authorPraneeth Bajjuri2019-02-28 01:30:34 -0600
committerPraneeth Bajjuri2019-02-27 19:31:00 -0600
commit6e3af004da9381f3211abc487fd67e67026855e2 (patch)
tree75e1ab5555742886baf7a5e78a6037d594235068
parent2efd81db50e6480a3ca6d7ae388439cfbcb2ef9c (diff)
downloaddevice-ti-am65xevm-6e3af004da9381f3211abc487fd67e67026855e2.tar.gz
device-ti-am65xevm-6e3af004da9381f3211abc487fd67e67026855e2.tar.xz
device-ti-am65xevm-6e3af004da9381f3211abc487fd67e67026855e2.zip
am65xevm: sepolicy: Update to pie
Initial sepolicy, using the Pie device/ti/beagle_x15 project as a reference. Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>
-rw-r--r--sepolicy/device.te1
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/file_contexts11
-rw-r--r--sepolicy/fsck.te1
-rw-r--r--sepolicy/hal_camera_default.te3
-rw-r--r--sepolicy/hal_cas_default.te1
-rw-r--r--sepolicy/hal_drm_default.te2
-rw-r--r--sepolicy/hal_graphics_allocator_default.te1
-rw-r--r--sepolicy/hal_memtrack_default.te1
-rw-r--r--sepolicy/init.te21
-rw-r--r--sepolicy/installd.te1
-rw-r--r--sepolicy/lmkd.te1
-rw-r--r--sepolicy/mediaextractor.te1
-rw-r--r--sepolicy/netd.te5
-rw-r--r--sepolicy/proc_net.te1
-rw-r--r--sepolicy/pvr.te1
-rw-r--r--sepolicy/surfaceflinger.te2
-rw-r--r--sepolicy/ueventd.te5
-rw-r--r--sepolicy/vold.te1
-rw-r--r--sepolicy/zygote.te2
20 files changed, 12 insertions, 52 deletions
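diff --git a/sepolicy/device.te b/sepolicy/device.te
deleted file mode 100644
index 20572f2..0000000
--- a/sepolicy/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type mmc_block_device, dev_type;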
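diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..7162631
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+# sysfs types
+type sysfs_socinfo, sysfs_type, fs_type;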
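diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index ce971da..8014641 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -11,11 +11,14 @@
 # Sysfs
 /sys/devices/soc0(/.*)? u:object_r:sysfs_socinfo:s0
 
-# Block devices for fsck
-/dev/block/mmcblk0p6 u:object_r:mmc_block_device:s0
+#Block devices
+#/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/system u:object_r:system_block_device:s0
+#/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/recovery u:object_r:recovery_block_device:s0
+#/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/cache u:object_r:cache_block_device:s0
+#/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/userdata u:object_r:userdata_block_device:s0
+#/dev/block/platform/44000000.ocp/480b4000.mmc/by-name/misc u:object_r:misc_block_device:s0
+
 
-#Mark android.hidl.memory@1.0-impl.so as sphal
-/system/lib/vndk-sp/hw u:object_r:same_process_hal_file:s0
 
 /vendor/lib64/libIMGegl.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libsrv_um.so u:object_r:same_process_hal_file:s0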
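Review bot: All five block-device entries added under `#Block devices` are commented out, and the old `mmc_block_device` label on `/dev/block/mmcblk0p6` is removed with nothing replacing it, so after this change no by-name partition on this board gets a specific `*_block_device` type and fsck/vold presumably fall back to whatever the platform policy grants on the generic block device label. The `44000000.ocp/480b4000.mmc` platform path also looks like the beagle_x15 path the commit message says this was copied from rather than an AM65x one, so the lines would be wrong even if uncommented. Either resolve the AM65x `/dev/block/platform/.../by-name` path and enable the entries, or drop the dead block and record the decision, e.g. `# TODO(am65x): label by-name partitions once the platform device path is known`. Commented-out file_contexts entries tend to go stale silently, which is why a live entry or an explicit TODO is preferable.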
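diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
deleted file mode 100644
index fc13bab..0000000
--- a/sepolicy/fsck.te
+++ /dev/null
@@ -1 +0,0 @@
-allow fsck mmc_block_device:blk_file rw_file_perms;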
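diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
deleted file mode 100644
index 300b156..0000000
--- a/sepolicy/hal_camera_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-vndbinder_use(hal_camera_default);
-allow hal_camera_default device:dir { read open };
-allow hal_camera_default gpu_device:chr_file rw_file_perms;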
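diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te
deleted file mode 100644
index 3ed3bee..0000000
--- a/sepolicy/hal_cas_default.te
+++ /dev/null
@@ -1 +0,0 @@
-vndbinder_use(hal_cas_default);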
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
index 0acbc0d..5177496 100644
--- a/sepolicy/hal_drm_default.te
+++ b/sepolicy/hal_drm_default.te
@@ -1 +1 @@
vndbinder_use(hal_drm_default) vndbinder_use(hal_drm_default);
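diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te
deleted file mode 100644
index 02c6d78..0000000
--- a/sepolicy/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_graphics_allocator_default ion_device:chr_file write;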
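diff --git a/sepolicy/hal_memtrack_default.te b/sepolicy/hal_memtrack_default.te
deleted file mode 100644
index 142af21..0000000
--- a/sepolicy/hal_memtrack_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_memtrack_default gpu_device:chr_file { ioctl map open read write };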
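diff --git a/sepolicy/init.te b/sepolicy/init.te
index 8a1581e..2329198 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,28 +1,11 @@
-#For holding a wake_lock in init.rc
-wakelock_use(init)
-
-#For loading modules via init.rc
+#For loading modules via init.rc (ex: wifi)
 allow init self:capability sys_module;
-
 #Create symlinks for storage
 allow init tmpfs:lnk_file create_file_perms;
-
 # Allow module insertion
 allow init vendor_file:system module_load;
-
 # Configfs
 allow init configfs:file write;
 allow init configfs:lnk_file { create unlink } ;
 
-# For cgroups creating
-allow init cgroup:file create;
-
-# Access to /proc
-allow init proc:dir { add_name write };
-allow init proc:file create;
-
-# Access to /sys
-allow init sysfs:file create;
-allow init sysfs:dir add_name;
-
-dontaudit init self:capability dac_read_search;
+dontaudit init proc:file write;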
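Review bot: The new `dontaudit init proc:file write;` at the end of the file silences the denial on the generic `proc` type rather than fixing it, and carries no comment saying which init.rc write triggers it; the rules it replaces (`allow init proc:file create`, `proc:dir { add_name write }`) at least stated their intent. Because `dontaudit` applies to every file still carrying the generic `proc` label, it also hides any future unintended write by init to an unlabeled /proc node, not just the one observed. The conventional fix is to give the specific node its own type via genfs_contexts and grant init write on that type, which keeps the audit trail; if the suppression must stay, add the why-comment `# init.rc writes <node>; TODO label it in genfs_contexts instead of hiding the denial`. Which /proc node is involved is not visible in this hunk and should be confirmed against init.rc.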
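diff --git a/sepolicy/installd.te b/sepolicy/installd.te
deleted file mode 100644
index e0495b8..0000000
--- a/sepolicy/installd.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit installd self:capability dac_read_search;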
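diff --git a/sepolicy/lmkd.te b/sepolicy/lmkd.te
deleted file mode 100644
index e2d26d5..0000000
--- a/sepolicy/lmkd.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit lmkd self:capability dac_read_search;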
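diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te
deleted file mode 100644
index 3e22092..0000000
--- a/sepolicy/mediaextractor.te
+++ /dev/null
@@ -1 +0,0 @@
-allow mediaextractor sdcardfs:file r_file_perms;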
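diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index 406fa53..954fc6a 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -1,7 +1,2 @@
-# These denials are seen with WLAN, but are not harmful.
-# Ignore them
 dontaudit netd self:capability sys_module;
 dontaudit netd kernel:system module_request;
-
-allow netd proc_net:dir {add_name write};
-allow netd proc_net:file create;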
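diff --git a/sepolicy/proc_net.te b/sepolicy/proc_net.te
deleted file mode 100644
index 0f22770..0000000
--- a/sepolicy/proc_net.te
+++ /dev/null
@@ -1 +0,0 @@
-allow proc_net proc:filesystem associate;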
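diff --git a/sepolicy/pvr.te b/sepolicy/pvr.te
index 53ac238..da7c5b2 100644
--- a/sepolicy/pvr.te
+++ b/sepolicy/pvr.te
@@ -1,6 +1,5 @@
 type pvr, domain;
 type pvr_exec, exec_type, vendor_file_type, file_type;
-type sysfs_socinfo, sysfs_type, fs_type;
 
 # Started by init
 init_daemon_domain(pvr)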
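diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
deleted file mode 100644
index fd7dc3f..0000000
--- a/sepolicy/surfaceflinger.te
+++ /dev/null
@@ -1,2 +0,0 @@
-hal_server_domain(surfaceflinger, hal_graphics_allocator);
-allow surfaceflinger ion_device:chr_file write;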
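diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
deleted file mode 100644
index 1194452..0000000
--- a/sepolicy/ueventd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow ueventd self:capability {sys_module sys_nice};
-allow ueventd vendor_file:system module_load;
-allow ueventd kernel:key search;
-allow ueventd kernel:process setsched;
-allow ueventd kernel:system module_request;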
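diff --git a/sepolicy/vold.te b/sepolicy/vold.te
deleted file mode 100644
index 27ec6a0..0000000
--- a/sepolicy/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit vold self:capability dac_read_search;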
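diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
deleted file mode 100644
index ed4f36b..0000000
--- a/sepolicy/zygote.te
+++ /dev/null
@@ -1,2 +0,0 @@
-dontaudit zygote self:capability dac_read_search;
-allow zygote cgroup:file create;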