Roman Birg
785c50ad3f
vendor: add sepolicy entry for killswitch service
...
Change-Id: Ib3c44c50138f5715d92addbf8df7ed591785b550
Signed-off-by: Roman Birg <roman@cyngn.com>
(cherry picked from commit 2ca5d3999b35d328f0969a264009bffe0faf889d)
2015-04-20 18:46:23 +00:00
Emerson Pinter
dc699fb190
sepolicy: Permissions for userinit
...
Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
2015-03-17 12:12:59 +00:00
Tom Marshall
b4bf950060
sepolicy: recovery: Allow data file write
...
Needed to preserve /data/.layout_version (aka nesting bug fix).
Change-Id: Iaae982223e80ad10479cf1ca3db09da7ada5663e
2015-03-10 03:36:03 +00:00
Scott Mertz
69c2e7f721
[3/3] CmHardwareService: add sepolicy
...
Change-Id: I551f61f40225a679593e94dbd47bb2fb0025da7e
2015-03-07 00:53:36 +00:00
dhacker29
c552843f1a
sepolicy: Allow CMUpdater/uncrypt access to recovery_cache_file
...
Change-Id: I514d128160ed4e04564077d7a2e2ad297af92e28
2015-02-21 17:21:47 -05:00
Christopher R. Palmer
da48ab89ac
sepolicy: Allow vold to create tmpfs files for asec containers
...
Change-Id: Ic8f1641928840774204099453b74dc1b52b3c6f8
2015-02-19 10:55:07 -05:00
Brint E. Kriebel
ac15eaedf9
sepolicy: Allow system apps to write cache and media files
...
Updaters need to be able to read and write to these locations.
Change-Id: I928a5f73ec29ab4fecb717072532d449192f3ca9
2015-02-17 17:36:37 -08:00
dhacker29
b4878d4cf1
sepolicy: Fix denails for flash_recovery service
...
Needed when option is checked to update cm recovery
Change-Id: I0b2fbfd7c141ae03ce14b9afeffd3a027d791c80
2015-02-15 15:03:32 -05:00
Ricardo Cerqueira
c75446d072
sepolicy: Split off /cache/recovery's permissions
...
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
2015-02-11 19:44:43 +00:00
Georg Veichtlbauer
2ccd36c73f
sepolicy: allow userinit to set its property
...
Change-Id: I9d8270d889566d169077a1b1fdaee43059d11ee1
2015-02-09 21:03:35 +00:00
Adam Farden
7b865eb046
sepolicy: actually include mediaserver.te
...
Added in patch e9c2de0679
but not included
Change-Id: I2ae901a7c80fceb33dba2ed4122d2aa47bff5a51
2015-02-04 02:55:18 +00:00
Roman Birg
c71cc6c4a8
cm: add torch service sepolicy entry
...
Change-Id: I6e6feae5fe6b4092c137ee2337c4a15b390df45e
Signed-off-by: Roman Birg <roman@cyngn.com>
2015-02-02 21:20:38 +00:00
Steve Kondik
998f53679b
sepolicy: Let drmserver scan themes
...
Change-Id: I7675b302723ef8700067ae9ef237daf6346a6627
2015-01-25 11:02:24 -08:00
Steve Kondik
77cabf5188
sepolicy: Fix policy for keyhandler
...
Change-Id: I2860f469480b082511e30530aed8a9027e9fe4b9
2015-01-25 10:51:23 -08:00
dhacker29
381a6501fa
sepolicy: Allow cmupdater/uncrypt access to media_rw_data_file
...
Change-Id: I800584af2919e3397b19d229fc28ad50cc4b2730
2015-01-24 22:45:15 +00:00
Steve Kondik
c6eb71e57a
cm: sepolicy: Allow use of dexclassloader by systemserver
...
* Needed for custom keyhandler.
Change-Id: Ifa57ad81951f9e1009eb291726cd8dfe36a3482e
2015-01-22 19:57:12 +00:00
Matt Mower
2806bc4f0c
sepolicy: Additional filesystem perms for recovery
...
Change-Id: I66c785de7256ea64302a258af7c33cb717530343
2015-01-16 14:36:24 +00:00
Clark Scheff
e9c2de0679
sepolicy: Apps need to read themed resources
...
Assets such as composed icons and ringtones need to be accessed
by apps. This patch adds the policy needed to facilitate this.
Change-Id: If47920b2cc5dbafe8d71a621782bb4a3351bd68c
2015-01-14 15:55:41 +00:00
Dan Pasanen
afbfad59d6
sepolicy: new label for io scheduler sysfs nodes
...
