From: Joshua Brindle <[email protected]>

I haven't finished this and won't be able to get back to it for a little while 
so I thought I'd throw it out in case anyone else is working on it.

A word of warning: kickstart is scary. It reads and writes raw partitions at boot,
I believe to extract/update binary blobs that aren't distributed. It runs several
programs and is launched both by init directly and via init running sh. I haven't
yet worked out what can be denied to it without it misbehaving.

Change-Id: If5bfbe4eee8237fa6ca299639484a07f29a2853d
---
 BoardConfig.mk          |    9 +++++++++
 sepolicy/file_contexts  |   28 ++++++++++++++++++++++++++++
 sepolicy/genfs_contexts |    2 ++
 sepolicy/ks.te          |   24 ++++++++++++++++++++++++
 sepolicy/mediaserver.te |    4 ++++
 5 files changed, 67 insertions(+)
 create mode 100644 sepolicy/file_contexts
 create mode 100644 sepolicy/genfs_contexts
 create mode 100644 sepolicy/ks.te
 create mode 100644 sepolicy/mediaserver.te

diff --git a/BoardConfig.mk b/BoardConfig.mk
index 43d8531..4a0f509 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -90,4 +90,13 @@ TARGET_NO_RPC := true
 
 TARGET_RELEASETOOLS_EXTENSIONS := device/lge/mako
 
+BOARD_SEPOLICY_DIRS := \
+        device/lge/mako/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+        file_contexts \
+        genfs_contexts \
+        mediaserver.te \
+        ks.te
+
 -include vendor/lge/mako/BoardConfigVendor.mk
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..e11f03c
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,28 @@
+/dev/v4l-subdev.*              u:object_r:video_device:s0
+/dev/media.*                   u:object_r:video_device:s0
+/dev/gemini0                   u:object_r:video_device:s0
+/dev/msm_camera.*              u:object_r:video_device:s0
+/dev/kgsl-3d0                  u:object_r:graphics_device:s0
+
+/dev/hsicct.*                  u:object_r:radio_device:s0
+/dev/mdm                       u:object_r:radio_device:s0
+/dev/smdcnt.*                  u:object_r:radio_device:s0
+/dev/ttyUSB0                   u:object_r:radio_device:s0
+
+/dev/msm_vidc_dec              u:object_r:audio_device:s0
+/dev/msm_vidc_dec_sec          u:object_r:audio_device:s0
+/dev/msm_vidc_enc              u:object_r:audio_device:s0
+/dev/msm_rtac                  u:object_r:audio_device:s0
+/dev/msm_mp3                   u:object_r:audio_device:s0
+/dev/msm_acdb                  u:object_r:audio_device:s0
+
+/dev/bcm2079x-i2c              u:object_r:nfc_device:s0
+
+/data/misc/audio/mbhc.bin      u:object_r:media_fw:s0
+
+/system/bin/ks                 u:object_r:ks_exec:s0
+/system/bin/qcks               u:object_r:ks_exec:s0
+/system/bin/efsks              u:object_r:ks_exec:s0
+
+# kickstart reads and writes mmcblk0p8
+/dev/block/mmcblk0p8           u:object_r:ks_block_device:s0
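Review bot: Only `/dev/block/mmcblk0p8` is labeled `ks_block_device` here, while the comment in ks.te says kickstart reads and writes mmcblk0p{8,9}; with this file alone p9 keeps the generic `block_device` label, to which the ks domain is given no blk_file access, so that access would be denied. Either add `/dev/block/mmcblk0p9 u:object_r:ks_block_device:s0` or correct the comment so the labeled set and the documented set match. The `/dev/msm_vidc_*` entries are placed under `audio_device`; the names suggest the video codec driver, so it is worth confirming that `video_device` is not the intended label before mediaserver's audio rules are relied on for them.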
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..b97bd5a
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,2 @@
+# mako vfat is /firmware
+genfscon vfat / u:object_r:radio_firmware:s0
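Review bot: `genfscon vfat / u:object_r:radio_firmware:s0` labels every vfat filesystem the kernel mounts, not just /firmware, so any vfat-formatted USB mass-storage device attached via OTG (or any future vfat mount) would also carry the `radio_firmware` label and be readable by the ks domain under its `radio_firmware:file` rule. genfscon cannot distinguish mounts of the same filesystem type, so if this is unavoidable the comment should say so explicitly, e.g. `# NOTE: applies to every vfat mount, not only /firmware`, and any other vfat mounts on this device should be checked against the domains that are granted radio_firmware access.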
diff --git a/sepolicy/ks.te b/sepolicy/ks.te
new file mode 100644
index 0000000..d1709de
--- /dev/null
+++ b/sepolicy/ks.te
@@ -0,0 +1,24 @@
+#kickstart
+
+type ks, domain;
+type ks_exec, exec_type, file_type;
+type ks_block_device, file_type, dev_type;
+
+# ks is run by init by running sh
+domain_auto_trans(shell, ks_exec, ks)
+
+# qcks is run by init directly
+domain_auto_trans(init, ks_exec, ks)
+
+# ks runs itself
+allow ks ks_exec:file rx_file_perms;
+
+# ks reads from /firmware/image
+allow ks radio_firmware:file r_file_perms;
+
+# ks reads and writes /dev/block/mmcblk0p{8,9}
+allow ks block_device:lnk_file r_file_perms;
+allow ks ks_block_device:blk_file rw_file_perms;
+
+# and writes to /dev/block/platform/msm_sdcc.1/by-name
+
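Review bot: `domain_auto_trans(shell, ks_exec, ks)` lets any process already in the shell domain — including an interactive adb shell — execute /system/bin/ks and enter a domain with read/write access to a raw block device, which turns kickstart into a privilege path for the shell user; if the `sh` that init spawns runs in init's domain rather than the interactive shell domain, the init transition on the following line may already cover that launch path and the shell transition could be dropped, but that needs confirming from the init scripts. The comment `# and writes to /dev/block/platform/msm_sdcc.1/by-name` is followed by no rule, and the `block_device:lnk_file` read plus `ks_block_device` write rules do not obviously cover that path, so either add the rule that was intended or mark the line as a TODO. The comment mentions mmcblk0p{8,9}, but only p8 is labeled `ks_block_device` in this patch, so the p9 access described here would be denied.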
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..54a5f1f
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,4 @@
+# mediaserver - multimedia daemon
+type media_fw, file_type;
+
+allow mediaserver media_fw:file rw_file_perms;
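Review bot: `allow mediaserver media_fw:file rw_file_perms;` grants mediaserver write access to /data/misc/audio/mbhc.bin, a calibration/firmware-style blob, from a domain that parses untrusted media and is a frequent exploitation target; a compromised mediaserver could then alter what the audio driver is fed. If the file is only read at runtime the rule should be `allow mediaserver media_fw:file r_file_perms;`, and if writes really happen they deserve a comment stating who writes it and why. The exact access needed cannot be determined from this patch, so the narrower rule should be tried first and widened only on an observed denial.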
-- 
1.7.9.5

