From 93241e5253df5e58322729ceba368dba3d5b0dc7 Mon Sep 17 00:00:00 2001 From: Nikhilesh Reddy Date: Wed, 3 Dec 2014 18:44:07 -0800 Subject: sepolicy: Update the sepolicy for RFS and RMTS Update the sepolicy for RFS and RMTS to include all new permissions required and add the tftp_server to the RFS domain Change-Id: I1dc0c062ef21cf9eca1f365291ec7ff5733c7c8e --- common/file.te | 1 + common/file_contexts | 2 ++ common/rfs_access.te | 43 ++++++++++++++++++++++++------------------- common/rmt_storage.te | 22 ++++++++++++---------- 4 files changed, 39 insertions(+), 29 deletions(-) mode change 100755 => 100644 common/file.te mode change 100755 => 100644 common/file_contexts diff --git a/common/file.te b/common/file.te old mode 100755 new mode 100644 index 2c62bc55..c7a36d74 --- a/common/file.te +++ b/common/file.te @@ -48,6 +48,7 @@ type sysfs_msmuart_file, sysfs_type, fs_type; # Storage RFS file types type rfs_data_file, file_type; type rfs_system_file, file_type; +type rfs_shared_hlos_file, file_type; #mm-pp-daemon file type for sysfs access type sysfs_leds, fs_type, sysfs_type; diff --git a/common/file_contexts b/common/file_contexts old mode 100755 new mode 100644 index ac3b7303..8e558276 --- a/common/file_contexts +++ b/common/file_contexts @@ -122,6 +122,7 @@ /system/bin/time_daemon u:object_r:time_daemon_exec:s0 /system/bin/rmt_storage u:object_r:rmt_storage_exec:s0 /system/bin/rfs_access u:object_r:rfs_access_exec:s0 +/system/bin/tftp_server u:object_r:rfs_access_exec:s0 /system/bin/hvdcp u:object_r:hvdcp_exec:s0 /system/bin/qseecomd u:object_r:tee_exec:s0 /system/bin/hostapd_cli u:object_r:hostapd_exec:s0 
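Review bot: The new `rfs_shared_hlos_file` type in common/file.te is declared with `file_type` only, although the file_contexts change in this same commit places it under /data. If the base policy in this tree keys allow rules or neverallows on the `data_file_type` attribute, this type will sit outside them; consider `type rfs_shared_hlos_file, file_type, data_file_type;`. The neighbouring `rfs_data_file` is declared the same way, so this may be a local convention and is worth confirming rather than assuming.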
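Review bot: Labelling `/system/bin/tftp_server` as `rfs_access_exec` puts a second binary into the `rfs_access` domain, so it inherits every rule in rfs_access.te. That includes the write access to `tombstone_data_file` and the `setuid setgid setpcap net_raw` capabilities granted later in this commit. Nothing visible in the diff shows that tftp_server needs all of these. A dedicated `tftp_server_exec` type with its own domain and only the rules it uses would keep the two daemons separable. At minimum the entry deserves a comment explaining the shared label, e.g. `# tftp_server intentionally runs in the rfs_access domain`.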
@@ -204,6 +205,7 @@ /data/diag_log(/.*)? u:object_r:diag_data_file:s0 /data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/rfs.* u:object_r:rfs_data_file:s0 +/data/hlos_rfs(/.*)? u:object_r:rfs_shared_hlos_file:s0 /data/camera(/.*)? u:object_r:camera_socket:s0 /data/system/sensors(/.*)? u:object_r:sensors_data_file:s0 /data/time/* u:object_r:time_data_file:s0 diff --git a/common/rfs_access.te b/common/rfs_access.te index ec946c27..e4dc3a55 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te 
@@ -5,39 +5,44 @@ init_daemon_domain(rfs_access) #The files created by rfs_access process in the /data folder will have type rfs_data_file type_transition rfs_access system_data_file:{ dir file } rfs_data_file; +type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs"; #To read the uio char device -allow rfs_access uio_device:chr_file { read write open }; +allow rfs_access uio_device:chr_file rw_file_perms; -#For QMI sockets -allow rfs_access self:socket { create_socket_perms }; +#For QMI sockets and IPCR Sockets +allow rfs_access self:socket create_socket_perms; +allow rfs_access smem_log_device:chr_file rw_file_perms; #For Wakelocks allow rfs_access self:capability2 block_suspend; -allow rfs_access sysfs_wake_lock:file { open write append }; +allow rfs_access sysfs_wake_lock:file w_file_perms; -#To create the /data/rfs -allow rfs_access system_data_file:dir { write add_name }; +#To create the folders in /data +allow rfs_access system_data_file:dir create_dir_perms; #For system folder entries -allow rfs_access rfs_system_file:dir search; -allow rfs_access rfs_system_file:lnk_file read; +allow rfs_access rfs_system_file:dir r_dir_perms; +allow rfs_access rfs_system_file:lnk_file r_file_perms; #For data folder entries -allow rfs_access rfs_data_file:dir { write search create add_name }; -allow rfs_access rfs_data_file:file { open read write create append getattr }; +allow rfs_access rfs_data_file:dir create_dir_perms; +allow rfs_access rfs_data_file:file create_file_perms; + +allow rfs_access rfs_shared_hlos_file:dir create_dir_perms; +allow rfs_access rfs_shared_hlos_file:file create_file_perms; #For ramdump entries in /data/tombstones. 
-allow rfs_access tombstone_data_file:dir { write search create add_name }; -allow rfs_access tombstone_data_file:file { open read write create append getattr }; +allow rfs_access tombstone_data_file:dir create_dir_perms; +allow rfs_access tombstone_data_file:file create_file_perms; #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes). -allow rfs_access firmware_file:dir { search }; -allow rfs_access firmware_file:file { open read getattr }; +allow rfs_access firmware_file:dir r_dir_perms; +allow rfs_access firmware_file:file r_file_perms; -#Prevent other domains from accessing RFS data files. -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name }; -neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr }; +#For dropping permisions from root and wakelock +allow rfs_access self:capability { setuid setgid setpcap net_raw }; -allow rfs_access self:capability { setuid setpcap net_raw }; -allow rfs_access smem_log_device:chr_file rw_file_perms; +#Prevent other domains from accessing RFS data files. +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms; +neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms; diff --git a/common/rmt_storage.te b/common/rmt_storage.te index 04a96ef1..19aea1d0 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te 
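Review bot: Swapping the explicit permission sets for `create_dir_perms` / `create_file_perms` widens several grants, most notably on `system_data_file:dir` and `tombstone_data_file`. In the stock AOSP macro definitions these sets include removal and rename permissions (`unlink`, `rename`, `rmdir`, `remove_name`, `setattr`), so the domain could delete or rename crash dumps and entries directly under /data, where the old rules only let it add them. Because the `type_transition` lines give new directories their own types, the parent rule can likely stay narrow, e.g. `allow rfs_access system_data_file:dir { search write add_name };`, and the tombstone rules can keep their previous explicit sets. The commit also adds no `neverallow` for `rfs_shared_hlos_file`; if other domains are meant to share it, a comment naming them would make that intent reviewable.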
@@ -3,14 +3,16 @@ type rmt_storage, domain; type rmt_storage_exec, exec_type, file_type; init_daemon_domain(rmt_storage) -allow rmt_storage modem_efs_partition_device:blk_file { read write open }; -allow rmt_storage block_device:dir search; -allow rmt_storage cgroup:dir { create add_name }; -allow rmt_storage smem_log_device:chr_file { read write ioctl open }; -allow rmt_storage self:capability { setuid setgid sys_admin dac_override }; +allow rmt_storage modem_efs_partition_device:blk_file rw_file_perms; +allow rmt_storage block_device:dir r_dir_perms; +allow rmt_storage cgroup:dir create_dir_perms; +allow rmt_storage smem_log_device:chr_file rw_file_perms; + +# sys_admin is needed for ioprio_set +allow rmt_storage self:capability { setuid setgid sys_admin dac_override net_raw setpcap }; + allow rmt_storage self:capability2 block_suspend; -allow rmt_storage self:socket { create_socket_perms }; -allow rmt_storage sysfs_wake_lock:file { open write append }; -allow rmt_storage uio_device:chr_file { read write open }; -allow rmt_storage mmc_block_device:blk_file r_file_perms; -allow rmt_storage self:capability { net_raw setpcap }; +allow rmt_storage self:socket create_socket_perms; +allow rmt_storage sysfs_wake_lock:file w_file_perms; +allow rmt_storage uio_device:chr_file rw_file_perms; +allow rmt_storage mmc_block_device:blk_file r_file_perms; \ No newline at end of file -- cgit v1.2.3
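Review bot: The merged `self:capability` rule documents only `sys_admin`; `dac_override` and `net_raw` are just as broad and carry no justification in the file. `dac_override` lets the daemon bypass file mode checks, which usually points to an ownership or mode problem on one specific path that is better fixed there than granted domain-wide. I would add a comment per capability, e.g. `# dac_override: <path that requires it>` and `# net_raw: <socket type that requires it>`, or drop the ones that turn out to be unnecessary. Separately, `cgroup:dir create_dir_perms` replaces `{ create add_name }` and, with the stock AOSP macro, adds `rmdir`/`rename`/`remove_name`; keeping the explicit set would preserve the earlier scope.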