From bda77e8b2f5266a03031a294af96876c4410ea6e Mon Sep 17 00:00:00 2001
From: tunturn <arbiter1000@gmail.com>
Date: Thu, 9 Mar 2017 12:36:22 +1100
Subject: sepolicy: changes for bluetooth denials

Change-Id: I2ca85cd2c555b74f8de63c05e1e6dd2cc292dac9
---
 sepolicy/file.te       |  4 ++++
 sepolicy/file_contexts |  3 ++-
 sepolicy/init.te       |  5 +++++
 sepolicy/te_macros     |  9 +++++++++
 sepolicy/uim.te        | 13 +++++++++++++
 5 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 sepolicy/init.te
 create mode 100644 sepolicy/te_macros
 create mode 100644 sepolicy/uim.te

(limited to 'sepolicy')

diff --git a/sepolicy/file.te b/sepolicy/file.te
index 3b612b6..da08fbe 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -6,3 +6,7 @@ type secd_data_file, file_type;
 
 # idd
 type iddd_file, file_type, data_file_type;
+
+# BRCM BT FM
+type brcm_ldisc_sysfs, sysfs_type, fs_type;
+type brcm_uim_exec, exec_type, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index f4f6c13..3c1a1d8 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -36,7 +36,8 @@
 
 /system/bin/wvkbd						u:object_r:wv_exec:s0
 
-
+# Bluetooth
+/system/bin/brcm-uim-sysfs                              u:object_r:brcm_uim_exec:s0
 
 ###########
 #credmgrd
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..dd6d281
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,5 @@
+#FM BCM
+allow init hci_attach_dev:chr_file rw_file_perms;
+allow init brcm_uim_exec:file { execute getattr read open };
+allow init brcm_ldisc_sysfs:lnk_file { read };
+allow init uim:process { siginh noatsecure transition rlimitinh };
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..136d928
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,9 @@
+# rw_dir_file(domain, type)
+# Allow the specified domain to read and write directories, files
+# and symbolic links of the specified type.
+define(`rw_dir_file', `
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:{ file lnk_file } rw_file_perms;
+')
+
+
diff --git a/sepolicy/uim.te b/sepolicy/uim.te
new file mode 100644
index 0000000..1a38892
--- /dev/null
+++ b/sepolicy/uim.te
@@ -0,0 +1,13 @@
+type uim, domain;
+
+rw_dir_file(uim, sysfs)
+rw_dir_file(uim, brcm_ldisc_sysfs)
+rw_dir_file(uim, bluetooth_data_file)
+rw_dir_file(uim, sysfs_bluetooth_writable)
+allow uim brcm_uim_exec:file { entrypoint getattr read execute };
+allow uim hci_attach_dev:chr_file { read write ioctl open };
+allow uim self:capability { net_admin dac_override };
+allow uim rootfs:lnk_file getattr;
+allow uim ta_data_file:dir search;
+allow uim bluetooth_prop:sock_file write;
+allow uim ta_data_file:file r_file_perms;
-- 
cgit v1.2.3