Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/bluetooth.te1
-rw-r--r--sepolicy/device.te6
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/file_contexts49
-rw-r--r--sepolicy/genfs_contexts1
-rw-r--r--sepolicy/init-cpuset-sh.te7
-rw-r--r--sepolicy/init.te11
-rw-r--r--sepolicy/kernel.te5
-rw-r--r--sepolicy/lad_dra7xx.te21
-rw-r--r--sepolicy/mediaserver.te12
-rw-r--r--sepolicy/netd.te8
-rw-r--r--sepolicy/pvr.te12
-rw-r--r--sepolicy/system_server.te2
-rw-r--r--sepolicy/ueventd.te3
-rw-r--r--sepolicy/vis.te20
15 files changed, 160 insertions, 0 deletions
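diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..97f1465
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1 @@
+allow bluetooth bluetooth_control:chr_file { rw_file_perms };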
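Review bot: `allow bluetooth bluetooth_control:chr_file { rw_file_perms };` has no labelled object in this commit: the only file_contexts entry that assigns bluetooth_control (`/dev/hci_tty`) is commented out in sepolicy/file_contexts, and /dev/ttyS2 is labelled console_device instead. As written the rule is never exercised and the type declared in sepolicy/device.te is unused, so either the /dev/hci_tty entry should be restored or this rule and the type dropped rather than carrying a latent grant. If the UART is really shared between the console and the BT attach path, a comment in file_contexts should say so instead of leaving two conflicting labels for /dev/ttyS2, one of them commented out.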
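diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..db470f0
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,6 @@
+type bluetooth_control, dev_type;
+type rtc, dev_type;
+type hwspinlock_dev, dev_type;
+type uio_dev, dev_type;
+type cmem_dev, dev_type;
+type i2c_dev, dev_type;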
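diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..2d8644d
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+# /config
+type configfs, fs_type;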
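diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..8e31df1
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,49 @@
+#Bluettoth tty device
+#/dev/hci_tty u:object_r:bluetooth_control:s0
+#/dev/ttyS2 u:object_r:hci_attach_dev:s0
+#/system/bin/uim-sysfs u:object_r:hci_attach_exec:s0
+
+#Console
+/dev/ttyS2 u:object_r:console_device:s0
+
+#Graphics
+/dev/dri/card0 u:object_r:gpu_device:s0
+/dev/dri/controlD64 u:object_r:gpu_device:s0
+/dev/dri/renderD128 u:object_r:gpu_device:s0
+/dev/pvr_sync u:object_r:gpu_device:s0
+/dev/sw_sync u:object_r:gpu_device:s0
+
+/system/vendor/bin/pvrsrvctl u:object_r:pvr_exec:s0
+/system/vendor/bin/pvrsrvinit u:object_r:pvr_exec:s0
+
+#rpmsg
+/dev/rpmsg-dce u:object_r:rpmsg_device:s0
+
+#Real Time Clock
+/dev/rtc0 u:object_r:rtc:s0
+
+#cpuset script
+/system/bin/init.am43xevmboard.cpuset.sh u:object_r:init-cpuset-sh_exec:s0
+
+#lad_dra7xx
+/system/bin/lad_dra7xx u:object_r:lad_dra7xx_exec:s0
+/data/lad(/.*)? u:object_r:lad_data_file:s0
+
+#hwspinlock and uio
+/dev/hwspinlock u:object_r:hwspinlock_dev:s0
+/dev/uio0 u:object_r:uio_dev:s0
+
+#VIS (RadioApp)
+/system/bin/RadioApp u:object_r:vis_exec:s0
+
+#I2C
+/dev/i2c-[0-9]+ u:object_r:i2c_dev:s0
+
+#CMEM
+/dev/cmem u:object_r:cmem_dev:s0
+
+#Block devices
+/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/userdata u:object_r:userdata_block_device:s0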
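diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..50c7cd7
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon configfs / u:object_r:configfs:s0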
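diff --git a/sepolicy/init-cpuset-sh.te b/sepolicy/init-cpuset-sh.te
new file mode 100644
index 0000000..4547c45
--- /dev/null
+++ b/sepolicy/init-cpuset-sh.te
@@ -0,0 +1,7 @@
+type init-cpuset-sh, domain;
+type init-cpuset-sh_exec, exec_type, file_type;
+
+init_daemon_domain(init-cpuset-sh)
+
+allow init-cpuset-sh system_file:file execute_no_trans;
+allow init-cpuset-sh shell_exec:file read;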
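Review bot: `allow init-cpuset-sh system_file:file execute_no_trans;` lets the cpuset script execute any binary under /system inside its own init-started domain, which is wider than a cpuset setup script needs. If the script only calls a few tools, a comment listing them (`# needs: <tool list>`) would let the grant be narrowed later. Separately, `allow init-cpuset-sh shell_exec:file read;` grants only read on the interpreter, whereas a script launched by init generally also needs execute on shell_exec (AOSP scripts commonly use `rx_file_perms`); verify that the script really runs under this domain rather than being denied and masked by some broader rule.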
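diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..c96b477
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,11 @@
+#For loading modules via init.rc (wifi,cmem)
+allow init self:capability sys_module;
+#Create symlinks for storage
+allow init tmpfs:lnk_file create_file_perms;
+
+# /config
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# Allow module insertion
+allow init system_file:system module_load;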
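Review bot: `allow init self:capability sys_module;` together with `allow init system_file:system module_load;` lets init load any module carried under system_file, while the comment names only wifi and cmem. It would help auditing to record the exact modules pulled in by init.rc (`# modules: <list from init.rc>`) and, where the build permits, to label the module directory with a dedicated type instead of relying on all of system_file, so that a replaced system binary cannot become kernel code. `allow init tmpfs:lnk_file create_file_perms;` is also broader than the "symlinks for storage" comment suggests; if rename/unlink on those links are required the comment should say so, otherwise the set can be narrowed.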
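diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..eb2fb51
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,5 @@
+# This is for suppressing logs generated due to kdevtmpfs being
+# enabled in kernel for non Android reasons. For Android these
+# denials do not matter as it does not rely on kdevtmpfs.
+# So putting it in dontaudit list
+dontaudit kernel self:capability mknod;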
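diff --git a/sepolicy/lad_dra7xx.te b/sepolicy/lad_dra7xx.te
new file mode 100644
index 0000000..ff95009
--- /dev/null
+++ b/sepolicy/lad_dra7xx.te
@@ -0,0 +1,21 @@
+type lad_dra7xx, domain;
+type lad_dra7xx_exec, exec_type, file_type;
+type lad_data_file, file_type, data_file_type;
+
+# Started by init
+init_daemon_domain(lad_dra7xx)
+
+# Allow access to /data/lad
+allow lad_dra7xx devpts:chr_file {read write ioctl getattr };
+allow lad_dra7xx lad_data_file:dir { create_dir_perms };
+allow lad_dra7xx lad_data_file:fifo_file { create_file_perms };
+allow lad_dra7xx self:socket { create_socket_perms };
+
+# Allow access to hwspinlock and uio device
+allow lad_dra7xx hwspinlock_dev:chr_file { rw_file_perms };
+allow lad_dra7xx uio_dev:chr_file { rw_file_perms };
+allow lad_dra7xx sysfs:file { r_file_perms };
+
+# Allow signull operation from known client processes
+allow lad_dra7xx mediaserver:process signull;
+allow lad_dra7xx vis:process signull;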
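Review bot: The comment `# Allow access to /data/lad` covers four rules of which only the two lad_data_file rules match it; `allow lad_dra7xx devpts:chr_file {read write ioctl getattr };` and `allow lad_dra7xx self:socket { create_socket_perms };` are unrelated and need their own why-comments. A pty is normally only touched when the daemon is launched from an interactive shell, so the devpts rule looks like debugging residue for an init-started service and should be confirmed against a clean boot; if it stays, the unrestricted `ioctl` could be bounded with an ioctlcmd allowlist where the kernel supports it. The `self:socket` rule uses the generic socket class, so the comment should state which socket family the daemon actually opens. The hwspinlock/uio and signull comments match their rules.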
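diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..9e69353
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,12 @@
+allow mediaserver system_server:unix_stream_socket { read write };
+
+#Camera
+allow mediaserver device:dir { read open };
+
+#APPE
+allow mediaserver lad_data_file:fifo_file { create_file_perms };
+allow mediaserver hwspinlock_dev:chr_file { rw_file_perms };
+allow mediaserver cmem_dev:chr_file { rw_file_perms };
+allow mediaserver self:socket { create_socket_perms };
+allow mediaserver self:tcp_socket { create_stream_socket_perms };
+allow mediaserver ctl_default_prop:property_service set;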
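Review bot: `allow mediaserver ctl_default_prop:property_service set;` lets mediaserver set any ctl.* property carrying the default context, i.e. start or stop arbitrary init services, which is a direct escalation path if mediaserver is compromised through media parsing. If one specific service must be controlled, the comment should name it and a dedicated property context should be used instead of ctl_default_prop. `allow mediaserver self:tcp_socket { create_stream_socket_perms };` also gives the media service network sockets with no stated reason; later AOSP releases restrict mediaserver networking with neverallow rules, so the justification should be written down (`# tcp_socket needed for: <reason>`) so it can be revisited when the policy is rebased.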
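diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..143cc61
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,8 @@
+# These denials are seen with WLAN, but are not harmful.
+# Ignore them
+dontaudit netd self:capability sys_module;
+dontaudit netd kernel:system module_request;
+
+# VIS
+allow netd vis:fd use;
+allow netd vis:tcp_socket { rw_socket_perms };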
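diff --git a/sepolicy/pvr.te b/sepolicy/pvr.te
new file mode 100644
index 0000000..1e9cfa8
--- /dev/null
+++ b/sepolicy/pvr.te
@@ -0,0 +1,12 @@
+type pvr, domain;
+type pvr_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(pvr)
+
+# allow access to /dev/dri/
+allow pvr gpu_device:chr_file rw_file_perms;
+
+# allow graphics driver initialization
+allow pvr self:capability sys_module;
+allow pvr system_file:system module_load;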
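Review bot: `allow pvr self:capability sys_module;` and `allow pvr system_file:system module_load;` let the vendor GPU service load kernel modules, leaving a userspace daemon one file write away from kernel code; init already holds both grants in sepolicy/init.te. Prefer loading the graphics module from init.rc and dropping these two lines, so pvr keeps only its `gpu_device` access. If pvrsrvinit genuinely has to load the module itself, the comment should name the module and why init cannot do it (`# loads <module>: <reason>`).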
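diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..f1b4200
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+allow system_server rtc:chr_file rw_file_perms;
+allow system_server rpmsg_device:chr_file rw_file_perms;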
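diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..690cf1e
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,3 @@
+#Rules for crda operations
+allow ueventd self:netlink_generic_socket { create_socket_perms };
+allow ueventd system_file:file { execute_no_trans };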
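Review bot: `allow ueventd system_file:file { execute_no_trans };` lets ueventd, which runs as root early in boot, execute any binary under /system without a domain transition; the comment attributes this to crda but the rule is not limited to it. A dedicated exec type for the crda helper with a domain transition, or at minimum a comment naming the exact binary path that is executed, would keep the grant reviewable. The netlink_generic_socket rule on the line above reads as the expected crda interaction and needs no change.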
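diff --git a/sepolicy/vis.te b/sepolicy/vis.te
new file mode 100644
index 0000000..d8cbb7a
--- /dev/null
+++ b/sepolicy/vis.te
@@ -0,0 +1,20 @@
+type vis, domain;
+type vis_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(vis)
+
+# Allow access to IPC related resources
+allow vis devpts:chr_file { read write ioctl getattr };
+allow vis fwmarkd_socket:sock_file write;
+allow vis self:socket { create_socket_perms };
+allow vis self:tcp_socket { create_stream_socket_perms };
+allow vis netd:unix_stream_socket connectto;
+allow vis node:tcp_socket node_bind;
+allow vis port:tcp_socket name_bind;
+allow vis lad_data_file:fifo_file { rw_file_perms };
+allow vis cmem_dev:chr_file { rw_file_perms };
+allow vis hwspinlock_dev:chr_file { rw_file_perms };
+
+# Allow access to I2C for audio codec configuration
+allow vis i2c_dev:chr_file { rw_file_perms };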
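Review bot: `allow vis node:tcp_socket node_bind;` and `allow vis port:tcp_socket name_bind;` let vis listen on any unreserved port on any address, and the file does not say which port the radio service exposes or whether it must be reachable from off the device. Record the port and purpose (`# listens on <port>: <reason>`) and, if the service is local-only, state that it binds to loopback so the grant can be checked against the implementation. `allow vis devpts:chr_file { read write ioctl getattr };` carries the same question as the devpts rule in sepolicy/lad_dra7xx.te: a pty is seldom needed by an init-started daemon and may be leftover from running it from a shell. The I2C comment at the end matches its rule.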