
Anonymous committed 0d12b8f Merge

Merge "Initial security policy."


Files changed (13)

 TARGET_RECOVERY_UI_LIB := librecovery_ui_manta
 TARGET_RECOVERY_UPDATER_LIBS += librecovery_updater_manta
 TARGET_RELEASETOOLS_EXTENSIONS := device/samsung/manta
+
+BOARD_SEPOLICY_DIRS := \
+	device/samsung/manta/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+	file_contexts \
+	genfs_contexts \
+	adbd.te \
+	app.te \
+	device.te \
+	domain.te \
+	gpsd.te \
+	file.te \
+	mediaserver.te \
+	surfaceflinger.te \
+	system.te
 	chmod 0660 /sys/class/rfkill/rfkill0/state
 	chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
 	chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
+	restorecon /sys/class/rfkill/rfkill0/state
+	restorecon /sys/class/rfkill/rfkill0/type
 
 on boot
     # override init.rc to keep plenty of large order chunks around
     mkdir /factory 0775 radio radio
 
     mount_all /fstab.manta
+    mount ext4 /dev/block/platform/dw_mmc.0/by-name/efs /factory rw remount
+    restorecon /factory
+    restorecon /factory/bluetooth
+    restorecon /factory/bluetooth/bt_addr
+    restorecon /factory/FactoryApp
+    restorecon /factory/FactoryApp/
+    restorecon /factory/FactoryApp/baro_delta
+    restorecon /factory/FactoryApp/factorymode
+    restorecon /factory/FactoryApp/fdata
+    restorecon /factory/FactoryApp/hist_nv
+    restorecon /factory/FactoryApp/hw_ver
+    restorecon /factory/FactoryApp/keystr
+    restorecon /factory/FactoryApp/reset_flag
+    restorecon /factory/FactoryApp/test_nv
+    restorecon /factory/hdcp2.keys
+    restorecon /factory/wv.keys
+    restorecon /factory/wifi
+    restorecon /factory/wifi/
+    mount ext4 /dev/block/platform/dw_mmc.0/by-name/efs /factory ro remount
     setprop ro.crypto.fuse_sdcard true
 
 # Permissions for backlight
 # Set watchdog timer to 30 seconds and pet it every 10 seconds to get a 20 second margin
 service watchdogd /sbin/watchdogd 10 20
     class core
+    seclabel u:r:watchdogd:s0
 
 service gpsd /system/vendor/bin/gpsd -c /system/vendor/etc/gps.xml
     class main
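Review bot: In the `on boot` block the relabel of `/factory` is a hand-written list, so anything on the efs partition that is not listed keeps its previous label. `/factory/wifi` is relabelled but nothing under it is, even though `file_contexts` in this commit covers `/factory(/.*)?`. `restorecon /factory/FactoryApp/` and `restorecon /factory/wifi/` also repeat the line above them with only a trailing slash added. If `restorecon` is per-path here, as the file-by-file list suggests, add the contents of `/factory/wifi` and a comment such as `# restorecon is not recursive: list every efs path a confined domain must read`. This section spans several hunks and its file header is not shown on the page.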
+allow adbd ffs:file rw_file_perms;
+allow appdomain mali_device:chr_file rw_file_perms;
+allow appdomain ion_device:chr_file w_file_perms;

sepolicy/device.te

+type mali_device, dev_type, mlstrustedobject;
+type secmem_device, dev_type;
+# Unified Memory Management device
+type ump_device, dev_type;
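Review bot: `mali_device` is declared with `mlstrustedobject` and no explanation, while `ump_device` just below has a comment. The attribute exempts the node from MLS checks, and with `allow appdomain mali_device:chr_file rw_file_perms;` elsewhere in this commit the GPU driver becomes reachable from every app domain, presumably including ioctl if `rw_file_perms` expands as in the base policy. That is a large kernel attack surface to open without a recorded reason. Please add a comment above the type, e.g. `# Mali GPU node, opened by all app domains for rendering; mlstrustedobject because <reason>`, so a later reviewer can tell whether the attribute is still needed.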

sepolicy/domain.te

+dontaudit domain rootfs:chr_file { read write };
+type ffs, fs_type;
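Review bot: `dontaudit domain rootfs:chr_file { read write };` silences this denial for every domain, so an unexpected process holding a descriptor to a rootfs character device will never show up in the audit log. The rule has no comment saying which device or inherited descriptor produces the noise. Please add one, e.g. `# <device> fd inherited from init; denial is harmless`, and scope the rule to the domains that actually hit it if that set is known. The `type ffs, fs_type;` line below it looks like it belongs to a different file whose header was lost on this page.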

sepolicy/file_contexts

+# label graphics device with a new type, we need
+# to allow write operation from appdomain
+/dev/mali0              u:object_r:mali_device:s0
+
+/dev/bcm2079x           u:object_r:nfc_device:s0
+/dev/ttySAC0            u:object_r:hci_attach_dev:s0
+/dev/ttySAC1            u:object_r:gps_device:s0
+/dev/s5p-smem           u:object_r:secmem_device:s0
+/dev/ump                u:object_r:ump_device:s0
+
+/dev/mobicore           u:object_r:tee_device:s0
+/dev/mobicore-user      u:object_r:tee_device:s0
+
+/dev/v4l-subdev[0-9]*   u:object_r:video_device:s0
+/dev/media0             u:object_r:video_device:s0
+/dev/media1             u:object_r:video_device:s0
+
+/dev/video16            u:object_r:video_device:s0
+/dev/video17            u:object_r:video_device:s0
+/dev/video18            u:object_r:video_device:s0
+/dev/video19            u:object_r:video_device:s0
+
+/dev/video40            u:object_r:camera_device:s0
+/dev/video41            u:object_r:camera_device:s0
+/dev/video42            u:object_r:camera_device:s0
+/dev/video43            u:object_r:camera_device:s0
+/dev/video44            u:object_r:camera_device:s0
+/dev/media2             u:object_r:camera_device:s0
+
+/data/nfc               u:object_r:nfc_data_file:s0
+
+/factory(/.*)?          u:object_r:efs_file:s0
+/factory/bluetooth(/.*)?        u:object_r:bluetooth_efs_file:s0
+
+/system/bin/mcDriverDaemon  --  u:object_r:tee_exec:s0
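Review bot: The catch-all `/factory(/.*)?  u:object_r:efs_file:s0` gives `/factory/hdcp2.keys` and `/factory/wv.keys` the same label as every other file on the partition; both are relabelled by the init script in this commit. Only the bluetooth subtree gets its own type. Any domain later granted read on `efs_file`, for instance to fetch a calibration value, would then also be able to read the key files. Consider a dedicated type for them, along the lines of `/factory/(hdcp2|wv)\.keys  u:object_r:<key_efs_file>:s0`, with the type declared in file.te and read access limited to the domains that consume the keys. Which domains currently hold `efs_file` access is not visible here.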

sepolicy/genfs_contexts

+genfscon functionfs / u:object_r:ffs:s0
+# gpsd on manta uses /data/.gps.interface.pipe.to_gpsd,
+# /data/.gps.interface.pipe.to_jni, /data/.gpsd.lock,
+# and /data/gldata.sto
+file_type_auto_trans(gpsd, system_data_file, gps_data_file);
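Review bot: `file_type_auto_trans(gpsd, system_data_file, gps_data_file);` is keyed on the generic `system_data_file` directory type because gpsd creates its pipes, lock and `gldata.sto` directly in `/data`. If the macro expands as in the base policy (not shown here), it also lets gpsd add entries in any directory labelled `system_data_file`, not just the top of `/data`. The existing comment lists the paths but not this side effect. I would extend it with `# TODO: move gpsd state into a dedicated directory with its own type and drop this transition`. These lines appear under the genfs_contexts header, but the `gpsd` domain suggests gpsd.te, whose header seems to be missing from the page.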

sepolicy/mediaserver.te

+allow mediaserver system:unix_stream_socket { read write setopt };

sepolicy/surfaceflinger.te

+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger mali_device:chr_file rw_file_perms;

sepolicy/system.te

+allow system mali_device:chr_file rw_file_perms;