New SELinux domain for init.mmi.touch.sh
Create a new SELinux domain for init.mmi.touch.sh. Currently,
it's running in the shell SELinux domain, and can't perform the
actions it needs to perform. This hasn't been a problem yet,
since we haven't had to update firmware for the touch driver.
Don't put the shell script on the root partition. It's unneeded
and is better stored on /system where it can have a proper SELinux
label and be marked as executable.
Change-Id: I0902f7cec0e514e3af12db759c974de4f01a50f3
diff --git a/BoardConfig.mk b/BoardConfig.mk
index f361c9f..7f20d5c 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -122,6 +122,7 @@
irsc_util.te \
mdm_helper.te \
mediaserver.te \
+ mmi_touch_sh.te \
mpdecision.te \
netd.te \
netmgrd.te \
diff --git a/device.mk b/device.mk
index c5cd516..fbbefb9 100644
--- a/device.mk
+++ b/device.mk
@@ -89,7 +89,7 @@
# Touch firmware updater
PRODUCT_COPY_FILES += \
- $(LOCAL_PATH)/init.mmi.touch.sh:root/init.mmi.touch.sh
+ $(LOCAL_PATH)/init.mmi.touch.sh:system/bin/init.mmi.touch.sh
# Add WiFi Firmware
$(call inherit-product-if-exists, hardware/broadcom/wlan/bcmdhd/firmware/bcm4356/device-bcm.mk)
diff --git a/init.shamu.rc b/init.shamu.rc
index e134727..fb3aeef 100644
--- a/init.shamu.rc
+++ b/init.shamu.rc
@@ -572,7 +572,7 @@
on property:init.svc.surfaceflinger=stopped
stop ppd
-service mmi-touch-sh /system/bin/sh /init.mmi.touch.sh atmel
+service mmi-touch-sh /system/bin/init.mmi.touch.sh atmel
class main
user root
oneshot
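Review bot: The new service line execs `/system/bin/init.mmi.touch.sh` directly, so the transition into the mmi_touch_sh domain now depends on the script carrying its own interpreter line (`#!/system/bin/sh`); the old line supplied `/system/bin/sh` explicitly and the script itself is not part of this change, so confirm it has one. The transition is keyed on the script's mmi_touch_sh_exec label via init_daemon_domain in sepolicy/mmi_touch_sh.te, and `rx_file_perms` on shell_exec covers the interpreter exec, so that side looks consistent. `user root` is kept; with the service now confined, a short comment on why root is still required (presumably ownership of the sysfs attributes it writes) would help a later scope-down, e.g. `# root: the touch controller's sysfs attributes are root-owned`.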
diff --git a/sepolicy/adspd.te b/sepolicy/adspd.te
index bc955c7..f09dd66 100644
--- a/sepolicy/adspd.te
+++ b/sepolicy/adspd.te
@@ -17,3 +17,5 @@
# For now, allow writes to all of /sys.
# TODO: scope down this access.
allow adspd sysfs:file write;
+
+allow adspd sysfs_mmi_touch:dir search;
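Review bot: The new rule grants adspd only `search` on sysfs_mmi_touch directories, with no comment explaining why adspd needs to touch the touch controller's sysfs tree at all. Because the file_contexts change relabels the whole `1-004a(/.*)?` subtree, any attribute adspd previously wrote there under the blanket `sysfs:file write` rule above is no longer covered by it; if adspd reads or writes files inside that directory it will also need an `allow adspd sysfs_mmi_touch:file ...` rule, and if it merely traverses through, the comment should say so. Suggested comment above the rule: `# The touch controller's sysfs subtree is labeled sysfs_mmi_touch (see file_contexts); adspd must traverse it.` This also fits the existing TODO to scope down adspd's /sys access.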
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 563974d..b78ca4d 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -22,6 +22,7 @@
type sysfs_smdcntl_open_timeout, fs_type, sysfs_type;
type sysfs_xhci_msm_hsic, fs_type, sysfs_type;
type sysfs_msm_hsic_host, fs_type, sysfs_type;
+type sysfs_mmi_touch, fs_type, sysfs_type;
type persist_file, file_type;
type persist_data_file, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 97354e9..238cfd5 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -122,6 +122,7 @@
/system/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0
/system/bin/bridgemgrd u:object_r:bridge_exec:s0
/system/vendor/bin/gsiff_daemon u:object_r:gsiffd_exec:s0
+/system/bin/init\.mmi\.touch\.sh u:object_r:mmi_touch_sh_exec:s0
/system/bin/irsc_util u:object_r:irsc_util_exec:s0
/system/bin/ks u:object_r:mdm_helper_exec:s0
/system/bin/mdm_helper u:object_r:mdm_helper_exec:s0
@@ -147,6 +148,9 @@
# Sysfs files used by qmuxd
/sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0
+# mmi_touch related /sys files
+/sys/devices/f9966000\.i2c/i2c-1/1-004a(/.*)? u:object_r:sysfs_mmi_touch:s0
+
# Context for mpdecision
/sys/module/msm_thermal/core_control/cpus_offlined u:object_r:sysfs_mpdecision:s0
/sys/devices/system/cpu/cpu0/rq-stats(/.*)? u:object_r:sysfs_rqstats:s0
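Review bot: The new sysfs entry pins the label to a hard-coded bus path (`f9966000.i2c/i2c-1/1-004a`) with nothing in the diff tying that address to the touch controller; a one-line comment naming the device and driver the path belongs to would make the entry auditable, e.g. `# Atmel touch controller on i2c-1 (addr 0x4a); labeled so mmi_touch_sh/ueventd can reflash firmware`. Note that /sys entries in file_contexts only take effect when something restorecons the path after the kernel creates it (presumably init's recursive restorecon of /sys), and nodes created later — such as the firmware loader's `loading`/`data` attributes that appear under the device directory at request time — may keep the generic sysfs label, which would make the sysfs_mmi_touch rules in ueventd.te and mmi_touch_sh.te miss them. Worth verifying the labels on a booted device during a reflash and documenting the expected labeling mechanism in the comment.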
diff --git a/sepolicy/mmi_touch_sh.te b/sepolicy/mmi_touch_sh.te
new file mode 100644
index 0000000..d6bd05b
--- /dev/null
+++ b/sepolicy/mmi_touch_sh.te
@@ -0,0 +1,16 @@
+type mmi_touch_sh, domain;
+type mmi_touch_sh_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mmi_touch_sh)
+
+# shell scripts need to execute /system/bin/sh
+allow mmi_touch_sh shell_exec:file rx_file_perms;
+
+# Logs to /dev/kmsg
+allow mmi_touch_sh kmsg_device:chr_file w_file_perms;
+
+# Write to /sys/path/to/firmware/forcereflash
+# Read from /sys/path/to/firmware/poweron (and others)
+allow mmi_touch_sh sysfs_mmi_touch:file rw_file_perms;
+allow mmi_touch_sh sysfs_mmi_touch:dir search;
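Review bot: `rw_file_perms` on `sysfs_mmi_touch:file` grants read and write to every attribute under the relabeled device subtree (the file_contexts regex ends in `(/.*)?`), which is broader than the two nodes the comment names; either scope it to `r_file_perms` plus a narrower label for the writable node, or add a TODO like the one in adspd.te so the over-grant is tracked. The comment's `/sys/path/to/firmware/...` reads as a placeholder — give the real attribute paths, or at least point at the `1-004a` directory from file_contexts, so the rule can be audited against the script later. `init_daemon_domain` and `shell_exec:file rx_file_perms` look right for an init-started script; if the script invokes toolbox commands, executing those may need further rules, which denials on a test boot would show.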
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 156e035..f58b051 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -1,2 +1,4 @@
allow ueventd { firmware_file }:dir r_dir_perms;
allow ueventd { firmware_file }:file r_file_perms;
+allow ueventd sysfs_mmi_touch:file w_file_perms;
+allow ueventd sysfs_mmi_touch:dir search;
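Review bot: The two ueventd rules carry no comment linking them to the path they serve; from the surrounding `firmware_file` read rules and the writable `sysfs_mmi_touch` grant, this appears to be the kernel firmware helper writing the `loading`/`data` nodes that the loader creates under the touch device's sysfs directory, and the comment should say so, e.g. `# Touch firmware reflash: write the firmware loader's loading/data nodes under the sysfs_mmi_touch subtree`. `w_file_perms` is wider than the two writes that path needs; whether the narrower `{ open write }` suffices depends on the macro's extra permissions being unused, so check denials before trimming. Whether those dynamically created nodes actually carry the sysfs_mmi_touch label rather than the default sysfs label depends on a restorecon running after they are created; if denials show them as `sysfs`, this rule is not the one that matters.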