author | Nick Kralevich <nnk@google.com> | 2015-04-02 00:28:10 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2015-04-02 00:28:11 +0000 |
commit | 1cab44f7733b363bd0be876ba405efaf2db9cc22 (patch) | |
tree | 431df5242727e164ac2ffae663a57da90d11b977 | |
parent | 37a03a81608d081bd1789b91edb9f4b5e4c2c090 (diff) | |
parent | fd5858343999e25493d1d1f5240f7413f63f794e (diff) | |
download | flo-1cab44f7733b363bd0be876ba405efaf2db9cc22.tar.gz |
Merge "flo: updates for SELinux"
-rw-r--r-- | device-common.mk | 6 | ||||
-rw-r--r-- | init.flo.rc | 14 | ||||
-rw-r--r-- | sepolicy/bluetooth_loader.te | 12 | ||||
-rw-r--r-- | sepolicy/conn_init.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 4 | ||||
-rw-r--r-- | sepolicy/kickstart.te | 7 |
6 files changed, 18 insertions, 27 deletions
diff --git a/device-common.mk b/device-common.mk
index a9e3c89..841b067 100644
--- a/device-common.mk
+++ b/device-common.mk
@@ -60,7 +60,7 @@ PRODUCT_COPY_FILES += \
 device/asus/flo/WCNSS_qcom_cfg.ini:system/etc/wifi/WCNSS_qcom_cfg.ini \
 device/asus/flo/WCNSS_qcom_wlan_nv_flo.bin:system/etc/wifi/WCNSS_qcom_wlan_nv_flo.bin \
 device/asus/flo/WCNSS_qcom_wlan_nv_deb.bin:system/etc/wifi/WCNSS_qcom_wlan_nv_deb.bin \
- device/asus/flo/init.flo.wifi.sh:system/etc/init.flo.wifi.sh
+ device/asus/flo/init.flo.wifi.sh:system/bin/init.flo.wifi.sh
 PRODUCT_COPY_FILES += \
 device/asus/flo/audio_policy.conf:system/etc/audio_policy.conf
@@ -81,7 +81,7 @@ PRODUCT_COPY_FILES += \
 device/asus/flo/media_codecs.xml:system/etc/media_codecs.xml
 PRODUCT_COPY_FILES += \
- device/asus/flo/kickstart_checker.sh:system/etc/kickstart_checker.sh
+ device/asus/flo/kickstart_checker.sh:system/bin/kickstart_checker.sh
 # Prebuilt kl and kcm keymaps
 PRODUCT_COPY_FILES += \
@@ -201,7 +201,7 @@ PRODUCT_PACKAGES += \
 power.msm8960
 PRODUCT_COPY_FILES += \
- device/asus/flo/init.flo.bt.sh:system/etc/init.flo.bt.sh
+ device/asus/flo/init.flo.bt.sh:system/bin/init.flo.bt.sh
 PRODUCT_PROPERTY_OVERRIDES += \
 ro.qualcomm.bt.hci_transport=smd
diff --git a/init.flo.rc b/init.flo.rc
index 4cbb260..cc82e8f 100644
--- a/init.flo.rc
+++ b/init.flo.rc
@@ -288,11 +288,10 @@ service rmt_storage /system/bin/rmt_storage
 user root
 group system
-service hciattach /system/bin/sh /system/etc/init.flo.bt.sh
+service hciattach /system/bin/init.flo.bt.sh
 class late_start
 user bluetooth
 group qcom_oncrpc bluetooth net_bt_admin system net_bt_stack
- seclabel u:r:bluetooth_loader:s0
 disabled
 oneshot
@@ -307,11 +306,6 @@ service bridgemgrd /system/bin/bridgemgrd
 user radio
 group radio
-service qcom-c_main-sh /system/bin/sh /init.qcom.class_main.sh
- class main
- user root
- oneshot
-
 # QMUX must be in multiple groups to support external process connections
 service qmuxd /system/bin/qmuxd
 class main
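Review bot: Relocating init.flo.wifi.sh to system/bin means init execs the script directly (the init.flo.rc hunks in this commit drop the `/system/bin/sh` wrapper), so the script must begin with a `#!/system/bin/sh` line and be installed with the execute bit set; the script sources are not in this diff, so both should be confirmed before merging. The kickstart_checker.sh (@@ -81) and init.flo.bt.sh (@@ -201) hunks have the same dependency. A one-line comment above each copy line, `# installed under system/bin so the script can carry its own SELinux label and be exec'd by init`, would explain why a shell script is placed next to binaries.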
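Review bot: With `seclabel u:r:bluetooth_loader:s0` removed, hciattach only lands in the bluetooth_loader domain if `/system/bin/init.flo.bt.sh` carries the bluetooth_loader_exec label and `init_daemon_domain(bluetooth_loader)` supplies the transition; the label is added in the file_contexts hunk of this same commit, so the two must stay in sync, and a missing or stale file_contexts entry would presumably leave the service in init's own context (or, depending on the init version, fail to start it) rather than fail at policy build time. The ks_checker (@@ -319) and wcnss_init (@@ -447) hunks on the next line depend on kickstart_exec and conn_init_exec the same way. A short comment above the service line, `# domain comes from the bluetooth_loader_exec label on the script (sepolicy/file_contexts)`, would record where the label now originates.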
@@ -319,9 +313,8 @@ service qmuxd /system/bin/qmuxd
 group radio audio bluetooth gps net_bt_stack
 disabled
-service ks_checker /system/bin/sh /system/etc/kickstart_checker.sh
+service ks_checker /system/bin/kickstart_checker.sh
 class core
- seclabel u:r:kickstart:s0
 oneshot
 service kickstart /system/bin/qcks -i /firmware/image/ -r /data/tombstones/mdm/
@@ -447,11 +440,10 @@ service qcamerasvr /system/bin/mm-qcamera-daemon
 user camera
 group camera system inet input
-service wcnss_init /system/bin/sh /system/etc/init.flo.wifi.sh
+service wcnss_init /system/bin/init.flo.wifi.sh
 class late_start
 user system
 group system wifi
- seclabel u:r:conn_init:s0
 oneshot
 service bdAddrLoader /system/bin/bdAddrLoader -f /persist/bluetooth/.bdaddr -h -x
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
index 2d9a8e8..da60894 100644
--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -1,18 +1,18 @@
-# Bluetooth executables and script (bdAddrLoader, init.mako.bt.sh)
+# Bluetooth executables and script (bdAddrLoader, init.flo.bt.sh)
 type bluetooth_loader, domain;
 type bluetooth_loader_exec, exec_type, file_type;
 # Start bdAddrLoader from init
 init_daemon_domain(bluetooth_loader)
-# Run init.mako.bt.sh
-allow bluetooth_loader shell_exec:file { entrypoint read };
+# Run init.flo.bt.sh
+allow bluetooth_loader shell_exec:file rx_file_perms;
 allow bluetooth_loader bluetooth_loader_exec:file rx_file_perms;
-# init.mako.bt.sh needs /system/bin/log access
+# init.flo.bt.sh needs /system/bin/log access
 allow bluetooth_loader devpts:chr_file rw_file_perms;
-# Run hci_qcomm_init from init.mako.bt.sh
+# Run hci_qcomm_init from init.flo.bt.sh
 domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
 allow hci_attach bluetooth_loader:fd use;
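Review bot: The comment `# Run init.flo.bt.sh` above `allow bluetooth_loader shell_exec:file rx_file_perms;` now describes the wrong rule: the script itself enters the domain through bluetooth_loader_exec on the following line, and the shell_exec rule is there so the script's interpreter, /system/bin/sh, can be executed in-domain from its #! line — `rx_file_perms` includes `execute_no_trans` (the kickstart.te hunk in this commit replaces an explicit `{ getattr open execute_no_trans }` with it), which the old `{ entrypoint read }` never granted. Suggest `# init.flo.bt.sh is the entrypoint (bluetooth_loader_exec); its #! line execs /system/bin/sh without a transition`. The same comment correction applies to `# Runs init.flo.wifi.sh` in the conn_init.te hunk and `# Run kickstart_checker.sh` in the kickstart.te hunk. Dropping `entrypoint` on shell_exec is the right direction, since a bare shell is no longer a valid way into any of these domains.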
@@ -25,5 +25,5 @@ unix_socket_connect(bluetooth_loader, property, init)
 # Set persist.service.bdroid.* and bluetooth.* property values
 allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;
-# Allow getprop/setprop for init.mako.bt.sh
+# Allow getprop/setprop for init.flo.bt.sh
 allow bluetooth_loader system_file:file execute_no_trans;
diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te
index 352609c..da693f2 100644
--- a/sepolicy/conn_init.te
+++ b/sepolicy/conn_init.te
@@ -5,7 +5,7 @@ type conn_init_exec, exec_type, file_type;
 init_daemon_domain(conn_init)
 # Runs init.flo.wifi.sh
-allow conn_init shell_exec:file { entrypoint read };
+allow conn_init shell_exec:file rx_file_perms;
 allow conn_init conn_init_exec:file rx_file_perms;
 # Allow /persist/wifi access
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index fde9600..b453823 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -101,6 +101,7 @@
 /system/bin/qcks u:object_r:kickstart_exec:s0
 /system/bin/efsks u:object_r:kickstart_exec:s0
 /system/bin/ks u:object_r:kickstart_exec:s0
+/system/bin/kickstart_checker\.sh u:object_r:kickstart_exec:s0
 /data/cam_socket[0-9] u:object_r:camera_socket:s0
 /data/app/sensor_ctl_socket u:object_r:sensors_socket:s0
@@ -114,7 +115,6 @@
 /system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
 /system/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0
-/system/etc/init\.mako\.bt\.sh u:object_r:bluetooth_loader_exec:s0
 # rmt_storage is a qualcomm specific daemon responsible
 # for servicing modem filesystem requests.
 /system/bin/rmt_storage u:object_r:rmt_exec:s0
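Review bot: The new `/system/bin/kickstart_checker\.sh u:object_r:kickstart_exec:s0` entry gives the shell script the same type as the qcks, efsks and ks binaries above it, so policy can no longer tell the script apart from the programs it launches; that is what lets the single `allow kickstart kickstart_exec:file rx_file_perms` in kickstart.te serve as both the domain entrypoint and the spawn permission, but it also means any future tightening of what the script may run has to start by splitting the type. The init.flo.wifi.sh and init.flo.bt.sh entries in the @@ -127 hunk on the next line reuse conn_init_exec and bluetooth_loader_exec the same way. A comment on the new line, `# script shares kickstart_exec so it can exec efsks/ks in-domain`, would make the type sharing deliberate rather than accidental.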
@@ -127,7 +127,9 @@
 /system/bin/mm-qcamera-daemon u:object_r:camera_exec:s0
 /system/bin/qseecomd u:object_r:tee_exec:s0
 /system/bin/conn_init u:object_r:conn_init_exec:s0
+/system/bin/init\.flo\.wifi\.sh u:object_r:conn_init_exec:s0
 /system/bin/irsc_util u:object_r:irsc_util_exec:s0
+/system/bin/init\.flo\.bt\.sh u:object_r:bluetooth_loader_exec:s0
 # Persist firmware filesystem
 /persist(/.*)? u:object_r:persist_file:s0
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
index 3c406fa..9ee9a43 100644
--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -5,16 +5,13 @@ type kickstart_exec, file_type, exec_type;
 init_daemon_domain(kickstart)
 # Run kickstart_checker.sh
-allow kickstart shell_exec:file { entrypoint read };
-allow kickstart kickstart_exec:file { getattr open execute_no_trans };
+allow kickstart shell_exec:file rx_file_perms;
+allow kickstart kickstart_exec:file rx_file_perms;
 # kickstart_checker.sh changes block devices
 # /dev/block/platform/msm_sdcc.1/by-name/m9kefs*
 allow kickstart self:capability { chown fowner };
-# Spawn /system/bin/efsks and /system/bin/ks
-allow kickstart kickstart_exec:file { open execute_no_trans getattr };
 # Let qcks access /dev/mdm node (modem driver)
 allow kickstart radio_device:chr_file r_file_perms;
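Review bot: The deleted `# Spawn /system/bin/efsks and /system/bin/ks` comment was the only record that the kickstart_exec rule covers re-executing efsks and ks, not just entering the domain through kickstart_checker.sh; after this hunk the surviving `allow kickstart kickstart_exec:file rx_file_perms;` sits under `# Run kickstart_checker.sh` alone, so the next reader will not know the rule is load-bearing for two different executions. The consolidation itself is sound, since `rx_file_perms` covers the `{ getattr open execute_no_trans }` that both removed rules granted. Suggest keeping the intent in the surviving comment: `# Run kickstart_checker.sh (entrypoint) and let it exec efsks/ks in-domain (all labeled kickstart_exec)`.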