Initial security policy.

Change-Id: I0f394bb68952476baa74e0db62ad7436d6c6b2bf
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 811bdf6..067cccb 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -81,3 +81,19 @@
 TARGET_RECOVERY_UI_LIB := librecovery_ui_manta
 TARGET_RECOVERY_UPDATER_LIBS += librecovery_updater_manta
 TARGET_RELEASETOOLS_EXTENSIONS := device/samsung/manta
+
+BOARD_SEPOLICY_DIRS := \
+	device/samsung/manta/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+	file_contexts \
+	genfs_contexts \
+	adbd.te \
+	app.te \
+	device.te \
+	domain.te \
+	gpsd.te \
+	file.te \
+	mediaserver.te \
+	surfaceflinger.te \
+	system.te
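Review bot: Both `BOARD_SEPOLICY_DIRS` and `BOARD_SEPOLICY_UNION` are assigned with `:=`, which discards anything an earlier-included makefile (a common or vendor board config, if one is used for this device) already put in those variables. Writing `BOARD_SEPOLICY_DIRS += device/samsung/manta/sepolicy` and `BOARD_SEPOLICY_UNION += \` keeps the device policy additive. The union list does match the eleven files this commit creates under sepolicy/, but it has to be kept in step by hand, so a one-line comment above it saying that every new file must be listed would help.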
diff --git a/init.manta.rc b/init.manta.rc
index 0f0f361..d2cf332 100644
--- a/init.manta.rc
+++ b/init.manta.rc
@@ -34,6 +34,8 @@
 	chmod 0660 /sys/class/rfkill/rfkill0/state
 	chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
 	chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
+	restorecon /sys/class/rfkill/rfkill0/state
+	restorecon /sys/class/rfkill/rfkill0/type
 
 on boot
     # override init.rc to keep plenty of large order chunks around
@@ -60,6 +62,25 @@
     mkdir /factory 0775 radio radio
 
     mount_all /fstab.manta
+    mount ext4 /dev/block/platform/dw_mmc.0/by-name/efs /factory rw remount
+    restorecon /factory
+    restorecon /factory/bluetooth
+    restorecon /factory/bluetooth/bt_addr
+    restorecon /factory/FactoryApp
+    restorecon /factory/FactoryApp/
+    restorecon /factory/FactoryApp/baro_delta
+    restorecon /factory/FactoryApp/factorymode
+    restorecon /factory/FactoryApp/fdata
+    restorecon /factory/FactoryApp/hist_nv
+    restorecon /factory/FactoryApp/hw_ver
+    restorecon /factory/FactoryApp/keystr
+    restorecon /factory/FactoryApp/reset_flag
+    restorecon /factory/FactoryApp/test_nv
+    restorecon /factory/hdcp2.keys
+    restorecon /factory/wv.keys
+    restorecon /factory/wifi
+    restorecon /factory/wifi/
+    mount ext4 /dev/block/platform/dw_mmc.0/by-name/efs /factory ro remount
     setprop ro.crypto.fuse_sdcard true
 
 # Permissions for backlight
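Review bot: The relabel of /factory is a hand-maintained list of single paths, so a file that is not named here (anything below /factory/wifi/, or a file added by a later factory image) keeps its old label even though file_contexts covers the whole tree with `/factory(/.*)?`. `restorecon /factory/FactoryApp/` and `restorecon /factory/wifi/` also only repeat the line before them. If the init in this tree provides a recursive form, `restorecon_recursive /factory` replaces the list; otherwise a comment should say that the list must track the partition contents. The partition that holds hdcp2.keys and wv.keys is also remounted rw on every boot and stays writable if the closing `mount ... ro remount` does not succeed, which is worth recording in a comment next to the two mount lines. The enclosing trigger block starts outside the hunk.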
@@ -158,6 +179,7 @@
 # Set watchdog timer to 30 seconds and pet it every 10 seconds to get a 20 second margin
 service watchdogd /sbin/watchdogd 10 20
     class core
+    seclabel u:r:watchdogd:s0
 
 service gpsd /system/vendor/bin/gpsd -c /system/vendor/etc/gps.xml
     class main
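Review bot: `seclabel u:r:watchdogd:s0` names a domain that none of the .te files added in this commit define, so it has to come from the base policy. If it is missing there, init presumably cannot set the context and watchdogd does not start, which on a board with an armed hardware watchdog ends in resets. A comment such as `# watchdogd runs from rootfs and needs an explicit seclabel; the domain is defined in the base sepolicy` would record the dependency. The gpsd service that follows continues outside the hunk.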
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644
index 0000000..ea89a00
--- /dev/null
+++ b/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd ffs:file rw_file_perms;
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..8f26a47
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,2 @@
+allow appdomain mali_device:chr_file rw_file_perms;
+allow appdomain ion_device:chr_file w_file_perms;
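Review bot: `allow appdomain mali_device:chr_file rw_file_perms;` opens the GPU driver node to every app domain, and nothing in the file records why. That is probably required for rendering, but it puts the Mali driver's interface within reach of any app, so the rule deserves a comment, e.g. `# GPU rendering: apps open /dev/mali0 directly`, and a check that no narrower set of domains than `appdomain` would do. The ion rule grants `w_file_perms` only; a comment should say why write without read is enough for `ion_device`, which is not declared in this commit and presumably comes from the base policy.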
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..2e30ccf
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,4 @@
+type mali_device, dev_type, mlstrustedobject;
+type secmem_device, dev_type;
+# Unified Memory Management device
+type ump_device, dev_type;
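Review bot: `secmem_device` and `ump_device` are declared here and attached to /dev/s5p-smem and /dev/ump in file_contexts, but no allow rule in this commit references either type. Once the nodes carry these labels, any confined domain that reached them under the generic device label loses access in enforcing mode, unless the base policy already has rules for them. Either add rules for the domains that open these nodes or state in a comment that access is intentionally unassigned for now. `mlstrustedobject` on `mali_device` exempts the node from the MLS constraints and merits a short comment as well, in the style of the one above `ump_device`.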
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..17cc5f0
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1 @@
+dontaudit domain rootfs:chr_file { read write };
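Review bot: `dontaudit domain rootfs:chr_file { read write };` silences this denial for every domain, and the file gives no reason for it. A denied read or write on a rootfs character device is often an inherited descriptor, and suppressing the record for all domains removes the log line that would show which process passed it on. Scope the rule to the domains that actually produce the denial, or at least add a comment naming the cause, for example `# fd inherited from init (opened before /dev is mounted); harmless but noisy` if that is what triggers it.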
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..6628a4c
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1 @@
+type ffs, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..ec6a885
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,35 @@
+# label graphics device with a new type, we need
+# to allow write operation from appdomain
+/dev/mali0              u:object_r:mali_device:s0
+
+/dev/bcm2079x           u:object_r:nfc_device:s0
+/dev/ttySAC0            u:object_r:hci_attach_dev:s0
+/dev/ttySAC1            u:object_r:gps_device:s0
+/dev/s5p-smem           u:object_r:secmem_device:s0
+/dev/ump                u:object_r:ump_device:s0
+
+/dev/mobicore           u:object_r:tee_device:s0
+/dev/mobicore-user      u:object_r:tee_device:s0
+
+/dev/v4l-subdev[0-9]*   u:object_r:video_device:s0
+/dev/media0             u:object_r:video_device:s0
+/dev/media1             u:object_r:video_device:s0
+
+/dev/video16            u:object_r:video_device:s0
+/dev/video17            u:object_r:video_device:s0
+/dev/video18            u:object_r:video_device:s0
+/dev/video19            u:object_r:video_device:s0
+
+/dev/video40            u:object_r:camera_device:s0
+/dev/video41            u:object_r:camera_device:s0
+/dev/video42            u:object_r:camera_device:s0
+/dev/video43            u:object_r:camera_device:s0
+/dev/video44            u:object_r:camera_device:s0
+/dev/media2             u:object_r:camera_device:s0
+
+/data/nfc               u:object_r:nfc_data_file:s0
+
+/factory(/.*)?          u:object_r:efs_file:s0
+/factory/bluetooth(/.*)?        u:object_r:bluetooth_efs_file:s0
+
+/system/bin/mcDriverDaemon  --  u:object_r:tee_exec:s0
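Review bot: `/factory(/.*)?` puts hdcp2.keys and wv.keys (both named in the init.manta.rc hunk) under the generic `efs_file` type, so every domain that is allowed to read `efs_file` can read the DRM key material. A dedicated entry, e.g. `/factory/(hdcp2|wv)\.keys  u:object_r:<key_file_type>:s0` with `<key_file_type>` standing for a type granted only to the DRM consumer, would keep them apart in the way `/factory/bluetooth(/.*)?` already does for Bluetooth data. The same question applies to `/dev/mobicore` and `/dev/mobicore-user` sharing `tee_device`: if the first is meant for the daemon only, any client that is given `tee_device` access reaches it too.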
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..17ddc45
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon functionfs / u:object_r:ffs:s0
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..f054da0
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,4 @@
+# gpsd on manta uses /data/.gps.interface.pipe.to_gpsd,
+# /data/.gps.interface.pipe.to_jni, /data/.gpsd.lock,
+# and /data/gldata.sto
+file_type_auto_trans(gpsd, system_data_file, gps_data_file);
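Review bot: `file_type_auto_trans(gpsd, system_data_file, gps_data_file);` is not limited to /data itself: it lets gpsd add entries in any directory labelled `system_data_file`, and the transition applies only to files created after the policy is loaded. The pipes, lock file and gldata.sto named in the comment presumably already exist on an upgraded device and keep `system_data_file`, since nothing in this commit relabels them. Moving gpsd's files into a directory of their own with a file_contexts entry would remove both problems; short of that, the comment should state that the rule is a workaround for gpsd writing into /data directly.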
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..fbaef63
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver system:unix_stream_socket { read write setopt };
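Review bot: `allow mediaserver system:unix_stream_socket { read write setopt };` carries no comment saying which socket it is for. As written it lets mediaserver use any stream socket of the `system` domain that it holds a descriptor for, so a reviewer cannot tell whether the scope is right. Add a line above the rule such as `# <name the system_server socket handed to mediaserver on manta>`, filled in with the actual source of the denial.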
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..986ee1d
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger mali_device:chr_file rw_file_perms;
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..495b650
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1 @@
+allow system mali_device:chr_file rw_file_perms;