galaxys2-common: Marshmallow SELinux support
This was made from scratch, for a general cleanup of unused policies and update to M guidelines Change-Id: Id4acda2b384d28b5ca51b3ef0f6e93b648c8e79d
This commit is contained in:
Caio Schnepper
parent
8bb93abd28
commit
53789b340c
|
|
@ -224,8 +224,6 @@ on post-fs-data
|
|||
chmod 0660 /sys/class/rfkill/rfkill0/state
|
||||
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
|
||||
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
|
||||
restorecon /sys/class/rfkill/rfkill0/state
|
||||
restorecon /sys/class/rfkill/rfkill0/type
|
||||
|
||||
# Vibetonz
|
||||
chmod 0660 /dev/tspdrv
|
||||
|
|
@ -239,7 +237,6 @@ on post-fs-data
|
|||
chown system media_rw /sys/class/lcd/panel/gamma_mode
|
||||
chown system media_rw /sys/class/lcd/panel/power_reduce
|
||||
chown system system /sys/class/backlight/panel/auto_brightness
|
||||
restorecon /sys/class/lcd/panel/power_reduce
|
||||
|
||||
# Permissions for mDNIe
|
||||
chown system media_rw /sys/class/mdnie/mdnie/mode
|
||||
|
|
@ -248,9 +245,6 @@ on post-fs-data
|
|||
chown system media_rw /sys/class/mdnie/mdnie/negative
|
||||
write /sys/class/mdnie/mdnie/scenario 0
|
||||
write /sys/class/mdnie/mdnie/mode 1
|
||||
restorecon /sys/class/mdnie/mdnie/scenario
|
||||
restorecon /sys/class/mdnie/mdnie/mode
|
||||
restorecon /sys/class/mdnie/mdnie/negative
|
||||
|
||||
# Permissions for uart_sel and usb_sel
|
||||
chown system radio /sys/class/sec/switch/uart_sel/value
|
||||
|
|
@ -332,6 +326,7 @@ service cpboot-daemon /sbin/cbd -d -p 8
|
|||
class main
|
||||
user root
|
||||
group radio cache inet misc audio sdcard_rw log sdcard_r
|
||||
seclabel u:r:cpboot-daemon:s0
|
||||
|
||||
service mdnsd /system/bin/mdnsd
|
||||
class main
|
||||
|
|
|
|||
|
|
@ -0,0 +1,23 @@
|
|||
type cpboot-daemon, domain;
|
||||
|
||||
permissive cpboot-daemon;
|
||||
|
||||
allow cpboot-daemon cgroup:dir { create add_name };
|
||||
allow cpboot-daemon device:dir { write remove_name add_name };
|
||||
allow cpboot-daemon efs_block_device:blk_file { read open };
|
||||
allow cpboot-daemon efs_device_file:dir search;
|
||||
allow cpboot-daemon efs_file:file { read write open };
|
||||
allow cpboot-daemon init:unix_stream_socket connectto;
|
||||
allow cpboot-daemon log_device:chr_file { write open };
|
||||
allow cpboot-daemon log_device:dir search;
|
||||
allow cpboot-daemon property_socket:sock_file write;
|
||||
allow cpboot-daemon radio_device:chr_file { read write ioctl open };
|
||||
allow cpboot-daemon radio_prop:property_service set;
|
||||
allow cpboot-daemon self:capability { setuid };
|
||||
allow cpboot-daemon sysfs_radio:file { read write open };
|
||||
allow cpboot-daemon usbfs:dir search;
|
||||
|
||||
|
||||
# FIX ME
|
||||
# allow cpboot-daemon usbfs:filesystem mount;
|
||||
# allow cpboot-daemon self:capability { mknod };
|
||||
|
|
@ -0,0 +1 @@
|
|||
allow debuggerd gpu_device:chr_file { read getattr open };
|
||||
|
|
@ -1,4 +1,3 @@
|
|||
type mali_device, dev_type, mlstrustedobject;
|
||||
type rfkill_device, dev_type;
|
||||
type efs_block_device, dev_type;
|
||||
type mfc_device, dev_type;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
## Firmwares
|
||||
allow ueventd { firmware_mfc }:file r_file_perms;
|
||||
|
||||
## /dev/mali, /dev/ump
|
||||
allow domain mali_device:chr_file rw_file_perms;
|
||||
## 32bit personality requests
|
||||
dontaudit domain kernel:system module_request;
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
allow drmserver sdcard_external:file open;
|
||||
allow drmserver self:process execmem;
|
||||
|
|
@ -1 +0,0 @@
|
|||
unix_socket_connect(dumpstate, dumpstate, init);
|
||||
|
|
@ -1,4 +1,5 @@
|
