Commit caf49167 authored by Bernhard Thoben's avatar Bernhard Thoben
Browse files

Enabled SELinux in enforced mode

This is an important security feature!

Change-Id: Ie0cef85575aeff77bbf7b638ef1dd149c511c14f
parent 9639c608
#
# Copyright (C) 2016 The CyanogenMod Project
# Copyright (C) 2017-2020 The LineageOS Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......
#
# Copyright (C) 2016 The CyanogenMod Project
# Copyright (C) 2017-2020 The LineageOS Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -47,7 +48,8 @@ TARGET_USES_64_BIT_BCMDHD := true
ENABLE_CPUSETS := true
# Boot image/kernel
BOARD_KERNEL_CMDLINE := androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 boot_cpus=0-5 loop.max_part=7 dwc3_msm.hvdcp_max_current=1500 dwc3_msm.prop_chg_detect=Y coherent_pool=2M androidboot.selinux=permissive
BOARD_KERNEL_CMDLINE := androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 boot_cpus=0-5 loop.max_part=7 dwc3_msm.hvdcp_max_current=1500 dwc3_msm.prop_chg_detect=Y coherent_pool=2M
# BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
BOARD_KERNEL_IMAGE_NAME := Image.gz-dtb
BOARD_KERNEL_PAGESIZE := 4096
BOARD_KERNEL_BASE := 0x00000000
......@@ -193,9 +195,7 @@ TARGET_LD_SHIM_LIBS := \
# SELinux
include device/qcom/sepolicy-legacy/sepolicy.mk
BOARD_SEPOLICY_DIRS += \
$(COMMON_PATH)/sepolicy-minimal
BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy
# WiFi
BOARD_WLAN_DEVICE := bcmdhd
......
#
# Copyright (C) 2016 The CyanogenMod Project
# Copyright (C) 2017 The LineageOS Project
# Copyright (C) 2017-2020 The LineageOS Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -326,7 +326,4 @@ PRODUCT_PACKAGES += \
wpa_supplicant \
wpa_supplicant.conf
PRODUCT_PACKAGES += \
macaddrsetup
$(call inherit-product, hardware/broadcom/wlan/bcmdhd/config/config-bcm.mk)
......@@ -238,7 +238,7 @@ on boot
mkdir /data/nfc 0770 nfc nfc
mkdir /data/nfc/param 0770 nfc nfc
# Set the console loglevel to < KERN_INFO
# Set the console loglevel to lt. KERN_INFO
# Set the default message loglevel to KERN_INFO
write /proc/sys/kernel/printk "6 6 1 7"
......@@ -556,7 +556,7 @@ service adsprpcd /system/bin/adsprpcd
group media drmrpc
# SONY misc
service tad_static /system/bin/tad_static /dev/block/bootdevice/by-name/TA 0,16
service tad /system/bin/tad_static /dev/block/bootdevice/by-name/TA 0,16
class core
user oem_2997
group oem_2997 root
......@@ -650,19 +650,18 @@ service per_proxy /system/bin/pm-proxy
group system net_raw
disabled
service ppd /system/vendor/bin/mm-pp-daemon
class hal
user system
socket pps stream 0660 system system
group system graphics
writepid /dev/cpuset/system-background/tasks
on property:init.svc.per_mgr=running
start per_proxy
on property:sys.shutdown.requested=*
stop per_proxy
service ppd /system/vendor/bin/mm-pp-daemon
class hal
user system
socket pps stream 0660 system system
group system graphics
# brcm-uim-sysfs (BT/FM/ANT+)
#service uim /system/vendor/bin/brcm-uim-sysfs
# class late_start
......
