diff options
| -rw-r--r-- | rootdir/Android.mk | 15 | ||||
| -rw-r--r-- | rootdir/etc/init.qcom.rc | 5 | ||||
| -rw-r--r-- | sepolicy/adspd.te | 15 | ||||
| -rw-r--r-- | sepolicy/atvc.te | 3 | ||||
| -rw-r--r-- | sepolicy/batt_health.te | 10 | ||||
| -rw-r--r-- | sepolicy/bluetooth_loader.te | 18 | ||||
| -rw-r--r-- | sepolicy/file.te | 5 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 82 | ||||
| -rw-r--r-- | sepolicy/hw_revs.te | 3 | ||||
| -rw-r--r-- | sepolicy/init.te | 5 | ||||
| -rw-r--r-- | sepolicy/init_shell.te | 1 | ||||
| -rw-r--r-- | sepolicy/installd.te | 1 | ||||
| -rw-r--r-- | sepolicy/keystore.te | 2 | ||||
| -rw-r--r-- | sepolicy/location.te | 3 | ||||
| -rw-r--r-- | sepolicy/mediaserver.te | 2 | ||||
| -rw-r--r-- | sepolicy/mm-qcamerad.te | 7 | ||||
| -rw-r--r-- | sepolicy/mmi_boot.te | 13 | ||||
| -rw-r--r-- | sepolicy/mpdecision.te | 3 | ||||
| -rw-r--r-- | sepolicy/msp430.te | 2 | ||||
| -rw-r--r-- | sepolicy/platform_app.te | 2 | ||||
| -rw-r--r-- | sepolicy/property.te | 3 | ||||
| -rw-r--r-- | sepolicy/property_contexts | 12 | ||||
| -rw-r--r-- | sepolicy/rmt_storage.te | 5 | ||||
| -rw-r--r-- | sepolicy/servicemanager.te | 3 | ||||
| -rw-r--r-- | sepolicy/system_app.te | 3 | ||||
| -rw-r--r-- | sepolicy/thermal-engine.te | 4 | ||||
| -rw-r--r-- | sepolicy/ueventd.te | 3 | ||||
| -rw-r--r-- | sepolicy/wcnss_service.te | 7 |
28 files changed, 141 insertions, 96 deletions
diff --git a/rootdir/Android.mk b/rootdir/Android.mk index 0c6f205..f47ce81 100644 --- a/rootdir/Android.mk +++ b/rootdir/Android.mk @@ -3,6 +3,13 @@ LOCAL_PATH:= $(call my-dir) # Configuration scripts include $(CLEAR_VARS) +LOCAL_MODULE := init.mmi.boot.sh +LOCAL_MODULE_TAGS := optional eng +LOCAL_MODULE_CLASS := ETC +LOCAL_SRC_FILES := etc/init.mmi.boot.sh +include $(BUILD_PREBUILT) + +include $(CLEAR_VARS) LOCAL_MODULE := init.qcom.bt.sh LOCAL_MODULE_TAGS := optional eng LOCAL_MODULE_CLASS := ETC @@ -34,14 +41,6 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) include $(BUILD_PREBUILT) include $(CLEAR_VARS) -LOCAL_MODULE := init.mmi.boot.sh -LOCAL_MODULE_TAGS := optional eng -LOCAL_MODULE_CLASS := ETC -LOCAL_SRC_FILES := etc/init.mmi.boot.sh -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) -include $(BUILD_PREBUILT) - -include $(CLEAR_VARS) LOCAL_MODULE := init.mmi.touch.sh LOCAL_MODULE_TAGS := optional eng LOCAL_MODULE_CLASS := ETC diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc index 75e8c59..30c9627 100644 --- a/rootdir/etc/init.qcom.rc +++ b/rootdir/etc/init.qcom.rc @@ -440,6 +440,7 @@ service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh class late_start user bluetooth group bluetooth net_bt_admin + seclabel u:r:bluetooth_loader:s0 disabled oneshot @@ -448,9 +449,10 @@ service irsc_util /system/bin/irsc_util "/etc/sec_config" user root oneshot -service mmi-boot-sh /system/bin/sh /init.mmi.boot.sh +service mmi-boot-sh /system/bin/sh /system/etc/init.mmi.boot.sh class core user root + seclabel u:r:mmi_boot:s0 oneshot service_redefine ril-daemon /system/bin/rild @@ -532,6 +534,7 @@ service wcnss_trigger /system/bin/sh /system/etc/init.qcom.wifi.sh ${ro.serialno class main user root group root + seclabel u:r:wcnss_service:s0 oneshot # WPA diff --git a/sepolicy/adspd.te b/sepolicy/adspd.te index 9a3a67b..5fed50e 100644 --- a/sepolicy/adspd.te +++ b/sepolicy/adspd.te @@ -2,13 +2,12 @@ type adspd, domain; type adspd_exec, exec_type, file_type; init_daemon_domain(adspd) -allow adspd adspd_device:chr_file { open read write ioctl }; +allow adspd adspd_device:chr_file rw_file_perms; +allow adspd adspd_data_file:dir rw_dir_perms; +allow adspd adspd_data_file:file create_file_perms; allow adspd input_device:dir search; -allow adspd input_device:chr_file { open read ioctl }; -allow