msm8226-common: Add SELinux specific policies

2024-11-06 21:55:45 +00:00 · 2014-12-30 14:11:24 +01:00 · 2014-12-30 14:11:24 +01:00 · 7a65d086dc
commit 7a65d086dc
parent aa5b6ce106
12 changed files with 55 additions and 0 deletions
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@ -91,6 +91,10 @@ BOARD_RECOVERY_SWIPE := true
 BOARD_USE_CUSTOM_RECOVERY_FONT := \"roboto_15x24.h\"
 COMMON_GLOBAL_CFLAGS += -DNO_SECURE_DISCARD

+# SELinux
+-include device/qcom/sepolicy/sepolicy.mk
+BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/sepolicy
+
 # Vold
 BOARD_VOLD_EMMC_SHARES_DEV_MAJOR := true
 TARGET_USE_CUSTOM_LUN_FILE_PATH := /sys/devices/platform/msm_hsusb/gadget/lun%d/file
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@ -0,0 +1,5 @@
+type sensors_efs_file, file_type;
+type sysfs_camera, fs_type, sysfs_type;
+type sysfs_display, fs_type, sysfs_type;
+type sysfs_vibeamp, fs_type, sysfs_type;
+type wifi_efs_file, file_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -0,0 +1,22 @@
+# Camera
+/data/cam_socket.*                                      u:object_r:camera_socket:s0
+/sys/devices/virtual/camera(/.*)?                       u:object_r:sysfs_camera:s0
+
+# CMHW
+/sys/devices/virtual/timed_output/vibrator(/.*)?        u:object_r:sysfs_vibeamp:s0
+/sys/class/sec/sec_touchkey/keypad_enable               u:object_r:sysfs_display:s0
+
+# Display
+/sys/devices/virtual/lcd/panel/power_reduce             u:object_r:sysfs_display:s0
+
+# NFC
+/dev/pn547                                              u:object_r:nfc_device:s0
+
+# Sensors
+/efs/FactoryApp/baro_delta                              u:object_r:sensors_efs_file:s0
+/efs/gyro_cal_data                                      u:object_r:sensors_efs_file:s0
+
+# WiFi
+/data/.wifiver.info                                     u:object_r:wifi_data_file:s0
+/efs/wifi(/.*)?                                         u:object_r:wifi_efs_file:s0
+
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@ -0,0 +1,2 @@
+allow mediaserver sysfs_camera:dir search;
+allow mediaserver sysfs_camera:file { getattr open read };
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@ -0,0 +1,3 @@
+allow mm-qcamerad sysfs_camera:dir search;
+allow mm-qcamerad sysfs_camera:file { getattr open read write };
+type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@ -0,0 +1 @@
+allow rild proc_net:file { write };
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@ -0,0 +1 @@
+allow rmt_storage ssd_device:blk_file { open read write };
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -0,0 +1,3 @@
+allow system_app sysfs_display:file { getattr open read write };
+allow system_app sysfs_vibeamp:dir search;
+allow system_app sysfs_vibeamp:file { getattr open read write };
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -0,0 +1,7 @@
+allow system_server efs_file:dir search;
+allow system_server sensors_efs_file:file { open read };
+allow system_server sysfs_vibeamp:dir search;
+allow system_server sysfs_vibeamp:file { open read write };
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file { open read write };
+allow system_server time_daemon:unix_stream_socket connectto;
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@ -0,0 +1,2 @@
+allow time_daemon time_data_file:file { getattr append unlink };
+allow time_daemon time_data_file:dir { remove_name };
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@ -0,0 +1,2 @@
+allow ueventd sysfs_camera:file { open read write };
+allow ueventd sysfs_vibeamp:file { open read write };
--- a/sepolicy/wpa.te
+++ b/sepolicy/wpa.te
@ -0,0 +1,3 @@
+allow wpa efs_file:dir search;
+allow wpa wifi_efs_file:dir search;
+allow wpa wifi_efs_file:file { open read };
				`@ -0,0 +1 @@`
				`allow rmt_storage ssd_device:blk_file { open read write };`