[DO NOT MERGE] klte-common: sepolicy: Rewrite for O

* WIP
* KILL that sepolicy/old/ before merging
* KILL the dontaudits before merging

Change-Id: I6694567fa1c834b262941b9be362c96cbd16625e

BoardConfigCommon.mk

@@ -100,10 +100,7 @@ BOARD_RECOVERY_SWIPE := true
 TARGET_RECOVERY_FSTAB := $(COMMON_PATH)/rootdir/etc/fstab.full
 
 # SELinux
--include device/qcom/sepolicy/sepolicy.mk
-
-BOARD_SEPOLICY_DIRS += \
-    $(COMMON_PATH)/sepolicy
+include $(COMMON_PATH)/sepolicy/sepolicy.mk
 
 # Sensors
 TARGET_NO_SENSOR_PERMISSION_CHECK := true

rootdir/etc/init.qcom.rc

@@ -110,6 +110,10 @@ on post-fs-data
     chmod 0660 /efs/wifi/.mac.info
     restorecon /efs/wifi/.mac.info
 
+    # for WIFI Front End Module
+    chown system system /data/.cid.info
+    chmod 0664 /data/.cid.info
+
     # Create directory used by audio subsystem
     mkdir /data/misc/audio 0770 audio audio
 
@@ -273,6 +277,14 @@ on boot
     chown radio system /efs/bluetooth
     chmod 0775 /efs/bluetooth
 
+    # Audience ES705 UART
+    # Note: DO NOT move this to ueventd.qcom.rc. Samsung thoughtfully has
+    #       the kernel write directly to /dev/ttyHS3 (!) to load the audience
+    #       firmware. Setting ownership immediately with ueventd would require
+    #       allowing the kernel dac_override, which is an sepolicy neverallow.
+    chmod 0660 /dev/ttyHS3
+    chown media audio /dev/ttyHS3
+
     #Create QMUX deamon socket area
     mkdir /dev/socket/qmux_radio 0770 radio radio
     chmod 2770 /dev/socket/qmux_radio
@@ -839,6 +851,7 @@ on boot
 
     # Set permissions for firmware path control
     chown wifi wifi /sys/module/dhd/parameters/firmware_path
+    chown wifi wifi /sys/module/dhd/parameters/nvram_path
 
 # Services begin here
 
@@ -916,15 +929,13 @@ service wpa_supplicant /vendor/bin/hw/wpa_supplicant \
 service macloader /vendor/bin/macloader
     class late_start
     oneshot
+    user system
+    group system wifi
     seclabel u:r:macloader:s0
 
 on property:wlan.driver.status=ok
     start macloader
 
-on property:init.svc.macloader=stopped
-    chown system root /data/.cid.info
-    chmod 0664 /data/.cid.info
-
 on property:sys.boot_completed=1
     setprop sys.io.scheduler bfq
 

rootdir/etc/ueventd.qcom.rc

@@ -147,8 +147,9 @@
 /dev/i2c-5                0660   media      media
 /dev/voice_svc            0660   system     audio
 
-#Audience ES705 UART
-/dev/ttyHS3               0660   media      audio
+# Audience ES705 UART - do not be tempted to uncomment the below unless you
+#   want firmware loading to be blocked by selinux
+#/dev/ttyHS3               0660   media      audio
 
 # Bluetooth
 /dev/ttyHS0               0660   bluetooth  bluetooth

sepolicy/common/bluetooth.te

@@ -0,0 +1,7 @@
+allow bluetooth bluetooth_device:chr_file rw_file_perms;
+allow bluetooth bt_fw_file:file r_file_perms;
+allow bluetooth firmware_file:dir r_dir_perms;
+allow bluetooth proc_bt_sleep:dir search;
+allow bluetooth proc_bt_sleep:file w_file_perms;
+allow bluetooth sysfs_bt_rfkill_state:file w_file_perms;
+allow bluetooth wifi_data_file:file r_file_perms;

sepolicy/common/cameraserver.te

@@ -0,0 +1,2 @@
+allow cameraserver camera_socket:sock_file w_file_perms;
+allow cameraserver vendor_file:file execmod;

sepolicy/common/device.te

@@ -1 +1,2 @@
 type bluetooth_device, dev_type;
+type efs_block_device, dev_type;

