Steve Kondik
48149d05a1
sepolicy: Rule for CM's perfd extension
...
Manual apply and refactor of cm-12.1 patch:
e04329df88211264e7a9c8f1d6b87a16d8d5639b
Use the unix_socket_connect macro and switch to the new
perfd domain.
Change-Id: Ibb83220b32bad7805653140751c978e629f87ffb
2015-11-23 15:11:18 -08:00
codeworkx
01490eface
sepolicy: fix denial for sudaemon
...
fixes root access for apps
Change-Id: Iff443bf4cbea817917da72bbfc58f9fe42acceb5
2015-11-22 09:57:08 -08:00
Dan Pasanen
a90b69e921
sepolicy: add persist_block_device type
...
* This is likely defined in several device trees, but not all
remove it from your device trees if we're going to write rules
for it here.
Change-Id: I1dda04647d36db52525a3d57b485860dfe3eeb30
2015-11-17 08:38:43 -08:00
Steve Kondik
2c3b5d353e
sepolicy: Remove some denials
...
* Allow apps to run the "df" command to look at disk usage.
* Allow thermal engine to check/set battery limits.
Change-Id: I67c863a82a94007e7a5e8ccfde9c095b7277ab84
2015-11-16 19:46:00 -08:00
Steve Kondik
7d3eca93f4
sepolicy: Add policy for thermal engine changes
...
* Cyngn devices will need this.
Change-Id: I1e7528e92d0d4ed8c4029667d7ef3cf9081a6575
2015-11-14 23:58:46 +01:00
myfluxi
98df019cb4
sepolicy: qcom: Remove duplicate entry
...
We have this in qcom/sepolicy/common already.
Change-Id: Ibe6ada531f77d3ec00ff61081d21b3d36a1fe7a7
2015-11-10 17:28:12 +01:00
myfluxi
8501771607
sepolicy: Make superuser_device and sudaemon mlstrustedobjects
...
Address:
avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0
tclass=sock_file permissive=0
avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon"
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0
tclass=unix_stream_socket permissive=0
And thus fix su.
Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
2015-11-05 23:53:50 +01:00
Steve Kondik
aeea5ad7a3
perf: Moving PerformanceManager to CMSDK
...
* Devices will need to update their configurations!
Change-Id: I22cf4ec96656b98f515cf28fef95443cf6adb397
2015-11-03 18:55:49 -08:00
Steve Kondik
714a761061
cm: Remove duplicate SEPolicy items
...
* These are handled by the master SEPolicy now due to neverallow
exceptions which occur on non-production builds.
Change-Id: Id50d9e41e1c8b0b1f26df7921def9e7a201f49d9
2015-10-31 02:08:33 -07:00
Dan Pasanen
9ca9d95a76
sepolicy: remove sudaemon type declaration
...
* this is already defined in external/sepolicy
Change-Id: I541b5de5bb6057f4fa3d88b6e9b9425b65f9963e
2015-10-17 09:22:14 -05:00
Adnan Begovic
c3d3969971
vendor/cm: Fix up service contexts for sepolicy.
...
Change-Id: Ibb04e967bd027c6d1118b8b471ec328c3b034d9d
2015-10-16 13:20:33 -07:00
Dan Pasanen
6ac91cb6d3
sepolicy: remove BOARD_SEPOLICY_UNION
...
* this is a no-op now
Change-Id: I3703a9670285017ce7aec9ac20c63a6f733b8ffa
2015-10-07 12:49:00 -07:00
Ricardo Cerqueira
b026605629
sepolicy: Underp the context for persistent storage
...
The dir's context need love, too
TICKET: CYNGNOS-1185
Change-Id: I659b3ba06079825fe850cf66858a9d98b5f61c46
2015-10-05 13:18:31 -07:00
Ed Falk
95682234f1
sepolicy: allow vold to trim persist
...
Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090
Issue-id: SYSTEMS-62
2015-09-30 14:04:23 -07:00
myfluxi
688479223e
sepolicy: Allow system app to set boot anim property
...
Addresses denials observerd when using QuickBoot:
<4>[ 224.756971] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
<3>[ 224.757094] init: sys_prop: Unable to start service ctl [bootanim] uid:1000 gid:1000 pid:6039
<4>[ 226.306456] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
Change-Id: I338a0a1d5fa12c10e413769ea9638c10ed137000
2015-09-21 18:16:18 -07:00
Steve Kondik
e2f23f0e91
cm: Fix a few denials
...
* Missed a few things when cleaning up devices.
