sepolicy update

2016-11-30 18:20:35 +03:00 · 2016-11-30 18:20:35 +03:00 · e39b6954cb
commit e39b6954cb
parent ba81564646
27 changed files with 124 additions and 89 deletions
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@ -23,7 +23,9 @@
 # inherit from common msm8974
 -include device/samsung/msm8974-common/BoardConfigCommon.mk

-TARGET_SPECIFIC_HEADER_PATH := device/samsung/viennalte/include
+LOCAL_PATH := device/samsung/viennalte
+
+TARGET_SPECIFIC_HEADER_PATH := $(LOCAL_PATH)/include

 TARGET_OTA_ASSERT_DEVICE := viennalte,viennaltexx

@ -37,11 +39,11 @@ TARGET_BOOTLOADER_BOARD_NAME := MSM8974

 # Kernel
 BOARD_KERNEL_BASE := 0x00000000
-BOARD_KERNEL_CMDLINE := console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3 androidboot.selinux=permissive
+BOARD_KERNEL_CMDLINE := console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3
 BOARD_KERNEL_PAGESIZE := 2048
 BOARD_KERNEL_SEPARATED_DT := true
 BOARD_MKBOOTIMG_ARGS := --ramdisk_offset 0x02000000 --tags_offset 0x01E00000
-BOARD_CUSTOM_BOOTIMG_MK := device/samsung/viennalte/mkbootimg.mk
+BOARD_CUSTOM_BOOTIMG_MK := $(LOCAL_PATH)/mkbootimg.mk
 TARGET_KERNEL_SOURCE := kernel/samsung/viennalte
 TARGET_KERNEL_CONFIG := msm8974_sec_defconfig
 TARGET_KERNEL_VARIANT_CONFIG := msm8974_sec_viennalteeur_cm_defconfig
@ -51,8 +53,8 @@ BOARD_HAVE_NEW_QCOM_CSDCLIENT := true
 USE_CUSTOM_AUDIO_POLICY := 1

 # Bluetooth
-BOARD_BLUETOOTH_BDROID_BUILDCFG_INCLUDE_DIR := device/samsung/viennalte/bluetooth
-BOARD_CUSTOM_BT_CONFIG := device/samsung/viennalte/bluetooth/vnd_viennalte.txt
+BOARD_BLUETOOTH_BDROID_BUILDCFG_INCLUDE_DIR := $(LOCAL_PATH)/bluetooth
+BOARD_CUSTOM_BT_CONFIG := $(LOCAL_PATH)/bluetooth/vnd_viennalte.txt
 BOARD_BLUETOOTH_USES_HCIATTACH_PROPERTY := false
 BOARD_HAVE_BLUETOOTH_BCM := true

@ -65,9 +67,10 @@ USE_DEVICE_SPECIFIC_CAMERA := true
 BOARD_CHARGER_SHOW_PERCENTAGE := true

 # Hardware
-BOARD_HARDWARE_CLASS += device/samsung/viennalte/cmhw
+BOARD_HARDWARE_CLASS += $(LOCAL_PATH)/cmhw

 # Display
+TARGET_BOOTANIMATION_MULTITHREAD_DECODE := true
 SF_VSYNC_EVENT_PHASE_OFFSET_NS := 5000000
 VSYNC_EVENT_PHASE_OFFSET_NS := 7500000

@ -77,9 +80,6 @@ TARGET_NEEDS_PLATFORM_TEXT_RELOCATIONS := true
 # Lights
 TARGET_PROVIDES_LIBLIGHT := true

-# ANT+
-BOARD_ANT_WIRELESS_DEVICE := "vfs-prerelease"
-
 # Partitions
 BOARD_BOOTIMAGE_PARTITION_SIZE := 10485760
 BOARD_RECOVERYIMAGE_PARTITION_SIZE := 13631488
@ -94,27 +94,23 @@ TARGET_USERIMAGES_USE_F2FS := true

