Initial security policy.
Change-Id: I0f394bb68952476baa74e0db62ad7436d6c6b2bf
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 811bdf6..067cccb 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -81,3 +81,19 @@
TARGET_RECOVERY_UI_LIB := librecovery_ui_manta
TARGET_RECOVERY_UPDATER_LIBS += librecovery_updater_manta
TARGET_RELEASETOOLS_EXTENSIONS := device/samsung/manta
+
+BOARD_SEPOLICY_DIRS := \
+ device/samsung/manta/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+ file_contexts \
+ genfs_contexts \
+ adbd.te \
+ app.te \
+ device.te \
+ domain.te \
+ gpsd.te \
+ file.te \
+ mediaserver.te \
+ surfaceflinger.te \
+ system.te
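Review bot: The BOARD_SEPOLICY_UNION list is almost alphabetical but `file.te` is placed after `gpsd.te`; keeping it sorted (`file.te` before `gpsd.te`) makes later additions easier to check against the sepolicy directory. Every file named here is created by this same commit, so the list is complete as of this change.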
diff --git a/init.manta.rc b/init.manta.rc
index 0f0f361..d2cf332 100644
--- a/init.manta.rc
+++ b/init.manta.rc
@@ -34,6 +34,8 @@
chmod 0660 /sys/class/rfkill/rfkill0/state
chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/state
chown bluetooth net_bt_stack /sys/class/rfkill/rfkill0/type
+ restorecon /sys/class/rfkill/rfkill0/state
+ restorecon /sys/class/rfkill/rfkill0/type
on boot
# override init.rc to keep plenty of large order chunks around
@@ -60,6 +62,25 @@
mkdir /factory 0775 radio radio
mount_all /fstab.manta
+ mount ext4 /dev/block/platform/dw_mmc.0/by-name/efs /factory rw remount
+ restorecon /factory
+ restorecon /factory/bluetooth
+ restorecon /factory/bluetooth/bt_addr
+ restorecon /factory/FactoryApp
+ restorecon /factory/FactoryApp/
+ restorecon /factory/FactoryApp/baro_delta
+ restorecon /factory/FactoryApp/factorymode
+ restorecon /factory/FactoryApp/fdata
+ restorecon /factory/FactoryApp/hist_nv
+ restorecon /factory/FactoryApp/hw_ver
+ restorecon /factory/FactoryApp/keystr
+ restorecon /factory/FactoryApp/reset_flag
+ restorecon /factory/FactoryApp/test_nv
+ restorecon /factory/hdcp2.keys
+ restorecon /factory/wv.keys
+ restorecon /factory/wifi
+ restorecon /factory/wifi/
+ mount ext4 /dev/block/platform/dw_mmc.0/by-name/efs /factory ro remount
setprop ro.crypto.fuse_sdcard true
# Permissions for backlight
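Review bot: The /factory relabel between the two remount lines is an explicit list of paths rather than a recursive relabel, so any file under /factory that is not named here, or that is added later, keeps its pre-policy label; `restorecon /factory/FactoryApp` and `restorecon /factory/FactoryApp/` (and the `wifi` pair) are also the same path relabeled twice. If this init supports `restorecon_recursive`, the whole list collapses to `restorecon_recursive /factory`; otherwise drop the duplicates and add `# keep in sync with the files present on the efs partition` above the list so the maintenance burden is recorded.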
@@ -158,6 +179,7 @@
# Set watchdog timer to 30 seconds and pet it every 10 seconds to get a 20 second margin
service watchdogd /sbin/watchdogd 10 20
class core
+ seclabel u:r:watchdogd:s0
service gpsd /system/vendor/bin/gpsd -c /system/vendor/etc/gps.xml
class main
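Review bot: The `seclabel u:r:watchdogd:s0` added to the watchdogd service names a domain that this commit's sepolicy directory does not declare, so it depends on the core policy providing `watchdogd`, and the gpsd service directly below gets neither a seclabel nor a file_contexts entry for /system/vendor/bin/gpsd even though gpsd.te assumes a `gpsd` domain. Unless the core file_contexts already labels that executable for an automatic transition, gpsd would keep running in init's domain and the gpsd.te rule would never apply. A comment on the seclabel line such as `# watchdogd domain is defined in the core sepolicy` would make the cross-tree dependency explicit.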
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644
index 0000000..ea89a00
--- /dev/null
+++ b/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd ffs:file rw_file_perms;
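Review bot: `allow adbd ffs:file rw_file_perms;` grants the files but nothing on directories of type `ffs`, and the genfs_contexts entry labels the functionfs root directory `ffs` as well, so reaching the files adbd opens under that mount will still require `search` on that directory unless the core policy already grants it. Adding `allow adbd ffs:dir search;` beside the file rule covers that case, and a one-line comment such as `# adbd drives the USB gadget through functionfs` would record why adbd needs this vendor type.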
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..8f26a47
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,2 @@
+allow appdomain mali_device:chr_file rw_file_perms;
+allow appdomain ion_device:chr_file w_file_perms;
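Review bot: Both rules give every app domain, untrusted apps included, direct access to kernel driver device nodes without a comment stating the need; the justification for `mali_device` lives only in the file_contexts comment, and the reason `ion_device` receives write-only permissions here (presumably because read is granted by a base rule elsewhere) is not recorded at all. Put the rationale beside the rules, e.g. `# All apps render through the Mali GPU; this exposes the driver's ioctl surface to every app domain` above the first line and a comment above the second naming the base grant it extends. Note also that `w_file_perms` does not include `ioctl` unless the base policy's macro differs, so if ion access relies on ioctls this rule alone will not be enough.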
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..2e30ccf
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,4 @@
+type mali_device, dev_type, mlstrustedobject;
+type secmem_device, dev_type;
+# Unified Memory Management device
+type ump_device, dev_type;
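Review bot: `mali_device` is declared `mlstrustedobject`, which exempts it from the MLS constraints, but unlike `ump_device` the line carries no comment explaining why, and `secmem_device` is likewise undocumented. A comment such as `# mlstrustedobject: presumably opened by app domains at every MLS level for rendering — confirm` on the first line, plus a short purpose comment on the secmem line, keeps the justification next to the declaration for later reviewers.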
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..17cc5f0
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1 @@
+dontaudit domain rootfs:chr_file { read write };
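Review bot: The `dontaudit domain rootfs:chr_file { read write }` rule silences a denial for every domain in the system with no comment on what triggers it, so a genuine misconfiguration involving device nodes on the rootfs would be hidden as well. Record the trigger above the rule, e.g. `# Silence denials on <rootfs device node observed in the audit log>; the access is intentionally not allowed`, using the actual path, and consider narrowing the source from `domain` to the domains that actually produce the denial.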
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..6628a4c
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1 @@
+type ffs, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..ec6a885
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,35 @@
+# label graphics device with a new type, we need
+# to allow write operation from appdomain
+/dev/mali0 u:object_r:mali_device:s0
+
+/dev/bcm2079x u:object_r:nfc_device:s0
+/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+/dev/ttySAC1 u:object_r:gps_device:s0
+/dev/s5p-smem u:object_r:secmem_device:s0
+/dev/ump u:object_r:ump_device:s0
+
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
+
+/dev/v4l-subdev[0-9]* u:object_r:video_device:s0
+/dev/media0 u:object_r:video_device:s0
+/dev/media1 u:object_r:video_device:s0
+
+/dev/video16 u:object_r:video_device:s0
+/dev/video17 u:object_r:video_device:s0
+/dev/video18 u:object_r:video_device:s0
+/dev/video19 u:object_r:video_device:s0
+
+/dev/video40 u:object_r:camera_device:s0
+/dev/video41 u:object_r:camera_device:s0
+/dev/video42 u:object_r:camera_device:s0
+/dev/video43 u:object_r:camera_device:s0
+/dev/video44 u:object_r:camera_device:s0
+/dev/media2 u:object_r:camera_device:s0
+
+/data/nfc u:object_r:nfc_data_file:s0
+
+/factory(/.*)? u:object_r:efs_file:s0
+/factory/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+
+/system/bin/mcDriverDaemon -- u:object_r:tee_exec:s0
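Review bot: `/factory(/.*)? u:object_r:efs_file:s0` labels everything under /factory as `efs_file`, which by the restorecon list in init.manta.rc includes `hdcp2.keys` and `wv.keys`, so any domain granted efs_file read for the factory data can read the DRM key material too. Since the bluetooth subtree already receives its own type on the following line, the key files are a candidate for a dedicated type declared in file.te so that access to them can be granted more narrowly. The comment at the top of the file (`we need to allow write operation from appdomain`) describes the app.te rule rather than the label; `# GPU node; app domains need read/write on it, see app.te` states the same thing more precisely.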
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..17ddc45
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon functionfs / u:object_r:ffs:s0
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..f054da0
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,4 @@
+# gpsd on manta uses /data/.gps.interface.pipe.to_gpsd,
+# /data/.gps.interface.pipe.to_jni, /data/.gpsd.lock,
+# and /data/gldata.sto
+file_type_auto_trans(gpsd, system_data_file, gps_data_file);
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..fbaef63
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver system:unix_stream_socket { read write setopt };
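Review bot: `allow mediaserver system:unix_stream_socket { read write setopt };` has no comment saying which socket of the `system` domain mediaserver uses or why it needs `setopt` on it, so the next maintainer cannot tell whether the rule is still required. Add a line above it naming the interaction, e.g. `# socket handed to mediaserver by the system domain for <purpose> — TODO confirm which one`, and drop `setopt` if the audit log shows it is never exercised.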
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..986ee1d
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger mali_device:chr_file rw_file_perms;
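Review bot: `allow surfaceflinger appdomain:fd use;` lets surfaceflinger use any file descriptor passed from any app domain without a comment on which descriptors are intended (presumably graphics buffer handles), and the mali_device rule below it is likewise uncommented. A comment such as `# buffer fds handed over by app domains for composition — confirm` keeps the intent visible; if the core policy already grants the fd use, the line is redundant and should be removed.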
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..495b650
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1 @@
+allow system mali_device:chr_file rw_file_perms;