clean sepolicy project

Tracked-On: OAM-84134
Signed-off-by: Sun, Yi J <[email protected]>
Signed-off-by: sheng wei <[email protected]>

boot-arch/project-celadon/cel_kbl/postinstall.te → abota/efi/postinstall.te

@@ -1,6 +1,3 @@
-typeattribute postinstall system_writes_vendor_properties_violators;
-typeattribute postinstall system_executes_vendor_violators;
-
 recovery_only(`
   allow postinstall rootfs:file rx_file_perms;
 ')

abota/fw_update/file_contexts

@@ -0,0 +1 @@
+(/system)?/vendor/bin/fw_update.sh u:object_r:fw_update_exec:s0

abota/fw_update/fw_update.te

@@ -0,0 +1,25 @@
+# seclabel is specified in init.rc
+type fw_update, domain;
+type fw_update_exec, exec_type, file_type, vendor_file_type;
+
+recovery_only(`
+  domain_trans(init, rootfs, fw_update)
+  allow fw_update rootfs:file rx_file_perms;
+')
+
+init_daemon_domain(fw_update)
+
+not_full_treble(`
+  binder_use(fw_update)
+  add_service(fw_update, fw_update_service)
+')
+
+allow fw_update proc:file r_file_perms;
+allow fw_update userdata_block_device:{ lnk_file blk_file } w_file_perms;
+allow fw_update vendor_toolbox_exec:file execute_no_trans;
+allow fw_update vendor_file:file execute_no_trans;
+allow fw_update block_device:dir search;
+allow fw_update boot_block_device:blk_file r_file_perms;
+allow fw_update tmpfs:dir w_dir_perms;
+allow fw_update tmpfs:file w_file_perms;
+allow fw_update proc_cmdline:file r_file_perms;

abota/fw_update/no_vendor_prefix/fw_update.te

@@ -0,0 +1 @@
+set_prop(fw_update, ota_prop)

abota/fw_update/service.te

@@ -0,0 +1 @@
+type fw_update_service, service_manager_type;

abota/fw_update/service_contexts

@@ -0,0 +1 @@
+fw_update u:object_r:fw_update_service:s0

abota/fw_update/vendor_prefix/fw_update.te

@@ -0,0 +1 @@
+set_prop(fw_update, vendor_ota_prop)

boot-arch/abl/init.te → abota/generic/init.te

@@ -1,3 +1,2 @@
 allow init system_file:system module_load;
 allow init tmpfs:file r_file_perms;
-allow init { boot_block_device vendor_block_device }:lnk_file relabelto;

abota/generic/no_vendor_prefix/postinstall.te

@@ -0,0 +1,4 @@
+typeattribute postinstall system_writes_vendor_properties_violators;
+typeattribute postinstall system_executes_vendor_violators;
+set_prop(postinstall, ota_prop)
+

abota/generic/no_vendor_prefix/property.te

@@ -0,0 +1 @@
+type ota_prop, property_type;

abota/generic/no_vendor_prefix/property_contexts

@@ -0,0 +1,2 @@
+ota.update.abl               u:object_r:ota_prop:s0
+ota.update.sbl               u:object_r:ota_prop:s0

abota/generic/no_vendor_prefix/vendor_init.te

@@ -0,0 +1 @@
+set_prop(vendor_init, ota_prop)

abota/generic/postinstall.te

@@ -0,0 +1,4 @@
+recovery_only(`
+  allow postinstall rootfs:file rx_file_perms;
+')
+

boot-arch/project-celadon/cel_kbl/update_engine.te → abota/generic/update_engine.te

@@ -1,15 +1,14 @@
 allow update_engine vendor_block_device:blk_file rw_file_perms;
+allow update_engine product_block_device:blk_file rw_file_perms;
+allow update_engine odm_block_device:blk_file rw_file_perms;
+allow update_engine acpi_block_device:blk_file rw_file_perms;
+allow update_engine acpio_block_device:blk_file rw_file_perms;
 allow update_engine tmpfs:dir r_dir_perms;
 allow update_engine tmpfs:file r_file_perms;
 allow update_engine tmpfs:lnk_file r_file_perms;
-allow update_engine vendor_shell_exec:file rx_file_perms;
 
 allow update_engine platform_app:binder call;
 allow update_engine vfat:dir search;
 allow update_engine vfat:file r_file_perms;
-allow update_engine sdcardfs:dir search;
-allow update_engine sdcardfs:file r_file_perms;
 allow update_engine mnt_media_rw_file:file r_file_perms;
 allow update_engine mnt_media_rw_file:dir r_dir_perms;
-allow update_engine storage_file:file r_file_perms;
-allow update_engine storage_file:dir r_dir_perms;

abota/generic/vendor_prefix/postinstall.te

@@ -0,0 +1,3 @@
+typeattribute postinstall system_writes_vendor_properties_violators;
+typeattribute postinstall system_executes_vendor_violators;
+set_prop(postinstall, vendor_ota_prop)

