From 765df75917ac3fe3da5d1dd092d8c33c0983f9d6 Mon Sep 17 00:00:00 2001 From: nailyk-fr Date: Fri, 28 Apr 2017 16:46:44 +0200 Subject: shinano-common: sepolicy: Solve encryption Change-Id: I078576ec339adcf935b47034f6c5faed429339f5 --- sepolicy/credmgrd.te | 10 +++++----- sepolicy/idd.te | 3 +++ sepolicy/keystore.te | 8 ++++++++ sepolicy/property.te | 3 +++ sepolicy/property_contexts | 10 ++++++++++ sepolicy/qseecomd.te | 29 +++++++++++++++++++++++++++++ sepolicy/vold.te | 7 +++++++ 7 files changed, 65 insertions(+), 5 deletions(-) create mode 100644 sepolicy/keystore.te create mode 100644 sepolicy/property.te create mode 100644 sepolicy/property_contexts create mode 100644 sepolicy/qseecomd.te create mode 100644 sepolicy/vold.te (limited to 'sepolicy') diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te index 929a2ab..662b76d 100644 --- a/sepolicy/credmgrd.te +++ b/sepolicy/credmgrd.te 
@@ -61,15 +61,15 @@ allow credmgrd ion_device:chr_file { ioctl open read };
 #============= credmgr init script ==============
 allow credmgrd cache_file:dir { add_name search };
-allow credmgrd cache_file:file { create getattr open read unlink write };
-allow credmgrd credmgrd_data_file:dir { getattr relabelto reparent rename rmdir search };
-allow credmgrd devpts:chr_file { getattr ioctl open read write };
+allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search };
+allow credmgrd credmgrd_data_file:file { append getattr open read unlink write };
+allow credmgrd credmgrd_prop:property_service set;
+allow credmgrd init:unix_stream_socket connectto;
 allow credmgrd property_socket:sock_file write;
 allow credmgrd shell_exec:file { getattr read };
-allow credmgrd system_data_file:dir { add_name remove_name write };
 allow credmgrd system_file:file execute_no_trans;
 allow credmgrd system_prop:property_service set;
-allow credmgrd system_data_file:dir { create relabelfrom setattr };
+allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name setattr write };
 #TODO: wrong labeled on dest socket?
 allow credmgrd init:unix_stream_socket connectto;
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index df2eb1c..6ec0b3c 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -30,3 +30,6 @@ allow iddd tmpfs:dir search;
 # Allow proc socket search
 allow iddd proc:file { getattr open read };
+# Allow idd to read ro.semc
+allow iddd ta_prop:file { getattr open read };
+
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
new file mode 100644
index 0000000..4857479
--- /dev/null
+++ b/sepolicy/keystore.te
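Review bot: The added `allow credmgrd init:unix_stream_socket connectto;` duplicates the rule that is still present two lines below the `#TODO: wrong labeled on dest socket?` comment, so the hunk now carries the same rule twice. Together with the existing `allow credmgrd property_socket:sock_file write;` and the new `allow credmgrd credmgrd_prop:property_service set;`, these are the hand-expanded form of `set_prop(credmgrd, credmgrd_prop)`; using the macro once and deleting both `connectto` lines keeps the property access in the conventional shape and resolves the TODO. The widened `system_data_file:dir { add_name create relabelfrom remove_name setattr write }` rule deserves a why-comment, because a daemon creating and relabeling entries directly under `system_data_file` is the kind of access platform neverallow rules tend to constrain; the `relabelfrom`/`relabelto` pair appears to be for creating its own data directory and relabeling it to `credmgrd_data_file`, which could be stated as `# first boot: creates its data dir under /data and relabels it to credmgrd_data_file -- confirm against the denial` if that is indeed the purpose.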
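Review bot: `allow iddd ta_prop:file { getattr open read };` spells out by hand what the `get_prop(iddd, ta_prop)` macro provides, and the same hand-written `{ getattr open read }` form recurs for `tee_prop` in the new keystore.te and vold.te hunks of this commit; the macro is the conventional way to grant property reads and keeps the rules uniform across files. The comment `# Allow idd to read ro.semc` matches the `ro.semc.` to `ta_prop` mapping added in property_contexts, which is helpful. The hunk also appends an empty line at the end of idd.te that can be dropped.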
@@ -0,0 +1,8 @@
+allow keystore tee_device:chr_file rw_file_perms;
+allow keystore firmware_file:file r_file_perms;
+allow keystore tee_prop:file { getattr open read };
+
+
+allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
+auditallow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
+
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..a9978eb
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,3 @@
+type timekeep_prop, property_type;
+type tee_prop, property_type;
+type ta_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..a6b2b29
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,10 @@
+
+sys.keymaster.loaded u:object_r:tee_prop:s0
+sys.listeners.registered u:object_r:tee_prop:s0
+persist.sys.timeadjust u:object_r:timekeep_prop:s0
+persist.service.bdroid.bdaddr u:object_r:bluetooth_prop:s0
+persist.tareset.notfirstboot u:object_r:ta_prop:s0
+sys.credmgrdready u:object_r:credmgrd_prop:s0
+ro.semc. u:object_r:ta_prop:s0
+ro.sony.color_id u:object_r:ta_prop:s0
+init.taimport u:object_r:ta_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
new file mode 100644
index 0000000..7e61f6d
--- /dev/null
+++ b/sepolicy/qseecomd.te
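Review bot: `auditallow vold keystore:keystore_key { get_state get insert delete exist list sign verify };` repeats the full permission set of the `allow` directly above it, which reads as a measurement step left in place: `auditallow` logs every use of those permissions and is normally removed once the audit output shows which of the eight are actually exercised, with the `allow` narrowed to that set. The vold rules are also placed in keystore.te even though this commit creates vold.te, where the subject-domain convention would put them, ideally with a why-comment such as `# encryption: key operations vold performs through keystore; narrow to the set seen in auditallow output`. The two blank lines between the keystore and vold rules could be reduced to one, and the trailing blank line dropped.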
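Review bot: `credmgrd_prop`, which property_contexts in this commit maps `sys.credmgrdready` to and credmgrd.te now grants `property_service set` on, is not declared alongside the three new `property_type` types here; if it is not already declared elsewhere (for example at the top of credmgrd.te, outside the visible hunk), the policy will fail to compile. Adding `type credmgrd_prop, property_type;` to this file would keep all of the device's property types in one place.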
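Review bot: `ta_prop` labels both the read-only `ro.semc.` and `ro.sony.color_id` properties and the writable `persist.tareset.notfirstboot` and `init.taimport` properties, so any domain later granted `set_prop(..., ta_prop)` can set every one of them even if it needs only one; giving the writable properties their own type keeps property writers least-privilege while readers such as iddd can still be granted both. The new file also starts with a blank line that can be dropped.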
@@ -0,0 +1,29 @@
+
+# tee starts as root, and drops privileges
+allow tee self:capability {
+ setuid
+ setgid
+};
+
+# Need to directly manipulate certain block devices
+# for anti-rollback protection
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# Allow tee to directly save and load fingerprint data
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
+
+# allow tee to load firmware images
+r_dir_file(tee, firmware_file)
+
+binder_use(tee)
+
+# Provide tee ability to access QMUXD/IPCRouter for QMI
+qmux_socket(tee);
+
+set_prop(tee, tee_prop)
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..e5b776e
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,7 @@
+allow vold diag_data_file:dir { read open ioctl };
+allow vold tee_prop:file { getattr open read };
+allow vold firmware_file:file { getattr open read };
+allow vold iddd_file:dir read;
+allow vold tee_device:unix_stream_socket connectto;
+allow vold tee_device:sock_file write;
+
-- cgit v1.2.3
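Review bot: `qmux_socket(tee);` carries a trailing semicolon while the other macro calls in this file (`r_dir_file(tee, firmware_file)`, `binder_use(tee)`, `set_prop(tee, tee_prop)`) do not; the macro expansion already terminates its rules, so the extra `;` is at best an empty statement and should be dropped for consistency. The file is new and grants `rw_file_perms` on `rpmb_device:blk_file` and `ssd_device:blk_file`, but neither type is declared in this commit, so they must already exist in device.te with matching file_contexts entries for these rules to be meaningful; worth confirming. Raw write access to the RPMB and ssd partitions is the strongest grant here and the two comments explain why, but the file is named qseecomd.te while every rule targets the `tee` domain, so a one-line header such as `# qseecomd runs in the tee domain` (assuming that is the process labelled tee) would help the next reader.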
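Review bot: `allow vold tee_device:unix_stream_socket connectto;` is unlikely to match any access: the target of `connectto` is the label of the listening socket, which is the domain of the process that created it rather than the socket file's type, so if qseecomd runs as `tee` the rule that resolves the denial would be `allow vold tee:unix_stream_socket connectto;` (the `tee_device:sock_file write` rule is consistent with a socket file labelled `tee_device` and can stay). Confirm against the original avc denial before changing it. `allow vold diag_data_file:dir { read open ioctl };` also deserves a why-comment, since vold touching diag data is unexpected for an encryption change, e.g. `# needed for <reason from denial -- fill in>`; and `firmware_file:file { getattr open read }` could be written `r_file_perms` as keystore.te does.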