From 68b75f910580f24e8573f068c35165682d7444ab Mon Sep 17 00:00:00 2001 
From: "Kevin F. Haggerty" Date: Sat, 3 Feb 2018 15:04:39 -0700 Subject: [PATCH] msm8974-common: sepolicy: Import common sepolicy from klte-common * The bulk of the device family policy was common and applicable to all Samsung msm8974-devices. Move that common stuff here to ease maintenance. Change-Id: I86516adfb1b9c55a6959a7faf4ee424a4b3385c8 --- BoardConfigCommon.mk | 3 ++ sepolicy/common/bluetooth.te | 6 +++ sepolicy/common/cameraserver.te | 2 + sepolicy/common/device.te | 2 + sepolicy/common/file.te | 8 ++++ sepolicy/common/file_contexts | 37 +++++++++++++++++++ sepolicy/common/fsck.te | 2 + sepolicy/common/fsck_untrusted.te | 2 + sepolicy/common/genfs_contexts | 1 + sepolicy/common/hal_wifi_default.te | 5 +++ .../common/hal_wifi_supplicant_default.te | 1 + sepolicy/common/init.te | 2 + sepolicy/common/macloader.te | 12 ++++++ sepolicy/common/mediaextractor.te | 5 +++ sepolicy/common/mediaprovider.te | 2 + sepolicy/common/mediaserver.te | 4 ++ sepolicy/common/mm-qcamerad.te | 8 ++++ sepolicy/common/mpdecision.te | 2 + sepolicy/common/nfc.te | 1 + sepolicy/common/priv_app.te | 5 +++ sepolicy/common/property_contexts | 1 + sepolicy/common/rild.te | 8 ++++ sepolicy/common/system_server.te | 12 ++++++ sepolicy/common/thermal-engine.te | 3 ++ sepolicy/common/vold.te | 2 + sepolicy/sepolicy.mk | 22 +++++++++++ 26 files changed, 158 insertions(+) create mode 100644 sepolicy/common/bluetooth.te create mode 100644 sepolicy/common/cameraserver.te create mode 100644 sepolicy/common/device.te create mode 100644 sepolicy/common/file.te create mode 100644 sepolicy/common/file_contexts create mode 100644 sepolicy/common/fsck.te create mode 100644 sepolicy/common/fsck_untrusted.te create mode 100644 sepolicy/common/genfs_contexts create mode 100644 sepolicy/common/hal_wifi_default.te create mode 100644 sepolicy/common/hal_wifi_supplicant_default.te create mode 100644 sepolicy/common/init.te create mode 100644 sepolicy/common/macloader.te create mode 100644 
sepolicy/common/mediaextractor.te create mode 100644 sepolicy/common/mediaprovider.te create mode 100644 sepolicy/common/mediaserver.te create mode 100644 sepolicy/common/mm-qcamerad.te create mode 100644 sepolicy/common/mpdecision.te create mode 100644 sepolicy/common/nfc.te create mode 100644 sepolicy/common/priv_app.te create mode 100644 sepolicy/common/property_contexts create mode 100644 sepolicy/common/rild.te create mode 100644 sepolicy/common/system_server.te create mode 100644 sepolicy/common/thermal-engine.te create mode 100644 sepolicy/common/vold.te create mode 100644 sepolicy/sepolicy.mk
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 45f0255..fc747cd 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -66,6 +66,9 @@ TARGET_FS_CONFIG_GEN := device/samsung/msm8974-common/config.fs
 DEVICE_MANIFEST_FILE := device/samsung/msm8974-common/manifest.xml
 DEVICE_MATRIX_FILE := device/samsung/msm8974-common/compatibility_matrix.xml
+# SELinux
+include device/samsung/msm8974-common/sepolicy/sepolicy.mk
+
 # Init
 TARGET_INIT_VENDOR_LIB := libinit_msm8974
 TARGET_RECOVERY_DEVICE_MODULES := libinit_msm8974
diff --git a/sepolicy/common/bluetooth.te b/sepolicy/common/bluetooth.te
new file mode 100644
index 0000000..b47c96c
--- /dev/null
+++ b/sepolicy/common/bluetooth.te
@@ -0,0 +1,6 @@
+allow bluetooth bluetooth_device:chr_file rw_file_perms;
+allow bluetooth bt_fw_file:file r_file_perms;
+allow bluetooth firmware_file:dir r_dir_perms;
+allow bluetooth proc_bt_sleep:dir search;
+allow bluetooth proc_bt_sleep:file w_file_perms;
+allow bluetooth wifi_data_file:file r_file_perms;
diff --git a/sepolicy/common/cameraserver.te b/sepolicy/common/cameraserver.te
new file mode 100644
index 0000000..e3c1e8f
--- /dev/null
+++ b/sepolicy/common/cameraserver.te
@@ -0,0 +1,2 @@
+allow cameraserver camera_socket:sock_file w_file_perms;
+allow cameraserver vendor_file:file execmod;
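Review bot: `allow bluetooth wifi_data_file:file r_file_perms;` is the one rule in bluetooth.te whose purpose is not evident from the type names: per file_contexts in this patch, wifi_data_file labels /data/.cid.info and /data/.wifiver.info, and macloader.te's type_transition shows .cid.info is produced by macloader. A one-line comment above the rule saying what the Bluetooth stack reads from those files would keep the next maintainer from widening or deleting it blindly, e.g. `# reads /data/.cid.info written by macloader (TODO: state what BT derives from it)`.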
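Review bot: `allow cameraserver vendor_file:file execmod;` permits writable-then-executable mappings of every library under the vendor_file label, and the identical rule is added in mediaserver.te and mm-qcamerad.te in this same patch. execmod gives up the W^X guarantee for the whole domain and is normally tolerated only to keep one specific prebuilt blob with text relocations loading. Each of the three rules should carry a comment naming that blob so the grant can be removed once the library is fixed or shimmed, e.g. `# TODO: <vendor library> still has text relocations; drop once fixed`.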
diff --git a/sepolicy/common/device.te b/sepolicy/common/device.te
new file mode 100644
index 0000000..eef944e
--- /dev/null
+++ b/sepolicy/common/device.te
@@ -0,0 +1,2 @@
+type bluetooth_device, dev_type;
+type efs_block_device, dev_type;
diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
new file mode 100644
index 0000000..85522cd
--- /dev/null
+++ b/sepolicy/common/file.te
@@ -0,0 +1,8 @@
+type proc_bt_sleep, fs_type;
+
+type sysfs_sec, fs_type, sysfs_type;
+type sysfs_wifi_writeable, fs_type, sysfs_type;
+
+type bt_fw_file, file_type;
+type nfc_fw_file, file_type;
+type wifi_efs_file, file_type;
diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts
new file mode 100644
index 0000000..b83060e
--- /dev/null
+++ b/sepolicy/common/file_contexts
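Review bot: `type sysfs_wifi_writeable, fs_type, sysfs_type;` spells the suffix "writeable", while the core type this patch references alongside it in file_contexts is `sysfs_bluetooth_writable`. The type is introduced here and, within this patch, used only in file_contexts, hal_wifi_default.te and macloader.te, so renaming it to `sysfs_wifi_writable` now is cheap and avoids a permanent naming inconsistency; other device trees derived from klte-common may reference the old name and would need the same change.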
@@ -0,0 +1,37 @@
+# block devices
+/dev/block/platform/msm_sdcc\.1/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/msm_sdcc\.1/by-name/fota u:object_r:misc_block_device:s0
+
+# data files
+/data/.cid.info u:object_r:wifi_data_file:s0
+/data/.wifiver.info u:object_r:wifi_data_file:s0
+
+# device nodes
+/dev/batch_io u:object_r:sensors_device:s0
+/dev/bcm2079x u:object_r:nfc_device:s0
+/dev/btlock u:object_r:bluetooth_device:s0
+/dev/pn547 u:object_r:nfc_device:s0
+/dev/rfkill u:object_r:wlan_device:s0
+/dev/sec-nfc u:object_r:nfc_device:s0
+
+# efs files
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+
+# executeables
+/system/vendor/bin/macloader u:object_r:macloader_exec:s0
+
+# firmware
+/system/vendor/firmware/bcm(.*).hcd u:object_r:bt_fw_file:s0
+/system/vendor/firmware/bcm2079x(.*).ncd u:object_r:nfc_fw_file:s0
+/system/vendor/firmware/libpn547_fw.so u:object_r:nfc_fw_file:s0
+
+# sockets
+/data/cam_socket3 u:object_r:camera_socket:s0
+
+# sysfs
+/sys/devices/battery.[0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_batteryinfo:s0
+/sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi_writeable:s0
+/sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_writeable:s0
+/sys/devices/platform/bcm[0-9]+_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0
diff --git a/sepolicy/common/fsck.te b/sepolicy/common/fsck.te
new file mode 100644
index 0000000..7f7dcd7
--- /dev/null
+++ b/sepolicy/common/fsck.te
@@ -0,0 +1,2 @@
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/common/fsck_untrusted.te b/sepolicy/common/fsck_untrusted.te
new file mode 100644
index 0000000..fb4216b
--- /dev/null
+++ b/sepolicy/common/fsck_untrusted.te
@@ -0,0 +1,2 @@
+# /data/media
+allow fsck_untrusted media_rw_data_file:dir getattr;
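Review bot: The firmware entries `/system/vendor/firmware/bcm(.*).hcd`, `bcm2079x(.*).ncd` and `libpn547_fw.so` leave the `.` before the extension unescaped, so it matches any character, and the capturing group adds nothing; the block-device entries at the top of the same file escape `msm_sdcc\.1` correctly, so the file is inconsistent with itself. file_contexts patterns are anchored regexes, so the tighter forms are `/system/vendor/firmware/bcm.*\.hcd`, `/system/vendor/firmware/bcm2079x.*\.ncd` and `/system/vendor/firmware/libpn547_fw\.so`, and the sysfs entry `battery.[0-9]+` should likewise become `battery\.[0-9]+`. The section comment `# executeables` should read `# executables`.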
diff --git a/sepolicy/common/genfs_contexts b/sepolicy/common/genfs_contexts
new file mode 100644
index 0000000..f74675b
--- /dev/null
+++ b/sepolicy/common/genfs_contexts
@@ -0,0 +1 @@
+genfscon proc /bluetooth/sleep u:object_r:proc_bt_sleep:s0
diff --git a/sepolicy/common/hal_wifi_default.te b/sepolicy/common/hal_wifi_default.te
new file mode 100644
index 0000000..a581037
--- /dev/null
+++ b/sepolicy/common/hal_wifi_default.te
@@ -0,0 +1,5 @@
+r_dir_file(hal_wifi_default, wifi_efs_file)
+
+allow hal_wifi_default efs_file:dir search;
+allow hal_wifi_default sysfs_wifi_writeable:file w_file_perms;
+allow hal_wifi_default wifi_data_file:file r_file_perms;
diff --git a/sepolicy/common/hal_wifi_supplicant_default.te b/sepolicy/common/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..893ea1b
--- /dev/null
+++ b/sepolicy/common/hal_wifi_supplicant_default.te
@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default wlan_device:chr_file r_file_perms;
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
new file mode 100644
index 0000000..57cb3d5
--- /dev/null
+++ b/sepolicy/common/init.te
@@ -0,0 +1,2 @@
+# Required to load shim libraries
+allow init { domain -lmkd -crash_dump }:process noatsecure;
diff --git a/sepolicy/common/macloader.te b/sepolicy/common/macloader.te
new file mode 100644
index 0000000..52d47e1
--- /dev/null
+++ b/sepolicy/common/macloader.te
@@ -0,0 +1,12 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader)
+
+type_transition macloader system_data_file:file wifi_data_file ".cid.info";
+
+r_dir_file(macloader, wifi_efs_file)
+
+allow macloader efs_file:dir search;
+allow macloader sysfs_wifi_writeable:file w_file_perms;
+allow macloader system_data_file:dir w_dir_perms;
+allow macloader wifi_data_file:file create_file_perms;
diff --git a/sepolicy/common/mediaextractor.te b/sepolicy/common/mediaextractor.te
new file mode 100644
index 0000000..e21636d
--- /dev/null
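Review bot: `allow hal_wifi_default sysfs_wifi_writeable:file w_file_perms;` gives the Wi-Fi HAL write access to the dhd `firmware_path` and `nvram_path` module parameters that file_contexts labels with this type, i.e. the HAL decides which files the kernel driver loads as firmware, and macloader.te grants the same write in the same patch. Two domains able to steer kernel firmware loading deserve a comment on each rule describing the hand-off between them (macloader at boot and the HAL afterwards is my guess — TODO confirm against the actual sequence), so a later reviewer can judge whether both grants are still needed. Suggested comment: `# sets dhd firmware_path/nvram_path; macloader.te has the same grant, see there for the boot-time case`.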
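Review bot: `allow init { domain -lmkd -crash_dump }:process noatsecure;` turns off AT_SECURE for nearly every process init spawns, so the dynamic linker honours environment-driven library loading for all of them, not only for the services that actually need a shim. The lmkd and crash_dump exclusions read as being there to satisfy core neverallows rather than to express intent (inferred — those rules are not in this patch). Replacing `domain` with the explicit set of service domains whose executables are listed in TARGET_LD_SHIM_LIBS (not visible here) would keep the weakening scoped, and the comment `# Required to load shim libraries` should then name those services so the list can be trimmed when a shim is retired.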
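Review bot: `type_transition macloader system_data_file:file wifi_data_file ".cid.info";` covers only one of the two files that file_contexts labels wifi_data_file; `/data/.wifiver.info` has no transition, so if macloader is also what creates it (cannot tell from this patch), it would be born as system_data_file and only get the right label on a restorecon. Either add `type_transition macloader system_data_file:file wifi_data_file ".wifiver.info";` or, if another component writes that file, say so in a comment above the existing transition so nobody "fixes" it later. `allow macloader system_data_file:dir w_dir_perms;` is a write grant on the /data root and would also benefit from a comment tying it to the .cid.info creation.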
+++ b/sepolicy/common/mediaextractor.te
@@ -0,0 +1,5 @@
+allow mediaextractor exfat:file r_file_perms;
+allow mediaextractor ntfs:file r_file_perms;
+allow mediaextractor sdcard_posix:file r_file_perms;
+allow mediaextractor sdcardfs:file r_file_perms;
+allow mediaextractor vfat:file r_file_perms;
diff --git a/sepolicy/common/mediaprovider.te b/sepolicy/common/mediaprovider.te
new file mode 100644
index 0000000..65ce0b8
--- /dev/null
+++ b/sepolicy/common/mediaprovider.te
@@ -0,0 +1,2 @@
+allow mediaprovider cache_private_backup_file:dir getattr;
+allow mediaprovider cache_recovery_file:dir r_dir_perms;
diff --git a/sepolicy/common/mediaserver.te b/sepolicy/common/mediaserver.te
new file mode 100644
index 0000000..a14d0b3
--- /dev/null
+++ b/sepolicy/common/mediaserver.te
@@ -0,0 +1,4 @@
+allow mediaserver camera_socket:sock_file write;
+allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
+allow mediaserver thermal-engine:unix_stream_socket connectto;
+allow mediaserver vendor_file:file execmod;
diff --git a/sepolicy/common/mm-qcamerad.te b/sepolicy/common/mm-qcamerad.te
new file mode 100644
index 0000000..4cd95cc
--- /dev/null
+++ b/sepolicy/common/mm-qcamerad.te
@@ -0,0 +1,8 @@
+type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
+
+#allow mm-qcamerad camera_socket:sock_file create_file_perms;
+
+# Allow mm-qcamera-daemon to create the socket camera_socket
+allow mm-qcamerad system_data_file:dir w_dir_perms;
+
+allow mm-qcamerad vendor_file:file execmod;
diff --git a/sepolicy/common/mpdecision.te b/sepolicy/common/mpdecision.te
new file mode 100644
index 0000000..94d3f08
--- /dev/null
+++ b/sepolicy/common/mpdecision.te
@@ -0,0 +1,2 @@
+allow mpdecision mpctl_data_file:dir w_dir_perms;
+allow mpdecision mpctl_data_file:sock_file create_file_perms;
diff --git a/sepolicy/common/nfc.te b/sepolicy/common/nfc.te
new file mode 100644
index 0000000..477e977
--- /dev/null
+++ b/sepolicy/common/nfc.te
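Review bot: All five rules grant `r_file_perms`, which includes `open`, on the external-storage filesystem types, so mediaextractor may open media files on those filesystems by name instead of only working on descriptors handed to it by its caller. The AOSP media-stack split intends the extractor to receive fds rather than open files itself, so the denials behind these rules should be re-read: if they only show `read`/`getattr` (and `map`), then `{ getattr read map }` is sufficient and `open` should be left out. If open really is required, a comment above the block naming the caller path that opens by name would justify keeping the wider grant.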
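Review bot: `#allow mm-qcamerad camera_socket:sock_file create_file_perms;` is a commented-out rule committed into a new file with no explanation, and the comment two lines below it, `# Allow mm-qcamera-daemon to create the socket camera_socket`, sits above a rule on `system_data_file:dir`, not on camera_socket, so it describes the wrong line. The type_transition at the top only relabels a socket the daemon must already be allowed to create, so the create permission presumably comes from the qcom policy pulled in by sepolicy.mk (not verifiable here). Either delete the dead rule and state where that permission lives, or re-enable it; a replacement for the two comment lines would be `# camera_socket create perms come from <policy granting them>; the dir write below lets the daemon place cam_socket3 in /data`.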
@@ -0,0 +1 @@
+allow nfc nfc_fw_file:file rx_file_perms;
diff --git a/sepolicy/common/priv_app.te b/sepolicy/common/priv_app.te
new file mode 100644
index 0000000..fe2dc8b
--- /dev/null
+++ b/sepolicy/common/priv_app.te
@@ -0,0 +1,5 @@
+get_prop(priv_app, camera_prop)
+get_prop(priv_app, qemu_hw_mainkeys_prop)
+
+allow priv_app device:dir r_dir_perms;
+allow priv_app proc_interrupts:file r_file_perms;
diff --git a/sepolicy/common/property_contexts b/sepolicy/common/property_contexts
new file mode 100644
index 0000000..05f3ea1
--- /dev/null
+++ b/sepolicy/common/property_contexts
@@ -0,0 +1 @@
+service.camera.hdmi_preview u:object_r:camera_prop:s0
diff --git a/sepolicy/common/rild.te b/sepolicy/common/rild.te
new file mode 100644
index 0000000..6bbe2cf
--- /dev/null
+++ b/sepolicy/common/rild.te
@@ -0,0 +1,8 @@
+set_prop(rild, net_radio_prop)
+
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+allow rild radio_data_file:lnk_file read;
+
+allow rild proc_net:file w_file_perms;
+allow rild sysfs_sec:file rw_file_perms;
diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te
new file mode 100644
index 0000000..ca2a9a4
--- /dev/null
+++ b/sepolicy/common/system_server.te
@@ -0,0 +1,12 @@
+get_prop(system_server, alarm_boot_prop)
+
+allow system_server efs_file:dir search;
+allow system_server efs_file:file r_file_perms;
+allow system_server mpctl_data_file:dir search;
+allow system_server mpctl_data_file:sock_file w_file_perms;
+allow system_server mpdecision:unix_stream_socket connectto;
+allow system_server qmuxd:unix_stream_socket connectto;
+allow system_server qmuxd_socket:dir w_dir_perms;
+allow system_server qmuxd_socket:sock_file { create setattr write };
+allow system_server qti_debugfs:file r_file_perms;
+allow system_server sensors_device:chr_file r_file_perms;
diff --git a/sepolicy/common/thermal-engine.te b/sepolicy/common/thermal-engine.te
new file mode 100644
index 0000000..a68d2b0
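Review bot: `allow priv_app proc_interrupts:file r_file_perms;` and `allow priv_app device:dir r_dir_perms;` hand every privileged app two things AOSP deliberately keeps away from app domains: /proc/interrupts was split into its own type so that app domains lose access to it, and listing /dev exposes the set of device nodes present. Both rules should be scoped to the single vendor app that produced the denial, ideally by giving it its own domain; at minimum each rule needs a comment naming that app and the feature that breaks without it, e.g. `# <app> needs /proc/interrupts for <feature>; TODO move to a dedicated domain`.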
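Review bot: `allow rild proc_net:file w_file_perms;` covers the whole proc_net type, i.e. everything under /proc/net and /proc/sys/net, while rild presumably needs to set one or two specific network sysctls (which ones is not visible here). Labelling the exact node(s) with a dedicated type in genfs_contexts and allowing that type instead, or at least annotating the rule with the node it writes, keeps this from being a general network-stack write grant for the telephony daemon. `allow rild sysfs_sec:file rw_file_perms;` has the same shape: sysfs_sec labels only hall_irq_ctrl today, but nothing in its definition stops it from absorbing further sysfs nodes later.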
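Review bot: `allow system_server efs_file:dir search;` together with `allow system_server efs_file:file r_file_perms;` lets system_server read every file on /efs rather than the one subtree it needs, and this patch already demonstrates the right pattern — `bluetooth_efs_file` and `wifi_efs_file` carve out subdirectories in file.te and file_contexts — so the path system_server reads should get its own type and the two rules should target it. The qmuxd rules, `qmuxd_socket:dir w_dir_perms` and `qmuxd_socket:sock_file { create setattr write }`, also deserve a comment naming the system service that talks to qmuxd, since system_server creating sockets in another daemon's socket directory is unusual enough to be questioned by the next reader.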
--- /dev/null
+++ b/sepolicy/common/thermal-engine.te
@@ -0,0 +1,3 @@
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";
diff --git a/sepolicy/common/vold.te b/sepolicy/common/vold.te
new file mode 100644
index 0000000..5ce680c
--- /dev/null
+++ b/sepolicy/common/vold.te
@@ -0,0 +1,2 @@
+allow vold efs_file:dir rw_dir_perms;
+allow vold efs_file:file create;
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
new file mode 100644
index 0000000..e1570d3
--- /dev/null
+++ b/sepolicy/sepolicy.mk
@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2018 The LineageOS Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include device/qcom/sepolicy/sepolicy.mk
+include device/qcom/sepolicy/legacy-sepolicy.mk
+
+# Board specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+ device/samsung/msm8974-common/sepolicy/common