From 53789b340ccf8ed0208306067c4a55a72a898246 Mon Sep 17 00:00:00 2001 From: Caio Schnepper Date: Thu, 12 Nov 2015 19:12:06 -0200 Subject: [PATCH] galaxys2-common: Marshmallow SELinux support This was made from scratch, for a general cleanup of unused policies and update to M guidelines Change-Id: Id4acda2b384d28b5ca51b3ef0f6e93b648c8e79d
---
 rootdir/init.smdk4210.rc | 7 +---- selinux/cpboot-daemon.te | 23 +++++++++++++++ selinux/debuggerd.te | 1 + selinux/device.te | 1 - selinux/domain.te | 4 +-- selinux/drmserver.te | 2 -- selinux/dumpstate.te | 1 - selinux/file.te | 5 ++-- selinux/file_contexts | 61 ++++++++++++++++++++++++---------------- selinux/fsck.te | 1 + selinux/init.te | 3 ++ selinux/kernel.te | 1 - selinux/macloader.te | 7 +++++ selinux/mediaserver.te | 2 +- selinux/rild.te | 22 ++++----------- selinux/system_app.te | 2 +- selinux/system_server.te | 13 +++++---- selinux/ueventd.te | 2 -- selinux/vold.te | 1 - selinux/wpa.te | 1 + 20 files changed, 94 insertions(+), 66 deletions(-) create mode 100644 selinux/cpboot-daemon.te create mode 100644 selinux/debuggerd.te delete mode 100644 selinux/drmserver.te delete mode 100644 selinux/dumpstate.te create mode 100644 selinux/fsck.te delete mode 100644 selinux/kernel.te create mode 100644 selinux/macloader.te delete mode 100644 selinux/ueventd.te create mode 100644 selinux/wpa.te
diff --git a/rootdir/init.smdk4210.rc b/rootdir/init.smdk4210.rc
index b857b01..dca0eec 100644
--- a/rootdir/init.smdk4210.rc
+++ b/rootdir/init.smdk4210.rc
@@ -224,8 +224,6 @@ on post-fs-data
 chmod 0660 /sys/class/rfkill/rfkill0/state
 chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
 chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
- restorecon /sys/class/rfkill/rfkill0/state
- restorecon /sys/class/rfkill/rfkill0/type
 # Vibetonz
 chmod 0660 /dev/tspdrv
@@ -239,7 +237,6 @@ on post-fs-data
 chown system media_rw /sys/class/lcd/panel/gamma_mode
 chown system media_rw /sys/class/lcd/panel/power_reduce
 chown system system /sys/class/backlight/panel/auto_brightness
- restorecon /sys/class/lcd/panel/power_reduce
 # Permissions for mDNIe
 chown system media_rw /sys/class/mdnie/mdnie/mode
@@ -248,9 +245,6 @@ on post-fs-data
 chown system media_rw /sys/class/mdnie/mdnie/negative
 write /sys/class/mdnie/mdnie/scenario 0
 write /sys/class/mdnie/mdnie/mode 1
- restorecon /sys/class/mdnie/mdnie/scenario
- restorecon /sys/class/mdnie/mdnie/mode
- restorecon /sys/class/mdnie/mdnie/negative
 # Permissions for uart_sel and usb_sel
 chown system radio /sys/class/sec/switch/uart_sel/value
@@ -332,6 +326,7 @@ service cpboot-daemon /sbin/cbd -d -p 8
 class main
 user root
 group radio cache inet misc audio sdcard_rw log sdcard_r
+ seclabel u:r:cpboot-daemon:s0
 service mdnsd /system/bin/mdnsd
 class main
diff --git a/selinux/cpboot-daemon.te b/selinux/cpboot-daemon.te
new file mode 100644
index 0000000..ef49102
--- /dev/null
+++ b/selinux/cpboot-daemon.te
@@ -0,0 +1,23 @@
+type cpboot-daemon, domain;
+
+permissive cpboot-daemon;
+
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write remove_name add_name };
+allow cpboot-daemon efs_block_device:blk_file { read open };
+allow cpboot-daemon efs_device_file:dir search;
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon log_device:chr_file { write open };
+allow cpboot-daemon log_device:dir search;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid };
+allow cpboot-daemon sysfs_radio:file { read write open };
+allow cpboot-daemon usbfs:dir search;
+
+
+# FIX ME
+# allow cpboot-daemon usbfs:filesystem mount;
+# allow cpboot-daemon self:capability { mknod };
diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te
new file mode 100644
index 0000000..0cf27d7
--- /dev/null
+++ b/selinux/debuggerd.te
@@ -0,0 +1 @@
+allow debuggerd gpu_device:chr_file { read getattr open };
diff --git a/selinux/device.te b/selinux/device.te
index a12b98c..a94df2c 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,4 +1,3 @@
-type mali_device, dev_type, mlstrustedobject;
 type rfkill_device, dev_type;
 type efs_block_device, dev_type;
 type mfc_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
index fd893cc..2295e64 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,5 +1,5 @@
 ## Firmwares
 allow ueventd { firmware_mfc }:file r_file_perms;
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
+## 32bit personality requests
+dontaudit domain kernel:system module_request;
diff --git a/selinux/drmserver.te b/selinux/drmserver.te
deleted file mode 100644
index fea10e4..0000000
--- a/selinux/drmserver.te
+++ /dev/null
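Review bot: `permissive cpboot-daemon;` at the top of the new file leaves the modem boot daemon, which the rc hunk runs as `user root`, labeled but unconfined, and the AOSP sepolicy build rejects permissive domains in user builds, so this is a bring-up state that should be removed before the policy ships. The `# FIX ME` block names the two rules still missing (`usbfs:filesystem mount`, `self:capability { mknod }`); once those are confirmed from denials, grant them explicitly and drop `permissive`. The three property lines can also be collapsed to the core macro `set_prop(cpboot-daemon, radio_prop)`, which expands to the `init:unix_stream_socket connectto`, `property_socket:sock_file write` and `radio_prop:property_service set` rules written out here.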
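Review bot: `dontaudit domain kernel:system module_request;` suppresses module autoload denials for every domain on the device, so a genuine attempt by some process to pull in a kernel module would no longer appear in the audit log. Since the comment attributes the noise to 32-bit personality requests, narrow the rule to the domains where that denial was actually observed rather than `domain`, and make the comment say what is being hidden, e.g. `## kernel module autoload triggered by personality(2) from 32-bit processes; suppress the noise`.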
@@ -1,2 +0,0 @@
-allow drmserver sdcard_external:file open;
-allow drmserver self:process execmem;
diff --git a/selinux/dumpstate.te b/selinux/dumpstate.te
deleted file mode 100644
index 1eb992e..0000000
--- a/selinux/dumpstate.te
+++ /dev/null
@@ -1 +0,0 @@
-unix_socket_connect(dumpstate, dumpstate, init);
diff --git a/selinux/file.te b/selinux/file.te
index b8c9390..8ae7311 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -1,4 +1,5 @@
-type radio_efs_file, fs_type;
 type firmware_mfc, file_type;
-type sysfs_display, fs_type, sysfs_type;
 type efs_device_file, file_type;
+type sysfs_display, fs_type, sysfs_type;
+type sysfs_radio, fs_type, sysfs_type;
+type radio_data, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 0e01fb0..0b7febc 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
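Review bot: `type radio_data, file_type;` declares a device type for `/data/misc/radio`, a path the core policy already labels `radio_data_file` (the type the removed `allow rild radio_data_file:dir setattr;` line in the rild.te hunk used). Relabeling the directory in the file_contexts hunk to `radio_data` means any core rule written for `radio_data_file` stops applying there, which is presumably why the rild.te and system_server.te hunks re-grant directory and file access one permission at a time. Unless the core label is wrong for this device, drop the new type and the file_contexts entry, keep `radio_data_file`, and add only the rules the core policy does not already carry.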
@@ -1,41 +1,54 @@
 # GFX
-/dev/mali u:object_r:mali_device:s0
-/dev/ump u:object_r:mali_device:s0
-/dev/fimg2d u:object_r:mali_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/fimg2d u:object_r:gpu_device:s0
 # RIL
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_boot1 u:object_r:radio_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ramdump0 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/link_pm u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_boot1 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ramdump0 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/data/misc/radio(/.*)? u:object_r:radio_data:s0
+/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
-/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
-/efs u:object_r:efs_device_file:s0
+# Block labeling
+/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p7 u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p9 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p10 u:object_r:userdata_block_device:s0
+/dev/block/zram0 u:object_r:swap_block_device:s0
+/efs u:object_r:efs_device_file:s0
 # Camera
-/dev/s3c-mfc u:object_r:mfc_device:s0
-/dev/s5p-jpeg u:object_r:video_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
+/dev/s5p-jpeg u:object_r:video_device:s0
 # Bluetooth
-/dev/ttySAC0 u:object_r:hci_attach_dev:s0
-/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
-/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
+/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
 # GPS
-/dev/ttySAC1 u:object_r:gps_device:s0
+/dev/ttySAC1 u:object_r:gps_device:s0
 # Sensors
-/dev/akm8975 
u:object_r:sensors_device:s0
+/dev/akm8975 u:object_r:sensors_device:s0
-# for wpa_supp
-/dev/rfkill u:object_r:rfkill_device:s0
+# WiFi
+/dev/rfkill u:object_r:rfkill_device:s0
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
 # Firmwares
-/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
+
 # Display
-/sys/class/lcd/panel/power_reduce u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
-/sys/class/mdnie/mdnie/negative u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/mode u:object_r:sysfs_display:s0
+/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/negative u:object_r:sysfs_display:s0
+
+# Executables
+/system/bin/macloader u:object_r:macloader_exec:s0
diff --git a/selinux/fsck.te b/selinux/fsck.te
new file mode 100644
index 0000000..484df7b
--- /dev/null
+++ b/selinux/fsck.te
@@ -0,0 +1 @@
+allow fsck efs_block_device:blk_file { read write getattr open ioctl };
diff --git a/selinux/init.te b/selinux/init.te
index 74b1400..6b18583 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1 +1,4 @@
 allow init self:capability sys_module;
+allow init tmpfs:lnk_file create;
+allow init rild:process noatsecure;
+domain_trans(init, rootfs, cpboot-daemon)
diff --git a/selinux/kernel.te b/selinux/kernel.te
deleted file mode 100644
index 3a08988..0000000
--- a/selinux/kernel.te
+++ /dev/null
@@ -1 +0,0 @@
-allow kernel block_device:blk_file write;
diff --git a/selinux/macloader.te b/selinux/macloader.te
new file mode 100644
index 0000000..5799c7c
--- /dev/null
+++ b/selinux/macloader.te
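Review bot: The new `# Block labeling` section labels both `/dev/block/mmcblk0p1` and `/dev/block/mmcblk0p8` as `efs_block_device`, so every grant on that type in this commit (cpboot-daemon read, fsck read/write/ioctl, rild read) reaches both partitions. If p1 is not an EFS partition it needs a type of its own; if both really hold EFS data, a one-line comment above the pair would keep it from being read as a copy-paste slip, e.g. `# mmcblk0p1 and mmcblk0p8 both carry EFS data` (confirm against the device's partition table before keeping it).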
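Review bot: `allow init rild:process noatsecure;` tells the loader not to set AT_SECURE when init execs rild, so `LD_PRELOAD`/`LD_LIBRARY_PATH` and similar variables from the service environment are honored inside the domain that talks to the baseband; the core policy hands this permission out very rarely. Nothing in the rild.te or rc hunks shows what needs it, so either document the reason next to the rule (`# rild's service block relies on LD_PRELOAD for the vendor RIL; AT_SECURE must stay clear` — adjust to the actual cause) or drop it and re-test without it.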
@@ -0,0 +1,7 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader);
+
+allow macloader efs_file:dir search;
+allow macloader efs_device_file:dir search;
+allow macloader wifi_data_file:file { read getattr open };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 2697346..79bf90c 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,2 +1,2 @@
+allow mediaserver system_file:file execmod;
 allow mediaserver mfc_device:chr_file rw_file_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/selinux/rild.te b/selinux/rild.te
index 3c8040a..5b24906 100644
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -1,17 +1,5 @@
-allow rild self:netlink_socket { create bind read write };
-allow rild self:netlink_route_socket { write };
-allow rild self:netlink_kobject_uevent_socket { create bind read write };
-allow rild self:process execmem;
-
-allow rild radio_device:chr_file rw_file_perms;
-allow rild efs_block_device:blk_file rw_file_perms;
-allow rild efs_file:file { read open write setattr };
-allow rild radio_data_file:dir setattr;
-allow rild block_device:dir search;
-allow rild efs_device_file:dir { search write };
-allow rild efs_device_file:file { read write append getattr open setattr };
-allow rild system_data_file:dir { write add_name };
-allow rild system_data_file:file { write create setattr };
-
-allow rild dumpstate_exec:file { read open getattr execute };
-unix_socket_connect(rild, dumpstate, dumpstate)
+allow rild radio_data:dir { search write remove_name getattr add_name setattr };
+allow rild radio_data:file { write getattr setattr read create unlink open };
+allow rild system_file:file execmod;
+allow rild efs_block_device:blk_file read;
+allow rild efs_device_file:dir search;
diff --git a/selinux/system_app.te b/selinux/system_app.te
index bc716f2..db47fa3 100644
--- a/selinux/system_app.te
+++ b/selinux/system_app.te
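Review bot: `allow mediaserver system_file:file execmod;` lets mediaserver turn a modified (writable) mapping of a system library executable, which is what prebuilt blobs with text relocations need and which amounts to a W+X exception in a process that parses untrusted media; the rild.te and system_server.te hunks add the same `system_file:file execmod` grant. The M guidance is to fix the TEXTREL in the library (or isolate the blob) rather than grant execmod to platform domains. If it has to stay for now, name the library in a comment so it can be revisited, e.g. `# text relocations in <vendor library, TODO name it>; remove once a fixed build is available`.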
@@ -1 +1 @@
-allow system_app sysfs_display:file { getattr open read write };
+allow system_app sysfs_display:file { write getattr open };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 5ae729d..5f8321d 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -1,6 +1,9 @@
-allow system_server uhid_device:chr_file { read write ioctl open };
-allow system_server sysfs_display:file { read write getattr open };
-allow system_server efs_file:dir { search };
-allow system_server efs_file:file { read open write };
+allow system_server efs_file:dir search;
+allow system_server efs_file:file { read open };
 allow system_server efs_device_file:dir search;
-allow system_server fuse:dir search;
+allow system_server self:capability sys_module;
+allow system_server system_file:file execmod;
+allow system_server uhid_device:chr_file { read write ioctl open };
+allow system_server recovery_cache_file:dir rmdir;
+allow system_server dex2oat_exec:file { read open execute};
+allow system_server radio_data:dir search;
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
deleted file mode 100644
index 95a5698..0000000
--- a/selinux/ueventd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow ueventd sdcard_external:dir search;
-allow ueventd sdcard_external:file r_file_perms;
diff --git a/selinux/vold.te b/selinux/vold.te
index b31b92d..de4c78f 100644
--- a/selinux/vold.te
+++ b/selinux/vold.te
@@ -1,3 +1,2 @@
-allow vold sdcard_external:file rw_file_perms;
 allow vold efs_device_file:dir rw_dir_perms;
 allow vold efs_device_file:file rw_file_perms;
diff --git a/selinux/wpa.te b/selinux/wpa.te
new file mode 100644
index 0000000..1e935a4
--- /dev/null
+++ b/selinux/wpa.te
@@ -0,0 +1 @@
+allow wpa rfkill_device:chr_file rw_file_perms;
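Review bot: `allow system_server self:capability sys_module;` grants CAP_SYS_MODULE, i.e. the ability to load and unload kernel modules, to the largest platform process; a denial from the 32-bit personality autoload typically surfaces as the `kernel:system module_request` check that the domain.te hunk already dontaudits, so it would not be what this line fixes. Unless a real `init_module`/`finit_module` call by system_server was observed, drop the rule, or if log noise is the only concern use `dontaudit system_server self:capability sys_module;` instead of granting it. Minor: `{ read open execute}` on the `dex2oat_exec` line is missing the space before the closing brace.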