From 5045387decc152cf4a089201f43a2d6f5d914058 Mon Sep 17 00:00:00 2001 From: "Kevin F. Haggerty" Date: Mon, 25 Dec 2017 15:30:21 -0700 Subject: [PATCH] [DO NOT MERGE] klte-common: sepolicy: Rewrite for O * WIP * KILL that sepolicy/old/ before merging * KILL the dontaudits before merging Change-Id: I6694567fa1c834b262941b9be362c96cbd16625e --- BoardConfigCommon.mk | 5 +- rootdir/etc/init.qcom.rc | 19 ++++-- rootdir/etc/ueventd.qcom.rc | 5 +- sepolicy/common/bluetooth.te | 7 +++ sepolicy/common/cameraserver.te | 2 + sepolicy/{ => common}/device.te | 1 + sepolicy/common/dontaudit.te | 25 ++++++++ sepolicy/common/file.te | 16 +++++ sepolicy/common/file_contexts | 60 ++++++++++++++++++ sepolicy/common/fsck.te | 2 + sepolicy/common/genfs_contexts | 1 + sepolicy/common/hal_fingerprint_default.te | 6 ++ sepolicy/common/hal_wifi_default.te | 4 ++ .../common/hal_wifi_supplicant_default.te | 1 + sepolicy/common/init.te | 2 + sepolicy/common/kernel.te | 4 ++ sepolicy/common/macloader.te | 11 ++++ sepolicy/common/mediaprovider.te | 2 + sepolicy/common/mediaserver.te | 4 ++ sepolicy/common/mm-qcamerad.te | 8 +++ sepolicy/common/mpdecision.te | 2 + sepolicy/common/nfc.te | 1 + sepolicy/common/priv_app.te | 5 ++ sepolicy/common/property_contexts | 1 + sepolicy/common/rild.te | 8 +++ sepolicy/common/system_server.te | 12 ++++ sepolicy/common/tee.te | 1 + sepolicy/common/thermal-engine.te | 3 + sepolicy/common/vold.te | 2 + sepolicy/file.te | 8 --- sepolicy/file_contexts | 63 ------------------- sepolicy/genfs_contexts | 1 - sepolicy/{ => old}/bluetooth.te | 0 sepolicy/{ => old}/cameraserver.te | 1 - sepolicy/old/file_contexts | 8 +++ sepolicy/{ => old}/fingerprintd.te | 10 ++- sepolicy/{ => old}/fsck.te | 0 sepolicy/{ => old}/healthd.te | 0 sepolicy/{ => old}/hostapd.te | 0 sepolicy/{ => old}/init.te | 0 sepolicy/{ => old}/kernel.te | 0 sepolicy/{ => old}/macloader.te | 4 -- sepolicy/{ => old}/mediaserver.te | 0 sepolicy/{ => old}/mm-qcamerad.te | 0 sepolicy/{ => old}/mpdecision.te | 0 sepolicy/{ => old}/platform_app.te | 0 sepolicy/{ => old}/priv_app.te | 0 sepolicy/{ => old}/rild.te | 0 sepolicy/{ => old}/shell.te | 0 sepolicy/{ => old}/system_server.te | 0 sepolicy/{ => old}/tee.te | 0 sepolicy/{ => old}/thermal-engine.te | 0 sepolicy/{ => old}/ueventd.te | 0 sepolicy/{ => old}/untrusted_app.te | 0 sepolicy/{ => old}/vold.te | 0 sepolicy/private/mediaextractor.te | 2 + sepolicy/property_contexts | 10 --- sepolicy/sepolicy.mk | 28 +++++++++ sepolicy/wpa.te | 4 -- 59 files changed, 252 insertions(+), 107 deletions(-) create mode 100644 sepolicy/common/bluetooth.te create mode 100644 sepolicy/common/cameraserver.te rename sepolicy/{ => common}/device.te (50%) create mode 100644 sepolicy/common/dontaudit.te create mode 100644 sepolicy/common/file.te create mode 100644 sepolicy/common/file_contexts create mode 100644 sepolicy/common/fsck.te create mode 100644 sepolicy/common/genfs_contexts create mode 100644 sepolicy/common/hal_fingerprint_default.te create mode 100644 sepolicy/common/hal_wifi_default.te create mode 100644 sepolicy/common/hal_wifi_supplicant_default.te create mode 100644 sepolicy/common/init.te create mode 100644 sepolicy/common/kernel.te create mode 100644 sepolicy/common/macloader.te create mode 100644 sepolicy/common/mediaprovider.te create mode 100644 sepolicy/common/mediaserver.te create mode 100644 sepolicy/common/mm-qcamerad.te create mode 100644 sepolicy/common/mpdecision.te create mode 100644 sepolicy/common/nfc.te create mode 100644 sepolicy/common/priv_app.te create mode 100644 sepolicy/common/property_contexts create mode 100644 sepolicy/common/rild.te create mode 100644 sepolicy/common/system_server.te create mode 100644 sepolicy/common/tee.te create mode 100644 sepolicy/common/thermal-engine.te create mode 100644 sepolicy/common/vold.te