authorJason Riordan <jriordan001@gmail.com>2017-02-23 23:19:29 -0500
committerJason Riordan <jriordan001@gmail.com>2017-02-23 23:44:10 -0500
commit587655ff41f10d2c275cbbccfa33e19bb8006c1e (patch)
tree7dc0ba4877d46e4e0cb910a9a60fbb353d31658f
parent94ead88c3036391a5c498d9f0ee80be01e948300 (diff)
mofd: more selinux
* relabel /config at boot * allow apps using houdini access to cpuinfo * allow apps to use ffmpeg * allow asus_config to set all teh propz Change-Id: Iedb815d693ce4686a9bf76bde92d33df775cd719
-rw-r--r--rootdir/etc/init.mofd_v1.rc1
-rw-r--r--sepolicy/asus_config.te2
-rw-r--r--sepolicy/rootfs.te1
-rw-r--r--sepolicy/untrusted_app.te4
4 files changed, 8 insertions, 0 deletions
diff --git a/rootdir/etc/init.mofd_v1.rc b/rootdir/etc/init.mofd_v1.rc
index fbf3f71..1b5bc9a 100644
--- a/rootdir/etc/init.mofd_v1.rc
+++ b/rootdir/etc/init.mofd_v1.rc
@@ -206,6 +206,7 @@ on post-fs
chown system system /sys/devices/platform/bcove_bcu/camflash_ctrl
symlink /sys/devices/platform/bcove_bcu /dev/bcu
+ restorecon /config
restorecon_recursive /factory
restorecon_recursive /config
restorecon_recursive /logs
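Review bot: The added `restorecon /config` has no comment saying why it is needed, although `restorecon_recursive /config` already runs two lines below it in the same block. If the recursive call is being skipped or fails on the mount point itself, record that next to the line, along the lines of `# relabel the /config mount point itself before the recursive pass`; otherwise the new line looks redundant and is likely to be removed in a later cleanup. The `on post-fs` block starts and ends outside this hunk, so any earlier handling of /config is not visible here.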
diff --git a/sepolicy/asus_config.te b/sepolicy/asus_config.te
index 969be56..3bdb2cf 100644
--- a/sepolicy/asus_config.te
+++ b/sepolicy/asus_config.te
@@ -7,6 +7,8 @@ set_prop(asus_config, audio_prop)
set_prop(asus_config, asus_prop)
set_prop(asus_config, config_prop)
set_prop(asus_config, radio_prop)
+set_prop(asus_config, ctl_default_prop)
+set_prop(asus_config, ctl_rildaemon_prop)
allow asus_config config_file:dir search;
allow asus_config config_file:file rw_file_perms;
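Review bot: `set_prop(asus_config, ctl_default_prop)` is much broader than the other grants in this file, because `ctl_default_prop` covers the `ctl.start`/`ctl.stop` control properties for every init service that has no dedicated label. With it, asus_config can start or stop any such service, which the commit message ("set all teh propz") suggests was not scoped deliberately. Prefer labelling only the control properties this domain actually sets with a device-specific type in property_contexts and granting that instead, e.g. `set_prop(asus_config, <device_ctl_prop_type>)` (placeholder name), keeping `ctl_rildaemon_prop` as the model. If the broad grant must stay, add a comment listing the services it is needed for.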
diff --git a/sepolicy/rootfs.te b/sepolicy/rootfs.te
new file mode 100644
index 0000000..7cfb964
--- /dev/null
+++ b/sepolicy/rootfs.te
@@ -0,0 +1 @@
+allow rootfs labeledfs:filesystem associate;
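Review bot: `allow rootfs labeledfs:filesystem associate;` applies to every object labelled `rootfs` on every labeled filesystem, while the commit message only talks about relabeling /config. Presumably /config resolves to the `rootfs` label in file_contexts but is a real partition on this device; if so, a device file_contexts entry giving /config a specific type (the policy already uses `config_file`) would avoid the filesystem-wide rule. At minimum the new file should carry a comment naming the denial it answers, e.g. `# /config is a labeled partition here but its root is labelled rootfs`.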
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..5f21d49
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,4 @@
+allow untrusted_app asus_tee_device:chr_file rw_file_perms;
+allow untrusted_app system_file:file execmod;
+allow untrusted_app cpuinfo_file:file { mounton };
+allow untrusted_app cpuinfo_file:file r_file_perms;
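Review bot: The first rule, `allow untrusted_app asus_tee_device:chr_file rw_file_perms;`, opens the TEE device node for read and write to every third-party app, and the commit description does not mention it (it lists only houdini/cpuinfo and ffmpeg). That puts the TEE driver's interface within reach of untrusted code; unless an app really has to open the node itself, drop the line and keep the access in the system domain that brokers it. `execmod` on `system_file` lets apps execute system library pages they have modified (text relocations, presumably for the ffmpeg libraries), which weakens W^X for the whole domain; fixing the libraries or giving them their own file type would be narrower. The `mounton` rule on `cpuinfo_file` should carry a comment naming the denial it answers, since none of these four lines is documented in the new file.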