From 4518d68489b189118903728fbe8bdf6313176074 Mon Sep 17 00:00:00 2001
From: karthick111
Date: Sat, 22 Jul 2017 16:07:03 +0200
Subject: [PATCH] land: Initial sepolicy

---
 sepolicy/device.te | 2 ++
 sepolicy/file.te | 5 ++++
 sepolicy/file_contexts | 24 +++++++++++++++++++
 sepolicy/fingerprintd.te | 11 +++++++++
 sepolicy/fsck.te | 1 +
 sepolicy/gx_fpd.te | 49 ++++++++++++++++++++++++++++++++++++++
 sepolicy/netmgrd.te | 4 ++++
 sepolicy/qti_init_shell.te | 2 ++
 sepolicy/service.te | 1 +
 sepolicy/service_contexts | 1 +
 sepolicy/system_server.te | 1 +
 sepolicy/tee.te | 6 +++++
 sepolicy/ueventd.te | 1 +
 13 files changed, 108 insertions(+)
 create mode 100644 sepolicy/device.te
 create mode 100644 sepolicy/file.te
 create mode 100644 sepolicy/file_contexts
 create mode 100644 sepolicy/fingerprintd.te
 create mode 100644 sepolicy/fsck.te
 create mode 100644 sepolicy/gx_fpd.te
 create mode 100644 sepolicy/netmgrd.te
 create mode 100644 sepolicy/qti_init_shell.te
 create mode 100644 sepolicy/service.te
 create mode 100644 sepolicy/service_contexts
 create mode 100644 sepolicy/system_server.te
 create mode 100644 sepolicy/tee.te
 create mode 100644 sepolicy/ueventd.te

diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..8b4b5c2
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,2 @@
+type gx_fpd_device, dev_type;
+type lirc_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..abf3166
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,5 @@
+type fpc_data_file, file_type, data_file_type;
+type fpce_socket, file_type;
+type fpc_sysfs, fs_type, sysfs_type;
+type netmgrd_data_file, file_type;
+type gx_fpd_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..d1a584e
--- /dev/null
+++ b/sepolicy/file_contexts
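Review bot: `netmgrd_data_file` is declared with `file_type` only, while the other two /data types in this hunk (`fpc_data_file`, `gx_fpd_data_file`) also carry `data_file_type`; the file it labels lives under /data (the `/data/misc/netmgr/log\.txt` entry in file_contexts), so it should read `type netmgrd_data_file, file_type, data_file_type;`. Without the attribute, the generic rules and neverallows that AOSP keys on `data_file_type` do not cover this file. `fpce_socket` is declared here and assigned to `/dev/socket/fpce` in file_contexts, but no domain in this patch is granted access to it — the fpc rules in fingerprintd.te use `fpc_data_file:sock_file` instead; either reference the type from the domain that is presumably meant to use it, or drop it.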
@@ -0,0 +1,24 @@
+# Block devices
+/dev/block/bootdevice/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/bootdevice/by-name/userdata u:object_r:userdata_block_device:s0
+
+# Data files
+/data/misc/netmgr/log\.txt u:object_r:netmgrd_data_file:s0
+
+# Fpc Fingerprint
+/data/fpc(/.*)? u:object_r:fpc_data_file:s0
+/dev/socket/fpce(/.*)? u:object_r:fpce_socket:s0
+/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fpc_sysfs:s0
+
+# For Goodix fingerprint
+/dev/gf66xx-spi u:object_r:gx_fpd_device:s0
+/dev/ttyACM[0-9]* u:object_r:gx_fpd_device:s0
+/dev/goodix_fp* u:object_r:gx_fpd_device:s0
+/system/bin/gx_fpd u:object_r:gx_fpd_exec:s0
+
+# Goodix Fingerprint data
+/data/system/fingerprint(/.*)? u:object_r:gx_fpd_data_file:s0
+/persist/data/gxfp(/.*)? u:object_r:gx_fpd_data_file:s0
+
+# Ir
+/dev/lirc[0-9]* u:object_r:lirc_device:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
new file mode 100644
index 0000000..72b5aac
--- /dev/null
+++ b/sepolicy/fingerprintd.te
@@ -0,0 +1,11 @@
+allow fingerprintd gx_fpd:binder { transfer call };
+allow fingerprintd gx_fpd_service:service_manager find;
+allow fingerprintd fingerprint_service:service_manager find;
+allow fingerprintd fpc_sysfs:file rw_file_perms;
+allow fingerprintd fpc_sysfs:dir rw_dir_perms;
+allow fingerprintd tee_device:chr_file rw_file_perms;
+allow fingerprintd uhid_device:chr_file rw_file_perms;
+allow fingerprintd fpc_data_file:dir rw_dir_perms;
+allow fingerprintd fpc_data_file:sock_file create_file_perms;
+set_prop(fingerprintd, system_prop)
+r_dir_file(fingerprintd, firmware_file)
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..1500b5f
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/gx_fpd.te b/sepolicy/gx_fpd.te
new file mode 100644
index 0000000..fc20c07
--- /dev/null
+++ b/sepolicy/gx_fpd.te
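Review bot: `/dev/ttyACM[0-9]*` labels every USB CDC-ACM serial device the kernel enumerates as `gx_fpd_device`, so any domain granted that type (here `gx_fpd`, with `rw_file_perms`) gets read/write to arbitrary USB serial peripherals plugged into the phone, not just the fingerprint sensor. If the Goodix sensor on this board is reached through `/dev/gf66xx-spi` and `/dev/goodix_fp*`, the ttyACM line looks like a reference-BSP leftover and should be dropped, or narrowed to the one node it actually needs. Separately, file_contexts patterns are anchored regexes, so `/dev/goodix_fp*` matches `goodix_f` followed by zero or more `p`; if a glob-style prefix match was intended it should be `/dev/goodix_fp.*`. The `/sys/devices/soc/soc:fpc1020(/.*)?` entry only takes effect if init runs `restorecon_recursive` over that sysfs path — worth confirming the init.rc does.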
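Review bot: `set_prop(fingerprintd, system_prop)` lets fingerprintd write every property of type `system_prop` (the broad `sys.` namespace), far more than a fingerprint daemon needs, and gives a compromised daemon a lever on other components via property triggers; declare a dedicated type for the property it actually sets (a `fingerprint_prop` entry in property_contexts) and grant `set_prop(fingerprintd, fingerprint_prop)` instead. `allow fingerprintd uhid_device:chr_file rw_file_perms;` lets fingerprintd synthesize arbitrary HID input; if it exists only for a navigation-gesture feature, a comment saying so would make that reviewable, and it should be dropped otherwise. Note also that the fpc rules grant `fpc_data_file:dir` and `sock_file` access while nothing references the `fpce_socket` type that file_contexts assigns to `/dev/socket/fpce`; presumably one of the two is stale.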
@@ -0,0 +1,49 @@
+type gx_fpd, domain;
+type gx_fpd_exec, exec_type, file_type;
+
+# gx_fpd
+init_daemon_domain(gx_fpd)
+binder_use(gx_fpd)
+
+# need to find KeyStore and add self
+allow gx_fpd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow gx_fpd gx_fpd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow gx_fpd gx_fpd_data_file:dir create_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(gx_fpd)
+allow gx_fpd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(gx_fpd, system_server);
+allow gx_fpd permission_service:service_manager find;
+
+#Allow access to goodix device
+allow gx_fpd gx_fpd_device:chr_file rw_file_perms;
+
+#Allow access to tee device
+allow gx_fpd tee_device:chr_file rw_file_perms;
+
+# Allow access to ion device
+allow gx_fpd ion_device:chr_file rw_file_perms;
+
+#allow create socket
+allow gx_fpd self:socket create_socket_perms;
+allow gx_fpd self:{ netlink_socket netlink_generic_socket } create_socket_perms;
+
+#allow read/write property
+set_prop(gx_fpd, system_prop)
+
+allow gx_fpd gx_fpd_service:service_manager { add find };
+
+allow gx_fpd fingerprintd:binder { transfer call };
+allow gx_fpd fuse:dir search;
+allow gx_fpd fuse:file { getattr open append };
+allow gx_fpd self:capability dac_override;
+allow gx_fpd storage_file:dir search;
+allow gx_fpd storage_file:lnk_file read;
+r_dir_file(gx_fpd, firmware_file)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..e3d6d6e
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1,4 @@
+type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt";
+
+allow netmgrd self:capability dac_override;
+allow netmgrd netmgrd_data_file:file create_file_perms;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
new file mode 100644
index 0000000..2808a59
--- /dev/null
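Review bot: `allow gx_fpd self:capability dac_override;` together with the `fuse:file { getattr open append }` and `storage_file:dir search` rules at the end of the hunk lets the fingerprint daemon ignore file ownership entirely and append to files on user-writable external storage, which reads like debug logging rather than a functional requirement. dac_override is usually a workaround for wrong ownership on `/data/system/fingerprint` or `/persist/data/gxfp`; fix that with matching `mkdir … 0770 <uid> <gid>` lines in init.rc and the daemon's `user`/`group`, then drop the capability, and if the external-storage logging must stay for bring-up confine it to debug builds as below. Also, `allow gx_fpd fingerprintd_service:service_manager { add find };` lets gx_fpd register under fingerprintd's own service name, while the comment above it talks about KeyStore, which is not what the rule does; if gx_fpd is not meant to replace fingerprintd, `find` alone suffices — the `gx_fpd_service` rule further down already covers its own `goodix.fp` registration. `set_prop(gx_fpd, system_prop)` has the same over-breadth as in fingerprintd.te and deserves a dedicated property type.
```sepolicy
# … unchanged: type declarations, binder, keystore, device and property rules …

# Logging to external storage is for bring-up only; never ship it on user
# builds, and do not paper over data-dir ownership with dac_override.
userdebug_or_eng(`
  allow gx_fpd fuse:dir search;
  allow gx_fpd fuse:file { getattr open append };
  allow gx_fpd storage_file:dir search;
  allow gx_fpd storage_file:lnk_file read;
')
r_dir_file(gx_fpd, firmware_file)
```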
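Review bot: `allow netmgrd self:capability dac_override;` is granted process-wide so that netmgrd can create `log.txt`, but the capability disables DAC checks for everything the daemon touches, not just that one file. The cleaner fix is to label the directory rather than a single filename — `/data/misc/netmgr(/.*)? u:object_r:netmgrd_data_file:s0` in file_contexts plus `allow netmgrd netmgrd_data_file:dir rw_dir_perms;` — with the directory created under the daemon's uid/gid in init.rc, which makes both the `type_transition` and the capability unnecessary. Since this looks like bring-up logging, wrapping the rules in `userdebug_or_eng` would keep the log off user builds.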
+++ b/sepolicy/qti_init_shell.te
@@ -0,0 +1,2 @@
+allow qti_init_shell bluetooth_data_file:file r_file_perms;
+allow qti_init_shell bluetooth_loader_exec:file { read open };
diff --git a/sepolicy/service.te b/sepolicy/service.te
new file mode 100644
index 0000000..c6ad55b
--- /dev/null
+++ b/sepolicy/service.te
@@ -0,0 +1 @@
+type gx_fpd_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..eb3bd76
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1 @@
+goodix.fp u:object_r:gx_fpd_service:s0
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..9e71316
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1 @@
+allow system_server lirc_device:chr_file rw_file_perms;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..949da7b
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,6 @@
+# /data/goodix labeling
+type_transition tee system_data_file:{ dir file } gx_fpd_data_file;
+
+allow tee gx_fpd_data_file:dir create_dir_perms;
+allow tee gx_fpd_data_file:file create_file_perms;
+allow tee system_data_file:dir create_dir_perms;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..801be3d
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1 @@
+allow ueventd fpc_sysfs:file rw_file_perms;
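Review bot: `type_transition tee system_data_file:{ dir file } gx_fpd_data_file;` has no name component, so every directory or file `tee` creates anywhere under a `system_data_file` directory is labelled `gx_fpd_data_file`, and `allow tee system_data_file:dir create_dir_perms;` gives it create/remove/rename rights across all of /data's `system_data_file` directories, not just the `/data/goodix` the comment names. file_contexts in this patch has no entry for `/data/goodix`, so the transition is doing the labelling a context entry should do. Prefer `/data/goodix(/.*)? u:object_r:gx_fpd_data_file:s0` in file_contexts plus a `mkdir /data/goodix` with the right owner in init.rc, then keep only the two `gx_fpd_data_file` rules here and drop the transition and the `system_data_file` grant.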
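Review bot: `allow ueventd fpc_sysfs:file rw_file_perms;` grants ueventd open/read/write/ioctl on the fpc1020 sysfs nodes, but if the rule only exists to satisfy `chown`/`chmod` lines in ueventd.rc, `{ getattr setattr }` is what those operations need. Reserve `rw_file_perms` for the domain that actually writes the node — fingerprintd.te already grants it there. A one-line comment naming the ueventd.rc entry that produced the denial would make the intent checkable.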