diff options
| author | slayher <layhertony@gmail.com> | 2013-08-09 22:32:05 -0400 |
|---|---|---|
| committer | slayher <layhertony@gmail.com> | 2013-08-09 22:32:05 -0400 |
| commit | 78a966a467efd8966f674e665bff8101518eb8d5 (patch) | |
| tree | 48e27059329b448a44f672755386e374a7fe3a01 | |
| parent | dbce7c06a9ac7e40f1f4cd5be63d8a38f3b8458d (diff) | |
| download | device_samsung_t0lte-78a966a467efd8966f674e665bff8101518eb8d5.tar.gz device_samsung_t0lte-78a966a467efd8966f674e665bff8101518eb8d5.tar.bz2 device_samsung_t0lte-78a966a467efd8966f674e665bff8101518eb8d5.zip | |
SELinux Policies: t0lte family
Change-Id: Ib5951934a62fae38425ef9d324de758c2c69b3cb
| -rw-r--r-- | BoardCommonConfig.mk | 22 | ||||
| -rw-r--r-- | rootdir/fstab.smdk4x12 | 1 | ||||
| -rwxr-xr-x | rootdir/init.smdk4x12.rc | 30 | ||||
| -rw-r--r-- | selinux/device.te | 4 | ||||
| -rwxr-xr-x | selinux/dhcp.te | 1 | ||||
| -rw-r--r-- | selinux/domain.te | 4 | ||||
| -rw-r--r-- | selinux/file.te | 9 | ||||
| -rw-r--r-- | selinux/file_contexts | 69 | ||||
| -rw-r--r-- | selinux/init.te | 3 | ||||
| -rwxr-xr-x | selinux/kickstart.te | 44 | ||||
| -rw-r--r-- | selinux/mediaserver.te | 5 | ||||
| -rwxr-xr-x | selinux/netmgrd.te | 29 | ||||
| -rwxr-xr-x | selinux/qmux.te | 21 | ||||
| -rwxr-xr-x | selinux/rild.te | 14 | ||||
| -rw-r--r-- | selinux/secril.te | 25 | ||||
| -rwxr-xr-x | selinux/system.te | 12 | ||||
| -rwxr-xr-x | selinux/te_macros | 12 | ||||
| -rw-r--r-- | selinux/ueventd.te | 6 | ||||
| -rwxr-xr-x | selinux/wpa_supplicant.te | 10 |
19 files changed, 310 insertions, 11 deletions
diff --git a/BoardCommonConfig.mk b/BoardCommonConfig.mk index 4b02dff..74d6ae0 100644 --- a/BoardCommonConfig.mk +++ b/BoardCommonConfig.mk @@ -44,3 +44,25 @@ RECOVERY_FSTAB_VERSION := 2 # assert TARGET_OTA_ASSERT_DEVICE := t0lte,t0ltexx,GT-N7105,t0ltedv,GT-N7105T,t0lteatt,SGH-I317,t0ltetmo,SGH-T889,t0ltecan,t0ltevl,SGH-I317M +# Selinux +BOARD_SEPOLICY_DIRS := \ + device/samsung/t0lte/selinux + +BOARD_SEPOLICY_UNION := \ + file_contexts \ + te_macros \ + device.te \ + dhcp.te \ + domain.te \ + file.te \ + init.te \ + kickstart.te \ + mediaserver.te \ + netmgrd.te \ + qmux.te \ + rild.te \ + secril.te \ + system.te \ + ueventd.te \ + wpa_supplicant.te + diff --git a/rootdir/fstab.smdk4x12 b/rootdir/fstab.smdk4x12 index bdfa38a..62e1230 100644 --- a/rootdir/fstab.smdk4x12 +++ b/rootdir/fstab.smdk4x12 @@ -7,6 +7,7 @@ /dev/block/mmcblk0p3 /efs ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check /dev/block/mmcblk0p12 /cache ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check /dev/block/mmcblk0p11 /tombstones ext4 noatime,nosuid,nodev,journal_async_commit,errors=panic wait,check +/dev/block/mmcblk0p10 /firmware vfat ro,shortname=lower,fmask=0133,dmask=0022,context=u:object_r:radio_efs_file:s0 wait /dev/block/mmcblk0p16 /data ext4 noatime,nosuid,nodev,discard,noauto_da_alloc,journal_async_commit,errors=panic wait,check,encryptable=footer # vold-managed volumes ("block device" is actually a sysfs devpath) diff --git a/rootdir/init.smdk4x12.rc b/rootdir/init.smdk4x12.rc index 4ac41de..56bc9b7 100755 --- a/rootdir/init.smdk4x12.rc +++ b/rootdir/init.smdk4x12.rc @@ -38,17 +38,8 @@ on init export VIBE_PIPE_PATH /dev/pipes mkdir /dev/pipes 0771 shell shell -on fs - mount_all /fstab.smdk4x12 - - setprop ro.crypto.fuse_sdcard true - - chown radio system /efs - chmod 0771 /efs - #MDM requirement mkdir /firmware 0771 system system - mount vfat /dev/block/mmcblk0p10 /firmware ro shortname=lower fmask=0133,dmask=0022 