type idd_file, file_type;
type rca_file, file_type;
/idd(/.*)? u:object_r:firmware_file:s0
/rca(/.*)? u:object_r:firmware_file:s0
type addrsetup, domain, domain_deprecated;
type addrsetup_exec, exec_type, file_type;
# Started by init
init_daemon_domain(addrsetup)
# Connect to /dev/socket/tad
unix_socket_connect(addrsetup, tad, tad)
allow addrsetup bluetooth_data_file:dir rw_dir_perms;
allow addrsetup bluetooth_data_file:file create_file_perms;
allow addrsetup sysfs_addrsetup:file rw_file_perms;
allow addrsetup urandom_device:file read;
allow addrsetup tad_socket:sock_file { write };
allow audioserver tad:unix_stream_socket connectto;
allow audioserver tad_socket:sock_file write;
allow audioserver perfd:unix_stream_socket connectto;
allow audioserver socket_device:sock_file write;
allow bluetooth hci_attach_dev:chr_file { open read write };
allow bluetooth ta_data_file:file { open read };
allow bluetooth ta_data_file:dir { search };
allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
allow cameraserver mm-qcamerad:unix_stream_socket connectto;
allow cameraserver camera_data_file:sock_file write;
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver perfd:unix_stream_socket connectto;
allow cameraserver rootfs:lnk_file getattr;
allow cameraserver sysfs_camera_torch:file rw_file_perms;
allow cameraserver sysfs_camera_torch:dir search;
allow cameraserver sysfs_camera_torch:lnk_file read;
allow cameraserver ta_data_file:dir search;
allow cameraserver secd:unix_stream_socket connectto;
allow cameraserver secd_socket:sock_file write;
allow cameraserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow cameraserver hal_configstore_default:binder call;
allow cameraserver socket_device:sock_file write;
allow cameraserver sysfs_graphics:file { getattr open read };
allow cameraserver init:unix_dgram_socket sendto;
allow cameraserver qcamerasvr:unix_dgram_socket sendto;
allow cameraserver qcamerasvr:unix_stream_socket connectto;
allow clatd system_file:file lock;
type trim_area_partition_device, dev_type;
type diag_partition_device, dev_type;
type subsys_modem_device, dev_type;
# BRCM BT FM
type brcm_ldisc_sysfs, sysfs_type, fs_type;
type brcm_uim_exec, exec_type, file_type;
# TAD
type tad_socket, file_type;
type ta_data_file, file_type;
......@@ -14,10 +10,14 @@ type sysfs_timekeep, fs_type, sysfs_type;
# Macaddr
type sysfs_addrsetup, fs_type, sysfs_type;
type proc_kernel_sched, fs_type;
type sysfs_camera_torch, sysfs_type, file_type;
type sysfs_performance, sysfs_type, fs_type;
type sysfs_msm_subsys, sysfs_type, fs_type;
# Fingerprint
type fpc_data_file, file_type;
# Camera
type sysfs_camera, sysfs_type, fs_type;
type sysfs_performance, sysfs_type, fs_type;
# NFC
/dev/pn54x u:object_r:nfc_device:s0
/dev/pn54x u:object_r:nfc_device:s0
/system/bin/macaddrsetup u:object_r:addrsetup_exec:s0
/system/bin/timekeep u:object_r:timekeep_exec:s0
/system/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
/system/bin/sct_service u:object_r:sct_exec:s0
/system/bin/tad_static u:object_r:tad_exec:s0
/system/bin/ta_qmi_service u:object_r:ta_qmi_exec:s0
/system/bin/taimport u:object_r:taimport_exec:s0
/system/bin/init\.qcom\.power\.sh u:object_r:init-power-sh_exec:s0
/system/bin/updatemiscta u:object_r:ta_qmi_exec:s0
/system/bin/secd u:object_r:secd_exec:s0
/system/vendor/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
/system/vendor/bin/sct_service u:object_r:sct_exec:s0
/system/vendor/bin/tad_static u:object_r:tad_exec:s0
/system/vendor/bin/ta_qmi_service u:object_r:ta_qmi_exec:s0
/system/vendor/bin/taimport u:object_r:taimport_exec:s0
/system/vendor/bin/updatemiscta u:object_r:ta_qmi_exec:s0
/system/vendor/bin/secd u:object_r:secd_exec:s0
/dev/block/mmcblk0p1 u:object_r:trim_area_partition_device:s0
/dev/block/platform/soc\.0/7824900\.sdhci/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/platform/msm_sdcc\.1/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/bootdevice/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/platform/soc\.0/7824900\.sdhci/by-name/diag u:object_r:diag_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/diag u:object_r:diag_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-num/p39 u:object_r:diag_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/mmcblk0p39 u:object_r:diag_partition_device:s0
