am65xevm: Fix selinux warnings

This patch fixes selinux warnings during bootup process and video playback. Additionally to dontaudit and allow rules for basic objects one more object was declared - mmc_block_device (data partition) to include fsck permissions for it. Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org> Acked-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
author: Mykhailo Sopiha 2018-10-30 14:38:18 -0500
committer: Praneeth Bajjuri 2018-10-30 22:12:56 -0500
commit: 26468d71e65dc1c8f383586166218c99b372981c (patch)
tree: 79bb5f7fa5b88c21abe931864a3871c0958447b0
parent: 88a08af230b5808a1934f075d3a8e98862fc1d6e (diff)
download: device-ti-am65xevm-26468d71e65dc1c8f383586166218c99b372981c.tar.gz
device-ti-am65xevm-26468d71e65dc1c8f383586166218c99b372981c.tar.xz
device-ti-am65xevm-26468d71e65dc1c8f383586166218c99b372981c.zip
10 files changed, 22 insertions, 0 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..20572f2
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type mmc_block_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 699c477..ce971da 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -11,6 +11,12 @@
 # Sysfs
 /sys/devices/soc0(/.*)?         u:object_r:sysfs_socinfo:s0
+# Block devices for fsck
+/dev/block/mmcblk0p6            u:object_r:mmc_block_device:s0
+#Mark android.hidl.memory@1.0-impl.so as sphal
+/system/lib/vndk-sp/hw                          u:object_r:same_process_hal_file:s0
 /vendor/lib64/libIMGegl.so                      u:object_r:same_process_hal_file:s0
 /vendor/lib64/libsrv_um.so                      u:object_r:same_process_hal_file:s0
 /vendor/lib64/libusc.so                         u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..fc13bab
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck mmc_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..d4f839d
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1 @@
+allow healthd self:capability2 wake_alarm;
diff --git a/sepolicy/lmkd.te b/sepolicy/lmkd.te
new file mode 100644
index 0000000..e2d26d5
--- /dev/null
+++ b/sepolicy/lmkd.te
@@ -0,0 +1 @@
+dontaudit lmkd self:capability dac_read_search;
diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te
new file mode 100644
index 0000000..3e22092
--- /dev/null
+++ b/sepolicy/mediaextractor.te
@@ -0,0 +1 @@
+allow mediaextractor sdcardfs:file r_file_perms;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..406fa53
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,7 @@
+# These denials are seen with WLAN, but are not harmful.
+# Ignore them
+dontaudit netd self:capability sys_module;
+dontaudit netd kernel:system module_request;
+allow netd proc_net:dir {add_name write};
+allow netd proc_net:file create;
diff --git a/sepolicy/proc_net.te b/sepolicy/proc_net.te
new file mode 100644
index 0000000..0f22770
--- /dev/null
+++ b/sepolicy/proc_net.te
@@ -0,0 +1 @@
+allow proc_net proc:filesystem associate;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..27ec6a0
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1 @@
+dontaudit vold self:capability dac_read_search;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..ed4f36b
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1,2 @@
+dontaudit zygote self:capability dac_read_search;
+allow zygote cgroup:file create;
author	Mykhailo Sopiha	2018-10-30 14:38:18 -0500
committer	Praneeth Bajjuri	2018-10-30 22:12:56 -0500
commit	26468d71e65dc1c8f383586166218c99b372981c (patch)
tree	79bb5f7fa5b88c21abe931864a3871c0958447b0
parent	88a08af230b5808a1934f075d3a8e98862fc1d6e (diff)
download	device-ti-am65xevm-26468d71e65dc1c8f383586166218c99b372981c.tar.gz device-ti-am65xevm-26468d71e65dc1c8f383586166218c99b372981c.tar.xz device-ti-am65xevm-26468d71e65dc1c8f383586166218c99b372981c.zip

diff --git a/sepolicy/device.te b/sepolicy/device.te new file mode 100644 index 0000000..20572f2 --- /dev/null +++ b/sepolicy/device.te
@@ -0,0 +1 @@
			type mmc_block_device, dev_type;


diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 699c477..ce971da 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts
@@ -11,6 +11,12 @@
11	# Sysfs	11	# Sysfs
12	/sys/devices/soc0(/.*)? u:object_r:sysfs_socinfo:s0	12	/sys/devices/soc0(/.*)? u:object_r:sysfs_socinfo:s0
13		13
		14	# Block devices for fsck
		15	/dev/block/mmcblk0p6 u:object_r:mmc_block_device:s0
		16
		17	#Mark android.hidl.memory@1.0-impl.so as sphal
		18	/system/lib/vndk-sp/hw u:object_r:same_process_hal_file:s0
		19
14	/vendor/lib64/libIMGegl.so u:object_r:same_process_hal_file:s0	20	/vendor/lib64/libIMGegl.so u:object_r:same_process_hal_file:s0
15	/vendor/lib64/libsrv_um.so u:object_r:same_process_hal_file:s0	21	/vendor/lib64/libsrv_um.so u:object_r:same_process_hal_file:s0
16	/vendor/lib64/libusc.so u:object_r:same_process_hal_file:s0	22	/vendor/lib64/libusc.so u:object_r:same_process_hal_file:s0


diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te new file mode 100644 index 0000000..fc13bab --- /dev/null +++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
			allow fsck mmc_block_device:blk_file rw_file_perms;


diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te new file mode 100644 index 0000000..d4f839d --- /dev/null +++ b/sepolicy/healthd.te
@@ -0,0 +1 @@
			allow healthd self:capability2 wake_alarm;


diff --git a/sepolicy/lmkd.te b/sepolicy/lmkd.te new file mode 100644 index 0000000..e2d26d5 --- /dev/null +++ b/sepolicy/lmkd.te
@@ -0,0 +1 @@
			dontaudit lmkd self:capability dac_read_search;


diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te new file mode 100644 index 0000000..3e22092 --- /dev/null +++ b/sepolicy/mediaextractor.te
@@ -0,0 +1 @@
			allow mediaextractor sdcardfs:file r_file_perms;


diff --git a/sepolicy/netd.te b/sepolicy/netd.te new file mode 100644 index 0000000..406fa53 --- /dev/null +++ b/sepolicy/netd.te
@@ -0,0 +1,7 @@
		1	# These denials are seen with WLAN, but are not harmful.
		2	# Ignore them
		3	dontaudit netd self:capability sys_module;
		4	dontaudit netd kernel:system module_request;
		5
		6	allow netd proc_net:dir {add_name write};
		7	allow netd proc_net:file create;


diff --git a/sepolicy/proc_net.te b/sepolicy/proc_net.te new file mode 100644 index 0000000..0f22770 --- /dev/null +++ b/sepolicy/proc_net.te
@@ -0,0 +1 @@
			allow proc_net proc:filesystem associate;


diff --git a/sepolicy/vold.te b/sepolicy/vold.te new file mode 100644 index 0000000..27ec6a0 --- /dev/null +++ b/sepolicy/vold.te
@@ -0,0 +1 @@
			dontaudit vold self:capability dac_read_search;


diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te new file mode 100644 index 0000000..ed4f36b --- /dev/null +++ b/sepolicy/zygote.te
@@ -0,0 +1,2 @@
		1	dontaudit zygote self:capability dac_read_search;
		2	allow zygote cgroup:file create;