Robert Craig committed 3370c79

Improve sepolicy labeling and domain confinement.

* Move certain services out of inits domain.
inits domain is unconfined and we should
be limiting those services that need to
run in inits context. For the new domains
introduced, keep them permissive and unconfined
for now until future policy work will individually
drop these constraints.

* Add context option to fstab when mounting
the firmware partition. This will ensure
proper labeling and not use the default vfat
label of sdcard_external.

* Use concatenation versus assignment when making
policy declarations inside This
will allow sepolicy to exist in the vendor

Change-Id: I93c7413bf2a8ceb7589f059e754c4b2a787fdbaf
Signed-off-by: rpcraig <>

  • Participants
  • Parent commits ac0c39c

Comments (0)

Files changed (15)


        app.te \
        bluetooth.te \
+       bluetooth_loader.te \
+       bridge.te \
+       camera.te \
+       conn_init.te \
        device.te \
        domain.te \
        drmserver.te \
        hci_init.te \
        init_shell.te \
        keystore.te \
-       mediaserver.te \
        kickstart.te \
+       mediaserver.te \
+       mpdecision.te \
+       netmgrd.te \
        nfc.te \
+       qmux.te \
        rild.te \
+       rmt.te \
+       sensors.te \
        surfaceflinger.te \
        system_server.te \
+       thermald.te \
        ueventd.te \
 /dev/block/platform/msm_sdcc.1/by-name/cache        /cache          ext4    noatime,nosuid,nodev,barrier=1,data=ordered                     wait,check
 /dev/block/platform/msm_sdcc.1/by-name/userdata     /data           ext4    noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc     wait,check,encryptable=/dev/block/platform/msm_sdcc.1/by-name/metadata
 /dev/block/platform/msm_sdcc.1/by-name/persist      /persist        ext4    nosuid,nodev,barrier=1,data=ordered,nodelalloc                  wait
-/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337                        wait
+/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337,context=u:object_r:radio_efs_file:s0                        wait
 /dev/block/platform/msm_sdcc.1/by-name/boot         /boot           emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/recovery     /recovery       emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/misc         /misc           emmc    defaults                                                        defaults

File init.mako.rc

     class late_start
     user bluetooth
     group qcom_oncrpc bluetooth net_bt_admin system
+    seclabel u:r:bluetooth_loader:s0

File sepolicy/bluetooth_loader.te

+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+# Start bdAddrLoader from init
+permissive bluetooth_loader;

File sepolicy/bridge.te

+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+# Started by init
+permissive bridge;

File sepolicy/camera.te

+# Qualcomm MSM camera
+type camera, domain;
+type camera_exec, exec_type, file_type;
+# Started by init
+permissive camera;

File sepolicy/conn_init.te

+# wifi connection service
+type conn_init, domain;
+type conn_init_exec, exec_type, file_type;
+# Started by logwrapper in init
+domain_auto_trans(init, conn_init_exec, conn_init)
+permissive conn_init;

File sepolicy/file.te

 type qmux_radio_socket, file_type;
 type audio_firmware_file, file_type;
+# Default type for anything under /firmware
+type radio_efs_file, fs_type;

File sepolicy/file_contexts

 /data/nfc(/.*)?                    u:object_r:nfc_data_file:s0
 /system/bin/hci_qcomm_init         u:object_r:hci_exec:s0
-/system/bin/bdAddrLoader           u:object_r:hci_exec:s0
+/system/bin/bdAddrLoader           u:object_r:bluetooth_loader_exec:s0
+/system/etc/        u:object_r:bluetooth_loader_exec:s0
+/system/bin/rmt_storage            u:object_r:rmt_exec:s0
+/system/bin/bridgemgrd             u:object_r:bridge_exec:s0
+/system/bin/qmuxd                  u:object_r:qmux_exec:s0
+/system/bin/netmgrd                u:object_r:netmgrd_exec:s0
+/system/bin/thermald               u:object_r:thermald_exec:s0
+/system/bin/mpdecision             u:object_r:mpdecision_exec:s0
+/system/bin/sensors.qcom           u:object_r:sensors_exec:s0
+/system/bin/mm-qcamera-daemon      u:object_r:camera_exec:s0
+/system/bin/qseecomd               u:object_r:tee_exec:s0
+/system/bin/conn_init              u:object_r:conn_init_exec:s0

File sepolicy/mpdecision.te

+# CPU governor (root process)
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+# Started by init
+permissive mpdecision;

File sepolicy/netmgrd.te

+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+# Started by init
+permissive netmgrd;

File sepolicy/qmux.te

+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+# Started by init
+permissive qmux;

File sepolicy/rmt.te

+# remote storage process
+type rmt, domain;
+type rmt_exec, exec_type, file_type;
+# Started by init
+permissive rmt;

File sepolicy/sensors.te

+# Integrated qualcomm sensor process
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+# Started by init
+permissive sensors;

File sepolicy/thermald.te

+# Temperature sensor daemon (root process)
+type thermald, domain;
+type thermald_exec, exec_type, file_type;
+# Started by init
+permissive thermald;