From 00575eea94e4c78e7cce9514efe2de6f8e75b0c5 Mon Sep 17 00:00:00 2001
From: Nikhil Punathil
Date: Tue, 22 Aug 2017 00:36:59 +0530
Subject: shinano-common: move common sepolicy to msm8974-common

Change-Id: I270a673ac8c13dd192799e2513ec377919653458
Signed-off-by: Nikhil Punathil
---
 sepolicy/addrsetup.te | 20 ------------
 sepolicy/cameraserver.te | 14 ---------
 sepolicy/credmgrd.te | 77 ----------------------------------------------
 sepolicy/file.te | 6 ----
 sepolicy/file_contexts | 42 -------------------------
 sepolicy/idd.te | 37 ----------------------
 sepolicy/priv_app.te | 3 --
 sepolicy/property.te | 3 --
 sepolicy/property_contexts | 10 ------
 sepolicy/vold.te | 8 -----
 sepolicy/workarounds.te | 6 ----
 11 files changed, 226 deletions(-)
 delete mode 100644 sepolicy/addrsetup.te
 delete mode 100644 sepolicy/cameraserver.te
 delete mode 100644 sepolicy/credmgrd.te
 delete mode 100644 sepolicy/idd.te
 delete mode 100644 sepolicy/priv_app.te
 delete mode 100644 sepolicy/property.te
 delete mode 100644 sepolicy/property_contexts
 delete mode 100644 sepolicy/vold.te
 delete mode 100644 sepolicy/workarounds.te
(limited to 'sepolicy')

diff --git a/sepolicy/addrsetup.te b/sepolicy/addrsetup.te
deleted file mode 100644
index 805450c..0000000
--- a/sepolicy/addrsetup.te
+++ /dev/null
@@ -1,20 +0,0 @@
-type addrsetup, domain, domain_deprecated;
-type addrsetup_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(addrsetup)
-
-# Connect to /dev/socket/tad
-unix_socket_connect(addrsetup, tad, tad)
-
-allow addrsetup bluetooth_data_file:dir rw_dir_perms;
-allow addrsetup bluetooth_data_file:file create_file_perms;
-
-allow addrsetup self:capability dac_override;
-
-allow addrsetup sysfs_addrsetup:file rw_file_perms;
-
-allow addrsetup urandom_device:file read;
-allow addrsetup tad_socket:sock_file { write };
-
-
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
deleted file mode 100644
index fd886cf..0000000
--- a/sepolicy/cameraserver.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# TODO: useless now?
-
-#============= cameraserver ==============
-allow cameraserver camera_data_file:unix_dgram_socket sendto;
-allow cameraserver camera_data_file:unix_stream_socket connectto;
-allow cameraserver camera_device:chr_file { ioctl open read write };
-
-allow cameraserver ion_device:chr_file { ioctl open read };
-
-allow cameraserver mm-qcamerad:unix_stream_socket connectto;
-
-allow cameraserver credmgrd:unix_stream_socket connectto;
-allow cameraserver credmgrd_socket:sock_file write;
-
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
deleted file mode 100644
index d82ddac..0000000
--- a/sepolicy/credmgrd.te
+++ /dev/null
@@ -1,77 +0,0 @@
-#credmgrd define
-type credmgrd, domain;
-type credmgrd_exec, exec_type, file_type;
-type credmgrd_data_file, file_type;
-type credmgrd_socket, file_type;
-type credmgrd_prop, property_type;
-init_daemon_domain(credmgrd);
-
-#credmgrd self
-allow credmgrd self:socket create_socket_perms;
-allow credmgrd self:file rw_file_perms;
-allow credmgrd self:dir rw_file_perms;
-allow credmgrd self:fifo_file rw_file_perms;
-allow credmgrd cache_file:dir { remove_name write };
-allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
-allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write };
-
-#credmgdr tad
-allow credmgrd tad:unix_stream_socket connectto;
-allow credmgrd tad_block_device:blk_file { read write ioctl open };
-allow credmgrd tad_socket:unix_dgram_socket sendto;
-allow credmgrd tad_socket:unix_stream_socket connectto;
-allow credmgrd tad_socket:sock_file write;
-
-#credmgrd camera server
-allow credmgrd camera_socket:file { read write getattr open };
-allow credmgrd camera_socket:unix_stream_socket { connectto sendto };
-
-#credmgrd mediaserver
-allow mediaserver credmgrd:unix_stream_socket connectto;
-
-#credmgrd mm-qcamera
-allow credmgrd mm-qcamerad:file { read write getattr open };
-allow credmgrd mm-qcamerad:unix_stream_socket { connectto sendto };
-
-#credmgrd qseecomd tee
-allow credmgrd tee_device:chr_file rw_file_perms;
-
-#credmgrd suntrold
-allow credmgrd suntrold:unix_stream_socket connectto;
-allow credmgrd suntrold_sock_socket:dir search;
-allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
-allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
-allow credmgrd suntrold_sock_socket:sock_file write;
-
-#credmgrd iddd
-allow credmgrd iddd:unix_dgram_socket sendto;
-allow credmgrd iddd_file:dir search;
-allow credmgrd iddd_file:sock_file write;
-allow credmgrd iddd_file:unix_stream_socket connectto;
-allow credmgrd iddd_file:unix_dgram_socket sendto;
-allow credmgrd iddd_file:lnk_file { read };
-
-#/mnt/idd is tmpfs
-allow credmgrd tmpfs:dir search;
-allow credmgrd tmpfs:lnk_file read;
-
-#credmgrd ion
-allow credmgrd ion_device:chr_file { ioctl open read };
-
-#============= credmgr init script ==============
-allow credmgrd cache_file:dir { add_name search };
-allow credmgrd cache_file:file { create_file_perms };
-allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search };
-allow credmgrd credmgrd_data_file:file { append getattr open read unlink write };
-allow credmgrd credmgrd_prop:property_service set;
-allow credmgrd property_socket:sock_file write;
-allow credmgrd shell_exec:file { getattr read };
-allow credmgrd system_file:file execute_no_trans;
-allow credmgrd system_prop:property_service set;
-allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name setattr write };
-
-#TODO: wrong labeled on dest socket?
-allow credmgrd init:unix_stream_socket connectto;
-
-allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
-
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 48c3b1f..26a4973 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,12 +1,6 @@
 type sysfs_vibrator, fs_type, sysfs_type;
 
-# idd
-type iddd_file, file_type, data_file_type;
-
 # BRCM BT FM
 type brcm_ldisc_sysfs, sysfs_type, fs_type;
 type brcm_uim_exec, exec_type, file_type;
 
-# Macaddr
-type sysfs_addrsetup, fs_type, sysfs_type;
-
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 560f2b6..24fab9d 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -11,52 +11,10 @@
 # Hardware tunables
 /sys/devices/virtual/timed_output/vibrator/vtg_level -- u:object_r:sysfs_vibrator:s0
 
-# In Device Diagnostics (idd)
-/system/bin/iddd u:object_r:iddd_exec:s0
-/system/bin/idd-logreader u:object_r:iddd_exec:s0
-/idd(/.*)? u:object_r:iddd_file:s0
-/mnt/idd u:object_r:iddd_file:s0
-
 # HCI
 /dev/ttyHS0 u:object_r:hci_attach_dev:s0
 /dev/brcm_bt_drv u:object_r:hci_attach_dev:s0
 
-# Taimport
-/data/etc(/.*) u:object_r:ta_data_file:s0
-
-/system/bin/scd u:object_r:scd_exec:s0
-/data/scd u:object_r:scd_data:s0
-/data/scd(/.*) u:object_r:scd_data:s0
-/system/bin/scdnotifier u:object_r:scd_exec:s0
-
-/system/bin/wvkbd u:object_r:wv_exec:s0
-
 # Bluetooth
 /system/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
 
-###########
-#credmgrd
-/system/bin/credmgrd u:object_r:credmgrd_exec:s0
-/system/bin/credmgrfirstboot.sh u:object_r:credmgrd_exec:s0
-/dev/socket/credmgr u:object_r:credmgrd_socket:s0
-/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
-/cache/CredentialManagerData u:object_r:credmgrd_data_file:s0
-/cache/credmgr.log u:object_r:credmgrd_data_file:s0
-/ta(/.*)? -- u:object_r:ta_data_file:s0
-
-#cam_socket
-/data/misc/camera(/.*) u:object_r:camera_data_file:s0
-/dev/block/mmcblk0p1 u:object_r:tad_block_device:s0
-
-# macaddrsetup
-/system/bin/macaddrsetup u:object_r:addrsetup_exec:s0
-/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0
-
-#KGSL
-/sys/devices/fdb00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_thermal:s0
-/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk u:object_r:sysfs_thermal:s0
-/sys/devices(/soc\.0)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/reset_count u:object_r:sysfs_thermal:s0
-
-# ZRAM
-/sys/devices/virtual/block/zram0/mm_stat u:object_r:sysfs_zram:s0
-
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
deleted file mode 100644
index 1c068d7..0000000
--- a/sepolicy/idd.te
+++ /dev/null
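Review bot: The entries `/ta(/.*)? -- u:object_r:ta_data_file:s0`, `/dev/block/mmcblk0p1 u:object_r:tad_block_device:s0` and `/data/etc(/.*) u:object_r:ta_data_file:s0` are removed here while the types they reference are not dropped anywhere in this commit (file.te only loses iddd_file and sysfs_addrsetup), so whether those paths remain labeled now rests entirely on the msm8974-common file_contexts that this patch does not show. A lost file_contexts entry does not break the build: the path silently inherits its parent's generic label (presumably block_device and system_data_file here), which is a different and usually broader access set than the dedicated type, so the move is worth confirming against the merged file_contexts of a built image rather than the subject line alone. The same check applies to the sysfs_thermal and sysfs_zram entries removed at the end of the hunk.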
@@ -1,37 +0,0 @@
-# iddd daemon
-type iddd, domain;
-
-type iddd_exec, exec_type, file_type;
-init_daemon_domain(iddd)
-
-type_transition iddd system_data_file:file iddd_file;
-
-allow iddd self:socket create_socket_perms;
-allow iddd iddd_file:sock_file { create setattr unlink write };
-
-allow iddd iddd_file:fifo_file rw_file_perms;
-allow iddd iddd_file:file rw_file_perms;
-allow iddd iddd_file:file { create rename unlink };
-allow iddd iddd_file:dir rw_file_perms;
-allow iddd iddd_file:dir { add_name create remove_name search };
-
-# TODO: label the right way / Allow context change
-allow iddd system_file:file execute_no_trans;
-allow iddd iddd_exec:file execute_no_trans;
-
-# Allow iddd send to logd
-allow iddd logd:unix_stream_socket connectto;
-allow iddd logdr_socket:sock_file write;
-
-# Allow file system create (we use tmpfs now)
-allow iddd tmpfs:lnk_file read;
-allow iddd tmpfs:dir search;
-
-# Allow proc socket search
-allow iddd proc:file { getattr open read };
-
-# Allow idd to read ro.semc
-allow iddd ta_prop:file { getattr open read };
-
-# Allow reading via symlink
-allow iddd iddd_file:lnk_file { read };
\ No newline at end of file
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
deleted file mode 100644
index 9da0f51..0000000
--- a/sepolicy/priv_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow priv_app device:dir { open read getattr };
-allow priv_app cache_private_backup_file:dir { getattr setattr };
-allow vold cache_file:dir create;
diff --git a/sepolicy/property.te b/sepolicy/property.te
deleted file mode 100644
index a9978eb..0000000
--- a/sepolicy/property.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type timekeep_prop, property_type;
-type tee_prop, property_type;
-type ta_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
deleted file mode 100644
index a6b2b29..0000000
--- a/sepolicy/property_contexts
+++ /dev/null
@@ -1,10 +0,0 @@
-
-sys.keymaster.loaded u:object_r:tee_prop:s0
-sys.listeners.registered u:object_r:tee_prop:s0
-persist.sys.timeadjust u:object_r:timekeep_prop:s0
-persist.service.bdroid.bdaddr u:object_r:bluetooth_prop:s0
-persist.tareset.notfirstboot u:object_r:ta_prop:s0
-sys.credmgrdready u:object_r:credmgrd_prop:s0
-ro.semc. u:object_r:ta_prop:s0
-ro.sony.color_id u:object_r:ta_prop:s0
-init.taimport u:object_r:ta_prop:s0
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
deleted file mode 100644
index 0881f15..0000000
--- a/sepolicy/vold.te
+++ /dev/null
@@ -1,8 +0,0 @@
-allow vold diag_data_file:dir { read open ioctl };
-allow vold tee_prop:file { getattr open read };
-allow vold firmware_file:file { getattr open read };
-allow vold iddd_file:dir { open read ioctl };
-allow vold tee_device:unix_stream_socket connectto;
-allow vold tee_device:sock_file write;
-allow vold tee_device:unix_stream_socket connectto;
-allow vold tee_device:sock_file write;
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
deleted file mode 100644
index e425163..0000000
--- a/sepolicy/workarounds.te
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-#TODO: shouldnot exist
-allow rmt_storage self:capability dac_override;
-
-
--
cgit v1.2.3