 # PowerHAL
 TARGET_POWERHAL_VARIANT := qcom
-TARGET_POWERHAL_SET_INTERACTIVE_EXT := device/samsung/viennalte/power/power_ext.c
+TARGET_POWERHAL_SET_INTERACTIVE_EXT := $(LOCAL_PATH)/power/power_ext.c

 # RIL
 BOARD_RIL_CLASS := ../../../device/samsung/viennalte/ril

 # Recovery
-# COMMON_GLOBAL_CFLAGS += -DNO_SECURE_DISCARD
 BOARD_HAS_LARGE_FILESYSTEM := true
 BOARD_HAS_NO_MISC_PARTITION := true
 BOARD_HAS_NO_SELECT_BUTTON := true
 BOARD_RECOVERY_SWIPE := true
 BOARD_USE_CUSTOM_RECOVERY_FONT := \"roboto_23x41.h\"
 BOARD_USES_MMCUTILS := true
-TARGET_RECOVERY_FSTAB := device/samsung/viennalte/rootdir/etc/fstab.qcom
+TARGET_RECOVERY_FSTAB := $(LOCAL_PATH)/rootdir/etc/fstab.qcom

 # SELinux
 include device/qcom/sepolicy/sepolicy.mk
-BOARD_SEPOLICY_DIRS += device/samsung/viennalte/sepolicy
-
-# Sensors
-TARGET_NO_SENSOR_PERMISSION_CHECK := true
+BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/sepolicy

 # WiFi
 BOARD_HAVE_SAMSUNG_WIFI := true
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@ -0,0 +1,2 @@
+allow bluetooth bluetooth_device:chr_file { open write };
+allow bluetooth proc_bluetooth_writable:dir search;
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@ -0,0 +1,7 @@
+allow cameraserver camera_socket:sock_file write;
+allow cameraserver init:unix_stream_socket connectto;
+allow cameraserver property_socket:sock_file write;
+allow cameraserver system_data_file:sock_file write;
+allow cameraserver system_file:file execmod;
+allow cameraserver system_prop:property_service set;
+allow cameraserver tmpfs:dir search;
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@ -0,0 +1 @@
+type bluetooth_device, dev_type;
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@ -1,2 +1,7 @@
 type sysfs_camera, fs_type, sysfs_type;
-type sysfs_input_file, fs_type, sysfs_type;
+type sysfs_display, fs_type, sysfs_type;
+type sysfs_vibeamp, fs_type, sysfs_type;
+type sysfs_rmnet, fs_type, sysfs_type;
+type sysfs_sec, fs_type, sysfs_type;
+type wifi_efs_file, file_type;
+type sensors_efs_file, file_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -1,6 +1,41 @@
-/firmware/(.*)                    u:object_r:firmware_file:s0
-/firmware-modem/(.*)              u:object_r:firmware_file:s0
+# Bluetooth
+/dev/btlock                                             u:object_r:bluetooth_device:s0
+/efs/bluetooth(/.*)?                                    u:object_r:bluetooth_efs_file:s0

-/sys/devices/virtual/sec/sec_touchkey/tsp_keys_enabled u:object_r:sysfs_input_file:s0
+# Camera
+/data/cam_socket.*                                      u:object_r:camera_socket:s0
+/sys/devices/virtual/camera(/.*)?                       u:object_r:sysfs_camera:s0