/dev/block/bootdevice/by-name/diag u:object_r:diag_partition_device:s0
/dev/block/bootdevice/by-num/p39 u:object_r:diag_partition_device:s0
/dev/block/bootdevice/mmcblk0p39 u:object_r:diag_partition_device:s0
/dev/block/mmcblk0p39 u:object_r:diag_partition_device:s0
/dev/block/mmcblk0p1 u:object_r:trim_area_partition_device:s0
/dev/block/platform/soc\.0/7824900\.sdhci/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/platform/msm_sdcc\.1/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/bootdevice/by-name/TA u:object_r:trim_area_partition_device:s0
/dev/block/platform/soc\.0/7824900\.sdhci/by-name/diag u:object_r:diag_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/diag u:object_r:diag_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-num/p39 u:object_r:diag_partition_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/mmcblk0p39 u:object_r:diag_partition_device:s0
/dev/block/bootdevice/by-name/diag u:object_r:diag_partition_device:s0
/dev/block/bootdevice/by-num/p39 u:object_r:diag_partition_device:s0
/dev/block/bootdevice/mmcblk0p39 u:object_r:diag_partition_device:s0
/dev/block/mmcblk0p39 u:object_r:diag_partition_device:s0
# WiFi MAC address
/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0
/sys/devices(/soc\.0)?/bcmdhd_wlan.83/macaddr u:object_r:sysfs_addrsetup:s0
/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0
/sys/devices(/soc\.0)?/bcmdhd_wlan.83/macaddr u:object_r:sysfs_addrsetup:s0
# Camera
/sys/devices(/soc\.0)?/pmi8994-flash-27(/.*)? u:object_r:sysfs_camera_torch:s0
# MSM Performance
/sys/module/msm_performance(/.*)? u:object_r:sysfs_performance:s0
/sys/devices(/soc\.0)?/pmi8994-flash-27(/.*)? u:object_r:sysfs_camera_torch:s0
# HCI
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
/dev/brcm_bt_drv u:object_r:hci_attach_dev:s0
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
/dev/brcm_bt_drv u:object_r:hci_attach_dev:s0
/dev/subsys_modem u:object_r:subsys_modem_device:s0
# Taimport
/data/etc u:object_r:ta_data_file:s0
/data/etc(/.*) u:object_r:ta_data_file:s0
/data/etc u:object_r:ta_data_file:s0
/data/etc(/.*) u:object_r:ta_data_file:s0
#TA
/dev/socket/tad u:object_r:tad_socket:s0
/dev/socket/secd_credmgr_sock u:object_r:secd_socket:s0
/dev/socket/secd_devsec_sock u:object_r:secd_socket:s0
/dev/socket/secd_ebl_sock u:object_r:secd_socket:s0
/data/credmgr u:object_r:secd_data_file:s0
/data/credmgr(/.*) u:object_r:secd_data_file:s0
/idd u:object_r:diag_data_file:s0
/idd(/.*)? u:object_r:diag_data_file:s0
# Fingerprint sensor SPI device
/data/fpc(/.*)? u:object_r:fpc_data_file:s0
/data/fpcd(/.*)? u:object_r:fpc_data_file:s0
# TimeKeep
/data/time(/.*) u:object_r:timekeep_data_file:s0
# TA
/dev/socket/tad u:object_r:tad_socket:s0
/dev/socket/secd_credmgr_sock u:object_r:secd_socket:s0
/dev/socket/secd_devsec_sock u:object_r:secd_socket:s0
/dev/socket/secd_ebl_sock u:object_r:secd_socket:s0
/data/credmgr u:object_r:secd_data_file:s0
/data/credmgr(/.*) u:object_r:secd_data_file:s0
/idd u:object_r:diag_data_file:s0
/idd(/.*)? u:object_r:diag_data_file:s0
/rca(/.*)? u:object_r:firmware_file:s0
# Fingerprint sensor SPI device
# TimeKeep
/data/time(/.*) u:object_r:timekeep_data_file:s0
/data/fpcd(/.*)? u:object_r:fpcd_old_data_file:s0
# Misc
/system/bin/adsprpcd u:object_r:adsprpcd_exec:s0
/system/bin/iddd u:object_r:iddd_exec:s0
/system/bin/init\.qcom\.power\.sh u:object_r:init-power-sh_exec:s0
/system/bin/irsc_util u:object_r:irsc_util_exec:s0
/system/bin/loc_launcher u:object_r:loc_launcher_exec:s0
/system/bin/mlog_qmi_service u:object_r:mlog_qmi_service_exec:s0
/system/bin/mm-qcamera-daemon u:object_r:qcamerasvr_exec:s0
/system/bin/msm_irqbalance u:object_r:msm_irqbalance_exec:s0
/system/bin/netmgrd u:object_r:netmgrd_exec:s0
/system/bin/pm-proxy u:object_r:per_proxy_exec:s0
/system/bin/pm-service u:object_r:per_mgr_exec:s0
/system/bin/qmuxd u:object_r:qmuxd_exec:s0
/system/bin/qseecomd u:object_r:tee_exec:s0
/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
/system/bin/sct_service u:object_r:sct_service_exec:s0
/system/bin/secd u:object_r:secd_exec:s0
/system/bin/sensors\.qcom u:object_r:sensors_exec:s0
