klte-common: Update SELinux configuration

Change-Id: Ia7140d0cd2c1c80d4811988a3cb4e7960eba1261
2015-11-14 15:04:33 -08:00 · 2015-11-14 15:04:33 -08:00 · cc9392254e
parent 48529d198a
commit cc9392254e
18 changed files with 39 additions and 40 deletions
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@ -1,2 +1,2 @@
-allow bluetooth bluetooth_device:chr_file { open write };
+allow bluetooth bluetooth_device:chr_file rw_file_perms;
 allow bluetooth proc_bluetooth_writable:dir search;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -3,7 +3,6 @@

 # Bluetooth
 /dev/btlock                                             u:object_r:bluetooth_device:s0
-/dev/block/mmcblk0(.*)                                  u:object_r:mmc_block_device:s0
 /dev/rfkill                                             u:object_r:bluetooth_device:s0
 /efs/bluetooth(/.*)?                                    u:object_r:bluetooth_efs_file:s0

@ -17,11 +16,11 @@
 # Display
 /sys/devices/virtual/lcd/panel/power_reduce             u:object_r:sysfs_display:s0

-# GPS
-/data/misc/gsiff_ctrl_q                                 u:object_r:location_data_file:s0
+# EFS
+/dev/block/bootdevice/by-name/efs                       u:object_r:modem_efs_partition_device:s0

-# Mpdecision
-/data/system/default_values                             u:object_r:mpctl_data_file:s0
+# Macloader
+/system/bin/macloader                                   u:object_r:macloader_exec:s0

 # NFC
 /dev/bcm2079x                                           u:object_r:nfc_device:s0
@ -37,12 +36,10 @@
 /efs/gyro_cal_data                                      u:object_r:sensors_efs_file:s0
 /efs/prox_cal                                           u:object_r:sensors_efs_file:s0

-# Time
-/data/time/time.log                                     u:object_r:time_data_file:s0
+# Thermal
+/system/bin/thermal-engine                              u:object_r:thermal-engine_exec:s0

 # WiFi
+/data/.cid.info                                         u:object_r:wifi_data_file:s0
 /data/.wifiver.info                                     u:object_r:wifi_data_file:s0
 /efs/wifi(/.*)?                                         u:object_r:wifi_efs_file:s0
-
-# Vold
-/etc/blkid.tab                                          u:object_r:system_file:s0
--- a/sepolicy/fsck.te
+++ b/sepolicy/fsck.te
@ -0,0 +1 @@
+allow fsck modem_efs_partition_device:blk_file rw_file_perms;
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@ -1 +1 @@
-allow init kernel:system syslog_read;
+allow init sysfs_sec:lnk_file r_file_perms;
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@ -0,0 +1 @@
+allow kernel audio_device:chr_file rw_file_perms;
--- a/sepolicy/macloader.te
+++ b/sepolicy/macloader.te
@ -0,0 +1,9 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader)
+
+allow macloader efs_file:dir search;
+allow macloader self:capability { chown dac_override fowner };
+allow macloader wifi_data_file:file create_file_perms;
+allow macloader wifi_efs_file:dir search;
+allow macloader wifi_efs_file:file r_file_perms;
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@ -1,2 +1,3 @@
 allow mediaserver sysfs_camera:dir search;
 allow mediaserver sysfs_camera:file { getattr open read };
+allow mediaserver system_file:file execmod; # for libmmjpeg
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@ -1,5 +1,6 @@
 allow mm-qcamerad media_rw_data_file:dir search;
-allow mm-qcamerad qdsp_device:chr_file { open read ioctl };
 allow mm-qcamerad sysfs_camera:dir search;
-allow mm-qcamerad sysfs_camera:file { getattr open read write };
+allow mm-qcamerad sysfs_camera:file rw_file_perms;
+allow mm-qcamerad system_data_file:dir w_dir_perms;
+allow mm-qcamerad system_file:file execmod; # for libmmcamera_faceproc
 type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@ -1,4 +0,0 @@
-allow mpdecision socket_device:dir rw_dir_perms;
-allow mpdecision socket_device:sock_file { write create setattr };
-allow mpdecision thermal_socket:sock_file write;
-allow mpdecision thermal-engine:unix_stream_socket connectto;
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@ -1,3 +1,2 @@
-allow rild proc_net:file { write };
-allow rild sysfs_sec:file { getattr open read write };
-allow rild zygote_exec:file execute;
+allow rild proc_net:file rw_file_perms;
+allow rild self:capability dac_override;
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@ -1 +0,0 @@
-allow rmt_storage ssd_device:blk_file { open read write };
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -1 +0,0 @@
-allow system_app shell_data_file:dir search;
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -1,7 +1,8 @@
 allow system_server efs_file:dir search;
-allow system_server sensors_efs_file:file { open read };
-allow system_server sysfs_display:file { getattr open read write };
+allow system_server sensors_efs_file:file r_file_perms;
+allow system_server sysfs_display:file rw_file_perms;
 allow system_server sysfs_sec:dir search;
-allow system_server sysfs_sec:file { getattr open read write };
+allow system_server sysfs_sec:file rw_file_perms;
 allow system_server sysfs_vibeamp:dir search;
-allow system_server sysfs_vibeamp:file { getattr open read write };
+allow system_server sysfs_vibeamp:file rw_file_perms;
+allow system_server wifi_efs_file:file r_file_perms;
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@ -0,0 +1,3 @@
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client";
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@ -1,6 +0,0 @@
-allow time_daemon system_app:dir search;
-allow time_daemon system_app:file { read open };
-allow time_daemon system_server:dir search;
-allow time_daemon system_server:file { open read };
-allow time_daemon time_data_file:dir remove_name;
-allow time_daemon time_data_file:file { getattr append unlink };
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@ -1,3 +1,3 @@
-allow ueventd sysfs_camera:file { open read write };
-allow ueventd sysfs_sec:file { open read write };
-allow ueventd sysfs_vibeamp:file { open read write };
+allow ueventd sysfs_camera:file rw_file_perms;
+allow ueventd sysfs_sec:file rw_file_perms;
+allow ueventd sysfs_vibeamp:file rw_file_perms;
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@ -1,2 +0,0 @@
-allow vold efs_file:dir { getattr read };
-allow vold mmc_block_device:blk_file { open read write ioctl getattr };
--- a/sepolicy/wpa.te
+++ b/sepolicy/wpa.te
@ -1,4 +1,4 @@
-allow wpa bluetooth_device:chr_file { open read write };
+allow wpa bluetooth_device:chr_file rw_file_perms;
 allow wpa efs_file:dir search;
 allow wpa wifi_efs_file:dir search;
-allow wpa wifi_efs_file:file { open read };
+allow wpa wifi_efs_file:file r_file_perms;
				`@ -0,0 +1 @@`
				`allow fsck modem_efs_partition_device:blk_file rw_file_perms;`
				`@ -0,0 +1 @@`
				`allow kernel audio_device:chr_file rw_file_perms;`
				`@ -1 +0,0 @@`
				`allow rmt_storage ssd_device:blk_file { open read write };`
				`@ -1 +0,0 @@`
				`allow system_app shell_data_file:dir search;`