chown system system /tombstones chmod 0775 /tombstones mkdir /tombstones/modem 0775 system system @@ -60,6 +51,14 @@ on fs rmdir /tombstones/efs mkdir /tombstones/efs 771 system system +on fs + mount_all /fstab.smdk4x12 + + setprop ro.crypto.fuse_sdcard true + + chown radio system /efs + chmod 0771 /efs + chown system radio /dev/block/platform/dw_mmc/by-name chmod 0775 /dev/block/platform/dw_mmc/by-name @@ -88,6 +87,10 @@ on post-fs-data # an ack packet comes out of order write /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal 1 + restorecon /efs/FactoryApp/keystr + restorecon /efs/FactoryApp/factorymode + restorecon /efs/FactoryApp/serial_no + # for AT distributor chown system radio /sys/module/cpuidle_exynos4/parameters/enable_mask chmod 0664 /sys/module/cpuidle_exynos4/parameters/enable_mask @@ -156,6 +159,8 @@ on post-fs-data chmod 0660 /sys/class/rfkill/rfkill0/state chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type + restorecon /sys/class/rfkill/rfkill0/state + restorecon /sys/class/rfkill/rfkill0/type # NFC setprop ro.nfc.port "I2C" @@ -504,7 +509,7 @@ service p2p_supplicant /system/bin/wpa_supplicant \ # user wifi # group wifi inet keystore class main - socket wpa_wlan0 dgram 660 wifi wifi + socket wpa_wlan0 dgram 660 wifi wifi u:object_r:wpa_socket:s0 disabled oneshot @@ -516,7 +521,7 @@ service wpa_supplicant /system/bin/wpa_supplicant \ # user wifi # group wifi inet keystore class main - socket wpa_wlan0 dgram 660 wifi wifi + socket wpa_wlan0 dgram 660 wifi wifi u:object_r:wpa_socket:s0 disabled oneshot @@ -565,11 +570,13 @@ service SMD-daemon /system/bin/smdexe service qc_kickstart /system/bin/qcks s class core user root + seclabel u:r:kickstart:s0 group radio cache inet misc audio sdcard_rw log service secril-daemon /system/bin/sec-ril class main user root + seclabel u:r:secril-daemon:s0 group radio cache inet misc audio sdcard_rw qcom_diag log #For EncryptionMode - remove disabled, Modify class main @@ -581,6 +588,7 @@ service qmiproxy /system/bin/qmiproxy service qmuxd /system/bin/qmuxd class main user root + seclabel u:r:qmux:s0 group radio log audio bluetooth gps log #start GNSS/Sensor interface daemon diff --git a/selinux/device.te b/selinux/device.te new file mode 100644 index 0000000..c95050b --- /dev/null +++ b/selinux/device.te @@ -0,0 +1,4 @@ +type mali_device, dev_type, mlstrustedobject; +type rfkill_device, dev_type; +type diagnostic_device, dev_type; +type efs_block_device, dev_type; diff --git a/selinux/dhcp.te b/selinux/dhcp.te new file mode 100755 index 0000000..c403b9b --- /dev/null +++ b/selinux/dhcp.te @@ -0,0 +1 @@ +allow dhcp self:rawip_socket { create write setopt }; diff --git a/selinux/domain.te b/selinux/domain.te new file mode 100644 index 0000000..1be0633 --- /dev/null +++ b/selinux/domain.te @@ -0,0 +1,4 @@ +## /dev/mali, /dev/ump +allow domain mali_device:chr_file rw_file_perms; + + diff --git a/selinux/file.te b/selinux/file.te new file mode 100644 index 0000000..89c3352 --- /dev/null +++ b/selinux/file.te @@ -0,0 +1,9 @@ +type radio_efs_file, fs_type; + +type firmware_mfc, file_type; +type firmware_camera, file_type; + +type qmuxd_socket, file_type; +type kickstart_data_file, file_type, data_file_type; +type sensors_data_file, file_type, data_file_type; +type volume_data_file, file_type, data_file_type;