adspd sysfs_adspd:file { open read write }; -allow adspd system_data_file:dir { search write add_name }; -allow adspd system_data_file:file { create open read write setattr }; +allow adspd input_device:chr_file rw_file_perms; +allow adspd sysfs_adspd:file rw_file_perms; -allow adspd adspd_prop:property_service set; -allow adspd ctl_default_prop:property_service set; -unix_socket_connect(adspd, property, init) +set_prop(adspd, adspd_prop) +set_prop(adspd, ctl_default_prop) diff --git a/sepolicy/atvc.te b/sepolicy/atvc.te index 3a55cf3..d4cd1c9 100644 --- a/sepolicy/atvc.te +++ b/sepolicy/atvc.te @@ -2,6 +2,5 @@ type atvc, domain; type atvc_exec, exec_type, file_type; init_daemon_domain(atvc) -allow atvc atvc_prop:property_service set; allow atvc pds_file:dir search; -unix_socket_connect(atvc, property, init) +set_prop(atvc, atvc_prop) diff --git a/sepolicy/batt_health.te b/sepolicy/batt_health.te index b11886d..04410d9 100644 --- a/sepolicy/batt_health.te +++ b/sepolicy/batt_health.te @@ -2,11 +2,11 @@ type batt_health, domain; type batt_health_exec, exec_type, file_type; init_daemon_domain(batt_health); -allow batt_health batt_health_data_file:dir { search write create add_name }; -allow batt_health batt_health_data_file:file { setattr open write append create }; -allow batt_health pds_file:dir { search write add_name }; -allow batt_health pds_file:file { open read write }; +allow batt_health batt_health_data_file:dir create_dir_perms; +allow batt_health batt_health_data_file:file create_file_perms; +allow batt_health pds_file:dir w_dir_perms; +allow batt_health pds_file:file rw_file_perms; allow batt_health self:capability { dac_override net_admin setuid chown fowner fsetid }; allow batt_health self:netlink_kobject_uevent_socket { create bind setopt read }; allow batt_health sysfs_batt_health:dir search; -allow batt_health sysfs_batt_health:file { open read write }; +allow batt_health sysfs_batt_health:file rw_file_perms; diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te new file mode 100644 index 0000000..e42a1bc --- /dev/null +++ b/sepolicy/bluetooth_loader.te @@ -0,0 +1,18 @@ +type bluetooth_loader, domain; +type bluetooth_loader_exec, exec_type, file_type; + +init_daemon_domain(bluetooth_loader) + +allow bluetooth_loader shell_exec:file { entrypoint read }; +allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans }; + +allow bluetooth_loader hci_attach_dev:chr_file rw_file_perms; +allow bluetooth_loader self:capability { dac_override dac_read_search chown }; +allow hci_attach bluetooth_loader:fd use; +allow hci_attach bluetooth_loader:fifo_file rw_file_perms; +allow hci_attach persist_bluetooth_file:file create_file_perms; +allow hci_attach persist_file:dir w_dir_perms; + +domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach) + +set_prop(bluetooth_loader, bluetooth_prop) diff --git a/sepolicy/file.te b/sepolicy/file.te index e6846f6..bfd3417 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -1,5 +1,7 @@ # ADSPD type adspd_device, dev_type; +type adspd_data_file, file_type, data_file_type; +type adspd_socket, file_type; type sysfs_adspd, fs_type, sysfs_type; # Battery health @@ -8,3 +10,6 @@ type sysfs_batt_health, fs_type, sysfs_type; # PDS type pds_file, file_type; + +# WiFi +type persist_wifi_file, file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index d14e75c..b482ea3 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -1,27 +1,19 @@ -# Binaries -/system/bin/adspd u:object_r:adspd_exec:s0 -/system/bin/batt_health u:object_r:batt_health_exec:s0 -/system/bin/bootmodem u:object_r:bootmodem_exec:s0 -/system/bin/dbvc_atvc_property_set u:object_r:atvc_exec:s0 -/system/bin/msp430 u:object_r:msp430_exec:s0 - -# Camera -/data/cam_socket([0-9])+ u:object_r:camera_socket:s0 -/dev/motcamera0 u:object_r:camera_device:s0 - -# GPS -/data/misc/gpsone_d(/.