sepolicy: selinux changes for persist due to mount point changes.

1- labeling /mnt/vendor/persist to mnt_vendor_file. 2- adding vendor_persit_type attrbute for persist 2- removing persist related rule for coredomains 3- Adding required policy to access persist Change-Id: I0d9cd14ecd0653c37c8aee3a6a4f4e076c92abee
2018-05-30 12:06:41 -07:00
parent 5cb6a57305
commit c2224c66f9
18 changed files with 38 additions and 40 deletions
--- a/vendor/common/attributes
+++ b/vendor/common/attributes
@@ -52,3 +52,6 @@ attribute hal_display_config_server;
 attribute hal_display_postproc;
 attribute hal_display_postproc_client;
 attribute hal_display_postproc_server;
+
+# All types in /mnt/vendor/persist
+attribute vendor_persist_type;
--- a/vendor/common/diag.te
+++ b/vendor/common/diag.te
@@ -28,7 +28,7 @@ userdebug_or_eng(`
  wakelock_use(diag)
  allow diag kernel:system syslog_mod;
  # allow drmdiagapp access to drm related paths
-  allow diag persist_file:dir r_dir_perms;
+  allow diag mnt_vendor_file:dir r_dir_perms;
  r_dir_file(diag, persist_data_file)
  # Write to drm related pieces of persist partition
  allow diag persist_drm_file:file create_file_perms;
--- a/vendor/common/file.te
+++ b/vendor/common/file.te
@@ -72,17 +72,17 @@ type vendor_audio_data_file, file_type, data_file_type;
 type vendor_radio_data_file, file_type, data_file_type;
 type wifi_vendor_log_data_file, file_type, data_file_type;

-type persist_file, file_type;
-type persist_data_file, file_type;
+type persist_file, file_type, vendor_persist_type;
+type persist_data_file, file_type , vendor_persist_type;
 type persist_display_file, file_type;
-type persist_drm_file, file_type;
+type persist_drm_file, file_type, vendor_persist_type;
 type persist_elabel_file, file_type;
 type persist_haptics_file, file_type;
 type persist_rfs_file, file_type;
 type persist_sensors_file, file_type;
 type persist_time_file, file_type;
 type persist_audio_file, file_type;
-type persist_bluetooth_file, file_type;
+type persist_bluetooth_file, file_type, vendor_persist_type;

 type netmgr_data_file, file_type, data_file_type;
 type netmgr_recovery_data_file, file_type, data_file_type;
@@ -97,7 +97,7 @@ type modem_dump_file, file_type, data_file_type;
 type sensors_vendor_data_file, file_type, data_file_type;
 type port_bridge_data_file, file_type, data_file_type;
 type vendor_firmware_file, vendor_file_type, file_type;
-type bt_firmware_file, fs_type, contextmount_type;
+type bt_firmware_file, file_type, contextmount_type, vendor_file_type;
 type vendor_mdmhelperdata_data_file, file_type, data_file_type;

 #widevine data file
--- a/vendor/common/file_contexts
+++ b/vendor/common/file_contexts
@@ -72,7 +72,7 @@

 # files in /vendor
 /vendor/firmware(/.*)?          u:object_r:vendor_firmware_file:s0
-/bt_firmware(/.*)?              u:object_r:bt_firmware_file:s0
+/vendor/bt_firmware(/.*)?       u:object_r:vendor_firmware_file:s0

 /vendor/bin/ATFWD-daemon        u:object_r:atfwd_exec:s0
 /vendor/bin/hw/android\.hardware\.vr@1\.0-service.crosshatch      u:object_r:hal_vr_default_exec:s0
@@ -218,21 +218,18 @@
 /tombstones             u:object_r:rootfs:s0
 /dsp(/.*)?              u:object_r:adsprpcd_file:s0

