adjust sepolicy to new SE and allow tilapia to use it prob
Change-Id: Idb67d5d6299e6a5f1e1ed58965e455fb5c3d04d3
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 1de751d..7e9c47a 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -44,22 +44,3 @@
RECOVERY_FSTAB_VERSION = 2
TARGET_RECOVERY_FSTAB = device/asus/grouper/fstab.grouper
-
-BOARD_SEPOLICY_DIRS := \
- device/asus/grouper/sepolicy
-
-BOARD_SEPOLICY_UNION := \
- file_contexts \
- genfs_contexts \
- app.te \
- btmacreader.te \
- device.te \
- drmserver.te \
- init_shell.te \
- file.te \
- rild.te \
- sensors_config.te \
- shell.te \
- surfaceflinger.te \
- system.te \
- zygote.te
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index f3df34f..fcaeac1 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -83,3 +83,21 @@
BOARD_HAS_NO_SELECT_BUTTON := true
TARGET_RUNNING_WITHOUT_SYNC_FRAMEWORK := true
+
+BOARD_SEPOLICY_DIRS += \
+ device/asus/grouper/sepolicy
+
+BOARD_SEPOLICY_UNION += \
+ file_contexts \
+ genfs_contexts \
+ app.te \
+ device.te \
+ drmserver.te \
+ init_shell.te \
+ file.te \
+ mediaserver.te \
+ rild.te \
+ sensors_config.te \
+ shell.te \
+ surfaceflinger.te \
+ system_app.te
diff --git a/sepolicy/app.te b/sepolicy/app.te
index 9d9b5b6..76d4117 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1 +1 @@
-allow appdomain sysfs_devices_system_cpu:dir r_dir_perms;
+allow appdomain nvhost_writable_device:chr_file rw_file_perms;
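Review bot: The new `allow appdomain nvhost_writable_device:chr_file rw_file_perms;` gives every app domain, untrusted third-party apps included, read/write and ioctl access to `/dev/nvhost-ctrl`, `/dev/nvhost-gr2d` and `/dev/nvhost-gr3d`, with no comment explaining why. Because sepolicy/device.te also declares the type `mlstrustedobject`, MLS separation does not limit that access either. If this is required for GPU rendering, say so in the file, e.g. `# GPU access for all apps: Tegra host1x ctrl/2D/3D channels; the driver ioctl interface is reachable from untrusted_app`. That makes it clear the kernel driver is the only remaining boundary and that no further nodes should be added to this type without review.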
diff --git a/sepolicy/btmacreader.te b/sepolicy/btmacreader.te
deleted file mode 100644
index 231777b..0000000
--- a/sepolicy/btmacreader.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type btmacreader, domain;
-permissive btmacreader;
-type btmacreader_exec, exec_type, file_type;
-type mac_data_file, file_type, data_file_type;
-init_daemon_domain(btmacreader)
-file_type_auto_trans(btmacreader, system_data_file, mac_data_file)
-unconfined_domain(btmacreader)
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 0b23c25..5887d3d 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,3 +1,6 @@
+type knv_device, dev_type;
+type nvhost_writable_device, dev_type, mlstrustedobject;
+type nvhost_device, dev_type;
type elan_ip_device, dev_type;
type sensors_block_device, dev_type;
type sysfs_devices_tegradc, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index cbd5a6c..9e4f808 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,3 @@
type sysfs_firmware_writable, fs_type, sysfs_type;
allow sysfs_devices_tegradc sysfs:filesystem associate;
-allow sysfs_devices_system_cpu sysfs:filesystem associate;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 772943d..b4f5b79 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -4,6 +4,10 @@
/dev/knvmap u:object_r:knv_device:s0
/dev/lightsensor u:object_r:sensors_device:s0
/dev/mi1040 u:object_r:camera_device:s0
+/dev/nvhost.* u:object_r:nvhost_device:s0
+/dev/nvhost-ctrl u:object_r:nvhost_writable_device:s0
+/dev/nvhost-gr2d u:object_r:nvhost_writable_device:s0
+/dev/nvhost-gr3d u:object_r:nvhost_writable_device:s0
/dev/ttyHS1 u:object_r:gps_device:s0
/dev/ttyHS2 u:object_r:hci_attach_dev:s0
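Review bot: The catch-all `/dev/nvhost.*` labels every other nvhost node `nvhost_device`, but no rule visible in this commit grants any domain access to that type; app.te, mediaserver.te and surfaceflinger.te reference only `nvhost_writable_device`. Any confined domain that needs a different nvhost node will therefore be denied, unless rules exist outside this diff. Deny-by-default is a reasonable choice, but it should be stated next to the entry, e.g. `# all other nvhost nodes: no access unless a domain is granted nvhost_device explicitly`. The three literal entries rely on exact paths taking precedence over the regex, which is also worth a short comment.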
@@ -18,7 +22,6 @@
/system/bin/sensors-config -- u:object_r:sensors_config_exec:s0
/sys/bus/i2c/drivers/elan-ktf3k/1-0010/update_fw -- u:object_r:sysfs_firmware_writable:s0
-/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/tegradc\.0(/.*)? u:object_r:sysfs_devices_tegradc:s0
/sys/devices/tegradc\.1(/.*)? u:object_r:sysfs_devices_tegradc:s0
/sys/devices/platform/bcm4330_rfkill/rfkill/rfkill0/state -- u:object_r:sysfs_bluetooth_writable:s0
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..897de36
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver { nvhost_writable_device }:chr_file rw_file_perms;
diff --git a/sepolicy/sensors_config.te b/sepolicy/sensors_config.te
index 2669715..1a42a44 100644
--- a/sepolicy/sensors_config.te
+++ b/sepolicy/sensors_config.te
@@ -2,9 +2,32 @@
# sensors_config: load calibration files.
##########
type sensors_config, domain;
-permissive sensors_config;
type sensors_config_exec, exec_type, file_type;
type sensors_data_file, file_type, data_file_type;
init_daemon_domain(sensors_config)
file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
-unconfined_domain(sensors_config)
+
+# Execute toolbox commands
+allow sensors_config shell_exec:file rx_file_perms;
+allow sensors_config system_file:file execute_no_trans;
+
+# Mount /dev/block/platform/sdhci-tegra.3/by-name/PER
+allow sensors_config sensors_data_file:dir mounton;
+allow sensors_config sdcard_external:filesystem { mount unmount };
+allow sensors_config { sdcard_external block_device }:dir search;
+
+# Read from the mounted PER partition
+allow sensors_config sdcard_external:file r_file_perms;
+
+# Need to chmod and chown files (/data/lightsensor, /data/sensors)
+allow sensors_config self:capability { chown fowner };
+
+# Checked as a side effect on the chmod (don't allow)
+dontaudit sensors_config self:capability { fsetid };
+
+# Needed for mount/umount
+allow sensors_config self:capability sys_admin;
+
+# Tries to delete /data/calibration (don't allow)
+dontaudit sensors_config system_data_file:dir remove_name;
+dontaudit sensors_config self:capability dac_override;
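Review bot: The rules for the PER partition use the generic `sdcard_external` type, so `allow sensors_config sdcard_external:filesystem { mount unmount };` and `allow sensors_config sdcard_external:file r_file_perms;` apply to every filesystem and file carrying that label, not only the calibration partition. Together with `self:capability sys_admin` and `system_file:file execute_no_trans`, the domain is broader than the comments suggest, although it is still a clear improvement over the removed `permissive`/`unconfined_domain` lines. If the partition only receives `sdcard_external` as a default label (an inference from the comment), consider mounting it with a dedicated `context=` option and granting access to that dedicated type instead. At minimum, extend the comment to `# Needed for mount/umount of the PER partition only; sys_admin is not otherwise used`. The three `dontaudit` rules hide denials, so they should be revisited if the daemon misbehaves.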
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 36965aa..314ce63 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,3 +1,3 @@
-allow surfaceflinger knv_device:chr_file rw_file_perms;
+allow surfaceflinger { knv_device nvhost_writable_device }:chr_file rw_file_perms;
allow surfaceflinger { sysfs_devices_system_cpu sysfs_devices_tegradc }:file w_file_perms;
allow surfaceflinger sysfs_devices_system_cpu:dir w_dir_perms;
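Review bot: The two unchanged rules here still grant surfaceflinger write access to `sysfs_devices_system_cpu`, while this commit removes the device's own `/sys/devices/system/cpu(/.*)?` entry from file_contexts and the matching `associate` rule from file.te. That works only if the base policy now declares and labels the type, which this diff does not show; please confirm it builds and that the label is still applied on the device. If the base policy owns the type, add a comment such as `# sysfs_devices_system_cpu is declared and labeled by the base policy` so the dependency is visible in this file.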
diff --git a/sepolicy/system.te b/sepolicy/system.te
deleted file mode 100644
index c370b77..0000000
--- a/sepolicy/system.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow { system system_app }knv_device:chr_file rw_file_perms;
-allow system sysfs_devices_system_cpu:file w_file_perms;
-allow system sysfs_devices_system_cpu:dir r_dir_perms;
-allow system elan_ip_device:chr_file rw_file_perms;
-allow system diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..5d72dcb
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1 @@
+allow system_app knv_device:chr_file rw_file_perms;
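Review bot: Only the `system_app` half of the deleted system.te is carried over. The old rules for the `system` domain (`knv_device`, `elan_ip_device`, `diag_device` and the cpu sysfs writes) have no replacement in this commit. If the new base policy renames that domain and runs it confined (an inference from the commit title), the system server loses access to `/dev/knvmap` and the touch and diag nodes. Either add the equivalent rules for the renamed domain or note in the commit message that they are intentionally dropped. Note also that `appdomain` gets `nvhost_writable_device` in app.te but only `system_app` gets `knv_device`, so check whether ordinary apps also need the nvmap node for rendering.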
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
deleted file mode 100644
index 07389ff..0000000
--- a/sepolicy/zygote.te
+++ /dev/null
@@ -1 +0,0 @@
-allow zygote sysfs_devices_system_cpu:dir r_dir_perms;