sepolicy/common/dontaudit.te

@@ -0,0 +1,25 @@
+# These will be deleted before committing, I just don't want to keep
+# seeing them during policy bringup
+
+dontaudit shell kernel:system syslog_read;
+
+#dontaudit system_server dalvikcache_data_file:file execute;
+
+dontaudit untrusted_app net_dns_prop:file { open read };
+dontaudit untrusted_app proc:file r_file_perms;
+
+dontaudit untrusted_app_25 camera_prop:file r_file_perms;
+dontaudit untrusted_app_25 debugfs:file r_file_perms;
+dontaudit untrusted_app_25 hal_memtrack_hwservice:hwservice_manager find;
+dontaudit untrusted_app_25 mnt_media_rw_file:dir r_dir_perms;
+dontaudit untrusted_app_25 proc:file r_file_perms;
+dontaudit untrusted_app_25 proc_stat:file r_file_perms;
+dontaudit untrusted_app_25 rootfs:dir r_file_perms;
+dontaudit untrusted_app_25 selinuxfs:file r_file_perms;
+dontaudit untrusted_app_25 serialno_prop:file r_file_perms;
+dontaudit untrusted_app_25 sysfs:file { r_file_perms setattr };
+dontaudit untrusted_app_25 sysfs_devices_system_cpu:file setattr;
+dontaudit untrusted_app_25 sysfs_lowmemorykiller:dir search;
+dontaudit untrusted_app_25 sysfs_lowmemorykiller:file r_file_perms;
+dontaudit untrusted_app_25 userdata_block_device:blk_file getattr;
+dontaudit untrusted_app_25 usermodehelper:file r_file_perms;

sepolicy/common/file.te

@@ -0,0 +1,16 @@
+type proc_bt_sleep, fs_type;
+
+type sysfs_bt_rfkill_state, fs_type, sysfs_type;
+type sysfs_sec, fs_type, sysfs_type;
+type sysfs_wifi_fw_path, fs_type, sysfs_type;
+type sysfs_wifi_nv_path, fs_type, sysfs_type;
+
+type bt_fw_file, file_type;
+type nfc_fw_file, file_type;
+type vcs_data_file, file_type, data_file_type;
+type wifi_efs_file, file_type;
+
+#type sensors_efs_file, file_type;
+#type sysfs_camera, fs_type, sysfs_type;
+#type sysfs_display, fs_type, sysfs_type;
+#type sysfs_vibeamp, fs_type, sysfs_type;

sepolicy/common/file_contexts

@@ -0,0 +1,60 @@
+# block devices
+/dev/block/platform/msm_sdcc\.1/by-name/efs             u:object_r:efs_block_device:s0
+/dev/block/platform/msm_sdcc\.1/by-name/fota            u:object_r:misc_block_device:s0
+
+# data files
+/data/.cid.info                                         u:object_r:wifi_data_file:s0
+/data/.wifiver.info                                     u:object_r:wifi_data_file:s0
+/data/(misc|system)/perfd(/.*)?                         u:object_r:mpctl_data_file:s0
+/data/validity(/.*)?                                    u:object_r:vcs_data_file:s0
+
+# device nodes
+/dev/batch_io                                           u:object_r:sensors_device:s0
+/dev/bcm2079x                                           u:object_r:nfc_device:s0
+/dev/btlock                                             u:object_r:bluetooth_device:s0
+/dev/pn547                                              u:object_r:nfc_device:s0
+/dev/rfkill                                             u:object_r:wlan_device:s0
+/dev/sec-nfc                                            u:object_r:nfc_device:s0
+/dev/ttyHS3                                             u:object_r:audio_device:s0
+/dev/vfsspi                                             u:object_r:vcs_device:s0
+
+# efs files
+/efs/bluetooth(/.*)?                                    u:object_r:bluetooth_efs_file:s0
+/efs/wifi(/.*)?                                         u:object_r:wifi_efs_file:s0
+
+# executeables
+/system/vendor/bin/macloader                            u:object_r:macloader_exec:s0
+
+# firmware
+/system/vendor/firmware/bcm4350(.*).hcd                 u:object_r:bt_fw_file:s0
+/system/vendor/firmware/libpn547_fw.so                  u:object_r:nfc_fw_file:s0
+
+# sockets
+/data/cam_socket(.*)                                    u:object_r:camera_socket:s0
+
+# sysfs
+/sys/devices/battery.[0-9]+/power_supply/battery(/.*)?           u:object_r:sysfs_batteryinfo:s0
+/sys/module/dhd/parameters/firmware_path                         u:object_r:sysfs_wifi_fw_path:s0
+/sys/module/dhd/parameters/nvram_path                            u:object_r:sysfs_wifi_nv_path:s0
+/sys/devices/platform/bcm4354_bluetooth/rfkill/rfkill0/state     u:object_r:sysfs_bt_rfkill_state:s0
+/sys/devices/virtual/sec/sec_key/hall_irq_ctrl                   u:object_r:sysfs_sec:s0
+
+# Camera
+#/sys/devices/virtual/camera(/.*)?                       u:object_r:sysfs_camera:s0
+
+# CMHW
+#/sys/devices/virtual/timed_output/vibrator(/.*)?        u:object_r:sysfs_vibeamp:s0
+
+# Display
+#/sys/devices/virtual/lcd/panel/power_reduce             u:object_r:sysfs_display:s0
+
+# Fingerprint
+#/dev/validity(/.*)?                                     u:object_r:vcs_device:s0
+
+# SEC
+#/sys/devices/virtual/sec/tsp(/.*)?                      u:object_r:sysfs_sec:s0
+
+# Sensors
+#/efs/FactoryApp/baro_delta                              u:object_r:sensors_efs_file:s0
+#/efs/gyro_cal_data                                      u:object_r:sensors_efs_file:s0
+#/efs/prox_cal                                           u:object_r:sensors_efs_file:s0