-# files in firmware
-/firmware(/.*)?         u:object_r:firmware_file:s0

 # /persist
-/persist(/.*)?            u:object_r:persist_file:s0
-/persist/data(/.*)?       u:object_r:persist_data_file:s0
-/persist/display(/.*)?    u:object_r:persist_display_file:s0
-/persist/drm(/.*)?        u:object_r:persist_drm_file:s0
-/persist/elabel(/.*)?     u:object_r:persist_elabel_file:s0
-/persist/haptics(/.*)?    u:object_r:persist_haptics_file:s0
-/persist/hlos_rfs(/.*)?   u:object_r:persist_rfs_file:s0
-/persist/rfs(/.*)?        u:object_r:persist_rfs_file:s0
-/persist/sensors(/.*)?    u:object_r:persist_sensors_file:s0
-/persist/time(/.*)?       u:object_r:persist_time_file:s0
-/persist/audio(/.*)?      u:object_r:persist_audio_file:s0
+/mnt/vendor/persist/data(/.*)?       u:object_r:persist_data_file:s0
+/mnt/vendor/persist/display(/.*)?    u:object_r:persist_display_file:s0
+/mnt/vendor/persist/drm(/.*)?        u:object_r:persist_drm_file:s0
+/mnt/vendor/persist/elabel(/.*)?     u:object_r:persist_elabel_file:s0
+/mnt/vendor/persist/haptics(/.*)?    u:object_r:persist_haptics_file:s0
+/mnt/vendor/persist/hlos_rfs(/.*)?   u:object_r:persist_rfs_file:s0
+/mnt/vendor/persist/rfs(/.*)?        u:object_r:persist_rfs_file:s0
+/mnt/vendor/persist/sensors(/.*)?    u:object_r:persist_sensors_file:s0
+/mnt/vendor/persist/time(/.*)?       u:object_r:persist_time_file:s0
+/mnt/vendor/persist/audio(/.*)?      u:object_r:persist_audio_file:s0

 /metadata                 u:object_r:rootfs:s0
 /metadata/.*              u:object_r:vold_data_file:s0
@@ -254,7 +251,7 @@
 /sys/devices/virtual/xt_idletimer/timers(/.*)?                      u:object_r:sysfs_data:s0

 #persist_bluetooth_file
-/persist/bluetooth(/.*)? u:object_r:persist_bluetooth_file:s0
+/mnt/vendor/persist/bluetooth(/.*)? u:object_r:persist_bluetooth_file:s0


 /(vendor|system/vendor)/bin/hbtp_daemon         u:object_r:hbtp_exec:s0
--- a/vendor/common/hal_audio_default.te
+++ b/vendor/common/hal_audio_default.te
@@ -10,7 +10,7 @@ hal_client_domain(hal_audio_default, hal_power)

 # read-only permission to obtain the calibration data
 r_dir_file(hal_audio_default, persist_audio_file);
-allow hal_audio_default persist_file:dir search;
+allow hal_audio_default mnt_vendor_file:dir search;

 #Allow access to firmware
 allow hal_audio firmware_file:dir r_dir_perms;
--- a/vendor/common/hal_bluetooth_default.te
+++ b/vendor/common/hal_bluetooth_default.te
@@ -25,4 +25,4 @@ allow hal_bluetooth_default debugfs_ipc:file rw_file_perms;
 allow hal_bluetooth_default debugfs_ipc:dir  rw_dir_perms;
 ')

-r_dir_file(hal_bluetooth_default, persist_file)
+r_dir_file(hal_bluetooth_default, mnt_vendor_file)
--- a/vendor/common/hal_camera.te
+++ b/vendor/common/hal_camera.te
@@ -56,4 +56,7 @@ hal_client_domain(hal_camera_default, hal_perf)
 allow hal_camera_default sysfs_data:file read;
 allow hal_camera sysfs_data:file r_file_perms;

+allow hal_camera_default mnt_vendor_file:lnk_file r_file_perms;
+allow hal_camera_default mnt_vendor_file:dir r_dir_perms;
+
 r_dir_file(hal_camera_default, sysfs_graphics)
--- a/vendor/common/hal_graphics_composer_default.te
+++ b/vendor/common/hal_graphics_composer_default.te
@@ -8,7 +8,7 @@ allow hal_graphics_composer_default persist_display_file:file r_file_perms;

 allow hal_graphics_composer sysfs_graphics:dir r_dir_perms;
 allow hal_graphics_composer sysfs_graphics:file rw_file_perms;
-allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default mnt_vendor_file:dir search;

 allow hal_graphics_composer oemfs:dir r_dir_perms;

--- a/vendor/common/hal_sensors_default.te
+++ b/vendor/common/hal_sensors_default.te
@@ -1,5 +1,5 @@
 # read factory calibration and sensor configuration data
-allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default mnt_vendor_file:dir search;
 r_dir_file(hal_sensors_default, persist_sensors_file)

 # interact with the sensors low power island (SLPI) CPU
--- a/vendor/common/hal_vibrator_default.te
+++ b/vendor/common/hal_vibrator_default.te
@@ -3,4 +3,4 @@ allow hal_vibrator_default sysfs_leds:file rw_file_perms;

