sanders: sepolicy: Initial fixes

2017-11-04 21:10:52 -02:00
parent 89df59f4ce
commit 9b0ed5a8a3
12 changed files with 59 additions and 11 deletions
--- a/sepolicy/adspd.te
+++ b/sepolicy/adspd.te
@@ -1,4 +1,4 @@
-type adspd, domain, domain_deprecated;
+type adspd, domain;
 type adspd_exec, exec_type, file_type;
 init_daemon_domain(adspd)

--- a/sepolicy/akmd.te
+++ b/sepolicy/akmd.te
@@ -1,4 +1,4 @@
-type akmd, domain, domain_deprecated;
+type akmd, domain;
 type akmd_exec, exec_type, file_type;
 init_daemon_domain(akmd)

--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -0,0 +1,40 @@
+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+# Run init.qcom.bt.sh
+allow bluetooth_loader shell_exec:file { entrypoint getattr read };
+allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans };
+
+# init.qcom.bt.sh needs /system/bin/log access
+allow bluetooth_loader devpts:chr_file rw_file_perms;
+
+# Run hci_qcomm_init from init.qcom.bt.sh
+domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
+allow hci_attach bluetooth_loader:fd use;
+
+# Set persist.service.bdroid.* and bluetooth.* property values
+set_prop(bluetooth_loader, bluetooth_prop)
+
+# Allow getprop/setprop for init.qcom.bt.sh
+allow bluetooth_loader system_file:file execute_no_trans;
+allow bluetooth_loader toolbox_exec:file rx_file_perms;
+
+# Allow hci_qcomm_init /persist/.bt_nv.bin access
+r_dir_file(bluetooth_loader, persist_file);
+allow bluetooth_loader bluetooth_data_file:file r_file_perms;
+
+# Access the smd device
+allow bluetooth_loader hci_attach_dev:chr_file rw_file_perms;
+
+# And qmuxd
+allow bluetooth_loader qmuxd_socket:dir { write add_name remove_name search };
+allow bluetooth_loader qmuxd_socket:sock_file { create setattr getattr write unlink };
+allow bluetooth_loader qmuxd:unix_stream_socket { connectto };
+
+userdebug_or_eng(`
+  diag_use(bluetooth_loader)
+')
--- a/sepolicy/config_bluetooth.te
+++ b/sepolicy/config_bluetooth.te
@@ -1,3 +1,3 @@
-type config_bluetooth, domain, domain_deprecated;
+type config_bluetooth, domain;
 type config_bluetooth_exec, exec_type, file_type;
 init_daemon_domain(config_bluetooth)
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -4,6 +4,7 @@ type compass_device, dev_type;
 type haptics_device, dev_type;
 type hob_device, dev_type;
 type hw_block_device, dev_type;
+type persist_block_device, dev_type;
 type graphics_fb_device, dev_type;
 type synaptics_rmi_device, dev_type;
 type shwi_device, dev_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -15,6 +15,7 @@
 /system/bin/wlan_carrier_bin\.sh                         u:object_r:init_wifi_exec:s0
 /system/bin/motosh                                       u:object_r:sensor_hub_exec:s0
 /system/bin/akmd09912                                    u:object_r:akmd_exec:s0
+/system/etc/init\.qcom\.bt\.sh                           u:object_r:bluetooth_loader_exec:s0

 # CMActions
 /sys/homebutton(/.*)?                                    u:object_r:sysfs_homebutton:s0
@@ -48,6 +49,7 @@
 /persist/batt_health(/.*)?                               u:object_r:pds_batt_file:s0
 /persist/public/omadm(/.*)?                              u:object_r:pds_omadm_file:s0
 /persist/factory/audio(/.*)?                             u:object_r:persist_audio_file:s0
+/persist/\.bt_nv\.bin                                    u:object_r:bluetooth_data_file:s0

 /data/wapi_certificate(/.*)?                             u:object_r:wapi_supplicant_data_file:s0

@@ -82,6 +84,7 @@
 /dev/stml0xx_akm                                         u:object_r:compass_device:s0
 /dev/akm09912_dev                                        u:object_r:compass_device:s0
 /dev/mot_hob_ram                                         u:object_r:hob_device:s0
+/dev/smd3                                                u:object_r:hci_attach_dev:s0


 /dev/bcm2079x-i2c                                        u:object_r:nfc_device:s0
--- a/sepolicy/hci_attach.te
+++ b/sepolicy/hci_attach.te
@@ -0,0 +1,9 @@
+type hci_attach, domain;
+type hci_attach_exec, exec_type, file_type;
+
+init_daemon_domain(hci_attach)
+
+allow hci_attach kernel:system module_request;
+allow hci_attach hci_attach_dev:chr_file rw_file_perms;
+allow hci_attach bluetooth_efs_file:dir r_dir_perms;
+allow hci_attach bluetooth_efs_file:file r_file_perms;
--- a/sepolicy/init_wifi.te
+++ b/sepolicy/init_wifi.te
@@ -1,4 +1,4 @@
-type init_wifi, domain, domain_deprecated;
+type init_wifi, domain;
 type init_wifi_exec, exec_type, file_type;
 init_daemon_domain(init_wifi)

--- a/sepolicy/mmi_boot.te
+++ b/sepolicy/mmi_boot.te
@@ -1,4 +1,4 @@
-type mmi_boot, domain, domain_deprecated;
+type mmi_boot, domain;
 type mmi_boot_exec, exec_type, file_type;
 init_daemon_domain(mmi_boot)

--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -8,6 +8,4 @@ allow rild persist_file:file rw_file_perms;
 allow rild sensorservice_service:service_manager find;
 allow rild system_server:binder { transfer call };
 allow rild system_server:unix_stream_socket { read getopt write };
-allow rild wpa:unix_dgram_socket sendto;
-allow rild wpa_socket:sock_file { read write };

--- a/sepolicy/sensor_hub.te
+++ b/sepolicy/sensor_hub.te
@@ -1,4 +1,4 @@
-type sensor_hub, domain, domain_deprecated;
+type sensor_hub, domain;
 type sensor_hub_exec, exec_type, file_type;
 init_daemon_domain(sensor_hub)

--- a/sepolicy/wpa.te
+++ b/sepolicy/wpa.te
@@ -1,3 +0,0 @@
-allow wpa cutback_data_file:dir rw_dir_perms;
-allow wpa cutback_data_file:sock_file rw_file_perms;
-allow wpa rild:unix_dgram_socket sendto;