[PATCH] (SCH-i515 US LTE) Modified init.tuna.rc for proper labeling of /factory/* files.[PUBLIC DOMAIN]

[PATCH] (SCH-i515 US LTE) Modified init.tuna.rc for proper labeling of /factory/* files.[PUBLIC DOMAIN]

[Bryan Hinton]

Change-Id: I48f8623ec24728517597fcd77c9c7f3fab5db9be
---
 init.tuna.rc |   18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)

diff --git a/init.tuna.rc b/init.tuna.rc
index 70f1cbe..354c292 100755
--- a/init.tuna.rc
+++ b/init.tuna.rc
@@ -23,6 +23,9 @@ on post-fs-data
 	mkdir /data/misc/camera 0770 media media
 	mkdir /data/misc/camera/R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044 0770 media media
 
+   # remount factory as read-only
+   mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory ro remount
+
 	setprop vold.post_fs_data_done 1
 
 # LTE
@@ -56,7 +59,11 @@ on fs
 	setprop ro.crypto.tmpfs_options size=128m,mode=0771,uid=1000,gid=1000
 	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/userdata /data wait noatime nosuid nodev nomblk_io_submit,errors=panic
 	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/cache /cache wait noatime nosuid nodev nomblk_io_submit,errors=panic
-	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory wait ro
+	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory wait
+   chown radio radio /factory
+   restorecon /factory
+   restorecon /factory/nv_data.bin
+   restorecon /factory/nv_data.bin.md5
 	setprop ro.crypto.fuse_sdcard true
 
 # change permissions for mtd device
@@ -82,6 +89,14 @@ on fs
 
 # add symlink for HDCP key
         symlink /factory/hdcp.keys /system/vendor/firmware/hdcp.keys
+        restorecon /factory/hdcp.keys
+        restorecon /factory/imei
+
+# wifi
+   restorecon /factory/wifi
+
+# wv
+   restorecon /factory/wv.keys
 
 # nfc
     setprop ro.nfc.port "COM4"
@@ -98,6 +113,7 @@ on fs
 	chmod 0660 /sys/class/rfkill/rfkill0/state
 	chown bluetooth bluetooth /sys/class/rfkill/rfkill0/state
 	chown bluetooth bluetooth /sys/class/rfkill/rfkill0/type
+   restorecon /factory/bluetooth
 
 # backlight
 	chown system system /sys/class/backlight/s6e8aa0/brightness
-- 
1.7.5.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] (SCH-i515 US LTE) Modified init.tuna.rc for proper labeling of /factory/* files.[PUBLIC DOMAIN]

[Stephen Smalley]

On Tue, 2012-03-06 at 19:31 -0600, Bryan Hinton wrote:
> Change-Id: I48f8623ec24728517597fcd77c9c7f3fab5db9be
> ---
>  init.tuna.rc |   18 +++++++++++++++++-
>  1 files changed, 17 insertions(+), 1 deletions(-)
> 
> diff --git a/init.tuna.rc b/init.tuna.rc
> index 70f1cbe..354c292 100755
> --- a/init.tuna.rc
> +++ b/init.tuna.rc
> @@ -23,6 +23,9 @@ on post-fs-data
>  	mkdir /data/misc/camera 0770 media media
>  	mkdir /data/misc/camera/R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044 0770 media media
>  
> +   # remount factory as read-only
> +   mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory ro remount
> +

Indentation/whitespace should match the rest of the file.  In this file,
they seem to use tabs rather than spaces.  This applies through the
changes to this file.

Also, could we do this particular change earlier, right after the
restorecon calls below?  Any reason to wait until post-fs-data?  Likely
safer to make it read-only as early as possible.

>  	setprop vold.post_fs_data_done 1
>  
>  # LTE
> @@ -56,7 +59,11 @@ on fs
>  	setprop ro.crypto.tmpfs_options size=128m,mode=0771,uid=1000,gid=1000
>  	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/userdata /data wait noatime nosuid nodev nomblk_io_submit,errors=panic
>  	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/cache /cache wait noatime nosuid nodev nomblk_io_submit,errors=panic
> -	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory wait ro
> +	mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory wait
> +   chown radio radio /factory

They do a chown radio radio /factor down further below (along with
chmod), so you could just move the restorecon calls right after the
chown/chmod calls.  Seems like the fact that they mount it ro originally
is a bug since the chown/chmod won't work then either.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] (SCH-i515 US LTE) Modified init.tuna.rc for proper labeling of /factory/* files.[PUBLIC DOMAIN]

[Bryan Hinton]