delete mode 100644 sepolicy/file.te delete mode 100644 sepolicy/file_contexts delete mode 100644 sepolicy/genfs_contexts rename sepolicy/{ => old}/bluetooth.te (100%) rename sepolicy/{ => old}/cameraserver.te (99%) create mode 100644 sepolicy/old/file_contexts rename sepolicy/{ => old}/fingerprintd.te (99%) rename sepolicy/{ => old}/fsck.te (100%) rename sepolicy/{ => old}/healthd.te (100%) rename sepolicy/{ => old}/hostapd.te (100%) rename sepolicy/{ => old}/init.te (100%) rename sepolicy/{ => old}/kernel.te (100%) rename sepolicy/{ => old}/macloader.te (82%) rename sepolicy/{ => old}/mediaserver.te (100%) rename sepolicy/{ => old}/mm-qcamerad.te (100%) rename sepolicy/{ => old}/mpdecision.te (100%) rename sepolicy/{ => old}/platform_app.te (100%) rename sepolicy/{ => old}/priv_app.te (100%) rename sepolicy/{ => old}/rild.te (100%) rename sepolicy/{ => old}/shell.te (100%) rename sepolicy/{ => old}/system_server.te (100%) rename sepolicy/{ => old}/tee.te (100%) rename sepolicy/{ => old}/thermal-engine.te (100%) rename sepolicy/{ => old}/ueventd.te (100%) rename sepolicy/{ => old}/untrusted_app.te (100%) rename sepolicy/{ => old}/vold.te (100%) create mode 100644 sepolicy/private/mediaextractor.te delete mode 100644 sepolicy/property_contexts create mode 100644 sepolicy/sepolicy.mk delete mode 100644 sepolicy/wpa.te diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index 2393669..6f51be1 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk @@ -100,10 +100,7 @@ BOARD_RECOVERY_SWIPE := true TARGET_RECOVERY_FSTAB := $(COMMON_PATH)/rootdir/etc/fstab.full # SELinux --include device/qcom/sepolicy/sepolicy.mk - -BOARD_SEPOLICY_DIRS += \ - $(COMMON_PATH)/sepolicy +include $(COMMON_PATH)/sepolicy/sepolicy.mk # Sensors TARGET_NO_SENSOR_PERMISSION_CHECK := true diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc index d67de30..cd405fe 100644 --- a/rootdir/etc/init.qcom.rc +++ b/rootdir/etc/init.qcom.rc @@ -110,6 +110,10 @@ on post-fs-data chmod 0660 /efs/wifi/.mac.info restorecon /efs/wifi/.mac.info + # for WIFI Front End Module + chown system system /data/.cid.info + chmod 0664 /data/.cid.info + # Create directory used by audio subsystem mkdir /data/misc/audio 0770 audio audio @@ -273,6 +277,14 @@ on boot chown radio system /efs/bluetooth chmod 0775 /efs/bluetooth + # Audience ES705 UART + # Note: DO NOT move this to ueventd.qcom.rc. Samsung thoughtfully has + # the kernel write directly to /dev/ttyHS3 (!) to load the audience + # firmware. Setting ownership immediately with ueventd would require + # allowing the kernel dac_override, which is an sepolicy neverallow. + chmod 0660 /dev/ttyHS3 + chown media audio /dev/ttyHS3 + #Create QMUX deamon socket area mkdir /dev/socket/qmux_radio 0770 radio radio chmod 2770 /dev/socket/qmux_radio @@ -839,6 +851,7 @@ on boot # Set permissions for firmware path control chown wifi wifi /sys/module/dhd/parameters/firmware_path + chown wifi wifi /sys/module/dhd/parameters/nvram_path # Services begin here @@ -916,15 +929,13 @@ service wpa_supplicant /vendor/bin/hw/wpa_supplicant \ service macloader /vendor/bin/macloader class late_start oneshot + user system + group system wifi seclabel u:r:macloader:s0 on property:wlan.driver.status=ok start macloader -on property:init.svc.macloader=stopped - chown system root /data/.cid.info - chmod 0664 /data/.cid.info - on property:sys.boot_completed=1 setprop sys.io.scheduler bfq diff --git a/rootdir/etc/ueventd.qcom.rc b/rootdir/etc/ueventd.qcom.rc index dbfa9a5..e7d5c30 100644 --- a/rootdir/etc/ueventd.qcom.rc +++ b/rootdir/etc/ueventd.qcom.rc @@ -147,8 +147,9 @@ /dev/i2c-5 0660 media media /dev/voice_svc 0660 system audio -#Audience ES705 UART -/dev/ttyHS3 0660 media audio +# Audience ES705 UART - do not be tempted to uncomment the below unless you +# want