/system/bin/tad_static u:object_r:tad_exec:s0
/system/bin/taimport u:object_r:taimport_exec:s0
/system/bin/ta_qmi_service u:object_r:ta_qmi_service_exec:s0
/system/bin/updatemiscta u:object_r:updatemiscta_exec:s0
/system/vendor/bin/mm-pp-daemon u:object_r:ppd_exec:s0
/system/vendor/bin/perfd u:object_r:perfd_exec:s0
/system/vendor/bin/timekeep u:object_r:timekeep_exec:s0
/data/fpc(/.*)? u:object_r:fpcd_data_file:s0
/data/fpc/socket(/.*)? u:object_r:fpcd_socket:s0
/system/vendor/(lib|lib64)/libril-wrapper\.so u:object_r:hal_ril_wrapper_exec:s0
/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/irq u:object_r:sysfs_fpcd_irq:s0
/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/clk_enable u:object_r:sysfs_fpcd_clk_enable:s0
/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/spi_prepare u:object_r:sysfs_fpcd_spi_prepare:s0
/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/wakeup_enable u:object_r:sysfs_fpcd_wakeup:s0
allow fingerprintd tee_device:chr_file rw_file_perms;
allow fingerprintd sysfs:file w_file_perms;
type fpcd_old_data_file, file_type, data_file_type;
type fpcd_data_file,file_type, data_file_type;
type fpcd_socket, file_type;
type sysfs_fpcd_clk_enable, fs_type, sysfs_type;
type sysfs_fpcd_irq, fs_type, sysfs_type;
type sysfs_fpcd_spi_prepare, fs_type, sysfs_type;
type sysfs_fpcd_wakeup, fs_type, sysfs_type;
allow fingerprintd diag_data_file:dir search;
allow fingerprintd diag_data_file:dir rw_dir_perms;
allow fingerprintd diag_data_file:file rw_file_perms;
allow fingerprintd diag_data_file:sock_file { write create unlink };
allow fingerprintd fpcd_old_data_file:file rw_file_perms;
allow fingerprintd fpcd_data_file:dir rw_dir_perms;
allow fingerprintd fpcd_data_file:file rw_file_perms;
allow fingerprintd fpcd_data_file:sock_file { write create unlink };
allow fingerprintd fpcd_socket:file rw_file_perms;
allow fingerprintd input_device:dir r_dir_perms;
allow fingerprintd input_device:chr_file r_file_perms;
allow fingerprintd sysfs_fpcd_irq:file rw_file_perms;
allow fingerprintd sysfs_fpcd_clk_enable:file rw_file_perms;
allow fingerprintd sysfs_fpcd_spi_prepare:file rw_file_perms;
allow fingerprintd sysfs_fpcd_wakeup:file rw_file_perms;
allow fsck urandom_device:file getattr;
allow gatekeeperd firmware_file:file r_file_perms;
allow gatekeeperd firmware_file:dir search;
set_prop(gatekeeperd, tee_prop)
allow gatekeeperd tee_prop:file { getattr open read };
allow hal_bluetooth_default firmware_file:file { open read };
allow hal_bluetooth_default sysfs:file write;
allow hal_bluetooth_default system_data_file:file { open read };
allow hal_bluetooth_default firmware_file:dir search;
allow hal_bluetooth_default ta_data_file:dir search;
allow hal_bluetooth_default ta_data_file:file { open read };
allow hal_camera_default camera_data_file:sock_file write;
allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow hal_camera_default hal_configstore_default:binder call;
allow hal_camera_default socket_device:sock_file write;
allow hal_fingerprint_default tee_device:chr_file ioctl;
allow hal_fingerprint_default firmware_file:dir search;
allow hal_fingerprint_default sysfs:file write;
allow hal_fingerprint_default tee_device:chr_file { open read write };
allow hal_fingerprint_default firmware_file:file { getattr open read };
allow hal_fingerprint_default input_device:chr_file { ioctl open read };
allow hal_fingerprint_default input_device:dir { open read };
allow hal_fingerprint_default system_data_file:dir { add_name remove_name write };
allow hal_fingerprint_default system_data_file:sock_file { create unlink };
allow hal_fingerprint_default diag_data_file:sock_file write;
allow hal_fingerprint_default fpc_data_file:dir { add_name remove_name write };
allow hal_fingerprint_default fpc_data_file:sock_file { create unlink };
allow hal_fingerprint_default init:unix_dgram_socket sendto;
allow hal_fingerprint_default iddd:unix_dgram_socket sendto;
allow hal_fingerprint_default firmware_file:lnk_file read;
allow hal_fingerprint_default fpc_data_file:dir search;
allow hal_fingerprint_default input_device:dir search;
allow hal_fingerprint_default diag_data_file:dir search;
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment