authorJoey Hewitt <joey@joeyhewitt.com>2019-09-02 21:24:47 -0600
committerJoey Hewitt <joey@joeyhewitt.com>2019-09-02 21:25:54 -0600
commita83b24ba10576ec8c815df0ccaa97791e2c4537f (patch)
tree3375481d607172dc6e7b79bede7da3e8afa00252 /selinux
parent37c4769bcc40f7004b1ae2eb04cb1049121402aa (diff)
remove references to proprietary components, mostly the RIL
Diffstat (limited to 'selinux')
-rw-r--r--selinux/SMD-daemon.te9
-rw-r--r--selinux/at_distributor.te33
-rw-r--r--selinux/diag_uart_log.te12
-rw-r--r--selinux/domain.te5
-rw-r--r--selinux/file.te1
-rw-r--r--selinux/file_contexts16
-rw-r--r--selinux/init.te3
-rwxr-xr-xselinux/kickstart.te53
-rw-r--r--selinux/mediaserver.te1
-rwxr-xr-xselinux/netmgrd.te32
-rw-r--r--selinux/qmiproxy.te17
-rw-r--r--selinux/qmuxd.te54
-rw-r--r--selinux/radio.te4
-rwxr-xr-xselinux/rild.te41
-rw-r--r--selinux/secril.te37
-rw-r--r--selinux/servicemanager.te3
-rwxr-xr-xselinux/system.te5
-rwxr-xr-xselinux/te_macros13
-rw-r--r--selinux/wpa.te1
19 files changed, 1 insertions, 339 deletions
diff --git a/selinux/SMD-daemon.te b/selinux/SMD-daemon.te
deleted file mode 100644
index 031daf0..0000000
--- a/selinux/SMD-daemon.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type SMD-daemon, domain;
-type SMD-daemon_exec, exec_type, file_type;
-init_daemon_domain(SMD-daemon)
-
-allow SMD-daemon system_file:file { execute_no_trans };
-allow SMD-daemon self:capability { setuid };
-
-allow SMD-daemon log_device:chr_file { write open };
-allow SMD-daemon log_device:dir { search };
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
deleted file mode 100644
index 23036ad..0000000
--- a/selinux/at_distributor.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type at_distributor, domain;
-type at_distributor_exec, exec_type, file_type;
-init_daemon_domain(at_distributor)
-
-allow at_distributor system_file:file { execute_no_trans };
-
-allow at_distributor radio_device:chr_file { read write open ioctl };
-
-allow at_distributor rild:unix_stream_socket { connectto };
-
-allow at_distributor log_device:chr_file { open write };
-allow at_distributor log_device:dir { search };
-
-allow at_distributor efs_file:dir { search };
-allow at_distributor efs_file:file { read open getattr setattr };
-
-allow at_distributor radio_data_file:dir { search write add_name };
-allow at_distributor radio_data_file:file { open write create getattr read };
-
-allow at_distributor unlabeled:dir { search getattr };
-allow at_distributor unlabeled:file { open read write setattr getattr };
-
-allow at_distributor self:capability { dac_override chown fowner setuid fsetid };
-
-allow at_distributor property_socket:sock_file { open write };
-
-allow at_distributor diag_uart_log_exec:file { getattr };
-
-allow at_distributor init:unix_stream_socket { connectto };
-
-allow at_distributor radio_prop:property_service { set };
-
-allow at_distributor sysfs_wake_lock:file { read write open };
diff --git a/selinux/diag_uart_log.te b/selinux/diag_uart_log.te
deleted file mode 100644
index 6ebaacb..0000000
--- a/selinux/diag_uart_log.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type diag_uart_log, domain;
-type diag_uart_log_exec, exec_type, file_type;
-init_daemon_domain(diag_uart_log)
-
-allow diag_uart_log init:process { noatsecure rlimitinh siginh };
-
-allow diag_uart_log log_device:chr_file { open write };
-allow diag_uart_log log_device:dir { search };
-
-allow diag_uart_log at_distributor:unix_stream_socket { connectto };
-
-allow diag_uart_log self:capability { setuid };
diff --git a/selinux/domain.te b/selinux/domain.te
index cd1d423..7b21391 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,8 +1,3 @@
-allow domain at_distributor:chr_file rw_file_perms;
-allow domain diag_uart_log:chr_file rw_file_perms;
-allow domain SMD-daemon:chr_file rw_file_perms;
-allow domain qmiproxy:chr_file rw_file_perms;
-
userdebug_or_eng(`
allow domain diag_device:chr_file rw_file_perms;
')
diff --git a/selinux/file.te b/selinux/file.te
index bc4ef55..0f14cce 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -6,7 +6,6 @@ type firmware_camera, file_type;
type mdnie_sysfs, file_type;
type vib_sysfs, file_type;
-type qmuxd_socket, file_type;
type kickstart_data_file, file_type, data_file_type;
type sensors_data_file, file_type, data_file_type;
type volume_data_file, file_type, data_file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 2b87860..b552aa4 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -55,22 +55,6 @@
