From cb32a608a233b3bf59c5a56ecd13588b51537a15 Mon Sep 17 00:00:00 2001
From: Alberto97
Date: Mon, 24 Jul 2017 16:28:20 +0200
Subject: [PATCH] addison: sepolicy rework

* Moar macros
* Remove forced selinux context on persist

Change-Id: I073fb49bff42e73a76494046452556344eddcba1
---
 rootdir/etc/fstab.qcom | 2 +-
 sepolicy/adspd.te | 6 ++----
 sepolicy/cameraserver.te | 3 +--
 sepolicy/file.te | 4 ++++
 sepolicy/file_contexts | 4 ++++
 sepolicy/fingerprintd.te | 13 ++++++-------
 sepolicy/init.te | 11 ++---------
 sepolicy/mediacodec.te | 2 +-
 sepolicy/mediadrmserver.te | 3 +--
 sepolicy/mediaserver.te | 3 +--
 sepolicy/mm-qcamerad.te | 5 ++---
 sepolicy/mmi_boot.te | 5 ++---
 sepolicy/mmi_laser.te | 3 +--
 sepolicy/netmgrd.te | 5 ++---
 sepolicy/persist_file.te | 1 -
 sepolicy/rild.te | 4 ++--
 sepolicy/rmt_storage.te | 3 +--
 sepolicy/system_app.te | 1 +
 sepolicy/system_server.te | 3 +--
 sepolicy/time_daemon.te | 1 -
 sepolicy/ueventd.te | 1 -
 21 files changed, 35 insertions(+), 48 deletions(-)
 delete mode 100644 sepolicy/persist_file.te
 delete mode 100644 sepolicy/time_daemon.te

diff --git a/rootdir/etc/fstab.qcom b/rootdir/etc/fstab.qcom
index 34a42df..82f96e7 100644
--- a/rootdir/etc/fstab.qcom
+++ b/rootdir/etc/fstab.qcom
@@ -12,7 +12,7 @@
 /dev/block/bootdevice/by-name/modem /firmware ext4 ro,nosuid,nodev,barrier=0,context=u:object_r:firmware_file:s0 wait
 /dev/block/bootdevice/by-name/fsg /fsg ext4 ro,nosuid,nodev,context=u:object_r:fsg_file:s0 wait
 /dev/block/bootdevice/by-name/dsp /dsp ext4 ro,nosuid,nodev,barrier=1 wait
-/dev/block/bootdevice/by-name/persist /persist ext4 nosuid,nodev,barrier=1,noatime,noauto_da_alloc,context=u:object_r:persist_file:s0 wait
+/dev/block/bootdevice/by-name/persist /persist ext4 nosuid,nodev,barrier=1,noatime,noauto_da_alloc wait
 /dev/block/bootdevice/by-name/boot /boot emmc defaults recoveryonly
 /dev/block/bootdevice/by-name/recovery /recovery emmc defaults recoveryonly
 /dev/block/bootdevice/by-name/misc /misc emmc defaults defaults
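Review bot: Dropping `context=u:object_r:persist_file:s0` from the /persist mount means files there are now labeled from their on-disk xattrs, and a partition that has always been context-mounted may carry none, so they come up as `unlabeled` and every domain that relies on `persist_file` (rild, mediaserver, mm-qcamerad and mmi_laser in this same change) is denied in enforcing mode. Nothing in the diff adds a `/persist(/.*)?` entry to file_contexts or a boot-time `restorecon_recursive /persist`; if both already exist elsewhere in the tree, say so in the commit message, otherwise they belong next to this line. The deletion of `sepolicy/persist_file.te` (`allow persist_file self:filesystem associate;`) and of the `persist_file:filesystem` rule in init.te are consistent with this only if `persist_file` is declared with `file_type` rather than `fs_type`/`contextmount_type`, because files on an xattr-labeled ext4 need `labeledfs:filesystem associate`, which AOSP policy grants through the `file_type` attribute; that declaration is not in the diff, so it should be confirmed.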
diff --git a/sepolicy/adspd.te b/sepolicy/adspd.te
index e6cee41..6ab00ef 100644
--- a/sepolicy/adspd.te
+++ b/sepolicy/adspd.te
@@ -2,10 +2,8 @@ type adspd, domain, domain_deprecated;
 type adspd_exec, exec_type, file_type;
 init_daemon_domain(adspd)
 
-allow adspd audio_device:chr_file { ioctl open read write };
-allow adspd audio_device:dir search;
-allow adspd input_device:chr_file { ioctl open read };
-allow adspd input_device:dir search;
+allow adspd audio_device:chr_file rw_file_perms;
+allow adspd input_device:chr_file r_file_perms;
 allow adspd sysfs_adsp:file write;
 # The below one is WRONG
 allow adspd sysfs:file write;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index d28a479..51c937e 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -1,2 +1 @@
-# Shouldn't do this here
-allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };
+allow cameraserver self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 01a2143..8d13c80 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -4,6 +4,10 @@ type fsg_file, fs_type, contextmount_type;
 # RIL
 type netmgr_data_file, file_type, data_file_type;
 
+# /dev/socket needs to be file_type so init can create
+type adspd_socket, file_type;
+type cutback_socket, file_type;
+
 # sysfs
 type sysfs_adsp, fs_type, sysfs_type;
 type sysfs_mmi_fp, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 5513b90..58fc204 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -36,5 +36,9 @@
 /dev/motosh_as u:object_r:sensors_device:s0
 /dev/motosh_ms u:object_r:sensors_device:s0
 
+# Sockets
+/dev/socket/adspdsock u:object_r:adspd_socket:s0
+/dev/socket/cutback u:object_r:cutback_socket:s0
+
 # WCNSS
 /sys/module/wcnsscore/parameters(/.*)? u:object_r:sysfs_wcnsscore:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
index 626519a..201e28c 100644
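Review bot: The adspd.te rewrite drops `allow adspd audio_device:dir search;` and `allow adspd input_device:dir search;` without a replacement; `rw_file_perms` and `r_file_perms` cover only the `chr_file` class, so if `/dev/snd` and `/dev/input` are directories labeled `audio_device`/`input_device` (the usual file_contexts layout) adspd can no longer traverse them to open the device nodes. Keep the two `dir search` lines, or confirm from the audit log that those directories carry a label adspd already searches. The pre-existing `allow adspd sysfs:file write;`, which the file itself marks as WRONG, survives the rework untouched; giving the specific sysfs node its own `sysfs_adsp`-style label would let that broad rule go.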
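Review bot: In cameraserver.te, `create_socket_perms` expands (AOSP global_macros) to `create` plus the full `rw_socket_perms` set, so the new line grants `write`, `connect`, `shutdown`, `ioctl` and more on the uevent netlink socket where the old rule granted only `{ read bind create setopt }`; a kobject-uevent socket only needs to be created, bound, configured and read. Keeping the explicit set is the tighter choice: `allow cameraserver self:netlink_kobject_uevent_socket { create bind read setopt };`. The deleted `# Shouldn't do this here` comment recorded that the rule belongs elsewhere, and swapping in a macro does not resolve that, so the comment should stay until the rule is moved.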
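Review bot: The two new socket types in file.te are declared here and labeled in the file_contexts hunk, but no domain in this change is granted `sock_file` access to `adspd_socket` or `cutback_socket`, so whatever previously connected to `/dev/socket/adspdsock` and `/dev/socket/cutback` under their old label will be denied unless those rules already exist outside the diff. Presumably adspd and the cutback daemon are the peers; add `allow <client_domain> adspd_socket:sock_file write;` and the matching `cutback_socket` rule next to the consumers, or note in the commit message where they live. The comment could also name the consumers, e.g. `# Sockets created by init for adspd and cutback (labeled in file_contexts)`.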
--- a/sepolicy/fingerprintd.te
+++ b/sepolicy/fingerprintd.te
@@ -1,9 +1,8 @@
-allow fingerprintd firmware_file:dir search;
-allow fingerprintd firmware_file:file { getattr open read };
-allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write };
-allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink };
-allow fingerprintd fingerprintd_data_file:sock_file { create unlink };
-allow fingerprintd sysfs_mmi_fp:dir { open read search };
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+allow fingerprintd fingerprintd_data_file:file create_file_perms;
+allow fingerprintd fingerprintd_data_file:sock_file create_file_perms;
+allow fingerprintd sysfs_mmi_fp:dir r_dir_perms;
 allow fingerprintd sysfs_mmi_fp:file rw_file_perms;
 allow fingerprintd system_data_file:sock_file unlink;
-allow fingerprintd tee_device:chr_file { ioctl open read write };
+allow fingerprintd tee_device:chr_file rw_file_perms;
+r_dir_file(fingerprintd, firmware_file)
diff --git a/sepolicy/init.te b/sepolicy/init.te
index ba86f8f..ef818be 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -3,14 +3,7 @@ allow init input_device:chr_file ioctl;
 allow init sensors_device:chr_file { write ioctl };
 allow init tee_device:chr_file { write ioctl };
 
-allow init servicemanager:binder { transfer call };
-allow init system_server:binder call;
-
-allow init property_socket:sock_file write;
-allow init socket_device:sock_file { create setattr unlink };
-
-allow init system_data_file:file { rename append };
+allow init debugfs:file write;
 allow init firmware_file:dir mounton;
-allow init debugfs:file write;
-allow init persist_file:filesystem { getattr mount relabelfrom relabelto };
+binder_use(init)
 
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 799c2ea..577fc5d 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
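Review bot: The macro line `r_dir_file(fingerprintd, firmware_file)` is appended at the end of fingerprintd.te, away from the explicit `firmware_file` rules it replaced at the top; the same pattern appears in mmi_laser.te (`r_dir_file(mmi_laser, persist_file)` placed after the sysfs rule) and rmt_storage.te (`r_dir_file(rmt_storage, fsg_file)` placed after the capability rule). Keeping each macro where the lines it replaces stood, or collecting the macros in one block under a short comment such as `# Read-only access to firmware`, keeps every file readable as a per-object list. Note also that `create_file_perms` on `fingerprintd_data_file:file` includes `read` and `write`, which the old `{ append create getattr open setattr unlink }` did not grant; that is probably what the daemon needs, but it is a widening worth a line in the commit message.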
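Review bot: In init.te, `binder_use(init)` is broader than the two binder rules it replaces — in the AOSP macro of this era it also grants servicemanager `dir search`, `file read` and `process getattr` on init — while it does not cover the dropped `allow init system_server:binder call;`, so if that rule answered a real denial the call is now lost, and if it did not, init should not need binder at all. Init talking binder usually means a service is running in the init domain for lack of its own label; the tighter fix is to give that service a domain via `init_daemon_domain(...)` and drop binder from init.te entirely. The removed `property_socket`, `socket_device` and `system_data_file` rules point the same way, and their removal is a good sign provided the denials they answered have been retested.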
@@ -1 +1 @@
-allow mediacodec firmware_file:file { open read };
+allow mediacodec firmware_file:file r_file_perms;
diff --git a/sepolicy/mediadrmserver.te b/sepolicy/mediadrmserver.te
index 296f1ee..36eaa28 100644
--- a/sepolicy/mediadrmserver.te
+++ b/sepolicy/mediadrmserver.te
@@ -1,2 +1 @@
-allow mediadrmserver firmware_file:dir search;
-allow mediadrmserver firmware_file:file r_file_perms;
+r_dir_file(mediadrmserver, firmware_file)
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 252b0ef..0cc8b3e 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,2 +1 @@
-allow mediaserver persist_file:dir search;
-allow mediaserver persist_file:file { read getattr open };
+r_dir_file(mediaserver, persist_file)
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 6e4a8c9..2e6e948 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -1,4 +1,3 @@
-allow mm-qcamerad laser_device:chr_file { read write ioctl open };
-allow mm-qcamerad persist_file:dir search;
-allow mm-qcamerad persist_file:file { read getattr open };
+allow mm-qcamerad laser_device:chr_file rw_file_perms;
+allow mm-qcamerad persist_file:file r_file_perms;
 allow mm-qcamerad system_data_file:dir read;
diff --git a/sepolicy/mmi_boot.te b/sepolicy/mmi_boot.te
index 077c0e6..b015488 100644
--- a/sepolicy/mmi_boot.te
+++ b/sepolicy/mmi_boot.te
@@ -6,9 +6,8 @@ init_daemon_domain(mmi_boot)
 allow mmi_boot shell_exec:file rx_file_perms;
 allow mmi_boot toolbox_exec:file rx_file_perms;
 
-allow mmi_boot radio_data_file:dir { add_name search write };
-allow mmi_boot radio_data_file:file { create setattr };
-allow mmi_boot radio_data_file:file rw_file_perms;
+allow mmi_boot radio_data_file:dir w_dir_perms;
+allow mmi_boot radio_data_file:file create_file_perms;
 allow mmi_boot self:capability chown;
 allow mmi_boot sysfs_socinfo:file write;
 
diff --git a/sepolicy/mmi_laser.te b/sepolicy/mmi_laser.te
index cc00309..6a79bf2 100644
--- a/sepolicy/mmi_laser.te
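Review bot: The mm-qcamerad.te rewrite keeps `allow mm-qcamerad persist_file:file r_file_perms;` but drops `allow mm-qcamerad persist_file:dir search;`, so once the /persist directories carry the `persist_file` label the daemon cannot traverse them to reach the files it is allowed to read. mediaserver.te and mmi_laser.te in the same change use `r_dir_file(..., persist_file)`, which grants both classes; replacing the file-only line with `r_dir_file(mm-qcamerad, persist_file)` fixes the gap and keeps the three files consistent.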
+++ b/sepolicy/mmi_laser.te
@@ -9,6 +9,5 @@ allow mmi_laser toolbox_exec:file rx_file_perms;
 # Logs to /dev/kmsg
 allow mmi_laser kmsg_device:chr_file w_file_perms;
 
-allow mmi_laser persist_file:dir search;
-allow mmi_laser persist_file:file r_file_perms;
 allow mmi_laser sysfs_mmi_laser:file rw_file_perms;
+r_dir_file(mmi_laser, persist_file)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index b1f811a..819c6ff 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,3 +1,2 @@
-allow netmgrd netmgr_data_file:dir { add_name search write };
-allow netmgrd netmgr_data_file:file create;
-allow netmgrd netmgr_data_file:file rw_file_perms;
+allow netmgrd netmgr_data_file:dir w_dir_perms;
+allow netmgrd netmgr_data_file:file create_file_perms;
diff --git a/sepolicy/persist_file.te b/sepolicy/persist_file.te
deleted file mode 100644
index a55225e..0000000
--- a/sepolicy/persist_file.te
+++ /dev/null
@@ -1 +0,0 @@
-allow persist_file self:filesystem associate;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 35b9b3f..ad87045 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,4 +1,4 @@
 allow rild persist_file:dir search;
 allow rild persist_file:file rw_file_perms;
-allow rild system_data_file:dir { write add_name remove_name };
-allow rild system_data_file:sock_file { create write unlink };
+allow rild system_data_file:dir w_dir_perms;
+allow rild system_data_file:sock_file create_file_perms;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
index d4aa68b..ceb8978 100644
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@@ -1,3 +1,2 @@
-allow rmt_storage fsg_file:dir search;
-allow rmt_storage fsg_file:file { read open };
 allow rmt_storage self:capability dac_override;
+r_dir_file(rmt_storage, fsg_file)
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 96cbcd1..a4cc04e 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
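Review bot: In rild.te, `w_dir_perms` and `create_file_perms` on `system_data_file` keep rild creating and managing socket files directly under the generic `/data` label, now with a slightly larger set (`open`/`search` on the dir; `read`, `write`, `rename`, `setattr` on the sock_file) than the explicit `{ write add_name remove_name }` / `{ create write unlink }` they replace. A vendor daemon writing into `system_data_file` is the kind of rule upstream neverallows tend to target; labeling the directory the socket lives in with a rild-specific type in file_contexts (`radio_data_file`, or a new dedicated socket type) and granting that type instead would remove the generic write. If the socket path is not known yet, a comment above these two lines naming the path they were added for would make that follow-up straightforward.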
@@ -1,2 +1,3 @@
 allow system_app sysfs_mmi_fp:file rw_file_perms;
 allow system_app sysfs_mmi_fp:dir search;
+binder_call(system_app, fingerprintd)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 3253d80..b9d34fa 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,2 +1 @@
-allow system_server persist_file:dir rw_dir_perms;
-allow system_server persist_file:file rw_file_perms;
+allow system_server debugfs:dir r_dir_perms;
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
deleted file mode 100644
index 7ff6dc3..0000000
--- a/sepolicy/time_daemon.te
+++ /dev/null
@@ -1 +0,0 @@
-allow time_daemon persist_file:file rw_file_perms;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 57eb7cb..f097515 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -1,4 +1,3 @@
 allow ueventd device:chr_file { relabelfrom relabelto };
 allow ueventd sysfs_mmi_fp:file w_file_perms;
 allow ueventd sysfs_mmi_touch:file w_file_perms;
-allow ueventd sysfs_mmi_touch:dir search;
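Review bot: `binder_call(system_app, fingerprintd)` in system_app.te lets every app in the system_app domain talk to the fingerprint daemon's binder interface directly, bypassing system_server's FingerprintService where the permission checks for enrol/authenticate/remove live; unless one specific system app genuinely needs the daemon's factory interface, the call should go through system_server. If it is needed, the rule is also incomplete on its own, since the app still has to `find` the daemon's service (`allow system_app fingerprintd_service:service_manager find;`) to obtain a handle, and the commit message should name the app and the reason. A comment such as `# <app name> talks to fingerprintd directly for <reason>` above the line would make the exposure reviewable later.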
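Review bot: In system_server.te, `allow system_server debugfs:dir r_dir_perms;` grants directory listing across all of debugfs, which exposes kernel internals broadly; if system_server needs one node, label that path with its own type via `genfscon debugfs <path> u:object_r:<new_type>:s0` and grant only that. The two `persist_file` rw rules are removed with no replacement, and time_daemon.te's only rule (`persist_file:file rw_file_perms`) is deleted outright; if those accesses were real, both domains will start denying once the new /persist labeling is in place, so confirm against the audit log before merging.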