firmware loading to be blocked by selinux +#/dev/ttyHS3 0660 media audio # Bluetooth /dev/ttyHS0 0660 bluetooth bluetooth diff --git a/sepolicy/common/bluetooth.te b/sepolicy/common/bluetooth.te new file mode 100644 index 0000000..cae1201 --- /dev/null +++ b/sepolicy/common/bluetooth.te @@ -0,0 +1,7 @@ +allow bluetooth bluetooth_device:chr_file rw_file_perms; +allow bluetooth bt_fw_file:file r_file_perms; +allow bluetooth firmware_file:dir r_dir_perms; +allow bluetooth proc_bt_sleep:dir search; +allow bluetooth proc_bt_sleep:file w_file_perms; +allow bluetooth sysfs_bt_rfkill_state:file w_file_perms; +allow bluetooth wifi_data_file:file r_file_perms; diff --git a/sepolicy/common/cameraserver.te b/sepolicy/common/cameraserver.te new file mode 100644 index 0000000..e3c1e8f --- /dev/null +++ b/sepolicy/common/cameraserver.te @@ -0,0 +1,2 @@ +allow cameraserver camera_socket:sock_file w_file_perms; +allow cameraserver vendor_file:file execmod; diff --git a/sepolicy/device.te b/sepolicy/common/device.te similarity index 50% rename from sepolicy/device.te rename to sepolicy/common/device.te index 5cc35eb..eef944e 100644 --- a/sepolicy/device.te +++ b/sepolicy/common/device.te @@ -1 +1,2 @@ type bluetooth_device, dev_type; +type efs_block_device, dev_type; diff --git a/sepolicy/common/dontaudit.te b/sepolicy/common/dontaudit.te new file mode 100644 index 0000000..a5d655d --- /dev/null +++ b/sepolicy/common/dontaudit.te @@ -0,0 +1,25 @@ +# These will be deleted before committing, I just don't want to keep +# seeing them during policy bringup + +dontaudit shell kernel:system syslog_read; + +#dontaudit system_server dalvikcache_data_file:file execute; + +dontaudit untrusted_app net_dns_prop:file { open read }; +dontaudit untrusted_app proc:file r_file_perms; + +dontaudit untrusted_app_25 camera_prop:file r_file_perms; +dontaudit untrusted_app_25 debugfs:file r_file_perms; +dontaudit untrusted_app_25 hal_memtrack_hwservice:hwservice_manager find; +dontaudit untrusted_app_25 mnt_media_rw_file:dir r_dir_perms; +dontaudit untrusted_app_25 proc:file r_file_perms; +dontaudit untrusted_app_25 proc_stat:file r_file_perms; +dontaudit untrusted_app_25 rootfs:dir r_file_perms; +dontaudit untrusted_app_25 selinuxfs:file r_file_perms; +dontaudit untrusted_app_25 serialno_prop:file r_file_perms; +dontaudit untrusted_app_25 sysfs:file { r_file_perms setattr }; +dontaudit untrusted_app_25 sysfs_devices_system_cpu:file setattr; +dontaudit untrusted_app_25 sysfs_lowmemorykiller:dir search; +dontaudit untrusted_app_25 sysfs_lowmemorykiller:file r_file_perms; +dontaudit untrusted_app_25 userdata_block_device:blk_file getattr; +dontaudit untrusted_app_25 usermodehelper:file r_file_perms; diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te new file mode 100644 index 0000000..ce827f8 --- /dev/null +++ b/sepolicy/common/file.te @@ -0,0 +1,16 @@ +type proc_bt_sleep, fs_type; + +type sysfs_bt_rfkill_state, fs_type, sysfs_type; +type sysfs_sec, fs_type, sysfs_type; +type sysfs_wifi_fw_path, fs_type, sysfs_type; +type sysfs_wifi_nv_path, fs_type, sysfs_type; + +type bt_fw_file, file_type; +type nfc_fw_file, file_type; +type vcs_data_file, file_type, data_file_type; +type wifi_efs_file, file_type; + +#type sensors_efs_file, file_type; +#type sysfs_camera, fs_type, sysfs_type; +#type sysfs_display, fs_type, sysfs_type; +#type sysfs_vibeamp, fs_type, sysfs_type; diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts new file mode 100644 index 0000000..86f7091 --- /dev/null +++ b/sepolicy/common/file_contexts @@ -0,0 +1,60 @@ +# block devices +/dev/block/platform/msm_sdcc\.1/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/msm_sdcc\.1/by-name/fota u:object_r:misc_block_device:s0 + +# data files +/data/.cid.info u:object_r:wifi_data_file:s0 +/data/.wifiver.info u:object_r:wifi_data_file:s0 +/data/(misc|system)/perfd(/.