Dan Pasanen
6ac91cb6d3
sepolicy: remove BOARD_SEPOLICY_UNION
...
* this is a no-op now
Change-Id: I3703a9670285017ce7aec9ac20c63a6f733b8ffa
2015-10-07 12:49:00 -07:00
Ricardo Cerqueira
b026605629
sepolicy: Underp the context for persistent storage
...
The dir's context needs love, too
TICKET: CYNGNOS-1185
Change-Id: I659b3ba06079825fe850cf66858a9d98b5f61c46
2015-10-05 13:18:31 -07:00
Ed Falk
95682234f1
sepolicy: allow vold to trim persist
...
Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090
Issue-id: SYSTEMS-62
2015-09-30 14:04:23 -07:00
myfluxi
688479223e
sepolicy: Allow system app to set boot anim property
...
Addresses denials observed when using QuickBoot:
<4>[ 224.756971] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
<3>[ 224.757094] init: sys_prop: Unable to start service ctl [bootanim] uid:1000 gid:1000 pid:6039
<4>[ 226.306456] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
Change-Id: I338a0a1d5fa12c10e413769ea9638c10ed137000
2015-09-21 18:16:18 -07:00
Steve Kondik
e2f23f0e91
cm: Fix a few denials
...
* Missed a few things when cleaning up devices.
Change-Id: Ib71afd696a564aeeaa80c34ca9744a39891f4b63
2015-09-19 22:49:20 -07:00
Steve Kondik
b5c2cf0408
cm: sepolicy: Create central place for QC-specific policy
...
* We have a number of policy items due to changes in our BSPs or for
other things which interact with the QC sepolicy. Add a place
for us to store this stuff so we don't need to copy it around to
every device.
Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
2015-09-15 15:31:38 -07:00
Steve Kondik
b5dbbdf9cb
cm: sepolicy: Create standard policy for LiveDisplay
...
Change-Id: Icb0047f261861c8fae99ffa4e9053de8d3aa8c73
2015-09-15 15:31:19 -07:00
herriojr
c6d40c01f7
Enable The AppSuggestService
...
We need to enable our custom AppSuggestService in order to show
possible suggestions.
Change-Id: I9489723dfec315c7ff4ab414ebe88c3880876bd3
2015-09-14 10:25:22 -07:00
Adnan Begovic
c37c2313cf
vendor/cm: cmsettings -> cmpartnerinterface
...
Change-Id: I9d9b30da37f243f77647c6d41cf0e0159968b8e2
2015-09-09 17:51:27 -07:00
Steve Kondik
a385501738
cm: SELinux policy for persistent properties API
...
* Set up persistent properties for devices with a /persist partition.
Change-Id: I78974dd4e25831338462c91fc25e36e343795510
2015-09-09 11:53:23 -07:00
Steve Kondik
587a3cff83
cm: Moving CMHW to CMSDK
...
Change-Id: I4dae95dbe68c472ba3703fea588b542758ec8036
2015-08-19 05:30:59 -07:00
Joao Figueiredo
d0f6b187ae
cmsdk: Dual SIM support on CM SDK
...
Change-Id: I209245e1a3165f329ed8a17a942340d96783ca13
2015-08-07 01:32:30 +01:00
Matt Garnes
874defe2bc
Add SettingsManagerService from cmsdk as a system service.
...
Change-Id: I0909a5fd49e8e042293719de93ebc8fbaaa1a196
2015-08-06 16:18:06 -07:00
Steve Kondik
74891faea9
sepolicy: Allow recovery to set system properties
...
* This is used by extremely critical things.
Change-Id: Ie529851469408adac1e081fe4f6dc5daa9002933
2015-08-05 17:54:33 -07:00
Brandon McAnsh
f208523054
sepolicy: system_app: Remove performance setting related entries
...
* Performance Settings has been removed/refactored so these are no longer necessary.
Change-Id: I5933700815d0037735fc48f8640b37d1f350ea91
Signed-off-by: Brandon McAnsh <brandon.mcansh@gmail.com>
2015-07-14 13:17:01 -07:00
Adnan Begovic
4c4e428da8
vendor/cm: overlay start for ProfileService in external framework.
...
Change-Id: Ib1f8c6d00c2a66cfd8dac2b73ccd1bd053a3a497
2015-06-29 14:39:24 -07:00
Adnan Begovic
b53c503fee
Build CM Platform Library
...