*)? u:object_r:location_data_file:s0 - -# JPEG engine -/dev/gemini.* u:object_r:camera_device:s0 - -# Motorola services -/data/power_supply_logger(/.*)? u:object_r:batt_health_data_file:s0 +# adspd +/data/adspd(/.*)? u:object_r:adspd_data_file:s0 +/dev/socket/adspdsock u:object_r:adspd_socket:s0 /dev/ttyHS3 u:object_r:adspd_device:s0 /sys/devices/801000.gpio/gpio/gpio15/value u:object_r:sysfs_adspd:s0 /sys/devices/801000.gpio/gpio/gpio65/edge u:object_r:sysfs_adspd:s0 /sys/devices/801000.gpio/gpio/gpio65/value u:object_r:sysfs_adspd:s0 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8xxx-gpio/gpio/gpio166/value u:object_r:sysfs_adspd:s0 +/system/bin/adspd u:object_r:adspd_exec:s0 + +# atvc +/system/bin/dbvc_atvc_property_set u:object_r:atvc_exec:s0 + +# batt_health +/system/bin/batt_health u:object_r:batt_health_exec:s0 +/data/power_supply_logger(/.*)? u:object_r:batt_health_data_file:s0 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger/force_chg_auto_enable u:object_r:sysfs_batt_health:s0 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger/force_chg_fail_clear u:object_r:sysfs_batt_health:s0 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger/force_chg_ibatt u:object_r:sysfs_batt_health:s0 @@ -32,26 +24,44 @@ /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger/pcb_temp u:object_r:sysfs_batt_health:s0 /sys/module/pm8921_bms/parameters(/.*)? u:object_r:sysfs_batt_health:s0 -# MPDecision -/data/system/default_values u:object_r:mpctl_data_file:s0 -/dev/socket/mpctl u:object_r:mpctl_socket:s0 -/dev/socket/mpdecision u:object_r:mpctl_socket:s0 +# Bluetooth +/dev/smd3 u:object_r:hci_attach_dev:s0 +/persist/.bt_nv.bin u:object_r:persist_bluetooth_file:s0 +/system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0 +/system/etc/init\.qcom\.bt\.sh u:object_r:bluetooth_loader_exec:s0 + +# bootmodem +/system/bin/bootmodem u:object_r:bootmodem_exec:s0 + +# Camera +/data/cam_socket([0-9])+ u:object_r:camera_socket:s0 +/dev/gemini.* u:object_r:camera_device:s0 +/dev/motcamera0 u:object_r:camera_device:s0 + +# msp430 +/system/bin/msp430 u:object_r:msp430_exec:s0 +/dev/msp430 u:object_r:sensors_device:s0 +/dev/msp430_as u:object_r:sensors_device:s0 +/dev/msp430_ms u:object_r:sensors_device:s0 + +# MMI +/system/etc/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0 # Partitions -/dev/block/mmcblk0p8 u:object_r:utags_block_device:s0 -/dev/block/mmcblk0p21 u:object_r:hob_block_device:s0 -/dev/block/mmcblk0p22 u:object_r:hob_block_device:s0 -/dev/block/mmcblk0p29 u:object_r:cid_block_device:s0 -/dev/block/mmcblk0p31 u:object_r:clogo_block_device:s0 +/dev/block/platform/msm_sdcc.1/by-name/cid u:object_r:cid_block_device:s0 +/dev/block/platform/msm_sdcc.1/by-name/clogo u:object_r:clogo_block_device:s0 +/dev/block/platform/msm_sdcc.1/by-name/dhob u:object_r:hob_block_device:s0 +/dev/block/platform/msm_sdcc.1/by-name/hob u:object_r:hob_block_device:s0 +/dev/block/platform/msm_sdcc.1/by-name/utags u:object_r:utags_block_device:s0 # PDS -/pds(/.*)? u:object_r:pds_file:s0 -/pds/camera(/.*)? u:object_r:camera_data_file:s0 +/pds(/.*)? u:object_r:pds_file:s0 +/pds/camera(/.*)? u:object_r:camera_data_file:s0 -# Ramdump -/dev/coredump_modem u:object_r:ramdump_device:s0 +# RIL +/dev/socket/cutback u:object_r:rild_socket:s0 +/system/etc/firmware/wlan(/.*)? u:object_r:wifi_data_file:s0 -# Sensors -/dev/msp430 u:object_r:sensors_device:s0 -/dev/msp430_as u:object_r:sensors_device:s0 -/dev/msp430_ms u:object_r:sensors_device:s0 +# WiFi +/persist/WCNSS_qcom_wlan.