* needed for io scheduler in performance settings
Change-Id: I818340ed62e3e1dd2674b93340b31723c7a985f4
2015-01-13 22:34:16 +00:00
Ricardo Cerqueira
a7dfa18fd5
sepolicy: Add policies for the new superuser sockets.
...
Change-Id: Ia3e1044616bee95eb4774254fb098487d983b5db
2015-01-04 01:16:25 +00:00
Pawit Pornkitprasan
24a971ad42
cm: sepolicy: fix performance settings
...
Change-Id: Idea17856b4aef9258688a3ad58d0e5cac6d805a6
2015-01-03 07:57:44 +00:00
Ricardo Cerqueira
c738cc26ca
selinux: Allow recovery to do recursive deletes
...
Our partial wipes (preserving media) require that recovery can
rmdir dirs and getattr files
Change-Id: I206f74131f9a37c5887ef30062adeabb58beaa3a
2015-01-03 04:23:08 +00:00
Konsta
444ce4a6b1
cm: Remove KSM permissions
...
CM12 doesn't have a KSM setting in performance settings anymore.
KSM should be configured and enabled on device basis.
Change-Id: I98a0cbe1b01a659eb28bcd459be55d78a88bda86
2015-01-01 00:40:37 +00:00
Matt Mower
038fba3cca
sepolicy: remove stray + in type statement
...
Change-Id: Ic34c9ae32658541064a63153612145c6fd3d55b3
2014-12-22 15:21:57 +00:00
Andy Mast
f274019100
selinux: New rw privileges for themes
...
- New theme_data_file context for files under /data/system/theme
- Permit systemserver to create files/dirs under /data/resource-cache
- Permit systemserver to create files/dirs under /data/system/theme
Change-Id: Id597fc20b477ea395a8631623f26a7edde280799
2014-12-19 10:35:48 -08:00
Dan Pasanen
e33cc1d37d
sepolicy: allow recovery read access to /data/media/ files and dirs
...
Change-Id: I41173d72e86f9cf4d79f7c46166eeb71dc19d2f4
2014-12-14 10:44:53 -06:00
Ricardo Cerqueira
ebc1c942e7
selinux: Downgrade CMFM's domain
...
the filemanager doesn't need to be in platform_app. Put it in untrusted_app,
especially since it's a possible su client
Change-Id: I164853f2c8721d86b5b90677cb33032a3b491ff5
2014-12-13 02:44:52 +00:00
Tom Marshall
d553a9f8b5
cm: sepolicy: Remove vold external sdcard rules, moved to main sepolicy
...
Change-Id: I67756bad2c6e1361ecc0052003f2b4e5e4dbb007
2014-12-13 02:13:52 +00:00
Andy Mast
03555ad053
Sepolicy: Add theme service as system service
...
Change-Id: Idfb690be5d35c03610165b914c0a3f2260e68956
2014-12-12 01:00:34 +00:00
Roman Birg
20114d672c
cm: add sepolicy entry for lockscreen wallpaper
...
Change-Id: Ie779392ab8118d192873a01ec5c7de3e5938ed17
Signed-off-by: Roman Birg <roman@cyngn.com>
2014-12-11 18:17:04 +00:00
Ricardo Cerqueira
4df29e013d
selinux: Workaround for devices with PR_SET_NO_NEW_PRIVS enforcement
...
PR_SET_NO_NEW_PRIVS blocks domain transitions from within app_process,
unless the new domain is bounded by the app's context. So we can't
switch to a domain that has perms not available to untrusted_app :(
This means any app can talk to the daemon, bypassing the su executable
client. That's not a good thing, and needs to be resolved.
Change-Id: I85b74f90b8737caaa193a0555b5262e7392519b2
2014-12-10 20:38:34 +00:00
Ricardo Cerqueira
7cd698341f
Revert "SELinux: su: update policies"
...
This reverts commit 04fd9192b0
.
Change-Id: I69e51fb6c151a48972cf81947c1c59c6f26f60e9
2014-12-10 17:19:14 +00:00
Steve Kondik
06ec5853f3
sepolicy: More rules for recovery
...
Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e
2014-12-09 22:20:14 +00:00
Pawit Pornkitprasan
04fd9192b0
SELinux: su: update policies
...
- Integrate policies from domain.te (fixes ES File Manager which uses unix socket)
- Allow platform_app to use su (fixes CM File Manager)
Change-Id: I39dd55e63b44590575bbe6d889c8d77141ba8545
2014-12-08 05:43:14 +00:00
Diogo Ferreira
5c9f9efba6
sepolicy: Fix permissions for service.adb.tcp.port
...