*)? u:object_r:mpctl_data_file:s0 +/data/validity(/.*)? u:object_r:vcs_data_file:s0 + +# device nodes +/dev/batch_io u:object_r:sensors_device:s0 +/dev/bcm2079x u:object_r:nfc_device:s0 +/dev/btlock u:object_r:bluetooth_device:s0 +/dev/pn547 u:object_r:nfc_device:s0 +/dev/rfkill u:object_r:wlan_device:s0 +/dev/sec-nfc u:object_r:nfc_device:s0 +/dev/ttyHS3 u:object_r:audio_device:s0 +/dev/vfsspi u:object_r:vcs_device:s0 + +# efs files +/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 + +# executeables +/system/vendor/bin/macloader u:object_r:macloader_exec:s0 + +# firmware +/system/vendor/firmware/bcm4350(.*).hcd u:object_r:bt_fw_file:s0 +/system/vendor/firmware/libpn547_fw.so u:object_r:nfc_fw_file:s0 + +# sockets +/data/cam_socket(.*) u:object_r:camera_socket:s0 + +# sysfs +/sys/devices/battery.[0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_batteryinfo:s0 +/sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi_fw_path:s0 +/sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_nv_path:s0 +/sys/devices/platform/bcm4354_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bt_rfkill_state:s0 +/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0 + +# Camera +#/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0 + +# CMHW +#/sys/devices/virtual/timed_output/vibrator(/.*)? u:object_r:sysfs_vibeamp:s0 + +# Display +#/sys/devices/virtual/lcd/panel/power_reduce u:object_r:sysfs_display:s0 + +# Fingerprint +#/dev/validity(/.*)? u:object_r:vcs_device:s0 + +# SEC +#/sys/devices/virtual/sec/tsp(/.*)? u:object_r:sysfs_sec:s0 + +# Sensors +#/efs/FactoryApp/baro_delta u:object_r:sensors_efs_file:s0 +#/efs/gyro_cal_data u:object_r:sensors_efs_file:s0 +#/efs/prox_cal u:object_r:sensors_efs_file:s0 diff --git a/sepolicy/common/fsck.te b/sepolicy/common/fsck.te new file mode 100644 index 0000000..7f7dcd7 --- /dev/null +++ b/sepolicy/common/fsck.te @@ -0,0 +1,2 @@ +allow fsck cache_block_device:blk_file rw_file_perms; +allow fsck efs_block_device:blk_file rw_file_perms; diff --git a/sepolicy/common/genfs_contexts b/sepolicy/common/genfs_contexts new file mode 100644 index 0000000..f74675b --- /dev/null +++ b/sepolicy/common/genfs_contexts @@ -0,0 +1 @@ +genfscon proc /bluetooth/sleep u:object_r:proc_bt_sleep:s0 diff --git a/sepolicy/common/hal_fingerprint_default.te b/sepolicy/common/hal_fingerprint_default.te new file mode 100644 index 0000000..ae671aa --- /dev/null +++ b/sepolicy/common/hal_fingerprint_default.te @@ -0,0 +1,6 @@ +r_dir_file(hal_fingerprint_default, firmware_file) + +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; +allow hal_fingerprint_default vcs_data_file:dir search; +allow hal_fingerprint_default vcs_data_file:file rw_file_perms; +allow hal_fingerprint_default vcs_device:chr_file rw_file_perms; diff --git a/sepolicy/common/hal_wifi_default.te b/sepolicy/common/hal_wifi_default.te new file mode 100644 index 0000000..717cf60 --- /dev/null +++ b/sepolicy/common/hal_wifi_default.te @@ -0,0 +1,4 @@ +r_dir_file(hal_wifi_default, wifi_efs_file) + +allow hal_wifi_default sysfs_wifi_fw_path:file w_file_perms; +allow hal_wifi_default wifi_data_file:file r_file_perms; diff --git a/sepolicy/common/hal_wifi_supplicant_default.te b/sepolicy/common/hal_wifi_supplicant_default.te new file mode 100644 index 0000000..893ea1b --- /dev/null +++ b/sepolicy/common/hal_wifi_supplicant_default.te @@ -0,0 +1 @@ +allow hal_wifi_supplicant_default wlan_device:chr_file r_file_perms; diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te new file mode 100644 index 0000000..57cb3d5 --- /dev/null +++ b/sepolicy/common/init.te @@ -0,0 +1,2 @@ +# Required to load shim libraries +allow init { domain -lmkd -crash_dump }:process noatsecure; diff --git a/sepolicy/common/kernel.te b/sepolicy/common/kernel.te