Move policy files
Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.
Change-Id: Idc475901ed437efb325807897e620904f4ff03e9
diff --git a/file.te b/file.te
index 4dbf1c8..484b8fe 100644
--- a/file.te
+++ b/file.te
@@ -68,7 +68,8 @@
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
-
+# For /data/security
+type security_file, file_type;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
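Review bot: The new `type security_file, file_type;` is the only /data type in this hunk declared without `data_file_type` — the neighbouring `asec_image_file` and `backup_data_file` both carry it, and the file_contexts hunk maps it to `/data/security(/.*)?`. The page does not say whether the omission is deliberate (it does keep generic data_file_type rules from reaching the policy directory) or an oversight. If it is intentional, the comment should record that, e.g. `# For /data/security; deliberately not data_file_type`; if not, the attribute list should match its neighbours.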
diff --git a/file_contexts b/file_contexts
index c47b44b..0d2db38 100644
--- a/file_contexts
+++ b/file_contexts
@@ -145,6 +145,7 @@
/data(/.*)? u:object_r:system_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
+/data/security(/.*)? u:object_r:security_file:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/gps(/.*)? u:object_r:gps_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
diff --git a/property.te b/property.te
index ed84c64..adebc6a 100644
--- a/property.te
+++ b/property.te
@@ -8,3 +8,4 @@
type ctl_dumpstate_prop, property_type;
type ctl_rildaemon_prop, property_type;
type audio_prop, property_type;
+type security_prop, property_type;
diff --git a/property_contexts b/property_contexts
index d86bcb6..7b0ce04 100644
--- a/property_contexts
+++ b/property_contexts
@@ -33,7 +33,12 @@
persist.sys. u:object_r:system_prop:s0
persist.service. u:object_r:system_prop:s0
persist.security. u:object_r:system_prop:s0
-selinux. u:object_r:system_prop:s0
+
+# mmac persistent properties
+persist.mmac. u:object_r:security_prop:s0
+
+# selinux non-persistent properties
+selinux. u:object_r:security_prop:s0
# default property context
* u:object_r:default_prop:s0
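Review bot: `persist.security.` stays labelled `system_prop` while the adjacent `persist.mmac.` and `selinux.` prefixes are moved to the new, narrower `security_prop`, and nothing on the page explains why one security-related prefix keeps the broad label. If that is intentional, a comment above the line (`# persist.security. stays system_prop: <reason>`) would make it explicit; if not, it belongs with the other `security_prop` entries added here.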
@@ -46,6 +51,3 @@
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
ctl. u:object_r:ctl_default_prop:s0
-
-# mac middleware property
-persist.mac_enforcing_mode u:object_r:system_prop:s0
diff --git a/system.te b/system.te
index 7e207c3..a872516 100644
--- a/system.te
+++ b/system.te
@@ -24,31 +24,26 @@
unix_socket_connect(system_app, keystore, keystore)
# Read SELinux enforcing status.
+selinux_getenforce(system)
selinux_getenforce(system_app)
+# Settings app reads sdcard for storage stats
+allow system_app sdcard:dir r_dir_perms;
+
bool manage_selinux true;
if (manage_selinux) {
-# Set SELinux enforcing status.
-selinux_setenforce(system_app)
-
-# Set SELinux booleans.
-selinux_setbool(system_app)
-
-# Read syslog to display AVC messages.
-allow system_app kernel:system syslog_read;
+selinux_manage_policy(system)
+selinux_manage_policy(system_app)
+access_kmsg(system)
+access_kmsg(system_app)
}
bool manage_mac true;
if (manage_mac) {
-# Set properties via the init property service.
-unix_socket_connect(system_app, property, init)
-
-# Set the persist.mac_enforcing_mode property.
-allow system_app system_prop:property_service set;
-
-# Run logcat and read the logs for MAC denials.
-allow system_app system_file:file x_file_perms;
-allow system_app log_device:chr_file read;
+mmac_manage_policy(system)
+mmac_manage_policy(system_app)
+access_logcat(system)
+access_logcat(system_app)
}
#
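Review bot: The `allow system_app sdcard:dir r_dir_perms;` rule added under "Settings app reads sdcard for storage stats" is unrelated to moving the policy files and is not mentioned in the commit message; it should be a separate change, or at least be named in the description so the new grant can be reviewed on its own. The two booleans also now apply to the `system` domain as well as `system_app` (`selinux_manage_policy(system)`, `mmac_manage_policy(system)`), which widens who may set enforcing mode and write `security_file`; if that is intended, a short comment inside each `if` block naming why both domains need it would help. The unconditional `selinux_getenforce(system)` sits under the existing "Read SELinux enforcing status." comment, which is fine, but the sdcard rule then interrupts that group before `bool manage_selinux`.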
diff --git a/te_macros b/te_macros
index 7883c40..bda87d4 100644
--- a/te_macros
+++ b/te_macros
@@ -224,3 +224,65 @@
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security setbool;
')
+
+#####################################
+# security_access_policy(domain)
+# Read only access to all policy files and
+# selinuxfs
+define(`security_access_policy', `
+allow $1 security_file:dir r_dir_perms;
+allow $1 security_file:file r_file_perms;
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file r_file_perms;
+allow $1 rootfs:dir r_dir_perms;
+allow $1 rootfs:file r_file_perms;
+allow $1 system_file:dir r_dir_perms;
+allow $1 system_file:file r_file_perms;
+')
+
+#####################################
+# selinux_manage_policy(domain)
+# Ability to manage policy files,
+# trigger runtime reload, change
+# enforcing mode, manipulate booleans
+# and access kernel logs.
+define(`selinux_manage_policy', `
+selinux_setenforce($1)
+selinux_setbool($1)
+security_access_policy($1)
+unix_socket_connect($1, property, init)
+allow $1 security_file:dir create_dir_perms;
+allow $1 security_file:file create_file_perms;
+allow $1 security_prop:property_service set;
+')
+
+#####################################
+# mmac_manage_policy(domain)
+# Ability to manage mmac policy files,
+# trigger runtime reload, change
+# mmac enforcing mode and access logcat.
+define(`mmac_manage_policy', `
+unix_socket_connect($1, property, init)
+allow $1 security_file:dir create_dir_perms;
+allow $1 security_file:file create_file_perms;
+allow $1 security_prop:property_service set;
+')
+
+#####################################
+# access_logcat(domain)
+# Ability to read from logcat logs
+# and execute the logcat command
+define(`access_logcat', `
+allow $1 log_device:chr_file read;
+allow $1 system_file:file x_file_perms;
+')
+
+#####################################
+# access_kmsg(domain)
+# Ability to read from kernel logs
+# and execute the klogctl syscall
+# in a non destructive manner. See
+# man 2 klogctl
+define(`access_kmsg', `
+allow $1 kernel:system syslog_read;
+')
\ No newline at end of file
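Review bot: The header comments of `selinux_manage_policy` and `mmac_manage_policy` promise log access the macro bodies do not grant: the former says "and access kernel logs" but contains no `kernel:system syslog_read` rule, and the latter says "and access logcat" but has no `log_device` rule — those come only from the separate `access_kmsg`/`access_logcat` macros that system.te invokes next to them. Either drop the phrases or call the logging macros from inside, e.g. change `# and access kernel logs.` to `# (kernel log access is granted separately by access_kmsg).` and `# mmac enforcing mode and access logcat.` to `# mmac enforcing mode (logcat access: see access_logcat).`. The four rules shared by both macros (the `unix_socket_connect` to init, the two `security_file` create rules and the `security_prop` set) are duplicated verbatim, so a shared helper would keep them from drifting apart. The `access_logcat` comment says "execute the logcat command", but `system_file:file x_file_perms` permits executing any system_file-labelled binary, and the comment should say so to make the breadth of the grant visible. The file also now ends without a trailing newline.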