authorMax Weffers <rcstar6696@gmail.com>2017-03-11 08:56:58 +0100
committerMax Weffers <rcstar6696@gmail.com>2017-03-27 14:03:33 +0200
commit1fa56fba6819840189f19ffd8a3c71a0b81894c5 (patch)
tree6870e04e0ffc133de1e585d06d568a8f7194bd8a
parent4aa5e6740e18db03261d6710ed3d1deb18bd7354 (diff)
sepolicy: avoid macaddrsetup denials
Change-Id: I0e726ca654ac6758569b6c754461872dcc9e60c0
-rw-r--r--sepolicy/addrsetup.te18
-rw-r--r--sepolicy/file.te5
-rw-r--r--sepolicy/file_contexts4
-rw-r--r--sepolicy/system_server.te2
4 files changed, 24 insertions, 5 deletions
diff --git a/sepolicy/addrsetup.te b/sepolicy/addrsetup.te
new file mode 100644
index 0000000..773acef
--- /dev/null
+++ b/sepolicy/addrsetup.te
@@ -0,0 +1,18 @@
+type addrsetup, domain, domain_deprecated;
+type addrsetup_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(addrsetup)
+
+# Connect to /dev/socket/tad
+unix_socket_connect(addrsetup, tad, tad)
+
+allow addrsetup bluetooth_data_file:dir rw_dir_perms;
+allow addrsetup bluetooth_data_file:file create_file_perms;
+
+allow addrsetup sysfs_addrsetup:file rw_file_perms;
+
+allow addrsetup urandom_device:file read;
+allow addrsetup tad_socket:sock_file { write };
+
+
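Review bot: The new `addrsetup` domain is granted more than its comments justify. `domain_deprecated` on the `type` line pulls in the legacy broad-access rules that new domains are meant to do without, and `bluetooth_data_file:dir rw_dir_perms` with `bluetooth_data_file:file create_file_perms` lets the daemon create, rename and unlink any file in the Bluetooth data directory rather than the one address file it presumably writes. Consider dropping `domain_deprecated`, adding only the rules the logged denials call for, and giving the address file its own type instead of write access to all of `bluetooth_data_file`. Two rules also look ineffective or redundant: `allow addrsetup urandom_device:file read;` uses class `file` although /dev/urandom is a character device (`chr_file`), and `allow addrsetup tad_socket:sock_file { write };` repeats what `unix_socket_connect(addrsetup, tad, tad)` should already expand to. A comment above each `allow` naming the path and the reason, as the two macro lines have, would make the domain easier to audit.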
diff --git a/sepolicy/file.te b/sepolicy/file.te
index b8322b1..48c3b1f 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -7,7 +7,6 @@ type iddd_file, file_type, data_file_type;
type brcm_ldisc_sysfs, sysfs_type, fs_type;
type brcm_uim_exec, exec_type, file_type;
-# macaddrsetup
-type sysfs_wlanmac, fs_type, sysfs_type;
-
+# Macaddr
+type sysfs_addrsetup, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index f4ce42c..5bd984a 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -51,5 +51,5 @@
/dev/block/mmcblk0p1 u:object_r:tad_block_device:s0
# macaddrsetup
-/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_wlanmac:s0
-
+/system/bin/macaddrsetup u:object_r:addrsetup_exec:s0
+/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index fa2e40d..d499f98 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1 +1,3 @@
allow system_server sysfs_vibrator:file rw_file_perms;
+
+r_dir_file(system_server, sysfs_addrsetup)
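Review bot: `r_dir_file(system_server, sysfs_addrsetup)` grants directory and symlink read as well as file read, but the only object this commit labels `sysfs_addrsetup` is the single `macaddr` node in file_contexts, so the dir and lnk_file parts appear unused. `allow system_server sysfs_addrsetup:file r_file_perms;` would cover the same access with a smaller grant. The rule also carries no comment saying why system_server reads the WLAN MAC address node; a line such as `# Read WLAN MAC address from sysfs`, adjusted to the actual denial, would help later audits.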