Change-Id: If62e6b1d2ac41730ff2a8d562173abd2cb768f93
Add cmstatusbar service to system server services context
Change-Id: I77c5de75722cc5f36a5326e3da57ab661b89d189
Build Platform resource package.
Change-Id: Id60f66b6db23989db1472a19bcb079b0083f7393
vendor/cm: Lock cm platform library/cmsdk to non-release builds.
Change-Id: I01c1c3fe559d438e28339ce426d7ba7e42724002
2015-05-12 17:45:07 -07:00
Roman Birg
785c50ad3f
vendor: add sepolicy entry for killswitch service
...
Change-Id: Ib3c44c50138f5715d92addbf8df7ed591785b550
Signed-off-by: Roman Birg <roman@cyngn.com>
(cherry picked from commit 2ca5d3999b35d328f0969a264009bffe0faf889d)
2015-04-20 18:46:23 +00:00
Emerson Pinter
dc699fb190
sepolicy: Permissions for userinit
...
Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
2015-03-17 12:12:59 +00:00
Tom Marshall
b4bf950060
sepolicy: recovery: Allow data file write
...
Needed to preserve /data/.layout_version (aka nesting bug fix).
Change-Id: Iaae982223e80ad10479cf1ca3db09da7ada5663e
2015-03-10 03:36:03 +00:00
Scott Mertz
69c2e7f721
[3/3] CmHardwareService: add sepolicy
...
Change-Id: I551f61f40225a679593e94dbd47bb2fb0025da7e
2015-03-07 00:53:36 +00:00
dhacker29
c552843f1a
sepolicy: Allow CMUpdater/uncrypt access to recovery_cache_file
...
Change-Id: I514d128160ed4e04564077d7a2e2ad297af92e28
2015-02-21 17:21:47 -05:00
Christopher R. Palmer
da48ab89ac
sepolicy: Allow vold to create tmpfs files for asec containers
...
Change-Id: Ic8f1641928840774204099453b74dc1b52b3c6f8
2015-02-19 10:55:07 -05:00
Brint E. Kriebel
ac15eaedf9
sepolicy: Allow system apps to write cache and media files
...
Updaters need to be able to read and write to these locations.
Change-Id: I928a5f73ec29ab4fecb717072532d449192f3ca9
2015-02-17 17:36:37 -08:00
dhacker29
b4878d4cf1
sepolicy: Fix denials for flash_recovery service
...
Needed when option is checked to update cm recovery
Change-Id: I0b2fbfd7c141ae03ce14b9afeffd3a027d791c80
2015-02-15 15:03:32 -05:00
Ricardo Cerqueira
c75446d072
sepolicy: Split off /cache/recovery's permissions
...
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
2015-02-11 19:44:43 +00:00
Georg Veichtlbauer
2ccd36c73f
sepolicy: allow userinit to set its property
...
Change-Id: I9d8270d889566d169077a1b1fdaee43059d11ee1
2015-02-09 21:03:35 +00:00
Adam Farden
7b865eb046
sepolicy: actually include mediaserver.te
...
Added in patch e9c2de0679 but not included
Change-Id: I2ae901a7c80fceb33dba2ed4122d2aa47bff5a51
2015-02-04 02:55:18 +00:00
Roman Birg
c71cc6c4a8
cm: add torch service sepolicy entry
...
Change-Id: I6e6feae5fe6b4092c137ee2337c4a15b390df45e
Signed-off-by: Roman Birg <roman@cyngn.com>
2015-02-02 21:20:38 +00:00
Steve Kondik
998f53679b
sepolicy: Let drmserver scan themes
...
Change-Id: I7675b302723ef8700067ae9ef237daf6346a6627
2015-01-25 11:02:24 -08:00
Steve Kondik
77cabf5188
sepolicy: Fix policy for keyhandler
...
Change-Id: I2860f469480b082511e30530aed8a9027e9fe4b9
2015-01-25 10:51:23 -08:00
dhacker29
381a6501fa
sepolicy: Allow cmupdater/uncrypt access to media_rw_data_file
...
Change-Id: I800584af2919e3397b19d229fc28ad50cc4b2730
2015-01-24 22:45:15 +00:00
Steve Kondik
c6eb71e57a
cm: sepolicy: Allow use of dexclassloader by systemserver
...
* Needed for custom keyhandler.