new file mode 100644 index 0000000..8f8e1f1 --- /dev/null +++ b/sepolicy/common/kernel.te @@ -0,0 +1,4 @@ +# Samsung literally vfs_write()s to the es705 UART at /dev/ttyHS3 to +# load the firmware. Without crafting a userspace helper or re-doing +# the whole path, there is no way around this. +allow kernel audio_device:chr_file rw_file_perms; diff --git a/sepolicy/common/macloader.te b/sepolicy/common/macloader.te new file mode 100644 index 0000000..3642f00 --- /dev/null +++ b/sepolicy/common/macloader.te @@ -0,0 +1,11 @@ +type macloader, domain; +type macloader_exec, exec_type, file_type; +init_daemon_domain(macloader) + +type_transition macloader system_data_file:file wifi_data_file; + +r_dir_file(macloader, wifi_efs_file) + +allow macloader efs_file:dir search; +allow macloader sysfs_wifi_nv_path:file w_file_perms; +allow macloader wifi_data_file:file create_file_perms; diff --git a/sepolicy/common/mediaprovider.te b/sepolicy/common/mediaprovider.te new file mode 100644 index 0000000..65ce0b8 --- /dev/null +++ b/sepolicy/common/mediaprovider.te @@ -0,0 +1,2 @@ +allow mediaprovider cache_private_backup_file:dir getattr; +allow mediaprovider cache_recovery_file:dir r_dir_perms; diff --git a/sepolicy/common/mediaserver.te b/sepolicy/common/mediaserver.te new file mode 100644 index 0000000..a14d0b3 --- /dev/null +++ b/sepolicy/common/mediaserver.te @@ -0,0 +1,4 @@ +allow mediaserver camera_socket:sock_file write; +allow mediaserver mm-qcamerad:unix_dgram_socket sendto; +allow mediaserver thermal-engine:unix_stream_socket connectto; +allow mediaserver vendor_file:file execmod; diff --git a/sepolicy/common/mm-qcamerad.te b/sepolicy/common/mm-qcamerad.te new file mode 100644 index 0000000..a004dc5 --- /dev/null +++ b/sepolicy/common/mm-qcamerad.te @@ -0,0 +1,8 @@ +type_transition mm-qcamerad system_data_file:sock_file camera_socket; + +allow mm-qcamerad camera_socket:sock_file create_file_perms; + +# Allow mm-qcamera-daemon to create the socket camera_socket +allow mm-qcamerad system_data_file:dir w_dir_perms; + +allow mm-qcamerad vendor_file:file execmod; diff --git a/sepolicy/common/mpdecision.te b/sepolicy/common/mpdecision.te new file mode 100644 index 0000000..94d3f08 --- /dev/null +++ b/sepolicy/common/mpdecision.te @@ -0,0 +1,2 @@ +allow mpdecision mpctl_data_file:dir w_dir_perms; +allow mpdecision mpctl_data_file:sock_file create_file_perms; diff --git a/sepolicy/common/nfc.te b/sepolicy/common/nfc.te new file mode 100644 index 0000000..477e977 --- /dev/null +++ b/sepolicy/common/nfc.te @@ -0,0 +1 @@ +allow nfc nfc_fw_file:file rx_file_perms; diff --git a/sepolicy/common/priv_app.te b/sepolicy/common/priv_app.te new file mode 100644 index 0000000..fe2dc8b --- /dev/null +++ b/sepolicy/common/priv_app.te @@ -0,0 +1,5 @@ +get_prop(priv_app, camera_prop) +get_prop(priv_app, qemu_hw_mainkeys_prop) + +allow priv_app device:dir r_dir_perms; +allow priv_app proc_interrupts:file r_file_perms; diff --git a/sepolicy/common/property_contexts b/sepolicy/common/property_contexts new file mode 100644 index 0000000..05f3ea1 --- /dev/null +++ b/sepolicy/common/property_contexts @@ -0,0 +1 @@ +service.camera.hdmi_preview u:object_r:camera_prop:s0 diff --git a/sepolicy/common/rild.te b/sepolicy/common/rild.te new file mode 100644 index 0000000..6bbe2cf --- /dev/null +++ b/sepolicy/common/rild.te @@ -0,0 +1,8 @@ +set_prop(rild, net_radio_prop) + +allow rild radio_data_file:dir rw_dir_perms; +allow rild radio_data_file:file create_file_perms; +allow rild radio_data_file:lnk_file read; + +allow rild proc_net:file w_file_perms; +allow rild sysfs_sec:file rw_file_perms; diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te new file mode 100644 index 0000000..ca2a9a4 --- /dev/null +++ b/sepolicy/common/system_server.te @@ -0,0 +1,12 @@ +get_prop(system_server, alarm_boot_prop) + +allow system_server efs_file:dir search; +allow system_server efs_file:file r_file_perms; +allow system_server mpctl_data_file:dir search; +allow system_server mpctl_data_file:sock_file w_file_perms; +allow system_server mpdecision:unix_stream_socket connectto; +allow system_server qmuxd:unix_stream_socket connectto; +allow system_server qmuxd_socket:dir w_dir_perms; +allow system_server qmuxd_socket:sock_file { create setattr write }; +allow system_server qti_debugfs:file r_file_perms; +allow system_server sensors_device:chr_file r_file_perms; diff --git a/sepolicy/common/tee.te b/sepolicy/common/tee.te new file mode 100644 index 0000000..edb0ac7 --- /dev/null +++ b/sepolicy/common/tee.te @@ -0,0 +1 @@ +r_dir_file(tee, vcs_data_file) diff --git a/sepolicy/common/thermal-engine.te b/sepolicy/common/thermal-engine.te new file mode 100644 index 0000000..a68d2b0 --- /dev/null +++ b/sepolicy/common/thermal-engine.te @@ -0,0 +1,3 @@ +type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client"; +type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client"; +type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client"; diff --git a/sepolicy/common/vold.te b/sepolicy/common/vold.te new file mode 100644 index 0000000..5ce680c --- /dev/null +++ b/sepolicy/common/vold.te @@ -0,0 +1,2 @@ +allow vold efs_file:dir rw_dir_perms; +allow vold efs_file:file create; diff --git a/sepolicy/file.te b/sepolicy/file.te deleted file mode 100644 index 5ba86a2..0000000 --- a/sepolicy/file.te +++ /dev/null @@ -1,8 +0,0 @@ -type sensors_efs_file, file_type; -type sysfs_camera, fs_type, sysfs_type; -type sysfs_display, fs_type, sysfs_type; -type sysfs_sec, fs_type, sysfs_type; -type sysfs_vibeamp, fs_type, sysfs_type; -type sysfs_wifi_nv_path, fs_type, sysfs_type; -type vcs_data_file, file_type, data_file_type; -type wifi_efs_file, file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts deleted file mode 100644 index 3aaf30c..0000000 --- a/sepolicy/file_contexts +++ /dev/null @@ -1,63 +0,0 @@ -# Audience -/dev/ttyHS3 u:object_r:audio_device:s0 - -# Bluetooth -/dev/btlock u:object_r:bluetooth_device:s0 -/dev/rfkill u:object_r:bluetooth_device:s0 -/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 - -# Camera -/data/cam_socket.* u:object_r:camera_socket:s0 -/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0 - -# CMHW -/sys/devices/virtual/timed_output/vibrator(/.*)? u:object_r:sysfs_vibeamp:s0 - -# Display -/sys/devices/virtual/lcd/panel/power_reduce u:object_r:sysfs_display:s0 - -# EFS -/dev/block/platform/msm_sdcc.1/by-name/efs u:object_r:modem_efs_partition_device:s0 - -# Fingerprint -/data/validity(/.*)? u:object_r:vcs_data_file:s0 -/dev/validity(/.*)? u:object_r:vcs_device:s0 -/dev/vfsspi u:object_r:vcs_device:s0 - -# Macloader -/system/bin/macloader u:object_r:macloader_exec:s0 - -# NFC -/dev/bcm2079x u:object_r:nfc_device:s0 -/dev/pn547 u:object_r:nfc_device:s0 -/dev/sec-nfc u:object_r:nfc_device:s0 - -# RIL -/data/data/com.android.providers.telephony/databases(/.*)? u:object_r:radio_data_file:s0 -/data/data/com.android.providers.telephony/shared_prefs(/.*)? u:object_r:radio_data_file:s0 - -# RIL - Variant Blobs -/system/blobs/(.*)/bin/ks u:object_r:mdm_helper_exec:s0 -/system/blobs/(.*)/bin/qmuxd u:object_r:qmuxd_exec:s0 -/system/blobs/(.*)/bin/rfs_access u:object_r:rfs_access_exec:s0 -/system/blobs/(.*)/bin/rild u:object_r:rild_exec:s0 -/system/blobs/(.*)/bin/rmt_storage u:object_r:rmt_storage_exec:s0 - -# SEC -/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0 -/sys/devices/virtual/sec/tsp(/.