| author | c457 <android.c357@gmail.com> | 2017-01-24 00:53:23 -0600 |
|---|---|---|
| committer | c457 <android.c357@gmail.com> | 2017-01-31 23:11:35 -0600 |
| commit | 704d0a09fd8543a952bfe63870ff9f1b1a72e802 (patch) | |
| tree | dea9a8beed760ef0e639aa71414a104173534f14 | |
| parent | 94c73ecec3a03a96f539b20a5a028e74adc9e146 (diff) | |
ailsa_ii: Initial Sepolicy
| -rw-r--r-- | board/kernel.mk | 2 | ||||
| -rw-r--r-- | rootdir/etc/fstab.qcom | 4 | ||||
| -rwxr-xr-x | rootdir/etc/init.qcom.rc | 12 | ||||
| -rw-r--r-- | rootdir/etc/ueventd.qcom.rc | 2 | ||||
| -rw-r--r-- | sepolicy/device.te | 2 | ||||
| -rw-r--r-- | sepolicy/file.te | 3 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 9 | ||||
| -rw-r--r-- | sepolicy/fingerprintd.te | 12 | ||||
| -rw-r--r-- | sepolicy/genfs_contexts | 2 | ||||
| -rw-r--r-- | sepolicy/gx_fpd.te | 39 | ||||
| -rw-r--r-- | sepolicy/init.te | 1 | ||||
| -rw-r--r-- | sepolicy/per_mgr.te | 1 | ||||
| -rw-r--r-- | sepolicy/service.te | 1 | ||||
| -rw-r--r-- | sepolicy/service_contexts | 2 | ||||
| -rw-r--r-- | sepolicy/system_app.te | 2 | ||||
| -rw-r--r-- | sepolicy/system_server.te | 7 | ||||
| -rw-r--r-- | sepolicy/tee.te | 2 | ||||
| -rw-r--r-- | sepolicy/thermal-engine.te | 2 | ||||
| -rw-r--r-- | sepolicy/time_daemon.te | 2 | ||||
| -rw-r--r-- | sepolicy/ueventd.te | 1 | ||||
| -rw-r--r-- | sepolicy/vold.te | 1 |
21 files changed, 98 insertions, 11 deletions
diff --git a/board/kernel.mk b/board/kernel.mk
index e284963..16544b7 100644
--- a/board/kernel.mk
+++ b/board/kernel.mk
@@ -1,6 +1,6 @@
 # Kernel
 BOARD_KERNEL_BASE := 0x80000000
-BOARD_KERNEL_CMDLINE := androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff androidboot.selinux=permissive
+BOARD_KERNEL_CMDLINE := androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff
 BOARD_KERNEL_PAGESIZE := 4096
 BOARD_KERNEL_TAGS_OFFSET := 0x00000100
 BOARD_RAMDISK_OFFSET := 0x01000000
diff --git a/rootdir/etc/fstab.qcom b/rootdir/etc/fstab.qcom
index 1d04815..5650f14 100644
--- a/rootdir/etc/fstab.qcom
+++ b/rootdir/etc/fstab.qcom
@@ -15,8 +15,8 @@
 /dev/block/bootdevice/by-name/cache /cache ext4 nosuid,nodev,noatime,nodiratime,barrier=1 wait,check,formattable
 /dev/block/bootdevice/by-name/persist /persist ext4 nosuid,nodev,barrier=1 wait
 /dev/block/bootdevice/by-name/dsp /dsp ext4 ro,nosuid,nodev,barrier=1 wait
-/dev/block/bootdevice/by-name/modem /firmware vfat ro,shortname=lower,uid=1000,gid=1000,dmask=227,fmask=337 wait
-/dev/block/bootdevice/by-name/bluetooth /bt_firmware vfat ro,shortname=lower,uid=1002,gid=3002,dmask=222,fmask=333 wait
+/dev/block/bootdevice/by-name/modem /firmware vfat ro,shortname=lower,uid=1000,gid=1000,dmask=227,fmask=337,context=u:object_r:firmware_file:s0 wait
+/dev/block/bootdevice/by-name/bluetooth /bt_firmware vfat ro,shortname=lower,uid=1002,gid=3002,dmask=222,fmask=333,context=u:object_r:bt_firmware_file:s0 wait
 /dev/block/bootdevice/by-name/misc /misc emmc defaults defaults
 /dev/block/bootdevice/by-name/frp /frp emmc defaults defaults
diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc
index dc3a39e..e384e23 100755
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@@ -239,17 +239,13 @@ on boot
     # Set the default message loglevel to KERN_INFO
     write /proc/sys/kernel/printk "6 6 1 7"
 
-    # NFC
-    chmod 0660 /dev/pn548
-    chown nfc system /dev/pn548
-
     # Allow access to dload sysfs node
     chown root system /sys/kernel/dload/emmc_dload
     chmod 0660 /sys/kernel/dload/emmc_dload
 
     # Wake gesture and KeyDisabler
-    chown system system /proc/touchscreen/wake_gesture
-    chmod 0644 /proc/touchscreen/wake_gesture
+    chown system radio /proc/touchscreen/wake_gesture
+    chmod 0660 /proc/touchscreen/wake_gesture
     chown system system /sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input2/0dbutton
 
     # NDT weight port
@@ -360,11 +356,13 @@ service config_bt_addr /system/bin/bt_mac_writer -O
     class core
     user bluetooth
     group bluetooth radio
+    seclabel u:r:btnvtool_exec:s0
     oneshot
 
 service config_bluetooth /system/bin/sh /system/etc/init.qcom.bt.sh "onboot"
     class core
     user root
+    seclabel u:r:bluetooth_loader:s0
     oneshot
 
 service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
@@ -372,6 +370,7 @@ service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
     user bluetooth
     group bluetooth net_bt_admin
     disabled
+    seclabel u:r:bluetooth_loader:s0
     oneshot
 
 on property:bluetooth.hciattach=true
@@ -704,7 +703,6 @@ service hvdcp_opti /system/bin/hvdcp_opti
     group root
     writepid /dev/cpuset/system-background/tasks
 
-
 service gx_fpd /system/bin/gx_fpd
     class late_start
     user root
diff --git a/rootdir/etc/ueventd.qcom.rc b/rootdir/etc/ueventd.qcom.rc
index 88436bb..b66dadd 100644
--- a/rootdir/etc/ueventd.qcom.rc
+++ b/rootdir/etc/ueventd.qcom.rc
@@ -90,7 +90,7 @@
 /sys/devices/soc/600000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net/p2p0/queues/rx-* rps_cpus 0660 system system
 #nfc permissions
-/dev/nq-nci 0660 nfc nfc
+/dev/pn548 0660 nfc nfc
 # UIO devices
 /dev/uio0 0660 system system
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..26320a3
--- /dev/null
+++ b/sepolicy/device.te
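Review bot: The replacement `chown system radio /proc/touchscreen/wake_gesture` plus `chmod 0660` widens write access on the wake-gesture node to every process in the radio group, yet no hunk in this commit gives a radio SELinux domain any access to proc_touchscreen (only system_app, system_server and vold receive rules), so under enforcing the radio group bit either does nothing or a needed allow rule is missing. Name the consumer in the comment, e.g. `# Wake gesture and KeyDisabler (written by <service>; radio group needed because <reason>)`, and if no radio-uid process writes the node, keep `chown system system`. The `on boot` block these lines belong to starts before the hunk.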
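Review bot: `seclabel u:r:btnvtool_exec:s0` on config_bt_addr names a type with the `_exec` suffix, which elsewhere in this commit is the convention for executable file types (`type gx_fpd_exec, exec_type, file_type;` in gx_fpd.te), not for process domains; if btnvtool_exec is not declared as a domain, init will refuse to start the service once the kernel is enforcing, which this same commit turns on by dropping `androidboot.selinux=permissive`. The other two services in the hunk use `u:r:bluetooth_loader:s0`; confirm the intended domain for bt_mac_writer and either use that label or declare a matching `type btnvtool, domain;` with its own exec type. The config_bt_addr service definition starts before the hunk.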
@@ -0,0 +1,2 @@
+# Goodix fingerprint
+type gx_fpd_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..d09a18f
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,3 @@
+# Touchscreen
+type proc_touchscreen, fs_type;
+type gx_fpd_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..482694e
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,9 @@
+# NFC
+/dev/pn548 u:object_r:nfc_device:s0
+
+# Goodix fingerprint
+/dev/goodix_fp* u:object_r:gx_fpd_device:s0
+/system/bin/gx_fpd u:object_r:gx_fpd_exec:s0
+
+# Goodix Fingerprint data
+/data/system/fingerprint(/.*)? u:object_r:gx_fpd_data_file:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
new file mode 100644
index 0000000..60a1dd7
--- /dev/null
+++ b/sepolicy/fingerprintd.te
@@ -0,0 +1,12 @@
+binder_call(fingerprintd, gx_fpd);
+allow fingerprintd gx_fpd_service:service_manager find;
+
+# allow TEE
+allow fingerprintd tee_device:chr_file rw_file_perms;
+
+# allow log
+allow fingerprintd log_device:dir search;
+allow fingerprintd log_device:chr_file rw_file_perms;
+
+# allow writing fp_msg_type
+allow fingerprintd sysfs:file write;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..49c1338
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /gloved_finger_switch u:object_r:proc_touchscreen:s0
+genfscon proc /touchscreen u:object_r:proc_touchscreen:s0
diff --git a/sepolicy/gx_fpd.te b/sepolicy/gx_fpd.te
new file mode 100644
index 0000000..22b0aff
--- /dev/null
+++ b/sepolicy/gx_fpd.te
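Review bot: `allow fingerprintd sysfs:file write;` at the end of fingerprintd.te grants write on every sysfs node that still carries the generic sysfs label, far more than the single fp_msg_type node the comment above it describes. Label that node with a dedicated type in genfs_contexts, as this commit already does for /proc/touchscreen with proc_touchscreen, and narrow the rule to it: `type sysfs_fp_msg_type, fs_type, sysfs_type;` in file.te and `allow fingerprintd sysfs_fp_msg_type:file w_file_perms;` here. The sysfs path of fp_msg_type is not visible in this diff, so the genfscon line has to be filled in from the kernel's sysfs layout.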
@@ -0,0 +1,39 @@
+type gx_fpd, domain;
+type gx_fpd_exec, exec_type, file_type;
+
+# gx_fpd
+init_daemon_domain(gx_fpd)
+binder_use(gx_fpd)
+
+# callback to fingerprintd with binder
+binder_call(gx_fpd, fingerprintd)
+
+# need to find KeyStore and add self
+allow gx_fpd gx_fpd_service:service_manager { add find };
+allow gx_fpd self:capability { dac_override dac_read_search };
+
+# allow HAL module to read dir contents
+allow gx_fpd gx_fpd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow gx_fpd gx_fpd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(gx_fpd)
+allow gx_fpd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(gx_fpd, system_server);
+allow gx_fpd permission_service:service_manager find;
+
+# allow system_file
+allow gx_fpd system_file:file rx_file_perms;
+
+# allow TEE
+allow gx_fpd tee_device:chr_file rw_file_perms;
+
+# allow goodix to read write device
+allow gx_fpd gx_fpd_device:chr_file { read write ioctl open };
+
+# R dir perms for firmware dir
+r_dir_file(gx_fpd, firmware_file)
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..5e21037
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1 @@
+allow init debugfs:file write;
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
new file mode 100644
index 0000000..6d75682
--- /dev/null
+++ b/sepolicy/per_mgr.te
@@ -0,0 +1 @@
+allow per_mgr self:capability net_raw;
diff --git a/sepolicy/service.te b/sepolicy/service.te
new file mode 100644
index 0000000..46963c5
--- /dev/null
+++ b/sepolicy/service.te
@@ -0,0 +1 @@
+type gx_fpd_service, app_api_service, system_server_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..268b97a
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+# Goodix fingerprint
+goodix.fp u:object_r:gx_fpd_service:s0
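Review bot: `allow gx_fpd self:capability { dac_override dac_read_search };` sits under the comment `# need to find KeyStore and add self`, which describes the service_manager rule above it and says nothing about why a DAC bypass is needed. gx_fpd is started as root (the `user root` line of its service in init.qcom.rc earlier in this commit) and its only private paths are /data/system/fingerprint (gx_fpd_data_file, which the tee domain is also allowed to create) and the goodix device node, so the bypass most likely papers over an ownership or mode mismatch on that directory; that is better fixed by creating it with the right owner in the init.rc (`mkdir /data/system/fingerprint 0700 <owner> <group>`, with the uid the TEE side writes as, which is not visible here) and dropping both capabilities. If a bypass is genuinely required, document the exact path that needs it and keep only `dac_read_search`. As a matter of style, `binder_call(gx_fpd, system_server);` carries a trailing semicolon while `binder_call(gx_fpd, fingerprintd)` earlier in the same file does not; pick one form.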
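Review bot: `type gx_fpd_service, app_api_service, system_server_service, service_manager_type;` in service.te places the goodix.fp binder service in the app_api_service set, which in AOSP's app.te is the attribute every app domain may `find` through servicemanager, while the explicit find rules in this commit are only for fingerprintd and system_server. system_server_service likewise looks misapplied, since that attribute is for services system_server registers itself and goodix.fp is added by gx_fpd (`allow gx_fpd gx_fpd_service:service_manager { add find };`). Unless apps are meant to reach the vendor daemon directly, reduce it to `type gx_fpd_service, service_manager_type;` and rely on the explicit find rules, which keeps fingerprint traffic on the fingerprintd/keystore path.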
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..9ded414
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,2 @@
+allow system_app proc_touchscreen:dir search;
+allow system_app proc_touchscreen:file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..0101db9
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,7 @@
+allow system_server persist_file:dir { read write };
+allow system_server proc_touchscreen:dir search;
+allow system_server proc_touchscreen:file rw_file_perms;
+
+# Allow system server access to gx_fpd daemon
+binder_call(system_server, gx_fpd);
+allow system_server gx_fpd_service:service_manager find;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..03116f6
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,2 @@
+allow tee gx_fpd_data_file:dir create_dir_perms;
+allow tee gx_fpd_data_file:file create_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..1ec1135
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1,2 @@
+allow thermal-engine sysfs_batteryinfo:file r_file_perms;
+allow thermal-engine sysfs_kgsl:file r_file_perms;
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
new file mode 100644
index 0000000..f5327ba
--- /dev/null
+++ b/sepolicy/time_daemon.te
@@ -0,0 +1,2 @@
+allow time_daemon property_socket:sock_file write;
+allow time_daemon init:unix_stream_socket connectto;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..ea55aa4
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1 @@
+allow ueventd vfat:file { read open };
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..436c11d
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1 @@
+allow vold proc_touchscreen:dir r_dir_perms;
|
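Review bot: `allow system_server persist_file:dir { read write };` in system_server.te grants write on the top-level persist_file directory label without `add_name`/`remove_name` and without any file rule, so it can neither create entries under /persist nor read what is there; it looks like the first denial of a sequence was copied in rather than the access actually needed. Work out which /persist subtree system_server touches, give it a dedicated type in file_contexts, and grant the complete access on that type instead of on persist_file itself, which covers the whole partition. The path is not visible in this diff, so the label name has to come from the denial log.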
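Review bot: time_daemon.te grants the two halves of a property-service connection by hand (`property_socket:sock_file write` and `init:unix_stream_socket connectto`) but no `property_service set` permission on any property type, so a property set from time_daemon will still be denied once enforcing, just one step later. Replace both lines with `set_prop(time_daemon, <property type>)` naming the specific property type it writes; that macro expands to the socket connect plus the property_service rule, and it also keeps the usual review of which properties a daemon may set. The property in question is not visible in this diff.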