Change-Id: Ifa57ad81951f9e1009eb291726cd8dfe36a3482e
2015-01-22 19:57:12 +00:00
Matt Mower
2806bc4f0c
sepolicy: Additional filesystem perms for recovery
...
Change-Id: I66c785de7256ea64302a258af7c33cb717530343
2015-01-16 14:36:24 +00:00
Clark Scheff
e9c2de0679
sepolicy: Apps need to read themed resources
...
Assets such as composed icons and ringtones need to be accessed
by apps. This patch adds the policy needed to facilitate this.
Change-Id: If47920b2cc5dbafe8d71a621782bb4a3351bd68c
2015-01-14 15:55:41 +00:00
Dan Pasanen
afbfad59d6
sepolicy: new label for io scheduler sysfs nodes
...
* needed for io scheduler in performance settings
Change-Id: I818340ed62e3e1dd2674b93340b31723c7a985f4
2015-01-13 22:34:16 +00:00
Ricardo Cerqueira
a7dfa18fd5
sepolicy: Add policies for the new superuser sockets.
...
Change-Id: Ia3e1044616bee95eb4774254fb098487d983b5db
2015-01-04 01:16:25 +00:00
Pawit Pornkitprasan
24a971ad42
cm: sepolicy: fix performance settings
...
Change-Id: Idea17856b4aef9258688a3ad58d0e5cac6d805a6
2015-01-03 07:57:44 +00:00
Ricardo Cerqueira
c738cc26ca
selinux: Allow recovery to do recursive deletes
...
Our partial wipes (preserving media) require that recovery can
rmdir dirs and getattr files
Change-Id: I206f74131f9a37c5887ef30062adeabb58beaa3a
2015-01-03 04:23:08 +00:00
Konsta
444ce4a6b1
cm: Remove KSM permissions
...
CM12 doesn't have a KSM setting in performance settings anymore.
KSM should be configured and enabled on device basis.
Change-Id: I98a0cbe1b01a659eb28bcd459be55d78a88bda86
2015-01-01 00:40:37 +00:00
Matt Mower
038fba3cca
sepolicy: remove stray + in type statement
...
Change-Id: Ic34c9ae32658541064a63153612145c6fd3d55b3
2014-12-22 15:21:57 +00:00
Andy Mast
f274019100
selinux: New rw privileges for themes
...
- New theme_data_file context for files under /data/system/theme
- Permit systemserver to create files/dirs under /data/resource-cache
- Permit systemserver to create files/dirs under /data/system/theme
Change-Id: Id597fc20b477ea395a8631623f26a7edde280799
2014-12-19 10:35:48 -08:00
Dan Pasanen
e33cc1d37d
sepolicy: allow recovery read access to /data/media/ files and dirs
...
Change-Id: I41173d72e86f9cf4d79f7c46166eeb71dc19d2f4
2014-12-14 10:44:53 -06:00
Ricardo Cerqueira
ebc1c942e7
selinux: Downgrade CMFM's domain
...
the filemanager doesn't need to be in platform_app. Put it in untrusted_app,
especially since it's a possible su client
Change-Id: I164853f2c8721d86b5b90677cb33032a3b491ff5
2014-12-13 02:44:52 +00:00
Tom Marshall
d553a9f8b5
cm: sepolicy: Remove vold external sdcard rules, moved to main sepolicy
...
Change-Id: I67756bad2c6e1361ecc0052003f2b4e5e4dbb007
2014-12-13 02:13:52 +00:00
Andy Mast
03555ad053
Sepolicy: Add theme service as system service
...
Change-Id: Idfb690be5d35c03610165b914c0a3f2260e68956
2014-12-12 01:00:34 +00:00
Roman Birg
20114d672c
cm: add sepolicy entry for lockscreen wallpaper
...
Change-Id: Ie779392ab8118d192873a01ec5c7de3e5938ed17
Signed-off-by: Roman Birg <roman@cyngn.com>
2014-12-11 18:17:04 +00:00
Ricardo Cerqueira
4df29e013d
selinux: Workaround for devices with PR_SET_NO_NEW_PRIVS enforcement
...
PR_SET_NO_NEW_PRIVS blocks domain transitions from within app_process,
unless the new domain is bounded by the app's context. So we can't
switch to a domain that has perms not available to untrusted_app :(
This means any app can talk to the daemon, bypassing the su executable
client. That's not a good thing, and needs to be resolved.