\ No newline at end of file diff --git a/selinux/file_contexts b/selinux/file_contexts new file mode 100644 index 0000000..839e068 --- /dev/null +++ b/selinux/file_contexts @@ -0,0 +1,69 @@ +# GFX +/dev/mali u:object_r:mali_device:s0 +/dev/ump u:object_r:mali_device:s0 +/dev/fimg2d u:object_r:mali_device:s0 + +# NFC +/dev/pn544 u:object_r:nfc_device:s0 + +# RIL +/dev/mdm u:object_r:radio_device:s0 +/dev/hsicctl[0-3]* u:object_r:radio_device:s0 +/dev/ttyUSB0 u:object_r:radio_device:s0 +/dev/diag u:object_r:diagnostic_device:s0 + +# GPS +/dev/ttySAC1 u:object_r:gps_device:s0 + +# Bluetooth +/dev/ttySAC0 u:object_r:hci_attach_dev:s0 +/efs/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0 + +# Sensors +/dev/akm8963 u:object_r:sensors_device:s0 +/efs/gyro_cal_data u:object_r:sensors_data_file:s0 + +# for wpa_supp +/dev/rfkill u:object_r:rfkill_device:s0 + +# Firmwares +/system/vendor/firmware(/.*)? u:object_r:firmware_camera:s0 +/system/vendor/firmware/mfc_fw.bin u:object_r:firmware_mfc:s0 +/data/cfw(/.*)? u:object_r:firmware_camera:s0 +/tombstones/qcks(/.*)? u:object_r:kickstart_data_file:s0 +/tombstones(/.*)? u:object_r:tombstone_data_file:s0 + +# Vibrator +/dev/tspdrv u:object_r:input_device:s0 + +#Wifi +/efs/wifi/.mac.info u:object_r:wifi_data_file:s0 + +#Sec-ril +/efs/FactoryApp/keystr u:object_r:efs_file:s0 +/efs/FactoryApp/factorymode u:object_r:efs_file:s0 +/efs/FactoryApp/serial_no u:object_r:efs_file:s0 +/data/misc/radio/ramdumpmode.txt u:object_r:radio_data_file:s0 +/data/misc/radio/dlnk u:object_r:radio_data_file:s0 + +#Binaries +/system/bin/qmuxd u:object_r:qmux_exec:s0 +/system/bin/netmgrd u:object_r:netmgrd_exec:s0 +/system/bin/efsks u:object_r:kickstart_exec:s0 +/system/bin/ks u:object_r:kickstart_exec:s0 +/system/bin/qcks u:object_r:kickstart_exec:s0 +/system/bin/sec-ril u:object_r:secril-daemon_exec:s0 + +# Sockets +/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0 +/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0 +/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0 +/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0 + +# Block devices +/dev/block/mmcblk0p[3-6]* u:object_r:efs_block_device:s0 +/dev/block/mmcblk0p10 u:object_r:efs_block_device:s0 +/dev/block/mmcblk0p11 u:object_r:efs_block_device:s0 + +# Audio related +/data/local/audio(/.*)? u:object_r:volume_data_file:s0 diff --git a/selinux/init.te b/selinux/init.te new file mode 100644 index 0000000..2f29889 --- /dev/null +++ b/selinux/init.te @@ -0,0 +1,3 @@ +allow init wpa_socket:unix_dgram_socket { bind create }; + + diff --git a/selinux/kickstart.te b/selinux/kickstart.te new file mode 100755 index 0000000..14e1ad5 --- /dev/null +++ b/selinux/kickstart.te @@ -0,0 +1,44 @@ +# kickstart processes and scripts +type kickstart, domain; +type kickstart_exec, exec_type, file_type; + +# kickstart_checker.sh talks to init over the property socket +unix_socket_connect(kickstart, property, init) + +# Start /system/bin/qcks from init +init_daemon_domain(kickstart) + +# Spawn /system/bin/efsks and /system/bin/ks +allow kickstart kickstart_exec:file { open execute_no_trans getattr }; + +# Run dd on m9kefs[123] block devices; write to /data/qcks/ +# Run cat on firmware and m9kefs[123] data; write to /data/qcks/ +allow kickstart efs_block_device:blk_file rw_file_perms; +allow kickstart kickstart_data_file:file create_file_perms; +allow kickstart kickstart_data_file:dir rw_dir_perms; +allow kickstart radio_efs_file:file r_file_perms; +allow kickstart radio_efs_file:dir search; + +# Let qcks access /dev/mdm node (modem driver) +allow kickstart radio_device:chr_file rw_file_perms; + +# Allow /dev/ttyUSB0 access +allow kickstart radio_device:chr_file { write ioctl