From 37d09a99fba3945c9cf60a2792541bd2e616dcad Mon Sep 17 00:00:00 2001 
From: Chih-Wei Huang
Date: Mon, 18 Jun 2018 11:57:40 +0800
Subject: [PATCH 1/1] Add basic sepolicy

This is the first step to conquer the SELinux issues of Android-x86. Just copy from build/target/board/generic/sepolicy/ and build/target/board/generic_x86/sepolicy/ and remove unnecessary emulator stuff.
---
 BoardConfig.mk | 3 +++
 sepolicy/adbd.te | 1 +
 sepolicy/audioserver.te | 1 +
 sepolicy/bootanim.te | 4 ++++
 sepolicy/cameraserver.te | 2 ++
 sepolicy/device.te | 0
 sepolicy/domain.te | 1 +
 sepolicy/file.te | 0
 sepolicy/file_contexts | 15 +++++++++++++++
 sepolicy/hal_camera_default.te | 3 +++
 sepolicy/hal_cas_default.te | 1 +
 sepolicy/hal_drm_default.te | 2 ++
 sepolicy/hal_drm_widevine.te | 12 ++++++++++++
 sepolicy/hal_gnss_default.te | 3 +++
 sepolicy/hal_graphics_composer_default.te | 3 +++
 sepolicy/healthd.te | 1 +
 sepolicy/init.te | 3 +++
 sepolicy/installd.te | 1 +
 sepolicy/logpersist.te | 10 ++++++++++
 sepolicy/mediacodec.te | 1 +
 sepolicy/netd.te | 3 +++
 sepolicy/priv_app.te | 5 +++++
 sepolicy/property.te | 2 ++
 sepolicy/property_contexts | 2 ++
 sepolicy/shell.te | 1 +
 sepolicy/surfaceflinger.te | 2 ++
 sepolicy/system_server.te | 2 ++
 sepolicy/vold.te | 1 +
 sepolicy/zygote.te | 5 +++++
 29 files changed, 90 insertions(+)
 create mode 100644 sepolicy/adbd.te
 create mode 100644 sepolicy/audioserver.te
 create mode 100644 sepolicy/bootanim.te
 create mode 100644 sepolicy/cameraserver.te
 create mode 100644 sepolicy/device.te
 create mode 100644 sepolicy/domain.te
 create mode 100644 sepolicy/file.te
 create mode 100644 sepolicy/file_contexts
 create mode 100644 sepolicy/hal_camera_default.te
 create mode 100644 sepolicy/hal_cas_default.te
 create mode 100644 sepolicy/hal_drm_default.te
 create mode 100644 sepolicy/hal_drm_widevine.te
 create mode 100644 sepolicy/hal_gnss_default.te
 create mode 100644 sepolicy/hal_graphics_composer_default.te
 create mode 100644 sepolicy/healthd.te
 create mode 100644 sepolicy/init.te
 create mode 100644 sepolicy/installd.te
 create mode 100644 sepolicy/logpersist.te
 create mode 100644 sepolicy/mediacodec.te
 create mode 100644 sepolicy/netd.te
 create mode 100644 sepolicy/priv_app.te
 create mode 100644 sepolicy/property.te
 create mode 100644 sepolicy/property_contexts
 create mode 100644 sepolicy/shell.te
 create mode 100644 sepolicy/surfaceflinger.te
 create mode 100644 sepolicy/system_server.te
 create mode 100644 sepolicy/vold.te
 create mode 100644 sepolicy/zygote.te

diff --git a/BoardConfig.mk b/BoardConfig.mk
index 2c03a77..185fe39 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -84,3 +84,6 @@ PRC_COMPATIBILITY_PACKAGE := true
 ZIP_OPTIMIZATION_NO_INTEGRITY := true
 DEVICE_MANIFEST_FILE := device/generic/common/manifest.xml
+
+BOARD_SEPOLICY_DIRS += device/generic/common/sepolicy \
+ system/bt/vendor_libs/linux/sepolicy \
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644
index 0000000..9546c1a
--- /dev/null
+++ b/sepolicy/adbd.te
@@ -0,0 +1 @@
+set_prop(adbd, ctl_mdnsd_prop);
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..c3c4a3a
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1 @@
+allow audioserver bootanim:binder call;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..98d453f
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1,4 @@
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit bootanim system_data_file:dir read;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..6cf5d6a
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,2 @@
+allow cameraserver system_file:dir { open read };
+allow cameraserver hal_allocator:fd use;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..e69de29
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..0bc8d87
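Review bot: The last added line, `+ system/bt/vendor_libs/linux/sepolicy \`, leaves a dangling backslash continuation with nothing after it in the hunk; make tolerates that, but any line a later change appends to BoardConfig.mk will be silently joined into BOARD_SEPOLICY_DIRS. Drop the trailing backslash on the final entry, `+ system/bt/vendor_libs/linux/sepolicy`. The third directory, system/bt/vendor_libs/linux/sepolicy, is not mentioned in the commit message, which only talks about copying the generic and generic_x86 board policy; a sentence on what that directory contributes would help whoever audits this policy next.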
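Review bot: `allow bootanim self:process execmem;` together with `allow bootanim ashmem_device:chr_file execute;` lets the boot animation map memory that is both writable and executable, a W^X relaxation, and nothing in the file says why; judging by the swiftshader libraries this patch labels in file_contexts, it was presumably carried over for the emulator's software GL renderer. The same execmem grant reappears for surfaceflinger, zygote and installd in this patch, none with a comment, and the renderer explanation does not obviously cover installd. Add a comment above each occurrence, e.g. `# execmem: needed only while the software GL renderer is in use; remove once a hardware GL driver is available`, and confirm installd actually needs it on a real x86 target before keeping it.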
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1 @@
+allow domain cpuctl_device:dir search;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..e69de29
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..258dc98
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,15 @@
+# ranchu
+/dev/block/vda u:object_r:system_block_device:s0
+/dev/block/vdb u:object_r:cache_block_device:s0
+/dev/block/vdc u:object_r:userdata_block_device:s0
+/dev/block/vdd u:object_r:metadata_block_device:s0
+/dev/block/vde u:object_r:system_block_device:s0
+
+/dev/ttyS0 u:object_r:console_device:s0
+
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+
+/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..eb88c36
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
@@ -0,0 +1,3 @@
+vndbinder_use(hal_camera_default);
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_composer)
diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te
new file mode 100644
index 0000000..3ed3bee
--- /dev/null
+++ b/sepolicy/hal_cas_default.te
@@ -0,0 +1 @@
+vndbinder_use(hal_cas_default);
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..5a07433
--- /dev/null
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,2 @@
+vndbinder_use(hal_drm_default);
+hal_client_domain(hal_drm_default, hal_graphics_composer)
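Review bot: The `# ranchu` block keeps the emulator's fixed virtio disk layout, labelling /dev/block/vda through vde as system, cache, userdata, metadata and system block devices by device name alone, although the commit message says emulator-specific entries were removed. On an Android-x86 install the disks are not arranged that way, and under a hypervisor that does expose virtio disks the labels would still be applied by name regardless of what each disk holds, so a disk that happens to enumerate as vde would be labelled system_block_device. Either drop the block or put a comment above it stating it applies only to VM guests with this exact layout. The `/vendor/lib(64)?/libOpenglSystemCommon\.so` entry deserves the same look: as far as I know that library belongs to the emulator's host-GL passthrough, and same_process_hal_file is the label for code loaded into the calling process, so it should only stay if the library is actually shipped on this board.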
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
new file mode 100644
index 0000000..42d462a
--- /dev/null
+++ b/sepolicy/hal_drm_widevine.te
@@ -0,0 +1,12 @@
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine);
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
new file mode 100644
index 0000000..0dd3d03
--- /dev/null
+++ b/sepolicy/hal_gnss_default.te
@@ -0,0 +1,3 @@
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..034bdef
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..95fa807
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1 @@
+allow healthd self:capability sys_nice;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..5e1a5d1
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,3 @@
+allow init tmpfs:lnk_file create_file_perms;
+dontaudit init kernel:system module_request;
+allow init tmpfs:lnk_file create_file_perms;
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..7a558b1
--- /dev/null
+++ b/sepolicy/installd.te
@@ -0,0 +1 @@
+allow installd self:process execmem;
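Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written against the `hal_drm` attribute rather than the `hal_drm_widevine` domain this file declares, so they reach every domain carrying that attribute — to my recollection of the global te_macros that is both the hal_drm server domains (hal_drm_default too, not just widevine) and any client joined through hal_client_domain — and let all of them use file descriptors handed over by mediacodec and by every non-isolated app. If only the widevine service needs this, write `allow hal_drm_widevine mediacodec:fd use;` and `allow hal_drm_widevine { appdomain -isolated_app }:fd use;`; if the attribute-wide grant is intended, a comment above the two lines should say which other hal_drm domains depend on it. Separately, this file ends macro calls with a semicolon (`vndbinder_use(hal_drm_widevine);`, `hal_client_domain(hal_drm_widevine, hal_graphics_composer);`) while hal_camera_default.te and hal_drm_default.te in the same patch leave it off `hal_client_domain(...)`; pick one form for the board policy.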
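Review bot: The raw `allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };`, and the identical rule for hal_graphics_composer_default in the next hunk, grant the device node by hand where the other HAL files in this patch use the `vndbinder_use(hal_camera_default);` macro, which as I remember its definition also carries the binder-side permissions a raw chr_file rule leaves to be discovered from the next round of denials. The `#============= hal_gnss_default ==============` banner and the trailing empty line are audit2allow output pasted verbatim, which is worth cleaning up in a file meant to be the board's baseline. Replace both with `vndbinder_use(hal_gnss_default)` and `vndbinder_use(hal_graphics_composer_default)`, and add a one-line comment saying why a GNSS HAL on this board talks over vndbinder at all.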
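Review bot: `allow init tmpfs:lnk_file create_file_perms;` appears twice in this three-line file, as the first and the last line; checkpolicy merges duplicate allow rules so the compiled policy is unaffected, but it reads as an artefact of concatenating the generic and generic_x86 copies the commit message mentions. Drop the third line and, while here, say in a comment what init creates under tmpfs that needs the link permissions.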
diff --git a/sepolicy/logpersist.te b/sepolicy/logpersist.te
new file mode 100644
index 0000000..cae03bb
--- /dev/null
+++ b/sepolicy/logpersist.te
@@ -0,0 +1,10 @@
+# See global logcat.te/logpersist.te, only set for eng & userdebug,
+# allow for all builds in a non-conflicting manner.
+
+domain_auto_trans(init, logcat_exec, logpersist)
+
+# Read from logd.
+unix_socket_connect(logpersist, logdr, logd)
+
+# Write to /dev/ttyS2 and /dev/ttyGF2.
+allow logpersist serial_device:chr_file { write open };
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..acf4e59
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec system_file:dir { open read };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..09a28b9
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,3 @@
+dontaudit netd self:capability sys_module;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit netd kernel:system module_request;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..3d16f32
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1,5 @@
+#TODO: b/62908025
+dontaudit priv_app firstboot_prop:file { getattr open };
+dontaudit priv_app device:dir { open read };
+dontaudit priv_app proc_interrupts:file { getattr open read };
+dontaudit priv_app proc_modules:file { getattr open read };
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..d216ff2
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,2 @@
+type radio_noril_prop, property_type;
+type opengles_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..3bfe5a1
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,2 @@
+ro.radio.noril u:object_r:radio_noril_prop:s0
+ro.opengles. u:object_r:opengles_prop:s0
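Review bot: `domain_auto_trans(init, logcat_exec, logpersist)` runs init's logcat invocation as logpersist on every build variant, and the header comment itself says the global policy only does this for eng and userdebug; "in a non-conflicting manner" explains how it avoids a duplicate-transition error, not why user builds should get a log-persisting daemon at all, so the comment should state that trade-off. `allow logpersist serial_device:chr_file { write open };` is justified by `# Write to /dev/ttyS2 and /dev/ttyGF2.`, but ttyGF is the goldfish emulator serial port the commit message says was stripped, and on a physical x86 machine a serial_device node is an externally readable sink for the whole log stream. Fix the comment to name the real target on this board, or wrap the rule as `userdebug_or_eng(\`allow logpersist serial_device:chr_file { write open };')` so it never ships on user builds.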
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 0000000..b246d7e
--- /dev/null
+++ b/sepolicy/shell.te
@@ -0,0 +1 @@
+allow shell serial_device:chr_file rw_file_perms;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..4c35469
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..9063095
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+get_prop(system_server, opengles_prop)
+get_prop(system_server, radio_noril_prop)
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..5f3bdd4
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1 @@
+dontaudit vold kernel:system module_request;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..0bf668a
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1,5 @@
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+allow zygote self:process execmem;
+allow zygote self:capability sys_nice;
-- 
2.11.0
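Review bot: `allow shell serial_device:chr_file rw_file_perms;` gives the adb shell domain read and write on every serial_device node on all build variants, with no comment on what it is for; on the emulator this served the console, but on hardware a serial port may be a modem, GPS receiver or debug UART, and this rule lets a shell user read from and write to that link. Either wrap it, `userdebug_or_eng(\`allow shell serial_device:chr_file rw_file_perms;')`, or add a comment above it naming the Android-x86 use case that needs it on user builds.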
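Review bot: `dontaudit webview_zygote mnt_expand_file:dir getattr;` is a rule for the webview_zygote domain but lives in zygote.te, so a reader or an audit script scanning per-domain files will not find it where the convention of one domain per .te file says it should be. Move it, together with the `# TODO (b/63631799) fix this access` comment, into a new sepolicy/webview_zygote.te (this patch creates no such file), leaving zygote.te with only the two zygote rules.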