* u:object_r:persist_wifi_file:s0 +/system/etc/init\.qcom\.wifi\.sh u:object_r:wcnss_service_exec:s0 diff --git a/sepolicy/hw_revs.te b/sepolicy/hw_revs.te new file mode 100644 index 0000000..1f191df --- /dev/null +++ b/sepolicy/hw_revs.te @@ -0,0 +1,3 @@ +type hw_revs, domain; +type hw_revs_exec, exec_type, file_type; +init_daemon_domain(hw_revs) diff --git a/sepolicy/init.te b/sepolicy/init.te deleted file mode 100644 index 984d4d5..0000000 --- a/sepolicy/init.te +++ /dev/null @@ -1,5 +0,0 @@ -allow init cid_block_device:blk_file create_file_perms; -allow init clogo_block_device:blk_file create_file_perms; -allow init fuse:dir { create_dir_perms relabelfrom }; -allow init hob_block_device:blk_file create_file_perms; -allow init utags_block_device:blk_file create_file_perms; diff --git a/sepolicy/init_shell.te b/sepolicy/init_shell.te deleted file mode 100644 index d091c6d..0000000 --- a/sepolicy/init_shell.te +++ /dev/null @@ -1 +0,0 @@ -allow init_shell utags_block_device:blk_file { open read }; diff --git a/sepolicy/installd.te b/sepolicy/installd.te deleted file mode 100644 index 8663062..0000000 --- a/sepolicy/installd.te +++ /dev/null @@ -1 +0,0 @@ -allow installd fuse:dir search; diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te deleted file mode 100644 index c95ec02..0000000 --- a/sepolicy/keystore.te +++ /dev/null @@ -1,2 +0,0 @@ -allow keystore firmware_file:dir search; -allow keystore firmware_file:file { read getattr open }; diff --git a/sepolicy/location.te b/sepolicy/location.te deleted file mode 100644 index f749b36..0000000 --- a/sepolicy/location.te +++ /dev/null @@ -1,3 +0,0 @@ -allow location system_server:unix_stream_socket { read write }; -binder_call(location, system_server) -type_transition location system_data_file:file location_data_file; diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te index 0c2f6a4..ae9239a 100644 --- a/sepolicy/mediaserver.te +++ b/sepolicy/mediaserver.te @@ -1 +1 @@ -allow mediaserver shell_data_file:dir search; +allow mediaserver system_file:file execmod; # for libl6encgain and many others diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te index 89a771b..8345647 100644 --- a/sepolicy/mm-qcamerad.te +++ b/sepolicy/mm-qcamerad.te @@ -1,4 +1,5 @@ -allow mm-qcamerad graphics_device:dir search; -allow mm-qcamerad graphics_device:chr_file { open read write ioctl }; -allow mm-qcamerad system_server:unix_stream_socket read; +allow mm-qcamerad system_file:file execmod; # for libl6lencgain and many others +# WARNING: these sockets shouldn't be under /data +allow mm-qcamerad system_data_file:dir w_dir_perms; +allow mm-qcamerad system_data_file:sock_file unlink; type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket0"; diff --git a/sepolicy/mmi_boot.te b/sepolicy/mmi_boot.te new file mode 100644 index 0000000..cfee7ed --- /dev/null +++ b/sepolicy/mmi_boot.te @@ -0,0 +1,13 @@ +type mmi_boot, domain; +type mmi_boot_exec, exec_type, file_type; + +# Started by init +init_daemon_domain(mmi_boot) + +allow mmi_boot shell_exec:file { entrypoint read }; +allow mmi_boot mmi_boot_exec:file { getattr open execute_no_trans }; + +allow mmi_boot self:capability { dac_override sys_module }; +allow mmi_boot utags_block_device:blk_file r_file_perms; + +set_prop(mmi_boot, mmi_boot_prop) diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te index 3d32227..16204d2 100644 --- a/sepolicy/mpdecision.te +++ b/sepolicy/mpdecision.te @@ -1,3 +1,2 @@ -allow mpdecision system_data_file:dir { write add_name }; +file_type_auto_trans(mpdecision, system_data_file, mpctl_data_file) type_transition mpdecision socket_device:sock_file mpctl_socket; -type_transition mpdecision system_data_file:file mpctl_data_file; diff --git a/sepolicy/msp430.te b/sepolicy/msp430.te index 6084915..6dc6adf 100644 --- a/sepolicy/msp430.te +++ b/sepolicy/msp430.te @@ -2,4 +2,4 @@ type msp430, domain; type