galaxys2-common: Marshmallow SELinux support
This was made from scratch, for a general cleanup of unused policies and an update to the Marshmallow (M) guidelines. Change-Id: Id4acda2b384d28b5ca51b3ef0f6e93b648c8e79d
This commit is contained in:
parent
8bb93abd28
commit
53789b340c
@ -224,8 +224,6 @@ on post-fs-data
|
|||||||
chmod 0660 /sys/class/rfkill/rfkill0/state
|
chmod 0660 /sys/class/rfkill/rfkill0/state
|
||||||
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
|
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
|
||||||
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
|
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
|
||||||
restorecon /sys/class/rfkill/rfkill0/state
|
|
||||||
restorecon /sys/class/rfkill/rfkill0/type
|
|
||||||
|
|
||||||
# Vibetonz
|
# Vibetonz
|
||||||
chmod 0660 /dev/tspdrv
|
chmod 0660 /dev/tspdrv
|
||||||
@ -239,7 +237,6 @@ on post-fs-data
|
|||||||
chown system media_rw /sys/class/lcd/panel/gamma_mode
|
chown system media_rw /sys/class/lcd/panel/gamma_mode
|
||||||
chown system media_rw /sys/class/lcd/panel/power_reduce
|
chown system media_rw /sys/class/lcd/panel/power_reduce
|
||||||
chown system system /sys/class/backlight/panel/auto_brightness
|
chown system system /sys/class/backlight/panel/auto_brightness
|
||||||
restorecon /sys/class/lcd/panel/power_reduce
|
|
||||||
|
|
||||||
# Permissions for mDNIe
|
# Permissions for mDNIe
|
||||||
chown system media_rw /sys/class/mdnie/mdnie/mode
|
chown system media_rw /sys/class/mdnie/mdnie/mode
|
||||||
@ -248,9 +245,6 @@ on post-fs-data
|
|||||||
chown system media_rw /sys/class/mdnie/mdnie/negative
|
chown system media_rw /sys/class/mdnie/mdnie/negative
|
||||||
write /sys/class/mdnie/mdnie/scenario 0
|
write /sys/class/mdnie/mdnie/scenario 0
|
||||||
write /sys/class/mdnie/mdnie/mode 1
|
write /sys/class/mdnie/mdnie/mode 1
|
||||||
restorecon /sys/class/mdnie/mdnie/scenario
|
|
||||||
restorecon /sys/class/mdnie/mdnie/mode
|
|
||||||
restorecon /sys/class/mdnie/mdnie/negative
|
|
||||||
|
|
||||||
# Permissions for uart_sel and usb_sel
|
# Permissions for uart_sel and usb_sel
|
||||||
chown system radio /sys/class/sec/switch/uart_sel/value
|
chown system radio /sys/class/sec/switch/uart_sel/value
|
||||||
@ -332,6 +326,7 @@ service cpboot-daemon /sbin/cbd -d -p 8
|
|||||||
class main
|
class main
|
||||||
user root
|
user root
|
||||||
group radio cache inet misc audio sdcard_rw log sdcard_r
|
group radio cache inet misc audio sdcard_rw log sdcard_r
|
||||||
|
seclabel u:r:cpboot-daemon:s0
|
||||||
|
|
||||||
service mdnsd /system/bin/mdnsd
|
service mdnsd /system/bin/mdnsd
|
||||||
class main
|
class main
|
||||||
|
23
selinux/cpboot-daemon.te
Normal file
23
selinux/cpboot-daemon.te
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
type cpboot-daemon, domain;
|
||||||
|
|
||||||
|
permissive cpboot-daemon;
|
||||||
|
|
||||||
|
allow cpboot-daemon cgroup:dir { create add_name };
|
||||||
|
allow cpboot-daemon device:dir { write remove_name add_name };
|
||||||
|
allow cpboot-daemon efs_block_device:blk_file { read open };
|
||||||
|
allow cpboot-daemon efs_device_file:dir search;
|
||||||
|
allow cpboot-daemon efs_file:file { read write open };
|
||||||
|
allow cpboot-daemon init:unix_stream_socket connectto;
|
||||||
|
allow cpboot-daemon log_device:chr_file { write open };
|
||||||
|
allow cpboot-daemon log_device:dir search;
|
||||||
|
allow cpboot-daemon property_socket:sock_file write;
|
||||||
|
allow cpboot-daemon radio_device:chr_file { read write ioctl open };
|
||||||
|
allow cpboot-daemon radio_prop:property_service set;
|
||||||
|
allow cpboot-daemon self:capability { setuid };
|
||||||
|
allow cpboot-daemon sysfs_radio:file { read write open };
|
||||||
|
allow cpboot-daemon usbfs:dir search;
|
||||||
|
|
||||||
|
|
||||||
|
# FIX ME
|
||||||
|
# allow cpboot-daemon usbfs:filesystem mount;
|
||||||
|
# allow cpboot-daemon self:capability { mknod };
|
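Review bot: `permissive cpboot-daemon;` at the top of this new file means none of the allow rules below it is enforced, so the rule list is incomplete by construction — the `# FIX ME` entries (usbfs mount, mknod) are exactly the denials permissive mode is masking, and `device:dir { write remove_name add_name }` already implies node creation that would need `mknod` once enforcing. As far as I recall, the M sepolicy build rejects permissive domains in user builds, so the domain cannot ship as written; collect denials in enforcing mode on a userdebug build and drop the `permissive` line. The three property rules (`init:unix_stream_socket connectto`, `property_socket:sock_file write`, `radio_prop:property_service set`) are the expansion of `set_prop(cpboot-daemon, radio_prop)` if this tree's te_macros provides that macro. Replace `# FIX ME` with a comment that states which observed denial each commented rule answers, e.g. `# TODO(review): cbd denied usbfs mount / mknod during modem boot — confirm in enforcing mode before enabling`.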
1
selinux/debuggerd.te
Normal file
1
selinux/debuggerd.te
Normal file
@ -0,0 +1 @@
|
|||||||
|
allow debuggerd gpu_device:chr_file { read getattr open };
|
@ -1,4 +1,3 @@
|
|||||||
type mali_device, dev_type, mlstrustedobject;
|
|
||||||
type rfkill_device, dev_type;
|
type rfkill_device, dev_type;
|
||||||
type efs_block_device, dev_type;
|
type efs_block_device, dev_type;
|
||||||
type mfc_device, dev_type;
|
type mfc_device, dev_type;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
## Firmwares
|
## Firmwares
|
||||||
allow ueventd { firmware_mfc }:file r_file_perms;
|
allow ueventd { firmware_mfc }:file r_file_perms;
|
||||||
|
|
||||||
## /dev/mali, /dev/ump
|
## 32bit personality requests
|
||||||
allow domain mali_device:chr_file rw_file_perms;
|
dontaudit domain kernel:system module_request;
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
allow drmserver sdcard_external:file open;
|
|
||||||
allow drmserver self:process execmem;
|
|
@ -1 +0,0 @@
|
|||||||
unix_socket_connect(dumpstate, dumpstate, init);
|
|
@ -1,4 +1,5 @@
|
|||||||
type radio_efs_file, fs_type;
|
|
||||||
type firmware_mfc, file_type;
|
type firmware_mfc, file_type;
|
||||||
type sysfs_display, fs_type, sysfs_type;
|
|
||||||
type efs_device_file, file_type;
|
type efs_device_file, file_type;
|
||||||
|
type sysfs_display, fs_type, sysfs_type;
|
||||||
|
type sysfs_radio, fs_type, sysfs_type;
|
||||||
|
type radio_data, file_type;
|
||||||
|
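Review bot: `type radio_data, file_type;` duplicates a label upstream already provides: AOSP file_contexts labels `/data/misc/radio(/.*)?` as `radio_data_file` (declared with `data_file_type` as well) and upstream rild.te grants rild create/search access on it. Overriding that path with `radio_data` in file_contexts (L430) is why rild.te has to re-spell those permissions by hand (L706, L711) and why system_server needs `radio_data:dir search` (L833). Dropping `radio_data` and keeping the upstream `radio_data_file` label removes the hand-written rules; if a device-specific type is genuinely needed, declare it `type radio_data, file_type, data_file_type;` so the attribute-based upstream rules and neverallows still treat it as /data content.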
@ -1,41 +1,54 @@
|
|||||||
# GFX
|
# GFX
|
||||||
/dev/mali u:object_r:mali_device:s0
|
/dev/mali u:object_r:gpu_device:s0
|
||||||
/dev/ump u:object_r:mali_device:s0
|
/dev/ump u:object_r:gpu_device:s0
|
||||||
/dev/fimg2d u:object_r:mali_device:s0
|
/dev/fimg2d u:object_r:gpu_device:s0
|
||||||
|
|
||||||
# RIL
|
# RIL
|
||||||
/dev/umts_boot0 u:object_r:radio_device:s0
|
/dev/link_pm u:object_r:radio_device:s0
|
||||||
/dev/umts_boot1 u:object_r:radio_device:s0
|
/dev/umts_boot0 u:object_r:radio_device:s0
|
||||||
/dev/umts_ipc0 u:object_r:radio_device:s0
|
/dev/umts_boot1 u:object_r:radio_device:s0
|
||||||
/dev/umts_ramdump0 u:object_r:radio_device:s0
|
/dev/umts_ipc0 u:object_r:radio_device:s0
|
||||||
/dev/umts_rfs0 u:object_r:radio_device:s0
|
/dev/umts_ramdump0 u:object_r:radio_device:s0
|
||||||
|
/dev/umts_rfs0 u:object_r:radio_device:s0
|
||||||
|
/data/misc/radio(/.*)? u:object_r:radio_data:s0
|
||||||
|
/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
|
||||||
|
|
||||||
/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
|
# Block labeling
|
||||||
/efs u:object_r:efs_device_file:s0
|
/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
|
||||||
|
/dev/block/mmcblk0p7 u:object_r:cache_block_device:s0
|
||||||
|
/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
|
||||||
|
/dev/block/mmcblk0p9 u:object_r:system_block_device:s0
|
||||||
|
/dev/block/mmcblk0p10 u:object_r:userdata_block_device:s0
|
||||||
|
/dev/block/zram0 u:object_r:swap_block_device:s0
|
||||||
|
/efs u:object_r:efs_device_file:s0
|
||||||
|
|
||||||
# Camera
|
# Camera
|
||||||
/dev/s3c-mfc u:object_r:mfc_device:s0
|
/dev/s3c-mfc u:object_r:mfc_device:s0
|
||||||
/dev/s5p-jpeg u:object_r:video_device:s0
|
/dev/s5p-jpeg u:object_r:video_device:s0
|
||||||
|
|
||||||
# Bluetooth
|
# Bluetooth
|
||||||
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
|
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
|
||||||
/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
|
/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
|
||||||
/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
||||||
|
|
||||||
# GPS
|
# GPS
|
||||||
/dev/ttySAC1 u:object_r:gps_device:s0
|
/dev/ttySAC1 u:object_r:gps_device:s0
|
||||||
|
|
||||||
# Sensors
|
# Sensors
|
||||||
/dev/akm8975 u:object_r:sensors_device:s0
|
/dev/akm8975 u:object_r:sensors_device:s0
|
||||||
|
|
||||||
# for wpa_supp
|
# WiFi
|
||||||
/dev/rfkill u:object_r:rfkill_device:s0
|
/dev/rfkill u:object_r:rfkill_device:s0
|
||||||
|
/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
|
||||||
|
|
||||||
# Firmwares
|
# Firmwares
|
||||||
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
|
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
|
||||||
|
|
||||||
|
|
||||||
# Display
|
# Display
|
||||||
/sys/class/lcd/panel/power_reduce u:object_r:sysfs_display:s0
|
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
|
||||||
/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
|
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/mode u:object_r:sysfs_display:s0
|
||||||
/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
|
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/negative u:object_r:sysfs_display:s0
|
||||||
/sys/class/mdnie/mdnie/negative u:object_r:sysfs_display:s0
|
|
||||||
|
# Executables
|
||||||
|
/system/bin/macloader u:object_r:macloader_exec:s0
|
||||||
|
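Review bot: `/dev/block/mmcblk0p1` and `/dev/block/mmcblk0p8` both receive `efs_block_device`, so every rule on that type now covers two partitions: fsck gets `{ read write getattr open ioctl }` on both (fsck.te, L620), rild reads both (L721) and cpboot-daemon reads both (L193). The partition cpboot-daemon opens at modem boot is presumably the modem image rather than the EFS filesystem that fsck checks and that is mounted at `/efs`; if so, give it its own type (constructed: `type modem_block_device, dev_type;` in device.te, with `/dev/block/mmcblk0p8 u:object_r:modem_block_device:s0` here) and grant cpboot-daemon read-only on that type, so fsck's write/ioctl stays limited to the partition it actually checks. A one-line comment per block entry naming the partition (`# p1 EFS`, `# p8 modem`) would make the intent reviewable, since the `# Block labeling` heading alone does not say why two partitions share a label.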
1
selinux/fsck.te
Normal file
1
selinux/fsck.te
Normal file
@ -0,0 +1 @@
|
|||||||
|
allow fsck efs_block_device:blk_file { read write getattr open ioctl };
|
@ -1 +1,4 @@
|
|||||||
allow init self:capability sys_module;
|
allow init self:capability sys_module;
|
||||||
|
allow init tmpfs:lnk_file create;
|
||||||
|
allow init rild:process noatsecure;
|
||||||
|
domain_trans(init, rootfs, cpboot-daemon)
|
||||||
|
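Review bot: `allow init rild:process noatsecure;` (L635) turns off AT_SECURE for the init→rild transition, so the dynamic linker honours loader environment such as LD_PRELOAD/LD_LIBRARY_PATH for rild instead of ignoring it as it does for every other init-spawned domain. That is a deliberate weakening of rild's secure exec; if it is needed because rild's rc entry sets a loader variable for the vendor RIL library, document it in place, `# rild's rc block sets a loader env var (vendor RIL); noatsecure keeps the linker from dropping it`, otherwise remove the rule. `domain_trans(init, rootfs, cpboot-daemon)` correctly pairs with the `seclabel` in the rc file (L144), which is the right pattern for a /sbin executable that cannot carry its own file label; a comment saying so next to the rule would help the next reader.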
@ -1 +0,0 @@
|
|||||||
allow kernel block_device:blk_file write;
|
|
7
selinux/macloader.te
Normal file
7
selinux/macloader.te
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
type macloader, domain;
|
||||||
|
type macloader_exec, exec_type, file_type;
|
||||||
|
init_daemon_domain(macloader);
|
||||||
|
|
||||||
|
allow macloader efs_file:dir search;
|
||||||
|
allow macloader efs_device_file:dir search;
|
||||||
|
allow macloader wifi_data_file:file { read getattr open };
|
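Review bot: `allow macloader wifi_data_file:file { read getattr open };` reaches `/efs/wifi/.mac.info` only because file_contexts (L555) labels that EFS file with AOSP's `wifi_data_file`, the type of `/data/misc/wifi`, which the upstream WiFi domains (wpa, system_server — verify in this tree) are allowed to create and write. Reusing that label makes the persistent MAC file writable by those domains; a device-specific type (constructed: `type wifi_efs_file, file_type;` in file.te and `/efs/wifi/.mac.info u:object_r:wifi_efs_file:s0` in file_contexts) with read-only access for macloader is the minimal grant. The `{ read getattr open }` set is what `r_file_perms` expands to; prefer the macro, as vold.te already does with `rw_file_perms` (L861), and add a header line such as `# macloader: reads the factory MAC from EFS at boot` so the domain's purpose is stated.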
@ -1,2 +1,2 @@
|
|||||||
|
allow mediaserver system_file:file execmod;
|
||||||
allow mediaserver mfc_device:chr_file rw_file_perms;
|
allow mediaserver mfc_device:chr_file rw_file_perms;
|
||||||
allow mediaserver video_device:chr_file rw_file_perms;
|
|
||||||
|
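Review bot: `allow mediaserver system_file:file execmod;` permits making a modified private mapping of any file under /system executable, the usual workaround for a prebuilt vendor library with text relocations; the same blanket grant is added for rild (L716) and system_server (L817). Because `system_file` is not specific to the library that needs it, each of these domains can now turn a writable mapping of any system library into executable code, which undoes the W^X property the rest of the policy relies on. Label the offending library with its own type and allow execmod on that type only, and record which library it is in a comment, e.g. `# text relocations in <vendor library — fill in from the denial>`; also check that this tree's domain.te does not already neverallow execmod on `file_type` for non-app domains, since M tightened that area.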
@ -1,17 +1,5 @@
|
|||||||
allow rild self:netlink_socket { create bind read write };
|
allow rild radio_data:dir { search write remove_name getattr add_name setattr };
|
||||||
allow rild self:netlink_route_socket { write };
|
allow rild radio_data:file { write getattr setattr read create unlink open };
|
||||||
allow rild self:netlink_kobject_uevent_socket { create bind read write };
|
allow rild system_file:file execmod;
|
||||||
allow rild self:process execmem;
|
allow rild efs_block_device:blk_file read;
|
||||||
|
allow rild efs_device_file:dir search;
|
||||||
allow rild radio_device:chr_file rw_file_perms;
|
|
||||||
allow rild efs_block_device:blk_file rw_file_perms;
|
|
||||||
allow rild efs_file:file { read open write setattr };
|
|
||||||
allow rild radio_data_file:dir setattr;
|
|
||||||
allow rild block_device:dir search;
|
|
||||||
allow rild efs_device_file:dir { search write };
|
|
||||||
allow rild efs_device_file:file { read write append getattr open setattr };
|
|
||||||
allow rild system_data_file:dir { write add_name };
|
|
||||||
allow rild system_data_file:file { write create setattr };
|
|
||||||
|
|
||||||
allow rild dumpstate_exec:file { read open getattr execute };
|
|
||||||
unix_socket_connect(rild, dumpstate, dumpstate)
|
|
||||||
|
@ -1 +1 @@
|
|||||||
allow system_app sysfs_display:file { getattr open read write };
|
allow system_app sysfs_display:file { write getattr open };
|
||||||
|
@ -1,6 +1,9 @@
|
|||||||
allow system_server uhid_device:chr_file { read write ioctl open };
|
allow system_server efs_file:dir search;
|
||||||
allow system_server sysfs_display:file { read write getattr open };
|
allow system_server efs_file:file { read open };
|
||||||
allow system_server efs_file:dir { search };
|
|
||||||
allow system_server efs_file:file { read open write };
|
|
||||||
allow system_server efs_device_file:dir search;
|
allow system_server efs_device_file:dir search;
|
||||||
allow system_server fuse:dir search;
|
allow system_server self:capability sys_module;
|
||||||
|
allow system_server system_file:file execmod;
|
||||||
|
allow system_server uhid_device:chr_file { read write ioctl open };
|
||||||
|
allow system_server recovery_cache_file:dir rmdir;
|
||||||
|
allow system_server dex2oat_exec:file { read open execute};
|
||||||
|
allow system_server radio_data:dir search;
|
||||||
|
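Review bot: `allow system_server self:capability sys_module;` (L813) gives the framework process CAP_SYS_MODULE, i.e. the ability to load arbitrary kernel modules, which is far more than a single denial from system_server normally justifies; on this tree init already holds that capability (L625/L627). If the denial came from a WiFi/BT module-loading path, have init or the daemon that owns the module do the load and leave system_server without the capability; if it must stay, add a comment naming the code path that needs it. Separately, `allow system_server dex2oat_exec:file { read open execute};` (L829) is missing the space before `}` and executes dex2oat inside system_server's own domain with no transition — confirm upstream M does not already cover this case before keeping a hand-written rule.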
@ -1,2 +0,0 @@
|
|||||||
allow ueventd sdcard_external:dir search;
|
|
||||||
allow ueventd sdcard_external:file r_file_perms;
|
|
@ -1,3 +1,2 @@
|
|||||||
allow vold sdcard_external:file rw_file_perms;
|
|
||||||
allow vold efs_device_file:dir rw_dir_perms;
|
allow vold efs_device_file:dir rw_dir_perms;
|
||||||
allow vold efs_device_file:file rw_file_perms;
|
allow vold efs_device_file:file rw_file_perms;
|
||||||
|
1
selinux/wpa.te
Normal file
1
selinux/wpa.te
Normal file
@ -0,0 +1 @@
|
|||||||
|
allow wpa rfkill_device:chr_file rw_file_perms;
|