From b7127606f90e57d83068eff4cdbcae0a288d66c7 Mon Sep 17 00:00:00 2001
From: LuK1337
Date: Mon, 9 Sep 2019 21:49:32 +0200
Subject: [PATCH] sdm845-common: Make SELinux great again!

Change-Id: Id479e031b584b24f79377aa244add20903a42b02
---
 BoardConfigCommon.mk | 3 +++
 sepolicy/private/audioserver.te | 2 ++
 sepolicy/private/file.te | 3 +++
 sepolicy/private/file_contexts | 7 ++-----
 sepolicy/private/hal_fod_sdm845.te | 5 ++++-
 sepolicy/private/hal_light_sdm845.te | 2 +-
 sepolicy/private/hal_livedisplay_sdm845.te | 2 +-
 sepolicy/private/hal_touch_sdm845.te | 2 +-
 sepolicy/private/hal_trust_default.te | 2 +-
 sepolicy/private/init.te | 4 ++--
 sepolicy/private/tri-state-key.te | 2 +-
 sepolicy/private/vendor_init.te | 3 +++
 12 files changed, 24 insertions(+), 13 deletions(-)
 create mode 100644 sepolicy/private/audioserver.te

diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index cb014d4..1384f15 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -120,6 +120,9 @@ BOARD_ROOT_EXTRA_SYMLINKS := \
 # Telephony
 TARGET_PROVIDES_QTI_TELEPHONY_JAR := true
+# SELinux
+PRIVATE_EXCLUDE_BUILD_TEST := true
+
 # Sepolicy
 BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
diff --git a/sepolicy/private/audioserver.te b/sepolicy/private/audioserver.te
new file mode 100644
index 0000000..ca81465
--- /dev/null
+++ b/sepolicy/private/audioserver.te
@@ -0,0 +1,2 @@
+# Allow audioserver to read system_configs_file
+allow audioserver system_configs_file:file r_file_perms;
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
index 9d9f84e..68f8ec4 100644
--- a/sepolicy/private/file.te
+++ b/sepolicy/private/file.te
@@ -18,3 +18,6 @@ type sysfs_oem, sysfs_type, fs_type;
 # data
 type display_misc_file, file_type, data_file_type, core_data_file_type;
+
+# system
+type system_configs_file, system_file_type, file_type;
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 6f68e8d..a0d0e6a 100644
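Review bot: `PRIVATE_EXCLUDE_BUILD_TEST := true` under the new `# SELinux` comment appears to be the switch that skips the build-time sepolicy checks for this device's private policy, and nothing in the hunk records which check it silences or why. Those checks are what report the very defects the rest of this commit corrects (exec types lacking `system_file_type`, `/system` paths labeled `vendor_file`), so once the other hunks land the exclusion may no longer be needed, and leaving it in place hides future regressions of the same kind. Suggest building once without the line; if a check still fails, keep it but replace the bare `# SELinux` with a comment naming the failing test and the reason, e.g. `# SELinux: skip sepolicy build tests because <check> still fails on <path>`.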
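Review bot: The new `type system_configs_file, system_file_type, file_type;` is introduced with only `# system` above it, which tells a later maintainer neither what it labels nor why a dedicated type exists instead of plain `system_file`. The other hunks show it applied to `/system/etc/audio_policy_configuration.xml`, read by audioserver and mounted over by init, so suggest `# Platform config files that init mounts over at boot (e.g. audio_policy_configuration.xml); kept separate from system_file so the mounton grant stays narrow`.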
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -13,7 +13,7 @@
 /sys/devices/platform/soc/soc:goodix_fp/proximity_state u:object_r:sysfs_fpc_proximity:s0
 # Audio
-/system/etc/audio_policy_configuration.xml u:object_r:vendor_configs_file:s0
+/system/etc/audio_policy_configuration.xml u:object_r:system_configs_file:s0
 # HALs
 /system/bin/hw/android\.hardware\.light@2\.0-service\.oneplus_sdm845 u:object_r:hal_light_sdm845_exec:s0
@@ -23,10 +23,7 @@
 /system/bin/hw/lineage\.trust@1\.0-service u:object_r:hal_trust_default_exec:s0
 # Modules
-/system/lib/modules/wlan\.ko u:object_r:vendor_file:s0
-
-# Power HAL
-/system/lib64/hw/power\.qcom\.so u:object_r:vendor_file:s0
+/system/lib/modules/wlan\.ko u:object_r:system_file:s0
 # tri-state-key
 /system/bin/tri-state-key_daemon u:object_r:tri-state-key_daemon_exec:s0
diff --git a/sepolicy/private/hal_fod_sdm845.te b/sepolicy/private/hal_fod_sdm845.te
index 0fc5add..e16b36f 100644
--- a/sepolicy/private/hal_fod_sdm845.te
+++ b/sepolicy/private/hal_fod_sdm845.te
@@ -1,9 +1,12 @@
 type hal_fod_sdm845, coredomain, domain;
 hal_server_domain(hal_fod_sdm845, hal_lineage_fod)
-type hal_fod_sdm845_exec, exec_type, file_type;
+type hal_fod_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_fod_sdm845)
+# Allow access to the HALs
+hal_client_domain(hal_fod_sdm845, hal_fingerprint)
+
 # Allow binder communication with hal_display_default
 binder_call(hal_fod_sdm845, hal_display_default)
diff --git a/sepolicy/private/hal_light_sdm845.te b/sepolicy/private/hal_light_sdm845.te
index 361f687..9da5b6b 100644
--- a/sepolicy/private/hal_light_sdm845.te
+++ b/sepolicy/private/hal_light_sdm845.te
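Review bot: Relabeling `/system/lib/modules/wlan\.ko` to `system_file` in the second hunk gives the module the same label every unlisted file under /system already carries (assuming this tree keeps the platform default for `/system(/.*)?`), so the explicit entry adds nothing by itself, and it is what forces the broad `system_file:system module_load` grant to vendor_init and `system_file:file mounton` grant to init in the other hunks. A dedicated type keeps both permissions scoped to this one file: `type wlan_module_file, system_file_type, file_type;` in file.te and `/system/lib/modules/wlan\.ko u:object_r:wlan_module_file:s0` here. Dropping the `power.qcom.so` entry is consistent with the rest of the commit, which moves /system paths off vendor labels.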
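Review bot: `# Allow access to the HALs` above `hal_client_domain(hal_fod_sdm845, hal_fingerprint)` names neither which HAL nor why the FOD service needs to be a fingerprint-HAL client, and `hal_client_domain` grants the full client-side rule set (hwservice lookup plus binder in both directions, as the macro is normally defined) rather than a single permission. Replace the comment with the reason, e.g. `# FOD service talks to the fingerprint HAL (hwservice lookup + binder via hal_client_domain)`; if only a property or sysfs node is actually needed, a narrower rule would be preferable, which the hunk alone cannot settle.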
@@ -12,7 +12,7 @@ binder_call(hal_light_server, hal_light_client)
 add_hwservice(hal_light_server, hal_light_hwservice)
 allow hal_light_client hal_light_hwservice:hwservice_manager find;
-type hal_light_sdm845_exec, exec_type, file_type;
+type hal_light_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_light_sdm845)
 allow hal_light_sdm845 { sysfs_graphics sysfs_oem }:lnk_file read;
diff --git a/sepolicy/private/hal_livedisplay_sdm845.te b/sepolicy/private/hal_livedisplay_sdm845.te
index c0ce476..97201b1 100644
--- a/sepolicy/private/hal_livedisplay_sdm845.te
+++ b/sepolicy/private/hal_livedisplay_sdm845.te
@@ -1,7 +1,7 @@
 type hal_livedisplay_sdm845, coredomain, domain;
 hal_server_domain(hal_livedisplay_sdm845, hal_lineage_livedisplay)
-type hal_livedisplay_sdm845_exec, exec_type, file_type;
+type hal_livedisplay_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_livedisplay_sdm845)
 # Allow LiveDisplay to store files under /data/misc/display and access them
diff --git a/sepolicy/private/hal_touch_sdm845.te b/sepolicy/private/hal_touch_sdm845.te
index a66f9cc..95f3c6c 100644
--- a/sepolicy/private/hal_touch_sdm845.te
+++ b/sepolicy/private/hal_touch_sdm845.te
@@ -1,7 +1,7 @@
 type hal_touch_sdm845, coredomain, domain;
 hal_server_domain(hal_touch_sdm845, hal_lineage_touch)
-type hal_touch_sdm845_exec, exec_type, file_type;
+type hal_touch_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_touch_sdm845)
 # Allow access to gesture enable nodes
diff --git a/sepolicy/private/hal_trust_default.te b/sepolicy/private/hal_trust_default.te
index e5bcf90..3567ba3 100644
--- a/sepolicy/private/hal_trust_default.te
+++ b/sepolicy/private/hal_trust_default.te
@@ -1,5 +1,5 @@
 type hal_trust_default, coredomain, domain;
 hal_server_domain(hal_trust_default, hal_lineage_trust)
-type hal_trust_default_exec, exec_type, file_type;
+type hal_trust_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_trust_default)
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
index 03cbeab..ebae2dc 100644
--- a/sepolicy/private/init.te
+++ b/sepolicy/private/init.te
@@ -1,8 +1,8 @@
 # Allow init to mount wlan kernel module
-allow init vendor_file:file mounton;
+allow init { system_file vendor_file }:file mounton;
 # Allow init to mount vendor configs
-allow init vendor_configs_file:file mounton;
+allow init { system_configs_file vendor_configs_file }:file mounton;
 # Allow init to chown/chmod on pseudo files in /sys
 allow init {
diff --git a/sepolicy/private/tri-state-key.te b/sepolicy/private/tri-state-key.te
index 108c7ab..726d53a 100644
--- a/sepolicy/private/tri-state-key.te
+++ b/sepolicy/private/tri-state-key.te
@@ -1,5 +1,5 @@
 type tri-state-key_daemon, domain, coredomain;
-type tri-state-key_daemon_exec, exec_type, file_type;
+type tri-state-key_daemon_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(tri-state-key_daemon)
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
index 1305c24..a1db034 100644
--- a/sepolicy/private/vendor_init.te
+++ b/sepolicy/private/vendor_init.te
@@ -3,3 +3,6 @@ set_prop(vendor_init, public_vendor_default_prop)
 # Allow vendor_init to set vendor_camera_prop
 set_prop(vendor_init, vendor_camera_prop)
+
+# Allow vendor_init to load wlan kernel module
+allow vendor_init system_file:system module_load;
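Review bot: `allow init { system_file vendor_file }:file mounton;` lets init mount over any file labeled `system_file`, which by default is every file under /system, while the comment above it still says the rule exists only for the wlan kernel module; the second comment, `# Allow init to mount vendor configs`, is likewise stale now that `system_configs_file` is a platform-side label. Giving `wlan.ko` its own `system_file_type` type and granting `mounton` on that type instead of `system_file` keeps the rule to the one file init actually mounts over. At minimum the comments should say what is really granted, e.g. `# Allow init to mount the vendor wlan module over /system/lib/modules/wlan.ko` and `# Allow init to mount over platform and vendor audio config files`.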
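Review bot: `allow vendor_init system_file:system module_load;` authorizes vendor_init to load any `system_file`-labeled file as a kernel module, not just `wlan.ko` as the comment says; since `system_file` is the default label for /system, that is every binary and library there that has no more specific context. Scope it to a dedicated label for the module: `type wlan_module_file, system_file_type, file_type;` in file.te, `/system/lib/modules/wlan\.ko u:object_r:wlan_module_file:s0` in file_contexts, and `allow vendor_init wlan_module_file:system module_load;` here. The comment can then stay as written and actually match the grant.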