Merge pull request #3 from ramsudharsan/cm-12.1

surnia: SELinux is now 'Enforcing'

BoardConfig.mk

@@ -41,7 +41,7 @@ TARGET_USE_QCOM_BIONIC_OPTIMIZATION := true
 #Kernel
 BOARD_CUSTOM_BOOTIMG_MK := $(LOCAL_PATH)/mkbootimg.mk
 BOARD_KERNEL_BASE := 0x80000000
-BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x3F ehci-hcd.park=3 vmalloc=400M androidboot.bootdevice=soc.0 utags.blkdev=/dev/block/platform/soc.0/by-name/utags utags.backup=/dev/block/platform/soc.0/by-name/utagsBackup movablecore=160M androidboot.selinux=permissive
+BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x3F ehci-hcd.park=3 vmalloc=400M androidboot.bootdevice=soc.0 utags.blkdev=/dev/block/platform/soc.0/by-name/utags utags.backup=/dev/block/platform/soc.0/by-name/utagsBackup movablecore=160M
 BOARD_KERNEL_PAGESIZE := 2048
 BOARD_KERNEL_SEPARATED_DT := true
 BOARD_RAMDISK_OFFSET := 0x01000000
@@ -141,24 +141,30 @@ BOARD_SEPOLICY_DIRS += \
 BOARD_SEPOLICY_UNION += \
     atvc.te \
     batt_health.te \
+    bluetooth_loader.te \
+    bootanim.te \
     device.te \
     dropboxd.te \
     file.te \
     file_contexts \
+    healthd.te \
     init.te \
     init_shell.te \
     mbm_spy.te \
     mm-qcamerad.te \
     mpdecision.te \
     property.te \
     property_contexts \
+    qseecomd.te \
     rild.te \
     rmt_storage.te \
     stml0xx.te \
+    surfaceflinger.te \
     system_server.te \
     tcmd.te \
     tee.te \
-    ueventd.te
+    ueventd.te \
+    wcnss_service.te
 
 # Time services
 BOARD_USES_QC_TIME_SERVICES := true

sepolicy/bluetooth_loader.te

@@ -0,0 +1,43 @@
+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+# Run init.qcom.bt.sh
+allow bluetooth_loader shell_exec:file { entrypoint read };
+allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans };
+
+# init.qcom.bt.sh needs /system/bin/log access
+allow bluetooth_loader devpts:chr_file rw_file_perms;
+
+# Run hci_qcomm_init from init.qcom.bt.sh
+domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
+allow hci_attach bluetooth_loader:fd use;
+
+# Read mac address from persist partition
+allow bluetooth_loader persist_file:dir search;
+r_dir_file(bluetooth_loader, bluetooth_data_file)
+allow bluetooth_loader self:capability { dac_override dac_read_search chown };
+
+# It may write a random mac here
+allow bluetooth_loader persist_file:dir { add_name write };
+allow bluetooth_loader persist_file:file { create_file_perms };
+
+# Talk to init over the property socket
+unix_socket_connect(bluetooth_loader, property, init)
+# Set persist.service.bdroid.* and bluetooth.* property values
+allow bluetooth_loader bluetooth_prop:property_service set;
+
+# Allow getprop/setprop for init.qcom.bt.sh
+allow bluetooth_loader system_file:file execute_no_trans;
+
+# Access the smd device
+allow bluetooth_loader hci_attach_dev:chr_file rw_file_perms;
+
+# And qmuxd
+allow bluetooth_loader qmuxd_socket:dir { write add_name remove_name search };
+allow bluetooth_loader qmuxd_socket:sock_file { create setattr getattr write unlink };
+allow bluetooth_loader qmuxd:unix_stream_socket { connectto };
+#

sepolicy/bootanim.te

@@ -0,0 +1,2 @@
+allow bootanim mpctl_socket:dir search;
+unix_socket_send(bootanim, mpctl, perfd)

sepolicy/healthd.te

@@ -0,0 +1 @@
+allow healthd rtc_device:chr_file rw_file_perms;

sepolicy/perfd.te

@@ -0,0 +1,2 @@
+allow perfd sysfs_devices_system_iosched:file rw_file_perms;
+unix_socket_connect(perfd, thermal, thermal-engine)

sepolicy/property_contexts

@@ -1,2 +1,5 @@
 # Motorola service properties
 persist.atvc                u:object_r:atvc_prop:s0
+
+qualcomm.bluetooth.         u:object_r:bluetooth_prop:s0
+qualcomm.bt.                u:object_r:bluetooth_prop:s0

sepolicy/qseecomd.te

@@ -0,0 +1 @@
+allow tee system_prop:property_service set;

sepolicy/surfaceflinger.te

@@ -0,0 +1,2 @@
+# secure display
+allow surfaceflinger persist_file:dir r_dir_perms;

sepolicy/system_server.te

@@ -3,4 +3,5 @@ allow system_server vibeamp_sysfs:file { getattr open read write };
 
 allow system_server default_prop:property_service set;
 
+allow system_server time_daemon:unix_stream_socket connectto;
 

sepolicy/wcnss_service.te

@@ -0,0 +1 @@
+allow wcnss_service persist_file:dir search;