SELinux policy additions.

Per-device policy additions targeting the
grouper board.

Change-Id: I54981e1fccd26e233149733a3c98e8b6bd61d6ed
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 232a207..76f2ba9 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -37,3 +37,17 @@
 
 -include vendor/asus/grouper/BoardConfigVendor.mk
 include device/asus/grouper/BoardConfigCommon.mk
+
+BOARD_SEPOLICY_DIRS := \
+        device/asus/grouper/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+        file_contexts \
+        btmacreader.te \
+        device.te \
+        drmserver.te \
+        file.te \
+        sensors_config.te \
+        shell.te \
+        surfaceflinger.te \
+        system.te
diff --git a/sepolicy/btmacreader.te b/sepolicy/btmacreader.te
new file mode 100644
index 0000000..5fd2114
--- /dev/null
+++ b/sepolicy/btmacreader.te
@@ -0,0 +1,7 @@
+type btmacreader, domain;
+type btmacreader_exec, exec_type, file_type;
+type mac_data_file, file_type, data_file_type;
+init_daemon_domain(btmacreader)
+allow btmacreader self:capability dac_override;
+allow btmacreader mac_data_file:dir { mounton rmdir };
+allow btmacreader shell_exec:file rx_file_perms;
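Review bot: `allow btmacreader self:capability dac_override;` grants a blanket DAC bypass, yet the only object rules in the domain are `mac_data_file:dir { mounton rmdir }`, so nothing in the policy shows which access actually needs it. If the daemon only manages /data/mac, fixing the directory's ownership in init and dropping the capability is the tighter fix; otherwise a comment naming the file it cannot otherwise reach would let a reviewer judge the grant. The file also lacks the header block that sensors_config.te carries; something like `# btmacreader: reads the Bluetooth MAC from /data/mac at boot (shell script, hence shell_exec)` would explain both the domain and the shell_exec rule, assuming that is what the daemon does. `mounton` on a data directory is unusual for a daemon domain; if it came from audit2allow output rather than an observed mount, consider dropping it.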
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..40afe55
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type knv_device, dev_type;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
new file mode 100644
index 0000000..74c1763
--- /dev/null
+++ b/sepolicy/drmserver.te
@@ -0,0 +1 @@
+allow drmserver knv_device:chr_file rw_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..855e7d0
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+type sysfs_firmware_writable, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..f1062fc
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,19 @@
+/dev/knvmap                       u:object_r:knv_device:s0
+/dev/mi1040                       u:object_r:camera_device:s0
+/dev/ttyHS1                       u:object_r:gps_device:s0
+/dev/ttyHS2                       u:object_r:hci_attach_dev:s0
+
+/data/amit(/.*)?                  u:object_r:sensors_data_file:s0
+/data/calibration(/.*)?           u:object_r:sensors_data_file:s0
+/data/lightsensor(/.*)?           u:object_r:sensors_data_file:s0
+/data/mac(/.*)?                   u:object_r:mac_data_file:s0
+/data/sensors(/.*)?               u:object_r:sensors_data_file:s0
+/data/tf(/.*)?                    u:object_r:tee_data_file:s0
+
+/system/bin/brcm_patchram_plus -- u:object_r:hci_attach_exec:s0
+/system/bin/btmacreader        -- u:object_r:btmacreader_exec:s0
+/system/bin/glgps              -- u:object_r:gpsd_exec:s0
+/system/bin/sensors-config     -- u:object_r:sensors_config_exec:s0
+
+/sys/bus/i2c/drivers/elan-ktf3k/1-0010/update_fw  --  u:object_r:sysfs_firmware_writable:s0
+/sys/devices/system/cpu(/.*)?                     u:object_r:sysfs_devices_system_cpu:s0
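Review bot: The two /sys entries at the end of the hunk only take effect if something applies them: sysfs nodes are created by the kernel with the generic sysfs label and are typically relabeled only by an explicit restorecon of those paths in init.rc, which this change does not include, so the shell, surfaceflinger and system rules that depend on these labels may never match. `/sys/devices/system/cpu(/.*)?` also covers the whole cpu tree (hotplug, cpufreq and cpuidle nodes alike); if the consumers only write one interface, a narrower regex would bound what `w_file_perms` reaches. The `--` on the update_fw entry correctly pins the match to a regular file.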
diff --git a/sepolicy/sensors_config.te b/sepolicy/sensors_config.te
new file mode 100644
index 0000000..46bc711
--- /dev/null
+++ b/sepolicy/sensors_config.te
@@ -0,0 +1,11 @@
+##########
+# sensors_config: load calibration files.
+##########
+type sensors_config, domain;
+type sensors_config_exec, exec_type, file_type;
+type sensors_data_file, file_type, data_file_type;
+init_daemon_domain(sensors_config)
+allow sensors_config self:capability { dac_override chown fowner fsetid };
+allow sensors_config sensors_data_file:dir { create_dir_perms mounton };
+allow sensors_config sensors_data_file:file create_file_perms;
+allow sensors_config shell_exec:file rx_file_perms;
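Review bot: The header says the domain loads calibration files, but the rules grant `{ dac_override chown fowner fsetid }` and `mounton` on sensors_data_file directories, which the stated purpose does not explain. Each capability beyond what the script actually uses is extra surface in a domain that also executes shell_exec, so a comment such as `# chown/fowner/fsetid: script fixes ownership of /data/calibration after writing` (or whichever the real reason is) would let the next reviewer judge it, and any permission audit2allow pulled in without an observed need should be dropped. As in btmacreader.te, `mounton` on a data directory looks like a denial-driven addition rather than a real mount; confirm before keeping it.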
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 0000000..26ee654
--- /dev/null
+++ b/sepolicy/shell.te
@@ -0,0 +1 @@
+allow shell sysfs_firmware_writable:file w_file_perms;
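Review bot: `allow shell sysfs_firmware_writable:file w_file_perms;` lets the unprivileged shell domain write the touch controller's `update_fw` node, i.e. trigger a firmware flash from adb shell, with no comment saying why that is wanted on production builds. If it exists for factory or test tooling, say so in a comment and confine it to debug builds if the base policy offers a build-variant guard; if nothing on a user build needs it, drop the rule. Note also that the label this rule relies on only exists once the sysfs path has been restorecon'd at boot, which is not part of this change.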
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..2ea6ca3
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger knv_device:chr_file rw_file_perms;
+allow surfaceflinger sysfs_devices_system_cpu:file w_file_perms;
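Review bot: `w_file_perms` on sysfs_devices_system_cpu gives surfaceflinger write access to every node the label covers under /sys/devices/system/cpu — hotplug `online`, cpufreq governor and limits, cpuidle — not just the single interface it presumably touches; the same grant appears in system.te. A comment stating the node actually written, e.g. `# surfaceflinger: writes cpu frequency hint on display activity — TODO name the exact node`, together with a narrower file_contexts regex for that node, would bound the access. Read permission is not included, so if the writer first reads the current value (common for save/restore of a governor setting) this rule will still produce a denial.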
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..647aa63
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1,2 @@
+allow { system system_app }knv_device:chr_file rw_file_perms;
+allow system sysfs_devices_system_cpu:file w_file_perms;
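Review bot: `allow { system system_app }knv_device:chr_file rw_file_perms;` is missing the space before `knv_device`; the policy parser should accept it, but it reads as a typo and is inconsistent with every other rule in the change — write `allow { system system_app } knv_device:chr_file rw_file_perms;`. More substantively, system_app is the domain of every app running as the system UID, so rw on the knv device node is granted to all of them; if only one component actually opens /dev/knvmap, name it in a comment so the grant can be narrowed later. The same node is also opened by drmserver and surfaceflinger, so a one-line comment in device.te on what knv_device is would help readers of all four files.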