Label files and address a bunch of selinux denials
authorHenrik Grimler <henrik@grimler.se>
Sun, 9 Aug 2020 16:20:18 +0000 (18:20 +0200)
committerJan Altensen <info@stricted.net>
Sun, 18 Oct 2020 09:48:31 +0000 (11:48 +0200)
31 files changed:
sepolicy/adbd.te [new file with mode: 0644]
sepolicy/bootanim.te [new file with mode: 0644]
sepolicy/crash_dump.te [new file with mode: 0644]
sepolicy/file.te [new file with mode: 0644]
sepolicy/file_contexts
sepolicy/genfs_contexts [new file with mode: 0644]
sepolicy/hal_audio_default.te [new file with mode: 0644]
sepolicy/hal_bluetooth_default.te [new file with mode: 0644]
sepolicy/hal_camera_default.te [new file with mode: 0644]
sepolicy/hal_gatekeeper_default.te [new file with mode: 0644]
sepolicy/hal_graphics_composer_default.te [new file with mode: 0644]
sepolicy/hal_health_default.te [new file with mode: 0644]
sepolicy/hal_keymaster_default.te [new file with mode: 0644]
sepolicy/hal_sensors_default.te [new file with mode: 0644]
sepolicy/init.te [new file with mode: 0644]
sepolicy/installd.te [new file with mode: 0644]
sepolicy/kernel.te [new file with mode: 0644]
sepolicy/mediacodec.te [new file with mode: 0644]
sepolicy/netd.te [new file with mode: 0644]
sepolicy/platform_app.te [new file with mode: 0644]
sepolicy/priv_app.te [new file with mode: 0644]
sepolicy/rild.te [new file with mode: 0644]
sepolicy/shell.te [new file with mode: 0644]
sepolicy/surfaceflinger.te [new file with mode: 0644]
sepolicy/system_app.te [new file with mode: 0644]
sepolicy/system_server.te [new file with mode: 0644]
sepolicy/toolbox.te [new file with mode: 0644]
sepolicy/untrusted_app.te [new file with mode: 0644]
sepolicy/untrusted_app_25.te [new file with mode: 0644]
sepolicy/untrusted_app_27.te [new file with mode: 0644]
sepolicy/zygote.te [new file with mode: 0644]

diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644 (file)
index 0000000..bb82320
--- /dev/null
@@ -0,0 +1 @@
+allow adbd proc_last_kmsg:file { getattr read };
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644 (file)
index 0000000..0aad1ec
--- /dev/null
@@ -0,0 +1 @@
+allow bootanim device:chr_file { getattr ioctl };
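Review bot: `allow bootanim device:chr_file { getattr ioctl }` on L50 grants ioctl on every node that still carries the catch-all `device` label, not only the one that produced the denial, and ioctl on an arbitrary driver is the kind of surface a policy should pin down. The denial log (the `path=`/`name=` field) names the node; the fix a reviewer would expect is a dedicated label in file_contexts, `/dev/<node> u:object_r:<node>_device:s0`, a `type <node>_device, dev_type;` in file.te, and then the allow against that type, ideally with an `allowxperm` ioctl whitelist. The same catch-all `device` type is granted to init, installd, kernel, netd, zygote and hal_keymaster_default elsewhere in this commit, so one round of labelling would close several of these at once.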
diff --git a/sepolicy/crash_dump.te b/sepolicy/crash_dump.te
new file mode 100644 (file)
index 0000000..b73ebbf
--- /dev/null
@@ -0,0 +1 @@
+allow crash_dump hwservicemanager_prop:file { getattr open };
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644 (file)
index 0000000..b73f830
--- /dev/null
@@ -0,0 +1,4 @@
+type batch_io_device, dev_type;
+
+# sysfs types
+type sysfs_graphics, fs_type, sysfs_type;
index 01e69212e6844ee18d8c352c21e0c4d9e42ee50c..480f580f8ab784fc5e7712347a0c28b1bae3b4a9 100644 (file)
@@ -1 +1,7 @@
 /cpefs(/.*)?             u:object_r:efs_file:s0
+/dev/mali0               u:object_r:gpu_device:s0
+/dev/umts_ipc0           u:object_r:radio_device:s0
+/dev/fimg2d              u:object_r:video_device:s0
+
+# Sensors
+/dev/batch_io            u:object_r:batch_io_device:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644 (file)
index 0000000..c961f81
--- /dev/null
@@ -0,0 +1,2 @@
+# LED
+genfscon sysfs /devices/virtual/sec/led/led_blink u:object_r:sysfs_graphics:s0
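Review bot: The LED node on L81 is labelled `sysfs_graphics`, but a type named "graphics" for `/sys/devices/virtual/sec/led/led_blink` is misleading to the next person extending the policy, and it means any future graphics rule written against that type also reaches the LED. A name that says what it covers, e.g. `genfscon sysfs /devices/virtual/sec/led/led_blink u:object_r:sysfs_led:s0`, with `type sysfs_led, fs_type, sysfs_type;` in file.te and the init rule adjusted to match, keeps the two concerns separable. The path must also be the one the kernel actually exposes; if the device tree differs from `/devices/virtual/...` the genfscon silently fails to apply and the node stays generic `sysfs`.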
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
new file mode 100644 (file)
index 0000000..8755bcd
--- /dev/null
@@ -0,0 +1,3 @@
+allow hal_audio_default efs_file:dir search;
+allow hal_audio_default efs_file:file { open read };
+allow hal_audio_default property_socket:sock_file write;
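Review bot: `allow hal_audio_default property_socket:sock_file write` on L89 is only half of a property set: without the `property_service set` permission on the specific property type, the HAL will connect to the socket and still be denied at init, and the raw socket rule hides which property the HAL is setting. The conventional form is the macro, `set_prop(hal_audio_default, <the_prop_type>)`, which grants both halves for one named property type and makes the intent reviewable; if the property is vendor-owned it should also be declared as such in property_contexts. The `efs_file` read rules on L87–L88 are fine as written, assuming the audio calibration really lives there.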
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644 (file)
index 0000000..c9ea2de
--- /dev/null
@@ -0,0 +1 @@
+allow hal_bluetooth_default efs_file:file { open read };
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644 (file)
index 0000000..c1adea5
--- /dev/null
@@ -0,0 +1 @@
+allow hal_camera_default vndbinder_device:chr_file read;
diff --git a/sepolicy/hal_gatekeeper_default.te b/sepolicy/hal_gatekeeper_default.te
new file mode 100644 (file)
index 0000000..c3ce50e
--- /dev/null
@@ -0,0 +1,2 @@
+allow hal_gatekeeper_default efs_file:file { open read };
+allow hal_gatekeeper_default tee_device:chr_file { open read write };
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644 (file)
index 0000000..0d67dbd
--- /dev/null
@@ -0,0 +1,8 @@
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { create read };
+allow hal_graphics_composer_default servicemanager:binder call;
+allow hal_graphics_composer_default sysfs:file read;
+allow hal_graphics_composer_default vendor_data_file:file append;
+allow hal_graphics_composer_default vndbinder_device:chr_file read;
+
+# /dev/fimg2d
+allow hal_graphics_composer_default video_device:chr_file ioctl;
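Review bot: `allow hal_graphics_composer_default servicemanager:binder call` on L115 lets a vendor HAL talk to the framework servicemanager, which is the path Treble is meant to forbid; the base policy's binder neverallows may only let this compile if the domain is listed as a known violator, and either way the composer should reach vendor services through vndbinder instead. The `vndbinder_device:chr_file read` on L118 looks like the start of that but the usual form is the `vndbinder_use(hal_graphics_composer_default)` macro, which grants the full set the driver needs. `vendor_data_file:file append` on L117 is a write to vendor data from the HWC and reads like a debug log that was left enabled; if it is, the cleaner change is to stop the write rather than allow it.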
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
new file mode 100644 (file)
index 0000000..64e4b19
--- /dev/null
@@ -0,0 +1 @@
+allow hal_health_default sysfs:file { getattr open read };
diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te
new file mode 100644 (file)
index 0000000..ce78258
--- /dev/null
@@ -0,0 +1 @@
+allow hal_keymaster_default device:chr_file ioctl;
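Review bot: `allow hal_keymaster_default device:chr_file ioctl` on L133 gives the keymaster HAL ioctl on any unlabelled node under /dev, when what it needs is presumably one TEE-facing driver. hal_gatekeeper_default is granted `tee_device` on L108 in the same commit, so it is plausible the keymaster node is the same driver and just lacks a file_contexts entry; labelling it `u:object_r:tee_device:s0` and changing this line to `allow hal_keymaster_default tee_device:chr_file rw_file_perms;` would keep the key-handling daemon confined to the driver it is supposed to use. Confirm the actual node from the denial before relabelling.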
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644 (file)
index 0000000..452fcde
--- /dev/null
@@ -0,0 +1,5 @@
+allow hal_sensors_default efs_file:dir search;
+allow hal_sensors_default sysfs:file { read write getattr open };
+
+# sensor_device
+allow hal_sensors_default sensor_device:chr_file rw_file_perms;
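Review bot: `allow hal_sensors_default sysfs:file { read write getattr open }` on L140 grants write on every sysfs node that still carries the generic `sysfs` label, which is far broader than the few sensor attributes the HAL actually toggles. The denial names the nodes; giving them a dedicated type through genfs_contexts, e.g. `genfscon sysfs /devices/<sensor path> u:object_r:sysfs_sensors:s0`, and allowing write only on that type limits what a compromised sensor HAL can change. The `sensor_device` rule on L143 is the right shape; it relies on `/dev/batch_io` being labelled `batch_io_device` in file_contexts, so check that `sensor_device` is the attribute that type actually joins, since file.te only declares it with `dev_type`.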
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644 (file)
index 0000000..ee399e9
--- /dev/null
@@ -0,0 +1,15 @@
+allow init device:chr_file ioctl;
+allow init rild:unix_stream_socket connectto;
+allow init self:netlink_kobject_uevent_socket { create setopt };
+allow init socket_device:sock_file create;
+allow init sysfs_devices_system_cpu:file write;
+allow init vendor_data_file:fifo_file write;
+allow init vendor_data_file:file append;
+allow init dnsproxyd_socket:sock_file write;
+allow init fwk_sensor_hwservice:hwservice_manager find;
+allow init hwservicemanager:binder call;
+allow init netd:unix_stream_socket connectto;
+allow init self:tcp_socket create;
+
+# LED
+allow init sysfs_graphics:file { open read write };
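Review bot: The rules on L150, L156, L159 and L160 (connect to rild and netd sockets, write to dnsproxyd_socket, create a tcp_socket) put network-client behaviour in the init domain, which is the most privileged domain on the device, and such denials almost always mean an init.rc `exec` or service is running without a `seclabel` or `init_daemon_domain` transition. The better fix is to find that program in the audit line (`comm=`), give it its own domain with `init_daemon_domain(<name>)` and an `exec` type in file_contexts, and move these allows there; widening init leaves the rules in place for everything init ever runs. `allow init device:chr_file ioctl` on L149 has the same catch-all problem as the other `device` rules in this commit, and `self:netlink_kobject_uevent_socket` on L151 is, as far as I recall, already granted to init by the base policy and may be redundant.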
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644 (file)
index 0000000..702e5ad
--- /dev/null
@@ -0,0 +1 @@
+allow installd device:file write;
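Review bot: `allow installd device:file write` on L169 is a write to a regular file (class `file`, not `chr_file`) that lives directly under /dev and has no label of its own; installd normally has no business writing under /dev, so this is worth tracing to a path before it is allowed. If it is a log or state file some vendor component drops in /dev, label it with its own type in file_contexts (e.g. `/dev/<file> u:object_r:<name>_file:s0`) and grant only that, or better, move the file out of /dev. netd (L188) and zygote (L287) get the same `device:file` write in this commit, which suggests a single shared file that one label would cover.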
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644 (file)
index 0000000..9f9de3a
--- /dev/null
@@ -0,0 +1,2 @@
+allow kernel device:dir write;
+allow kernel efs_file:file open;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644 (file)
index 0000000..0be4af4
--- /dev/null
@@ -0,0 +1 @@
+allow mediacodec sysfs:file { getattr open read };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644 (file)
index 0000000..5051d72
--- /dev/null
@@ -0,0 +1,3 @@
+allow netd device:file write;
+allow netd self:capability sys_module;
+allow netd init:tcp_socket { read write };
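Review bot: `allow netd self:capability sys_module` on L189 hands the network daemon CAP_SYS_MODULE, i.e. the ability to load arbitrary kernel code, which turns any netd compromise into a kernel compromise; the base policy intends module loading to stay with init and, if I recall the neverallows correctly, this may not even build against a current AOSP tree. The usual cause is iptables/ip6tables triggering autoload of a netfilter module; the fix is to build the module in or `insmod` it from init.rc, then drop this line or replace it with `dontaudit netd self:capability sys_module;` so the audit noise goes away without granting anything. `allow netd init:tcp_socket { read write }` on L190 together with init's `self:tcp_socket create` on L160 also points at some program running in init's domain and handing a socket to netd, which is better addressed by giving that program its own domain.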
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644 (file)
index 0000000..8a50549
--- /dev/null
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow platform_app gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644 (file)
index 0000000..9bd1bc6
--- /dev/null
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow priv_app gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644 (file)
index 0000000..b660636
--- /dev/null
@@ -0,0 +1,6 @@
+allow rild init:file read;
+allow rild proc_net:file write;
+allow rild vendor_data_file:file { getattr read write open };
+
+# /dev/umts_ipc0
+allow rild radio_device:chr_file ioctl;
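Review bot: `allow rild proc_net:file write` on L211 grants write on every file labelled `proc_net`, which in the base policy covers /proc/net and, I believe, /proc/sys/net as well, so the RIL daemon could flip any network sysctl; rild's actual need is normally one specific knob. Take the path from the denial, give it a dedicated type with a genfscon entry in genfs_contexts, and allow write only on that type, or use `dontaudit` if the write is not functionally required. `allow rild init:file read` on L210 is a read of a /proc/1 entry (the process's domain becomes the file type there) and is harmless but worth a comment naming which entry, e.g. `# /proc/1/cmdline` if that is what the log shows.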
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644 (file)
index 0000000..fe57529
--- /dev/null
@@ -0,0 +1 @@
+allow shell proc:file getattr;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644 (file)
index 0000000..c4dd4ad
--- /dev/null
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow surfaceflinger gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644 (file)
index 0000000..bfee089
--- /dev/null
@@ -0,0 +1,4 @@
+allow system_app proc_pagetypeinfo:file { getattr open read };
+
+# /dev/mali0
+allow system_app gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644 (file)
index 0000000..685cfce
--- /dev/null
@@ -0,0 +1,11 @@
+# /sys/kernel/debug/mali/mem
+# allow system_server debugfs:dir { open read };
+# allow system_server debugfs:file { open read };
+
+# /dev/mali0
+allow system_server gpu_device:chr_file { ioctl read write };
+
+# memtrack HAL
+allow system_server debugfs:dir r_dir_perms;
+allow system_server debugfs_mali:dir r_dir_perms;
+allow system_server debugfs_mali:file r_file_perms;
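Review bot: The commented-out rules on L244–L245 are dead policy and should be deleted rather than kept; the live rules on L251–L253 already express the intent and the `# /sys/kernel/debug/mali/mem` comment can move above them. `allow system_server debugfs:dir r_dir_perms` on L251 grants listing of the whole debugfs root, which the base policy increasingly restricts on user builds; if `debugfs_mali` is a separate type mounted under its own path, the generic `debugfs:dir` search may be all that is needed (`allow system_server debugfs:dir search;`). `debugfs_mali` is not declared in this commit, so it is presumably defined elsewhere in the vendor policy — confirm, or the build will fail on an undefined type.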
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
new file mode 100644 (file)
index 0000000..57dec0a
--- /dev/null
@@ -0,0 +1 @@
+allow toolbox ram_device:blk_file { open read write };
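Review bot: `allow toolbox ram_device:blk_file { open read write }` on L259 lets anything executing in the toolbox domain read and write raw RAM block devices, which is a lot of access for a denial that is almost certainly a single `dd`/`write` line in an init.rc script; confirm which command triggered it and whether the whole operation could run in a dedicated domain instead. If the write is genuinely required, narrow to the specific node by labelling it rather than granting all of `ram_device`. The file also lacks a trailing newline (L260), which will produce a noisy diff the next time a line is added; end the file with a newline.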
\ No newline at end of file
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644 (file)
index 0000000..71b786b
--- /dev/null
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow untrusted_app gpu_device:chr_file { ioctl open read write };
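Review bot: The four app-domain rules for `/dev/mali0` (L197, L204, L237, L267, and L274/L281) grant four different permission sets for the same device, which cannot all be right; `untrusted_app` gets `open` here while `untrusted_app_25` gets only `ioctl`, so some of those domains will simply hit the next denial. If I recall the base policy correctly, `appdomain` is already granted `gpu_device:chr_file rw_file_perms`, so once `/dev/mali0` is labelled `gpu_device` in file_contexts these per-domain rules are probably redundant and can be dropped after checking with `sesearch -A -s untrusted_app -t gpu_device`. If they are kept, use the one consistent form `allow <domain> gpu_device:chr_file rw_file_perms;` in each file rather than hand-picked subsets.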
diff --git a/sepolicy/untrusted_app_25.te b/sepolicy/untrusted_app_25.te
new file mode 100644 (file)
index 0000000..89c5763
--- /dev/null
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow untrusted_app_25 gpu_device:chr_file ioctl;
diff --git a/sepolicy/untrusted_app_27.te b/sepolicy/untrusted_app_27.te
new file mode 100644 (file)
index 0000000..037e6c6
--- /dev/null
@@ -0,0 +1,2 @@
+# /dev/mali0
+allow untrusted_app_27 gpu_device:chr_file { ioctl read write };
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644 (file)
index 0000000..25ee73f
--- /dev/null
@@ -0,0 +1 @@
+allow zygote device:file { open write };