
Stephen Smalley committed a7adfaf

Sync to our policy.


Files changed (16)

 include device/asus/grouper/BoardConfigCommon.mk
 
 TARGET_RECOVERY_FSTAB = device/asus/grouper/fstab.grouper
-
-BOARD_SEPOLICY_DIRS := \
-        device/asus/grouper/sepolicy
-
-BOARD_SEPOLICY_UNION := \
-        file_contexts \
-        genfs_contexts \
-        app.te \
-        btmacreader.te \
-        device.te \
-        drmserver.te \
-        init_shell.te \
-        file.te \
-        rild.te \
-        sensors_config.te \
-        shell.te \
-        surfaceflinger.te \
-        system.te \
-        zygote.te

BoardConfigCommon.mk

 BOARD_USES_GROUPER_MODULES := true
 
 TARGET_RUNNING_WITHOUT_SYNC_FRAMEWORK := true
+
+BOARD_SEPOLICY_DIRS += \
+        device/asus/grouper/sepolicy
+
+BOARD_SEPOLICY_UNION += \
+        file_contexts \
+        genfs_contexts \
+        app.te \
+        device.te \
+        drmserver.te \
+        file.te \
+        gpsd.te \
+        init_shell.te \
+        keystore.te \
+        mediaserver.te \
+        rild.te \
+        sensors_config.te \
+        surfaceflinger.te \
+        system_app.te \
+        system_server.te
-allow appdomain sysfs_devices_system_cpu:dir r_dir_perms;
+allow appdomain nvhost_writable_device:chr_file rw_file_perms;
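Review bot: The added `allow appdomain nvhost_writable_device:chr_file rw_file_perms;` gives every app domain, including the least-trusted ones, read/write and ioctl access (ioctl is part of rw_file_perms) to the nvhost control and 2D/3D channel nodes, and no comment says why. This is presumably required for GPU rendering on this device, but it makes that driver interface reachable from all apps, so the rationale belongs next to the rule, e.g. `# GPU channel nodes: needed by apps for hardware-accelerated rendering.`. These two lines are printed without a file header on this page. Judging by the `app.te` entry in BOARD_SEPOLICY_UNION, they presumably belong to sepolicy/app.te rather than BoardConfigCommon.mk.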

sepolicy/btmacreader.te

-type btmacreader, domain;
-permissive btmacreader;
-type btmacreader_exec, exec_type, file_type;
-type mac_data_file, file_type, data_file_type;
-init_daemon_domain(btmacreader)
-file_type_auto_trans(btmacreader, system_data_file, mac_data_file)
-unconfined_domain(btmacreader)

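--- a/sepolicy/device.te
+++ b/sepolicy/device.te
 type knv_device, dev_type;
+type nvhost_writable_device, dev_type, mlstrustedobject;
+type nvhost_device, dev_type;
 type elan_ip_device, dev_type;
 type sensors_block_device, dev_type;
-type sysfs_devices_tegradc, dev_type;
 type diag_device, dev_type;
 type sysfs_firmware_writable, fs_type, sysfs_type;
-
-allow sysfs_devices_tegradc sysfs:filesystem associate;
-allow sysfs_devices_system_cpu sysfs:filesystem associate;
+type sysfs_devices_tegradc, fs_type, sysfs_type;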
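Review bot: `nvhost_writable_device` is declared with `mlstrustedobject`, but nothing records why. That attribute exempts the type from the MLS write constraints, so a domain at any level may write to it once a TE rule allows it. A comment above the declaration would make the exemption reviewable, e.g. `# nvhost channel nodes are opened by apps at every MLS level, hence mlstrustedobject.` (presumably the reason; confirm). The same comment could note that the default `nvhost_device` type is granted to no domain by any rule visible on this page, which keeps the remaining nvhost nodes unreachable.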

sepolicy/file_contexts

 /dev/knvmap                       u:object_r:knv_device:s0
 /dev/lightsensor                  u:object_r:sensors_device:s0
 /dev/mi1040                       u:object_r:camera_device:s0
+/dev/ov2710                       u:object_r:camera_device:s0
+/dev/tegra_camera                 u:object_r:camera_device:s0
+/dev/camera.*                     u:object_r:camera_device:s0
+/dev/focuser.*                    u:object_r:camera_device:s0
+/dev/torch.*                      u:object_r:camera_device:s0
+/dev/video0                       u:object_r:camera_device:s0
+/dev/video1                       u:object_r:camera_device:s0
+/dev/nvhost.*                     u:object_r:nvhost_device:s0
+/dev/nvhost-ctrl                  u:object_r:nvhost_writable_device:s0
+/dev/nvhost-gr2d                  u:object_r:nvhost_writable_device:s0
+/dev/nvhost-gr3d                  u:object_r:nvhost_writable_device:s0
 /dev/ttyHS1                       u:object_r:gps_device:s0
 /dev/ttyHS2                       u:object_r:hci_attach_dev:s0
 
 /system/bin/sensors-config     -- u:object_r:sensors_config_exec:s0
 
 /sys/bus/i2c/drivers/elan-ktf3k/1-0010/update_fw  --  u:object_r:sysfs_firmware_writable:s0
-/sys/devices/system/cpu(/.*)?                     u:object_r:sysfs_devices_system_cpu:s0
 /sys/devices/tegradc\.0(/.*)?                u:object_r:sysfs_devices_tegradc:s0
 /sys/devices/tegradc\.1(/.*)?                u:object_r:sysfs_devices_tegradc:s0
 /sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/state   --  u:object_r:sysfs_bluetooth_writable:s0
+allow gpsd self:process execmem;
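Review bot: `allow gpsd self:process execmem;` here and `allow keystore self:process execmem;` in sepolicy/keystore.te let these processes make anonymous or private writable memory executable, and neither rule says which library requires it. For keystore, which handles key material, this gives up a W^X guarantee in a sensitive process. Each rule should carry a comment naming the cause and a TODO to drop it, e.g. `# TODO: execmem needed by <library>; remove once it no longer maps executable anonymous memory.`. The gpsd line is printed at the end of the file_contexts section without its own file header; it presumably belongs to sepolicy/gpsd.te.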

sepolicy/keystore.te

+allow keystore self:process execmem;

sepolicy/mediaserver.te

+allow mediaserver { nvhost_writable_device }:chr_file rw_file_perms;

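--- a/sepolicy/sensors_config.te
+++ b/sepolicy/sensors_config.te
 # sensors_config: load calibration files.
 ##########
 type sensors_config, domain;
-permissive sensors_config;
 type sensors_config_exec, exec_type, file_type;
 type sensors_data_file, file_type, data_file_type;
 init_daemon_domain(sensors_config)
 file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
-unconfined_domain(sensors_config)
+
+# Execute toolbox commands
+allow sensors_config shell_exec:file rx_file_perms;
+allow sensors_config system_file:file execute_no_trans;
+
+# Mount /dev/block/platform/sdhci-tegra.3/by-name/PER
+allow sensors_config sensors_data_file:dir mounton;
+allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config { sdcard_external block_device }:dir search;
+
+# Read from the mounted PER partition
+allow sensors_config sdcard_external:file r_file_perms;
+
+# Need to chmod and chown files (/data/lightsensor, /data/sensors)
+allow sensors_config self:capability { chown fowner };
+
+# Checked as a side effect on the chmod (don't allow)
+dontaudit sensors_config self:capability { fsetid };
+
+# Needed for mount/umount
+allow sensors_config self:capability sys_admin;
+
+# Tries to delete /data/calibration (don't allow)
+dontaudit sensors_config system_data_file:dir remove_name;
+dontaudit sensors_config self:capability dac_override;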
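Review bot: `allow sensors_config self:capability sys_admin;` is much broader than the single mount/umount its comment describes, and with `system_file:file execute_no_trans` every toolbox command run in this domain holds it too. Now that the domain is enforcing, consider having init mount the PER partition so sys_admin can be dropped here, or at least state in the comment that the capability exists only for that mount. The `sdcard_external` rules presumably rely on the PER filesystem receiving that default label. If so, `sdcard_external:file r_file_perms` also covers a real external SD card, and a dedicated type assigned at mount time would scope the read access to the partition. The last line, `dontaudit ... dac_override`, has no comment of its own; say whether it belongs to the /data/calibration deletion above it.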

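--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
-allow surfaceflinger knv_device:chr_file rw_file_perms;
+allow surfaceflinger { knv_device nvhost_writable_device }:chr_file rw_file_perms;
 allow surfaceflinger { sysfs_devices_system_cpu sysfs_devices_tegradc }:file w_file_perms;
 allow surfaceflinger sysfs_devices_system_cpu:dir w_dir_perms;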

sepolicy/system.te

-allow { system system_app }knv_device:chr_file rw_file_perms;
-allow system sysfs_devices_system_cpu:file w_file_perms;
-allow system sysfs_devices_system_cpu:dir r_dir_perms;
-allow system elan_ip_device:chr_file rw_file_perms;
-allow system diag_device:chr_file rw_file_perms;

sepolicy/system_app.te

+allow system_app knv_device:chr_file rw_file_perms;

sepolicy/system_server.te

+allow system_server { knv_device nvhost_writable_device }:chr_file rw_file_perms;
+allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server elan_ip_device:chr_file rw_file_perms;
+allow system_server diag_device:chr_file rw_file_perms;

sepolicy/zygote.te

-allow zygote sysfs_devices_system_cpu:dir r_dir_perms;