author | rogersb11 <brettrogers11@gmail.com> | 2016-01-08 12:54:49 -0500 |
---|---|---|
committer | rogersb11 <brettrogers11@gmail.com> | 2016-02-13 22:20:48 -0500 |
commit | 0f44657b41c0e9d23ead488bd92073072fbb726f (patch) | |
tree | 3ed49fb5bec523e5078bce1129c5c49daf7a1f59 | |
parent | 40cabb9762b5a59fad8988bb7d3ec7d1176eaea9 (diff) | |
More SELinux
Change-Id: Ic9a27889102b8d397f6edb4c3da1ae1918668a48
-rw-r--r-- | rootdir/init.target.rc | 3 | ||||
-rw-r--r-- | selinux/SMD-daemon.te | 1 | ||||
-rw-r--r-- | selinux/at_distributor.te | 1 | ||||
-rw-r--r-- | selinux/device.te | 1 | ||||
-rw-r--r-- | selinux/diag_uart_log.te | 5 | ||||
-rw-r--r-- | selinux/domain.te | 2 | ||||
-rw-r--r-- | selinux/file.te | 2 | ||||
-rw-r--r-- | selinux/file_contexts | 6 | ||||
-rw-r--r-- | selinux/init.te | 5 | ||||
-rw-r--r-- | selinux/radio.te | 1 | ||||
-rw-r--r-- | selinux/system_server.te | 1 | ||||
-rw-r--r-- | selinux/untrusted_app.te | 2 |
12 files changed, 19 insertions, 11 deletions
diff --git a/rootdir/init.target.rc b/rootdir/init.target.rc
index 88d779e..d987195 100644
--- a/rootdir/init.target.rc
+++ b/rootdir/init.target.rc
@@ -131,17 +131,20 @@ on property:sys.boot_completed=1
 service at_distributor /system/bin/at_distributor
 class late_start
 user root
+ seclabel u:r:at_distributor:s0
 group radio log
 # diag app for cp uart
 service diag_uart_log /system/bin/diag_uart_log
 class main
 user root
+ seclabel u:r:diag_uart_log:s0
 group radio
 service SMD-daemon /system/bin/smdexe
 class main
 user root
+ seclabel u:r:SMD-daemon:s0
 group system radio inet net_raw
 service qc_kickstart /system/bin/qcks s
diff --git a/selinux/SMD-daemon.te b/selinux/SMD-daemon.te
index 3632822..a29dbde 100644
--- a/selinux/SMD-daemon.te
+++ b/selinux/SMD-daemon.te
@@ -1,4 +1,5 @@
 type SMD-daemon, domain;
+permissive SMD-daemon;
 type SMD-daemon_exec, exec_type, file_type;
 allow SMD-daemon system_file:file { execute_no_trans };
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
index 48655c9..d5f4808 100644
--- a/selinux/at_distributor.te
+++ b/selinux/at_distributor.te
@@ -1,4 +1,5 @@
 type at_distributor, domain;
+permissive at_distributor;
 type at_distributor_exec, exec_type, file_type;
 allow at_distributor system_file:file { execute_no_trans };
diff --git a/selinux/device.te b/selinux/device.te
index cc1cf07..cd94885 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,4 +1,3 @@
-type mali_device, dev_type, mlstrustedobject;
 type mfc_device, dev_type;
 type rfkill_device, dev_type;
 type wlan_device, dev_type;
diff --git a/selinux/diag_uart_log.te b/selinux/diag_uart_log.te
index c0d1fd9..ba64515 100644
--- a/selinux/diag_uart_log.te
+++ b/selinux/diag_uart_log.te
@@ -1,2 +1,7 @@
 type diag_uart_log, domain;
+permissive diag_uart_log;
+
 type diag_uart_log_exec, exec_type, file_type;
+
+allow diag_uart_log init:process { noatsecure rlimitinh siginh };
+allow diag_uart_log log_device:chr_file { open write };
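Review bot: The three added `seclabel` lines place at_distributor, diag_uart_log and SMD-daemon in their own domains, but the only transition rule visible in this commit is `domain_trans(init, rootfs, SMD-daemon)` in selinux/init.te, and that rule names the `rootfs` file type although the binary is `/system/bin/smdexe`. Unless matching rules for all three domains exist outside the shown hunks, init may be denied the transition and the services may fail to start once init is enforcing. All three services also remain `user root`, so the label is the only confinement they get; a short comment above each `seclabel` naming the policy file that defines the domain would make that dependency visible. The hunk begins and ends inside the list of service definitions, and the last one (qc_kickstart) continues outside it.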
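Review bot: `permissive SMD-daemon;` turns enforcement off for the whole domain, and the same declaration is added for at_distributor (selinux/at_distributor.te) and diag_uart_log (selinux/diag_uart_log.te). Because init.target.rc runs all three services as `user root`, the new labels will log denials but block nothing. If this is a bring-up step, state it next to each declaration, for example `# TODO: permissive only while collecting denials; remove before release`. Wrapping the declaration in the AOSP `userdebug_or_eng` macro would keep release builds enforcing.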
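Review bot: The two added `allow` rules have no effect while `permissive diag_uart_log;` is in force, and the first one, `allow diag_uart_log init:process { noatsecure rlimitinh siginh };`, reads like unfiltered audit2allow output rather than something the daemon needs. `noatsecure` in particular switches off libc secure mode across a transition, and AOSP's own `domain_trans` macro deliberately leaves it denied with a `dontaudit`. I would remove `noatsecure` from the set, or drop the rule entirely if no denial for `rlimitinh`/`siginh` reappears. The `log_device` rule could carry a comment such as `# writes diagnostics to the kernel log device`.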
diff --git a/selinux/domain.te b/selinux/domain.te
index f581c46..cd1d423 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,5 +1,3 @@
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
 allow domain at_distributor:chr_file rw_file_perms;
 allow domain diag_uart_log:chr_file rw_file_perms;
 allow domain SMD-daemon:chr_file rw_file_perms;
diff --git a/selinux/file.te b/selinux/file.te
index 07e5b83..bc4ef55 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -27,4 +27,4 @@ type persist_file, file_type;
 type persist_data_file, file_type;
 type persist_drm_file, file_type;
 type data_drm_file, file_type;
-
+type efs_device_file, file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 23031d4..87739a2 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -28,6 +28,7 @@
 # For wpa_supp
 /dev/rfkill u:object_r:rfkill_device:s0
+/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
 # Firmwares
 /system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0
@@ -47,14 +48,12 @@
 /dev/tspdrv u:object_r:input_device:s0
 /sys/vibrator/pwm_val u:object_r:vib_sysfs:s0
-# Wifi
-/efs/wifi/.mac.info u:object_r:wifi_data_file:s0
-
 # Sec-ril
 /efs/FactoryApp/keystr u:object_r:efs_file:s0
 /efs/FactoryApp/factorymode u:object_r:efs_file:s0
 /efs/FactoryApp/serial_no u:object_r:efs_file:s0
 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+/efs u:object_r:efs_device_file:s0
 # Binaries
 /system/bin/qmuxd u:object_r:qmuxd_exec:s0
@@ -76,6 +75,7 @@
 /dev/block/mmcblk0p13 u:object_r:system_block_device:s0
 /dev/block/mmcblk0p16 u:object_r:userdata_block_device:s0
 /dev/block/mmcblk0p17 u:object_r:efs_block_device:s0
+/dev/block/zram0 u:object_r:swap_block_device:s0
 # Audio related
 /data/local/audio(/.*)? u:object_r:volume_data_file:s0
diff --git a/selinux/init.te b/selinux/init.te
index 6a22ee7..19fe880 100644
--- a/selinux/init.te
+++ b/selinux/init.te
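Review bot: The added entry `/efs u:object_r:efs_device_file:s0` in the second file_contexts hunk matches only the mount-point directory itself, not anything beneath it, and it sits under the `# Sec-ril` comment beside entries that use `efs_file`. The type is declared in selinux/file.te by this commit, but none of the shown hunks grants any domain access to `efs_device_file`, so it is unclear which process is meant to use it. If the intent is a default label for the whole partition, the pattern would need to be `/efs(/.*)? u:object_r:efs_device_file:s0`. That is worth confirming because the factory and Wi-Fi MAC files listed here live under /efs. A one-line comment stating the purpose of the new type would settle the question.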
@@ -1,5 +1,4 @@
 allow init wpa_socket:unix_dgram_socket { bind create };
-#allow init su_exec:file { execute_no_trans };
 allow init init:process { execmem };
 allow init init:capability { sys_module };
 allow init radio_efs_file:filesystem { relabelto };
@@ -12,9 +11,7 @@ allow init init:rawip_socket { create setopt write };
 allow init tmpfs:lnk_file { create };
 allow init sysfs:lnk_file { setattr };
-#allow init_shell init:packet_socket { read write };
 allow init log_device:chr_file { write };
 allow init kernel:system { module_request };
-#allow init system_file:file execute_no_trans;
 allow init block_device:lnk_file { setattr };
-domain_trans(init, rootfs, SMD-daemon)
\ No newline at end of file
+domain_trans(init, rootfs, SMD-daemon)
diff --git a/selinux/radio.te b/selinux/radio.te
index dfc04dd..a591489 100644
--- a/selinux/radio.te
+++ b/selinux/radio.te
@@ -3,3 +3,4 @@ qmux_socket(radio) ; allow radio secril-daemon:unix_stream_socket { connectto }; allow radio log_device:chr_file { write open };
+allow radio log_device:dir { search };
diff --git a/selinux/system_server.te b/selinux/system_server.te
index 3e183c6..fddfeaa 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -7,3 +7,4 @@ allow system_server dex2oat_exec:file { execute execute_no_trans read open };
 allow system_server log_device:chr_file { open write };
 allow system_server system_file:file { execmod };
 allow system_server self:capability sys_module;
+allow system_server log_device:dir { search };
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
index e4106d5..03cc436 100644
--- a/selinux/untrusted_app.te
+++ b/selinux/untrusted_app.te
@@ -4,3 +4,5 @@ allow untrusted_app kernel:system { module_request };
 allow untrusted_app firmware_camera:dir { read getattr open };
 allow untrusted_app firmware_camera:file getattr;
 allow untrusted_app firmware_mfc:file getattr;
+allow untrusted_app efs_file:dir getattr;
+allow untrusted_app device:dir { open read }; |
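Review bot: The two rules added to selinux/untrusted_app.te, `allow untrusted_app efs_file:dir getattr;` and `allow untrusted_app device:dir { open read };`, apply to every third-party app, and the second lets any app list the nodes under /dev. Neither carries a comment naming the app or the denial that prompted it. If they were added only to quiet log noise, `dontaudit untrusted_app device:dir { open read };` and `dontaudit untrusted_app efs_file:dir getattr;` would silence the messages without widening the app sandbox. The file continues above this hunk.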