Move policy files

Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.

Change-Id: Idc475901ed437efb325807897e620904f4ff03e9

file.te

@@ -68,7 +68,8 @@ type asec_apk_file, file_type, data_file_type;
 type asec_image_file, file_type, data_file_type;
 # /data/backup and /data/secure/backup
 type backup_data_file, file_type, data_file_type, mlstrustedobject;
-
+# For /data/security
+type security_file, file_type;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy

file_contexts

@@ -145,6 +145,7 @@
 /data(/.*)?		u:object_r:system_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
+/data/security(/.*)?	u:object_r:security_file:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0

property.te

@@ -8,3 +8,4 @@ type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_rildaemon_prop, property_type;
 type audio_prop, property_type;
+type security_prop, property_type;

property_contexts

@@ -33,7 +33,12 @@ persist.audio.          u:object_r:audio_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.security.       u:object_r:system_prop:s0
-selinux.                u:object_r:system_prop:s0
+
+# mmac persistent properties
+persist.mmac.			u:object_r:security_prop:s0
+
+# selinux non-persistent properties
+selinux.                u:object_r:security_prop:s0
 
 # default property context
 *                       u:object_r:default_prop:s0
@@ -46,6 +51,3 @@ crypto.                 u:object_r:vold_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
 ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0
-
-# mac middleware property
-persist.mac_enforcing_mode    u:object_r:system_prop:s0

system.te

@@ -24,31 +24,26 @@ allow system_app dalvikcache_data_file:file { write setattr };
 unix_socket_connect(system_app, keystore, keystore)
 
 # Read SELinux enforcing status.
+selinux_getenforce(system)
 selinux_getenforce(system_app)
 
+# Settings app reads sdcard for storage stats
+allow system_app sdcard:dir r_dir_perms;
+
 bool manage_selinux true;
 if (manage_selinux) {
-# Set SELinux enforcing status.
-selinux_setenforce(system_app)
-
-# Set SELinux booleans.
-selinux_setbool(system_app)
-
-# Read syslog to display AVC messages.
-allow system_app kernel:system syslog_read;
+selinux_manage_policy(system)
+selinux_manage_policy(system_app)
+access_kmsg(system)
+access_kmsg(system_app)
 }
 
 bool manage_mac true;
 if (manage_mac) {
-# Set properties via the init property service.
-unix_socket_connect(system_app, property, init)
-
-# Set the persist.mac_enforcing_mode property.
-allow system_app system_prop:property_service set;
-
-# Run logcat and read the logs for MAC denials.
-allow system_app system_file:file x_file_perms;
-allow system_app log_device:chr_file read;
+mmac_manage_policy(system)
+mmac_manage_policy(system_app)
+access_logcat(system)
+access_logcat(system_app)
 }
 
 #

te_macros

@@ -224,3 +224,65 @@ allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
+
+#####################################
+# security_access_policy(domain)
+# Read only access to all policy files and
+# selinuxfs
+define(`security_access_policy', `
+allow $1 security_file:dir r_dir_perms;
+allow $1 security_file:file r_file_perms;
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file r_file_perms;
+allow $1 rootfs:dir r_dir_perms;
+allow $1 rootfs:file r_file_perms;
+allow $1 system_file:dir r_dir_perms;
+allow $1 system_file:file r_file_perms;
+')
+
+#####################################
+# selinux_manage_policy(domain)
+# Ability to manage policy files,
+# trigger runtime reload, change
+# enforcing mode, manipulate booleans
+# and access kernel logs.
+define(`selinux_manage_policy', `
+selinux_setenforce($1)
+selinux_setbool($1)
+security_access_policy($1)
+unix_socket_connect($1, property, init)
+allow $1 security_file:dir create_dir_perms;
+allow $1 security_file:file create_file_perms;
+allow $1 security_prop:property_service set;
+')
+
+#####################################
+# mmac_manage_policy(domain)
+# Ability to manage mmac policy files,
+# trigger runtime reload, change
+# mmac enforcing mode and access logcat.
+define(`mmac_manage_policy', `
+unix_socket_connect($1, property, init)
+allow $1 security_file:dir create_dir_perms;
+allow $1 security_file:file create_file_perms;
+allow $1 security_prop:property_service set;
+')
+
+#####################################
+# access_logcat(domain)
+# Ability to read from logcat logs
+# and execute the logcat command
+define(`access_logcat', `
+allow $1 log_device:chr_file read;
+allow $1 system_file:file x_file_perms;
+')
+
+#####################################
+# access_kmsg(domain)
+# Ability to read from kernel logs
+# and execute the klogctl syscall
+# in a non destructive manner. See
+# man 2 klogctl
+define(`access_kmsg', `
+allow $1 kernel:system syslog_read;
+')
\ No newline at end of file