ADHOC
/
replicant-vendor_replicant
3
0
Fork 0
Code Issues 6 Pull Requests Releases Activity
2,450 Commits 2 Branches 0 Tags 430 MiB
Commit Graph

94 Commits

Author SHA1 Message Date
Keith Mok 6bc84be525 sepolicy: Add permission for formatting user/cache partition 
If the "formattable" fstab flag is set, init will tries
to format that partition, added the required policy to allow it.

Change-Id: I858b06aa3ff3ce775cf7676b09b9960f2558f7f6
 2015-12-16 10:41:51 -08:00
Keith Mok fcfc13ac6f sepolicy: Add domain for mkfs binaries 
The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.

Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
 2015-12-16 10:40:28 -08:00
Steve Kondik e01646719a sepolicy: Allow adb pull of executables without root 
* Because we aren't actually jerks, contrary to popular belief.

Change-Id: Ie39cce65ecc6a2861547865ff554b108b8b534fa
 2015-11-29 05:28:14 -08:00
Diogo Ferreira 140305db6d sepolicy: qcom: Allow reading PSU sysfs by system_server 
BatteryService queries the usb state to check whether the usb type
is HVDCP. This patch adds a rule to allow that.

For more context check BatteryService#Led#isHvdcpPresent.

Change-Id: Ifacf13dde4b1df81c92bf5d92196e504e61dd402
 2015-11-27 05:25:43 -08:00
Steve Kondik aeec0ac261 sepolicy: Allow recovery to create links in the rootfs 
* Needed to support vold and other new code.

Change-Id: I25a0b1cc6461eced7112dd4b3974a71423f7957b
 2015-11-26 02:19:44 -08:00
Steve Kondik 48149d05a1 sepolicy: Rule for CM's perfd extension 
Manual apply and refactor of cm-12.1 patch:
e04329df88211264e7a9c8f1d6b87a16d8d5639b

Use the unix_socket_connect macro and switch to the new
perfd domain.

Change-Id: Ibb83220b32bad7805653140751c978e629f87ffb
 2015-11-23 15:11:18 -08:00
codeworkx 01490eface sepolicy: fix denial for sudaemon 
fixes root access for apps

Change-Id: Iff443bf4cbea817917da72bbfc58f9fe42acceb5
 2015-11-22 09:57:08 -08:00
Dan Pasanen a90b69e921 sepolicy: add persist_block_device type 
* This is likely defined in several device trees, but not all
  remove it from your device trees if we're going to write rules
  for it here.

Change-Id: I1dda04647d36db52525a3d57b485860dfe3eeb30
 2015-11-17 08:38:43 -08:00
Steve Kondik 2c3b5d353e sepolicy: Remove some denials 
* Allow apps to run the "df" command to look at disk usage.
 * Allow thermal engine to check/set battery limits.

Change-Id: I67c863a82a94007e7a5e8ccfde9c095b7277ab84
 2015-11-16 19:46:00 -08:00
Steve Kondik 7d3eca93f4 sepolicy: Add policy for thermal engine changes 
* Cyngn devices will need this.

Change-Id: I1e7528e92d0d4ed8c4029667d7ef3cf9081a6575
 2015-11-14 23:58:46 +01:00
myfluxi 98df019cb4 sepolicy: qcom: Remove duplicate entry 
We have this in qcom/sepolicy/common already.

Change-Id: Ibe6ada531f77d3ec00ff61081d21b3d36a1fe7a7
 2015-11-10 17:28:12 +01:00
myfluxi 8501771607 sepolicy: Make superuser_device and sudaemon mlstrustedobjects 
Address:
avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0
tclass=sock_file permissive=0

avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon"
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0
tclass=unix_stream_socket permissive=0

And thus fix su.

Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
 2015-11-05 23:53:50 +01:00
Steve Kondik aeea5ad7a3 perf: Moving PerformanceManager to CMSDK 
* Devices will need to update their configurations!

Change-Id: I22cf4ec96656b98f515cf28fef95443cf6adb397
 2015-11-03 18:55:49 -08:00
Steve Kondik 714a761061 cm: Remove duplicate SEPolicy items 
* These are handled by the master SEPolicy now due to neverallow
   exceptions which occur on non-production builds.

Change-Id: Id50d9e41e1c8b0b1f26df7921def9e7a201f49d9
 2015-10-31 02:08:33 -07:00
Dan Pasanen 9ca9d95a76 sepolicy: remove sudaemon type declaration 
* this is already defined in external/sepolicy

Change-Id: I541b5de5bb6057f4fa3d88b6e9b9425b65f9963e
 2015-10-17 09:22:14 -05:00
Adnan Begovic c3d3969971 vendor/cm: Fix up service contexts for sepolicy. 
Change-Id: Ibb04e967bd027c6d1118b8b471ec328c3b034d9d
 2015-10-16 13:20:33 -07:00
Dan Pasanen 6ac91cb6d3 sepolicy: remove BOARD_SEPOLICY_UNION 
* this is a no-op now