This makes the rule more specific by overriding the upstream sepolicy.
Also adds the adbd context which is necessary for "adb tcpip".
Change-Id: Ia17eb56fc1682ab248764329e88eebd2a4075c97
2014-12-01 20:36:13 +00:00
Pawit Pornkitprasan
e815923b0d
vendor: add policies for netd
...
Required due to CAF's abc9c0f4fe574ee9847f118e5d2ae8c530bac650 in
system/netd
Fixes showing how many devices are connected to the tethered hotspot
Change-Id: I1d83f7ac0b28efa6973e0baf429de2a398c471e3
2014-11-29 23:33:52 -08:00
Chirayu Desai
9e0dba30b7
SELinux: su: Remove extra quote in a comment
...
* Fixes
vendor/cm/sepolicy/su.te:46:WARNING 'unrecognized character' at token '''
Change-Id: I3957ba7ac05062766cbf6c8f3c3975f20c95532e
2014-11-30 03:05:41 +00:00
Ricardo Cerqueira
e4016afa72
Allow SystemServer to set service.adb.tcp.* properties
...
Required for network adb enable/disable to function
Change-Id: I3e2aacb6b8e9b107dcd229187a5dd76128e20001
2014-11-29 09:01:56 -08:00
Tom Marshall
39a4244c77
cm: sepolicy: Add contexts for cm recovery
...
* Allow setup of secure adb (setup_adbd)
* minivold in recovery
Change-Id: Id1243154f4016b59e54890404cadea46a2aad212
2014-11-27 23:05:26 +00:00
Ricardo Cerqueira
d22efb80e1
selinux: Fix healthd's access to /dev nodes
...
Our healthd's support for power-on alarms adds some steps that imply
reading files its user doesn't own. Let it.
Change-Id: I3d4735aaab8fbec7acc460f812bc21f1dfa516ab
2014-11-27 22:57:21 +00:00
Ricardo Cerqueira
fa63e50707
selinux: Add a rule to label the extended keyhandler dex files
...
These should be treated as regular dex cache files, but they're
expanded outside of the normal cache dir
Change-Id: Id046e1b90116b35d2e7817ed4717fcef78135f08
2014-11-27 18:26:39 +00:00
Ricardo Cerqueira
09159ac7ce
Add selinux policies for superuser
...
Change-Id: I878eaa9d25feaedf46e89083f91d6a21f4aff37a
2014-11-27 01:45:53 +00:00
myfluxi
12daaee8a5
vendor: Update SELinux policy for sysinit
...
Change-Id: I41d4c25d9d6246cd2ca0a8ff3b5a4e114e3bc4d4
2014-11-24 15:37:52 +01:00
Kyrylo Mikos
319b556868
[1/2] SEPolicy: Add Edgegesture service.
...
Change-Id: Id9fc2d68b954e1cd6792739309a0df40e2dc998c
2014-11-19 10:04:18 +02:00
Ricardo Cerqueira
15df17f9ac
selinux: Add rules for the audit daemon
...
Change-Id: I050a9ef39d58d2592d880d225d45eb64d8a40b7b
2014-11-09 17:20:54 +00:00
Ricardo Cerqueira
49a30e7d17
Updates for CM12
2014-11-06 14:54:32 +00:00
Steve Kondik
3325783298
sepolicy: Allow relabeling after wallpaper change
...
Change-Id: I89220fae961f483dad8b92faaee9ed8fe6c8a7cf
2014-05-18 18:16:12 -07:00
Steve Kondik
fdf1aff5ad
cm: policy for ipv6 tethering
...
* Enable use of radish via netd for ipv6 tethering
Change-Id: Ifa0e85686fc70f59c089ca40a78cea9935820185
2014-05-11 03:49:18 -07:00
Steve Kondik
d3827c4f41
cm: sepolicy: Allow ueventd to load WiFi and audio irmware
...
* Every device which uses Prima or WCD will hit this, so just allow it.
Change-Id: Ie2303ad7fc3498276d41e567a738cd016f635453
2014-04-05 14:56:09 -07:00
Steve Kondik
002b4f0a4f
cm: sepolicy: Allow ueventd to properly handle cpufreq changes
...
* We need to allow relabeling since these files can pop in and out if
the governor is changed.
Change-Id: Id75099290e24dac9962d4fed8148ec2df9e256b2
2014-04-05 14:05:13 -07:00