@@ -1,4 +1,3 @@
-type mali_device, dev_type, mlstrustedobject;
 type rfkill_device, dev_type;
 type efs_block_device, dev_type;
 type mfc_device, dev_type;

selinux/domain.te

@@ -1,5 +1,5 @@
 ## Firmwares
 allow ueventd { firmware_mfc }:file r_file_perms;
 
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
+## 32bit personality requests
+dontaudit domain kernel:system module_request;

selinux/drmserver.te

@@ -1,2 +0,0 @@
-allow drmserver sdcard_external:file open;
-allow drmserver self:process execmem;

selinux/dumpstate.te

@@ -1 +0,0 @@
-unix_socket_connect(dumpstate, dumpstate, init);

selinux/file.te

@@ -1,4 +1,5 @@
-type radio_efs_file, fs_type;
 type firmware_mfc, file_type;
-type sysfs_display, fs_type, sysfs_type;
 type efs_device_file, file_type;
+type sysfs_display, fs_type, sysfs_type;
+type sysfs_radio, fs_type, sysfs_type;
+type radio_data, file_type;

selinux/file_contexts

@@ -1,41 +1,54 @@
 # GFX
-/dev/mali                               u:object_r:mali_device:s0
-/dev/ump                                u:object_r:mali_device:s0
-/dev/fimg2d                             u:object_r:mali_device:s0
+/dev/mali                                                        u:object_r:gpu_device:s0
+/dev/ump                                                         u:object_r:gpu_device:s0
+/dev/fimg2d                                                      u:object_r:gpu_device:s0
 
 # RIL
-/dev/umts_boot0                         u:object_r:radio_device:s0
-/dev/umts_boot1                         u:object_r:radio_device:s0
-/dev/umts_ipc0                          u:object_r:radio_device:s0
-/dev/umts_ramdump0                      u:object_r:radio_device:s0
-/dev/umts_rfs0                          u:object_r:radio_device:s0
+/dev/link_pm                                                     u:object_r:radio_device:s0
+/dev/umts_boot0                                                  u:object_r:radio_device:s0
+/dev/umts_boot1                                                  u:object_r:radio_device:s0
+/dev/umts_ipc0                                                   u:object_r:radio_device:s0
+/dev/umts_ramdump0                                               u:object_r:radio_device:s0
+/dev/umts_rfs0                                                   u:object_r:radio_device:s0
+/data/misc/radio(/.*)?                                           u:object_r:radio_data:s0
+/sys/devices/platform/s5p-ehci/ehci_power                        u:object_r:sysfs_radio:s0
 
-/dev/block/mmcblk0p8                    u:object_r:efs_block_device:s0
-/efs                                    u:object_r:efs_device_file:s0
+# Block labeling
+/dev/block/mmcblk0p1                                             u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p7                                             u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p8                                             u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p9                                             u:object_r:system_block_device:s0
+/dev/block/mmcblk0p10                                            u:object_r:userdata_block_device:s0
+/dev/block/zram0                                                 u:object_r:swap_block_device:s0
+/efs                                                             u:object_r:efs_device_file:s0
 
 # Camera
-/dev/s3c-mfc                            u:object_r:mfc_device:s0
-/dev/s5p-jpeg                           u:object_r:video_device:s0
+/dev/s3c-mfc                                                     u:object_r:mfc_device:s0
+/dev/s5p-jpeg                                                    u:object_r:video_device:s0
 
 # Bluetooth
-/dev/ttySAC0                            u:object_r:hci_attach_dev:s0
-/efs/bluetooth/bt_addr                  u:object_r:bluetooth_data_file:s0
-/sys/class/rfkill/rfkill0/state         u:object_r:sysfs_bluetooth_writable:s0
+/dev/ttySAC0                                                     u:object_r:hci_attach_dev:s0
+/efs/bluetooth/bt_addr                                           u:object_r:bluetooth_data_file:s0
+/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state     u:object_r:sysfs_bluetooth_writable:s0
 
 # GPS
-/dev/ttySAC1                            u:object_r:gps_device:s0
+/dev/ttySAC1                                                     u:object_r:gps_device:s0
 
 # Sensors
-/dev/akm8975                            u:object_r:sensors_device:s0
+/dev/akm8975                                                     u:object_r:sensors_device:s0
 
