Commits

Nick Kralevich  committed 6168600 Merge

Merge "Improve sepolicy labeling and domain confinement."

  • Participants
  • Parent commits ac0c39c, 3370c79

Comments (0)

Files changed (15)

File BoardConfig.mk

 
 TARGET_RELEASETOOLS_EXTENSIONS := device/lge/mako
 
-BOARD_SEPOLICY_DIRS := \
+BOARD_SEPOLICY_DIRS += \
        device/lge/mako/sepolicy
 
-BOARD_SEPOLICY_UNION := \
+BOARD_SEPOLICY_UNION += \
        app.te \
        bluetooth.te \
+       bluetooth_loader.te \
+       bridge.te \
+       camera.te \
+       conn_init.te \
        device.te \
        domain.te \
        drmserver.te \
        hci_init.te \
        init_shell.te \
        keystore.te \
-       mediaserver.te \
        kickstart.te \
+       mediaserver.te \
+       mpdecision.te \
+       netmgrd.te \
        nfc.te \
+       qmux.te \
        rild.te \
+       rmt.te \
+       sensors.te \
        surfaceflinger.te \
        system_server.te \
+       thermald.te \
        ueventd.te \
        wpa.te
 
 /dev/block/platform/msm_sdcc.1/by-name/cache        /cache          ext4    noatime,nosuid,nodev,barrier=1,data=ordered                     wait,check
 /dev/block/platform/msm_sdcc.1/by-name/userdata     /data           ext4    noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc     wait,check,encryptable=/dev/block/platform/msm_sdcc.1/by-name/metadata
 /dev/block/platform/msm_sdcc.1/by-name/persist      /persist        ext4    nosuid,nodev,barrier=1,data=ordered,nodelalloc                  wait
-/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337                        wait
+/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337,context=u:object_r:radio_efs_file:s0                        wait
 /dev/block/platform/msm_sdcc.1/by-name/boot         /boot           emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/recovery     /recovery       emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/misc         /misc           emmc    defaults                                                        defaults

File init.mako.rc

     class late_start
     user bluetooth
     group qcom_oncrpc bluetooth net_bt_admin system
+    seclabel u:r:bluetooth_loader:s0
     disabled
     oneshot
 

File sepolicy/bluetooth_loader.te

+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+permissive bluetooth_loader;
+unconfined_domain(bluetooth_loader)

File sepolicy/bridge.te

+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(bridge)
+
+permissive bridge;
+unconfined_domain(bridge)

File sepolicy/camera.te

+# Qualcomm MSM camera
+type camera, domain;
+type camera_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(camera)
+
+permissive camera;
+unconfined_domain(camera)

File sepolicy/conn_init.te

+# wifi connection service
+type conn_init, domain;
+type conn_init_exec, exec_type, file_type;
+
+# Started by logwrapper in init
+domain_auto_trans(init, conn_init_exec, conn_init)
+
+permissive conn_init;
+unconfined_domain(conn_init)

File sepolicy/file.te

 type qmux_radio_socket, file_type;
 
 type audio_firmware_file, file_type;
+
+# Default type for anything under /firmware
+type radio_efs_file, fs_type;

File sepolicy/file_contexts

 /data/nfc(/.*)?                    u:object_r:nfc_data_file:s0
 
 /system/bin/hci_qcomm_init         u:object_r:hci_exec:s0
-/system/bin/bdAddrLoader           u:object_r:hci_exec:s0
+/system/bin/bdAddrLoader           u:object_r:bluetooth_loader_exec:s0
+/system/etc/init.mako.bt.sh        u:object_r:bluetooth_loader_exec:s0
+/system/bin/rmt_storage            u:object_r:rmt_exec:s0
+/system/bin/bridgemgrd             u:object_r:bridge_exec:s0
+/system/bin/qmuxd                  u:object_r:qmux_exec:s0
+/system/bin/netmgrd                u:object_r:netmgrd_exec:s0
+/system/bin/thermald               u:object_r:thermald_exec:s0
+/system/bin/mpdecision             u:object_r:mpdecision_exec:s0
+/system/bin/sensors.qcom           u:object_r:sensors_exec:s0
+/system/bin/mm-qcamera-daemon      u:object_r:camera_exec:s0
+/system/bin/qseecomd               u:object_r:tee_exec:s0
+/system/bin/conn_init              u:object_r:conn_init_exec:s0
+

File sepolicy/mpdecision.te

+# CPU governor (root process)
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mpdecision)
+
+permissive mpdecision;
+unconfined_domain(mpdecision)

File sepolicy/netmgrd.te

+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(netmgrd)
+
+permissive netmgrd;
+unconfined_domain(netmgrd)

File sepolicy/qmux.te

+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(qmux)
+
+permissive qmux;
+unconfined_domain(qmux)

File sepolicy/rmt.te

+# remote storage process
+type rmt, domain;
+type rmt_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(rmt)
+
+permissive rmt;
+unconfined_domain(rmt)

File sepolicy/sensors.te

+# Integrated qualcomm sensor process
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(sensors)
+
+permissive sensors;
+unconfined_domain(sensors)

File sepolicy/thermald.te

+# Temperature sensor daemon (root process)
+type thermald, domain;
+type thermald_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(thermald)
+
+permissive thermald;
+unconfined_domain(thermald)