From b1eee63ebf2a4e7d34922d15a1028bbbdcca9016 Mon Sep 17 00:00:00 2001
From: nailyk-fr
Date: Sun, 23 Apr 2017 21:54:08 +0200
Subject: shinano-common: sepolicy: Reorganise policies

* No policies added or removed, only moved between files to improve se linux management.

Change-Id: Ifa7cb9ce84f75c99f2d96dd0a71ced26f2580ba9
---
 sepolicy/cameraserver.te | 14 +++++++++++++
 sepolicy/cameraserver_new.te | 18 ----------------
 sepolicy/credmgrd.te | 36 ++++++++++++++++-----------------
 sepolicy/file_contexts | 1 +
 sepolicy/idd.te | 48 ++++++++++++++++----------------------------
 sepolicy/system_server.te | 5 -----
 sepolicy/workarounds.te | 46 ++----------------------------------------
 7 files changed, 52 insertions(+), 116 deletions(-)
 create mode 100644 sepolicy/cameraserver.te
 delete mode 100644 sepolicy/cameraserver_new.te
 delete mode 100644 sepolicy/system_server.te
(limited to 'sepolicy')

diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..fd886cf
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,14 @@
+# TODO: useless now?
+
+#============= cameraserver ==============
+allow cameraserver camera_data_file:unix_dgram_socket sendto;
+allow cameraserver camera_data_file:unix_stream_socket connectto;
+allow cameraserver camera_device:chr_file { ioctl open read write };
+
+allow cameraserver ion_device:chr_file { ioctl open read };
+
+allow cameraserver mm-qcamerad:unix_stream_socket connectto;
+
+allow cameraserver credmgrd:unix_stream_socket connectto;
+allow cameraserver credmgrd_socket:sock_file write;
+
diff --git a/sepolicy/cameraserver_new.te b/sepolicy/cameraserver_new.te
deleted file mode 100644
index 82196f2..0000000
--- a/sepolicy/cameraserver_new.te
+++ /dev/null
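Review bot: The four `mm-qcamerad` rules that leave with cameraserver_new.te (`camera_data_file:sock_file rw_file_perms`, the `unix_dgram_socket sendto` / `unix_stream_socket connectto` pair and `system_prop:property_service set`) do not reappear in the new cameraserver.te nor in any other file of this diff, so the change is not the pure move the commit message describes unless those rules already exist in a file outside the seven touched here. The same gap applies to the scd and wv type declarations dropped from idd.te, the system_server rules dropped from idd.te and system_server.te, and the init, qti_init_shell, mm-qcamerad, thermanager, scd, wv and mediaserver rules dropped from workarounds.te; the diffstat (52 insertions against 116 deletions) already shows the asymmetry. Either the message should list which rules were removed on purpose and why, or the rules should land in the per-domain files they belong to. The `# TODO: useless now?` header also leaves a reader unable to decide whether cameraserver.te should stay; a comment on each rule group naming the denial it answers would make that decision possible later.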
@@ -1,18 +0,0 @@
-
-
-allow mm-qcamerad camera_data_file:sock_file rw_file_perms;
-allow mm-qcamerad camera_data_file:unix_dgram_socket sendto;
-allow mm-qcamerad camera_data_file:unix_stream_socket connectto;
-allow mm-qcamerad system_prop:property_service set;
-
-allow cameraserver camera_data_file:unix_dgram_socket sendto;
-allow cameraserver camera_data_file:unix_stream_socket connectto;
-
-allow cameraserver ion_device:chr_file { ioctl open read };
-
-#============= cameraserver ==============
-allow cameraserver camera_device:chr_file { ioctl open read write };
-allow cameraserver mm-qcamerad:unix_stream_socket connectto;
-allow cameraserver credmgrd:unix_stream_socket connectto;
-allow cameraserver credmgrd_socket:sock_file write;
-
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 9e9df9e..929a2ab 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -1,50 +1,47 @@
 #credmgrd define
-type credmgrd, domain;
+type credmgrd, domain;
 type credmgrd_exec, exec_type, file_type;
 type credmgrd_data_file, file_type;
 type credmgrd_socket, file_type;
-init_daemon_domain(credmgrd);
+init_daemon_domain(credmgrd);
 #credmgrd self
 allow credmgrd self:socket create_socket_perms;
 allow credmgrd self:file rw_file_perms;
 allow credmgrd self:dir rw_file_perms;
 allow credmgrd self:fifo_file rw_file_perms;
-allow credmgrd credmgrd_data_file:file { getattr lock open read setattr write };
 allow credmgrd cache_file:dir { remove_name write };
 allow credmgrd credmgrd_data_file:dir { add_name open read remove_name write };
-allow credmgrd credmgrd_data_file:file { create unlink };
+allow credmgrd credmgrd_data_file:file { create getattr lock open read setattr unlink write };
 #credmgdr tad
+allow credmgrd tad:unix_stream_socket connectto;
 allow credmgrd tad_block_device:blk_file { read write ioctl open };
 allow credmgrd tad_socket:unix_dgram_socket sendto;
 allow credmgrd tad_socket:unix_stream_socket connectto;
-allow credmgrd tad:unix_stream_socket connectto;
 allow credmgrd tad_socket:sock_file write;
 #credmgrd camera server
 allow credmgrd camera_socket:file { read write getattr open };
-allow credmgrd camera_socket:unix_stream_socket sendto;
-allow credmgrd camera_socket:unix_stream_socket connectto;
+allow credmgrd camera_socket:unix_stream_socket { connectto sendto };
 #credmgrd mediaserver
 allow mediaserver credmgrd:unix_stream_socket connectto;
 #credmgrd mm-qcamera
 allow credmgrd mm-qcamerad:file { read write getattr open };
-allow credmgrd mm-qcamerad:unix_stream_socket sendto;
-allow credmgrd mm-qcamerad:unix_stream_socket connectto;
+allow credmgrd mm-qcamerad:unix_stream_socket { connectto sendto };
 #credmgrd qseecomd tee
 allow credmgrd tee_device:chr_file rw_file_perms;
 #credmgrd suntrold
+allow credmgrd suntrold:unix_stream_socket connectto;
 allow credmgrd suntrold_sock_socket:dir search;
 allow credmgrd suntrold_sock_socket:unix_dgram_socket sendto;
 allow credmgrd suntrold_sock_socket:unix_stream_socket connectto;
 allow credmgrd suntrold_sock_socket:sock_file write;
-allow credmgrd suntrold:unix_stream_socket connectto;
 #credmgrd iddd
 allow credmgrd iddd:unix_dgram_socket sendto;
@@ -61,22 +58,25 @@ allow credmgrd tmpfs:lnk_file read;
 #credmgrd ion
 allow credmgrd ion_device:chr_file { ioctl open read };
-#credmgrd files:
-#============= credmgrd ==============
-allow credmgrd cache_file:dir search;
 #============= credmgr init script ==============
-allow credmgrd cache_file:dir add_name;
+allow credmgrd cache_file:dir { add_name search };
 allow credmgrd cache_file:file { create getattr open read unlink write };
-allow credmgrd credmgrd_data_file:dir { getattr rename search };
+allow credmgrd credmgrd_data_file:dir { getattr relabelto reparent rename rmdir search };
 allow credmgrd devpts:chr_file { getattr ioctl open read write };
-allow credmgrd init:unix_stream_socket connectto;
 allow credmgrd property_socket:sock_file write;
 allow credmgrd shell_exec:file { getattr read };
 allow credmgrd system_data_file:dir { add_name remove_name write };
 allow credmgrd system_file:file execute_no_trans;
 allow credmgrd system_prop:property_service set;
-allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
-allow credmgrd credmgrd_data_file:dir { relabelto reparent rmdir };
 allow credmgrd system_data_file:dir { create relabelfrom setattr };
+#TODO: wrong labeled on dest socket?
+allow credmgrd init:unix_stream_socket connectto;
+
+#TODO: remove
+allow credmgrd toolbox_exec:file { execute execute_no_trans getattr open read };
+type credmgr, domain;
+type credmgr_exec, exec_type, file_type;
+init_daemon_domain(credmgr);
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 9f2d734..7c5353b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
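Review bot: The `#TODO: wrong labeled on dest socket?` placed above `allow credmgrd init:unix_stream_socket connectto;` in the second hunk can be resolved rather than carried: that rule, `allow credmgrd property_socket:sock_file write;` and `allow credmgrd system_prop:property_service set;` are the three rules that the AOSP `set_prop(credmgrd, system_prop)` macro expands to (property sets go through init's property socket), so the destination label is the expected one. Replacing the three hand-written rules with `set_prop(credmgrd, system_prop)` would document the intent and drop the TODO. The `#TODO: remove` block keeps `toolbox_exec:file { execute execute_no_trans getattr open read }` next to `shell_exec:file { getattr read }` and `system_file:file execute_no_trans`, which means the init script's shell and toolbox run inside the credmgrd domain with its tad and tee device access; if it cannot go yet, the comment should name the script that needs it so the removal can be tracked. Finally, `type credmgr, domain;` and `type credmgrd, domain;` now sit in the same file as two distinct domains with near-identical names; a one-line comment on each saying which binary it labels would keep future rules from landing on the wrong one.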
@@ -41,6 +41,7 @@
 /dev/socket/credmgr u:object_r:credmgrd_socket:s0
 /data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
 /cache/CredentialManagerData u:object_r:credmgrd_data_file:s0
+/ta(/.*)? -- u:object_r:ta_data_file:s0
 #cam_socket
 /data/misc/camera(/.*) u:object_r:camera_data_file:s0
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 1a59cc4..df2eb1c 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
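Review bot: The new entry `/ta(/.*)? -- u:object_r:ta_data_file:s0` is an addition rather than a move, and its `--` qualifier restricts the match to regular files, so `/ta` itself and any subdirectory keep their fallback label; the `ta_data_file:dir` rules that mm-qcamerad and mediaserver had in workarounds.te (removed in this same commit) suggest the directory is what gets opened and searched. If directory access is the goal the entry should be `/ta(/.*)? u:object_r:ta_data_file:s0` without the qualifier, or a second entry with `-d` added for the directories. `ta_data_file` is not declared anywhere in this diff, so presumably `type ta_data_file, file_type;` already exists in another .te file — worth confirming, because the build-time file_contexts check rejects entries for unknown types.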
@@ -1,46 +1,32 @@
-type iddd, domain;
+# iddd daemon
+type iddd, domain;
-type iddd_exec, exec_type, file_type;
+type iddd_exec, exec_type, file_type;
 init_daemon_domain(iddd)
+type_transition iddd system_data_file:file iddd_file;
+
 allow iddd self:socket create_socket_perms;
+allow iddd iddd_file:sock_file { create setattr unlink write };
+
 allow iddd iddd_file:fifo_file rw_file_perms;
 allow iddd iddd_file:file rw_file_perms;
-allow iddd iddd_file:dir rw_file_perms;
-allow iddd iddd_file:dir { add_name remove_name search };
 allow iddd iddd_file:file { create rename unlink };
-allow iddd iddd_file:sock_file { create setattr unlink write };
-
-
-type_transition iddd system_data_file:file iddd_file;
-
-type credmgr, domain;
-type credmgr_exec, exec_type, file_type;
-init_daemon_domain(credmgr);
-
-
-type scd, domain;
-type scd_exec, exec_type, file_type;
-type scd_data, file_type;
-init_daemon_domain(scd)
+allow iddd iddd_file:dir rw_file_perms;
+allow iddd iddd_file:dir { add_name create remove_name search };
-type wv,domain;
-type wv_exec, exec_type, file_type;
-init_daemon_domain(wv)
+# TODO: label the right way / Allow context change
+allow iddd system_file:file execute_no_trans;
+allow iddd iddd_exec:file execute_no_trans;
-#iddd logd
+# Allow iddd send to logd
 allow iddd logd:unix_stream_socket connectto;
 allow iddd logdr_socket:sock_file write;
-#============= system_server ==============
-allow system_server credmgr_exec:dir search;
-allow system_server credmgr_exec:file { getattr open read };
-allow system_server iddd_exec:dir search;
-allow system_server iddd_exec:file { getattr open read };
+# Allow file system create (we use tmpfs now)
 allow iddd tmpfs:lnk_file read;
-#============= iddd ==============
-allow iddd iddd_exec:file execute_no_trans;
-allow iddd iddd_file:dir create;
+allow iddd tmpfs:dir search;
+
+# Allow proc socket search
 allow iddd proc:file { getattr open read };
-allow iddd tmpfs:dir search;
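Review bot: Two of the new comments do not describe the rule beneath them: `# Allow file system create (we use tmpfs now)` sits above `allow iddd tmpfs:lnk_file read;`, which only grants reading symlinks on tmpfs, and `# Allow proc socket search` sits above `allow iddd proc:file { getattr open read };`, which grants reading files under proc rather than a search. Suggested wording: `# tmpfs: read symlinks and search directories` over the two tmpfs rules and `# proc: read files` over the proc rule. The `type scd`, `scd_exec`, `scd_data` and `type wv`, `wv_exec` declarations with their `init_daemon_domain` calls are removed here and do not reappear in the diff, so those two domains cease to exist after this commit; any file_contexts entry or rule outside this diff that still names them will fail the policy build, and a binary that was labelled with them no longer transitions out of init. If dropping the domains is intended, the commit message should say so.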
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
deleted file mode 100644
index f3fd273..0000000
--- a/sepolicy/system_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow system_server sysfs_vibrator:file rw_file_perms;
-
-r_dir_file(system_server, sysfs_addrsetup)
-
-allow system_server unlabeled:file unlink;
diff --git a/sepolicy/workarounds.te b/sepolicy/workarounds.te
index 686d5cb..e425163 100644
--- a/sepolicy/workarounds.te
+++ b/sepolicy/workarounds.te
@@ -1,48 +1,6 @@
-#============= iddd ==============
-allow iddd system_file:file execute_no_trans;
-#============= init ==============
-allow init debugfs:file write;
-allow init tad_block_device:blk_file setattr;
-#============= qti_init_shell ==============
-allow qti_init_shell iddd_file:dir { getattr open read remove_name rmdir write };
-allow qti_init_shell tad:unix_stream_socket connectto;
-allow qti_init_shell tad_socket:sock_file write;
-allow qti_init_shell toolbox_exec:file entrypoint;
-
-#============= mm-qcamerad ==============
-allow mm-qcamerad camera_device:chr_file { ioctl open read write };
-allow mm-qcamerad ta_data_file:dir { getattr open read search };
-
-#============= thermanager ==============
-allow thermanager sysfs:file { open read };
-allow thermanager sysfs_battery_supply:dir search;
-allow thermanager sysfs_battery_supply:file { open read write };
-
-#============= scd ==============
-allow scd scd_data:dir { getattr search write add_name };
-allow scd scd_data:file { getattr open read write create };
-allow scd socket_device:dir { add_name remove_name write };
-allow scd socket_device:sock_file { create getattr setattr unlink write };
-allow scd sysfs:file { getattr open read };
-
-#============= wv ==============
-allow wv ion_device:chr_file { ioctl open read };
-allow wv suntrold:unix_stream_socket connectto;
-allow wv suntrold_sock_socket:dir search;
-allow wv suntrold_sock_socket:sock_file write;
-allow wv tad:unix_stream_socket connectto;
-allow wv tad_socket:sock_file write;
-allow wv tee_device:chr_file { ioctl open read write };
-
-#============= mediaserver ==============
-allow mediaserver sensorservice_service:service_manager find;
-allow mediaserver sysfs:file write;
-allow mediaserver sysfs_battery_supply:dir search;
-allow mediaserver sysfs_battery_supply:file { getattr open read };
-allow mediaserver ta_data_file:dir { getattr open read };
-
-#============= rmt_storage ==============
+#TODO: shouldnot exist
 allow rmt_storage self:capability dac_override;
+
-- cgit v1.2.3
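Review bot: `allow rmt_storage self:capability dac_override;` is kept with only `#TODO: shouldnot exist` above it; `dac_override` lets rmt_storage bypass the owner/group/mode checks on any file its SELinux rules already reach, so the comment should record the denial or path that forced it, which makes the permanent fix (a chown or relabel of that path) possible and the rule removable. Something like `# TODO: rmt_storage needs dac_override to open <path, fill in> owned by <uid, fill in>; fix ownership in the init script and drop this` with the real values filled in. Every other rule group in this file (init, qti_init_shell, mm-qcamerad, thermanager, scd, wv, mediaserver) is deleted here without reappearing elsewhere in the diff; see the note on cameraserver.te for the mismatch with the commit message.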