-/system/bin/thermal-engine             u:object_r:thermal-engine_exec:s0
+# CMHW
+/sys/devices/virtual/timed_output/vibrator(/.*)?        u:object_r:sysfs_vibeamp:s0
+/sys/class/sec/sec_touchkey/keypad_enable               u:object_r:sysfs_display:s0
+
+# Domain
+/system/bin/macloader                                   u:object_r:macloader_exec:s0
+
+# Display
+/sys/devices/virtual/lcd/panel/power_reduce             u:object_r:sysfs_display:s0
+
+# RIL
+/efs/FactoryApp(/.*)?                                   u:object_r:efs_file:s0
+/efs/imei                                               u:object_r:efs_file:s0
+/efs/mps_code.dat                                       u:object_r:efs_file:s0
+
+# RMNET
+/sys/class/android_usb/f_rmnet_smd_sdio/transport  --  u:object_r:sysfs_rmnet:s0
+/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport  --  u:object_r:sysfs_rmnet:s0
+
+# SEC
+/sys/devices/virtual/sec/sec_key/hall_irq_ctrl          u:object_r:sysfs_sec:s0
+
+# Sensors
+/dev/batch_io                                           u:object_r:sensors_device:s0
+/dev/shtc1_sensor                                       u:object_r:sensors_device:s0
+/efs/FactoryApp/baro_delta                              u:object_r:sensors_efs_file:s0
+/efs/prox_cal                                           u:object_r:sensors_efs_file:s0
+
+# Thermal
+/system/bin/thermal-engine                              u:object_r:thermal-engine_exec:s0
+
+# WiFi
+/efs/wifi/.mac.info                                     u:object_r:wifi_efs_file:s0
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@ -0,0 +1,2 @@
+genfscon proc /bluetooth/sleep/lpm     u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@ -1,2 +0,0 @@
-allow init firmware_file:dir search;
-allow init self:socket read;
--- a/sepolicy/keystore.te
+++ b/sepolicy/keystore.te
@ -1,2 +0,0 @@
-allow keystore firmware_file:dir search;
-allow keystore firmware_file:file { read getattr open };
--- a/sepolicy/macloader.te
+++ b/sepolicy/macloader.te
@ -0,0 +1,11 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader)
+
+type_transition macloader system_data_file:file wifi_data_file;
+
+allow macloader efs_file:dir search;
+allow macloader wifi_efs_file:dir search;
+
+allow macloader wifi_efs_file:file { read open getattr };
+allow macloader system_data_file:dir { add_name search write };
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@ -1,11 +1,6 @@
+allow mediaserver persist_drm_file:dir search;
+allow mediaserver persist_drm_file:file rw_file_perms;
 allow mediaserver sysfs_camera:dir search;
 allow mediaserver sysfs_camera:file { getattr open read };
-allow mediaserver firmware_file:dir r_dir_perms;
-allow mediaserver firmware_file:file r_file_perms;
-# allow mediaserver shell_data_file:dir search;
-allow mediaserver socket_device:sock_file write;
-allow mediaserver system_data_file:sock_file write;
-allow mediaserver system_prop:property_service set;
-allow mediaserver thermal-engine:unix_stream_socket connectto;
-# This sucks but needed for libmmjpeg
-# allow mediaserver system_file:file execmod;
+allow mediaserver system_data_file:sock_file { write };
+allow mediaserver system_file:file execmod; # for libmmjpeg
--- a/sepolicy/mm-pp-daemon.te
+++ b/sepolicy/mm-pp-daemon.te
@ -1,2 +0,0 @@
-allow mm-pp-daemon init:unix_stream_socket { read write accept listen };
-allow mm-pp-daemon pps_socket:sock_file write;
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@ -1,18 +1,6 @@
-binder_use(mm-qcamerad);
-binder_call(mm-qcamerad, servicemanager);
-binder_call(mm-qcamerad, system_server);
-allow mm-qcamerad mpdecision:unix_stream_socket connectto;
-allow mm-qcamerad camera_socket:sock_file { create unlink };
-allow mm-qcamerad system_data_file:sock_file unlink;
-allow mm-qcamerad socket_device:sock_file write;
-# allow mm-qcamerad system_file:file execmod;
-allow mm-qcamerad system_data_file:dir { add_name remove_name write };
-allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
-
 allow mm-qcamerad sysfs_camera:dir search;
 allow mm-qcamerad sysfs_camera:file { getattr open read write };
-
-type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
-
-# This sucks but needed for libmmjpeg
-# allow mm-qcamerad system_file:file execmod;
+allow mm-qcamerad system_data_file:dir { add_name remove_name write };
+allow mm-qcamerad system_data_file:sock_file { create unlink };