Change-Id: Ib71afd696a564aeeaa80c34ca9744a39891f4b63
2015-09-19 22:49:20 -07:00
Steve Kondik
b5c2cf0408
cm: sepolicy: Create central place for QC-specific policy
...
* We have a number of policy items due to changes in our BSPs or for
other things which interact with the QC sepolicy. Add a place
for us to store this stuff so we don't need to copy it around to
every device.
Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
2015-09-15 15:31:38 -07:00
Steve Kondik
b5dbbdf9cb
cm: sepolicy: Create standard policy for LiveDisplay
...
Change-Id: Icb0047f261861c8fae99ffa4e9053de8d3aa8c73
2015-09-15 15:31:19 -07:00
herriojr
c6d40c01f7
Enable The AppSuggestService
...
We need to enable our custom AppSuggestService in order to show
possible suggestions.
Change-Id: I9489723dfec315c7ff4ab414ebe88c3880876bd3
2015-09-14 10:25:22 -07:00
Adnan Begovic
c37c2313cf
vendor/cm: cmsettings -> cmpartnerinterface
...
Change-Id: I9d9b30da37f243f77647c6d41cf0e0159968b8e2
2015-09-09 17:51:27 -07:00
Steve Kondik
a385501738
cm: SELinux policy for persistent properties API
...
* Set up persistent properties for devices with a /persist partition.
Change-Id: I78974dd4e25831338462c91fc25e36e343795510
2015-09-09 11:53:23 -07:00
Steve Kondik
587a3cff83
cm: Moving CMHW to CMSDK
...
Change-Id: I4dae95dbe68c472ba3703fea588b542758ec8036
2015-08-19 05:30:59 -07:00
Joao Figueiredo
d0f6b187ae
cmsdk: Dual SIM support on CM SDK
...
Change-Id: I209245e1a3165f329ed8a17a942340d96783ca13
2015-08-07 01:32:30 +01:00
Matt Garnes
874defe2bc
Add SettingsManagerService from cmsdk as a system service.
...
Change-Id: I0909a5fd49e8e042293719de93ebc8fbaaa1a196
2015-08-06 16:18:06 -07:00
Steve Kondik
74891faea9
sepolicy: Allow recovery to set system properties
...
* This is used by extremely critical things.
Change-Id: Ie529851469408adac1e081fe4f6dc5daa9002933
2015-08-05 17:54:33 -07:00
Brandon McAnsh
f208523054
sepolicy: system_app: Remove performace setting related entries
...
* Performance Settings has been removed/refactored so these are no longer neccessary.
Change-Id: I5933700815d0037735fc48f8640b37d1f350ea91
Signed-off-by: Brandon McAnsh <brandon.mcansh@gmail.com>
2015-07-14 13:17:01 -07:00
Adnan Begovic
4c4e428da8
vendor/cm: overlay start for ProfileService in external framework.
...
Change-Id: Ib1f8c6d00c2a66cfd8dac2b73ccd1bd053a3a497
2015-06-29 14:39:24 -07:00
Adnan Begovic
b53c503fee
Build CM Platform Library
...
Change-Id: If62e6b1d2ac41730ff2a8d562173abd2cb768f93
Add cmstatusbar service to system server services context
Change-Id: I77c5de75722cc5f36a5326e3da57ab661b89d189
Build Platform resource package.
Change-Id: Id60f66b6db23989db1472a19bcb079b0083f7393
vendor/cm: Lock cm platform library/cmsdk to non-release builds.
Change-Id: I01c1c3fe559d438e28339ce426d7ba7e42724002
2015-05-12 17:45:07 -07:00
Roman Birg
785c50ad3f
vendor: add sepolicy entry for killswitch service
...
Change-Id: Ib3c44c50138f5715d92addbf8df7ed591785b550
Signed-off-by: Roman Birg <roman@cyngn.com>
(cherry picked from commit 2ca5d3999b35d328f0969a264009bffe0faf889d)
2015-04-20 18:46:23 +00:00
Emerson Pinter
dc699fb190
sepolicy: Permissions for userinit
...
Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
2015-03-17 12:12:59 +00:00
Tom Marshall
b4bf950060
sepolicy: recovery: Allow data file write
...
Needed to preserve /data/.layout_version (aka nesting bug fix).
Change-Id: Iaae982223e80ad10479cf1ca3db09da7ada5663e
2015-03-10 03:36:03 +00:00
Scott Mertz
69c2e7f721
[3/3] CmHardwareService: add sepolicy
...
