am 2f1f01a6: am 1cab44f7: Merge "flo: updates for SELinux"

* commit '2f1f01a6': flo: updates for SELinux

am 2f1f01a6: am 1cab44f7: Merge "flo: updates for SELinux"
* commit '2f1f01a6': flo: updates for SELinux
4d5db3b3 · Nick Kralevich · Android Git Automerger · c2e0263a · 2f1f01a6 · 4d5db3b3
Commit 4d5db3b3 authored 10 years ago by Nick Kralevich Committed by Android Git Automerger 10 years ago
6 changed files
--- a/device-common.mk
+++ b/device-common.mk
@@ -60,7 +60,7 @@ PRODUCT_COPY_FILES += \
 	device/asus/flo/WCNSS_qcom_cfg.ini:system/etc/wifi/WCNSS_qcom_cfg.ini \
 	device/asus/flo/WCNSS_qcom_wlan_nv_flo.bin:system/etc/wifi/WCNSS_qcom_wlan_nv_flo.bin \
 	device/asus/flo/WCNSS_qcom_wlan_nv_deb.bin:system/etc/wifi/WCNSS_qcom_wlan_nv_deb.bin \
-	device/asus/flo/init.flo.wifi.sh:system/etc/init.flo.wifi.sh
+	device/asus/flo/init.flo.wifi.sh:system/bin/init.flo.wifi.sh

 PRODUCT_COPY_FILES += \
 	device/asus/flo/audio_policy.conf:system/etc/audio_policy.conf
@@ -81,7 +81,7 @@ PRODUCT_COPY_FILES += \
 	device/asus/flo/media_codecs.xml:system/etc/media_codecs.xml

 PRODUCT_COPY_FILES += \
-	device/asus/flo/kickstart_checker.sh:system/etc/kickstart_checker.sh
+	device/asus/flo/kickstart_checker.sh:system/bin/kickstart_checker.sh

 # Prebuilt kl and kcm keymaps
 PRODUCT_COPY_FILES += \
@@ -201,7 +201,7 @@ PRODUCT_PACKAGES += \
 	power.msm8960

 PRODUCT_COPY_FILES += \
-	device/asus/flo/init.flo.bt.sh:system/etc/init.flo.bt.sh
+	device/asus/flo/init.flo.bt.sh:system/bin/init.flo.bt.sh

 PRODUCT_PROPERTY_OVERRIDES += \
 	ro.qualcomm.bt.hci_transport=smd

--- a/init.flo.rc
+++ b/init.flo.rc
@@ -275,11 +275,10 @@ service rmt_storage /system/bin/rmt_storage
    user root
    group system

-service hciattach /system/bin/sh /system/etc/init.flo.bt.sh
+service hciattach /system/bin/init.flo.bt.sh
    class late_start
    user bluetooth
    group qcom_oncrpc bluetooth net_bt_admin system net_bt_stack
-    seclabel u:r:bluetooth_loader:s0
    disabled
    oneshot

@@ -294,11 +293,6 @@ service bridgemgrd /system/bin/bridgemgrd
    user radio
    group radio

-service qcom-c_main-sh /system/bin/sh /init.qcom.class_main.sh
-    class main
-    user root
-    oneshot
-
 # QMUX must be in multiple groups to support external process connections
 service qmuxd /system/bin/qmuxd
    class main
@@ -306,9 +300,8 @@ service qmuxd /system/bin/qmuxd
    group radio audio bluetooth gps net_bt_stack
    disabled

-service ks_checker /system/bin/sh /system/etc/kickstart_checker.sh
+service ks_checker /system/bin/kickstart_checker.sh
    class core
-    seclabel u:r:kickstart:s0
    oneshot

 service kickstart /system/bin/qcks -i /firmware/image/ -r /data/tombstones/mdm/
@@ -430,11 +423,10 @@ service qcamerasvr /system/bin/mm-qcamera-daemon
    user camera
    group camera system inet input

-service wcnss_init /system/bin/sh /system/etc/init.flo.wifi.sh
+service wcnss_init /system/bin/init.flo.wifi.sh
    class late_start
    user system
    group system wifi
-    seclabel u:r:conn_init:s0
    oneshot

 service bdAddrLoader /system/bin/bdAddrLoader -f /persist/bluetooth/.bdaddr -h -x

