
Add basic sepolicy
authorChih-Wei Huang <cwhuang@linux.org.tw>
Mon, 18 Jun 2018 03:57:40 +0000 (11:57 +0800)
committerChih-Wei Huang <cwhuang@linux.org.tw>
Mon, 18 Jun 2018 03:57:40 +0000 (11:57 +0800)
This is the first step to conquer the SELinux issues of Android-x86.
Just copy from build/target/board/generic/sepolicy/ and
build/target/board/generic_x86/sepolicy/ and remove unnecessary
emulator stuff.

29 files changed:
BoardConfig.mk
sepolicy/adbd.te [new file with mode: 0644]
sepolicy/audioserver.te [new file with mode: 0644]
sepolicy/bootanim.te [new file with mode: 0644]
sepolicy/cameraserver.te [new file with mode: 0644]
sepolicy/device.te [new file with mode: 0644]
sepolicy/domain.te [new file with mode: 0644]
sepolicy/file.te [new file with mode: 0644]
sepolicy/file_contexts [new file with mode: 0644]
sepolicy/hal_camera_default.te [new file with mode: 0644]
sepolicy/hal_cas_default.te [new file with mode: 0644]
sepolicy/hal_drm_default.te [new file with mode: 0644]
sepolicy/hal_drm_widevine.te [new file with mode: 0644]
sepolicy/hal_gnss_default.te [new file with mode: 0644]
sepolicy/hal_graphics_composer_default.te [new file with mode: 0644]
sepolicy/healthd.te [new file with mode: 0644]
sepolicy/init.te [new file with mode: 0644]
sepolicy/installd.te [new file with mode: 0644]
sepolicy/logpersist.te [new file with mode: 0644]
sepolicy/mediacodec.te [new file with mode: 0644]
sepolicy/netd.te [new file with mode: 0644]
sepolicy/priv_app.te [new file with mode: 0644]
sepolicy/property.te [new file with mode: 0644]
sepolicy/property_contexts [new file with mode: 0644]
sepolicy/shell.te [new file with mode: 0644]
sepolicy/surfaceflinger.te [new file with mode: 0644]
sepolicy/system_server.te [new file with mode: 0644]
sepolicy/vold.te [new file with mode: 0644]
sepolicy/zygote.te [new file with mode: 0644]

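--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -84,3 +84,6 @@ PRC_COMPATIBILITY_PACKAGE := true
 ZIP_OPTIMIZATION_NO_INTEGRITY := true
 
 DEVICE_MANIFEST_FILE := device/generic/common/manifest.xml
+
+BOARD_SEPOLICY_DIRS += device/generic/common/sepolicy \
+                       system/bt/vendor_libs/linux/sepolicy \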
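Review bot: The last added line `system/bt/vendor_libs/linux/sepolicy \` ends with a line continuation, but the `+84,6` hunk count says no further line follows, so either the rendering truncated the list or the file now ends on a dangling backslash. If it is the latter, drop the trailing `\` so that whatever is appended to this file later is not silently joined into BOARD_SEPOLICY_DIRS; if another path does follow, the hunk header should account for it. The second entry also makes this board depend on the out-of-tree `system/bt` sepolicy, which is worth a one-line comment since nothing in this directory otherwise refers to it.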
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644 (file)
index 0000000..9546c1a
--- /dev/null
@@ -0,0 +1 @@
+set_prop(adbd, ctl_mdnsd_prop);
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644 (file)
index 0000000..c3c4a3a
--- /dev/null
@@ -0,0 +1 @@
+allow audioserver bootanim:binder call;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644 (file)
index 0000000..98d453f
--- /dev/null
@@ -0,0 +1,4 @@
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit bootanim system_data_file:dir read;
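Review bot: `allow bootanim self:process execmem;` together with `allow bootanim ashmem_device:chr_file execute;` relaxes W^X for this domain, and the same execmem grant recurs in installd.te, surfaceflinger.te and zygote.te in this commit. In the generic emulator policy these rules appear to have come with the software GL renderer, which the description says has been stripped; if Android-x86 still needs them (a JIT-based GL stack on x86, for instance), a comment recording the reason would let them be pruned once that need goes away, e.g. `# execmem: needed by the x86 GL renderer's JIT — TODO confirm and drop when no longer required`. Without that note the next reader cannot tell a deliberate grant from leftover emulator policy.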
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644 (file)
index 0000000..6cf5d6a
--- /dev/null
@@ -0,0 +1,2 @@
+allow cameraserver system_file:dir { open read };
+allow cameraserver hal_allocator:fd use;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644 (file)
index 0000000..0bc8d87
--- /dev/null
@@ -0,0 +1 @@
+allow domain cpuctl_device:dir search;
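Review bot: `allow domain cpuctl_device:dir search;` is written against the `domain` attribute, so it applies to every process on the system rather than to one service. The permission is narrow, but rules on `domain` tend to be widened later without anyone re-checking the scope; a comment naming the consumer would guard against that, e.g. `# all domains search /dev/cpuctl — presumably for cgroup placement of their threads; TODO confirm which callers need it`.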
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644 (file)
index 0000000..258dc98
--- /dev/null
@@ -0,0 +1,15 @@
+# ranchu
+/dev/block/vda               u:object_r:system_block_device:s0
+/dev/block/vdb               u:object_r:cache_block_device:s0
+/dev/block/vdc               u:object_r:userdata_block_device:s0
+/dev/block/vdd               u:object_r:metadata_block_device:s0
+/dev/block/vde               u:object_r:system_block_device:s0
+
+/dev/ttyS0                   u:object_r:console_device:s0
+
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine          u:object_r:hal_drm_widevine_exec:s0
+
+/vendor/lib(64)?/libEGL_swiftshader\.so          u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so    u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_swiftshader\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenglSystemCommon\.so       u:object_r:same_process_hal_file:s0
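Review bot: The `# ranchu` block-device entries (`/dev/block/vda` through `vde`), the `/dev/ttyS0` console label and the four swiftshader/OpenglSystemCommon library labels are emulator-specific, which is exactly what the description says this copy removed. If they are kept on purpose so that Android-x86 images booted under virtio get correct partition labels, replace the `# ranchu` comment with one saying so; otherwise drop them, because labelling an arbitrary fifth disk (`/dev/block/vde`) as `system_block_device` on real hardware extends every domain's system-partition access to that disk. The `hal_drm_widevine_exec` entry likewise only makes sense on builds that ship that vendor binary.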
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644 (file)
index 0000000..eb88c36
--- /dev/null
@@ -0,0 +1,3 @@
+vndbinder_use(hal_camera_default);
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_composer)
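Review bot: Macro invocations are terminated inconsistently: `vndbinder_use(hal_camera_default);` carries a semicolon while `hal_client_domain(hal_camera_default, hal_graphics_composer)` on the next line does not, and hal_drm_default.te and hal_drm_widevine.te mix the two forms the same way. The m4 macros expand to complete, already-terminated rules, so the trailing `;` is redundant; pick one form and apply it across the new files so the style does not drift further as rules are added.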
diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te
new file mode 100644 (file)
index 0000000..3ed3bee
--- /dev/null
@@ -0,0 +1 @@
+vndbinder_use(hal_cas_default);
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644 (file)
index 0000000..5a07433
--- /dev/null
@@ -0,0 +1,2 @@
+vndbinder_use(hal_drm_default);
+hal_client_domain(hal_drm_default, hal_graphics_composer)
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
new file mode 100644 (file)
index 0000000..42d462a
--- /dev/null
@@ -0,0 +1,12 @@
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine);
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
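Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written against the `hal_drm` attribute, so they apply to hal_drm_default and any other DRM HAL server as well, not only to the widevine domain this file defines. If only widevine needs to use descriptors handed over by apps and mediacodec, scope them as `allow hal_drm_widevine mediacodec:fd use;` and `allow hal_drm_widevine { appdomain -isolated_app }:fd use;`; if every DRM server needs them, a comment stating that would make the wider scope deliberate rather than an accident of where the lines were copied from.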
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
new file mode 100644 (file)
index 0000000..0dd3d03
--- /dev/null
@@ -0,0 +1,3 @@
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
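Review bot: `allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };` hand-writes what the `vndbinder_use()` macro provides, which the new hal_camera_default.te, hal_cas_default.te and hal_drm_default.te already use; hal_graphics_composer_default.te carries the same raw rule. The `#============= … ==============` header is the shape audit2allow prints, which suggests both lines were lifted from a denial log rather than written against the intended interface. Replacing them with `vndbinder_use(hal_gnss_default)` and `vndbinder_use(hal_graphics_composer_default)` keeps the files consistent and, as far as I recall the platform te_macros, also brings the vndservicemanager binder permissions the macro pairs with the device access, which the raw rule leaves out.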
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644 (file)
index 0000000..034bdef
--- /dev/null
@@ -0,0 +1,3 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644 (file)
index 0000000..95fa807
--- /dev/null
@@ -0,0 +1 @@
+allow healthd self:capability sys_nice;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644 (file)
index 0000000..5e1a5d1
--- /dev/null
@@ -0,0 +1,3 @@
+allow init tmpfs:lnk_file create_file_perms;
+dontaudit init kernel:system module_request;
+allow init tmpfs:lnk_file create_file_perms;
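Review bot: `allow init tmpfs:lnk_file create_file_perms;` appears twice in this file, as its first and last line, presumably once from each of the two generic sepolicy directories the description says were merged. checkpolicy accepts the duplicate, but it is noise that will confuse the next merge; drop the second copy.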
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644 (file)
index 0000000..7a558b1
--- /dev/null
@@ -0,0 +1 @@
+allow installd self:process execmem;
diff --git a/sepolicy/logpersist.te b/sepolicy/logpersist.te
new file mode 100644 (file)
index 0000000..cae03bb
--- /dev/null
@@ -0,0 +1,10 @@
+# See global logcat.te/logpersist.te, only set for eng & userdebug,
+# allow for all builds in a non-conflicting manner.
+
+domain_auto_trans(init, logcat_exec, logpersist)
+
+# Read from logd.
+unix_socket_connect(logpersist, logdr, logd)
+
+# Write to /dev/ttyS2 and /dev/ttyGF2.
+allow logpersist serial_device:chr_file { write open };
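Review bot: `domain_auto_trans(init, logcat_exec, logpersist)` is unconditional, and the header comment confirms the intent is to run logpersist on every build type, so on a user build the `allow logpersist serial_device:chr_file { write open };` rule lets persisted logs be written to any serial console of a production image. Consider wrapping the file's rules in `userdebug_or_eng(`…')` as the global logpersist.te does, or add a comment recording why Android-x86 wants this on user builds. The `/dev/ttyGF2` named in the comment is a goldfish (emulator) device and reads as stale here.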
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644 (file)
index 0000000..acf4e59
--- /dev/null
@@ -0,0 +1 @@
+allow mediacodec system_file:dir { open read };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644 (file)
index 0000000..09a28b9
--- /dev/null
@@ -0,0 +1,3 @@
+dontaudit netd self:capability sys_module;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit netd kernel:system module_request;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644 (file)
index 0000000..3d16f32
--- /dev/null
@@ -0,0 +1,5 @@
+#TODO: b/62908025
+dontaudit priv_app firstboot_prop:file { getattr open };
+dontaudit priv_app device:dir { open read };
+dontaudit priv_app proc_interrupts:file { getattr open read };
+dontaudit priv_app proc_modules:file { getattr open read };
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644 (file)
index 0000000..d216ff2
--- /dev/null
@@ -0,0 +1,2 @@
+type radio_noril_prop, property_type;
+type opengles_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644 (file)
index 0000000..3bfe5a1
--- /dev/null
@@ -0,0 +1,2 @@
+ro.radio.noril          u:object_r:radio_noril_prop:s0
+ro.opengles.            u:object_r:opengles_prop:s0
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644 (file)
index 0000000..b246d7e
--- /dev/null
@@ -0,0 +1 @@
+allow shell serial_device:chr_file rw_file_perms;
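Review bot: `allow shell serial_device:chr_file rw_file_perms;` gives every adb shell session read/write on all devices labelled `serial_device`, which on Android-x86 hardware means real UARTs rather than only the emulator's console; note also that this commit's file_contexts labels `/dev/ttyS0` as `console_device`, not `serial_device`, so the rule may not even reach the console it was presumably meant for. If this is debugging access, gate it with `userdebug_or_eng(`allow shell serial_device:chr_file rw_file_perms;')` or narrow the target type, rather than granting it on user builds.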
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644 (file)
index 0000000..4c35469
--- /dev/null
@@ -0,0 +1,2 @@
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644 (file)
index 0000000..9063095
--- /dev/null
@@ -0,0 +1,2 @@
+get_prop(system_server, opengles_prop)
+get_prop(system_server, radio_noril_prop)
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644 (file)
index 0000000..5f3bdd4
--- /dev/null
@@ -0,0 +1 @@
+dontaudit vold kernel:system module_request;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644 (file)
index 0000000..0bf668a
--- /dev/null
@@ -0,0 +1,5 @@
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+allow zygote self:process execmem;
+allow zygote self:capability sys_nice;
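Review bot: `dontaudit webview_zygote mnt_expand_file:dir getattr;` concerns the webview_zygote domain, not zygote, so it sits in the wrong file; every other file in this commit follows the one-domain-per-`<domain>.te` convention. Move it, with its two comment lines, into a new webview_zygote.te so the rule is found where the next reader will look for it.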