Change-Id: I551f61f40225a679593e94dbd47bb2fb0025da7e
2015-03-07 00:53:36 +00:00
dhacker29
c552843f1a
sepolicy: Allow CMUpdater/uncrypt access to recovery_cache_file
...
Change-Id: I514d128160ed4e04564077d7a2e2ad297af92e28
2015-02-21 17:21:47 -05:00
Christopher R. Palmer
da48ab89ac
sepolicy: Allow vold to create tmpfs files for asec containers
...
Change-Id: Ic8f1641928840774204099453b74dc1b52b3c6f8
2015-02-19 10:55:07 -05:00
Brint E. Kriebel
ac15eaedf9
sepolicy: Allow system apps to write cache and media files
...
Updaters need to be able to read and write to these locations.
Change-Id: I928a5f73ec29ab4fecb717072532d449192f3ca9
2015-02-17 17:36:37 -08:00
dhacker29
b4878d4cf1
sepolicy: Fix denails for flash_recovery service
...
Needed when option is checked to update cm recovery
Change-Id: I0b2fbfd7c141ae03ce14b9afeffd3a027d791c80
2015-02-15 15:03:32 -05:00
Ricardo Cerqueira
c75446d072
sepolicy: Split off /cache/recovery's permissions
...
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
2015-02-11 19:44:43 +00:00
Georg Veichtlbauer
2ccd36c73f
sepolicy: allow userinit to set its property
...
Change-Id: I9d8270d889566d169077a1b1fdaee43059d11ee1
2015-02-09 21:03:35 +00:00
Adam Farden
7b865eb046
sepolicy: actually include mediaserver.te
...
Added in patch e9c2de0679
but not included
Change-Id: I2ae901a7c80fceb33dba2ed4122d2aa47bff5a51
2015-02-04 02:55:18 +00:00
Roman Birg
c71cc6c4a8
cm: add torch service sepolicy entry
...
Change-Id: I6e6feae5fe6b4092c137ee2337c4a15b390df45e
Signed-off-by: Roman Birg <roman@cyngn.com>
2015-02-02 21:20:38 +00:00
Steve Kondik
998f53679b
sepolicy: Let drmserver scan themes
...
Change-Id: I7675b302723ef8700067ae9ef237daf6346a6627
2015-01-25 11:02:24 -08:00
Steve Kondik
77cabf5188
sepolicy: Fix policy for keyhandler
...
Change-Id: I2860f469480b082511e30530aed8a9027e9fe4b9
2015-01-25 10:51:23 -08:00
dhacker29
381a6501fa
sepolicy: Allow cmupdater/uncrypt access to media_rw_data_file
...
Change-Id: I800584af2919e3397b19d229fc28ad50cc4b2730
2015-01-24 22:45:15 +00:00
Steve Kondik
c6eb71e57a
cm: sepolicy: Allow use of dexclassloader by systemserver
...
* Needed for custom keyhandler.
Change-Id: Ifa57ad81951f9e1009eb291726cd8dfe36a3482e
2015-01-22 19:57:12 +00:00
Matt Mower
2806bc4f0c
sepolicy: Additional filesystem perms for recovery
...
Change-Id: I66c785de7256ea64302a258af7c33cb717530343
2015-01-16 14:36:24 +00:00
Clark Scheff
e9c2de0679
sepolicy: Apps need to read themed resources
...
Assets such as composed icons and ringtones need to be accessed
by apps. This patch adds the policy needed to facilitate this.
Change-Id: If47920b2cc5dbafe8d71a621782bb4a3351bd68c
2015-01-14 15:55:41 +00:00
Dan Pasanen
afbfad59d6
sepolicy: new label for io scheduler sysfs nodes
...
* needed for io scheduler in performance settings
Change-Id: I818340ed62e3e1dd2674b93340b31723c7a985f4
2015-01-13 22:34:16 +00:00
Ricardo Cerqueira
a7dfa18fd5
sepolicy: Add policies for the new superuser sockets.
...
Change-Id: Ia3e1044616bee95eb4774254fb098487d983b5db
2015-01-04 01:16:25 +00:00
Pawit Pornkitprasan
24a971ad42
cm: sepolicy: fix performance settings
...
Change-Id: Idea17856b4aef9258688a3ad58d0e5cac6d805a6
2015-01-03 07:57:44 +00:00
Ricardo Cerqueira
c738cc26ca
selinux: Allow recovery to do recursive deletes
...
Our partial wipes (preserving media) require that recovery can
rmdir dirs and getattr files
Change-Id: I206f74131f9a37c5887ef30062adeabb58beaa3a
2015-01-03 04:23:08 +00:00