abota/generic/vendor_prefix/property.te

@@ -0,0 +1 @@
+type vendor_ota_prop, property_type;

abota/generic/vendor_prefix/property_contexts

@@ -0,0 +1 @@
+vendor.ota.update.fw               u:object_r:vendor_ota_prop:s0

abota/generic/vendor_prefix/vendor_init.te

@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_ota_prop)

abota/xbl/drmrpc.te

@@ -0,0 +1,20 @@
+# Abl_user_cmd service, which is set the drmrpc service property,
+# would capsule the target slot info message and write it into
+# /dev/mei interface to notice ABL to update itself.
+#
+# There are two types of abl_user_cmd service, the one is under the
+# vendor partition in normal boot mode, and the another is under the
+# ramdisk in the recovery mode.
+
+type drmrpc, domain;
+
+not_recovery_only(`
+  type drmrpc_exec, exec_type, file_type, vendor_file_type;
+  init_daemon_domain(drmrpc)
+')
+
+recovery_only(`
+  typeattribute drmrpc coredomain;
+  domain_trans(init, rootfs, drmrpc)
+')
+allow drmrpc tee_device:chr_file rw_file_perms;

abota/xbl/file_contexts

@@ -0,0 +1,2 @@
+/vendor/bin/abl-user-cmd_vendor					u:object_r:drmrpc_exec:s0
+/vendor/bin/sbl-user-cmd_vendor					u:object_r:drmrpc_exec:s0

abota/xbl/init.te

@@ -0,0 +1 @@
+allow init block_device:lnk_file relabelfrom;

autodetect/false/init.te

@@ -0,0 +1 @@
+allow init self:capability sys_module;

autodetect/true/adbd.te

@@ -0,0 +1,2 @@
+allow adbd hal_socket:sock_file write;
+allow adbd hal:unix_stream_socket connectto;

autodetect/true/appdomain.te

@@ -0,0 +1 @@
+unix_socket_connect(appdomain, hal, hal)

autodetect/true/bluetooth.te

@@ -0,0 +1,6 @@
+allow bluetooth hal_socket:sock_file write;
+allow bluetooth hal:fd use;
+allow bluetooth hal:unix_stream_socket { connectto read write };
+allow bluetooth rfkill:fd use;
+allow bluetooth self:netlink_socket create_socket_perms;
+

autodetect/true/bootanim.te

@@ -0,0 +1,6 @@
+#
+# bootanim
+#
+
+# hal access
+unix_socket_connect(bootanim, hal, hal)

autodetect/true/cameraserver.te

@@ -0,0 +1 @@
+unix_socket_connect(cameraserver, hal, hal)

autodetect/true/device.te

@@ -0,0 +1 @@
+type hal_device, dev_type;

autodetect/true/drmserver.te

@@ -0,0 +1 @@
+unix_socket_connect(drmserver, hal, hal)

autodetect/true/file.te

@@ -0,0 +1,7 @@
+# HAL
+# Now that MLS is enabled on plat_app, we need to make the hal
+# socket an mlstrustedsubject.
+type hal_socket, file_type, mlstrustedobject;
+
+# Hal mounts a lot of filesystems, label the locations specifically
+type hal_mnt_pnt, file_type;

autodetect/true/file_contexts

@@ -0,0 +1,28 @@
+# Bluetooth
+/dev/ttyBT[0-9]             u:object_r:hci_attach_dev:s0
+
+#HAL
+/dev/socket/halbindings     u:object_r:hal_socket:s0
+
+/dev/hald.ready             u:object_r:hal_device:s0
+
+/system/bin/hald            u:object_r:hal_exec:s0
+/system/bin/hald_media_hook u:object_r:hal_exec:s0
+/system/bin/halctl          u:object_r:hal_exec:s0
+
+/system/rt/hal_mnt_pnt(/.*)?   u:object_r:hal_mnt_pnt:s0
+# hal mounts filesystems at:
+#  /system/etc/permissions
+#  /system/etc/atomisp
+#  /system/etc/modprobe.d
+/system/etc/permissions(/.*)?  u:object_r:hal_mnt_pnt:s0
+/system/etc/atomisp(/.*)?      u:object_r:hal_mnt_pnt:s0
+/system/etc/modprobe.d(/.*)?   u:object_r:hal_mnt_pnt:s0
+# dm device mounted here
+/system/rt/gfx                 u:object_r:hal_mnt_pnt:s0
+/system/rt/hal_fuse            u:object_r:hal_mnt_pnt:s0
+/system/rt/media               u:object_r:hal_mnt_pnt:s0
+/system/rt/wifi                u:object_r:hal_mnt_pnt:s0
+
+#rfkill
+(/system)?/vendor/bin/rfkillp         u:object_r:rfkill_exec:s0

autodetect/true/gatekeeperd.te

@@ -0,0 +1 @@
+unix_socket_connect(gatekeeperd, hal, hal)