Change-Id: I85b74f90b8737caaa193a0555b5262e7392519b2
2014-12-10 20:38:34 +00:00
Ricardo Cerqueira
7cd698341f
Revert "SELinux: su: update policies"
...
This reverts commit 04fd9192b0.
Change-Id: I69e51fb6c151a48972cf81947c1c59c6f26f60e9
2014-12-10 17:19:14 +00:00
Steve Kondik
06ec5853f3
sepolicy: More rules for recovery
...
Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e
2014-12-09 22:20:14 +00:00
Pawit Pornkitprasan
04fd9192b0
SELinux: su: update policies
...
- Integrate policies from domain.te (fixes ES File Manager which uses unix socket)
- Allow platform_app to use su (fixes CM File Manager)
Change-Id: I39dd55e63b44590575bbe6d889c8d77141ba8545
2014-12-08 05:43:14 +00:00
Diogo Ferreira
5c9f9efba6
sepolicy: Fix permissions for service.adb.tcp.port
...
This makes the rule more specific by overriding the upstream sepolicy.
Also adds the adbd context which is necessary for "adb tcpip".
Change-Id: Ia17eb56fc1682ab248764329e88eebd2a4075c97
2014-12-01 20:36:13 +00:00
Pawit Pornkitprasan
e815923b0d
vendor: add policies for netd
...
Required due to CAF's abc9c0f4fe574ee9847f118e5d2ae8c530bac650 in
system/netd
Fixes showing how many devices are connected to the tethered hotspot
Change-Id: I1d83f7ac0b28efa6973e0baf429de2a398c471e3
2014-11-29 23:33:52 -08:00
Chirayu Desai
9e0dba30b7
SELinux: su: Remove extra quote in a comment
...
* Fixes
vendor/cm/sepolicy/su.te:46:WARNING 'unrecognized character' at token '''
Change-Id: I3957ba7ac05062766cbf6c8f3c3975f20c95532e
2014-11-30 03:05:41 +00:00
Ricardo Cerqueira
e4016afa72
Allow SystemServer to set service.adb.tcp.* properties
...
Required for network adb enable/disable to function
Change-Id: I3e2aacb6b8e9b107dcd229187a5dd76128e20001
2014-11-29 09:01:56 -08:00
Tom Marshall
39a4244c77
cm: sepolicy: Add contexts for cm recovery
...
* Allow setup of secure adb (setup_adbd)
* minivold in recovery
Change-Id: Id1243154f4016b59e54890404cadea46a2aad212
2014-11-27 23:05:26 +00:00
Ricardo Cerqueira
d22efb80e1
selinux: Fix healthd's access to /dev nodes
...
Our healthd's support for power-on alarms adds some steps that imply
reading files its user doesn't own. Let it.
Change-Id: I3d4735aaab8fbec7acc460f812bc21f1dfa516ab
2014-11-27 22:57:21 +00:00
Ricardo Cerqueira
fa63e50707
selinux: Add a rule to label the extended keyhandler dex files
...
These should be treated as regular dex cache files, but they're
expanded outside of the normal cache dir
Change-Id: Id046e1b90116b35d2e7817ed4717fcef78135f08
2014-11-27 18:26:39 +00:00
Ricardo Cerqueira
09159ac7ce
Add selinux policies for superuser
...
Change-Id: I878eaa9d25feaedf46e89083f91d6a21f4aff37a
2014-11-27 01:45:53 +00:00
myfluxi
12daaee8a5
vendor: Update SELinux policy for sysinit
...
Change-Id: I41d4c25d9d6246cd2ca0a8ff3b5a4e114e3bc4d4
2014-11-24 15:37:52 +01:00
Kyrylo Mikos
319b556868
[1/2] SEPolicy: Add Edgegesture service.
...
Change-Id: Id9fc2d68b954e1cd6792739309a0df40e2dc998c
2014-11-19 10:04:18 +02:00
Ricardo Cerqueira
15df17f9ac
selinux: Add rules for the audit daemon
...
Change-Id: I050a9ef39d58d2592d880d225d45eb64d8a40b7b
2014-11-09 17:20:54 +00:00
Ricardo Cerqueira
49a30e7d17
Updates for CM12
2014-11-06 14:54:32 +00:00
Steve Kondik
3325783298
sepolicy: Allow relabeling after wallpaper change
...
Change-Id: I89220fae961f483dad8b92faaee9ed8fe6c8a7cf
2014-05-18 18:16:12 -07:00
Steve Kondik
fdf1aff5ad
cm: policy for ipv6 tethering
...
* Enable use of radish via netd for ipv6 tethering
Change-Id: Ifa0e85686fc70f59c089ca40a78cea9935820185
2014-05-11 03:49:18 -07:00
Steve Kondik
d3827c4f41
cm: sepolicy: Allow ueventd to load WiFi and audio firmware
...
* Every device which uses Prima or WCD will hit this, so just allow it.
Change-Id: Ie2303ad7fc3498276d41e567a738cd016f635453
2014-04-05 14:56:09 -07:00
Steve Kondik
002b4f0a4f
cm: sepolicy: Allow ueventd to properly handle cpufreq changes
...
* We need to allow relabeling since these files can pop in and out if
the governor is changed.
Change-Id: Id75099290e24dac9962d4fed8148ec2df9e256b2
2014-04-05 14:05:13 -07:00
Pawit Pornkitprasan
54c91b849c
sepolicy: allow vold to mount fuse-based sdcard
...
exfat and NTFS-3g require access to /dev/fuse
Change-Id: I35b13ada586c8de3fbe04156c2d10bf5e3c07b3a
2013-12-10 17:10:50 +07:00
Pawit Pornkitprasan
9a19f575a4
sepolicy: allow vold to mount ext4 sdcard
...
When vold mounts an ext4 sdcard, it needs to force the context to
sdcard_external.
avc: denied { relabelfrom } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem
avc: denied { relabelto } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
avc: denied { relabelfrom } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
Change-Id: I80f42fbdf738dee10958ce1bdc1893a41234f0d9
2013-11-15 10:02:25 +07:00
Pawit Pornkitprasan
ef907713b7
sepolicy: allow vold to create files on external sdcard
...
This is required for ASEC support. Vold can already create and
access directories, but does not yet have the permission for files.
Change-Id: I5082bbff692e5dc53c7000e4b3a293e42d33f901
2013-11-14 10:48:08 +07:00
Pawit Pornkitprasan
1b6aa84f9d
sepolicy: allow installd to query ASEC size
...
installd needs to query ASEC size on sdcard_external
to show on the Settings -> Apps page correctly.
Change-Id: I2d9a49b8f0652f05d73d0ff464a3835595e2cc3c
2013-11-13 22:35:17 +07:00
Pawit Pornkitprasan
a30ec115e3
sepolicy: treat fuseblk as sdcard_external
...
Allow fuse-mounted NTFS/exFAT file systems to be written to
Change-Id: I1492914dd269a305e27aba58e61064d853adf2bc
2013-11-13 09:37:42 +07:00
Ricardo Cerqueira
98c81ead7a
selinux: Fix asec mounting
...
Change-Id: I92392f3d810dfaf8dfc35f5c9170178a651d28dc
2013-11-12 21:05:31 +00:00
dhacker29
26a925919b
sepolicy: f2fs: Allow fs_use_xattr
...
Change-Id: I458d464598777fa06751dad0aa9cfd4d903a4de1
2013-11-10 15:01:44 -06:00
Ricardo Cerqueira
e58e23e131
selinux: Add missing seapp_contexts file
...
Change-Id: I6bda9e4876b9053ea16fe3c11c21b9c1e7acb17a
2013-11-06 11:39:24 +00:00
Ricardo Cerqueira
ac8d09538e
selinux: Add CM-specific file_contexts
...
Change-Id: Ie70c59acedbb7be2f5b34a83c1d3d011f440ba05
2013-11-06 03:00:16 +00:00
Ricardo Cerqueira
8521d46944
selinux: CM policies are now inserted last
...
Inclusion of the makefile is done by the build system to enforce
the wanted order
Change-Id: I86d7c6fb08b6bb1f6e0385e951a54827345aaf84
2013-11-05 22:19:33 +00:00
William Roberts
9642d1dd8b
sepolicy: Start CM Common sepolicy
...
Rather than having to maintain out of tree changes, it is often
easier to maintain a hierarchy of changes, starting with the vendors
common config file. From there, inheriting products can pick up a base
and start to add or remove certain bits from it, making use of the
BOARD_SEPOLICY_* functions documented in external/sepolicy/README.
Change-Id: I28a4aaf6c126535f0a88001582641b234a750015
2013-08-17 22:27:45 +01:00