Robert Craig avatar Robert Craig committed 8231c3e

SELinux policy additions.

Per-device policy additions targeting the
grouper board.

Change-Id: I54981e1fccd26e233149733a3c98e8b6bd61d6ed
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>;


Files changed (10)

 
 -include vendor/asus/grouper/BoardConfigVendor.mk
 include device/asus/grouper/BoardConfigCommon.mk
+
+BOARD_SEPOLICY_DIRS := \
+        device/asus/grouper/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+        file_contexts \
+        btmacreader.te \
+        device.te \
+        drmserver.te \
+        file.te \
+        sensors_config.te \
+        shell.te \
+        surfaceflinger.te \
+        system.te
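Review bot: `BOARD_SEPOLICY_DIRS :=` and `BOARD_SEPOLICY_UNION :=` come after `include device/asus/grouper/BoardConfigCommon.mk`, so any value the included files give these variables is discarded. Those files are not visible here; if they can contribute policy, append instead with `BOARD_SEPOLICY_DIRS += \` and `BOARD_SEPOLICY_UNION += \`.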

sepolicy/btmacreader.te

+type btmacreader, domain;
+type btmacreader_exec, exec_type, file_type;
+type mac_data_file, file_type, data_file_type;
+init_daemon_domain(btmacreader)
+allow btmacreader self:capability dac_override;
+allow btmacreader mac_data_file:dir { mounton rmdir };
+allow btmacreader shell_exec:file rx_file_perms;
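Review bot: `allow btmacreader self:capability dac_override;` lets the daemon ignore ownership and mode bits on every file its domain can reach, which usually papers over wrong ownership of `/data/mac` rather than fixing it; prefer creating the directory with the right owner and dropping the capability. `mounton` on `mac_data_file:dir`, granted without any search or write permission, looks like a pasted audit denial and needs a comment saying what is mounted there, or removal. The `shell_exec:file rx_file_perms` rule runs the shell inside the btmacreader domain with no transition, so whatever script it starts inherits these permissions. The same three patterns appear in sepolicy/sensors_config.te, which additionally grants `chown fowner fsetid`.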

sepolicy/device.te

+type knv_device, dev_type;

sepolicy/drmserver.te

+allow drmserver knv_device:chr_file rw_file_perms;
+type sysfs_firmware_writable, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
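Review bot: The two `type sysfs_...` declarations shown under drmserver.te are file types unrelated to drmserver; they are consumed by shell.te, surfaceflinger.te and system.te. BOARD_SEPOLICY_UNION lists file.te, which has no section on this page, so the page may simply have lost that header. If the declarations really sit in drmserver.te, move them to file.te so type declarations stay in one place.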

sepolicy/file_contexts

+/dev/knvmap                       u:object_r:knv_device:s0
+/dev/mi1040                       u:object_r:camera_device:s0
+/dev/ttyHS1                       u:object_r:gps_device:s0
+/dev/ttyHS2                       u:object_r:hci_attach_dev:s0
+
+/data/amit(/.*)?                  u:object_r:sensors_data_file:s0
+/data/calibration(/.*)?           u:object_r:sensors_data_file:s0
+/data/lightsensor(/.*)?           u:object_r:sensors_data_file:s0
+/data/mac(/.*)?                   u:object_r:mac_data_file:s0
+/data/sensors(/.*)?               u:object_r:sensors_data_file:s0
+/data/tf(/.*)?                    u:object_r:tee_data_file:s0
+
+/system/bin/brcm_patchram_plus -- u:object_r:hci_attach_exec:s0
+/system/bin/btmacreader        -- u:object_r:btmacreader_exec:s0
+/system/bin/glgps              -- u:object_r:gpsd_exec:s0
+/system/bin/sensors-config     -- u:object_r:sensors_config_exec:s0
+
+/sys/bus/i2c/drivers/elan-ktf3k/1-0010/update_fw  --  u:object_r:sysfs_firmware_writable:s0
+/sys/devices/system/cpu(/.*)?                     u:object_r:sysfs_devices_system_cpu:s0
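Review bot: `/sys/devices/system/cpu(/.*)?` puts the whole cpu subtree under one type, and surfaceflinger.te and system.te then grant `w_file_perms` on that type, so both domains can write every writable node below it. Label only the nodes those domains actually write, or add a comment such as `# TODO: narrow to the cpu nodes surfaceflinger and system need`. The two `/sys` entries presumably take effect only if something relabels those paths at boot, which this commit does not show; confirm that is in place.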

sepolicy/sensors_config.te

+##########
+# sensors_config: load calibration files.
+##########
+type sensors_config, domain;
+type sensors_config_exec, exec_type, file_type;
+type sensors_data_file, file_type, data_file_type;
+init_daemon_domain(sensors_config)
+allow sensors_config self:capability { dac_override chown fowner fsetid };
+allow sensors_config sensors_data_file:dir { create_dir_perms mounton };
+allow sensors_config sensors_data_file:file create_file_perms;
+allow sensors_config shell_exec:file rx_file_perms;

sepolicy/shell.te

+allow shell sysfs_firmware_writable:file w_file_perms;
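Review bot: `allow shell sysfs_firmware_writable:file w_file_perms;` gives the shell domain write access to the `elan-ktf3k` `update_fw` node labelled in file_contexts. If shell is also the domain of an interactive adb session on this build, anyone with adb access can write to that node. If the write comes from a boot-time script, give that script its own domain and grant the write there, or at least record the reason in a comment such as `# firmware update is triggered from <script placeholder>`.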

sepolicy/surfaceflinger.te

+allow surfaceflinger knv_device:chr_file rw_file_perms;
+allow surfaceflinger sysfs_devices_system_cpu:file w_file_perms;

sepolicy/system.te

+allow { system system_app }knv_device:chr_file rw_file_perms;
+allow system sysfs_devices_system_cpu:file w_file_perms;
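Review bot: `allow { system system_app }knv_device:chr_file rw_file_perms;` is missing the space after the closing brace; write `allow { system system_app } knv_device:chr_file rw_file_perms;` to match the other rules. The rule also opens the device to every app running in system_app, not only the system server, so a comment naming the app that needs it would help later audits.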