From e8aa74e6d3548601b9829c69ba5eb96cba0cd211 Mon Sep 17 00:00:00 2001
From: Pekka Helenius
Date: Thu, 8 Jul 2021 07:45:01 +0300
Subject: [PATCH] Add NFC SELinux policy
---
 .../samsung/s5neolte/sepolicy/file_contexts | 1 +
 device/samsung/s5neolte/sepolicy/nfc.te | 23 +++++++++++++++++++
 .../samsung/s5neolte/sepolicy/seapp_contexts | 1 +
 3 files changed, 25 insertions(+)
 create mode 100644 device/samsung/s5neolte/sepolicy/file_contexts
 create mode 100644 device/samsung/s5neolte/sepolicy/nfc.te
 create mode 100644 device/samsung/s5neolte/sepolicy/seapp_contexts
diff --git a/device/samsung/s5neolte/sepolicy/file_contexts b/device/samsung/s5neolte/sepolicy/file_contexts
new file mode 100644
index 0000000..b0100b6
--- /dev/null
+++ b/device/samsung/s5neolte/sepolicy/file_contexts
@@ -0,0 +1 @@
+/(vendor|system/vendor)/bin/hw/vendor\.hardware\.nfc@\d+\.\d+-service\.samsung u:object_r:nfc_exec:s0
diff --git a/device/samsung/s5neolte/sepolicy/nfc.te b/device/samsung/s5neolte/sepolicy/nfc.te
new file mode 100644
index 0000000..9977ca0
--- /dev/null
+++ b/device/samsung/s5neolte/sepolicy/nfc.te
@@ -0,0 +1,23 @@
+type nfc_exec, exec_type, vendor_file_type, file_type;
+
+# Init transition.
+allow init nfc:process transition;
+
+# Vendor file accesses.
+allow nfc vendor_file:file { entrypoint read };
+
+allow init nfc:process { rlimitinh siginh noatsecure };
+
+allow nfc hal_nfc_hwservice:hwservice_manager { add find };
+allow nfc hidl_base_hwservice:hwservice_manager { add find };
+
+allow nfc mediaserver_exec:file { read };
+
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_nfc no longer directly accesses /data owned by the nfc app.
+typeattribute nfc data_between_core_and_vendor_violators;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
+allow nfc nfc_data_file:dir { search read write create remove_name};
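Review bot: The entrypoint grant in nfc.te is on the generic `vendor_file` type rather than on `nfc_exec`, the label the file_contexts hunk assigns to the HAL binary; as written any vendor_file-labelled executable could serve as an entrypoint into the nfc domain, while the labelled binary itself gets no entrypoint/execute rule on its own type and init gets no execute rule on `nfc_exec`, so the transition appears to depend on the new label never actually being applied. Replacing that line with `init_daemon_domain(nfc)` (or an explicit `allow nfc nfc_exec:file { entrypoint ... }` rule plus init's execute rules on `nfc_exec`) would tie the domain to the type this commit creates. `allow nfc mediaserver_exec:file { read };` carries no comment saying why an NFC HAL must read the mediaserver binary; either drop it or add `# Needed because ... (see <bug/log reference>)`. The final rule `allow nfc nfc_data_file:dir { search read write create remove_name};` is already covered by `create_dir_perms` two lines above and can be removed. Note also that `nfc` is the core NFC app domain in AOSP, so placing the vendor HAL process in it (instead of a hal_nfc_default-style server domain) makes the app and the HAL share one permission set, which is presumably why `data_between_core_and_vendor_violators` was needed.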
diff --git a/device/samsung/s5neolte/sepolicy/seapp_contexts b/device/samsung/s5neolte/sepolicy/seapp_contexts
new file mode 100644
index 0000000..ba968bb
--- /dev/null
+++ b/device/samsung/s5neolte/sepolicy/seapp_contexts
@@ -0,0 +1 @@
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
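Review bot: This entry appears to be the same `user=nfc seinfo=platform domain=nfc type=nfc_data_file` line that the AOSP platform seapp_contexts already carries, so the device copy likely adds nothing and, if checkseapp treats the repeated key as a conflict, may fail the build rather than help. If the line is really needed for this device, a comment above it stating the reason (`# Duplicates the platform entry because ...`) would save the next maintainer from removing it; otherwise dropping the file is the cleaner option.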