-# for wpa_supp
-/dev/rfkill                             u:object_r:rfkill_device:s0
+# WiFi
+/dev/rfkill                                                      u:object_r:rfkill_device:s0
+/efs/wifi/.mac.info                                              u:object_r:wifi_data_file:s0
 
 # Firmwares
-/system/vendor/firmware/mfc_fw.bin      u:object_r:firmware_mfc:s0
+/system/vendor/firmware/mfc_fw.bin                               u:object_r:firmware_mfc:s0
+
 
 # Display
-/sys/class/lcd/panel/power_reduce       u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/scenario         u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/mode             u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/negative         u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/scenario    u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/mode        u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/negative    u:object_r:sysfs_display:s0
+
+# Executables
+/system/bin/macloader                                            u:object_r:macloader_exec:s0

selinux/fsck.te

@@ -0,0 +1 @@
+allow fsck efs_block_device:blk_file { read write getattr open ioctl };

selinux/init.te

@@ -1 +1,4 @@
 allow init self:capability sys_module;
+allow init tmpfs:lnk_file create;
+allow init rild:process noatsecure;
+domain_trans(init, rootfs, cpboot-daemon)

selinux/kernel.te

@@ -1 +0,0 @@
-allow kernel block_device:blk_file write;

selinux/macloader.te

@@ -0,0 +1,7 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader);
+
+allow macloader efs_file:dir search;
+allow macloader efs_device_file:dir search;
+allow macloader wifi_data_file:file { read getattr open };

selinux/mediaserver.te

@@ -1,2 +1,2 @@
+allow mediaserver system_file:file execmod;
 allow mediaserver mfc_device:chr_file rw_file_perms;
-allow mediaserver video_device:chr_file rw_file_perms;

selinux/rild.te

@@ -1,17 +1,5 @@
-allow rild self:netlink_socket { create bind read write };
-allow rild self:netlink_route_socket { write };
-allow rild self:netlink_kobject_uevent_socket { create bind read write };
-allow rild self:process execmem;
-
-allow rild radio_device:chr_file rw_file_perms;
-allow rild efs_block_device:blk_file rw_file_perms;
-allow rild efs_file:file { read open write setattr };
-allow rild radio_data_file:dir setattr;
-allow rild block_device:dir search;
-allow rild efs_device_file:dir { search write };
-allow rild efs_device_file:file { read write append getattr open setattr };
-allow rild system_data_file:dir { write add_name };
-allow rild system_data_file:file { write create setattr };
-
-allow rild dumpstate_exec:file { read open getattr execute };
-unix_socket_connect(rild, dumpstate, dumpstate)
+allow rild radio_data:dir { search write remove_name getattr add_name setattr };
+allow rild radio_data:file { write getattr setattr read create unlink open };
+allow rild system_file:file execmod;
+allow rild efs_block_device:blk_file read;
+allow rild efs_device_file:dir search;

selinux/system_app.te

@@ -1 +1 @@
-allow system_app sysfs_display:file { getattr open read write };
+allow system_app sysfs_display:file { write getattr open };

selinux/system_server.te

@@ -1,6 +1,9 @@
-allow system_server uhid_device:chr_file { read write ioctl open };
-allow system_server sysfs_display:file { read write getattr open };
-allow system_server efs_file:dir { search };
-allow system_server efs_file:file { read open write };
+allow system_server efs_file:dir search;
+allow system_server efs_file:file { read open };
 allow system_server efs_device_file:dir search;
-allow system_server fuse:dir search;
+allow system_server self:capability sys_module;
+allow system_server system_file:file execmod;
+allow system_server uhid_device:chr_file { read write ioctl open };
+allow system_server recovery_cache_file:dir rmdir;
+allow system_server dex2oat_exec:file { read open execute};
+allow system_server radio_data:dir search;

selinux/ueventd.te

@@ -1,2 +0,0 @@
-allow ueventd sdcard_external:dir search;
-allow ueventd sdcard_external:file r_file_perms;

selinux/vold.te

@@ -1,3 +1,2 @@
-allow vold sdcard_external:file rw_file_perms;
 allow vold efs_device_file:dir rw_dir_perms;
 allow vold efs_device_file:file rw_file_perms;

selinux/wpa.te

@@ -0,0 +1 @@
+allow wpa rfkill_device:chr_file rw_file_perms;