addison: sepolicy rework

 * Moar macros
 * Remove forced selinux context on persist

Change-Id: I073fb49bff42e73a76494046452556344eddcba1

rootdir/etc/fstab.qcom

@@ -12,7 +12,7 @@
 /dev/block/bootdevice/by-name/modem          /firmware    ext4    ro,nosuid,nodev,barrier=0,context=u:object_r:firmware_file:s0                      wait
 /dev/block/bootdevice/by-name/fsg            /fsg         ext4    ro,nosuid,nodev,context=u:object_r:fsg_file:s0                                     wait
 /dev/block/bootdevice/by-name/dsp            /dsp         ext4    ro,nosuid,nodev,barrier=1                                                          wait
-/dev/block/bootdevice/by-name/persist        /persist     ext4    nosuid,nodev,barrier=1,noatime,noauto_da_alloc,context=u:object_r:persist_file:s0  wait
+/dev/block/bootdevice/by-name/persist        /persist     ext4    nosuid,nodev,barrier=1,noatime,noauto_da_alloc                                     wait
 /dev/block/bootdevice/by-name/boot           /boot        emmc    defaults                                                                           recoveryonly
 /dev/block/bootdevice/by-name/recovery       /recovery    emmc    defaults                                                                           recoveryonly
 /dev/block/bootdevice/by-name/misc           /misc        emmc    defaults                                                                           defaults

sepolicy/adspd.te

@@ -2,10 +2,8 @@ type adspd, domain, domain_deprecated;
 type adspd_exec, exec_type, file_type;
 init_daemon_domain(adspd)
 
-allow adspd audio_device:chr_file { ioctl open read write };
-allow adspd audio_device:dir search;
-allow adspd input_device:chr_file { ioctl open read };
-allow adspd input_device:dir search;
+allow adspd audio_device:chr_file rw_file_perms;
+allow adspd input_device:chr_file r_file_perms;
 allow adspd sysfs_adsp:file write;
 # The below one is WRONG
 allow adspd sysfs:file write;

sepolicy/cameraserver.te

@@ -1,2 +1 @@
-# Shouldn't do this here
-allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };
+allow cameraserver self:netlink_kobject_uevent_socket create_socket_perms;

sepolicy/file.te

@@ -4,6 +4,10 @@ type fsg_file, fs_type, contextmount_type;
 # RIL
 type netmgr_data_file, file_type, data_file_type;
 
+# /dev/socket needs to be file_type so init can create
+type adspd_socket, file_type;
+type cutback_socket, file_type;
+
 # sysfs
 type sysfs_adsp, fs_type, sysfs_type;
 type sysfs_mmi_fp, fs_type, sysfs_type;

sepolicy/file_contexts

@@ -36,5 +36,9 @@
 /dev/motosh_as                                           u:object_r:sensors_device:s0
 /dev/motosh_ms                                           u:object_r:sensors_device:s0
 
+# Sockets
+/dev/socket/adspdsock                                    u:object_r:adspd_socket:s0
+/dev/socket/cutback                                      u:object_r:cutback_socket:s0
+
 # WCNSS
 /sys/module/wcnsscore/parameters(/.*)?                   u:object_r:sysfs_wcnsscore:s0

sepolicy/fingerprintd.te

@@ -1,9 +1,8 @@
-allow fingerprintd firmware_file:dir search;
-allow fingerprintd firmware_file:file { getattr open read };
-allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write };
-allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink };
-allow fingerprintd fingerprintd_data_file:sock_file { create unlink };
-allow fingerprintd sysfs_mmi_fp:dir { open read search };
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+allow fingerprintd fingerprintd_data_file:file create_file_perms;
+allow fingerprintd fingerprintd_data_file:sock_file create_file_perms;
+allow fingerprintd sysfs_mmi_fp:dir r_dir_perms;
 allow fingerprintd sysfs_mmi_fp:file rw_file_perms;
 allow fingerprintd system_data_file:sock_file unlink;
-allow fingerprintd tee_device:chr_file { ioctl open read write };
+allow fingerprintd tee_device:chr_file rw_file_perms;
+r_dir_file(fingerprintd, firmware_file)

sepolicy/init.te

@@ -3,14 +3,7 @@ allow init input_device:chr_file ioctl;
 allow init sensors_device:chr_file { write ioctl };
 allow init tee_device:chr_file { write ioctl };
 
