Improve sepolicy labeling and domain confinement.

* Move certain services out of init's domain.
  init's domain is unconfined, so we should
  limit it to those services that need to
  run in init's context. For the new domains
  introduced, keep them permissive and unconfined
  for now, until future policy work individually
  drops these constraints.

* Add context option to fstab when mounting
  the firmware partition. This will ensure
  proper labeling and not use the default vfat
  label of sdcard_external.

* Use concatenation versus assignment when making
  policy declarations inside BoardConfig.mk. This
  will allow sepolicy to exist in the vendor
  directory.

Change-Id: I93c7413bf2a8ceb7589f059e754c4b2a787fdbaf
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/BoardConfig.mk b/BoardConfig.mk
index cd50191..31f13fd 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -92,12 +92,16 @@
 
 TARGET_RELEASETOOLS_EXTENSIONS := device/lge/mako
 
-BOARD_SEPOLICY_DIRS := \
+BOARD_SEPOLICY_DIRS += \
        device/lge/mako/sepolicy
 
-BOARD_SEPOLICY_UNION := \
+BOARD_SEPOLICY_UNION += \
        app.te \
        bluetooth.te \
+       bluetooth_loader.te \
+       bridge.te \
+       camera.te \
+       conn_init.te \
        device.te \
        domain.te \
        drmserver.te \
@@ -106,12 +110,18 @@
        hci_init.te \
        init_shell.te \
        keystore.te \
-       mediaserver.te \
        kickstart.te \
+       mediaserver.te \
+       mpdecision.te \
+       netmgrd.te \
        nfc.te \
+       qmux.te \
        rild.te \
+       rmt.te \
+       sensors.te \
        surfaceflinger.te \
        system_server.te \
+       thermald.te \
        ueventd.te \
        wpa.te
 
diff --git a/fstab.mako b/fstab.mako
index 3ae7c2a..2cee35c 100644
--- a/fstab.mako
+++ b/fstab.mako
@@ -7,7 +7,7 @@
 /dev/block/platform/msm_sdcc.1/by-name/cache        /cache          ext4    noatime,nosuid,nodev,barrier=1,data=ordered                     wait,check
 /dev/block/platform/msm_sdcc.1/by-name/userdata     /data           ext4    noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc     wait,check,encryptable=/dev/block/platform/msm_sdcc.1/by-name/metadata
 /dev/block/platform/msm_sdcc.1/by-name/persist      /persist        ext4    nosuid,nodev,barrier=1,data=ordered,nodelalloc                  wait
-/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337                        wait
+/dev/block/platform/msm_sdcc.1/by-name/modem        /firmware       vfat    ro,uid=1000,gid=1000,dmask=227,fmask=337,context=u:object_r:radio_efs_file:s0                        wait
 /dev/block/platform/msm_sdcc.1/by-name/boot         /boot           emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/recovery     /recovery       emmc    defaults                                                        defaults
 /dev/block/platform/msm_sdcc.1/by-name/misc         /misc           emmc    defaults                                                        defaults
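Review bot: With `context=u:object_r:radio_efs_file:s0` on the /firmware line, every file and directory on the partition carries that single label, yet no allow rule naming radio_efs_file appears anywhere in this diff. Domains that are unconfined or permissive will not notice, but any enforcing domain that loads firmware from /firmware would be denied. It is worth confirming which domains read this mount and adding rules of the form `allow <domain> radio_efs_file:dir r_dir_perms;` and `allow <domain> radio_efs_file:file r_file_perms;` in the same change. The rest of fstab.mako lies outside the hunk.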
diff --git a/init.mako.rc b/init.mako.rc
index 0c77562..3f47ff1 100644
--- a/init.mako.rc
+++ b/init.mako.rc
@@ -272,6 +272,7 @@
     class late_start
     user bluetooth
     group qcom_oncrpc bluetooth net_bt_admin system
+    seclabel u:r:bluetooth_loader:s0
     disabled
     oneshot
 
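Review bot: The added `seclabel u:r:bluetooth_loader:s0` has no comment explaining why an explicit label is needed when bluetooth_loader.te already sets up an automatic transition with `init_daemon_domain(bluetooth_loader)`. The service line is outside the hunk; if the service is started through a shell or wrapper rather than by exec'ing a bluetooth_loader_exec file directly, say so above the option, for example `# explicit label: launched via a shell, so no type transition on bluetooth_loader_exec occurs`. Without that note, a later cleanup could remove one of the two mechanisms and silently leave the service in init's domain.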
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
new file mode 100644
index 0000000..dd86563
--- /dev/null
+++ b/sepolicy/bluetooth_loader.te
@@ -0,0 +1,9 @@
+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+permissive bluetooth_loader;
+unconfined_domain(bluetooth_loader)
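Review bot: `permissive bluetooth_loader;` together with `unconfined_domain(bluetooth_loader)` carries no marker in the file that it is temporary; the commit message says so, but the policy file will be read without it. The same pair appears in bridge.te, camera.te, conn_init.te, mpdecision.te, netmgrd.te, qmux.te, rmt.te, sensors.te and thermald.te. Add a comment above the two lines in each file, for example `# TODO: temporary; replace unconfined_domain with specific allow rules, then drop permissive`. While unconfined_domain is in place the domain is likely to log few denials, so the permissive period will not by itself produce the audit data needed to write the tighter rules. mpdecision.te and thermald.te are commented as root processes and are the natural ones to tighten first.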
diff --git a/sepolicy/bridge.te b/sepolicy/bridge.te
new file mode 100644
index 0000000..40ef355
--- /dev/null
+++ b/sepolicy/bridge.te
@@ -0,0 +1,9 @@
+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(bridge)
+
+permissive bridge;
+unconfined_domain(bridge)
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
new file mode 100644
index 0000000..3041c50
--- /dev/null
+++ b/sepolicy/camera.te
@@ -0,0 +1,9 @@
+# Qualcomm MSM camera
+type camera, domain;
+type camera_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(camera)
+
+permissive camera;
+unconfined_domain(camera)
diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te
new file mode 100644
index 0000000..3b7c535
--- /dev/null
+++ b/sepolicy/conn_init.te
@@ -0,0 +1,9 @@
+# wifi connection service
+type conn_init, domain;
+type conn_init_exec, exec_type, file_type;
+
+# Started by logwrapper in init
+domain_auto_trans(init, conn_init_exec, conn_init)
+
+permissive conn_init;
+unconfined_domain(conn_init)
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 839b0a4..32a20ed 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -5,3 +5,6 @@
 type qmux_radio_socket, file_type;
 
 type audio_firmware_file, file_type;
+
+# Default type for anything under /firmware
+type radio_efs_file, fs_type;
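Review bot: The comment `# Default type for anything under /firmware` does not say how the label gets there, and a reader will look for a /firmware entry in file_contexts and find none. State the mechanism, for example `# Applied to the whole /firmware vfat mount by the context= option in fstab.mako`. The type is declared with only `fs_type`, while under a context= mount it also ends up on the files themselves; whether it should additionally carry `file_type` depends on how the platform policy uses that attribute and is worth checking.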
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index ccbb9b6..a4a66c9 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -33,4 +33,16 @@
 /data/nfc(/.*)?                    u:object_r:nfc_data_file:s0
 
 /system/bin/hci_qcomm_init         u:object_r:hci_exec:s0
-/system/bin/bdAddrLoader           u:object_r:hci_exec:s0
+/system/bin/bdAddrLoader           u:object_r:bluetooth_loader_exec:s0
+/system/etc/init.mako.bt.sh        u:object_r:bluetooth_loader_exec:s0
+/system/bin/rmt_storage            u:object_r:rmt_exec:s0
+/system/bin/bridgemgrd             u:object_r:bridge_exec:s0
+/system/bin/qmuxd                  u:object_r:qmux_exec:s0
+/system/bin/netmgrd                u:object_r:netmgrd_exec:s0
+/system/bin/thermald               u:object_r:thermald_exec:s0
+/system/bin/mpdecision             u:object_r:mpdecision_exec:s0
+/system/bin/sensors.qcom           u:object_r:sensors_exec:s0
+/system/bin/mm-qcamera-daemon      u:object_r:camera_exec:s0
+/system/bin/qseecomd               u:object_r:tee_exec:s0
+/system/bin/conn_init              u:object_r:conn_init_exec:s0
+
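Review bot: The added paths `/system/bin/sensors.qcom` and `/system/etc/init.mako.bt.sh` contain unescaped dots, and file_contexts path specs are regular expressions, so each `.` matches any character. Write them as `/system/bin/sensors\.qcom` and `/system/etc/init\.mako\.bt\.sh` so the entries match only the intended files. `tee_exec` on the qseecomd line is not declared anywhere in this diff; presumably it comes from the platform policy, which is worth confirming because a context with an undeclared type would be expected to fail validation at build time.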
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
new file mode 100644
index 0000000..a385d09
--- /dev/null
+++ b/sepolicy/mpdecision.te
@@ -0,0 +1,9 @@
+# CPU governor (root process)
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mpdecision)
+
+permissive mpdecision;
+unconfined_domain(mpdecision)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..7967488
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1,9 @@
+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(netmgrd)
+
+permissive netmgrd;
+unconfined_domain(netmgrd)
diff --git a/sepolicy/qmux.te b/sepolicy/qmux.te
new file mode 100644
index 0000000..8c0233c
--- /dev/null
+++ b/sepolicy/qmux.te
@@ -0,0 +1,9 @@
+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(qmux)
+
+permissive qmux;
+unconfined_domain(qmux)
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
new file mode 100644
index 0000000..8cb6b17
--- /dev/null
+++ b/sepolicy/rmt.te
@@ -0,0 +1,9 @@
+# remote storage process
+type rmt, domain;
+type rmt_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(rmt)
+
+permissive rmt;
+unconfined_domain(rmt)
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..0fbcb12
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,9 @@
+# Integrated qualcomm sensor process
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(sensors)
+
+permissive sensors;
+unconfined_domain(sensors)
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
new file mode 100644
index 0000000..585141b
--- /dev/null
+++ b/sepolicy/thermald.te
@@ -0,0 +1,9 @@
+# Temperature sensor daemon (root process)
+type thermald, domain;
+type thermald_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(thermald)
+
+permissive thermald;
+unconfined_domain(thermald)