Comments below

On Thu, Mar 8, 2012 at 9:29 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Tue, 2012-03-06 at 19:31 -0600, Bryan Hinton wrote:
>> Change-Id: I48f8623ec24728517597fcd77c9c7f3fab5db9be
>> ---
>>  init.tuna.rc |   18 +++++++++++++++++-
>>  1 files changed, 17 insertions(+), 1 deletions(-)
>>
>> diff --git a/init.tuna.rc b/init.tuna.rc
>> index 70f1cbe..354c292 100755
>> --- a/init.tuna.rc
>> +++ b/init.tuna.rc
>> @@ -23,6 +23,9 @@ on post-fs-data
>>       mkdir /data/misc/camera 0770 media media
>>       mkdir /data/misc/camera/R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044 0770 media media
>>
>> +   # remount factory as read-only
>> +   mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory ro remount
>> +
>
> Indentation/whitespace should match the rest of the file.  In this file,
> they seem to use tabs rather than spaces.  This applies through the
> changes to this file.
>
> Also, could we do this particular change earlier, right after the
> restorecon calls below?  Any reason to wait until post-fs-data?  Likely
> safer to make it read-only as early as possible.
Yes, agree, the ro remount should be moved to the earliest point in time.
I was attempting to move the ro remount to the earliest point.
I placed the remount in 'post-fs-data' because of the wait flag on
mount for /factory fs in the 'on fs' action.
I was about to add a post-fs action but hesitated since there is not
one in the init.tuna.rc.
I initially placed the remount after restorecon in on fs, but ran into
a problem doing so.
I'm thinking there should not be a wait on /factory. What are your thoughts?
Consequently, wait could be removed from the initial mount for
/factory in 'on fs' and the ro remount could be placed right after the
restorecon calls in 'on fs'.
This could use some refining and testing which I will continue to do.

>>       setprop vold.post_fs_data_done 1
>>
>>  # LTE
>> @@ -56,7 +59,11 @@ on fs
>>       setprop ro.crypto.tmpfs_options size=128m,mode=0771,uid=1000,gid=1000
>>       mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/userdata /data wait noatime nosuid nodev nomblk_io_submit,errors=panic
>>       mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/cache /cache wait noatime nosuid nodev nomblk_io_submit,errors=panic
>> -     mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory wait ro
>> +     mount ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory wait
>> +   chown radio radio /factory
>
> They do a chown radio radio /factor down further below (along with
> chmod), so you could just move the restorecon calls right after the
> chown/chmod calls.  Seems like the fact that they mount it ro originally
> is a bug since the chown/chmod won't work then either.
>
Yes, or move the chown/chmod calls up to the top of 'on fs' since we
want to minimize the time that /factory is rw.  The initial ro mount
does seem like a bug.
Also, chown radio radio seems too broad (in terms of naming
conventions) for /factory as all of the files within /factory are not
radio related.  An efs group id for /factory seems more fitting.

> --
> Stephen Smalley
> National Security Agency
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] (SCH-i515 US LTE) Modified init.tuna.rc for proper labeling of /factory/* files.[PUBLIC DOMAIN]

[Stephen Smalley]

On Tue, 2012-03-06 at 19:31 -0600, Bryan Hinton wrote:
> Change-Id: I48f8623ec24728517597fcd77c9c7f3fab5db9be
> ---
>  init.tuna.rc |   18 +++++++++++++++++-
>  1 files changed, 17 insertions(+), 1 deletions(-)

Merged, with indentation fixes on top.  Thanks.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] (SCH-i515 US LTE) Modified init.tuna.rc for proper labeling of /factory/* files.[PUBLIC DOMAIN]

[William Roberts]

[-- Attachment #1.1: Type: text/plain, Size: 52 bytes --]

Their was some indentations missed, see below patch:

Re: [PATCH] (SCH-i515 US LTE) Modified init.tuna.rc for proper labeling of /factory/* files.[PUBLIC DOMAIN]

[Stephen Smalley]

On Mon, 2012-03-19 at 14:59 -0700, William Roberts wrote:
> Their was some indentations missed, see below patch:
> 
> 
> From c6a562721491441472336efea6590739155e72ea Mon Sep 17 00:00:00 2001
> From: William Roberts <w.roberts@sta.samsung.com>
> Date: Mon, 19 Mar 2012 14:51:58 -0700
> Subject: [PATCH] Fixed indentation
> 
> 
> Change-Id: Ib9643732abd6a7b8321389096f374f873e288abe

Thanks.  Patch was whitespace-damaged, but I applied it manually.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.