sdm845-common: Make SELinux great again!

Change-Id: Id479e031b584b24f79377aa244add20903a42b02
2019-09-09 21:49:32 +02:00 · 2019-09-09 21:49:32 +02:00 · b7127606f9
commit b7127606f9
parent 1a7873d15d
12 changed files with 24 additions and 13 deletions
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@ -120,6 +120,9 @@ BOARD_ROOT_EXTRA_SYMLINKS := \
 # Telephony
 TARGET_PROVIDES_QTI_TELEPHONY_JAR := true

+# SELinux
+PRIVATE_EXCLUDE_BUILD_TEST := true
+
 # Sepolicy
 BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private

--- a/sepolicy/private/audioserver.te
+++ b/sepolicy/private/audioserver.te
@ -0,0 +1,2 @@
+# Allow audioserver to read system_configs_file
+allow audioserver system_configs_file:file r_file_perms;
--- a/sepolicy/private/file.te
+++ b/sepolicy/private/file.te
@ -18,3 +18,6 @@ type sysfs_oem, sysfs_type, fs_type;

 # data
 type display_misc_file, file_type, data_file_type, core_data_file_type;
+
+# system
+type system_configs_file, system_file_type, file_type;
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@ -13,7 +13,7 @@
 /sys/devices/platform/soc/soc:goodix_fp/proximity_state    u:object_r:sysfs_fpc_proximity:s0

 # Audio
-/system/etc/audio_policy_configuration.xml    u:object_r:vendor_configs_file:s0
+/system/etc/audio_policy_configuration.xml    u:object_r:system_configs_file:s0

 # HALs
 /system/bin/hw/android\.hardware\.light@2\.0-service\.oneplus_sdm845    u:object_r:hal_light_sdm845_exec:s0
@ -23,10 +23,7 @@
 /system/bin/hw/lineage\.trust@1\.0-service                    u:object_r:hal_trust_default_exec:s0

 # Modules
-/system/lib/modules/wlan\.ko    u:object_r:vendor_file:s0
-
-# Power HAL
-/system/lib64/hw/power\.qcom\.so    u:object_r:vendor_file:s0
+/system/lib/modules/wlan\.ko    u:object_r:system_file:s0

 # tri-state-key
 /system/bin/tri-state-key_daemon          u:object_r:tri-state-key_daemon_exec:s0
--- a/sepolicy/private/hal_fod_sdm845.te
+++ b/sepolicy/private/hal_fod_sdm845.te
@ -1,9 +1,12 @@
 type hal_fod_sdm845, coredomain, domain;
 hal_server_domain(hal_fod_sdm845, hal_lineage_fod)

-type hal_fod_sdm845_exec, exec_type, file_type;
+type hal_fod_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_fod_sdm845)

+# Allow access to the HALs
+hal_client_domain(hal_fod_sdm845, hal_fingerprint)
+
 # Allow binder communication with hal_display_default
 binder_call(hal_fod_sdm845, hal_display_default)

--- a/sepolicy/private/hal_light_sdm845.te
+++ b/sepolicy/private/hal_light_sdm845.te
@ -12,7 +12,7 @@ binder_call(hal_light_server, hal_light_client)
 add_hwservice(hal_light_server, hal_light_hwservice)
 allow hal_light_client hal_light_hwservice:hwservice_manager find;

-type hal_light_sdm845_exec, exec_type, file_type;
+type hal_light_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_light_sdm845)

 allow hal_light_sdm845 { sysfs_graphics sysfs_oem }:lnk_file read;
--- a/sepolicy/private/hal_livedisplay_sdm845.te
+++ b/sepolicy/private/hal_livedisplay_sdm845.te
@ -1,7 +1,7 @@
 type hal_livedisplay_sdm845, coredomain, domain;
 hal_server_domain(hal_livedisplay_sdm845, hal_lineage_livedisplay)

-type hal_livedisplay_sdm845_exec, exec_type, file_type;
+type hal_livedisplay_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_livedisplay_sdm845)

 # Allow LiveDisplay to store files under /data/misc/display and access them
--- a/sepolicy/private/hal_touch_sdm845.te
+++ b/sepolicy/private/hal_touch_sdm845.te
@ -1,7 +1,7 @@
 type hal_touch_sdm845, coredomain, domain;
 hal_server_domain(hal_touch_sdm845, hal_lineage_touch)

-type hal_touch_sdm845_exec, exec_type, file_type;
+type hal_touch_sdm845_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_touch_sdm845)

 # Allow access to gesture enable nodes
--- a/sepolicy/private/hal_trust_default.te
+++ b/sepolicy/private/hal_trust_default.te
@ -1,5 +1,5 @@
 type hal_trust_default, coredomain, domain;
 hal_server_domain(hal_trust_default, hal_lineage_trust)

-type hal_trust_default_exec, exec_type, file_type;
+type hal_trust_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_trust_default)
--- a/sepolicy/private/init.te
+++ b/sepolicy/private/init.te
@ -1,8 +1,8 @@
 # Allow init to mount wlan kernel module
-allow init vendor_file:file mounton;
+allow init { system_file vendor_file }:file mounton;

 # Allow init to mount vendor configs
-allow init vendor_configs_file:file mounton;
+allow init { system_configs_file vendor_configs_file }:file mounton;

 # Allow init to chown/chmod on pseudo files in /sys
 allow init {
--- a/sepolicy/private/tri-state-key.te
+++ b/sepolicy/private/tri-state-key.te
@ -1,5 +1,5 @@
 type tri-state-key_daemon, domain, coredomain;
-type tri-state-key_daemon_exec, exec_type, file_type;
+type tri-state-key_daemon_exec, system_file_type, exec_type, file_type;

 init_daemon_domain(tri-state-key_daemon)

--- a/sepolicy/private/vendor_init.te
+++ b/sepolicy/private/vendor_init.te
@ -3,3 +3,6 @@ set_prop(vendor_init, public_vendor_default_prop)

 # Allow vendor_init to set vendor_camera_prop
 set_prop(vendor_init, vendor_camera_prop)
+
+# Allow vendor_init to load wlan kernel module
+allow vendor_init system_file:system module_load;