Commits

Robert Craig committed f1f49ae

Update selinux policy.

Various policy changes and updates concerning
sysfs and proc access, new device node domains,
and updated btmacreader and sensors-config
policy.

Change-Id: I6e4c20a3f2c669427b6d60d8ac1c07dadddf1e1a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Comments (0)

Files changed (12)

 
 BOARD_SEPOLICY_UNION := \
         file_contexts \
+        genfs_contexts \
+        app.te \
         btmacreader.te \
         device.te \
         drmserver.te \
         sensors_config.te \
         shell.te \
         surfaceflinger.te \
-        system.te
+        system.te \
+        zygote.te
     write /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor interactive
     write /sys/devices/system/cpu/cpu2/cpufreq/scaling_governor interactive
     write /sys/devices/system/cpu/cpu3/cpufreq/scaling_governor interactive
-    restorecon /sys/devices/system/cpu
+    restorecon /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/boost
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/boost_factor
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/go_maxspeed_load
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/input_boost
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/max_boost
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/sustain_load
+    restorecon /sys/devices/system/cpu/cpufreq/interactive/timer_rate
+    restorecon /sys/devices/tegradc.0/smartdimmer/aggressiveness
+    restorecon /sys/devices/tegradc.0/smartdimmer/enable
 
 on fs
     setprop ro.crypto.umount_sd false
     mount_all /fstab.grouper
+    restorecon /dev/block/platform/sdhci-tegra.3/by-name/PER
 
 on post-fs-data
     mkdir /data/misc/wifi 0770 wifi wifi
     chmod 0660 /sys/class/rfkill/rfkill0/type
     chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
     chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
+    restorecon /sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/state
+    restorecon /sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/type
 
     # bluetooth MAC address programming
     chown bluetooth net_bt_stack ro.bt.bdaddr_path
+allow appdomain sysfs_devices_system_cpu:dir r_dir_perms;

sepolicy/btmacreader.te

 allow btmacreader self:capability dac_override;
 allow btmacreader mac_data_file:dir { mounton rmdir };
 allow btmacreader shell_exec:file rx_file_perms;
+file_type_auto_trans(btmacreader, system_data_file, mac_data_file)
+
+# Execute toolbox commands
+allow btmacreader system_file:file execute_no_trans;
+
+# Read from per device partition
+allow btmacreader sensors_block_device:lnk_file read;
+allow btmacreader sdcard_external:filesystem { mount unmount };
+allow btmacreader tty_device:chr_file rw_file_perms;
+allow btmacreader self:capability sys_admin;
+allow btmacreader bluetooth_data_file:dir search;

sepolicy/device.te

 type knv_device, dev_type;
+type elan_ip_device, dev_type;
+type sensors_block_device, dev_type;
 type sysfs_firmware_writable, fs_type, sysfs_type;
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
+type sysfs_devices_tegradc, fs_type, sysfs_type;

sepolicy/file_contexts

+/dev/block/platform/sdhci-tegra.3/by-name/PER     u:object_r:sensors_block_device:s0
+/dev/elan-iap                     u:object_r:elan_ip_device:s0
 /dev/knvmap                       u:object_r:knv_device:s0
+/dev/lightsensor                  u:object_r:sensors_device:s0
 /dev/mi1040                       u:object_r:camera_device:s0
 /dev/ttyHS1                       u:object_r:gps_device:s0
 /dev/ttyHS2                       u:object_r:hci_attach_dev:s0
 
 /sys/bus/i2c/drivers/elan-ktf3k/1-0010/update_fw  --  u:object_r:sysfs_firmware_writable:s0
 /sys/devices/system/cpu(/.*)?                     u:object_r:sysfs_devices_system_cpu:s0
+/sys/devices/tegradc\.0(/.*)?                u:object_r:sysfs_devices_tegradc:s0
+/sys/devices/tegradc\.1(/.*)?                u:object_r:sysfs_devices_tegradc:s0
+/sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/state   --  u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/type    --  u:object_r:sysfs_bluetooth_writable:s0

sepolicy/genfs_contexts

+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0

sepolicy/sensors_config.te

 allow sensors_config sensors_data_file:dir { create_dir_perms mounton };
 allow sensors_config sensors_data_file:file create_file_perms;
 allow sensors_config shell_exec:file rx_file_perms;
+file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
+
+# Execute toolbox commands
+allow sensors_config system_file:file execute_no_trans;
+
+# Read from per device partition
+allow sensors_config sensors_block_device:lnk_file read;
+allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config sdcard_external:file r_file_perms;
+allow sensors_config tty_device:chr_file rw_file_perms;
+allow sensors_config self:capability sys_admin;

sepolicy/surfaceflinger.te

 allow surfaceflinger knv_device:chr_file rw_file_perms;
-allow surfaceflinger sysfs_devices_system_cpu:file w_file_perms;
+allow surfaceflinger { sysfs_devices_system_cpu sysfs_devices_tegradc }:file w_file_perms;
+allow surfaceflinger sysfs_devices_system_cpu:dir w_dir_perms;

sepolicy/system.te

 allow { system system_app }knv_device:chr_file rw_file_perms;
 allow system sysfs_devices_system_cpu:file w_file_perms;
+allow system sysfs_devices_system_cpu:dir r_dir_perms;
+allow system elan_ip_device:chr_file rw_file_perms;
+allow system usb_device:dir r_dir_perms;

sepolicy/zygote.te

+allow zygote sysfs_devices_system_cpu:dir r_dir_perms;