| author | Greg Wallace <greg@gregtwallace.com> | 2017-01-27 19:00:54 -0500 |
|---|---|---|
| committer | Drgravy <drg113001@gmail.com> | 2017-01-30 17:20:14 -0600 |
| commit | 4ec74c1de067878c2ba7c212ba38ad39a68136b8 (patch) | |
| tree | 8ed266b3e689837feaa964d315e1fb6efe87ca7f | |
| parent | 6a4208c4329bc20115c60f8bd533c75ba7d21b1f (diff) | |
sepolicy: Fix baseband
* Rewrite sepolicy
Based mostly on: https://github.com/LineageOS/android_device_lge_g5-common/commit/a45e48b746b80a2b3ecccfddef6a61954f69420a
* In set_baseband.te, big change:
allow set_baseband toolbox_exec:file { getattr };
- changed to -
allow set_baseband toolbox_exec:file { execute_no_trans open read getattr execute };
* Change baseband script to not require getprop
* Change baseband script to check for common variants first (speed)
* (REVERTED in PS5) ///Slight tweak to when the script is run.///
PS2:
* Fix overbroad { dac_override dac_read_search } by running service as
correct user 'system'
PS3:
* Fix PS2. The shell script is owned by root:shell. If we use user
'system' we fix the overbroad permissions. Using group 'shell' we
regain access to the shell script.
PS5:
* Revert script timing, as this may have been causing intermittent
function.
* Output baseband script tests to /dev/null so there is no shell output
Change-Id: I2e39de86e6f172596718d427aad7376f734ce883
| -rwxr-xr-x | rootdir/bin/set_baseband.sh | 16 | ||||
| -rw-r--r-- | rootdir/etc/init.g2.rc | 3 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 6 | ||||
| -rw-r--r-- | sepolicy/private_app.te | 1 | ||||
| -rw-r--r-- | sepolicy/set_baseband.te | 4 | ||||
| -rw-r--r-- | sepolicy/system_app.te | 1 | ||||
| -rw-r--r-- | sepolicy/system_server.te | 3 | ||||
| -rw-r--r-- | sepolicy/untrusted_app.te | 1 |
8 files changed, 19 insertions, 16 deletions
diff --git a/rootdir/bin/set_baseband.sh b/rootdir/bin/set_baseband.sh index cd72150..db984ee 100755 --- a/rootdir/bin/set_baseband.sh +++ b/rootdir/bin/set_baseband.sh @@ -1,12 +1,10 @@ #!/system/bin/sh -product=`getprop ro.build.product` # grep the modem partition for baseband version and set it -case "$product" in - "ls980" | "vs980") - setprop gsm.version.baseband `strings /firmware/image/modem.b18 | grep "^MPSS.DI" | head -1` - ;; - "d800" | "d801" | "d802" | "d803" | "f320" | "l01f") - setprop gsm.version.baseband `strings /firmware/image/modem.b21 | grep "^M8974A-" | head -1` - ;; -esac +if strings /firmware/image/modem.b21 | grep "^M8974A-" >> /dev/null; then + # "d800" | "d801" | "d802" | "d803" | "f320" | "l01f" + setprop gsm.version.baseband `strings /firmware/image/modem.b21 | grep "^M8974A-" | head -1` +elif strings /firmware/image/modem.b18 | grep "^MPSS.DI" >> /dev/null; then + # "ls980" | "vs980" + setprop gsm.version.baseband `strings /firmware/image/modem.b18 | grep "^MPSS.DI" | head -1` +fi diff --git a/rootdir/etc/init.g2.rc b/rootdir/etc/init.g2.rc index db33e88..5b4f419 100644 --- a/rootdir/etc/init.g2.rc +++ b/rootdir/etc/init.g2.rc @@ -368,7 +368,8 @@ service sensors /system/bin/sensors.qcom service set_baseband /system/bin/set_baseband.sh class late_start - user root + user system + group shell oneshot disabled diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index ad047ba..ee8c0d5 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -1,3 +1,6 @@ +# Baseband +/system/bin/set_baseband.sh u:object_r:set_baseband_exec:s0 + # Bluetooth /dev/rfkill u:object_r:rfkill_device:s0 /dev/btlock u:object_r:btlock_file:s0 @@ -38,9 +41,6 @@ /persist-lg/sensors(/.*)? u:object_r:sensors_persist_file:s0 /sns(/.*)? u:object_r:sensors_persist_file:s0 -# Baseband -/system/bin/set_baseband.sh u:object_r:set_baseband_exec:s0 - # Thermal /system/bin/thermal-engine u:object_r:thermal-engine_exec:s0 
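Review bot: Both `setprop gsm.version.baseband` lines in the set_baseband.sh hunk pass an unquoted command substitution, so a matching string in the modem image that contains whitespace is word-split into extra arguments and the property is not set as intended. Each image is also scanned with `strings` twice, once for the test and once for the value. Capturing the match once and quoting it covers both: `bb=$(strings /firmware/image/modem.b21 | grep "^M8974A-" | head -1)` followed by `[ -n "$bb" ] && setprop gsm.version.baseband "$bb"`. The tests redirect with `>> /dev/null` where `> /dev/null` is the usual form, and the `.` in `"^MPSS.DI"` matches any character, so `"^MPSS\.DI"` would pin it if a literal dot is meant.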
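Review bot: The added `group shell` line in the set_baseband service stanza of init.g2.rc has no comment, and according to the commit message it exists only so that user `system` can still read the root:shell-owned script. A comment line above it such as `# group shell: required to read /system/bin/set_baseband.sh (root:shell)` would keep a later cleanup from dropping it. With root gone, the service presumably also depends on /firmware/image/modem.b* being readable by system or shell, and the script has no fallback branch, so a permission failure would leave the property unset without any log line.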
diff --git a/sepolicy/private_app.te b/sepolicy/private_app.te
new file mode 100644
index 0000000..b4f6325
--- /dev/null
+++ b/sepolicy/private_app.te
@@ -0,0 +1 @@
+allow priv_app baseband_prop:file r_file_perms;
diff --git a/sepolicy/set_baseband.te b/sepolicy/set_baseband.te
index 55a1ae8..01b9072 100644
--- a/sepolicy/set_baseband.te
+++ b/sepolicy/set_baseband.te
@@ -5,6 +5,6 @@ init_daemon_domain(set_baseband)
 allow set_baseband baseband_prop:property_service set;
 allow set_baseband firmware_file:dir search;
 allow set_baseband firmware_file:file r_file_perms;
-allow set_baseband self:capability { dac_override dac_read_search };
-allow set_baseband shell_exec:file { entrypoint read };
+allow set_baseband shell_exec:file { entrypoint read getattr };
+allow set_baseband toolbox_exec:file { execute_no_trans open read getattr execute };
 unix_socket_connect(set_baseband, property, init)
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..56f548e
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1 @@
+allow system_app baseband_prop:file r_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index d021f65..0c4fff0 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -3,4 +3,5 @@ allow system_server sysfs_touchpanel:dir search;
 allow system_server sysfs_touchpanel:file rw_file_perms;
 allow system_server sysfs_usb_supply:dir search;
 allow system_server sysfs_usb_supply:file r_file_perms;
-allow system_server sysfs_vibeamp:file rw_file_perms;
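Review bot: The read grant on `baseband_prop` is written out by hand four times, here in private_app.te and again in system_app.te, system_server.te and untrusted_app.te, and this file is named private_app.te while the domain it extends is `priv_app`. If the te_macros in this tree provide `get_prop`, `get_prop(priv_app, baseband_prop)` states the intent more directly, and naming the file after the domain makes the rule easier to find. The untrusted_app rule makes the exact baseband build string readable by every third-party app, so a one-line comment naming the consumer that needs it would document why the scope is that wide.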
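Review bot: The new `toolbox_exec` rule in set_baseband.te is the widest grant in this domain and has no comment, while `execute_no_trans` lets set_baseband run that binary inside its own domain rather than in a transition target. A comment above it naming what the script invokes, for example `# set_baseband.sh runs strings, grep, head and setprop without a domain transition`, would let a reviewer check the permission list against the script. Dropping `dac_override dac_read_search` is only correct together with the `user system` / `group shell` change in init.g2.rc, so a note tying the two together would help keep them in sync.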
\ No newline at end of file
+allow system_server sysfs_vibeamp:file rw_file_perms;
+allow system_server baseband_prop:file r_file_perms;
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..b412a36
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1 @@
+allow untrusted_app baseband_prop:file r_file_perms; |