|||
type radio_efs_file, fs_type;
|
||||
type firmware_mfc, file_type;
|
||||
type sysfs_display, fs_type, sysfs_type;
|
||||
type efs_device_file, file_type;
|
||||
type sysfs_display, fs_type, sysfs_type;
|
||||
type sysfs_radio, fs_type, sysfs_type;
|
||||
type radio_data, file_type;
|
||||
|
|
|
|||
|
|
@ -1,41 +1,54 @@
|
|||
# GFX
|
||||
/dev/mali u:object_r:mali_device:s0
|
||||
/dev/ump u:object_r:mali_device:s0
|
||||
/dev/fimg2d u:object_r:mali_device:s0
|
||||
/dev/mali u:object_r:gpu_device:s0
|
||||
/dev/ump u:object_r:gpu_device:s0
|
||||
/dev/fimg2d u:object_r:gpu_device:s0
|
||||
|
||||
# RIL
|
||||
/dev/umts_boot0 u:object_r:radio_device:s0
|
||||
/dev/umts_boot1 u:object_r:radio_device:s0
|
||||
/dev/umts_ipc0 u:object_r:radio_device:s0
|
||||
/dev/umts_ramdump0 u:object_r:radio_device:s0
|
||||
/dev/umts_rfs0 u:object_r:radio_device:s0
|
||||
/dev/link_pm u:object_r:radio_device:s0
|
||||
/dev/umts_boot0 u:object_r:radio_device:s0
|
||||
/dev/umts_boot1 u:object_r:radio_device:s0
|
||||
/dev/umts_ipc0 u:object_r:radio_device:s0
|
||||
/dev/umts_ramdump0 u:object_r:radio_device:s0
|
||||
/dev/umts_rfs0 u:object_r:radio_device:s0
|
||||
/data/misc/radio(/.*)? u:object_r:radio_data:s0
|
||||
/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
|
||||
|
||||
/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
|
||||
/efs u:object_r:efs_device_file:s0
|
||||
# Block labeling
|
||||
/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
|
||||
/dev/block/mmcblk0p7 u:object_r:cache_block_device:s0
|
||||
/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
|
||||
/dev/block/mmcblk0p9 u:object_r:system_block_device:s0
|
||||
/dev/block/mmcblk0p10 u:object_r:userdata_block_device:s0
|
||||
/dev/block/zram0 u:object_r:swap_block_device:s0
|
||||
/efs u:object_r:efs_device_file:s0
|
||||
|
||||
# Camera
|
||||
/dev/s3c-mfc u:object_r:mfc_device:s0
|
||||
/dev/s5p-jpeg u:object_r:video_device:s0
|
||||
/dev/s3c-mfc u:object_r:mfc_device:s0
|
||||
/dev/s5p-jpeg u:object_r:video_device:s0
|
||||
|
||||
# Bluetooth
|
||||
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
|
||||
/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
|
||||
/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
||||
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
|
||||
/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
|
||||
/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
||||
|
||||
# GPS
|
||||
/dev/ttySAC1 u:object_r:gps_device:s0
|
||||
/dev/ttySAC1 u:object_r:gps_device:s0
|
||||
|
||||
# Sensors
|
||||
/dev/akm8975 u:object_r:sensors_device:s0
|
||||
/dev/akm8975 u:object_r:sensors_device:s0
|
||||
|
||||
# for wpa_supp
|
||||
/dev/rfkill u:object_r:rfkill_device:s0
|
||||
# WiFi
|
||||
/dev/rfkill u:object_r:rfkill_device:s0
|
||||
/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
|
||||
|
||||
# Firmwares
|
||||
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
|
||||
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
|
||||
|
||||
|
||||
# Display
|
||||
/sys/class/lcd/panel/power_reduce u:object_r:sysfs_display:s0
|
||||
/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
|
||||
/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
|
||||
/sys/class/mdnie/mdnie/negative u:object_r:sysfs_display:s0
|
||||
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
|
||||
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/mode u:object_r:sysfs_display:s0
|
||||
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/negative u:object_r:sysfs_display:s0
|
||||
|
||||
# Executables
|
||||
/system/bin/macloader u:object_r:macloader_exec:s0
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