msp430_exec, exec_type, file_type; init_daemon_domain(msp430) -allow msp430 sensors_device:chr_file { open write ioctl }; +allow msp430 sensors_device:chr_file rw_file_perms; diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te index 0c45951..757015a 100644 --- a/sepolicy/platform_app.te +++ b/sepolicy/platform_app.te @@ -1,3 +1 @@ -allow platform_app location_data_file:dir { write remove_name search add_name }; -allow platform_app location_data_file:sock_file { create unlink setattr }; allow platform_app time_daemon:unix_stream_socket connectto; diff --git a/sepolicy/property.te b/sepolicy/property.te index fa3bc36..89f542b 100644 --- a/sepolicy/property.te +++ b/sepolicy/property.te @@ -1,3 +1,6 @@ +# MMI boot +type mmi_boot_prop, property_type; + # Motorola service properties type adspd_prop, property_type; type atvc_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index 81c8ac7..cc8552b 100644 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts @@ -1,4 +1,12 @@ -# Motorola service properties -hw.aov. u:object_r:adspd_prop:s0 +# Bluetooth +qualcomm.bt u:object_r:bluetooth_prop:s0 + +# MMI boot +hw.revision u:object_r:mmi_boot_prop:s0 +manufacturedate u:object_r:mmi_boot_prop:s0 +mot.iccid u:object_r:mmi_boot_prop:s0 +mot.cust_md5 u:object_r:mmi_boot_prop:s0 +# Motorola services +hw.aov. u:object_r:adspd_prop:s0 persist.atvc u:object_r:atvc_prop:s0 diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te index 64f49eb..b816ced 100644 --- a/sepolicy/rmt_storage.te +++ b/sepolicy/rmt_storage.te @@ -1,5 +1,2 @@ -typeattribute rmt_storage rmt_placeholder; allow rmt_storage firmware_file:dir search; -allow rmt_storage firmware_file:file { open read }; -allow rmt_storage kmem_device:chr_file { open read write }; -allow rmt_storage self:capability sys_rawio; +allow rmt_storage firmware_file:file r_file_perms; diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te deleted file mode 100644 index c394f19..0000000 --- a/sepolicy/servicemanager.te +++ /dev/null @@ -1,3 +0,0 @@ -allow servicemanager mm-qcamerad:dir search; -allow servicemanager mm-qcamerad:file { open read }; -allow servicemanager mm-qcamerad:process getattr; diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te index 78614ad..27c3408 100644 --- a/sepolicy/system_app.te +++ b/sepolicy/system_app.te @@ -1,2 +1 @@ -allow system_app sensors_device:chr_file { getattr open read write ioctl }; -allow system_app shell_data_file:dir search; +allow system_app sensors_device:chr_file rw_file_perms; diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te index e9b0429..d8c9c2c 100644 --- a/sepolicy/thermal-engine.te +++ b/sepolicy/thermal-engine.te @@ -1,3 +1 @@ -allow thermal-engine self:capability { chown net_admin }; -allow thermal-engine self:netlink_kobject_uevent_socket { read bind setopt }; -allow thermal-engine sysfs:file { open read write }; +allow thermal-engine self:capability { chown net_admin sys_nice }; diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te index b6e54e8..6f602b3 100644 --- a/sepolicy/ueventd.te +++ b/sepolicy/ueventd.te @@ -1 +1,2 @@ -allow ueventd persist_file:lnk_file read; +allow ueventd persist_wifi_file:file r_file_perms; +allow ueventd persist_wifi_file:lnk_file r_file_perms; diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te new file mode 100644 index 0000000..c7eee22 --- /dev/null +++ b/sepolicy/wcnss_service.te @@ -0,0 +1,7 @@ +allow wcnss_service shell_exec:file { entrypoint read }; +allow wcnss_service wcnss_service_exec:file { getattr open execute_no_trans }; + +allow wcnss_service persist_file:dir w_dir_perms; +allow wcnss_service persist_wifi_file:file r_file_perms; +allow wcnss_service persist_wifi_file:lnk_file create_file_perms; +type_transition wcnss_service persist_file:lnk_file persist_wifi_file; |