--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
-# Bluetooth executables and script (bdAddrLoader, init.mako.bt.sh)
+# Bluetooth executables and script (bdAddrLoader, init.flo.bt.sh)
 type bluetooth_loader, domain;
 type bluetooth_loader_exec, exec_type, file_type;

 # Start bdAddrLoader from init
 init_daemon_domain(bluetooth_loader)

-# Run init.mako.bt.sh
-allow bluetooth_loader shell_exec:file { entrypoint read };
+# Run init.flo.bt.sh
+allow bluetooth_loader shell_exec:file rx_file_perms;
 allow bluetooth_loader bluetooth_loader_exec:file rx_file_perms;

-# init.mako.bt.sh needs /system/bin/log access
+# init.flo.bt.sh needs /system/bin/log access
 allow bluetooth_loader devpts:chr_file rw_file_perms;

-# Run hci_qcomm_init from init.mako.bt.sh
+# Run hci_qcomm_init from init.flo.bt.sh
 domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
 allow hci_attach bluetooth_loader:fd use;

@@ -25,5 +25,5 @@ unix_socket_connect(bluetooth_loader, property, init)
 # Set persist.service.bdroid.* and bluetooth.* property values
 allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;

-# Allow getprop/setprop for init.mako.bt.sh
+# Allow getprop/setprop for init.flo.bt.sh
 allow bluetooth_loader system_file:file execute_no_trans;
--- a/sepolicy/conn_init.te
+++ b/sepolicy/conn_init.te
@@ -5,7 +5,7 @@ type conn_init_exec, exec_type, file_type;
 init_daemon_domain(conn_init)

 # Runs init.flo.wifi.sh
-allow conn_init shell_exec:file { entrypoint read };
+allow conn_init shell_exec:file rx_file_perms;
 allow conn_init conn_init_exec:file rx_file_perms;

 # Allow /persist/wifi access

--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -101,6 +101,7 @@
 /system/bin/qcks                   u:object_r:kickstart_exec:s0
 /system/bin/efsks                  u:object_r:kickstart_exec:s0
 /system/bin/ks                     u:object_r:kickstart_exec:s0
+/system/bin/kickstart_checker\.sh  u:object_r:kickstart_exec:s0

 /data/cam_socket[0-9]              u:object_r:camera_socket:s0
 /data/app/sensor_ctl_socket        u:object_r:sensors_socket:s0
@@ -114,7 +115,6 @@

 /system/bin/hci_qcomm_init         u:object_r:hci_attach_exec:s0
 /system/bin/bdAddrLoader           u:object_r:bluetooth_loader_exec:s0
-/system/etc/init\.mako\.bt\.sh        u:object_r:bluetooth_loader_exec:s0
 # rmt_storage is a qualcomm specific daemon responsible
 # for servicing modem filesystem requests.
 /system/bin/rmt_storage            u:object_r:rmt_exec:s0
@@ -127,7 +127,9 @@
 /system/bin/mm-qcamera-daemon      u:object_r:camera_exec:s0
 /system/bin/qseecomd               u:object_r:tee_exec:s0
 /system/bin/conn_init              u:object_r:conn_init_exec:s0
+/system/bin/init\.flo\.wifi\.sh    u:object_r:conn_init_exec:s0
 /system/bin/irsc_util              u:object_r:irsc_util_exec:s0
+/system/bin/init\.flo\.bt\.sh      u:object_r:bluetooth_loader_exec:s0

 # Persist firmware filesystem
 /persist(/.*)?                    u:object_r:persist_file:s0

--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -5,16 +5,13 @@ type kickstart_exec, file_type, exec_type;
 init_daemon_domain(kickstart)

 # Run kickstart_checker.sh
-allow kickstart shell_exec:file { entrypoint read };
-allow kickstart kickstart_exec:file { getattr open execute_no_trans };
+allow kickstart shell_exec:file rx_file_perms;
+allow kickstart kickstart_exec:file rx_file_perms;

 # kickstart_checker.sh changes block devices
 # /dev/block/platform/msm_sdcc.1/by-name/m9kefs*
 allow kickstart self:capability { chown fowner };

-# Spawn /system/bin/efsks and /system/bin/ks
-allow kickstart kickstart_exec:file { open execute_no_trans getattr };
-
 # Let qcks access /dev/mdm node (modem driver)
 allow kickstart radio_device:chr_file r_file_perms;