sepolicy/common/fsck.te

@@ -0,0 +1,2 @@
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;

sepolicy/common/genfs_contexts

@@ -0,0 +1 @@
+genfscon proc /bluetooth/sleep u:object_r:proc_bt_sleep:s0

sepolicy/common/hal_fingerprint_default.te

@@ -0,0 +1,6 @@
+r_dir_file(hal_fingerprint_default, firmware_file)
+
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default vcs_data_file:dir search;
+allow hal_fingerprint_default vcs_data_file:file rw_file_perms;
+allow hal_fingerprint_default vcs_device:chr_file rw_file_perms;

sepolicy/common/hal_wifi_default.te

@@ -0,0 +1,4 @@
+r_dir_file(hal_wifi_default, wifi_efs_file)
+
+allow hal_wifi_default sysfs_wifi_fw_path:file w_file_perms;
+allow hal_wifi_default wifi_data_file:file r_file_perms;

sepolicy/common/hal_wifi_supplicant_default.te

@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default wlan_device:chr_file r_file_perms;

sepolicy/common/init.te

@@ -0,0 +1,2 @@
+# Required to load shim libraries
+allow init { domain -lmkd -crash_dump }:process noatsecure;

sepolicy/common/kernel.te

@@ -0,0 +1,4 @@
+# Samsung literally vfs_write()s to the es705 UART at /dev/ttyHS3 to
+# load the firmware. Without crafting a userspace helper or re-doing
+# the whole path, there is no way around this.
+allow kernel audio_device:chr_file rw_file_perms;

sepolicy/common/macloader.te

@@ -0,0 +1,11 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader)
+
+type_transition macloader system_data_file:file wifi_data_file;
+
+r_dir_file(macloader, wifi_efs_file)
+
+allow macloader efs_file:dir search;
+allow macloader sysfs_wifi_nv_path:file w_file_perms;
+allow macloader wifi_data_file:file create_file_perms;

sepolicy/common/mediaprovider.te

@@ -0,0 +1,2 @@
+allow mediaprovider cache_private_backup_file:dir getattr;
+allow mediaprovider cache_recovery_file:dir r_dir_perms;

sepolicy/common/mediaserver.te

@@ -0,0 +1,4 @@
+allow mediaserver camera_socket:sock_file write;
+allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
+allow mediaserver thermal-engine:unix_stream_socket connectto;
+allow mediaserver vendor_file:file execmod;

sepolicy/common/mm-qcamerad.te

@@ -0,0 +1,8 @@
+type_transition mm-qcamerad system_data_file:sock_file camera_socket;
+
+allow mm-qcamerad camera_socket:sock_file create_file_perms;
+
+# Allow mm-qcamera-daemon to create the socket camera_socket
+allow mm-qcamerad system_data_file:dir w_dir_perms;
+
+allow mm-qcamerad vendor_file:file execmod;

sepolicy/common/mpdecision.te

@@ -0,0 +1,2 @@
+allow mpdecision mpctl_data_file:dir w_dir_perms;
+allow mpdecision mpctl_data_file:sock_file create_file_perms;

sepolicy/common/nfc.te

@@ -0,0 +1 @@
+allow nfc nfc_fw_file:file rx_file_perms;

sepolicy/common/priv_app.te

@@ -0,0 +1,5 @@
+get_prop(priv_app, camera_prop)
+get_prop(priv_app, qemu_hw_mainkeys_prop)
+
+allow priv_app device:dir r_dir_perms;
+allow priv_app proc_interrupts:file r_file_perms;