/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
/efs u:object_r:efs_device_file:s0
-# Binaries
-/system/bin/qmuxd u:object_r:qmuxd_exec:s0
-/system/bin/efsks u:object_r:kickstart_exec:s0
-/system/bin/ks u:object_r:kickstart_exec:s0
-/system/bin/qcks u:object_r:kickstart_exec:s0
-/system/bin/qmiproxy u:object_r:qmiproxy_exec:s0
-/system/bin/at_distributor u:object_r:at_distributor_exec:s0
-/system/bin/smdexe u:object_r:SMD-daemon_exec:s0
-/system/bin/diag_uart_log u:object_r:diag_uart_log_exec:s0
-
-# Sockets
-/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
-
# Block devices
/dev/block/mmcblk0(.*) u:object_r:boot_block_device:s0
/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0
diff --git a/selinux/init.te b/selinux/init.te
index 9f3c6ae..1e1fab6 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -14,8 +14,5 @@ allow init sysfs:lnk_file { setattr };
allow init log_device:chr_file { write };
allow init kernel:system { module_request };
allow init block_device:lnk_file { setattr };
-domain_trans(init, rootfs, SMD-daemon)
allow init shell_data_file:lnk_file { getattr };
-
-allow init rild:process noatsecure;
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
deleted file mode 100755
index 8d550c6..0000000
--- a/selinux/kickstart.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# kickstart processes and scripts
-type kickstart, domain;
-type kickstart_exec, exec_type, file_type;
-
-# kickstart_checker.sh talks to init over the property socket
-unix_socket_connect(kickstart, property, init)
-
-# Start /system/bin/qcks from init
-init_daemon_domain(kickstart)
-
-# Spawn /system/bin/efsks and /system/bin/ks
-allow kickstart kickstart_exec:file { open execute_no_trans getattr };
-allow kickstart rild_exec:file { open execute_no_trans getattr };
-
-# Run dd on m9kefs[123] block devices; write to /data/qcks/
-# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
-allow kickstart boot_block_device:blk_file { getattr read write open };
-allow kickstart kickstart_data_file:file create_file_perms;
-allow kickstart kickstart_data_file:dir rw_dir_perms;
-allow kickstart radio_efs_file:file r_file_perms;
-allow kickstart radio_efs_file:dir search;
-
-# Let qcks access /dev/mdm node (modem driver)
-allow kickstart radio_device:chr_file rw_file_perms;
-
-# Allow /dev/ttyUSB0 access
-allow kickstart radio_device:chr_file { write ioctl getattr };
-
-# Allow to run toolbox commands
-allow kickstart shell_exec:file rx_file_perms;
-# Toolbox commands for firmware dd
-allow kickstart system_file:file execute_no_trans;
-
-# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
-allow kickstart block_device:dir { getattr write search };
-
-# Set system property key
-allow kickstart radio_prop:property_service set;
-
-allow kickstart shell_exec:file entrypoint;
-# ls on /data/qcks/
-allow kickstart self:capability { dac_override setuid };
-
-# XXX Label sysfs files with a specific type?
-allow kickstart sysfs:file rw_file_perms;
-
-allow kickstart unlabeled:file { setattr getattr read write open };
-allow kickstart vfat:file { getattr read open };
-allow kickstart kickstart:process { execmem };
-allow kickstart usbfs:dir { search };
-allow kickstart vfat:dir { search };
-allow kickstart log_device:chr_file { open write };
-allow kickstart rild_exec:file { getattr execute read open };
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 3241f66..1b2c8ba 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,4 +1,3 @@
-qmux_socket(mediaserver);
allow mediaserver self:socket create_socket_perms;
allow mediaserver { firmware_camera }:file r_file_perms;
allow mediaserver firmware_camera:dir r_dir_perms;
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
deleted file mode 100755
index 8b99f42..0000000
--- a/selinux/netmgrd.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# Network utilities (radio process)
-type netmgrd, domain;
-type netmgrd_exec, exec_type, file_type;
-
-net_domain(netmgrd)
-# Started by init
-init_daemon_domain(netmgrd)
-
-
-allow netmgrd self:udp_socket { create ioctl };
-# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
-allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
-allow netmgrd self:packet_socket { write bind read create };
-allow netmgrd self:netlink_socket { write read create bind setopt };
-allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
