| -rw-r--r-- | selinux/SMD-daemon.te | 6 | ||||
| -rw-r--r-- | selinux/at_distributor.te | 30 | ||||
| -rw-r--r-- | selinux/diag_uart_log.te | 9 | ||||
| -rw-r--r-- | selinux/file_contexts | 6 | ||||
| -rw-r--r-- | selinux/init.te | 4 | ||||
| -rwxr-xr-x | selinux/kickstart.te | 2 | ||||
| -rw-r--r-- | selinux/qmiproxy.te | 14 | ||||
| -rw-r--r-- | selinux/qmuxd.te | 4 | ||||
| -rw-r--r-- | selinux/radio.te | 1 | ||||
| -rwxr-xr-x | selinux/rild.te | 8 |
10 files changed, 76 insertions, 8 deletions
diff --git a/selinux/SMD-daemon.te b/selinux/SMD-daemon.te
index a29dbde..031daf0 100644
--- a/selinux/SMD-daemon.te
+++ b/selinux/SMD-daemon.te
@@ -1,5 +1,9 @@
 type SMD-daemon, domain;
-permissive SMD-daemon;
 type SMD-daemon_exec, exec_type, file_type;
+init_daemon_domain(SMD-daemon)
 allow SMD-daemon system_file:file { execute_no_trans };
+allow SMD-daemon self:capability { setuid };
+
+allow SMD-daemon log_device:chr_file { write open };
+allow SMD-daemon log_device:dir { search };
diff --git a/selinux/at_distributor.te b/selinux/at_distributor.te
index d5f4808..23036ad 100644
--- a/selinux/at_distributor.te
+++ b/selinux/at_distributor.te
@@ -1,5 +1,33 @@
 type at_distributor, domain;
-permissive at_distributor;
 type at_distributor_exec, exec_type, file_type;
+init_daemon_domain(at_distributor)
 allow at_distributor system_file:file { execute_no_trans };
+
+allow at_distributor radio_device:chr_file { read write open ioctl };
+
+allow at_distributor rild:unix_stream_socket { connectto };
+
+allow at_distributor log_device:chr_file { open write };
+allow at_distributor log_device:dir { search };
+
+allow at_distributor efs_file:dir { search };
+allow at_distributor efs_file:file { read open getattr setattr };
+
+allow at_distributor radio_data_file:dir { search write add_name };
+allow at_distributor radio_data_file:file { open write create getattr read };
+
+allow at_distributor unlabeled:dir { search getattr };
+allow at_distributor unlabeled:file { open read write setattr getattr };
+
+allow at_distributor self:capability { dac_override chown fowner setuid fsetid };
+
+allow at_distributor property_socket:sock_file { open write };
+
+allow at_distributor diag_uart_log_exec:file { getattr };
+
+allow at_distributor init:unix_stream_socket { connectto };
+
+allow at_distributor radio_prop:property_service { set };
+
+allow at_distributor sysfs_wake_lock:file { read write open };
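Review bot: `allow SMD-daemon self:capability { setuid }` carries no comment saying why a modem-side daemon needs to change uid; if it only drops root to a fixed uid at startup, record that next to the rule, e.g. `# setuid: drop root to the daemon's uid after init, nothing else`. The retained `allow SMD-daemon system_file:file { execute_no_trans }` lets the domain exec any system binary without leaving SMD-daemon, so the capability is reachable from those binaries as well, which makes the grant wider than the single line suggests. With `init_daemon_domain(SMD-daemon)` now supplying the SMD-daemon_exec transition, the `domain_trans(init, rootfs, SMD-daemon)` that is still present in init.te looks like a leftover from when the binary carried the rootfs label; worth checking whether it can be removed so only the labeled path transitions.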
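Review bot: The `unlabeled:dir` and `unlabeled:file` rules, including `write` and `setattr`, give at_distributor open-ended access to anything on the device that has no label, which is normally a symptom of a path missing from file_contexts rather than a permission to keep; find the denied path, label it (radio_data_file or a new type) and drop the two unlabeled lines. The capability set `{ dac_override chown fowner setuid fsetid }` is broad for one daemon and is undocumented; each capability should name the file or operation that needs it, and dac_override in particular usually means a file is owned by the wrong uid rather than that the daemon needs to bypass DAC. If the build's macros provide it, `set_prop(at_distributor, radio_prop)` is what the three raw rules (`property_socket:sock_file { open write }`, `init:unix_stream_socket { connectto }`, `radio_prop:property_service { set }`) expand to, and the macro states intent better. `efs_file:file { setattr }` also deserves a comment, since it allows mode and ownership changes on EFS files.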
diff --git a/selinux/diag_uart_log.te b/selinux/diag_uart_log.te
index ba64515..6ebaacb 100644
--- a/selinux/diag_uart_log.te
+++ b/selinux/diag_uart_log.te
@@ -1,7 +1,12 @@
 type diag_uart_log, domain;
-permissive diag_uart_log;
-
 type diag_uart_log_exec, exec_type, file_type;
+init_daemon_domain(diag_uart_log)
 allow diag_uart_log init:process { noatsecure rlimitinh siginh };
+
 allow diag_uart_log log_device:chr_file { open write };
+allow diag_uart_log log_device:dir { search };
+
+allow diag_uart_log at_distributor:unix_stream_socket { connectto };
+
+allow diag_uart_log self:capability { setuid };
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 87739a2..2b87860 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -3,7 +3,7 @@
 /dev/ump u:object_r:gpu_device:s0
 /dev/fimg2d u:object_r:gpu_device:s0
-/dev/s3c-mfc u:object_r:mfc_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
 # RIL
 /dev/mdm u:object_r:radio_device:s0
@@ -60,6 +60,10 @@
 /system/bin/efsks u:object_r:kickstart_exec:s0
 /system/bin/ks u:object_r:kickstart_exec:s0
 /system/bin/qcks u:object_r:kickstart_exec:s0
+/system/bin/qmiproxy u:object_r:qmiproxy_exec:s0
+/system/bin/at_distributor u:object_r:at_distributor_exec:s0
+/system/bin/smdexe u:object_r:SMD-daemon_exec:s0
+/system/bin/diag_uart_log u:object_r:diag_uart_log_exec:s0
 # Sockets
 /dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
diff --git a/selinux/init.te b/selinux/init.te
index 19fe880..9f3c6ae 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -15,3 +15,7 @@ allow init log_device:chr_file { write };
 allow init kernel:system { module_request };
 allow init block_device:lnk_file { setattr };
 domain_trans(init, rootfs, SMD-daemon)
+
+allow init shell_data_file:lnk_file { getattr };
+
+allow init rild:process noatsecure;
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
index 001d53a..8d550c6 100755
--- a/selinux/kickstart.te
+++ b/selinux/kickstart.te
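Review bot: `allow diag_uart_log self:capability { setuid }` is undocumented; if it exists only to drop root once the log device is open, say so, e.g. `# setuid: drop privileges after opening the log device`. `allow diag_uart_log at_distributor:unix_stream_socket { connectto }` targets the peer's socket object, but nothing in this commit labels an at_distributor socket file, so if that socket lives under /dev/socket it will carry the generic socket_device type and need a `sock_file write` rule as well — confirm where at_distributor creates it. The retained `allow diag_uart_log init:process { noatsecure rlimitinh siginh }` reads as the reverse of what a transition needs (init is the source that holds those permissions on the child), so it may be dead; the domain's base rules are outside this hunk, so treat that as something to check rather than a certainty.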
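Review bot: `u:object_r:SMD-daemon_exec:s0` is the only type in this file with uppercase letters and a hyphen; every other type here is lowercase snake_case (`kickstart_exec`, `qmiproxy_exec`, `at_distributor_exec`), so a rename to `smd_daemon_exec` / `smd_daemon`, carried through SMD-daemon.te and the init.te transition, would keep the policy consistent and easier to grep. The four new labels otherwise match the `init_daemon_domain` calls added in this commit, which is what makes the per-binary transitions take effect.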
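Review bot: `allow init rild:process noatsecure;` disables AT_SECURE for the init → rild transition, so rild's dynamic linker will honor environment-driven settings (LD_PRELOAD, LD_LIBRARY_PATH) that secure-mode execution normally ignores. The AOSP transition macros handle this permission with `dontaudit` rather than `allow`, because the denial is harmless and silencing the log is the usual goal; unless rild demonstrably fails without it, `dontaudit init rild:process noatsecure;` is the safer line. `allow init shell_data_file:lnk_file { getattr }` would also benefit from a comment naming the init.rc action that stats a symlink under shell data, since init touching shell-writable paths is worth a second look.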
@@ -50,4 +50,4 @@ allow kickstart kickstart:process { execmem };
 allow kickstart usbfs:dir { search };
 allow kickstart vfat:dir { search };
 allow kickstart log_device:chr_file { open write };
-allow kickstart rild_exec:file { getattr execute read open };
\ No newline at end of file
+allow kickstart rild_exec:file { getattr execute read open };
diff --git a/selinux/qmiproxy.te b/selinux/qmiproxy.te
index 5845fcd..eb332c8 100644
--- a/selinux/qmiproxy.te
+++ b/selinux/qmiproxy.te
@@ -2,4 +2,16 @@
 type qmiproxy, domain;
 type qmiproxy_exec, exec_type, file_type;
 net_domain(qmiproxy)
-init_daemon_domain(qmiproxy)
\ No newline at end of file
+init_daemon_domain(qmiproxy)
+
+allow qmiproxy log_device:chr_file { open write };
+allow qmiproxy log_device:dir { search };
+
+allow qmiproxy qmuxd_socket:dir { search write add_name };
+allow qmiproxy qmuxd_socket:sock_file { create };
+allow qmiproxy property_socket:sock_file { open write };
+allow qmiproxy init:unix_stream_socket connectto;
+
+allow qmiproxy radio_prop:property_service { set };
+
+allow qmiproxy system_file:file { execmod };
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
index 2f3bd59..dfef990 100644
--- a/selinux/qmuxd.te
+++ b/selinux/qmuxd.te
@@ -49,4 +49,6 @@
 allow qmuxd mhi_device:chr_file rw_file_perms;
 allow qmuxd qmuxd:process { execmem };
 allow qmuxd radio_device:chr_file { read write open };
-allow qmuxd log_device:chr_file { open write };
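Review bot: `allow qmiproxy system_file:file { execmod };` permits executing a modified (text-relocated) mapping of a system library, which is a W^X regression: the library involved has text relocations, and the durable fix is to relink it without them (`-Wl,-z,text`) rather than to widen policy. If the binary is vendor-only and cannot be rebuilt, keep the rule but comment which library needs it and mark it a temporary exception, since later AOSP base policy restricts execmod with neverallow rules and this line will block that upgrade. `allow qmiproxy qmuxd_socket:sock_file { create }` lets qmiproxy create socket files in qmuxd's socket directory, so a comment naming the socket path would make the trust relationship between the two daemons reviewable. The property rules (`property_socket:sock_file`, `init:unix_stream_socket connectto`, `radio_prop:property_service set`) are what `set_prop(qmiproxy, radio_prop)` expands to, if the build's macros provide it.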
\ No newline at end of file
+allow qmuxd log_device:chr_file { open write };
+
+allow qmuxd system_file:file { execmod };
diff --git a/selinux/radio.te b/selinux/radio.te
index a591489..0ac335e 100644
--- a/selinux/radio.te
+++ b/selinux/radio.te
@@ -4,3 +4,4 @@ qmux_socket(radio) ;
 allow radio secril-daemon:unix_stream_socket { connectto };
 allow radio log_device:chr_file { write open };
 allow radio log_device:dir { search };
+allow radio system_app_data_file:dir { search };
diff --git a/selinux/rild.te b/selinux/rild.te
index 3128b61..eeaeccf 100755
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -31,3 +31,11 @@ allow rild proc_net:file { write };
 allow rild log_device:chr_file { open };
 allow rild log_device:chr_file write;
 allow rild self:capability dac_override;
+
+allow rild unlabeled:dir { search };
+allow rild unlabeled:file { open read getattr };
+
+allow rild at_distributor:dir { search };
+allow rild at_distributor:file { read open getattr };
+
+allow rild system_file:file { execmod };
|
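Review bot: `allow qmuxd system_file:file { execmod };` together with the retained `allow qmuxd qmuxd:process { execmem }` means this domain can both create anonymous executable memory and execute modified library pages, so every W^X mitigation is switched off for it. Comment which system library carries the text relocations that trigger the execmod denial, and prefer fixing the link (`-Wl,-z,text`) over the policy grant wherever the binary can be rebuilt; if it cannot, mark the rule as a vendor-blob exception so it is not copied into other domains by habit.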
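Review bot: `allow radio system_app_data_file:dir { search }` crosses from the phone process into another app's private data directory with no explanation. `search` alone only permits path traversal, so either a file-level rule is still missing and will surface as the next denial, or the traversal is the whole need and should be documented, e.g. `# search only: traverse into <path> for <reason>; no file access intended`. Naming the path also makes it possible to check later whether the target directory should simply be relabeled instead.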
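Review bot: `allow rild unlabeled:dir { search }` and `allow rild unlabeled:file { open read getattr }` grant access to anything on the device that carries no label, which is almost always a path missing from file_contexts rather than a permission rild needs; label the offending path and these two lines become unnecessary. `allow rild at_distributor:dir { search }` and `allow rild at_distributor:file { read open getattr }` use a process domain as the target, which means /proc/<pid> entries of at_distributor, so a comment naming the entry rild reads (cmdline, status, …) would make the intent reviewable. `allow rild system_file:file { execmod }` permits executing text-relocated system library pages, a W^X regression that should be fixed by relinking the library (`-Wl,-z,text`) or, failing that, documented as a vendor-blob exception with the library named. The enclosing rild rules continue outside this hunk.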