+allow mm-qcamerad system_data_file:sock_file unlink;
+allow mm-qcamerad system_file:file execmod;
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@ -1,7 +0,0 @@
-type_transition mpdecision system_data_file:file mpctl_data_file;
-
-allow mpdecision socket_device:dir w_dir_perms;
-allow mpdecision socket_device:sock_file create_file_perms;
-
-# Needed to create /data/system/default_values
-allow mpdecision system_data_file:dir w_dir_perms;
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@ -0,0 +1,7 @@
+allow platform_app fuseblk:dir read;
+allow platform_app fuseblk:dir { open write };
+allow platform_app fuseblk:dir { search };
+allow platform_app fuseblk:file { read write };
+allow platform_app fuseblk:file { open };
+allow platform_app fuseblk:file { getattr };
+
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@ -1,2 +0,0 @@
-allow qti_init_shell efs_file:dir r_dir_perms;
-allow qti_init_shell efs_file:file r_file_perms;
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@ -1,3 +1,3 @@
-allow rild proc_net:file write;
-allow rild proc_net:file rw_file_perms;
-allow rild self:capability dac_override;
+allow rild proc_net:file { getattr open read write };
+allow rild sysfs_sec:file { getattr open read write };
+allow rild self:capability { dac_override dac_read_search };
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@ -1 +1 @@
-allow rmt_storage ssd_device:blk_file { read write open };
+allow rmt_storage ssd_device:blk_file { open read write };
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -1 +1 @@
-allow system_app shell_data_file:dir search;
+allow system_app sysfs_display:file { getattr open read write };
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -1,2 +1,9 @@
+allow system_server sysfs_vibeamp:dir search;
+allow system_server sysfs_vibeamp:file { getattr open read write };
+allow system_server time_daemon:unix_stream_socket connectto;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file { open read write };
 allow system_server efs_file:dir search;
-allow system_server sysfs_input_file:file rw_file_perms;
+allow system_server sensors_efs_file:file { open read };
+allow system_server efs_file:file { read };
+allow system_server wifi_efs_file:file { read write };
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@ -1,5 +0,0 @@
-allow tee efs_file:dir r_dir_perms;
-allow tee efs_file:file r_file_perms;
-allow tee system_prop:property_service set;
-allow tee init:unix_stream_socket connectto;
-allow tee property_socket:sock_file write;
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@ -1,7 +0,0 @@
-allow thermal-engine self:capability net_admin;
-allow thermal-engine self:netlink_kobject_uevent_socket { read bind create setopt };
-allow thermal-engine self:socket write;
-allow thermal-engine socket_device:dir { write add_name };
-allow thermal-engine socket_device:sock_file { create setattr };
-allow thermal-engine sysfs_devices_system_cpu:file write;
-allow thermal-engine sysfs:file write;
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@ -1 +1,2 @@
-allow time_daemon system_data_file:file open;
+allow time_daemon time_data_file:file { getattr append unlink };
+allow time_daemon time_data_file:dir { remove_name };
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@ -1,3 +1,2 @@
-allow ueventd firmware_file:dir search;
-allow ueventd firmware_file:file { read getattr open };
-allow ueventd sysfs_camera:file rw_file_perms;
+allow ueventd sysfs_vibeamp:file rw_file_perms;
+allow ueventd sysfs_camera:file rw_file_perms;
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@ -0,0 +1,12 @@
+allow untrusted_app fuseblk:dir read;
+allow untrusted_app fuseblk:dir { open write };
+allow untrusted_app fuseblk:dir { search };
+allow untrusted_app fuseblk:file { read write };
+allow untrusted_app fuseblk:file { open };
+allow untrusted_app fuseblk:file { getattr };
+
+allow untrusted_app rootfs:dir { read };
+allow untrusted_app sysfs:file { read };
+allow untrusted_app sysfs:file { open };
+
+
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@ -1,4 +0,0 @@
-allow vold vold_tmpfs:file create_file_perms;
-# Needed for keymaster firmware
-allow vold firmware_file:dir r_dir_perms;
-allow vold firmware_file:file r_file_perms;
--- a/sepolicy/wcnss-service.te
+++ b/sepolicy/wcnss-service.te
@ -1,2 +0,0 @@
-allow wcnss_service efs_file:dir search;
-allow wcnss_service efs_file:file r_file_perms;