msm8976-common: Make it enforcing :3

2017-01-23 17:09:59 +01:00 · 2017-01-23 17:09:59 +01:00 · f175f6bc68
parent 06e899f6c8
commit f175f6bc68
14 changed files with 37 additions and 3 deletions
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@ -50,7 +50,6 @@ TARGET_NO_BOOTLOADER := true
 # Kernel
 BOARD_KERNEL_BASE := 0x80000000
 BOARD_KERNEL_CMDLINE := console=null androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_IMAGE_NAME := Image.gz
 BOARD_KERNEL_PAGESIZE := 2048
 BOARD_KERNEL_SEPARATED_DT := true
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@ -1534,6 +1534,7 @@ service hci_filter_root /system/bin/wcnss_filter
 service config_bluetooth /system/bin/sh /system/etc/init.qcom.bt.sh "onboot"
    class core
    user root
+    seclabel u:r:bluetooth_loader:s0
    oneshot

 service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
@ -1541,6 +1542,7 @@ service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
    user bluetooth
    group bluetooth net_bt_admin
    disabled
+    seclabel u:r:bluetooth_loader:s0
    oneshot

 on property:bluetooth.hciattach=true
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@ -0,0 +1 @@
+type efs_block_device, dev_type;
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@ -0,0 +1,2 @@
+type app_efs_file, file_type;
+type sysfs_mdnie, fs_type, sysfs_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -1 +1,17 @@
-/system/bin/timekeep                     u:object_r:timekeep_exec:s0
+# Cache
+/dev/block/bootdevice/by-name/cache          u:object_r:cache_block_device:s0
+
+# EFS
+/dev/block/bootdevice/by-name/efs            u:object_r:efs_block_device:s0
+/efs/bluetooth(/.*)?                         u:object_r:bluetooth_efs_file:s0
+/efs/FactoryApp(/.*)?                        u:object_r:app_efs_file:s0
+
+# FRP
+/dev/block/bootdevice/by-name/persistent     u:object_r:frp_block_device:s0
+
+# mDNIe
+/sys/devices/virtual/mdnie/mdnie/mode        u:object_r:sysfs_mdnie:s0
+/sys/devices/virtual/mdnie/mdnie/scenario    u:object_r:sysfs_mdnie:s0
+
+# TimeKeep
+/system/bin/timekeep                         u:object_r:timekeep_exec:s0
--- a/sepolicy/fsck.te
+++ b/sepolicy/fsck.te
@ -0,0 +1 @@
+allow fsck efs_block_device:blk_file rw_file_perms;
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@ -0,0 +1,2 @@
+r_dir_file(netd, efs_file)
+r_dir_file(netd, firmware_file)
--- a/sepolicy/perm_mgr.te
+++ b/sepolicy/perm_mgr.te
@ -0,0 +1 @@
+allow per_mgr self:capability net_raw;
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@ -1 +1,2 @@
 type timekeep_prop, property_type;
+type rmt_storage_prop, property_type;
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@ -1 +1,3 @@
-persist.sys.timeadjust     u:object_r:timekeep_prop:s0
+persist.sys.timeadjust         u:object_r:timekeep_prop:s0
+service.camera.hdmi_preview    u:object_r:camera_prop:s0
+storage.efs_sync.done          u:object_r:rmt_storage_prop:s0
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@ -0,0 +1 @@
+set_prop(rmt_storage, rmt_storage_prop)
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -1,3 +1,5 @@
+allow system_app sysfs_mdnie:file rw_file_perms;
+
 allow system_app time_data_file:file rw_file_perms;

 set_prop(system_app, timekeep_prop)
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -0,0 +1,3 @@
+allow system_server sysfs_mdnie:file rw_file_perms;
+
+r_dir_file(system_server, app_efs_file)
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@ -0,0 +1 @@
+allow wcnss_service self:capability { setgid setuid };
				`@ -0,0 +1 @@`
				`allow fsck efs_block_device:blk_file rw_file_perms;`
				`@ -0,0 +1 @@`
				`allow wcnss_service self:capability { setgid setuid };`