getattr }; + +# Allow to run toolbox commands +allow kickstart shell_exec:file rx_file_perms; +# Toolbox commands for firmware dd +allow kickstart system_file:file execute_no_trans; + +# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2 +allow kickstart block_device:dir { getattr write search }; + +# Set system property key +allow kickstart radio_prop:property_service set; + +allow kickstart shell_exec:file entrypoint; +# ls on /data/qcks/ +allow kickstart self:capability { dac_override setuid }; + +# XXX Label sysfs files with a specific type? +allow kickstart sysfs:file rw_file_perms;
\ No newline at end of file diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te new file mode 100644 index 0000000..7ad89ef --- /dev/null +++ b/selinux/mediaserver.te @@ -0,0 +1,5 @@ +qmux_socket(mediaserver) +allow mediaserver self:socket create_socket_perms; +allow mediaserver { firmware_camera }:file r_file_perms; +allow mediaserver volume_data_file:file create_file_perms; +allow mediaserver volume_data_file:dir create_dir_perms;
\ No newline at end of file diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te new file mode 100755 index 0000000..11159a4 --- /dev/null +++ b/selinux/netmgrd.te @@ -0,0 +1,29 @@ +# Network utilities (radio process) +type netmgrd, domain; +type netmgrd_exec, exec_type, file_type; + +# Started by init +init_daemon_domain(netmgrd) + +allow netmgrd self:udp_socket { create ioctl }; +# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket +allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override }; +allow netmgrd self:packet_socket { write bind read create }; +allow netmgrd self:netlink_socket { write read create bind setopt }; +allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr }; +allow netmgrd kernel:system module_request; + +# Talk to qmuxd +qmux_socket(netmgrd) + +# Allow logging diagnostic items +allow netmgrd diagnostic_device:chr_file rw_file_perms; + +# /data/data_test/ access with shell +allow netmgrd shell_exec:file { execute read open execute_no_trans }; +allow netmgrd system_file:file { execute_no_trans }; + +# Talk to init over the property socket +unix_socket_connect(netmgrd, property, init) +# Set net.rmnet_usb0. values +allow netmgrd radio_prop:property_service set; diff --git a/selinux/qmux.te b/selinux/qmux.te new file mode 100755 index 0000000..e2a5bbf --- /dev/null +++ b/selinux/qmux.te @@ -0,0 +1,21 @@ +# Qualcomm Management Interface Multiplexer +type qmux, domain; +type qmux_exec, exec_type, file_type; + +# Started by init +init_daemon_domain(qmux) + +# Create local qmux_connect_socket +allow qmux qmuxd_socket:dir w_dir_perms; +allow qmux qmuxd_socket:sock_file { create setattr getattr unlink }; + +# /dev/hsicctl* node access +allow qmux radio_device:chr_file rw_file_perms; + +# Allow logging diagnostic items +allow qmux diagnostic_device:chr_file rw_file_perms; + +allow qmux self:capability { dac_override setuid }; + +# XXX Should we label with own type +allow qmux sysfs:file { open write append read getattr }; diff --git a/selinux/rild.te b/selinux/rild.te new file mode 100755 index 0000000..04209b0 --- /dev/null +++ b/selinux/rild.te @@ -0,0 +1,14 @@ +## RIL +allow rild radio_device:chr_file rw_file_perms; +allow rild { efs_file }:file rw_file_perms; +allow rild self:netlink_socket { create bind read write }; +allow rild self:netlink_route_socket { write }; + +# Talk to qmuxd +qmux_socket(rild) + +# Allow logging diagnostic items +allow rild diagnostic_device:chr_file rw_file_perms; + +# XXX