sepolicy/common/property_contexts

@@ -0,0 +1 @@
+service.camera.hdmi_preview                      u:object_r:camera_prop:s0

sepolicy/common/rild.te

@@ -0,0 +1,8 @@
+set_prop(rild, net_radio_prop)
+
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+allow rild radio_data_file:lnk_file read;
+
+allow rild proc_net:file w_file_perms;
+allow rild sysfs_sec:file rw_file_perms;

sepolicy/common/system_server.te

@@ -0,0 +1,12 @@
+get_prop(system_server, alarm_boot_prop)
+
+allow system_server efs_file:dir search;
+allow system_server efs_file:file r_file_perms;
+allow system_server mpctl_data_file:dir search;
+allow system_server mpctl_data_file:sock_file w_file_perms;
+allow system_server mpdecision:unix_stream_socket connectto;
+allow system_server qmuxd:unix_stream_socket connectto;
+allow system_server qmuxd_socket:dir w_dir_perms;
+allow system_server qmuxd_socket:sock_file { create setattr write };
+allow system_server qti_debugfs:file r_file_perms;
+allow system_server sensors_device:chr_file r_file_perms;

sepolicy/common/tee.te

@@ -0,0 +1 @@
+r_dir_file(tee, vcs_data_file)

sepolicy/common/thermal-engine.te

@@ -0,0 +1,3 @@
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";

sepolicy/common/vold.te

@@ -0,0 +1,2 @@
+allow vold efs_file:dir rw_dir_perms;
+allow vold efs_file:file create;

sepolicy/file.te

@@ -1,8 +0,0 @@
-type sensors_efs_file, file_type;
-type sysfs_camera, fs_type, sysfs_type;
-type sysfs_display, fs_type, sysfs_type;
-type sysfs_sec, fs_type, sysfs_type;
-type sysfs_vibeamp, fs_type, sysfs_type;
-type sysfs_wifi_nv_path, fs_type, sysfs_type;
-type vcs_data_file, file_type, data_file_type;
-type wifi_efs_file, file_type;

sepolicy/file_contexts

@@ -1,63 +0,0 @@
-# Audience
-/dev/ttyHS3                                             u:object_r:audio_device:s0
-
-# Bluetooth
-/dev/btlock                                             u:object_r:bluetooth_device:s0
-/dev/rfkill                                             u:object_r:bluetooth_device:s0
-/efs/bluetooth(/.*)?                                    u:object_r:bluetooth_efs_file:s0
-
-# Camera
-/data/cam_socket.*                                      u:object_r:camera_socket:s0
-/sys/devices/virtual/camera(/.*)?                       u:object_r:sysfs_camera:s0
-
-# CMHW
-/sys/devices/virtual/timed_output/vibrator(/.*)?        u:object_r:sysfs_vibeamp:s0
-
-# Display
-/sys/devices/virtual/lcd/panel/power_reduce             u:object_r:sysfs_display:s0
-
-# EFS
-/dev/block/platform/msm_sdcc.1/by-name/efs              u:object_r:modem_efs_partition_device:s0
-
-# Fingerprint
-/data/validity(/.*)?                                    u:object_r:vcs_data_file:s0
-/dev/validity(/.*)?                                     u:object_r:vcs_device:s0
-/dev/vfsspi                                             u:object_r:vcs_device:s0
-
-# Macloader
-/system/bin/macloader                                   u:object_r:macloader_exec:s0
-
-# NFC
-/dev/bcm2079x                                           u:object_r:nfc_device:s0
-/dev/pn547                                              u:object_r:nfc_device:s0
-/dev/sec-nfc                                            u:object_r:nfc_device:s0
-
-# RIL
-/data/data/com.android.providers.telephony/databases(/.*)?     u:object_r:radio_data_file:s0
-/data/data/com.android.providers.telephony/shared_prefs(/.*)?  u:object_r:radio_data_file:s0
-
-# RIL - Variant Blobs
-/system/blobs/(.*)/bin/ks                               u:object_r:mdm_helper_exec:s0
-/system/blobs/(.*)/bin/qmuxd                            u:object_r:qmuxd_exec:s0
-/system/blobs/(.*)/bin/rfs_access                       u:object_r:rfs_access_exec:s0
-/system/blobs/(.*)/bin/rild                             u:object_r:rild_exec:s0
-/system/blobs/(.*)/bin/rmt_storage                      u:object_r:rmt_storage_exec:s0
-
-# SEC
-/sys/devices/virtual/sec/sec_key/hall_irq_ctrl          u:object_r:sysfs_sec:s0
-/sys/devices/virtual/sec/tsp(/.*)?                      u:object_r:sysfs_sec:s0
-
-# Sensors
-/dev/batch_io                                           u:object_r:sensors_device:s0
-/efs/FactoryApp/baro_delta                              u:object_r:sensors_efs_file:s0
-/efs/gyro_cal_data                                      u:object_r:sensors_efs_file:s0
-/efs/prox_cal                                           u:object_r:sensors_efs_file:s0
-
-# Uncrypt
-/dev/block/platform/msm_sdcc.1/by-name/fota             u:object_r:misc_block_device:s0
-
-# WiFi
-/data/.cid.info                                         u:object_r:wifi_data_file:s0
-/data/.wifiver.info                                     u:object_r:wifi_data_file:s0
-/efs/wifi(/.*)?                                         u:object_r:wifi_efs_file:s0
-/sys/module/dhd/parameters/nvram_path                   u:object_r:sysfs_wifi_nv_path:s0

