authorLinux Build Service Account <lnxbuild@localhost>2014-12-10 13:03:58 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2014-12-10 13:03:58 -0800
commit77586e2947fc8c5c3bc1ef222478961518ae14a5 (patch)
treedddbc16f7d32a4add6f20aae8d8c6e4dfaaea669
parentfbc4f83670ee249790928891461fd85b48a7d7fc (diff)
parent93241e5253df5e58322729ceba368dba3d5b0dc7 (diff)
downloadandroid_device_qcom_sepolicy-77586e2947fc8c5c3bc1ef222478961518ae14a5.tar.gz
android_device_qcom_sepolicy-77586e2947fc8c5c3bc1ef222478961518ae14a5.tar.bz2
android_device_qcom_sepolicy-77586e2947fc8c5c3bc1ef222478961518ae14a5.zip
Merge "sepolicy: Update the sepolicy for RFS and RMTS"
-rw-r--r--[-rwxr-xr-x]common/file.te1
-rw-r--r--[-rwxr-xr-x]common/file_contexts2
-rw-r--r--common/rfs_access.te43
-rw-r--r--common/rmt_storage.te22
4 files changed, 39 insertions, 29 deletions
diff --git a/common/file.te b/common/file.te
index 2c62bc55..c7a36d74 100755..100644
--- a/common/file.te
+++ b/common/file.te
@@ -48,6 +48,7 @@ type sysfs_msmuart_file, sysfs_type, fs_type;
# Storage RFS file types
type rfs_data_file, file_type;
type rfs_system_file, file_type;
+type rfs_shared_hlos_file, file_type;
#mm-pp-daemon file type for sysfs access
type sysfs_leds, fs_type, sysfs_type;
diff --git a/common/file_contexts b/common/file_contexts
index ac3b7303..8e558276 100755..100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -122,6 +122,7 @@
/system/bin/time_daemon u:object_r:time_daemon_exec:s0
/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
/system/bin/rfs_access u:object_r:rfs_access_exec:s0
+/system/bin/tftp_server u:object_r:rfs_access_exec:s0
/system/bin/hvdcp u:object_r:hvdcp_exec:s0
/system/bin/qseecomd u:object_r:tee_exec:s0
/system/bin/hostapd_cli u:object_r:hostapd_exec:s0
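Review bot: Labelling `/system/bin/tftp_server` as `rfs_access_exec` puts a second, network-facing binary into the rfs_access domain, so it inherits every grant in rfs_access.te. That includes the setuid/setgid/setpcap/net_raw capabilities and write access to tombstone_data_file. Whether tftp_server needs all of that is not visible in this commit; if it does not, give it its own exec type and domain (for example a new `tftp_server_exec`, name to be chosen by the maintainers) holding only the rules it requires. If sharing the domain is intentional, add a `#` comment above the entry saying so, so later additions to rfs_access.te are reviewed with both binaries in mind.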
@@ -204,6 +205,7 @@
/data/diag_log(/.*)? u:object_r:diag_data_file:s0
/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
/data/rfs.* u:object_r:rfs_data_file:s0
+/data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0
/data/camera(/.*)? u:object_r:camera_socket:s0
/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
/data/time/* u:object_r:time_data_file:s0
diff --git a/common/rfs_access.te b/common/rfs_access.te
index ec946c27..e4dc3a55 100644
--- a/common/rfs_access.te
+++ b/common/rfs_access.te
@@ -5,39 +5,44 @@ init_daemon_domain(rfs_access)
#The files created by rfs_access process in the /data folder will have type rfs_data_file
type_transition rfs_access system_data_file:{ dir file } rfs_data_file;
+type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";
#To read the uio char device
-allow rfs_access uio_device:chr_file { read write open };
+allow rfs_access uio_device:chr_file rw_file_perms;
-#For QMI sockets
-allow rfs_access self:socket { create_socket_perms };
+#For QMI sockets and IPCR Sockets
+allow rfs_access self:socket create_socket_perms;
+allow rfs_access smem_log_device:chr_file rw_file_perms;
#For Wakelocks
allow rfs_access self:capability2 block_suspend;
-allow rfs_access sysfs_wake_lock:file { open write append };
+allow rfs_access sysfs_wake_lock:file w_file_perms;
-#To create the /data/rfs
-allow rfs_access system_data_file:dir { write add_name };
+#To create the folders in /data
+allow rfs_access system_data_file:dir create_dir_perms;
#For system folder entries
-allow rfs_access rfs_system_file:dir search;
-allow rfs_access rfs_system_file:lnk_file read;
+allow rfs_access rfs_system_file:dir r_dir_perms;
+allow rfs_access rfs_system_file:lnk_file r_file_perms;
#For data folder entries
-allow rfs_access rfs_data_file:dir { write search create add_name };
-allow rfs_access rfs_data_file:file { open read write create append getattr };
+allow rfs_access rfs_data_file:dir create_dir_perms;
+allow rfs_access rfs_data_file:file create_file_perms;
+
+allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
+allow rfs_access rfs_shared_hlos_file:file create_file_perms;
#For ramdump entries in /data/tombstones.
-allow rfs_access tombstone_data_file:dir { write search create add_name };
-allow rfs_access tombstone_data_file:file { open read write create append getattr };
+allow rfs_access tombstone_data_file:dir create_dir_perms;
+allow rfs_access tombstone_data_file:file create_file_perms;
#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
-allow rfs_access firmware_file:dir { search };
-allow rfs_access firmware_file:file { open read getattr };
+allow rfs_access firmware_file:dir r_dir_perms;
+allow rfs_access firmware_file:file r_file_perms;
-#Prevent other domains from accessing RFS data files.
-neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name };
-neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr };
+#For dropping permisions from root and wakelock
+allow rfs_access self:capability { setuid setgid setpcap net_raw };
-allow rfs_access self:capability { setuid setpcap net_raw };
-allow rfs_access smem_log_device:chr_file rw_file_perms;
+#Prevent other domains from accessing RFS data files.
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms;
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms;
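Review bot: `allow rfs_access system_data_file:dir create_dir_perms;` grants much more than creating the daemon's own folders requires: the macro adds remove_name, rmdir, rename, reparent and setattr on every generically labelled directory under /data, where the old rule had only write and add_name. Because the two type_transition rules relabel whatever rfs_access creates, the create right belongs on rfs_data_file and rfs_shared_hlos_file (both granted further down), and the parent rule can stay at something like `allow rfs_access system_data_file:dir { search write add_name };`. The same macro swap on tombstone_data_file now lets the domain unlink and rename existing tombstones, which weakens them as crash evidence; if only ramdump creation is intended, keep an explicit permission set without unlink and rename. The new rfs_shared_hlos_file type has no neverallow counterpart to the rfs_data_file rules at the end of the file, so a comment naming the domains expected to share it would make the intent reviewable.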
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
index 04a96ef1..19aea1d0 100644
--- a/common/rmt_storage.te
+++ b/common/rmt_storage.te
@@ -3,14 +3,16 @@ type rmt_storage, domain;
type rmt_storage_exec, exec_type, file_type;
init_daemon_domain(rmt_storage)
-allow rmt_storage modem_efs_partition_device:blk_file { read write open };
-allow rmt_storage block_device:dir search;
-allow rmt_storage cgroup:dir { create add_name };
-allow rmt_storage smem_log_device:chr_file { read write ioctl open };
-allow rmt_storage self:capability { setuid setgid sys_admin dac_override };
+allow rmt_storage modem_efs_partition_device:blk_file rw_file_perms;
+allow rmt_storage block_device:dir r_dir_perms;
+allow rmt_storage cgroup:dir create_dir_perms;
+allow rmt_storage smem_log_device:chr_file rw_file_perms;
+
+# sys_admin is needed for ioprio_set
+allow rmt_storage self:capability { setuid setgid sys_admin dac_override net_raw setpcap };
+
allow rmt_storage self:capability2 block_suspend;
-allow rmt_storage self:socket { create_socket_perms };
-allow rmt_storage sysfs_wake_lock:file { open write append };
-allow rmt_storage uio_device:chr_file { read write open };
-allow rmt_storage mmc_block_device:blk_file r_file_perms;
-allow rmt_storage self:capability { net_raw setpcap };
+allow rmt_storage self:socket create_socket_perms;
+allow rmt_storage sysfs_wake_lock:file w_file_perms;
+allow rmt_storage uio_device:chr_file rw_file_perms;
+allow rmt_storage mmc_block_device:blk_file r_file_perms; \ No newline at end of file
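Review bot: The macro substitutions in this hunk widen three rules rather than just restyling them. `block_device:dir r_dir_perms` adds read (listing the block-device directory) where `search` was enough, `cgroup:dir create_dir_perms` adds rmdir, rename, remove_name and setattr over the old `{ create add_name }`, and `modem_efs_partition_device:blk_file rw_file_perms` adds ioctl on a raw partition. Unless an observed denial shows these are needed, keep `allow rmt_storage block_device:dir search;` and the explicit cgroup set. The merged capability line documents only sys_admin; a comment such as `# dac_override: <reason>; net_raw/setpcap: <reason>` (reasons to be filled in by the author) would make the remaining grants auditable.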