authorAmit Pundir <amit.pundir@linaro.org>2018-04-12 11:00:06 +0530
committerAmit Pundir <amit.pundir@linaro.org>2018-04-16 00:46:00 +0530
commitaa973f2f791a4be05d171e2316888361a79813df (patch)
tree181164606bd3f47674c471300676b20ee74bb8ae
parent46b1b4d39fd80031c7325c72e3b0ee2306c9c667 (diff)
sepolicy: Set SELinux in enforcing mode
Minimal SELinux policies to boot dragonboards to UI. Change-Id: I05f3ccd346cb9bf09529db44466896dd5225adb4 Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
-rw-r--r--BoardConfigCommon.mk1
-rw-r--r--db410c32_only/BoardConfig.mk2
-rw-r--r--db820c/BoardConfig.mk2
-rw-r--r--sepolicy/file.te3
-rw-r--r--sepolicy/file_contexts11
-rw-r--r--sepolicy/genfs_contexts1
-rw-r--r--sepolicy/hal_graphics_composer_default.te3
-rw-r--r--sepolicy/surfaceflinger.te2
8 files changed, 17 insertions, 8 deletions
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 811be39..e8e5a23 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -53,7 +53,6 @@ BOARD_WLAN_DEVICE := qcwcn
BOARD_HAVE_BLUETOOTH := true
BOARD_SEPOLICY_DIRS += \
- build/target/board/generic/sepolicy \
device/linaro/dragonboard/sepolicy \
system/bt/vendor_libs/linux/sepolicy
diff --git a/db410c32_only/BoardConfig.mk b/db410c32_only/BoardConfig.mk
index 9abe09c..602997f 100644
--- a/db410c32_only/BoardConfig.mk
+++ b/db410c32_only/BoardConfig.mk
@@ -19,7 +19,7 @@ TARGET_BOARD_PLATFORM := db410c_32
# Image Configuration
BOARD_KERNEL_BASE := 0x80008000
BOARD_MKBOOTIMG_ARGS := --ramdisk_offset 0x0
-BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive firmware_class.path=/system/vendor/firmware/ androidboot.hardware=db410c
+BOARD_KERNEL_CMDLINE := firmware_class.path=/system/vendor/firmware/ androidboot.hardware=db410c
BOARD_KERNEL_CMDLINE += printk.devkmsg=on
BOARD_SYSTEMIMAGE_PARTITION_SIZE := 1288491008
BOARD_USERDATAIMAGE_PARTITION_SIZE := 5653544960
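Review bot: With `androidboot.selinux=permissive` dropped from `BOARD_KERNEL_CMDLINE`, nothing in the file records that enforcing mode now depends on that parameter staying absent, so a later bring-up edit could quietly put it back. A short comment above the assignment would make the intent explicit, e.g. `# SELinux runs enforcing by default; do not add androidboot.selinux=permissive here`. The same applies to the matching hunk in db820c/BoardConfig.mk. It is also worth confirming that the bootloader does not append its own `androidboot.selinux` value to the command line, which this diff cannot show.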
diff --git a/db820c/BoardConfig.mk b/db820c/BoardConfig.mk
index 100e368..3b36403 100644
--- a/db820c/BoardConfig.mk
+++ b/db820c/BoardConfig.mk
@@ -10,7 +10,7 @@ TARGET_BOARD_PLATFORM := db820c
# Image Configuration
BOARD_KERNEL_BASE := 0x80000000
BOARD_KERNEL_PAGESIZE := 4096
-BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive firmware_class.path=/system/vendor/firmware/ androidboot.hardware=db820c
+BOARD_KERNEL_CMDLINE := firmware_class.path=/system/vendor/firmware/ androidboot.hardware=db820c
BOARD_KERNEL_CMDLINE += printk.devkmsg=on maxcpus=2
BOARD_SYSTEMIMAGE_PARTITION_SIZE := 3221225472
BOARD_USERDATAIMAGE_PARTITION_SIZE := 12884901888
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 0db8b94..e9f3496 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1 +1,2 @@
-type sync_file, fs_type, debugfs_type;
+type debugfs_sync, fs_type, debugfs_type;
+type sw_sync_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 97258e7..688de5f 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,3 +1,8 @@
-/dev/sw_sync u:object_r:graphics_device:s0
-/sys/kernel/debug/sync u:object_r:sync_file:s0
-/sys/kernel/debug/sync(/.*)? u:object_r:sync_file:s0
+/dev/ttyMSM0 u:object_r:console_device:s0
+
+/dev/sw_sync u:object_r:sw_sync_device:s0
+/sys/kernel/debug/sync u:object_r:debugfs_sync:s0
+/sys/kernel/debug/sync(/.*)? u:object_r:debugfs_sync:s0
+
+/dev/dri/card0 u:object_r:gpu_device:s0
+/dev/dri/renderD128 u:object_r:gpu_device:s0
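Review bot: The two `/sys/kernel/debug/sync` entries overlap, because the `(/.*)?` pattern already matches the bare directory. The new `genfscon debugfs /sync` line in sepolicy/genfs_contexts labels the same tree, so `debugfs_sync` is now assigned in three places. debugfs is normally labelled through genfscon, so the file_contexts entries are probably redundant; keeping a single source avoids the definitions drifting apart. Separately, `/dev/dri/card0` and `/dev/dri/renderD128` are matched literally, so a board whose DRM nodes enumerate differently would leave them with the default device label and hit denials under enforcing. A comment saying the fixed node names are intentional would record that choice.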
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..aae4d97
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon debugfs /sync u:object_r:debugfs_sync:s0
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..037a292
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };
+allow hal_graphics_composer_default debugfs_sync:file { ioctl open read write };
+allow hal_graphics_composer_default debugfs_sync:dir search;
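Review bot: `allow hal_graphics_composer_default debugfs_sync:file { ioctl open read write };` gives the composer HAL write and ioctl access to every file labelled `debugfs_sync`. Per the file_contexts and genfs_contexts changes in this commit, that is the whole `/sys/kernel/debug/sync` tree rather than a single node. If the HAL only needs one node there (an inference; the consumer is not visible in this diff), label that node with its own type and grant on it, so enforcing mode does not carry a broader debugfs write grant than necessary. The new file also has no comments; one line above each rule naming the feature that needs the uevent socket and the debugfs access would let a later reviewer tell whether a permission can be dropped.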
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 9849b7b..a77e5f3 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1 +1 @@
-allow surfaceflinger sync_file:file rw_file_perms;
+allow surfaceflinger sw_sync_device:chr_file rw_file_perms;