*)? u:object_r:sysfs_sec:s0 - -# Sensors -/dev/batch_io u:object_r:sensors_device:s0 -/efs/FactoryApp/baro_delta u:object_r:sensors_efs_file:s0 -/efs/gyro_cal_data u:object_r:sensors_efs_file:s0 -/efs/prox_cal u:object_r:sensors_efs_file:s0 - -# Uncrypt -/dev/block/platform/msm_sdcc.1/by-name/fota u:object_r:misc_block_device:s0 - -# WiFi -/data/.cid.info u:object_r:wifi_data_file:s0 -/data/.wifiver.info u:object_r:wifi_data_file:s0 -/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 -/sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_nv_path:s0 diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts deleted file mode 100644 index 49a35af..0000000 --- a/sepolicy/genfs_contexts +++ /dev/null @@ -1 +0,0 @@ -genfscon proc /bluetooth/sleep u:object_r:proc_bluetooth_writable:s0 diff --git a/sepolicy/bluetooth.te b/sepolicy/old/bluetooth.te similarity index 100% rename from sepolicy/bluetooth.te rename to sepolicy/old/bluetooth.te diff --git a/sepolicy/cameraserver.te b/sepolicy/old/cameraserver.te similarity index 99% rename from sepolicy/cameraserver.te rename to sepolicy/old/cameraserver.te index 2a2100a..11cf7d7 100644 --- a/sepolicy/cameraserver.te +++ b/sepolicy/old/cameraserver.te @@ -4,4 +4,3 @@ allow cameraserver property_socket:sock_file write; allow cameraserver sysfs_camera:dir search; allow cameraserver sysfs_camera:file { open read }; allow cameraserver system_file:file execmod; - diff --git a/sepolicy/old/file_contexts b/sepolicy/old/file_contexts new file mode 100644 index 0000000..b946283 --- /dev/null +++ b/sepolicy/old/file_contexts @@ -0,0 +1,8 @@ +# Camera +/data/cam_socket.* u:object_r:camera_socket:s0 + +# EFS +/dev/block/platform/msm_sdcc.1/by-name/efs u:object_r:modem_efs_partition_device:s0 + +# Macloader +/system/bin/macloader u:object_r:macloader_exec:s0 diff --git a/sepolicy/fingerprintd.te b/sepolicy/old/fingerprintd.te similarity index 99% rename from sepolicy/fingerprintd.te rename to sepolicy/old/fingerprintd.te index 4a25a4c..0010127 100644 --- a/sepolicy/fingerprintd.te +++ b/sepolicy/old/fingerprintd.te @@ -1,14 +1,12 @@ +allow fingerprintd firmware_file:dir r_dir_perms; +allow fingerprintd firmware_file:file r_file_perms; allow fingerprintd vcs_data_file:dir create_dir_perms; allow fingerprintd vcs_data_file:file create_file_perms; +allow fingerprintd tee_device:chr_file rw_file_perms; allow fingerprintd vcs_device:dir create_dir_perms; allow fingerprintd vcs_device:file create_file_perms; allow fingerprintd vcs_device:fifo_file create_file_perms; + allow fingerprintd vcs_device:chr_file create_file_perms; - -allow fingerprintd tee_device:chr_file rw_file_perms; - -allow fingerprintd firmware_file:dir r_dir_perms; -allow fingerprintd firmware_file:file r_file_perms; - allow fingerprintd vfat:file { getattr open read }; diff --git a/sepolicy/fsck.te b/sepolicy/old/fsck.te similarity index 100% rename from sepolicy/fsck.te rename to sepolicy/old/fsck.te diff --git a/sepolicy/healthd.te b/sepolicy/old/healthd.te similarity index 100% rename from sepolicy/healthd.te rename to sepolicy/old/healthd.te diff --git a/sepolicy/hostapd.te b/sepolicy/old/hostapd.te similarity index 100% rename from sepolicy/hostapd.te rename to sepolicy/old/hostapd.te diff --git a/sepolicy/init.te b/sepolicy/old/init.te similarity index 100% rename from sepolicy/init.te rename to sepolicy/old/init.te diff --git a/sepolicy/kernel.te b/sepolicy/old/kernel.te similarity index 100% rename from sepolicy/kernel.te rename to sepolicy/old/kernel.te diff --git a/sepolicy/macloader.te b/sepolicy/old/macloader.te similarity index 82% rename from sepolicy/macloader.te rename to sepolicy/old/macloader.te index df90419..0b3b410 100644 --- a/sepolicy/macloader.te +++ b/sepolicy/old/macloader.te @@ -1,7 +1,3 @@ -type macloader, domain; -type macloader_exec, exec_type, file_type; -init_daemon_domain(macloader) - type_transition macloader system_data_file:file wifi_data_file; allow macloader efs_file:dir search; diff --git a/sepolicy/mediaserver.te