allow fsck efs_block_device:blk_file { read write getattr open ioctl };
|
||||
|
|
@ -1 +1,4 @@
|
|||
allow init self:capability sys_module;
|
||||
allow init tmpfs:lnk_file create;
|
||||
allow init rild:process noatsecure;
|
||||
domain_trans(init, rootfs, cpboot-daemon)
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
allow kernel block_device:blk_file write;
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
type macloader, domain;
|
||||
type macloader_exec, exec_type, file_type;
|
||||
init_daemon_domain(macloader);
|
||||
|
||||
allow macloader efs_file:dir search;
|
||||
allow macloader efs_device_file:dir search;
|
||||
allow macloader wifi_data_file:file { read getattr open };
|
||||
|
|
@ -1,2 +1,2 @@
|
|||
allow mediaserver system_file:file execmod;
|
||||
allow mediaserver mfc_device:chr_file rw_file_perms;
|
||||
allow mediaserver video_device:chr_file rw_file_perms;
|
||||
|
|
|
|||
|
|
@ -1,17 +1,5 @@
|
|||
allow rild self:netlink_socket { create bind read write };
|
||||
allow rild self:netlink_route_socket { write };
|
||||
allow rild self:netlink_kobject_uevent_socket { create bind read write };
|
||||
allow rild self:process execmem;
|
||||
|
||||
allow rild radio_device:chr_file rw_file_perms;
|
||||
allow rild efs_block_device:blk_file rw_file_perms;
|
||||
allow rild efs_file:file { read open write setattr };
|
||||
allow rild radio_data_file:dir setattr;
|
||||
allow rild block_device:dir search;
|
||||
allow rild efs_device_file:dir { search write };
|
||||
allow rild efs_device_file:file { read write append getattr open setattr };
|
||||
allow rild system_data_file:dir { write add_name };
|
||||
allow rild system_data_file:file { write create setattr };
|
||||
|
||||
allow rild dumpstate_exec:file { read open getattr execute };
|
||||
unix_socket_connect(rild, dumpstate, dumpstate)
|
||||
allow rild radio_data:dir { search write remove_name getattr add_name setattr };
|
||||
allow rild radio_data:file { write getattr setattr read create unlink open };
|
||||
allow rild system_file:file execmod;
|
||||
allow rild efs_block_device:blk_file read;
|
||||
allow rild efs_device_file:dir search;
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
allow system_app sysfs_display:file { getattr open read write };
|
||||
allow system_app sysfs_display:file { write getattr open };
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
allow system_server uhid_device:chr_file { read write ioctl open };
|
||||
allow system_server sysfs_display:file { read write getattr open };
|
||||
allow system_server efs_file:dir { search };
|
||||
allow system_server efs_file:file { read open write };
|
||||
allow system_server efs_file:dir search;
|
||||
allow system_server efs_file:file { read open };
|
||||
allow system_server efs_device_file:dir search;
|
||||
allow system_server fuse:dir search;
|
||||
allow system_server self:capability sys_module;
|
||||
allow system_server system_file:file execmod;
|
||||
allow system_server uhid_device:chr_file { read write ioctl open };
|
||||
allow system_server recovery_cache_file:dir rmdir;
|
||||
allow system_server dex2oat_exec:file { read open execute};
|
||||
allow system_server radio_data:dir search;
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
allow ueventd sdcard_external:dir search;
|
||||
allow ueventd sdcard_external:file r_file_perms;
|
||||
|
|
@ -1,3 +1,2 @@
|
|||
allow vold sdcard_external:file rw_file_perms;
|
||||
allow vold efs_device_file:dir rw_dir_perms;
|
||||
allow vold efs_device_file:file rw_file_perms;
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
allow wpa rfkill_device:chr_file rw_file_perms;
|
||||
Loading…
Reference in New Issue