Diffstat (limited to 'selinux')
-rw-r--r--selinux/bluetooth.te2
-rw-r--r--selinux/device.te23
-rw-r--r--selinux/domain.te3
-rw-r--r--selinux/file.te20
-rw-r--r--selinux/file_contexts9
-rw-r--r--selinux/init.te11
-rwxr-xr-xselinux/kickstart.te12
-rw-r--r--selinux/logd.te2
-rw-r--r--selinux/mediaserver.te4
-rw-r--r--selinux/netd.te1
-rwxr-xr-xselinux/netmgrd.te4
-rw-r--r--selinux/nfc.te1
-rw-r--r--selinux/qmiproxy.te5
-rwxr-xr-xselinux/qmux.te21
-rw-r--r--selinux/qmuxd.te50
-rw-r--r--selinux/radio.te2
-rwxr-xr-xselinux/rild.te35
-rw-r--r--selinux/secril.te12
-rw-r--r--selinux/servicemanager.te9
-rw-r--r--selinux/sysinit.te2
-rwxr-xr-xselinux/system.te14
-rw-r--r--selinux/system_app.te1
-rw-r--r--selinux/system_server.te5
-rwxr-xr-xselinux/te_macros13
-rw-r--r--selinux/time_daemon.te21
-rw-r--r--selinux/ueventd.te3
-rw-r--r--selinux/vold.te2
-rw-r--r--selinux/wpa.te7
-rwxr-xr-xselinux/wpa_supplicant.te2
-rw-r--r--selinux/zygote.te3
30 files changed, 242 insertions, 57 deletions
diff --git a/selinux/bluetooth.te b/selinux/bluetooth.te
new file mode 100644
index 0000000..a6e68b8
--- /dev/null
+++ b/selinux/bluetooth.te
@@ -0,0 +1,2 @@
+allow bluetooth smd_device:chr_file { read write ioctl open };
+allow bluetooth sysfs:file { write }; \ No newline at end of file
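Review bot: `allow bluetooth sysfs:file { write };` on the second line grants the Bluetooth app domain write access to every file carrying the generic `sysfs` label, not only the node it needs. The policy already shows the right pattern for this (`rfkill_device` for the rfkill node), so the sysfs file being written should get its own `sysfs_type` label in file_contexts/genfs_contexts and the rule should name that type instead of `sysfs`. A short comment naming the node would also let a reviewer confirm the scope. The file is missing its trailing newline.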
diff --git a/selinux/device.te b/selinux/device.te
index c95050b..e4cec2d 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,4 +1,27 @@
type mali_device, dev_type, mlstrustedobject;
+type mfc_device, dev_type;
type rfkill_device, dev_type;
+type wlan_device, dev_type;
+type modem_block_device, dev_type;
type diagnostic_device, dev_type;
type efs_block_device, dev_type;
+type mmc_block_device, dev_type;
+
+#SSR device
+type ssr_device, dev_type;
+
+#device type for smd device nodes, ie /dev/smd*
+type smd_device, dev_type;
+
+#Define the hsic device
+type hsic_device, dev_type;
+
+#Define the mhi device
+type mhi_device, dev_type;
+
+#Define the logging device type
+type diag_device, dev_type;
+type smem_log_device, dev_type;
+
+#Define rct device type for time daemon
+type rtc_device, dev_type;
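Review bot: The last comment in the hunk reads `#Define rct device type for time daemon` while the type declared is `rtc_device`; it should read `#Define rtc device type for time daemon`. The hunk also introduces `diag_device` next to the pre-existing `diagnostic_device`, and the rest of the diff mixes the two (qmuxd.te and domain.te use `diag_device`, rild.te uses `diagnostic_device`), yet no file_contexts hunk here labels a diag node with either type. Unless that label lives in a file outside this diff, rules written against `diag_device` never match; settle on one type for the diag node and label it.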
diff --git a/selinux/domain.te b/selinux/domain.te
index 1be0633..56c2d49 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,4 +1,7 @@
## /dev/mali, /dev/ump
allow domain mali_device:chr_file rw_file_perms;
+userdebug_or_eng(`
+ allow domain diag_device:chr_file rw_file_perms;
+')
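Review bot: The new `userdebug_or_eng` block gives every domain — including untrusted_app and isolated_app — read/write on `diag_device`, so on userdebug/eng builds any installed app can reach the modem diag channel. The daemons that actually need it already receive explicit rules in this diff (qmuxd on `diag_device`, rild on `diagnostic_device`), so this domain-wide rule should be dropped or narrowed to the specific debugging domains, e.g. `allow shell diag_device:chr_file rw_file_perms;` inside the same `userdebug_or_eng` wrapper. Keeping the grant out of user builds is correct, but policy that differs by build type also makes user-build denials harder to reproduce, which is one more reason to keep the exception small.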
diff --git a/selinux/file.te b/selinux/file.te
index 185b1c2..b711ab6 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -1,4 +1,4 @@
-type radio_efs_file, fs_type;
+type radio_efs_file, fs_type, contextmount_type;
type firmware_mfc, file_type;
type firmware_camera, file_type;
@@ -7,3 +7,21 @@ type qmuxd_socket, file_type;
type kickstart_data_file, file_type, data_file_type;
type sensors_data_file, file_type, data_file_type;
type volume_data_file, file_type, data_file_type;
+
+#File types required by mdm-helper
+type sysfs_esoc, sysfs_type, fs_type;
+type sysfs_ssr, sysfs_type, fs_type;
+type sysfs_ssr_toggle, sysfs_type, file_type;
+type sysfs_hsic, sysfs_type, fs_type;
+type sysfs_hsic_host_rdy, sysfs_type, file_type;
+
+#Define the timeout for platform specific transports
+type sysfs_hsic_modem_wait, sysfs_type, fs_type;
+type sysfs_smd_open_timeout, sysfs_type, fs_type;
+
+# Persist file types
+type persist_file, file_type;
+type persist_data_file, file_type;
+type persist_drm_file, file_type;
+type data_drm_file, file_type;
+
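Review bot: The new sysfs types (`sysfs_esoc`, `sysfs_ssr`, `sysfs_ssr_toggle`, `sysfs_hsic`, `sysfs_hsic_host_rdy`, `sysfs_hsic_modem_wait`, `sysfs_smd_open_timeout`) and the `persist_*`/`data_drm_file` types are declared here, but nothing in this diff assigns them to a path — the file_contexts hunks only touch /dev and /system/bin entries and no genfs_contexts change is included. Unless those labels are set in a file outside the diff, every rule written against them in qmuxd.te, rild.te, time_daemon.te and wpa.te is dead and the generic `sysfs:file` grants elsewhere in the diff are what actually take effect. The attribute sets are also inconsistent: `sysfs_ssr_toggle` and `sysfs_hsic_host_rdy` carry `file_type` while their siblings carry `fs_type`; pick one for all seven so the attribute-based rules treat them alike.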
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 513f77f..90d9a3b 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -3,6 +3,8 @@
/dev/ump u:object_r:mali_device:s0
/dev/fimg2d u:object_r:mali_device:s0
+/dev/s3c-mfc u:object_r:mfc_device:s0
+
# RIL
/dev/mdm u:object_r:radio_device:s0
/dev/hsicctl[0-3]* u:object_r:radio_device:s0
@@ -49,8 +51,7 @@
/data/misc/radio/dlnk u:object_r:radio_data_file:s0
# Binaries
-/system/bin/qmuxd u:object_r:qmux_exec:s0
-/system/bin/netmgrd u:object_r:netmgrd_exec:s0
+/system/bin/qmuxd u:object_r:qmuxd_exec:s0
/system/bin/efsks u:object_r:kickstart_exec:s0
/system/bin/ks u:object_r:kickstart_exec:s0
/system/bin/qcks u:object_r:kickstart_exec:s0
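Review bot: Removing `/system/bin/netmgrd u:object_r:netmgrd_exec:s0` leaves no label for the netmgrd binary anywhere in this diff, so it falls back to `system_file` and init starts it without the `init_daemon_domain(netmgrd)` transition — the daemon then runs in the `init` domain and every rule in netmgrd.te (which this diff still extends) is dead. The new `init:packet_socket`, `init:rawip_socket` and `init:capability sys_module` rules in init.te look like exactly that fallout, given that netmgrd's own rules need `net_raw` and `sys_module`. Unless the label is restored in another file, keep the line: `/system/bin/netmgrd u:object_r:netmgrd_exec:s0`.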
@@ -63,9 +64,7 @@
/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
# Block devices
-/dev/block/mmcblk0p[3-6]* u:object_r:efs_block_device:s0
-/dev/block/mmcblk0p10 u:object_r:efs_block_device:s0
-/dev/block/mmcblk0p11 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0(.*) u:object_r:mmc_block_device:s0
# Audio related
/data/local/audio(/.*)? u:object_r:volume_data_file:s0
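Review bot: `/dev/block/mmcblk0(.*) u:object_r:mmc_block_device:s0` collapses every partition on the eMMC — the EFS partitions previously singled out as `efs_block_device` plus whatever else lives on mmcblk0 (system, userdata, boot and so on, depending on the partition table) — into one type, and this diff then grants `kickstart` read/write and `vold` read/write/ioctl on it. A domain that could previously touch only the EFS slices can now write the whole disk, so the partition-level separation the removed three lines provided is gone. Keep `efs_block_device` for the EFS partitions (updating the old regexes if the partition numbers moved) and give the partitions vold mounts their own type, so that `kickstart` and `vold` each stay on the slices they need.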
diff --git a/selinux/init.te b/selinux/init.te
index 2f29889..2fdff9a 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -1,3 +1,14 @@
allow init wpa_socket:unix_dgram_socket { bind create };
+allow init su_exec:file { execute_no_trans };
+allow init init:process { execmem };
+allow init init:capability { sys_module };
+allow init radio_efs_file:filesystem { relabelto };
+allow init app_data_file:dir { read open setattr getattr relabelfrom };
+
+allow init_shell kernel:system { syslog_mod };
+allow init init:packet_socket { create bind write read };
+allow init init:rawip_socket { create setopt write };
+
+allow init_shell init:packet_socket { read write };
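Review bot: `allow init su_exec:file { execute_no_trans };` lets init run the `su` binary inside its own domain, and together with `init:process { execmem }`, `init:capability { sys_module }` and the new packet/raw socket rules it widens the most privileged domain on the system instead of moving the work into a confined daemon. If an init.rc `exec` or service line invokes `su`, it should be removed or given a proper domain transition, and the socket and `sys_module` needs look like a daemon now running as init (netmgrd, whose `netmgrd_exec` label this diff drops from file_contexts) rather than something init itself requires — worth confirming before these rules land. `allow init app_data_file:dir { ... relabelfrom }` also lets init strip the app-data label from app directories; it should be paired with the specific `relabelto` target and a comment naming the restorecon step that needs it.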
diff --git a/selinux/kickstart.te b/selinux/kickstart.te
index 14e1ad5..d663145 100755
--- a/selinux/kickstart.te
+++ b/selinux/kickstart.te
@@ -13,7 +13,7 @@ allow kickstart kickstart_exec:file { open execute_no_trans getattr };
# Run dd on m9kefs[123] block devices; write to /data/qcks/
# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
-allow kickstart efs_block_device:blk_file rw_file_perms;
+allow kickstart mmc_block_device:blk_file { getattr read write open };
allow kickstart kickstart_data_file:file create_file_perms;
allow kickstart kickstart_data_file:dir rw_dir_perms;
allow kickstart radio_efs_file:file r_file_perms;
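Review bot: `allow kickstart mmc_block_device:blk_file { getattr read write open };` now gives kickstart write access to every mmcblk0 partition, because file_contexts in this diff relabels `/dev/block/mmcblk0(.*)` with that single type, while the comment two lines above still states the intent is `dd` on the `m9kefs[123]` partitions only. Keep the EFS partitions on `efs_block_device` and leave this as `allow kickstart efs_block_device:blk_file rw_file_perms;`; if the partition numbers moved, fix the old file_contexts regex rather than widening the type.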
@@ -41,4 +41,12 @@ allow kickstart shell_exec:file entrypoint;
allow kickstart self:capability { dac_override setuid };
# XXX Label sysfs files with a specific type?
-allow kickstart sysfs:file rw_file_perms; \ No newline at end of file
+allow kickstart sysfs:file rw_file_perms;
+
+allow kickstart unlabeled:file { setattr getattr read write open };
+allow kickstart vfat:file { getattr read open };
+allow kickstart kickstart:process { execmem };
+#allow kickstart usbfs:filesystem { mount };
+allow kickstart usbfs:dir { search };
+#allow kickstart system_file:file { entrypoint };
+allow kickstart vfat:dir { search };
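Review bot: `allow kickstart unlabeled:file { setattr getattr read write open };` grants read/write — and `setattr`, i.e. ownership/mode changes — on files that carry no label at all, which usually means a filesystem mounted without a `context=` option or files created before policy load; the neighbouring `vfat` rules suggest a FAT volume is involved. Granting `unlabeled` hides the labeling gap rather than closing it, so mount the volume with a context (or label the files) and target that type. The commented-out `usbfs:filesystem { mount }` and `system_file:file { entrypoint }` lines should be dropped instead of kept as dead policy, and `kickstart:process { execmem }` deserves a comment naming the binary or library that needs writable-and-executable memory so the rule can be removed once that is fixed.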
diff --git a/selinux/logd.te b/selinux/logd.te
new file mode 100644
index 0000000..d2378fd
--- /dev/null
+++ b/selinux/logd.te
@@ -0,0 +1,2 @@
+allow logd location_app:dir r_dir_perms;
+allow logd location_app:file r_file_perms; \ No newline at end of file
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index 011f7c6..65550ce 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -1,7 +1,9 @@
-qmux_socket(mediaserver)
+qmux_socket(mediaserver);
allow mediaserver self:socket create_socket_perms;
allow mediaserver { firmware_camera }:file r_file_perms;
allow mediaserver firmware_camera:dir r_dir_perms;
allow mediaserver camera_data_file:file rw_file_perms;
allow mediaserver volume_data_file:file create_file_perms;
allow mediaserver volume_data_file:dir create_dir_perms;
+allow mediaserver mfc_device:chr_file rw_file_perms;
+allow mediaserver system_data_file:file { write open };
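Review bot: `allow mediaserver system_data_file:file { write open };` lets mediaserver write any file carrying the generic `/data` label, far wider than the `camera_data_file` and `volume_data_file` types it already has dedicated rules for in this same hunk. Find the path behind the denial and give it its own `data_file_type` label, following the pattern of the two existing types. The `;` appended to `qmux_socket(mediaserver)` is inconsistent with domain.te and netmgrd.te, which call macros without one; whether a bare `;` left over from the m4 expansion is accepted depends on the policy compiler, so keep the macro calls uniform across the tree.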
diff --git a/selinux/netd.te b/selinux/netd.te
new file mode 100644
index 0000000..0fb1b6a
--- /dev/null
+++ b/selinux/netd.te
@@ -0,0 +1 @@
+allow netd kernel:system { module_request }; \ No newline at end of file
diff --git a/selinux/netmgrd.te b/selinux/netmgrd.te
index 11159a4..0f31fad 100755
--- a/selinux/netmgrd.te
+++ b/selinux/netmgrd.te
@@ -2,9 +2,11 @@
type netmgrd, domain;
type netmgrd_exec, exec_type, file_type;
+net_domain(netmgrd)
# Started by init
init_daemon_domain(netmgrd)
+
allow netmgrd self:udp_socket { create ioctl };
# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
@@ -27,3 +29,5 @@ allow netmgrd system_file:file { execute_no_trans };
unix_socket_connect(netmgrd, property, init)
# Set net.rmnet_usb0. values
allow netmgrd radio_prop:property_service set;
+
+allow netmgrd netmgrd:process { execmem };
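Review bot: `allow netmgrd netmgrd:process { execmem };` removes the no-writable-executable-memory guarantee for a daemon that already holds `net_admin`, `net_raw`, `sys_module` and `dac_override`, which makes any memory-corruption bug in it far easier to turn into code execution. In practice this is usually caused by text relocations in a prebuilt library rather than a real requirement; fix the build if so, and until then add a comment naming the library so the rule has an owner and an exit condition. Note also that file_contexts in this diff no longer labels `/system/bin/netmgrd` as `netmgrd_exec`, so without that entry none of these rules apply.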
diff --git a/selinux/nfc.te b/selinux/nfc.te
new file mode 100644
index 0000000..9c8c37a
--- /dev/null
+++ b/selinux/nfc.te
@@ -0,0 +1 @@
+allow nfc firmware_camera:dir { search }; \ No newline at end of file
diff --git a/selinux/qmiproxy.te b/selinux/qmiproxy.te
new file mode 100644
index 0000000..5845fcd
--- /dev/null
+++ b/selinux/qmiproxy.te
@@ -0,0 +1,5 @@
+type qmiproxy, domain;
+type qmiproxy_exec, exec_type, file_type;
+
+net_domain(qmiproxy)
+init_daemon_domain(qmiproxy) \ No newline at end of file
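Review bot: `init_daemon_domain(qmiproxy)` only takes effect if the qmiproxy binary is labelled `qmiproxy_exec`, and the file_contexts hunks in this diff add no such entry; unless it is set elsewhere the daemon keeps running as `init` and this file does nothing. Add the file_contexts line for the qmiproxy binary and give the domain a one-line comment on what it proxies, since `net_domain(qmiproxy)` hands it full IP socket access. The file is also missing its trailing newline.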
diff --git a/selinux/qmux.te b/selinux/qmux.te
deleted file mode 100755
index e2a5bbf..0000000
--- a/selinux/qmux.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# Qualcomm Management Interface Multiplexer
-type qmux, domain;
-type qmux_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(qmux)
-
-# Create local qmux_connect_socket
-allow qmux qmuxd_socket:dir w_dir_perms;
-allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
-
-# /dev/hsicctl* node access
-allow qmux radio_device:chr_file rw_file_perms;
-
-# Allow logging diagnostic items
-allow qmux diagnostic_device:chr_file rw_file_perms;
-
-allow qmux self:capability { dac_override setuid };
-
-# XXX Should we label with own type
-allow qmux sysfs:file { open write append read getattr };
diff --git a/selinux/qmuxd.te b/selinux/qmuxd.te
new file mode 100644
index 0000000..12413a7
--- /dev/null
+++ b/selinux/qmuxd.te
@@ -0,0 +1,50 @@
+type qmuxd, domain;
+type qmuxd_exec, exec_type, file_type;
+net_domain(qmuxd)
+init_daemon_domain(qmuxd)
+
+userdebug_or_eng(`
+ domain_auto_trans(shell, qmuxd_exec, qmuxd)
+ domain_auto_trans(adbd, qmuxd_exec, qmuxd)
+')
+
+#Allow qmuxd to operate on various qmux device sockets
+#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
+
+qmux_socket(qmuxd);
+
+#Allow logging
+allow qmuxd diag_device:chr_file { rw_file_perms };
+
+#Allow operation in platform specific transports
+allow qmuxd smd_device:chr_file { rw_file_perms };
+allow qmuxd hsic_device:chr_file { rw_file_perms };
+
+#Allow qmuxd to operate in platform specific transports
+allow qmuxd sysfs_smd_open_timeout:file w_file_perms;
+allow qmuxd sysfs_wake_lock:file { append open };
+
+#Allow qmuxd to write in hsic specific transport
+allow qmuxd sysfs:file w_file_perms;
+
+allow qmuxd self:capability { setuid setgid setpcap dac_override };
+
+#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
+allow qmuxd qmuxd:capability2 { block_suspend };
+
+allow qmuxd sysfs_esoc:dir r_dir_perms;
+allow qmuxd sysfs_hsic_modem_wait:file w_file_perms;
+allow qmuxd sysfs_esoc:lnk_file read;
+
+r_dir_file(qmuxd, sysfs_ssr);
+allow qmuxd mhi_device:chr_file rw_file_perms;
+
+allow qmuxd qmuxd:process { execmem };
+allow qmuxd radio_device:chr_file {read write open }; \ No newline at end of file
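Review bot: `allow qmuxd sysfs:file w_file_perms;` (commented as the HSIC transport write) grants write on every generically-labelled sysfs file, which is precisely what the new `sysfs_hsic`/`sysfs_hsic_host_rdy` types in file.te were declared to avoid — label those nodes, use the specific types here and drop the generic rule. The domain also gets `dac_override` and `setpcap` (DAC and capability-bounding bypasses) and `execmem` (disables W^X); each deserves a comment naming the code path that needs it so it can be revisited. The eight commented-out `qmux_*_socket` rules should be removed rather than kept as dead policy, and the `userdebug_or_eng` `shell`/`adbd` → `qmuxd` auto-transitions let the shell user run the daemon binary inside this privileged domain, so they too need a justifying comment.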
diff --git a/selinux/radio.te b/selinux/radio.te
new file mode 100644
index 0000000..da639c5
--- /dev/null
+++ b/selinux/radio.te
@@ -0,0 +1,2 @@
+# Talk to qmuxd (/dev/socket/qmux_radio)
+qmux_socket(radio) ; \ No newline at end of file
diff --git a/selinux/rild.te b/selinux/rild.te
index 04209b0..96d30df 100755
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -1,14 +1,27 @@
-## RIL
-allow rild radio_device:chr_file rw_file_perms;
-allow rild { efs_file }:file rw_file_perms;
-allow rild self:netlink_socket { create bind read write };
-allow rild self:netlink_route_socket { write };
+#allow rild qmux_radio_socket:dir { write remove_name search add_name };
+#allow rild qmux_radio_socket:sock_file { write create unlink setattr };
+#allow rild qmuxd:unix_stream_socket connectto;
+qmux_socket(rild);
+binder_use(rild)
-# Talk to qmuxd
-qmux_socket(rild)
+allow rild ssr_device:chr_file { open read };
+allow rild sysfs_esoc:dir { search read open};
+allow rild sysfs_esoc:lnk_file { read };
+allow rild sysfs_esoc:file { write };
+allow rild sysfs_ssr:dir { open search read };
+allow rild sysfs_ssr:lnk_file { read open };
-# Allow logging diagnostic items
-allow rild diagnostic_device:chr_file rw_file_perms;
+allow rild mediaserver:binder { transfer call };
-# XXX label with own type?
-allow rild sysfs:file { read open write getattr };
+#allow rild diag_device:chr_file { open read write };
+allow rild rild_socket:chr_file { open read write };
+
+allow rild sysfs_ssr:dir r_dir_perms;
+allow rild sysfs_ssr:lnk_file read;
+allow rild system_data_file:dir w_dir_perms;
+allow rild system_data_file:file create_file_perms;
+#allow rild time_daemon:unix_stream_socket connectto;
+
+allow rild rild:process execmem;
+allow rild diagnostic_device:chr_file { read write open };
+allow rild radio_data_file:dir { setattr };
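Review bot: `allow rild system_data_file:dir w_dir_perms;` and `allow rild system_data_file:file create_file_perms;` let rild create, write and delete files under any directory carrying the generic `/data` label, much wider than the `radio_data_file` type it already uses (this hunk even adds `radio_data_file:dir { setattr }`); find the directory involved and label it `radio_data_file` instead. `allow rild rild_socket:chr_file { open read write };` puts a socket-file type on the `chr_file` class, which means a device node is carrying the `rild_socket` label — a labeling bug (probably a file_contexts regex that is too wide) rather than something to allow. The `mediaserver:binder { transfer call }` rule and the four commented-out `qmux_radio_socket`/`qmuxd`/`time_daemon` lines need either a comment explaining why rild talks to mediaserver over binder, or removal.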
diff --git a/selinux/secril.te b/selinux/secril.te
index 7761d80..f6fa610 100644
--- a/selinux/secril.te
+++ b/selinux/secril.te
@@ -22,4 +22,14 @@ allow secril-daemon shell_exec:file rx_file_perms;
allow secril-daemon app_data_file:file rw_file_perms;
allow secril-daemon app_data_file:dir search;
allow secril-daemon zygote_exec:file rx_file_perms;
-allow secril-daemon ashmem_device:chr_file x_file_perms; \ No newline at end of file
+allow secril-daemon ashmem_device:chr_file x_file_perms;
+
+allow secril-daemon secril-daemon:process { execmem };
+allow secril-daemon unlabeled:dir { search };
+allow secril-daemon radio_prop:property_service { set };
+allow secril-daemon sysfs_wake_lock:file { read write open };
+allow secril-daemon unlabeled:file { read open getattr setattr };
+#allow secril-daemon system_file:file { entrypoint };
+allow secril-daemon radio_data_file:dir { search write add_name read open remove_name };
+allow secril-daemon efs_file:dir { search };
+
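Review bot: `allow secril-daemon unlabeled:dir { search };` and `allow secril-daemon unlabeled:file { read open getattr setattr };` grant access, including `setattr`, to objects that carry no label, which sidesteps the labeling instead of fixing it; whatever mount or leftover directory this is should receive a proper type (likely the same gap kickstart.te covers with its own `unlabeled` rules). Together with the pre-existing `app_data_file:file rw_file_perms` and `shell_exec`/`zygote_exec` execute rules, the new `execmem` makes this a very broad domain for a RIL helper, so at minimum each new rule should carry a one-line comment naming the denial it resolves. Drop the commented-out `system_file:file { entrypoint }` line rather than leaving it as dead policy.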
diff --git a/selinux/servicemanager.te b/selinux/servicemanager.te
new file mode 100644
index 0000000..f793106
--- /dev/null
+++ b/selinux/servicemanager.te
@@ -0,0 +1,9 @@
+allow servicemanager rild:dir search;
+allow servicemanager rild:file r_file_perms;
+allow servicemanager rild:process getattr;
+allow servicemanager zygote:dir { search read open getattr };
+allow servicemanager zygote:file { read open };
+allow servicemanager zygote:process { getattr };
+allow servicemanager init:file rw_file_perms;
+allow servicemanager init:dir { search read open getattr };
+allow servicemanager init:process { getattr }; \ No newline at end of file
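Review bot: `allow servicemanager init:file rw_file_perms;` gives servicemanager write access to init's `/proc/<pid>` entries, whereas the parallel rules for `rild` and `zygote` in this same file grant only `r_file_perms` / `{ read open }`; looking up a caller's credentials, the usual reason servicemanager reads `/proc/<pid>`, needs no write permission. Change it to `allow servicemanager init:file r_file_perms;` unless a specific write is known, and if these rules exist because a daemon running as `init` is registering binder services (see the dropped `netmgrd_exec` label and the `su_exec` rule in init.te), fix that root cause instead. The file is missing its trailing newline.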
diff --git a/selinux/sysinit.te b/selinux/sysinit.te
new file mode 100644
index 0000000..84765ea
--- /dev/null
+++ b/selinux/sysinit.te
@@ -0,0 +1,2 @@
+allow sysinit mmc_block_device:file read;
+allow sysinit firmware_camera:dir { read search open getattr }; \ No newline at end of file
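Review bot: `allow sysinit mmc_block_device:file read;` uses the `file` object class with a block-device type; the `/dev/block/mmcblk0*` nodes are `blk_file`, so this rule only matches if a regular file somehow carries the `mmc_block_device` label, which would itself be a labeling error. If the denial was on the device node, the rule needed is `allow sysinit mmc_block_device:blk_file r_file_perms;` (and note how wide that type becomes with the file_contexts change in this diff); if it was on a regular file, fix the label. The file lacks a trailing newline.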
diff --git a/selinux/system.te b/selinux/system.te
index 0db325d..1160fd7 100755
--- a/selinux/system.te
+++ b/selinux/system.te
@@ -1,11 +1,11 @@
# Talk to qmuxd
-qmux_socket(system)
+qmux_socket(system_server)
-allow system diagnostic_device:chr_file rw_file_perms;
-allow system sensors_device:chr_file { read open };
-allow system sensors_data_file:file r_file_perms;
-allow system wpa_socket:unix_dgram_socket sendto;
+allow system_server diagnostic_device:chr_file rw_file_perms;
+allow system_server sensors_device:chr_file { read open };
+allow system_server sensors_data_file:file r_file_perms;
+allow system_server wpa_socket:unix_dgram_socket sendto;
allow system_app volume_data_file:file { read write open getattr };
-allow system sysfs:file { read open write };
-allow system self:capability { sys_module };
+allow system_server sysfs:file { read open write };
+allow system_server self:capability { sys_module }; \ No newline at end of file
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..91e658f
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1 @@
+#allow system_app sysfs:file { write }; \ No newline at end of file
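Review bot: The new file consists of a single commented-out rule, `#allow system_app sysfs:file { write };`, so it adds nothing to the policy. Either the rule is needed — then it should be enabled against a specifically labelled sysfs node rather than the generic `sysfs` type — or the file should not be added; a commented rule without a note reads as an unresolved denial.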
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..0bf317f
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,5 @@
+allow system_server device:chr_file { ioctl };
+allow system_server uhid_device:file { read write open ioctl };
+allow system_server uhid_device:chr_file { read write open ioctl };
+allow system_server efs_file:dir { search };
+allow system_server efs_file:file r_file_perms;
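Review bot: `allow system_server device:chr_file { ioctl };` permits ioctl on every character device carrying the fallback `device` label, i.e. nodes nobody assigned a type to; the fix is to label the node that produced the denial (the `uhid_device` lines below show the pattern) and drop this rule. `allow system_server uhid_device:file { read write open ioctl };` is on the wrong object class — `/dev/uhid` is a `chr_file`, which the following line already covers — so the `file` line can be removed.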
diff --git a/selinux/te_macros b/selinux/te_macros
index 274fd55..8378501 100755
--- a/selinux/te_macros
+++ b/selinux/te_macros
@@ -1,12 +1,13 @@
#####################################
# qmux_socket(clientdomain)
-# Allow client to send via a local
-# socket to the qmux domain.
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
define(`qmux_socket', `
-type $1_qmuxd_socket, file_type;
-file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
-unix_socket_connect($1, qmuxd, qmux)
-allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
+allow $1 qmuxd_socket:dir create_dir_perms;
+unix_socket_connect($1, qmuxd, qmuxd)
+allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
')
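Review bot: The rewritten `qmux_socket` drops the per-client socket type: previously each caller got its own `$1_qmuxd_socket` through `file_type_auto_trans` and only the daemon could unlink it, whereas now every client (mediaserver, wpa, radio, system_server, rild) receives `create_dir_perms` on the `qmuxd_socket` directory and `create unlink setattr write` on every `qmuxd_socket` sock_file, so any one of them can delete or replace another client's socket or the daemon's own listener. Restoring the per-client type, with the daemon renamed to `qmuxd`, keeps that isolation; qmuxd itself should then keep direct `qmuxd_socket:dir`/`sock_file` rules in qmuxd.te rather than calling the client macro on itself. The comment's `connecto` should read `connect to`.
```selinux
define(`qmux_socket', `
type $1_qmuxd_socket, file_type;
file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
unix_socket_connect($1, qmuxd, qmuxd)
allow qmuxd $1_qmuxd_socket:sock_file { getattr unlink };
')
```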
diff --git a/selinux/time_daemon.te b/selinux/time_daemon.te
new file mode 100644
index 0000000..5793197
--- /dev/null
+++ b/selinux/time_daemon.te
@@ -0,0 +1,21 @@
+# Policies for time daemon
+type time_daemon, domain;
+type time_daemon_exec, exec_type, file_type;
+type time_data_file, file_type, data_file_type;
+
+# Make transition to its own time_daemon domain from init
+init_daemon_domain(time_daemon)
+allow time_daemon smem_log_device:chr_file rw_file_perms;
+
+# Add rules for access permissions
+#============= IOCTL operations ==============
+allow time_daemon rtc_device:chr_file { open read ioctl };
+allow time_daemon alarm_device:chr_file { open read write ioctl };
+
+#============= File read/write ==============
+allow time_daemon time_data_file:file { write create open read};
+allow time_daemon time_data_file:dir { write add_name search};
+allow time_daemon self:socket { write read create ioctl};
+allow time_daemon self:capability { setuid setgid };
+
+r_dir_file(time_daemon, sysfs_esoc);
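Review bot: `time_daemon_exec` and `time_data_file` are declared and `init_daemon_domain(time_daemon)` is invoked, but no file_contexts hunk in this diff labels the binary or its data directory; unless that is done elsewhere, the daemon keeps running as `init` and the `time_data_file` rules never apply. `allow time_daemon self:socket { write read create ioctl };` is on the generic `socket` class, which covers socket families without a class of their own; a comment naming the family would let a reviewer confirm that no narrower class applies. The trailing `;` on `r_dir_file(time_daemon, sysfs_esoc)` is inconsistent with the macro calls earlier in the same file.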
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
index 489b31a..df589f0 100644
--- a/selinux/ueventd.te
+++ b/selinux/ueventd.te
@@ -3,4 +3,5 @@ allow ueventd { radio_efs_file }:file r_file_perms;
allow ueventd { radio_efs_file }:dir search;
## More Firmwares
allow ueventd { firmware_mfc }:file r_file_perms;
-allow ueventd { firmware_camera }:dir search; \ No newline at end of file
+allow ueventd { firmware_camera }:dir search;
+allow ueventd firmware_camera:file { read open getattr }; \ No newline at end of file
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..3487976
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1,2 @@
+allow vold kernel:system { module_request };
+allow vold mmc_block_device:blk_file { read write open ioctl getattr }; \ No newline at end of file
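Review bot: `allow vold mmc_block_device:blk_file { read write open ioctl getattr };`, combined with the file_contexts change that labels `/dev/block/mmcblk0(.*)` as one type, gives vold read/write on every eMMC partition — including the EFS partitions that were previously `efs_block_device` and, depending on the partition table, system and boot — not only the volumes it manages. Label the partitions vold actually mounts with their own type and grant this rule on that type. `module_request` lets vold have the kernel autoload modules by name; a comment naming the filesystem module it needs keeps that grant justified. The file is missing its trailing newline.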
diff --git a/selinux/wpa.te b/selinux/wpa.te
new file mode 100644
index 0000000..32dc267
--- /dev/null
+++ b/selinux/wpa.te
@@ -0,0 +1,7 @@
+allow wpa persist_file:dir search;
+qmux_socket(wpa);
+
+allow wpa self:socket create_socket_perms;
+allow wpa smem_log_device:chr_file rw_file_perms;
+allow wpa proc_net:file write;
+allow wpa wifi_data_file:sock_file { write };
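Review bot: `allow wpa proc_net:file write;` lets wpa_supplicant write any file under the `proc_net` label — `/proc/net` and the `/proc/sys/net` sysctls — so it can change kernel networking settings well beyond whichever single knob it presumably needs. Identify that file, give it its own type in genfs_contexts and grant write on that type only. `allow wpa self:socket create_socket_perms;` on the generic socket class and `qmux_socket(wpa)` (QMI access to the modem mux from the Wi-Fi daemon) are both unusual for wpa_supplicant and deserve a comment explaining the vendor-specific need.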
diff --git a/selinux/wpa_supplicant.te b/selinux/wpa_supplicant.te
index ab5fb24..91a5c56 100755
--- a/selinux/wpa_supplicant.te
+++ b/selinux/wpa_supplicant.te
@@ -4,7 +4,7 @@ allow wpa init:unix_dgram_socket { read write };
allow wpa devpts:chr_file { read write };
allow wpa wpa_socket:unix_dgram_socket { read write };
-allow wpa_socket system:unix_dgram_socket sendto;
+allow wpa_socket system_server:unix_dgram_socket sendto;
allow wpa_socket wifi_data_file:sock_file unlink;
allow wpa rfkill_device:chr_file rw_file_perms; \ No newline at end of file
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..d25d524
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1,3 @@
+allow zygote shell_data_file:dir search;
+allow zygote devpts:chr_file { read write };
+allow zygote init_shell:process { sigchld };
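Review bot: `allow zygote init_shell:process { sigchld };` means a process in the `init_shell` domain is zygote's parent, i.e. zygote is being launched from a shell script rather than directly by init; the `devpts:chr_file { read write }` and `shell_data_file:dir search` rules fit the same picture. That bypasses the normal init → zygote start path and leaves a shell running with whatever `init_shell` is allowed for the lifetime of the system; unless this is deliberate, start zygote from an init.rc `service` entry and drop these three rules. If it is deliberate, a comment naming the script would save the next reviewer the same investigation.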