label with own type? +allow rild sysfs:file { read open write getattr }; diff --git a/selinux/secril.te b/selinux/secril.te new file mode 100644 index 0000000..7761d80 --- /dev/null +++ b/selinux/secril.te @@ -0,0 +1,25 @@ +# sec-ril +type secril-daemon, domain; +type secril-daemon_exec, exec_type, file_type; + +# Start /system/bin/sec-ril from init +init_daemon_domain(secril-daemon) + +allow secril-daemon secril-daemon_exec:file { open execute_no_trans getattr }; +allow secril-daemon self:udp_socket { create ioctl }; +unix_socket_connect(secril-daemon, property, init) +unix_socket_connect(secril-daemon, rild, rild) + +allow secril-daemon { efs_file }:file rw_file_perms; +allow secril-daemon system_data_file:dir create_dir_perms; +allow secril-daemon system_data_file:file unlink; +allow secril-daemon radio_data_file:file { create_file_perms }; +allow secril-daemon kernel:system module_request; +allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override }; +allow secril-daemon system_file:file x_file_perms; +allow secril-daemon sysfs:file rw_file_perms; +allow secril-daemon shell_exec:file rx_file_perms; +allow secril-daemon app_data_file:file rw_file_perms; +allow secril-daemon app_data_file:dir search; +allow secril-daemon zygote_exec:file rx_file_perms; +allow secril-daemon ashmem_device:chr_file x_file_perms;
\ No newline at end of file diff --git a/selinux/system.te b/selinux/system.te new file mode 100755 index 0000000..73de1ee --- /dev/null +++ b/selinux/system.te @@ -0,0 +1,12 @@ +# Talk to qmuxd +qmux_socket(system) + +allow system diagnostic_device:chr_file rw_file_perms; +allow system uinput_device:chr_file { read ioctl write open }; +allow system sensors_device:chr_file { read open }; +allow system sensors_data_file:file r_file_perms; +allow system wpa_socket:unix_dgram_socket sendto; +allow system_app volume_data_file:file { read write open getattr }; + +allow system sysfs:file { read open write }; +allow system self:capability { sys_module };
\ No newline at end of file diff --git a/selinux/te_macros b/selinux/te_macros new file mode 100755 index 0000000..274fd55 --- /dev/null +++ b/selinux/te_macros @@ -0,0 +1,12 @@ +##################################### +# qmux_socket(clientdomain) +# Allow client to send via a local +# socket to the qmux domain. +define(`qmux_socket', ` +type $1_qmuxd_socket, file_type; +file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket) +unix_socket_connect($1, qmuxd, qmux) +allow qmux $1_qmuxd_socket:sock_file { getattr unlink }; +') + + diff --git a/selinux/ueventd.te b/selinux/ueventd.te new file mode 100644 index 0000000..489b31a --- /dev/null +++ b/selinux/ueventd.te @@ -0,0 +1,6 @@ +# Drivers read firmware files /firmware/image +allow ueventd { radio_efs_file }:file r_file_perms; +allow ueventd { radio_efs_file }:dir search; +## More Firmwares +allow ueventd { firmware_mfc }:file r_file_perms; +allow ueventd { firmware_camera }:dir search;
\ No newline at end of file diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te new file mode 100755 index 0000000..ab5fb24 --- /dev/null +++ b/selinux/wpa_supplicant.te @@ -0,0 +1,10 @@ +allow wpa init:unix_dgram_socket { read write }; + +# logwrapper used with wpa_supplicant +allow wpa devpts:chr_file { read write }; + +allow wpa wpa_socket:unix_dgram_socket { read write }; +allow wpa_socket system:unix_dgram_socket sendto; + +allow wpa_socket wifi_data_file:sock_file unlink; +allow wpa rfkill_device:chr_file rw_file_perms;
\ No newline at end of file |