
galaxys2-common: Marshmallow SELinux support

This was made from scratch, as a general cleanup of unused policies
and an update to the M guidelines.

Change-Id: Id4acda2b384d28b5ca51b3ef0f6e93b648c8e79d
This commit is contained in:
Caio Schnepper 2015-11-12 19:12:06 -02:00
parent 8bb93abd28
commit 53789b340c
20 changed files with 94 additions and 66 deletions


@ -224,8 +224,6 @@ on post-fs-data
chmod 0660 /sys/class/rfkill/rfkill0/state
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
restorecon /sys/class/rfkill/rfkill0/state
restorecon /sys/class/rfkill/rfkill0/type
# Vibetonz
chmod 0660 /dev/tspdrv
@ -239,7 +237,6 @@ on post-fs-data
chown system media_rw /sys/class/lcd/panel/gamma_mode
chown system media_rw /sys/class/lcd/panel/power_reduce
chown system system /sys/class/backlight/panel/auto_brightness
restorecon /sys/class/lcd/panel/power_reduce
# Permissions for mDNIe
chown system media_rw /sys/class/mdnie/mdnie/mode
@ -248,9 +245,6 @@ on post-fs-data
chown system media_rw /sys/class/mdnie/mdnie/negative
write /sys/class/mdnie/mdnie/scenario 0
write /sys/class/mdnie/mdnie/mode 1
restorecon /sys/class/mdnie/mdnie/scenario
restorecon /sys/class/mdnie/mdnie/mode
restorecon /sys/class/mdnie/mdnie/negative
# Permissions for uart_sel and usb_sel
chown system radio /sys/class/sec/switch/uart_sel/value
@ -332,6 +326,7 @@ service cpboot-daemon /sbin/cbd -d -p 8
class main
user root
group radio cache inet misc audio sdcard_rw log sdcard_r
seclabel u:r:cpboot-daemon:s0
service mdnsd /system/bin/mdnsd
class main
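Review bot: The `restorecon` lines that drop out of these three `on post-fs-data` hunks (rfkill0 state/type, lcd power_reduce, the mdnie nodes) hand sysfs labeling over to file_contexts, but a file_contexts entry only takes effect on a sysfs node when something relabels it, and no replacement `restorecon` appears in this commit's init.rc hunks, so please confirm that the platform init.rc on this tree relabels /sys. `/sys/class/rfkill/rfkill0/type` in particular has no entry in the file_contexts hunks shown here (only `state` does), so after the `chown bluetooth` above it would keep the generic sysfs label. The `seclabel u:r:cpboot-daemon:s0` line pairs with the `domain_trans(init, rootfs, cpboot-daemon)` added in init.te, which is consistent. The enclosing `on post-fs-data` and `service cpboot-daemon` blocks start outside the hunks.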

23
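--- a/selinux/cpboot-daemon.te
+++ b/selinux/cpboot-daemon.te
+type cpboot-daemon, domain;
+permissive cpboot-daemon;
+allow cpboot-daemon cgroup:dir { create add_name };
+allow cpboot-daemon device:dir { write remove_name add_name };
+allow cpboot-daemon efs_block_device:blk_file { read open };
+allow cpboot-daemon efs_device_file:dir search;
+allow cpboot-daemon efs_file:file { read write open };
+allow cpboot-daemon init:unix_stream_socket connectto;
+allow cpboot-daemon log_device:chr_file { write open };
+allow cpboot-daemon log_device:dir search;
+allow cpboot-daemon property_socket:sock_file write;
+allow cpboot-daemon radio_device:chr_file { read write ioctl open };
+allow cpboot-daemon radio_prop:property_service set;
+allow cpboot-daemon self:capability { setuid };
+allow cpboot-daemon sysfs_radio:file { read write open };
+allow cpboot-daemon usbfs:dir search;
+# FIX ME
+# allow cpboot-daemon usbfs:filesystem mount;
+# allow cpboot-daemon self:capability { mknod };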
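Review bot: `permissive cpboot-daemon;` on the second line leaves this domain unconfined at runtime, so every `allow` rule below it is only a record of what was observed rather than an enforced boundary, and as far as I recall a permissive domain is not accepted in user builds under the M guidelines the commit message targets. The two commented `# FIX ME` rules at the bottom are presumably what the permissive flag is currently hiding; they need to be resolved (granted with a reason, or `dontaudit`ed) before the flag can be dropped, and a comment saying which boot step fails without them would help whoever does that. The three property rules (`init:unix_stream_socket connectto`, `property_socket:sock_file write`, `radio_prop:property_service set`) are the expansion of `set_prop(cpboot-daemon, radio_prop)`, which reads better and stays correct if the property-service plumbing changes.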

1
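--- a/selinux/debuggerd.te
+++ b/selinux/debuggerd.te
@@ -0,0 +1 @@
+allow debuggerd gpu_device:chr_file { read getattr open };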
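Review bot: This grants debuggerd read access to every `gpu_device` node (`/dev/mali`, `/dev/ump`, `/dev/fimg2d` per this commit's file_contexts) without saying why a crash dumper needs the GPU. If the rule exists only to silence a denial logged while dumping a GPU-using process, `dontaudit debuggerd gpu_device:chr_file { read getattr open };` records that intent without widening access; if the access is genuinely needed, a one-line comment naming the case (`# <which dump step> opens the GPU node`) keeps the rule from being pruned in the next cleanup.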


@ -1,4 +1,3 @@
type mali_device, dev_type, mlstrustedobject;
type rfkill_device, dev_type;
type efs_block_device, dev_type;
type mfc_device, dev_type;


@ -1,5 +1,5 @@
## Firmwares
allow ueventd { firmware_mfc }:file r_file_perms;
## /dev/mali, /dev/ump
allow domain mali_device:chr_file rw_file_perms;
## 32bit personality requests
dontaudit domain kernel:system module_request;
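Review bot: If `allow domain mali_device:chr_file rw_file_perms;` is still on the new side it is now a dead rule: this commit's file_contexts relabels `/dev/mali`, `/dev/ump` and `/dev/fimg2d` to `gpu_device`, so no node carries `mali_device` any more and the rule grants nothing while keeping the type alive. The side of each line is not recoverable from this rendering, so this may already be the removed line; please check. Either way, `dontaudit domain kernel:system module_request;` deserves a one-line comment naming which request triggers it, since a `domain`-wide dontaudit hides that denial for every process on the device.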


@ -1,2 +0,0 @@
allow drmserver sdcard_external:file open;
allow drmserver self:process execmem;


@ -1 +0,0 @@
unix_socket_connect(dumpstate, dumpstate, init);


@ -1,4 +1,5 @@
type radio_efs_file, fs_type;
type firmware_mfc, file_type;
type sysfs_display, fs_type, sysfs_type;
type efs_device_file, file_type;
type sysfs_display, fs_type, sysfs_type;
type sysfs_radio, fs_type, sysfs_type;
type radio_data, file_type;
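Review bot: `type sysfs_display, fs_type, sysfs_type;` appears twice in this section (third and fifth lines of the hunk); if both copies are on the new side the policy fails to compile on a duplicate declaration, and if one is the old position of a moved line the move is only diff noise. The side of each line is not recoverable from this rendering, so please check the file as committed. `type radio_data, file_type;` and `type efs_device_file, file_type;` would also benefit from a comment each on why a device-local type is used instead of the core `radio_data_file` / `efs_file` labels they sit next to in file_contexts.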


@ -1,16 +1,25 @@
# GFX
/dev/mali u:object_r:mali_device:s0
/dev/ump u:object_r:mali_device:s0
/dev/fimg2d u:object_r:mali_device:s0
/dev/mali u:object_r:gpu_device:s0
/dev/ump u:object_r:gpu_device:s0
/dev/fimg2d u:object_r:gpu_device:s0
# RIL
/dev/link_pm u:object_r:radio_device:s0
/dev/umts_boot0 u:object_r:radio_device:s0
/dev/umts_boot1 u:object_r:radio_device:s0
/dev/umts_ipc0 u:object_r:radio_device:s0
/dev/umts_ramdump0 u:object_r:radio_device:s0
/dev/umts_rfs0 u:object_r:radio_device:s0
/data/misc/radio(/.*)? u:object_r:radio_data:s0
/sys/devices/platform/s5p-ehci/ehci_power u:object_r:sysfs_radio:s0
# Block labeling
/dev/block/mmcblk0p1 u:object_r:efs_block_device:s0
/dev/block/mmcblk0p7 u:object_r:cache_block_device:s0
/dev/block/mmcblk0p8 u:object_r:efs_block_device:s0
/dev/block/mmcblk0p9 u:object_r:system_block_device:s0
/dev/block/mmcblk0p10 u:object_r:userdata_block_device:s0
/dev/block/zram0 u:object_r:swap_block_device:s0
/efs u:object_r:efs_device_file:s0
# Camera
@ -20,7 +29,7 @@
# Bluetooth
/dev/ttySAC0 u:object_r:hci_attach_dev:s0
/efs/bluetooth/bt_addr u:object_r:bluetooth_data_file:s0
/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
/sys/devices/platform/bcm4330_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
# GPS
/dev/ttySAC1 u:object_r:gps_device:s0
@ -28,14 +37,18 @@
# Sensors
/dev/akm8975 u:object_r:sensors_device:s0
# for wpa_supp
# WiFi
/dev/rfkill u:object_r:rfkill_device:s0
/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
# Firmwares
/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0
# Display
/sys/class/lcd/panel/power_reduce u:object_r:sysfs_display:s0
/sys/class/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
/sys/class/mdnie/mdnie/mode u:object_r:sysfs_display:s0
/sys/class/mdnie/mdnie/negative u:object_r:sysfs_display:s0
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/scenario u:object_r:sysfs_display:s0
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/mode u:object_r:sysfs_display:s0
/sys/devices/platform/samsung-pd.2/mdnie/mdnie/mdnie/negative u:object_r:sysfs_display:s0
# Executables
/system/bin/macloader u:object_r:macloader_exec:s0
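Review bot: `/data/misc/radio(/.*)? u:object_r:radio_data:s0` overrides the core label for that path, which the platform file_contexts assigns as `radio_data_file` (as far as I know of the M tree); every core rule written against `radio_data_file` (the previous rild.te used it in `allow rild radio_data_file:dir setattr;`) stops matching the directory once it is relabeled. Unless a device-specific type is needed to separate this data from other radio files, labeling the path with the core type and granting the device domains `radio_data_file` is the smaller change; if the separate type is needed, a comment on the line saying why would save the next reader a search. Note also that `/efs u:object_r:efs_device_file:s0` has no `(/.*)?`, so only the mount point itself gets `efs_device_file` and files under it keep whatever context the mount gives them (the `efs_file` rules elsewhere in this commit suggest that is `efs_file`); a comment stating that this is intentional would stop someone "fixing" it. The side of the `mali_device`/`gpu_device` pairs is not recoverable from this rendering, but the hunk counts say the `gpu_device` lines are the new ones.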

1
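--- a/selinux/fsck.te
+++ b/selinux/fsck.te
@@ -0,0 +1 @@
+allow fsck efs_block_device:blk_file { read write getattr open ioctl };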
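Review bot: `{ read write getattr open ioctl }` on `efs_block_device:blk_file` is reasonable for a partition that is filesystem-checked at boot, but in this commit's file_contexts two partitions carry that label (`mmcblk0p1` and `mmcblk0p8`), so fsck gets write access to both. If only one of them is checked from fstab, giving the other its own block-device type keeps fsck's write access to the partition it actually checks; if both are checked, say so. A comment naming the fstab entry this serves (`# fsck of the EFS partition listed in fstab`) would make the grant self-explaining.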


@ -1 +1,4 @@
allow init self:capability sys_module;
allow init tmpfs:lnk_file create;
allow init rild:process noatsecure;
domain_trans(init, rootfs, cpboot-daemon)
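Review bot: `allow init rild:process noatsecure;` turns off AT_SECURE handling for the init→rild transition, so rild starts with the environment init hands it (LD_PRELOAD and friends are honored) instead of the sanitized one the dynamic linker would otherwise apply; this is presumably for a preload shim the vendor RIL needs, and the rule should say so: `# rild is started with LD_PRELOAD from init.rc; noatsecure keeps the linker from dropping it`. Without that comment the next cleanup has no way to tell whether the rule is still needed. `domain_trans(init, rootfs, cpboot-daemon)` pairs with the `seclabel` added to the cpboot-daemon service in init.rc, which is consistent. The side of each line is not recoverable from this rendering, but the header `-1 +1,4` says three of these four lines are new.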


@ -1 +0,0 @@
allow kernel block_device:blk_file write;

7
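--- a/selinux/macloader.te
+++ b/selinux/macloader.te
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader);
+allow macloader efs_file:dir search;
+allow macloader efs_device_file:dir search;
+allow macloader wifi_data_file:file { read getattr open };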
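Review bot: The domain can search `/efs` and read `wifi_data_file`, but it is given no write permission anywhere, so if macloader does what its name suggests (copy the MAC from `/efs/wifi/.mac.info` into a file or sysfs node the WLAN driver reads) the write is denied in enforcing mode and the MAC stays at the driver default. Please either add the rule for the destination it writes, or, if on this device it only reads, say so in a comment (`# read-only here: macloader only reads .mac.info on this device`). `/efs/wifi/.mac.info` is labeled `wifi_data_file` in this commit's file_contexts, so the read rule lines up with the label; the `efs_file:dir search` rule is presumably for the `/efs/wifi` directory, which has no file_contexts entry of its own.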


@ -1,2 +1,2 @@
allow mediaserver system_file:file execmod;
allow mediaserver mfc_device:chr_file rw_file_perms;
allow mediaserver video_device:chr_file rw_file_perms;


@ -1,17 +1,5 @@
allow rild self:netlink_socket { create bind read write };
allow rild self:netlink_route_socket { write };
allow rild self:netlink_kobject_uevent_socket { create bind read write };
allow rild self:process execmem;
allow rild radio_device:chr_file rw_file_perms;
allow rild efs_block_device:blk_file rw_file_perms;
allow rild efs_file:file { read open write setattr };
allow rild radio_data_file:dir setattr;
allow rild block_device:dir search;
allow rild efs_device_file:dir { search write };
allow rild efs_device_file:file { read write append getattr open setattr };
allow rild system_data_file:dir { write add_name };
allow rild system_data_file:file { write create setattr };
allow rild dumpstate_exec:file { read open getattr execute };
unix_socket_connect(rild, dumpstate, dumpstate)
allow rild radio_data:dir { search write remove_name getattr add_name setattr };
allow rild radio_data:file { write getattr setattr read create unlink open };
allow rild system_file:file execmod;
allow rild efs_block_device:blk_file read;
allow rild efs_device_file:dir search;
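Review bot: The three lines at the end of the hunk read as the additions (the header `-1,17 +1,5` leaves room for only three new lines), and two of them deserve a comment. `allow rild system_file:file execmod;` enables text relocations for whichever vendor RIL library needs them, which weakens W^X for the whole rild process, so name the library on the line (`# text relocations in <vendor RIL library>` with the real .so name). `allow rild efs_block_device:blk_file read;` lets rild read the raw EFS partition, bypassing the per-file labels inside `/efs`, and because this commit labels two partitions `efs_block_device` it reaches both; if file-level access through `efs_file` is enough for rild, this line can go. Which two lines are the surviving context is not recoverable from this rendering.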


@ -1 +1 @@
allow system_app sysfs_display:file { getattr open read write };
allow system_app sysfs_display:file { write getattr open };


@ -1,6 +1,9 @@
allow system_server uhid_device:chr_file { read write ioctl open };
allow system_server sysfs_display:file { read write getattr open };
allow system_server efs_file:dir { search };
allow system_server efs_file:file { read open write };
allow system_server efs_file:dir search;
allow system_server efs_file:file { read open };
allow system_server efs_device_file:dir search;
allow system_server fuse:dir search;
allow system_server self:capability sys_module;
allow system_server system_file:file execmod;
allow system_server uhid_device:chr_file { read write ioctl open };
allow system_server recovery_cache_file:dir rmdir;
allow system_server dex2oat_exec:file { read open execute};
allow system_server radio_data:dir search;
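Review bot: `allow system_server dex2oat_exec:file { read open execute};` is not enough for system_server to actually run dex2oat: an execve that stays in the caller's domain also needs `execute_no_trans`, and an execve that switches domain needs `domain_auto_trans(system_server, dex2oat_exec, dex2oat)` (with the `entrypoint`/`transition` permissions it expands to). As written the exec is denied on the missing permission, so either switch to `rx_file_perms` (which includes `execute_no_trans`) or use the transition macro, depending on whether the child should run as `dex2oat`. `allow system_server self:capability sys_module;` would let system_server load kernel modules; if it is on the new side it deserves a comment naming the module, since that capability is usually kept with init. The side of each line is not recoverable from this rendering, but the header `-1,6 +1,9` says most of this hunk is new.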


@ -1,2 +0,0 @@
allow ueventd sdcard_external:dir search;
allow ueventd sdcard_external:file r_file_perms;


@ -1,3 +1,2 @@
allow vold sdcard_external:file rw_file_perms;
allow vold efs_device_file:dir rw_dir_perms;
allow vold efs_device_file:file rw_file_perms;

1
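--- a/selinux/wpa.te
+++ b/selinux/wpa.te
@@ -0,0 +1 @@
+allow wpa rfkill_device:chr_file rw_file_perms;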
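Review bot: `rw_file_perms` on `rfkill_device:chr_file` lets wpa_supplicant write `/dev/rfkill`, and a write to that node can block or unblock any rfkill switch on the device (Bluetooth's too), not only the WLAN one. If wpa_supplicant only polls block state, `r_file_perms` is enough and is the safer grant; if it does unblock WLAN itself, a comment saying so (`# wpa_supplicant unblocks the WLAN rfkill switch on start`) keeps the write from looking accidental. `rfkill_device` is the device-local type this commit declares in device.te for `/dev/rfkill`.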