| author | rogersb11 <brettrogers11@gmail.com> | 2015-11-12 04:51:38 -0500 |
|---|---|---|
| committer | Brett Rogers <brettrogers11@gmail.com> | 2015-12-02 09:54:17 -0800 |
| commit | 04de314e155a00e7299305c6f0ca05fd47045926 (patch) | |
| tree | 6ca57022949b1aab04a7573b5b54a370ab4c5b96 | |
| parent | 5b06fdd56bba9aeee7959794217d296c47d48945 (diff) | |
| download | device_samsung_t0lte-04de314e155a00e7299305c6f0ca05fd47045926.tar.gz device_samsung_t0lte-04de314e155a00e7299305c6f0ca05fd47045926.tar.bz2 device_samsung_t0lte-04de314e155a00e7299305c6f0ca05fd47045926.zip | |
Update sepolicy for M (WIP)
Change-Id: I668e299e7c6d9927144e3eedf59d559dfa8d0b23
36 files changed, 104 insertions, 46 deletions
diff --git a/BoardCommonConfig.mk b/BoardCommonConfig.mk
index 3d22f0a..db788f3 100644
--- a/BoardCommonConfig.mk
+++ b/BoardCommonConfig.mk
@@ -45,4 +45,4 @@ RECOVERY_FSTAB_VERSION := 2
 TARGET_OTA_ASSERT_DEVICE := t0lte,t0ltexx,GT-N7105,t0ltedv,GT-N7105T,t0lteatt,SGH-I317,t0ltetmo,SGH-T889,t0ltecan,t0ltevl,SGH-I317M
 # Selinux
-BOARD_SEPOLICY_DIRS += \device/samsung/t0lte/selinux
+BOARD_SEPOLICY_DIRS += device/samsung/t0lte/selinux
diff --git a/selinux/SMD-daemon.te b/selinux/SMD-daemon.te
new file mode 100644
index 0000000..3632822
--- /dev/null
+++ b/selinux/SMD-daemon.te
@@ -0,0 +1,4 @@
+type SMD-daemon, domain;
+type SMD-daemon_exec, exec_type, file_type;
+
+allow SMD-daemon system_file:file { execute_no_trans };
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
new file mode 100644
index 0000000..48655c9
--- /dev/null
+++ b/selinux/at_distributor.te
@@ -0,0 +1,4 @@
+type at_distributor, domain;
+type at_distributor_exec, exec_type, file_type;
+
+allow at_distributor system_file:file { execute_no_trans };
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
index a6e68b8..4469f4d 100644
--- a/selinux/bluetooth.te
+++ b/selinux/bluetooth.te
@@ -1,2 +1,4 @@
 allow bluetooth smd_device:chr_file { read write ioctl open };
-allow bluetooth sysfs:file { write };
\ No newline at end of file
+allow bluetooth log_device:chr_file { write open };
+#allow bluetooth sysfs:file { write };
+
diff --git a/selinux/bootanim.te b/selinux/bootanim.te
new file mode 100644
index 0000000..6549a99
--- /dev/null
+++ b/selinux/bootanim.te
@@ -0,0 +1 @@
+allow bootanim log_device:chr_file { open write };
diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te
new file mode 100644
index 0000000..1a03fb4
--- /dev/null
+++ b/selinux/debuggerd.te
@@ -0,0 +1,2 @@
+allow debuggerd log_device:chr_file { read open };
+allow debuggerd log_device:dir search;
diff --git a/selinux/device.te b/selinux/device.te
index e4cec2d..cc1cf07 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -5,7 +5,7 @@ type wlan_device, dev_type;
 type modem_block_device, dev_type;
 type diagnostic_device, dev_type;
 type efs_block_device, dev_type;
-type mmc_block_device, dev_type;
+#type boot_block_device, dev_type;
 #SSR device
 type ssr_device, dev_type;
@@ -24,4 +24,4 @@ type diag_device, dev_type;
 type smem_log_device, dev_type;
 #Define rct device type for time daemon
-type rtc_device, dev_type;
+#type rtc_device, dev_type;
diff --git a/selinux/dex2oat.te b/selinux/dex2oat.te
new file mode 100644
index 0000000..ef256e5
--- /dev/null
+++ b/selinux/dex2oat.te
@@ -0,0 +1,2 @@
+allow dex2oat log_device:chr_file { write open };
+allow dex2oat log_device:dir search;
diff --git a/selinux/diag_uart_log.te b/selinux/diag_uart_log.te
new file mode 100644
index 0000000..c0d1fd9
--- /dev/null
+++ b/selinux/diag_uart_log.te
@@ -0,0 +1,2 @@
+type diag_uart_log, domain;
+type diag_uart_log_exec, exec_type, file_type;
diff --git a/selinux/domain.te b/selinux/domain.te
index 56c2d49..f581c46 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
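Review bot: The replaced sysfs rule is kept as a comment (`+#allow bluetooth sysfs:file { write };`) instead of being deleted, and the same pattern recurs in init.te, logd.te, rild.te, secril.te, sysinit.te and wpa_supplicant.te in this commit. Commented-out allow rules accumulate into noise that hides what the policy actually grants, and git already preserves the history; if a rule is disabled pending investigation, a one-line reason such as `# sysfs write not needed on M; remove once verified` is more useful than the dead rule itself. The added trailing `+` blank line also leaves the file ending in an empty line rather than just a newline.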
@@ -1,7 +1,11 @@
 ## /dev/mali, /dev/ump
 allow domain mali_device:chr_file rw_file_perms;
+allow domain at_distributor:chr_file rw_file_perms;
+allow domain diag_uart_log:chr_file rw_file_perms;
+allow domain SMD-daemon:chr_file rw_file_perms;
+allow domain qmiproxy:chr_file rw_file_perms;
 userdebug_or_eng(`
 allow domain diag_device:chr_file rw_file_perms;
 ')
-
+dontaudit domain kernel:system module_request;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index c42fa2c..4409611 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -1,7 +1,7 @@
 # GFX
-/dev/mali u:object_r:mali_device:s0
-/dev/ump u:object_r:mali_device:s0
-/dev/fimg2d u:object_r:mali_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/ump u:object_r:gpu_device:s0
+/dev/fimg2d u:object_r:gpu_device:s0
 /dev/s3c-mfc u:object_r:mfc_device:s0
@@ -9,7 +9,7 @@
 /dev/mdm u:object_r:radio_device:s0
 /dev/hsicctl[0-3]* u:object_r:radio_device:s0
 /dev/ttyUSB0 u:object_r:radio_device:s0
-/dev/diag u:object_r:diagnostic_device:s0
+/dev/qcom_diag u:object_r:diagnostic_device:s0
 # GPS
 /dev/ttySAC1 u:object_r:gps_device:s0
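Review bot: The four new `allow domain X:chr_file rw_file_perms;` rules name process domains as the character-device target: at_distributor, diag_uart_log and SMD-daemon are declared `type X, domain;` in this same commit, so no device node will ever carry those labels and the rules are dead (qmiproxy is not declared in this diff, so I cannot tell for it). They presumably meant `*_device` types, and even then granting them to every domain rather than to the specific daemons that talk to those nodes is broader than needed. Separately, `dontaudit domain kernel:system module_request;` silences module-autoload denials for every domain on the system, which removes the audit trail for later policy work and sits oddly beside the explicit `allow ... kernel:system { module_request }` rules added for init and untrusted_app elsewhere in this commit; scoping the dontaudit to the domains known to trigger autoload would keep the signal for the rest.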
@@ -58,19 +58,23 @@
 /data/misc/radio/dlnk u:object_r:radio_data_file:s0
 # Binaries
-/system/bin/qmuxd u:object_r:qmuxd_exec:s0
-/system/bin/efsks u:object_r:kickstart_exec:s0
-/system/bin/ks u:object_r:kickstart_exec:s0
-/system/bin/qcks u:object_r:kickstart_exec:s0
+/system/bin/qmuxd u:object_r:qmuxd_exec:s0
+/system/bin/efsks u:object_r:kickstart_exec:s0
+/system/bin/ks u:object_r:kickstart_exec:s0
+/system/bin/qcks u:object_r:kickstart_exec:s0
 # Sockets
-/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
 # Block devices
-/dev/block/mmcblk0(.*) u:object_r:mmc_block_device:s0
+/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p12 u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p13 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p16 u:object_r:userdata_block_device:s0
 # Audio related
-/data/local/audio(/.*)? u:object_r:volume_data_file:s0
+/data/local/audio(/.*)? u:object_r:volume_data_file:s0
diff --git a/selinux/fsck.te b/selinux/fsck.te
new file mode 100644
index 0000000..352c53b
--- /dev/null
+++ b/selinux/fsck.te
@@ -0,0 +1,2 @@
+allow fsck efs_block_device:blk_file { getattr open read write ioctl };
+allow fsck fsck:capability { dac_override };
diff --git a/selinux/fsck_untrusted.te b/selinux/fsck_untrusted.te
new file mode 100644
index 0000000..623481d
--- /dev/null
+++ b/selinux/fsck_untrusted.te
@@ -0,0 +1 @@
+allow fsck_untrusted log_device:chr_file { open write };
diff --git a/selinux/init.te b/selinux/init.te
index 2fdff9a..77e8963 100644
--- a/selinux/init.te
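Review bot: `/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0` labels every eMMC partition not covered by the four explicit entries — recovery, bootloader and modem images included — as boot_block_device, and kickstart.te and vold.te in this commit grant those daemons `boot_block_device:blk_file { read write ... }`, so they gain write access to all of them. The literal p3/p12/p13/p16 entries should win over the pattern as the more specific matches, but the fall-through is still far wider than the single partition the type name implies. Label only the real boot partition as boot_block_device and keep the remaining partitions under a device-specific type (the removed mmc_block_device, or one type per partition), then point kickstart and vold at the types they actually need. The rest of the hunk only re-pads column alignment and changes nothing semantically.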
+++ b/selinux/init.te
@@ -1,14 +1,17 @@
 allow init wpa_socket:unix_dgram_socket { bind create };
-allow init su_exec:file { execute_no_trans };
+#allow init su_exec:file { execute_no_trans };
 allow init init:process { execmem };
 allow init init:capability { sys_module };
 allow init radio_efs_file:filesystem { relabelto };
 allow init app_data_file:dir { read open setattr getattr relabelfrom };
-allow init_shell kernel:system { syslog_mod };
+allow init kernel:system syslog_read;
 allow init init:packet_socket { create bind write read };
 allow init init:rawip_socket { create setopt write };
-allow init_shell init:packet_socket { read write };
-
-
+#allow init_shell init:packet_socket { read write };
+allow init log_device:chr_file { write };
+allow init kernel:system { module_request };
+#allow init system_file:file execute_no_trans;
+allow init block_device:lnk_file { setattr };
+domain_trans(init, rootfs, SMD-daemon)
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
index d663145..773c264 100755
--- a/selinux/kickstart.te
+++ b/selinux/kickstart.te
@@ -13,7 +13,7 @@ allow kickstart kickstart_exec:file { open execute_no_trans getattr };
 # Run dd on m9kefs[123] block devices; write to /data/qcks/
 # Run cat on firmware and m9kefs[123] data; write to /data/qcks/
-allow kickstart mmc_block_device:blk_file { getattr read write open };
+allow kickstart boot_block_device:blk_file { getattr read write open };
 allow kickstart kickstart_data_file:file create_file_perms;
 allow kickstart kickstart_data_file:dir rw_dir_perms;
 allow kickstart radio_efs_file:file r_file_perms;
@@ -50,3 +50,4 @@ allow kickstart kickstart:process { execmem };
 allow kickstart usbfs:dir { search };
 #allow kickstart system_file:file { entrypoint };
 allow kickstart vfat:dir { search };
+allow kickstart log_device:chr_file { open write };
diff --git a/selinux/logd.te b/selinux/logd.te
index d2378fd..5ed43b6 100644
--- a/selinux/logd.te
+++ b/selinux/logd.te
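Review bot: `domain_trans(init, rootfs, SMD-daemon)` uses the generic rootfs label as the entrypoint, so any rootfs-labelled binary that init executes is a valid entry into the SMD-daemon domain, while the `SMD-daemon_exec` type declared in SMD-daemon.te in this commit is never referenced and no file_contexts entry in this diff assigns it. Give the daemon binary its own label in file_contexts and transition on it, `domain_auto_trans(init, SMD-daemon_exec, SMD-daemon)`; the `execute_no_trans` on system_file in SMD-daemon.te hints the binary may actually live under /system, in which case the label belongs on that path instead. The two new `kernel:system` rules could also be a single line, `allow init kernel:system { syslog_read module_request };`. The file header for this hunk starts on the preceding line.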
@@ -1,2 +1,2 @@
-allow logd location_app:dir r_dir_perms;
-allow logd location_app:file r_file_perms;
\ No newline at end of file
+#allow logd location_app:dir r_dir_perms;
+#allow logd location_app:file r_file_perms;
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 65550ce..3241f66 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -6,4 +6,10 @@ allow mediaserver camera_data_file:file rw_file_perms;
 allow mediaserver volume_data_file:file create_file_perms;
 allow mediaserver volume_data_file:dir create_dir_perms;
 allow mediaserver mfc_device:chr_file rw_file_perms;
-allow mediaserver system_data_file:file { write open };
+allow mediaserver system_data_file:file { execmod };
+allow mediaserver system_file:file { execmod };
+allow mediaserver mnt_user_file:lnk_file { read };
+allow mediaserver mnt_user_file:dir { search };
+allow mediaserver storage_file:lnk_file { read };
+allow mediaserver storage_file:dir { search };
+allow mediaserver log_device:chr_file { open write };
diff --git a/selinux/netd.te b/selinux/netd.te
index 0fb1b6a..5a41e80 100644
--- a/selinux/netd.te
+++ b/selinux/netd.te
@@ -1 +1 @@
-allow netd kernel:system { module_request };
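Review bot: `allow mediaserver system_data_file:file { execmod };` lets mediaserver execute modified, writable mappings of files under /data, which gives up the W^X guarantee for a daemon that parses untrusted media, and the companion `system_file:file { execmod }` points at a vendor library with text relocations. I believe AOSP's core domain.te of this era carries neverallow rules against execmod on system_data_file for non-app domains, so this may fail the policy build — worth confirming before relying on it. The previous `{ write open }` rule was replaced rather than extended, so the denial most likely came from one specific file; identify it, relabel it, and fix or at least name the relocating library in a comment rather than granting execmod on whole file types.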
\ No newline at end of file
+allow netd log_device:chr_file { open write };
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
index 0f31fad..8b99f42 100755
--- a/selinux/netmgrd.te
+++ b/selinux/netmgrd.te
@@ -13,7 +13,6 @@ allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_ra
 allow netmgrd self:packet_socket { write bind read create };
 allow netmgrd self:netlink_socket { write read create bind setopt };
 allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
-allow netmgrd kernel:system module_request;
 # Talk to qmuxd
 qmux_socket(netmgrd)
diff --git a/selinux/nfc.te b/selinux/nfc.te
index 9c8c37a..e1f83cb 100644
--- a/selinux/nfc.te
+++ b/selinux/nfc.te
@@ -1 +1,2 @@
-allow nfc firmware_camera:dir { search };
\ No newline at end of file
+allow nfc firmware_camera:dir { search };
+allow nfc log_device:chr_file { write };
diff --git a/selinux/platform_app.te b/selinux/platform_app.te
new file mode 100644
index 0000000..5f9a1ed
--- /dev/null
+++ b/selinux/platform_app.te
@@ -0,0 +1 @@
+allow platform_app log_device:chr_file { open write };
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
index da255f2..9ce6f57 100644
--- a/selinux/qmuxd.te
+++ b/selinux/qmuxd.te
@@ -48,4 +48,4 @@ r_dir_file(qmuxd, sysfs_ssr);
 allow qmuxd mhi_device:chr_file rw_file_perms;
 allow qmuxd qmuxd:process { execmem };
-allow qmuxd radio_device:chr_file {read write open };
\ No newline at end of file
+allow qmuxd radio_device:chr_file { read write open };
diff --git a/selinux/radio.te b/selinux/radio.te
index 6dc99b0..e697ef9 100644
--- a/selinux/radio.te
+++ b/selinux/radio.te
@@ -1,4 +1,5 @@
 # Talk to qmuxd (/dev/socket/qmux_radio)
 qmux_socket(radio) ;
-allow radio secril-daemon:unix_stream_socket { connectto };
\ No newline at end of file
+allow radio secril-daemon:unix_stream_socket { connectto };
+allow radio log_device:chr_file { write };
diff --git a/selinux/rild.te b/selinux/rild.te
index b81c43f..3128b61 100755
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -19,7 +19,7 @@ allow rild rild_socket:chr_file { open read write };
 allow rild sysfs_ssr:dir r_dir_perms;
 allow rild sysfs_ssr:lnk_file read;
 allow rild system_data_file:dir w_dir_perms;
-allow rild system_data_file:file create_file_perms;
+#allow rild system_data_file:file create_file_perms;
 #allow rild time_daemon:unix_stream_socket connectto;
 allow rild rild:process execmem;
@@ -27,3 +27,7 @@ allow rild diagnostic_device:chr_file { read write open };
 allow rild radio_data_file:dir { setattr };
 allow rild init:unix_stream_socket { read write };
 allow rild proc_net:file { write };
+
+allow rild log_device:chr_file { open };
+allow rild log_device:chr_file write;
+allow rild self:capability dac_override;
diff --git a/selinux/sdcardd.te b/selinux/sdcardd.te
new file mode 100644
index 0000000..2be5568
--- /dev/null
+++ b/selinux/sdcardd.te
@@ -0,0 +1 @@
+allow sdcardd log_device:chr_file { open write };
diff --git a/selinux/secril.te b/selinux/secril.te
index 1b1cc0a..0681aa4 100644
--- a/selinux/secril.te
+++ b/selinux/secril.te
@@ -12,9 +12,8 @@ unix_socket_connect(secril-daemon, rild, rild)
 allow secril-daemon { efs_file }:file rw_file_perms;
 allow secril-daemon system_data_file:dir create_dir_perms;
-allow secril-daemon system_data_file:file unlink;
+# allow secril-daemon system_data_file:file unlink;
 allow secril-daemon radio_data_file:file { create_file_perms };
-allow secril-daemon kernel:system module_request;
 allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
 allow secril-daemon system_file:file x_file_perms;
 allow secril-daemon sysfs:file rw_file_perms;
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
index f793106..a9d669c 100644
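Review bot: `allow rild self:capability dac_override;` gives the radio daemon a blanket bypass of file-permission checks, which is a broad grant for what is usually a single mis-owned path under /data; fixing the ownership or label of that path in init.rc/file_contexts is preferable, and if the capability must stay, a comment naming the path it is needed for should sit next to it. The two new log_device rules can be one line, `allow rild log_device:chr_file { open write };`, matching how the other files in this commit write it. The second rild hunk here ends the file section, but the commented-out `create_file_perms` in the first hunk follows the same keep-as-comment pattern noted on bluetooth.te.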
--- a/selinux/servicemanager.te
+++ b/selinux/servicemanager.te
@@ -6,4 +6,5 @@ allow servicemanager zygote:file { read open };
 allow servicemanager zygote:process { getattr };
 allow servicemanager init:file rw_file_perms;
 allow servicemanager init:dir { search read open getattr };
-allow servicemanager init:process { getattr };
\ No newline at end of file
+allow servicemanager init:process { getattr };
+allow servicemanager log_device:chr_file { open write };
diff --git a/selinux/shared_relro.te b/selinux/shared_relro.te
new file mode 100644
index 0000000..f7f75b3
--- /dev/null
+++ b/selinux/shared_relro.te
@@ -0,0 +1 @@
+allow shared_relro log_device:chr_file { write };
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
index 705bb8a..e7e487e 100644
--- a/selinux/sysinit.te
+++ b/selinux/sysinit.te
@@ -1,4 +1,4 @@
-allow sysinit mmc_block_device:file read;
+#allow sysinit boot_block_device:file read;
 allow sysinit firmware_camera:dir { read search open getattr write remove_name add_name };
 allow sysinit firmware_camera:file { read open write getattr setattr create unlink };
 allow sysinit sysinit:capability { dac_override chown fowner fsetid };
diff --git a/selinux/system_app.te b/selinux/system_app.te
index 22ee485..162bf37 100644
--- a/selinux/system_app.te
+++ b/selinux/system_app.te
@@ -1,2 +1,3 @@
 allow system_app mdnie_sysfs:file { write };
-allow system_app vib_sysfs:file { write };
\ No newline at end of file
+allow system_app vib_sysfs:file { write };
+allow system_app log_device:chr_file { open write };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 0bf317f..3e183c6 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -3,3 +3,7 @@ allow system_server uhid_device:file { read write open ioctl };
 allow system_server uhid_device:chr_file { read write open ioctl };
 allow system_server efs_file:dir { search };
 allow system_server efs_file:file r_file_perms;
+allow system_server dex2oat_exec:file { execute execute_no_trans read open };
+allow system_server log_device:chr_file { open write };
+allow system_server system_file:file { execmod };
+allow system_server self:capability sys_module;
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
new file mode 100644
index 0000000..e4106d5
--- /dev/null
+++ b/selinux/untrusted_app.te
@@ -0,0 +1,6 @@
+allow untrusted_app block_device:dir { open read search };
+allow untrusted_app log_device:chr_file { open write };
+allow untrusted_app kernel:system { module_request };
+allow untrusted_app firmware_camera:dir { read getattr open };
+allow untrusted_app firmware_camera:file getattr;
+allow untrusted_app firmware_mfc:file getattr;
diff --git a/selinux/vold.te b/selinux/vold.te
index 3487976..053d9a8 100644
--- a/selinux/vold.te
+++ b/selinux/vold.te
@@ -1,2 +1,3 @@
-allow vold kernel:system { module_request };
-allow vold mmc_block_device:blk_file { read write open ioctl getattr };
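Review bot: `allow system_server self:capability sys_module;` grants system_server the ability to load kernel modules, a privilege AOSP keeps with init and which I believe its neverallow rules reject for other domains; the denial most likely comes from the same module-autoload path that the new `dontaudit domain kernel:system module_request` in domain.te is meant to silence, so the rule should be dropped rather than granted. `allow system_server system_file:file { execmod };` likewise weakens W^X for the most privileged userspace process and points at a library with text relocations that should be fixed or at least named in a comment. `allow system_server dex2oat_exec:file { execute execute_no_trans read open };` runs dex2oat inside system_server without a domain transition, whereas on M it normally runs from installd in its own dex2oat domain — worth checking which caller needs this before keeping it.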
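Review bot: `allow untrusted_app kernel:system { module_request };` lets any third-party app trigger kernel module autoloading, exposing the module loader and every autoloadable driver to untrusted code, and `allow untrusted_app block_device:dir { open read search };` lets apps enumerate /dev/block. Neither is needed for an app to function; both read as denial-chasing, and I believe AOSP's app.te neverallow rules reject app-domain access to block_device, so the build may refuse the second outright. Drop both: the domain-wide dontaudit added in domain.te in this commit already hides the module_request denial, and the firmware_camera/firmware_mfc getattr rules, while low-risk, could also be `dontaudit` if they only come from stat() probes.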
\ No newline at end of file
+allow vold boot_block_device:blk_file { read write open ioctl getattr };
+allow vold efs_file:dir { ioctl open read };
+allow vold log_device:chr_file { open write };
diff --git a/selinux/wpa.te b/selinux/wpa.te
index 32dc267..d4b06c7 100644
--- a/selinux/wpa.te
+++ b/selinux/wpa.te
@@ -5,3 +5,4 @@ allow wpa self:socket create_socket_perms;
 allow wpa smem_log_device:chr_file rw_file_perms;
 allow wpa proc_net:file write;
 allow wpa wifi_data_file:sock_file { write };
+allow wpa log_device:chr_file { open write };
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
index 91a5c56..114d6b5 100755
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -1,10 +1,11 @@
 allow wpa init:unix_dgram_socket { read write };
 # logwrapper used with wpa_supplicant
-allow wpa devpts:chr_file { read write };
+#allow wpa devpts:chr_file { read write };
 allow wpa wpa_socket:unix_dgram_socket { read write };
 allow wpa_socket system_server:unix_dgram_socket sendto;
 allow wpa_socket wifi_data_file:sock_file unlink;
-allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file
+allow wpa rfkill_device:chr_file rw_file_perms;
+allow wpa log_device:chr_file { open };
diff --git a/selinux/zygote.te b/selinux/zygote.te
index d25d524..05c4d7d 100644
--- a/selinux/zygote.te
+++ b/selinux/zygote.te
@@ -1,3 +1 @@
-allow zygote shell_data_file:dir search;
-allow zygote devpts:chr_file { read write };
-allow zygote init_shell:process { sigchld };
+allow zygote log_device:chr_file { open }; |
