
Stephen Smalley  committed 3ddee01

Sync to seandroid sepolicy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Parent commits 5e749d6
  • Branches seandroid-4.3


Files changed (11)

File BoardConfig.mk

 include device/asus/grouper/BoardConfigCommon.mk
 
 TARGET_RECOVERY_FSTAB = device/asus/grouper/fstab.grouper
+

File BoardConfigCommon.mk

         file_contexts \
         genfs_contexts \
         app.te \
-        btmacreader.te \
         device.te \
         drmserver.te \
         file.te \

File init.grouper.rc

     chown bluetooth net_bt_stack /data/misc/bluetooth
 
     # sensors-config
-    mkdir /data/sensors 751 system system
-    mkdir /data/lightsensor 751 system system
+    mkdir /data/sensors 751
+    # /data/sensors was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/sensors
+    mkdir /data/lightsensor 751
+    # /data/lightsensor was owned by system/system earlier.
+    # Force it to root/root if it already exists.
+    chown root root /data/lightsensor
     mkdir /data/calibration
     mkdir /data/amit
 
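Review bot: The two added `chown root root` lines are non-recursive, so anything created inside /data/sensors and /data/lightsensor while they were system-owned keeps its old owner. The added comments should say whether that is intended or whether sensors-config re-owns the contents afterwards. If the init in this tree applies the owner arguments of `mkdir` to an already-existing directory (worth confirming), `mkdir /data/sensors 751 root root` and `mkdir /data/lightsensor 751 root root` would state the intended ownership in one line each and make the separate chown unnecessary. The `on` section these lines belong to starts outside the hunk.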

File sepolicy/app.te

 allow appdomain sysfs_devices_system_cpu:dir r_dir_perms;
-allow appdomain { nvhost_writable_device nv_device }:chr_file rw_file_perms;
+allow appdomain nvhost_writable_device:chr_file rw_file_perms;
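Review bot: The new rule on the last line still gives every app domain read/write on `nvhost_writable_device` character devices with no comment saying why. The type is declared `mlstrustedobject` in device.te, so MLS separation does not narrow it either. A comment above the rule naming the device nodes and the reason, for example `# /dev/nvhost-{ctrl,gr2d,gr3d}: <reason all apps need rw>`, would let a later audit judge whether the grant can be tightened. With `nv_device` dropped here and the /dev/nvmap entry removed from file_contexts, app access to /dev/nvmap now depends on the label and rules of the synced base policy, which this page does not show.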

File sepolicy/btmacreader.te

-type btmacreader, domain;
-type btmacreader_exec, exec_type, file_type;
-type mac_data_file, file_type, data_file_type;
-init_daemon_domain(btmacreader)
-allow btmacreader self:capability dac_override;
-allow btmacreader mac_data_file:dir { mounton rmdir };
-allow btmacreader shell_exec:file rx_file_perms;
-file_type_auto_trans(btmacreader, system_data_file, mac_data_file)
-
-# Execute toolbox commands
-allow btmacreader system_file:file execute_no_trans;
-
-# Read from per device partition
-allow btmacreader sensors_block_device:lnk_file read;
-allow btmacreader sdcard_external:filesystem { mount unmount };
-allow btmacreader tty_device:chr_file rw_file_perms;
-allow btmacreader self:capability sys_admin;
-allow btmacreader bluetooth_data_file:dir search;

File sepolicy/device.te

 type knv_device, dev_type;
-type nv_device, dev_type, mlstrustedobject;
-type nvhost_device, dev_type;
 type nvhost_writable_device, dev_type, mlstrustedobject;
+type nvhost_device, dev_type;
 type elan_ip_device, dev_type;
 type sensors_block_device, dev_type;
 type diag_device, dev_type;
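Review bot: `nvhost_device` is kept (only moved below `nvhost_writable_device`), but the one visible rule that used it, the mediaserver allow, drops it in this same commit, and none of the visible file_contexts lines assign a path to it. If no entry outside these hunks labels a node with it, the type is now unused and could be removed together with `nv_device`. Otherwise a comment such as `# nvhost nodes not writable by apps` would explain why it stays.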

File sepolicy/file_contexts

 /dev/diag                         u:object_r:diag_device:s0
 /dev/elan-iap                     u:object_r:elan_ip_device:s0
 /dev/knvmap                       u:object_r:knv_device:s0
-/dev/nvmap                        u:object_r:nv_device:s0
 /dev/lightsensor                  u:object_r:sensors_device:s0
 /dev/mi1040                       u:object_r:camera_device:s0
 /dev/ov2710                       u:object_r:camera_device:s0
 /dev/nvhost-ctrl                  u:object_r:nvhost_writable_device:s0
 /dev/nvhost-gr2d                  u:object_r:nvhost_writable_device:s0
 /dev/nvhost-gr3d                  u:object_r:nvhost_writable_device:s0
-/dev/pn544                        u:object_r:nfc_device:s0
-/dev/spdif.*                      u:object_r:audio_device:s0
-/dev/tegra.*                      u:object_r:video_device:s0
 /dev/ttyHS1                       u:object_r:gps_device:s0
 /dev/ttyHS2                       u:object_r:hci_attach_dev:s0
 
 /data/amit(/.*)?                  u:object_r:sensors_data_file:s0
 /data/calibration(/.*)?           u:object_r:sensors_data_file:s0
 /data/lightsensor(/.*)?           u:object_r:sensors_data_file:s0
-/data/mac(/.*)?                   u:object_r:mac_data_file:s0
 /data/sensors(/.*)?               u:object_r:sensors_data_file:s0
 /data/tf(/.*)?                    u:object_r:tee_data_file:s0
 
 /system/bin/brcm_patchram_plus -- u:object_r:hci_attach_exec:s0
-/system/bin/btmacreader        -- u:object_r:btmacreader_exec:s0
 /system/bin/glgps              -- u:object_r:gpsd_exec:s0
 /system/bin/sensors-config     -- u:object_r:sensors_config_exec:s0
 

File sepolicy/mediaserver.te

-allow mediaserver { nvhost_writable_device nv_device nvhost_device }:chr_file rw_file_perms;
+allow mediaserver { nvhost_writable_device }:chr_file rw_file_perms;
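Review bot: The braces around a single type on the new line are left over from the old three-type set. app.te and system_app.te in this same commit write the single-type form without them. `allow mediaserver nvhost_writable_device:chr_file rw_file_perms;` is equivalent and consistent with those files.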

File sepolicy/sensors_config.te

 type sensors_config_exec, exec_type, file_type;
 type sensors_data_file, file_type, data_file_type;
 init_daemon_domain(sensors_config)
-allow sensors_config self:capability { dac_override chown fowner fsetid };
-allow sensors_config sensors_data_file:dir { create_dir_perms mounton };
-allow sensors_config sensors_data_file:file create_file_perms;
-allow sensors_config shell_exec:file rx_file_perms;
 file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
 
 # Execute toolbox commands
+allow sensors_config shell_exec:file rx_file_perms;
 allow sensors_config system_file:file execute_no_trans;
 
-# Read from per device partition
-allow sensors_config block_device:dir search;
-allow sensors_config sensors_block_device:lnk_file read;
+# Mount /dev/block/platform/sdhci-tegra.3/by-name/PER
+allow sensors_config sensors_data_file:dir mounton;
 allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config { sdcard_external block_device }:dir search;
+
+# Read from the mounted PER partition
 allow sensors_config sdcard_external:file r_file_perms;
-allow sensors_config tty_device:chr_file rw_file_perms;
+
+# Need to chmod and chown files (/data/lightsensor, /data/sensors)
+allow sensors_config self:capability { chown fowner };
+
+# Checked as a side effect on the chmod (don't allow)
+dontaudit sensors_config self:capability { fsetid };
+
+# Needed for mount/umount
 allow sensors_config self:capability sys_admin;
+
+# Tries to delete /data/calibration (don't allow)
+dontaudit sensors_config system_data_file:dir remove_name;
+dontaudit sensors_config self:capability dac_override;
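Review bot: The three added `dontaudit` rules suppress AVC denials for the whole sensors_config domain, not only for the chmod and the /data/calibration delete that the comments name. Any other `fsetid`, `dac_override` or `system_data_file:dir remove_name` attempt from this daemon will also go unlogged. `dontaudit sensors_config self:capability dac_override;` sits under the /data/calibration comment with no reason of its own; if the delete attempt is what triggers it, a line such as `# DAC check hit by the same delete attempt (don't allow)` would make that explicit. Since the domain also holds `sys_admin`, `chown` and `fowner`, the file should state that denial logging is partly disabled for it, so that anyone triaging this daemon knows the audit log is incomplete. `{ fsetid }` can also drop its braces.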

File sepolicy/system_app.te

-allow system_app { knv_device nvhost_writable_device }:chr_file rw_file_perms;
+allow system_app knv_device:chr_file rw_file_perms;

File sepolicy/system_server.te

-allow system_server { knv_device nvhost_writable_device } :chr_file rw_file_perms;
+allow system_server { knv_device nvhost_writable_device }:chr_file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
 allow system_server sysfs_devices_system_cpu:dir r_dir_perms;
 allow system_server elan_ip_device:chr_file rw_file_perms;