From 61c80d5ec8632cadcf754eed0986b23284217c06 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 16 Nov 2012 09:06:47 -0500
Subject: [PATCH] Update policy for Android 4.2 / latest master.

Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 adbd.te        |  2 +-
 bluetooth.te   | 21 ++++++++++++++++++++-
 file.te        |  2 ++
 file_contexts  |  4 ++++
 keystore.te    |  2 ++
 seapp_contexts |  1 +
 system.te      |  4 ++--
 zygote.te      |  6 ++++++
 8 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/adbd.te b/adbd.te
index d3f9905df..f92414953 100644
--- a/adbd.te
+++ b/adbd.te
@@ -4,7 +4,7 @@ type adbd, domain, mlstrustedsubject;
 allow adbd adb_device:chr_file rw_file_perms;
 allow adbd qemu_device:chr_file rw_file_perms;
 allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
-allow adbd rootfs:file entrypoint;
+allow adbd rootfs:file { read entrypoint };
 allow adbd init:process sigchld;
 allow adbd self:tcp_socket *;
 allow adbd self:unix_stream_socket *;
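Review bot: The new `adbd_socket` type (file.te, `type adbd_socket, file_type;`) and the `/dev/socket/adbd` label (file_contexts) are introduced, but no hunk in this patch grants any domain access to `adbd_socket`, and adbd.te here only gains `read` on `rootfs:file`. If the socket is created by init and handed to adbd as an inherited fd, that may be covered by rules outside this patch, but it is worth confirming; otherwise adbd itself will need something like `allow adbd adbd_socket:sock_file rw_file_perms;` or the label is effectively unused. The `read` addition on `rootfs:file` also has no comment saying which rootfs file adbd now reads; a one-line why-comment on the rule would help the next reviewer judge whether the widening is still needed.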
diff --git a/bluetooth.te b/bluetooth.te
index f43543c1f..ac7233f10 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,4 +1,23 @@
-# Domains that can create and use bluetooth sockets.
+# bluetooth subsystem
+type bluetooth, domain;
+app_domain(bluetooth)
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+# Device accesses.
+allow bluetooth hci_attach_dev:chr_file rw_file_perms;
+allow bluetooth input_device:chr_file write;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+dontaudit bluetooth self:capability net_admin;
+
+# Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 allow bluetoothdomain self:socket *;
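Review bot: `allow bluetooth input_device:chr_file write;` grants write on every node labelled `input_device`, not only the one the bluetooth stack needs for HID injection, so a compromised bluetooth process could inject events into any input device on the system. If a single node is involved, a dedicated type for it in file_contexts with `allow bluetooth <that_type>:chr_file write;` keeps the grant scoped; at minimum the rule deserves a comment naming the device it is for. Separately, the new `bluetooth` domain is only given `app_domain`; unless `bluetoothdomain` (the attribute used by `allow bluetoothdomain self:socket *;` below) is attached to it elsewhere, the domain has no socket permission for the bluetooth protocols the subsystem presumably uses, which is inferred from this hunk and should be checked.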
diff --git a/file.te b/file.te
index 70100a955..6bbda3afe 100644
--- a/file.te
+++ b/file.te
@@ -9,6 +9,7 @@ type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type inotify, fs_type, mlstrustedobject;
 type devpts, fs_type;
@@ -69,6 +70,7 @@ type asec_image_file, file_type, data_file_type;
 type bluetooth_efs_file, file_type;
 
 # Socket types
+type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dbus_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 713da7991..43e532a80 100644
--- a/file_contexts
+++ b/file_contexts
@@ -55,6 +55,7 @@
 /dev/s3c-mfc		u:object_r:graphics_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket		u:object_r:socket_device:s0
+/dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dbus_bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dbus	u:object_r:dbus_socket:s0
@@ -127,6 +128,7 @@
 # Misc data
 /data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
 /data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
 /data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
@@ -150,6 +152,8 @@
 #
 /sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
 #############################
 # asec containers
 /mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
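Review bot: The `/sys/class/rfkill/rfkill[0-9]*/state` and `.../type` entries label every rfkill instance as `sysfs_bluetooth_writable`, but rfkill indices are shared by all radios (WLAN, GPS, etc.), so the `bluetooth` domain's `rw_file_perms` on this type extends to switches of unrelated radios. Unless the device's rfkill layout guarantees only bluetooth appears there, either narrow the pattern to the bluetooth instance or note in a comment above the entries that the label intentionally covers all rfkill switches. Note also that `/sys/class/rfkill/rfkillN` are symlinks into `/sys/devices`, so these entries only take effect if init relabels exactly these paths (as the existing `sysfs_writable` and `sysfs_nfc_power_writable` lines presumably rely on); a recursive relabel of `/sys/devices` would not match them.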
diff --git a/keystore.te b/keystore.te
index 20e7222f7..c44d254ba 100644
--- a/keystore.te
+++ b/keystore.te
@@ -3,6 +3,8 @@ type keystore_exec, exec_type, file_type;
 
 # keystore daemon
 init_daemon_domain(keystore)
+binder_use(keystore)
+binder_service(keystore)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
diff --git a/seapp_contexts b/seapp_contexts
index f63da7c92..258477a9a 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -33,6 +33,7 @@
 #
 isSystemServer=true domain=system
 user=system domain=system_app type=system_data_file
+user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=_app domain=untrusted_app type=app_data_file levelFromUid=true
diff --git a/system.te b/system.te
index bace071a8..85b43470d 100644
--- a/system.te
+++ b/system.te
@@ -82,8 +82,8 @@ allow system self:netlink_kobject_uevent_socket *;
 allow system appdomain:process { sigkill signal };
 
 # Set scheduling info for apps.
-allow system appdomain:process setsched;
-allow system mediaserver:process setsched;
+allow system appdomain:process { getsched setsched };
+allow system mediaserver:process { getsched setsched };
 
 # Read /proc data for apps.
 allow system appdomain:dir r_dir_perms;
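Review bot: The comment above the changed rules still reads `# Set scheduling info for apps.` although both rules now also grant `getsched`; update it to `# Get/set scheduling info for apps and mediaserver.` so the comment matches the permission set. No functional concern with the widening itself, since reading scheduling parameters is strictly weaker than the `setsched` already granted.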
diff --git a/zygote.te b/zygote.te
index 0601707db..3350ce343 100644
--- a/zygote.te
+++ b/zygote.te
@@ -29,3 +29,9 @@ selinux_check_access(zygote)
 # Read /seapp_contexts, presently on the rootfs.
 allow zygote rootfs:file r_file_perms;
 
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton };
+allow zygote tmpfs:filesystem mount;
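Review bot: `allow zygote rootfs:dir mounton;` and `allow zygote tmpfs:filesystem mount;` are not scoped to the stated purpose: the first lets zygote mount over any directory on the rootfs and the second lets it mount any tmpfs, while the block comment only says `# Setting up /storage/emulated.`. If `/storage` (or the emulated mount point) can be given its own type in file_contexts, `mounton` can be confined to that type and the rootfs-wide grant dropped; if it must stay, a per-rule comment naming the exact mount sequence (which paths, in which order) would let a later reviewer verify the rules are still the minimum. The `tmpfs:dir` rule also omits `search` even though the sibling `sdcard:dir` rule includes it; it may be granted elsewhere, but it is worth confirming the directory operations on the tmpfs actually succeed without it.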
-- 