-
-# Talk to qmuxd
-qmux_socket(netmgrd)
-
-# Allow logging diagnostic items
-allow netmgrd diagnostic_device:chr_file rw_file_perms;
-
-# /data/data_test/ access with shell
-allow netmgrd shell_exec:file { execute read open execute_no_trans };
-allow netmgrd system_file:file { execute_no_trans };
-
-# Talk to init over the property socket
-unix_socket_connect(netmgrd, property, init)
-# Set net.rmnet_usb0. values
-allow netmgrd radio_prop:property_service set;
-
-allow netmgrd netmgrd:process { execmem };
diff --git a/selinux/qmiproxy.te b/selinux/qmiproxy.te
deleted file mode 100644
index eb332c8..0000000
--- a/selinux/qmiproxy.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type qmiproxy, domain;
-type qmiproxy_exec, exec_type, file_type;
-
-net_domain(qmiproxy)
-init_daemon_domain(qmiproxy)
-
-allow qmiproxy log_device:chr_file { open write };
-allow qmiproxy log_device:dir { search };
-
-allow qmiproxy qmuxd_socket:dir { search write add_name };
-allow qmiproxy qmuxd_socket:sock_file { create };
-allow qmiproxy property_socket:sock_file { open write };
-allow qmiproxy init:unix_stream_socket connectto;
-
-allow qmiproxy radio_prop:property_service { set };
-
-allow qmiproxy system_file:file { execmod };
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
deleted file mode 100644
index dfef990..0000000
--- a/selinux/qmuxd.te
+++ /dev/null
@@ -1,54 +0,0 @@
-type qmuxd, domain;
-type qmuxd_exec, exec_type, file_type;
-net_domain(qmuxd)
-init_daemon_domain(qmuxd)
-
-userdebug_or_eng(`
- domain_auto_trans(shell, qmuxd_exec, qmuxd)
- domain_auto_trans(adbd, qmuxd_exec, qmuxd)
-')
-
-#Allow qmuxd to operate on various qmux device sockets
-#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
-
-qmux_socket(qmuxd);
-
-#Allow logging
-allow qmuxd diag_device:chr_file { rw_file_perms };
-
-#Allow operation in platform specific transports
-allow qmuxd smd_device:chr_file { rw_file_perms };
-allow qmuxd hsic_device:chr_file { rw_file_perms };
-
-#Allow qmuxd to operate in platform specific transports
-allow qmuxd sysfs_smd_open_timeout:file w_file_perms;
-allow qmuxd sysfs_wake_lock:file { append open };
-
-#Allow qmuxd to write in hsic specific transport
-allow qmuxd sysfs:file w_file_perms;
-allow qmuxd radio_device:file w_file_perms;
-
-allow qmuxd self:capability { setuid setgid setpcap dac_override };
-
-#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
-allow qmuxd qmuxd:capability2 { block_suspend };
-
-allow qmuxd sysfs_esoc:dir r_dir_perms;
-allow qmuxd sysfs_hsic_modem_wait:file w_file_perms;
-allow qmuxd sysfs_esoc:lnk_file read;
-
-r_dir_file(qmuxd, sysfs_ssr);
-allow qmuxd mhi_device:chr_file rw_file_perms;
-
-allow qmuxd qmuxd:process { execmem };
-allow qmuxd radio_device:chr_file { read write open };
-allow qmuxd log_device:chr_file { open write };
-
-allow qmuxd system_file:file { execmod };
diff --git a/selinux/radio.te b/selinux/radio.te
index 0ac335e..53c51f6 100644
--- a/selinux/radio.te
+++ b/selinux/radio.te
@@ -1,7 +1,3 @@
-# Talk to qmuxd (/dev/socket/qmux_radio)
-qmux_socket(radio) ;
-
-allow radio secril-daemon:unix_stream_socket { connectto };
allow radio log_device:chr_file { write open };
allow radio log_device:dir { search };
allow radio system_app_data_file:dir { search };
diff --git a/selinux/rild.te b/selinux/rild.te
deleted file mode 100755
index eeaeccf..0000000
--- a/selinux/rild.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#allow rild qmux_radio_socket:dir { write remove_name search add_name };
-#allow rild qmux_radio_socket:sock_file { write create unlink setattr };
-#allow rild qmuxd:unix_stream_socket connectto;
-qmux_socket(rild);
-binder_use(rild)
-
-allow rild ssr_device:chr_file { open read };
-allow rild sysfs_esoc:dir { search read open};
-allow rild sysfs_esoc:lnk_file { read };
-allow rild sysfs_esoc:file { write };
-allow rild sysfs_ssr:dir { open search read };
-allow rild sysfs_ssr:lnk_file { read open };
-
-allow rild mediaserver:binder { transfer call };
-
-#allow rild diag_device:chr_file { open read write };
-allow rild rild_socket:chr_file { open read write };
-
-allow rild sysfs_ssr:dir r_dir_perms;
-allow rild sysfs_ssr:lnk_file read;
-allow rild system_data_file:dir w_dir_perms;
-#allow rild system_data_file:file create_file_perms;
-#allow rild time_daemon:unix_stream_socket connectto;
-
-allow rild rild:process execmem;
-allow rild diagnostic_device:chr_file { read write open };
-allow rild radio_data_file:dir { setattr };
-allow rild init:unix_stream_socket { read write };
-allow rild proc_net:file { write };
-
-allow rild log_device:chr_file { open };
-allow rild log_device:chr_file write;
-allow rild self:capability dac_override;
-
-allow rild unlabeled:dir { search };
-allow rild unlabeled:file { open read getattr };
-
-allow rild at_distributor:dir { search };
-allow rild at_distributor:file { read open getattr };
-
-allow rild system_file:file { execmod };
diff --git a/selinux/secril.te b/selinux/secril.te
deleted file mode 100644
index 0681aa4..0000000
--- a/selinux/secril.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# sec-ril
-type secril-daemon, domain;
-type secril-daemon_exec, exec_type, file_type;
-
-# Start /system/bin/sec-ril from init
-init_daemon_domain(secril-daemon)
-
-allow secril-daemon secril-daemon_exec:file { open execute_no_trans getattr };
-allow secril-daemon self:udp_socket { create ioctl };
-unix_socket_connect(secril-daemon, property, init)
-unix_socket_connect(secril-daemon, rild, rild)
-
-allow secril-daemon { efs_file }:file rw_file_perms;
-allow secril-daemon system_data_file:dir create_dir_perms;
-# allow secril-daemon system_data_file:file unlink;
-allow secril-daemon radio_data_file:file { create_file_perms };
-allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
-allow secril-daemon system_file:file x_file_perms;
-allow secril-daemon sysfs:file rw_file_perms;
-allow secril-daemon shell_exec:file rx_file_perms;
-allow secril-daemon app_data_file:file rw_file_perms;
-allow secril-daemon app_data_file:dir search;
-allow secril-daemon zygote_exec:file rx_file_perms;
-allow secril-daemon ashmem_device:chr_file x_file_perms;
-
-allow secril-daemon secril-daemon:process { execmem };
-allow secril-daemon unlabeled:dir { search };
-allow secril-daemon radio_prop:property_service { set };
-allow secril-daemon sysfs_wake_lock:file { read write open };
-allow secril-daemon unlabeled:file { read open getattr setattr };
-#allow secril-daemon system_file:file { entrypoint };
-allow secril-daemon radio_data_file:dir { search write add_name read open remove_name };
-allow secril-daemon efs_file:dir { search };
-allow secril-daemon rild_exec:file { entrypoint read };
-allow secril-daemon qmuxd_socket:dir { write add_name remove_name search };
-allow secril-daemon qmuxd_socket:sock_file { create setattr unlink };
-
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
index a9d669c..2694903 100644
--- a/selinux/servicemanager.te
+++ b/selinux/servicemanager.te
@@ -1,6 +1,3 @@
-allow servicemanager rild:dir search;
-allow servicemanager rild:file r_file_perms;
-allow servicemanager rild:process getattr;
allow servicemanager zygote:dir { search read open getattr };
allow servicemanager zygote:file { read open };
allow servicemanager zygote:process { getattr };
diff --git a/selinux/system.te b/selinux/system.te
index 1160fd7..29fe0ff 100755
--- a/selinux/system.te
+++ b/selinux/system.te
@@ -1,6 +1,3 @@
-# Talk to qmuxd
-qmux_socket(system_server)
-
allow system_server diagnostic_device:chr_file rw_file_perms;
allow system_server sensors_device:chr_file { read open };
allow system_server sensors_data_file:file r_file_perms;
@@ -8,4 +5,4 @@ allow system_server wpa_socket:unix_dgram_socket sendto;
allow system_app volume_data_file:file { read write open getattr };
allow system_server sysfs:file { read open write };
-allow system_server self:capability { sys_module };
\ No newline at end of file
+allow system_server self:capability { sys_module };
diff --git a/selinux/te_macros b/selinux/te_macros
index 8378501..e69de29 100755
--- a/selinux/te_macros
+++ b/selinux/te_macros
@@ -1,13 +0,0 @@
-#####################################
-# qmux_socket(clientdomain)
-# Allow client domain to connecto and send
-# via a local socket to the qmux domain.
-# Also allow the client domain to remove
-# its own socket.
-define(`qmux_socket', `
-allow $1 qmuxd_socket:dir create_dir_perms;
-unix_socket_connect($1, qmuxd, qmuxd)
-allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
-')
-
-
diff --git a/selinux/wpa.te b/selinux/wpa.te
index d4b06c7..a209706 100644
--- a/selinux/wpa.te
+++ b/selinux/wpa.te
@@ -1,5 +1,4 @@
allow wpa persist_file:dir search;
-qmux_socket(wpa);
allow wpa self:socket create_socket_perms;
allow wpa smem_log_device:chr_file rw_file_perms;