
Robert Craig committed adebb9c

More SELinux policy changes.

Change-Id: Ie145ed63d898c5f506ee25c8a22fb3e2379ef29c



 BOARD_SEPOLICY_UNION += \
 	file_contexts \
 	te_macros \
-	bd_addr_loader.te \
+	bluetooth_loader.te \
 	bluetooth.te \
 	bridge.te \
 	camera.te \
 	file.te \
 	kickstart.te \
 	init.te \
-	init_trusted_shell.te \
 	mediaserver.te \
 	mpdecision.te \
 	netmgrd.te \
 	sensors.te \
 	surfaceflinger.te \
 	system.te \
+	tee.te \
 	thermald.te \
 	ueventd.te \
 	wpa_supplicant.te
     mkdir /data/system/sensors
     chmod 665 /data/system/sensors
     write /data/system/sensors/settings 1
+    restorecon /data/system/sensors/settings
     chmod 660 /data/system/sensors/settings
 
     # AKM setting data
     # Enable the setgid bit on the directory
     mkdir /data/audio 0770 media audio
     chmod 2770 /data/audio
-    restorecon /data/audio
 
     # kickstart
     mkdir /data/qcks 0770 system system
     # communicate with mpdecision and thermald
     mkdir /dev/socket/mpdecision 0770 system system
     chmod 2770 /dev/socket/mpdecision
-    restorecon /dev/socket/mpdecision
 
     # adjust vibrator amplitude
     write /sys/class/timed_output/vibrator/amp 70
     class late_start
     user bluetooth
     group qcom_oncrpc bluetooth net_bt_admin system
-    seclabel u:r:init_trusted_shell:s0
+    seclabel u:r:bluetooth_loader:s0
     disabled
     oneshot
 
 
 service ks_checker /system/bin/sh /system/etc/kickstart_checker.sh
     class core
-    seclabel u:r:init_trusted_shell:s0
+    seclabel u:r:kickstart:s0
     oneshot
 
 service kickstart /system/bin/qcks -i /firmware/image/ -r /data/tombstones/mdm/

sepolicy/bd_addr_loader.te

-# Bluetooth executables and script (bdAddrLoader, init.mako.bt.sh)
-type bluetooth_loader, domain;
-type bluetooth_loader_exec, exec_type, file_type;
-
-# Run init.mako.bt.sh
-domain_auto_trans(init_trusted_shell, bluetooth_loader_exec, bluetooth_loader)
-allow bluetooth_loader init_trusted_shell:fd use;
-allow bluetooth_loader init_trusted_shell:fifo_file { getattr write };
-
-# Run hci_qcomm_init
-domain_auto_trans(init_trusted_shell, hci_attach_exec, hci_attach)
-
-# hci_qcomm_init started with logwrapper
-allow hci_attach init_trusted_shell:fd use;
-allow hci_attach devpts:chr_file rw_file_perms;
-
-# Start bdAddrLoader from init
-init_daemon_domain(bluetooth_loader)
-
-# Read mac address from persist partition
-allow bluetooth_loader persist_file:dir search;
-r_dir_file(bluetooth_loader, persist_bluetooth_file)
-
-# Talk to init over the property socket
-unix_socket_connect(bluetooth_loader, property, init)
-
-# Shared memory node access
-allow hci_attach bluetooth_device:chr_file rw_file_perms;
-
-# Allow getprop/setprop for init.mako.bt.sh
-allow bluetooth_loader system_file:file execute_no_trans;
-
-# Allow bdAddrLoader to set bluetooth property value
-allow bluetooth_loader system_prop:property_service set;

sepolicy/bluetooth_loader.te

+# Bluetooth executables and script (bdAddrLoader, init.mako.bt.sh)
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+# Run init.mako.bt.sh
+allow bluetooth_loader shell_exec:file { entrypoint read };
+allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans };
+
+# init.mako.bt.sh needs /system/bin/log access
+allow bluetooth_loader devpts:chr_file rw_file_perms;
+
+# Run hci_qcomm_init from init.mako.bt.sh
+domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
+
+# hci_qcomm_init started with logwrapper
+allow hci_attach devpts:chr_file rw_file_perms;
+allow hci_attach bluetooth_loader:fd use;
+
+# Read mac address from persist partition
+allow bluetooth_loader persist_file:dir search;
+r_dir_file(bluetooth_loader, persist_bluetooth_file)
+
+# Talk to init over the property socket
+unix_socket_connect(bluetooth_loader, property, init)
+
+# Shared memory node access
+allow hci_attach bluetooth_device:chr_file rw_file_perms;
+
+# Allow getprop/setprop for init.mako.bt.sh
+allow bluetooth_loader system_file:file execute_no_trans;
+
+# Allow bdAddrLoader to set bluetooth property value
+allow bluetooth_loader system_prop:property_service set;
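Review bot: `allow bluetooth_loader system_file:file execute_no_trans;` grants this domain the right to run every binary labelled system_file inside its own domain, while the comment above it names only getprop/setprop for init.mako.bt.sh. Those tools live in /system/bin under that same label, so narrowing would need a dedicated exec type; at minimum the comment should say what the rule really covers, e.g. `# getprop/setprop (and any other /system binary) run in-domain from init.mako.bt.sh`. Similarly, `allow bluetooth_loader system_prop:property_service set;` lets the domain set any property carrying the system_prop label, not only the bluetooth one the comment describes; a dedicated property label for the bluetooth address would let this be a single-property rule. Whether bluetooth_loader_exec is actually assigned in file_contexts is not visible in this diff, so the init_daemon_domain transition may be unused given the service now relies on the seclabel line.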

sepolicy/bridge.te

-# (radio process)
+# Bridge Manager (radio process)
 type bridge, domain;
 type bridge_exec, exec_type, file_type;
 

sepolicy/camera.te

 # Started by init
 init_daemon_domain(camera)
 
-allow camera { video_device camera_device }:chr_file rw_file_perms;
+allow camera self:process execmem;
 
-file_type_auto_trans(camera, system_data_file, camera_data_file);
+allow camera { video_device camera_device }:chr_file rw_file_perms;
+allow camera { surfaceflinger mediaserver }:fd use;
 
-# Create /data/cam_socket* and /data/fdAlbum
-# XXX can we distinguish between the socket and the file?
-allow camera camera_data_file:dir { write add_name };
-allow camera camera_data_file:file { write open create };
-# Create /data/app/sensor_ctl_socket
-allow camera sensors_data_file:sock_file write;
+# Create /data/cam_socket0 as camera_socket
+type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
+allow camera camera_socket:sock_file { create unlink };
 dontaudit camera system_data_file:dir remove_name;
-dontaudit camera system_data_file:sock_file unlink;
 
-allow camera { surfaceflinger mediaserver }:fd use;
+# All others under /data get camera_data_file
+file_type_auto_trans(camera, system_data_file, camera_data_file);
+allow camera camera_data_file:dir { write add_name };
+allow camera camera_data_file:file create_file_perms;
 
-allow camera sensors:unix_stream_socket connectto;
+# Connect to /data/app/sensor_ctl_socket
+unix_socket_connect(camera, sensors, sensors)
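Review bot: `allow camera self:process execmem;`, the first added rule after `init_daemon_domain(camera)`, is the only rule block in this file without a comment, and execmem is the permission that lets a process map or mprotect memory as writable and executable at once. Record what exercises it so the rule can be revisited, e.g. `# execmem: needed by <library or codec that needs W+X mappings — confirm from denial log>`. The same applies to the `allow tee self:process execmem;` line that follows the te_macros hunk later in this commit, which appears to belong to the new tee.te.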
 type mpdecision_socket, file_type;
 type qmuxd_socket, file_type;
+type sensors_socket, file_type;
+type camera_socket, file_type;
 
 type kickstart_data_file, file_type, data_file_type;
 type sensors_data_file, file_type, data_file_type;

sepolicy/file_contexts

 /data/nfc(/.*)?                u:object_r:nfc_data_file:s0
 /data/qcks(/.*)?               u:object_r:kickstart_data_file:s0
 /data/misc/sensors(/.*)?       u:object_r:sensors_data_file:s0
+/data/system/sensors(/.*)?     u:object_r:sensors_data_file:s0
 
 # System binaries
 /system/bin/rmt_storage          u:object_r:rmt_exec:s0

sepolicy/init_trusted_shell.te

-# shell started by init that is not UID shell
-type init_trusted_shell, domain, shelldomain;
-
-allow init_trusted_shell kickstart_data_file:dir { getattr read open search };
-allow init_trusted_shell kickstart_data_file:file getattr;
-
-allow init_trusted_shell shell_exec:file entrypoint;
-
-allow init_trusted_shell self:capability dac_override;
-
-allow init_trusted_shell radio_prop:property_service set;

sepolicy/kickstart.te

 type kickstart, domain;
 type kickstart_exec, exec_type, file_type;
 
-# Run kickstart_checker.sh
-domain_auto_trans(init_trusted_shell, kickstart_exec, kickstart)
-
 # kickstart_checker.sh talks to init over the property socket
 unix_socket_connect(kickstart, property, init)
 
 
 # Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
 allow kickstart block_device:dir { getattr write search };
+
+# Set system property key
+allow kickstart radio_prop:property_service set;
+
+allow kickstart shell_exec:file entrypoint;
+# ls on /data/qcks/
+allow kickstart self:capability dac_override;
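Review bot: `allow kickstart self:capability dac_override;` is justified only by `# ls on /data/qcks/`, and the init.rc hunk earlier in this commit creates that directory as `mkdir /data/qcks 0770 system system` while the ks_checker service shows no `user` line, so the checker presumably runs as root and the capability compensates for a uid mismatch rather than a policy need. dac_override switches off every discretionary permission check for the whole domain, so running the checker as `user system` (or giving the directory a mode root can traverse) would be the narrower fix. If the capability is kept, the comment should name the ownership mismatch, e.g. `# dac_override: /data/qcks is 0770 system:system but ks_checker runs as root`.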

sepolicy/mediaserver.te

 allow mediaserver audio_data_file:dir w_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;
 
-# Talk to qmuxd. qmuxd doesn't seem to talk to
-# anything audio related on the other end...
-# Maybe dontaudit?
 qmux_socket(mediaserver)
 
-allow mediaserver self:socket create;
-
-allow mediaserver camera:unix_dgram_socket sendto;
+unix_socket_send(mediaserver, camera, camera)
 
-# /data/cam_socket* access
-#file_type_auto_trans(mediaserver, system_data_file, camera_data_file);
-allow mediaserver camera_data_file:sock_file write;
+allow mediaserver self:socket create;
 
 # Allow logging diagnostic items
 allow mediaserver diagnostic_device:chr_file rw_file_perms;

sepolicy/mpdecision.te

 # Started by init
 init_daemon_domain(mpdecision)
 
-# Allow access to /dev/socket/mpdecision/*
+# dac_override to unlink /dev/socket/mpdecision/touchboost
 allow mpdecision self:capability { dac_override fsetid net_admin };
 allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind read };
 

sepolicy/netmgrd.te

 # Started by init
 init_daemon_domain(netmgrd)
 
-# fsetid, dac_override on /dev/socket/qmux_radio/
-allow netmgrd self:capability { dac_override sys_module fsetid };
 allow netmgrd self:udp_socket { create ioctl };
-allow netmgrd self:capability { setuid setgid net_admin net_raw dac_read_search };
+# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
+allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
 allow netmgrd self:packet_socket { write bind read create };
 allow netmgrd self:netlink_socket { write read create bind setopt };
 allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
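Review bot: The merged rule `allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };` drops `dac_read_search`, which the removed second rule granted, and the new comment explains only fsetid and dac_override. The drop is probably harmless — a domain holding dac_override is normally never asked for dac_read_search, since the kernel consults the broader capability first — but that reasoning belongs in the comment, e.g. `# dac_read_search dropped: subsumed by dac_override`. `sys_module` (kernel module loading) also survives the merge with no note on which module netmgrd needs, which is worth stating while the rule is being rewritten.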
 
 # XXX should we allow sys_rawio on /dev/mem?
 allow rmt self:capability { sys_rawio };
-# dac_override on /sys/power/wake_lock
+# dac_override on open /sys/power/wake_lock
 allow rmt self:capability { setuid setgid dac_override };
 allow rmt self:socket { create ioctl bind setopt read };
 

sepolicy/sensors.te

 # Started by init
 init_daemon_domain(sensors)
 
-# dac_override /dev/msm_dsps
+# dac_override open /dev/msm_dsps
 allow sensors self:capability { setuid setgid chown dac_override };
 
 # Allow logging diagnostic items
 allow sensors diagnostic_device:chr_file rw_file_perms;
 
-# Creates /data/app/sensor_ctl_socket
-file_type_auto_trans(sensors, apk_data_file, sensors_data_file);
-allow sensors sensors_data_file:dir { remove_name add_name setattr };
-allow sensors sensors_data_file:file open;
-allow sensors sensors_data_file:sock_file { create unlink setattr };
+# Create /data/app/sensor_ctl_socket
+file_type_auto_trans(sensors, apk_data_file, sensors_socket);
 
-# Wants to delete /data/app/sensor_ctl_socket
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file r_file_perms;
 dontaudit sensors apk_data_file:dir remove_name;
 
 # Access to sensor nodes
 allow sensors sensors_device:chr_file rw_file_perms;
+
 # XXX should power_control_device be labeled differently?
 allow sensors power_control_device:chr_file { write open append };
 
 allow sensors persist_sensors_file:dir r_dir_perms;
 allow sensors persist_sensors_file:file rw_file_perms;
 
-# Access to /data/system/sensors/settings
-allow sensors system_data_file:file r_file_perms;
-
 # XXX label with own type?
 allow sensors sysfs:file { open append read write getattr };
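Review bot: `file_type_auto_trans(sensors, apk_data_file, sensors_socket);` under `# Create /data/app/sensor_ctl_socket` is a full type transition, so if it expands like the usual Android macro every directory, file or socket the sensors domain creates under an apk_data_file directory is labelled sensors_socket and gets the matching create permissions, not just the one socket. The camera hunk in this same commit uses the narrower filename transition for the same purpose; the equivalent here would be `type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";` followed by `allow sensors sensors_socket:sock_file { create unlink setattr };`, the permissions the removed rule granted. Whether `setattr` is still exercised should be confirmed against the denial log before it is carried over.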

sepolicy/system.te

-allow system { mpdecision sensors }:unix_stream_socket { connectto sendto };
-allow system { init mpdecision }:unix_dgram_socket sendto;
-# XXX how and why?
 allow system diagnostic_device:chr_file rw_file_perms;
 
+allow system init:unix_dgram_socket sendto;
+allow system wpa_socket:unix_dgram_socket sendto;
+
 qmux_socket(system)
 
-# XXX how and why
-allow system sysfs:file { read open write };
-allow system mpdecision_socket:sock_file write;
+# PowerManagerService
+unix_socket_connect(system, sensors, sensors)
+allow system sensors:unix_stream_socket sendto;
+
+# mpdecision access
+unix_socket_connect(system, mpdecision, mpdecision)
+unix_socket_send(system, mpdecision, mpdecision)
+allow system mpdecision:unix_stream_socket sendto;
 allow system mpdecision_socket:dir search;
-allow system wpa_socket:unix_dgram_socket sendto;
+
+allow system sysfs:file { read open write };
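Review bot: `allow system sysfs:file { read open write };` returns at the end of the hunk stripped of the `# XXX how and why` marker that accompanied the removed copy, and nothing replaces it. Write access to every file under the generic sysfs label from system_server is broad, so either keep the marker or record the node that actually needs writing, e.g. `# write: /sys/<node — confirm from denial log>; consider a dedicated sysfs type`. The `# PowerManagerService` and `# mpdecision access` comments added above show the level of explanation the rest of the hunk already meets.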

sepolicy/te_macros

 # Allow client to send via a local
 # socket to the qmux domain.
 define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
 unix_socket_connect($1, qmuxd, qmux)
-allow $1 qmuxd_socket:dir w_dir_perms;
-allow $1 qmuxd_socket:sock_file { create setattr unlink getattr };
+allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
 ')
+
+
+allow tee self:process execmem;

sepolicy/thermald.te

 init_daemon_domain(thermald)
 
 # XXX should we allow kexec_load with /dev/socket/qmux_radio/qmux_client_socket
-# dac_override with /dev/socket/qmux_radio
+# dac_override open, unlink with /dev/socket/qmux_radio/qmux_client_socket
 allow thermald self:capability { net_admin fsetid dac_override };
 
 allow thermald self:socket { ioctl create write read };

sepolicy/wpa_supplicant.te

-# XXX not quite sure
 allow wpa init:unix_dgram_socket { read write };
 
 # logwrapper used with wpa_supplicant