-allow init servicemanager:binder { transfer call };
-allow init system_server:binder call;
-
-allow init property_socket:sock_file write;
-allow init socket_device:sock_file { create setattr unlink };
-
-allow init system_data_file:file { rename append };
+allow init debugfs:file write;
 allow init firmware_file:dir mounton;
 
-allow init debugfs:file write;
-allow init persist_file:filesystem { getattr mount relabelfrom relabelto };
+binder_use(init)

sepolicy/mediacodec.te

@@ -1 +1 @@
-allow mediacodec firmware_file:file { open read };
+allow mediacodec firmware_file:file r_file_perms;

sepolicy/mediadrmserver.te

@@ -1,2 +1 @@
-allow mediadrmserver firmware_file:dir search;
-allow mediadrmserver firmware_file:file r_file_perms;
+r_dir_file(mediadrmserver, firmware_file)

sepolicy/mediaserver.te

@@ -1,2 +1 @@
-allow mediaserver persist_file:dir search;
-allow mediaserver persist_file:file { read getattr open };
+r_dir_file(mediaserver, persist_file)

sepolicy/mm-qcamerad.te

@@ -1,4 +1,3 @@
-allow mm-qcamerad laser_device:chr_file { read write ioctl open };
-allow mm-qcamerad persist_file:dir search;
-allow mm-qcamerad persist_file:file { read getattr open };
+allow mm-qcamerad laser_device:chr_file rw_file_perms;
+allow mm-qcamerad persist_file:file r_file_perms;
 allow mm-qcamerad system_data_file:dir read;

sepolicy/mmi_boot.te

@@ -6,9 +6,8 @@ init_daemon_domain(mmi_boot)
 allow mmi_boot shell_exec:file rx_file_perms;
 allow mmi_boot toolbox_exec:file rx_file_perms;
 
-allow mmi_boot radio_data_file:dir { add_name search write };
-allow mmi_boot radio_data_file:file { create setattr };
-allow mmi_boot radio_data_file:file rw_file_perms;
+allow mmi_boot radio_data_file:dir w_dir_perms;
+allow mmi_boot radio_data_file:file create_file_perms;
 allow mmi_boot self:capability chown;
 allow mmi_boot sysfs_socinfo:file write;
 

sepolicy/mmi_laser.te

@@ -9,6 +9,5 @@ allow mmi_laser toolbox_exec:file rx_file_perms;
 # Logs to /dev/kmsg
 allow mmi_laser kmsg_device:chr_file w_file_perms;
 
-allow mmi_laser persist_file:dir search;
-allow mmi_laser persist_file:file r_file_perms;
 allow mmi_laser sysfs_mmi_laser:file rw_file_perms;
+r_dir_file(mmi_laser, persist_file)

sepolicy/netmgrd.te

@@ -1,3 +1,2 @@
-allow netmgrd netmgr_data_file:dir { add_name search write };
-allow netmgrd netmgr_data_file:file create;
-allow netmgrd netmgr_data_file:file rw_file_perms;
+allow netmgrd netmgr_data_file:dir w_dir_perms;
+allow netmgrd netmgr_data_file:file create_file_perms;

sepolicy/rild.te

@@ -1,4 +1,4 @@
 allow rild persist_file:dir search;
 allow rild persist_file:file rw_file_perms;
-allow rild system_data_file:dir { write add_name remove_name };
-allow rild system_data_file:sock_file { create write unlink };
+allow rild system_data_file:dir w_dir_perms;
+allow rild system_data_file:sock_file create_file_perms;

sepolicy/rmt_storage.te

@@ -1,3 +1,2 @@
-allow rmt_storage fsg_file:dir search;
-allow rmt_storage fsg_file:file { read open };
 allow rmt_storage self:capability dac_override;
+r_dir_file(rmt_storage, fsg_file)

sepolicy/system_app.te

@@ -1,2 +1,3 @@
 allow system_app sysfs_mmi_fp:file rw_file_perms;
 allow system_app sysfs_mmi_fp:dir search;
+binder_call(system_app, fingerprintd)

sepolicy/system_server.te

@@ -1,2 +1 @@
-allow system_server persist_file:dir rw_dir_perms;
-allow system_server persist_file:file rw_file_perms;
+allow system_server debugfs:dir r_dir_perms;

sepolicy/ueventd.te

@@ -1,4 +1,3 @@
 allow ueventd device:chr_file { relabelfrom relabelto };
 allow ueventd sysfs_mmi_fp:file w_file_perms;
 allow ueventd sysfs_mmi_touch:file w_file_perms;
-allow ueventd sysfs_mmi_touch:dir search;