sepolicy/genfs_contexts

@@ -1 +0,0 @@
-genfscon proc /bluetooth/sleep u:object_r:proc_bluetooth_writable:s0

sepolicy/old/cameraserver.te

@@ -4,4 +4,3 @@ allow cameraserver property_socket:sock_file write;
 allow cameraserver sysfs_camera:dir search;
 allow cameraserver sysfs_camera:file { open read };
 allow cameraserver system_file:file execmod;
-

sepolicy/old/file_contexts

@@ -0,0 +1,8 @@
+# Camera
+/data/cam_socket.*                                      u:object_r:camera_socket:s0
+
+# EFS
+/dev/block/platform/msm_sdcc.1/by-name/efs              u:object_r:modem_efs_partition_device:s0
+
+# Macloader
+/system/bin/macloader                                   u:object_r:macloader_exec:s0

sepolicy/old/fingerprintd.te

@@ -1,14 +1,12 @@
+allow fingerprintd firmware_file:dir r_dir_perms;
+allow fingerprintd firmware_file:file r_file_perms;
 allow fingerprintd vcs_data_file:dir create_dir_perms;
 allow fingerprintd vcs_data_file:file create_file_perms;
 
+allow fingerprintd tee_device:chr_file rw_file_perms;
 allow fingerprintd vcs_device:dir create_dir_perms;
 allow fingerprintd vcs_device:file create_file_perms;
 allow fingerprintd vcs_device:fifo_file create_file_perms;
+
 allow fingerprintd vcs_device:chr_file create_file_perms;
-
-allow fingerprintd tee_device:chr_file rw_file_perms;
-
-allow fingerprintd firmware_file:dir r_dir_perms;
-allow fingerprintd firmware_file:file r_file_perms;
-
 allow fingerprintd vfat:file { getattr open read };

sepolicy/old/macloader.te

@@ -1,7 +1,3 @@
-type macloader, domain;
-type macloader_exec, exec_type, file_type;
-init_daemon_domain(macloader)
-
 type_transition macloader system_data_file:file wifi_data_file;
 
 allow macloader efs_file:dir search;

sepolicy/private/mediaextractor.te

@@ -0,0 +1,2 @@
+allow mediaextractor exfat:file r_file_perms;
+allow mediaextractor sdcardfs:file r_file_perms;

sepolicy/property_contexts

@@ -1,10 +0,0 @@
-##########################
-# property service keys
-#
-#
-persist.ril.radiocapa.tdscdma            u:object_r:radio_prop:s0
-persist.ril.modem.board                  u:object_r:radio_prop:s0
-persist.ril.ims.eutranParam              u:object_r:radio_prop:s0
-persist.ril.ims.utranParam               u:object_r:radio_prop:s0
-persist.ril.xcap.pdnFailCause            u:object_r:radio_prop:s0
-persist.ril.ims.pdnFailCause             u:object_r:radio_prop:s0

sepolicy/sepolicy.mk

@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2018 The LineageOS Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+-include device/qcom/sepolicy/sepolicy.mk
+-include device/qcom/sepolicy/legacy-sepolicy.mk
+
+# Board specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+    device/samsung/klte-common/sepolicy/common \
+
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+    device/samsung/klte-common/sepolicy/public
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+    device/samsung/klte-common/sepolicy/private

sepolicy/wpa.te

@@ -1,4 +0,0 @@
-allow wpa bluetooth_device:chr_file rw_file_perms;
-allow wpa efs_file:dir search;
-allow wpa wifi_efs_file:dir search;
-allow wpa wifi_efs_file:file r_file_perms;