b/sepolicy/old/mediaserver.te similarity index 100% rename from sepolicy/mediaserver.te rename to sepolicy/old/mediaserver.te diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/old/mm-qcamerad.te similarity index 100% rename from sepolicy/mm-qcamerad.te rename to sepolicy/old/mm-qcamerad.te diff --git a/sepolicy/mpdecision.te b/sepolicy/old/mpdecision.te similarity index 100% rename from sepolicy/mpdecision.te rename to sepolicy/old/mpdecision.te diff --git a/sepolicy/platform_app.te b/sepolicy/old/platform_app.te similarity index 100% rename from sepolicy/platform_app.te rename to sepolicy/old/platform_app.te diff --git a/sepolicy/priv_app.te b/sepolicy/old/priv_app.te similarity index 100% rename from sepolicy/priv_app.te rename to sepolicy/old/priv_app.te diff --git a/sepolicy/rild.te b/sepolicy/old/rild.te similarity index 100% rename from sepolicy/rild.te rename to sepolicy/old/rild.te diff --git a/sepolicy/shell.te b/sepolicy/old/shell.te similarity index 100% rename from sepolicy/shell.te rename to sepolicy/old/shell.te diff --git a/sepolicy/system_server.te b/sepolicy/old/system_server.te similarity index 100% rename from sepolicy/system_server.te rename to sepolicy/old/system_server.te diff --git a/sepolicy/tee.te b/sepolicy/old/tee.te similarity index 100% rename from sepolicy/tee.te rename to sepolicy/old/tee.te diff --git a/sepolicy/thermal-engine.te b/sepolicy/old/thermal-engine.te similarity index 100% rename from sepolicy/thermal-engine.te rename to sepolicy/old/thermal-engine.te diff --git a/sepolicy/ueventd.te b/sepolicy/old/ueventd.te similarity index 100% rename from sepolicy/ueventd.te rename to sepolicy/old/ueventd.te diff --git a/sepolicy/untrusted_app.te b/sepolicy/old/untrusted_app.te similarity index 100% rename from sepolicy/untrusted_app.te rename to sepolicy/old/untrusted_app.te diff --git a/sepolicy/vold.te b/sepolicy/old/vold.te similarity index 100% rename from sepolicy/vold.te rename to sepolicy/old/vold.te diff --git a/sepolicy/private/mediaextractor.te b/sepolicy/private/mediaextractor.te new file mode 100644 index 0000000..88b7c6d --- /dev/null +++ b/sepolicy/private/mediaextractor.te @@ -0,0 +1,2 @@ +allow mediaextractor exfat:file r_file_perms; +allow mediaextractor sdcardfs:file r_file_perms; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts deleted file mode 100644 index 1f84c35..0000000 --- a/sepolicy/property_contexts +++ /dev/null @@ -1,10 +0,0 @@ -########################## -# property service keys -# -# -persist.ril.radiocapa.tdscdma u:object_r:radio_prop:s0 -persist.ril.modem.board u:object_r:radio_prop:s0 -persist.ril.ims.eutranParam u:object_r:radio_prop:s0 -persist.ril.ims.utranParam u:object_r:radio_prop:s0 -persist.ril.xcap.pdnFailCause u:object_r:radio_prop:s0 -persist.ril.ims.pdnFailCause u:object_r:radio_prop:s0 diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk new file mode 100644 index 0000000..45022e2 --- /dev/null +++ b/sepolicy/sepolicy.mk @@ -0,0 +1,28 @@ +# +# Copyright (C) 2018 The LineageOS Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +-include device/qcom/sepolicy/sepolicy.mk +-include device/qcom/sepolicy/legacy-sepolicy.mk + +# Board specific SELinux policy variable definitions +BOARD_SEPOLICY_DIRS += \ + device/samsung/klte-common/sepolicy/common \ + +BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \ + device/samsung/klte-common/sepolicy/public + +BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \ + device/samsung/klte-common/sepolicy/private diff --git a/sepolicy/wpa.te b/sepolicy/wpa.te deleted file mode 100644 index 1cdf25b..0000000 --- a/sepolicy/wpa.te +++ /dev/null @@ -1,4 +0,0 @@ -allow wpa bluetooth_device:chr_file rw_file_perms; -allow wpa efs_file:dir search; -allow wpa wifi_efs_file:dir search; -allow wpa wifi_efs_file:file r_file_perms;