 # read-only permission to obtain the calibration data
 r_dir_file(hal_vibrator_default, persist_haptics_file)
-allow hal_vibrator_default persist_file:dir search;
+allow hal_vibrator_default mnt_vendor_file:dir search;
--- a/vendor/common/init-qcom-sensors-sh.te
+++ b/vendor/common/init-qcom-sensors-sh.te
@@ -33,7 +33,7 @@ init_daemon_domain(init-qcom-sensors-sh)
 allow init-qcom-sensors-sh vendor_shell_exec:file rx_file_perms;
 allow init-qcom-sensors-sh vendor_toolbox_exec:file rx_file_perms;

-r_dir_file(init-qcom-sensors-sh, persist_file)
+r_dir_file(init-qcom-sensors-sh, mnt_vendor_file)
 r_dir_file(init-qcom-sensors-sh, persist_sensors_file)

 allow init-qcom-sensors-sh persist_sensors_file:file setattr;
--- a/vendor/common/init.te
+++ b/vendor/common/init.te
@@ -1,7 +1,7 @@
 allow init {
    adsprpcd_file
    cache_file
-    persist_file
+    mnt_vendor_file
    storage_file
 }:dir mounton;

@@ -10,7 +10,7 @@ allow init tmpfs:lnk_file create;

 allow init tty_device:chr_file rw_file_perms;

-allow init persist_file:dir mounton;
+allow init mnt_vendor_file:dir mounton;

 allow init ab_block_device:lnk_file relabelto;

--- a/vendor/common/init_shell.te
+++ b/vendor/common/init_shell.te
@@ -19,8 +19,8 @@ allow qti_init_shell vendor_toolbox_exec:file  rx_file_perms;
 allow qti_init_shell sysfs_graphics:file {rw_file_perms setattr};
 allow qti_init_shell sysfs:file setattr;

-allow qti_init_shell persist_file:dir w_dir_perms;
-allow qti_init_shell persist_file:file create_file_perms;
+allow qti_init_shell mnt_vendor_file:dir w_dir_perms;
+allow qti_init_shell mnt_vendor_file:file create_file_perms;
 allow qti_init_shell smd_device:chr_file rw_file_perms;

 # Run helpers from / or /system without changing domain.
@@ -71,7 +71,7 @@ allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
 allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;

 # To start sensors for DSPS enabled platforms
-r_dir_file(qti_init_shell, persist_file)
+r_dir_file(qti_init_shell, mnt_vendor_file)
 r_dir_file(qti_init_shell, persist_bluetooth_file)

 allow qti_init_shell { proc proc_net}:file write;
--- a/vendor/common/sensors.te
+++ b/vendor/common/sensors.te
@@ -15,7 +15,7 @@ allowxperm sensors self:socket ioctl msm_sock_ipc_ioctls;

 allow sensors persist_sensors_file:dir rw_dir_perms;
 allow sensors persist_sensors_file:file create_file_perms;
-allow sensors persist_file:dir { getattr search };
+allow sensors mnt_vendor_file:dir { getattr search };

 allow sensors sensors_vendor_data_file:dir create_dir_perms;
 allow sensors sensors_vendor_data_file:file create_file_perms;
--- a/vendor/common/tee.te
+++ b/vendor/common/tee.te
@@ -11,7 +11,7 @@ allow tee rpmb_device:blk_file rw_file_perms;
 allow tee ssd_block_device:blk_file rw_file_perms;
 allow tee sg_device:chr_file { rw_file_perms setattr };

-allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee persist_drm_file:dir create_dir_perms;
 allow tee persist_drm_file:file create_file_perms;
 allow tee persist_data_file:dir create_dir_perms;
--- a/vendor/common/time_daemon.te
+++ b/vendor/common/time_daemon.te
@@ -19,7 +19,7 @@ allow time_daemon persist_time_file:dir w_dir_perms;
 allow time_daemon persist_time_file:file create_file_perms;
 allow time_daemon persist_time_file:dir search;

-allow time_daemon persist_file:dir search;
+allow time_daemon mnt_vendor_file:dir search;

 allow time_daemon self:socket create_socket_perms;
 allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
--- a/vendor/common/vold.te
+++ b/vendor/common/vold.te
@@ -1,3 +1,2 @@
 get_prop(vold, vendor_tee_listener_prop)

-allow vold persist_file:dir r_dir_perms;
--- a/vendor/sdm710/file_contexts
+++ b/vendor/sdm710/file_contexts
@@ -79,10 +79,6 @@
 /dev/block/platform/soc/7c4000.sdhci/by-name/storsec                            u:object_r:boot_block_device:s0


-##################################
-# non-hlos mount points
-/firmware                  u:object_r:firmware_file:s0
-/bt_firmware               u:object_r:bt_firmware_file:s0

 #################################
 # libs