authornailyk-fr <nailyk_git@nailyk.fr>2017-04-23 21:54:08 +0200
committernailyk-fr <nailyk_git@nailyk.fr>2017-05-01 22:33:56 +0200
commitb1eee63ebf2a4e7d34922d15a1028bbbdcca9016 (patch)
treeb3e4f18f9b93c32c080dc6b36b6bd1273b4cd8c8
parenteb1087d79581ee5dcc5b2a58cb819a24d1b7ee0a (diff)
shinano-common: sepolicy: Reorganise policies
* No policies added or removed, only moved between files to improve SELinux management. Change-Id: Ifa7cb9ce84f75c99f2d96dd0a71ced26f2580ba9
-rw-r--r--sepolicy/cameraserver.te (renamed from sepolicy/cameraserver_new.te)12
-rw-r--r--sepolicy/credmgrd.te36
-rw-r--r--sepolicy/file_contexts1
-rw-r--r--sepolicy/idd.te48
-rw-r--r--sepolicy/system_server.te5
-rw-r--r--sepolicy/workarounds.te46
6 files changed, 42 insertions, 106 deletions
diff --git a/sepolicy/cameraserver_new.te b/sepolicy/cameraserver.te
index 82196f2..fd886cf 100644
--- a/sepolicy/cameraserver_new.te
+++ b/sepolicy/cameraserver.te
@@ -1,18 +1,14 @@
+# TODO: useless now?
-
-allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
-allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
-allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
-allow mm-qcamerad system_prop:property_service set;
-
+#============= cameraserver ==============
allow cameraserver camera_data_file:unix_dgram_socket sendto;
allow cameraserver camera_data_file:unix_stream_socket connectto;
+allow cameraserver camera_device:chr_file { ioctl open read write };
allow cameraserver ion_device:chr_file { ioctl open read };
-#============= cameraserver ==============
-allow cameraserver camera_device:chr_file { ioctl open read write };
allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
allow cameraserver credmgrd:unix_stream_socket connectto;
allow cameraserver credmgrd_socket:sock_file write;
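Review bot: The description says no policies are removed, but this hunk deletes four mm-qcamerad rules (the camera_data_file sock_file, unix_dgram_socket and unix_stream_socket rules and the system_prop set) with no destination visible in the diff, and the same happens for the system_server rules in idd.te and system_server.te and for the init, qti_init_shell, mm-qcamerad, thermanager, scd, wv and mediaserver rules in workarounds.te (42 insertions against 106 deletions). Unless those rules already exist in files outside this diff, the affected domains lose access and the commit message should list the removals instead of claiming a pure move. The new `# TODO: useless now?` is left at the top of the file while the rules it presumably referred to are deleted in the same hunk, so it no longer says what is in question; either drop it or name the subject, e.g. `# TODO: mm-qcamerad camera_data_file socket rules dropped here; confirm camera still works without them`.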
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 9e9df9e..929a2ab 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -1,50 +1,47 @@
#credmgrd define
-type credmgrd, domain;
+type credmgrd, domain;
type credmgrd_exec, exec_type, file_type;
type credmgrd_data_file, file_type;
type credmgrd_socket, file_type;
-init_daemon_domain(credmgrd);
+init_daemon_domain(credmgrd);
#credmgrd self
allow credmgrd self:socket create_socket_perms;
allow credmgrd self:file rw_file_perms;
allow credmgrd self:dir rw_file_perms;
allow credmgrd self:fifo_file rw_file_perms;
-allow credmgrd credmgrd_data_file:file { getattr lock open read setattr write };
allow credmgrd cache_file:dir { remove_name write };
allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
-allow credmgrd credmgrd_data_file:file { create unlink };
+allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write };
#credmgdr tad
+allow credmgrd tad:unix_stream_socket connectto;
allow credmgrd tad_block_device:blk_file { read write ioctl open };
allow credmgrd tad_socket:unix_dgram_socket sendto;
allow credmgrd tad_socket:unix_stream_socket connectto;
-allow credmgrd tad:unix_stream_socket connectto;
allow credmgrd tad_socket:sock_file write;
#credmgrd camera server
allow credmgrd camera_socket:file { read write getattr open };
-allow credmgrd camera_socket:unix_stream_socket sendto;
-allow credmgrd camera_socket:unix_stream_socket connectto;
+allow credmgrd camera_socket:unix_stream_socket { connectto sendto };
#credmgrd mediaserver
allow mediaserver credmgrd:unix_stream_socket connectto;
#credmgrd mm-qcamera
allow credmgrd mm-qcamerad:file { read write getattr open };
-allow credmgrd mm-qcamerad:unix_stream_socket sendto;
-allow credmgrd mm-qcamerad:unix_stream_socket connectto;
+allow credmgrd mm-qcamerad:unix_stream_socket { connectto sendto };
#credmgrd qseecomd tee
allow credmgrd tee_device:chr_file rw_file_perms;
#credmgrd suntrold
+allow credmgrd suntrold:unix_stream_socket connectto;
allow credmgrd suntrold_sock_socket:dir search;
allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
allow credmgrd suntrold_sock_socket:sock_file write;
-allow credmgrd suntrold:unix_stream_socket connectto;
#credmgrd iddd
allow credmgrd iddd:unix_dgram_socket sendto;
@@ -61,22 +58,25 @@ allow credmgrd tmpfs:lnk_file read;
#credmgrd ion
allow credmgrd ion_device:chr_file { ioctl open read };
-#credmgrd files:
-#============= credmgrd ==============
-allow credmgrd cache_file:dir search;
#============= credmgr init script ==============
-allow credmgrd cache_file:dir add_name;
+allow credmgrd cache_file:dir { add_name search };
allow credmgrd cache_file:file { create getattr open read unlink write };
-allow credmgrd credmgrd_data_file:dir { getattr rename search };
+allow credmgrd credmgrd_data_file:dir { getattr relabelto reparent rename rmdir search };
allow credmgrd devpts:chr_file { getattr ioctl open read write };
-allow credmgrd init:unix_stream_socket connectto;
allow credmgrd property_socket:sock_file write;
allow credmgrd shell_exec:file { getattr read };
allow credmgrd system_data_file:dir { add_name remove_name write };
allow credmgrd system_file:file execute_no_trans;
allow credmgrd system_prop:property_service set;
-allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
-allow credmgrd credmgrd_data_file:dir { relabelto reparent rmdir };
allow credmgrd system_data_file:dir { create relabelfrom setattr };
+#TODO: wrong labeled on dest socket?
+allow credmgrd init:unix_stream_socket connectto;
+
+#TODO: remove
+allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
+type credmgr, domain;
+type credmgr_exec, exec_type, file_type;
+init_daemon_domain(credmgr);
+
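Review bot: The `#TODO: wrong labeled on dest socket?` above `allow credmgrd init:unix_stream_socket connectto;` looks misplaced: together with the `property_socket:sock_file write` and `system_prop:property_service set` rules kept above it, this is the ordinary property-set path, which the `set_prop(credmgrd, system_prop)` macro expresses in one line if this tree's te_macros provides it, so the three rules and the TODO could be replaced by that macro. The `#TODO: remove` block also ends with the `credmgr` domain declarations moved here from idd.te, and it is not clear whether the TODO covers them or only the toolbox_exec rule; a blank line or a second comment such as `# credmgr domain (moved from idd.te); no rules reference it yet` would separate the two. No rule in the hunk grants anything to the `credmgr` domain, so if it has no exec entry in file_contexts (only partially visible here) the declaration is dead weight.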
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 9f2d734..7c5353b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -41,6 +41,7 @@
/dev/socket/credmgr u:object_r:credmgrd_socket:s0
/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
/cache/CredentialManagerData u:object_r:credmgrd_data_file:s0
+/ta(/.*)? -- u:object_r:ta_data_file:s0
#cam_socket
/data/misc/camera(/.*) u:object_r:camera_data_file:s0
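Review bot: The new `/ta(/.*)? -- u:object_r:ta_data_file:s0` entry applies only to regular files because of the `--` file-type field, so the `/ta` directory and any subdirectories keep whatever earlier entry matches them; the `ta_data_file:dir` rules this commit deletes from workarounds.te suggest directory access was expected. If the whole tree should carry the label, drop the `--` (as the neighbouring `/data/credmgr(/.*)?` entry does) or add a separate directory entry. The entry also assumes `ta_data_file` is declared in a .te file outside this diff; none of the touched files declares it.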
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 1a59cc4..df2eb1c 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -1,46 +1,32 @@
-type iddd, domain;
+# iddd daemon
+type iddd, domain;
-type iddd_exec, exec_type, file_type;
+type iddd_exec, exec_type, file_type;
init_daemon_domain(iddd)
+type_transition iddd system_data_file:file iddd_file;
+
allow iddd self:socket create_socket_perms;
+allow iddd iddd_file:sock_file { create setattr unlink write };
+
allow iddd iddd_file:fifo_file rw_file_perms;
allow iddd iddd_file:file rw_file_perms;
-allow iddd iddd_file:dir rw_file_perms;
-allow iddd iddd_file:dir { add_name remove_name search };
allow iddd iddd_file:file { create rename unlink };
-allow iddd iddd_file:sock_file { create setattr unlink write };
-
-
-type_transition iddd system_data_file:file iddd_file;
-
-type credmgr, domain;
-type credmgr_exec, exec_type, file_type;
-init_daemon_domain(credmgr);
-
-
-type scd, domain;
-type scd_exec, exec_type, file_type;
-type scd_data, file_type;
-init_daemon_domain(scd)
+allow iddd iddd_file:dir rw_file_perms;
+allow iddd iddd_file:dir { add_name create remove_name search };
-type wv,domain;
-type wv_exec, exec_type, file_type;
-init_daemon_domain(wv)
+# TODO: label the right way / Allow context change
+allow iddd system_file:file execute_no_trans;
+allow iddd iddd_exec:file execute_no_trans;
-#iddd logd
+# Allow iddd send to logd
allow iddd logd:unix_stream_socket connectto;
allow iddd logdr_socket:sock_file write;
-#============= system_server ==============
-allow system_server credmgr_exec:dir search;
-allow system_server credmgr_exec:file { getattr open read };
-allow system_server iddd_exec:dir search;
-allow system_server iddd_exec:file { getattr open read };
+# Allow file system create (we use tmpfs now)
allow iddd tmpfs:lnk_file read;
-#============= iddd ==============
-allow iddd iddd_exec:file execute_no_trans;
-allow iddd iddd_file:dir create;
+allow iddd tmpfs:dir search;
+
+# Allow proc socket search
allow iddd proc:file { getattr open read };
-allow iddd tmpfs:dir search;
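Review bot: Two of the new section comments do not match the rule under them: `# Allow file system create (we use tmpfs now)` precedes `allow iddd tmpfs:lnk_file read;` and `# Allow proc socket search` precedes `allow iddd proc:file { getattr open read };`, neither of which creates anything or searches sockets; `# Read symlinks on tmpfs` and `# Read files under /proc` would describe what is actually granted. The directory rules `allow iddd iddd_file:dir rw_file_perms;` / `allow iddd iddd_file:dir { add_name create remove_name search };` apply the file macro to the dir class and then add the dir-specific permissions by hand; `allow iddd iddd_file:dir { create rw_dir_perms };` says the same in one line (it drops only lock and append, so keep the explicit list if locking the directory is needed). credmgrd.te keeps the same `self:dir rw_file_perms` pattern at its top, so whichever form is chosen should be used in both files.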
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
deleted file mode 100644
index f3fd273..0000000
--- a/sepolicy/system_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow system_server sysfs_vibrator:file rw_file_perms;
-
-r_dir_file(system_server, sysfs_addrsetup)
-
-allow system_server unlabeled:file unlink;
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 686d5cb..e425163 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -1,48 +1,6 @@
-#============= iddd ==============
-allow iddd system_file:file execute_no_trans;
-#============= init ==============
-allow init debugfs:file write;
-allow init tad_block_device:blk_file setattr;
-#============= qti_init_shell ==============
-allow qti_init_shell iddd_file:dir { getattr open read remove_name rmdir write };
-allow qti_init_shell tad:unix_stream_socket connectto;
-allow qti_init_shell tad_socket:sock_file write;
-allow qti_init_shell toolbox_exec:file entrypoint;
-
-#============= mm-qcamerad ==============
-allow mm-qcamerad camera_device:chr_file { ioctl open read write };
-allow mm-qcamerad ta_data_file:dir { getattr open read search };
-
-#============= thermanager ==============
-allow thermanager sysfs:file { open read };
-allow thermanager sysfs_battery_supply:dir search;
-allow thermanager sysfs_battery_supply:file { open read write };
-
-#============= scd ==============
-allow scd scd_data:dir { getattr search write add_name };
-allow scd scd_data:file { getattr open read write create };
-allow scd socket_device:dir { add_name remove_name write };
-allow scd socket_device:sock_file { create getattr setattr unlink write };
-allow scd sysfs:file { getattr open read };
-
-#============= wv ==============
-allow wv ion_device:chr_file { ioctl open read };
-allow wv suntrold:unix_stream_socket connectto;
-allow wv suntrold_sock_socket:dir search;
-allow wv suntrold_sock_socket:sock_file write;
-allow wv tad:unix_stream_socket connectto;
-allow wv tad_socket:sock_file write;
-allow wv tee_device:chr_file { ioctl open read write };
-
-#============= mediaserver ==============
-allow mediaserver sensorservice_service:service_manager find;
-allow mediaserver sysfs:file write;
-allow mediaserver sysfs_battery_supply:dir search;
-allow mediaserver sysfs_battery_supply:file { getattr open read };
-allow mediaserver ta_data_file:dir { getattr open read };
-
-#============= rmt_storage ==============
+#TODO: shouldnot exist
allow rmt_storage self:capability dac_override;
+
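Review bot: `#TODO: shouldnot exist` is now the only explanation for `allow rmt_storage self:capability dac_override;`, and it says neither why the capability is needed nor what would let it be removed; dac_override lets the domain bypass file ownership and mode checks, so the comment should record the access it is papering over, e.g. `# TODO: rmt_storage needs dac_override to reach <path-placeholder>; fix ownership/label and remove`. Also `shouldnot` should read `should not`.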