DO NOT MERGE Update SELinux policy.
Various policy changes and updates concerning
sysfs and proc access, new device node domains,
and updated btmacreader and sensors-config
policy.
Change-Id: I6e4c20a3f2c669427b6d60d8ac1c07dadddf1e1a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 24fde25..96fc2c6 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -47,10 +47,14 @@
BOARD_SEPOLICY_UNION := \
file_contexts \
+ genfs_contexts \
+ app.te \
+ btmacreader.te \
device.te \
drmserver.te \
file.te \
sensors_config.te \
shell.te \
surfaceflinger.te \
- system.te
+ system.te \
+ zygote.te
diff --git a/init.grouper.rc b/init.grouper.rc
index 72ad1e6..acfeae9 100644
--- a/init.grouper.rc
+++ b/init.grouper.rc
@@ -24,10 +24,26 @@
write /sys/devices/system/cpu/cpu2/cpufreq/scaling_governor interactive
write /sys/devices/system/cpu/cpu3/cpufreq/scaling_governor interactive
restorecon /sys/devices/system/cpu
+ restorecon /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/boost
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/boost_factor
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/go_maxspeed_load
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/input_boost
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/max_boost
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/sustain_load
+ restorecon /sys/devices/system/cpu/cpufreq/interactive/timer_rate
+ restorecon /sys/devices/tegradc.0/smartdimmer/aggressiveness
+ restorecon /sys/devices/tegradc.0/smartdimmer/enable
on fs
setprop ro.crypto.umount_sd false
mount_all /fstab.grouper
+ restorecon /dev/block/platform/sdhci-tegra.3/by-name/PER
on post-fs-data
mkdir /data/misc/wifi 0770 wifi wifi
@@ -61,6 +77,8 @@
chmod 0660 /sys/class/rfkill/rfkill0/type
chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
+ restorecon /sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/state
+ restorecon /sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/type
# bluetooth MAC address programming
chown bluetooth net_bt_stack ro.bt.bdaddr_path
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..9d9b5b6
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1 @@
+allow appdomain sysfs_devices_system_cpu:dir r_dir_perms;
diff --git a/sepolicy/btmacreader.te b/sepolicy/btmacreader.te
new file mode 100644
index 0000000..8950ee3
--- /dev/null
+++ b/sepolicy/btmacreader.te
@@ -0,0 +1,18 @@
+type btmacreader, domain;
+type btmacreader_exec, exec_type, file_type;
+type mac_data_file, file_type, data_file_type;
+init_daemon_domain(btmacreader)
+allow btmacreader self:capability dac_override;
+allow btmacreader mac_data_file:dir { mounton rmdir };
+allow btmacreader shell_exec:file rx_file_perms;
+file_type_auto_trans(btmacreader, system_data_file, mac_data_file)
+
+# Execute toolbox commands
+allow btmacreader system_file:file execute_no_trans;
+
+# Read from per device partition
+allow btmacreader sensors_block_device:lnk_file read;
+allow btmacreader sdcard_external:filesystem { mount unmount };
+allow btmacreader tty_device:chr_file rw_file_perms;
+allow btmacreader self:capability sys_admin;
+allow btmacreader bluetooth_data_file:dir search;
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 40afe55..98d57c3 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1 +1,4 @@
type knv_device, dev_type;
+type elan_ip_device, dev_type;
+type sensors_block_device, dev_type;
+type sysfs_devices_tegradc, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index bd375c0..5996ed0 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,4 +1,7 @@
+/dev/block/platform/sdhci-tegra.3/by-name/PER u:object_r:sensors_block_device:s0
+/dev/elan-iap u:object_r:elan_ip_device:s0
/dev/knvmap u:object_r:knv_device:s0
+/dev/lightsensor u:object_r:sensors_device:s0
/dev/mi1040 u:object_r:camera_device:s0
/dev/ttyHS1 u:object_r:gps_device:s0
/dev/ttyHS2 u:object_r:hci_attach_dev:s0
@@ -15,3 +18,7 @@
/sys/bus/i2c/drivers/elan-ktf3k/1-0010/update_fw -- u:object_r:sysfs_firmware_writable:s0
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
+/sys/devices/tegradc\.0(/.*)? u:object_r:sysfs_devices_tegradc:s0
+/sys/devices/tegradc\.1(/.*)? u:object_r:sysfs_devices_tegradc:s0
+/sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/state -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/type -- u:object_r:sysfs_bluetooth_writable:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..522ca26
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
diff --git a/sepolicy/sensors_config.te b/sepolicy/sensors_config.te
index 46bc711..70e683d 100644
--- a/sepolicy/sensors_config.te
+++ b/sepolicy/sensors_config.te
@@ -9,3 +9,14 @@
allow sensors_config sensors_data_file:dir { create_dir_perms mounton };
allow sensors_config sensors_data_file:file create_file_perms;
allow sensors_config shell_exec:file rx_file_perms;
+file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
+
+# Execute toolbox commands
+allow sensors_config system_file:file execute_no_trans;
+
+# Read from per device partition
+allow sensors_config sensors_block_device:lnk_file read;
+allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config sdcard_external:file r_file_perms;
+allow sensors_config tty_device:chr_file rw_file_perms;
+allow sensors_config self:capability sys_admin;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 2ea6ca3..36965aa 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,2 +1,3 @@
allow surfaceflinger knv_device:chr_file rw_file_perms;
-allow surfaceflinger sysfs_devices_system_cpu:file w_file_perms;
+allow surfaceflinger { sysfs_devices_system_cpu sysfs_devices_tegradc }:file w_file_perms;
+allow surfaceflinger sysfs_devices_system_cpu:dir w_dir_perms;
diff --git a/sepolicy/system.te b/sepolicy/system.te
index 647aa63..828c5fb 100644
--- a/sepolicy/system.te
+++ b/sepolicy/system.te
@@ -1,2 +1,4 @@
allow { system system_app }knv_device:chr_file rw_file_perms;
allow system sysfs_devices_system_cpu:file w_file_perms;
+allow system sysfs_devices_system_cpu:dir r_dir_perms;
+allow system elan_ip_device:chr_file rw_file_perms;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..07389ff
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote sysfs_devices_system_cpu:dir r_dir_perms;