Change-Id: I3703a9670285017ce7aec9ac20c63a6f733b8ffa
 2015-10-07 12:49:00 -07:00
Ricardo Cerqueira b026605629 sepolicy: Underp the context for persistent storage 
The dir's context need love, too

TICKET: CYNGNOS-1185
Change-Id: I659b3ba06079825fe850cf66858a9d98b5f61c46
 2015-10-05 13:18:31 -07:00
Ed Falk 95682234f1 sepolicy: allow vold to trim persist 
Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090
Issue-id: SYSTEMS-62
 2015-09-30 14:04:23 -07:00
myfluxi 688479223e sepolicy: Allow system app to set boot anim property 
Addresses denials observerd when using QuickBoot:

<4>[  224.756971] avc:  denied  { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
<3>[  224.757094] init: sys_prop: Unable to start service ctl [bootanim] uid:1000 gid:1000 pid:6039
<4>[  226.306456] avc:  denied  { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service

Change-Id: I338a0a1d5fa12c10e413769ea9638c10ed137000
 2015-09-21 18:16:18 -07:00
Steve Kondik e2f23f0e91 cm: Fix a few denials 
* Missed a few things when cleaning up devices.

Change-Id: Ib71afd696a564aeeaa80c34ca9744a39891f4b63
 2015-09-19 22:49:20 -07:00
Steve Kondik b5c2cf0408 cm: sepolicy: Create central place for QC-specific policy 
* We have a number of policy items due to changes in our BSPs or for
   other things which interact with the QC sepolicy. Add a place
   for us to store this stuff so we don't need to copy it around to
   every device.

Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
 2015-09-15 15:31:38 -07:00
Steve Kondik b5dbbdf9cb cm: sepolicy: Create standard policy for LiveDisplay 
Change-Id: Icb0047f261861c8fae99ffa4e9053de8d3aa8c73
 2015-09-15 15:31:19 -07:00
herriojr c6d40c01f7 Enable The AppSuggestService 
We need to enable our custom AppSuggestService in order to show
possible suggestions.

Change-Id: I9489723dfec315c7ff4ab414ebe88c3880876bd3
 2015-09-14 10:25:22 -07:00
Adnan Begovic c37c2313cf vendor/cm: cmsettings -> cmpartnerinterface 
Change-Id: I9d9b30da37f243f77647c6d41cf0e0159968b8e2
 2015-09-09 17:51:27 -07:00
Steve Kondik a385501738 cm: SELinux policy for persistent properties API 
* Set up persistent properties for devices with a /persist partition.

Change-Id: I78974dd4e25831338462c91fc25e36e343795510
 2015-09-09 11:53:23 -07:00
Steve Kondik 587a3cff83 cm: Moving CMHW to CMSDK 
Change-Id: I4dae95dbe68c472ba3703fea588b542758ec8036
 2015-08-19 05:30:59 -07:00
Joao Figueiredo d0f6b187ae cmsdk: Dual SIM support on CM SDK 
Change-Id: I209245e1a3165f329ed8a17a942340d96783ca13
 2015-08-07 01:32:30 +01:00
Matt Garnes 874defe2bc Add SettingsManagerService from cmsdk as a system service. 
Change-Id: I0909a5fd49e8e042293719de93ebc8fbaaa1a196
 2015-08-06 16:18:06 -07:00
Steve Kondik 74891faea9 sepolicy: Allow recovery to set system properties 
* This is used by extremely critical things.

Change-Id: Ie529851469408adac1e081fe4f6dc5daa9002933
 2015-08-05 17:54:33 -07:00
Brandon McAnsh f208523054 sepolicy: system_app: Remove performace setting related entries 
* Performance Settings has been removed/refactored so these are no longer neccessary.

Change-Id: I5933700815d0037735fc48f8640b37d1f350ea91
Signed-off-by: Brandon McAnsh <brandon.mcansh@gmail.com>
 2015-07-14 13:17:01 -07:00
Adnan Begovic 4c4e428da8 vendor/cm: overlay start for ProfileService in external framework. 
Change-Id: Ib1f8c6d00c2a66cfd8dac2b73ccd1bd053a3a497
 2015-06-29 14:39:24 -07:00
Adnan Begovic b53c503fee Build CM Platform Library 
Change-Id: If62e6b1d2ac41730ff2a8d562173abd2cb768f93

Add cmstatusbar service to system server services context

Change-Id: I77c5de75722cc5f36a5326e3da57ab661b89d189

Build Platform resource package.

Change-Id: Id60f66b6db23989db1472a19bcb079b0083f7393

vendor/cm: Lock cm platform library/cmsdk to non-release builds.

Change-Id: I01c1c3fe559d438e28339ce426d7ba7e42724002
 2015-05-12 17:45:07 -07:00
Roman Birg 785c50ad3f vendor: add sepolicy entry for killswitch service 
Change-Id: Ib3c44c50138f5715d92addbf8df7ed591785b550
Signed-off-by: Roman Birg <roman@cyngn.com>
(cherry picked from commit 2ca5d3999b35d328f0969a264009bffe0faf889d)
 2015-04-20 18:46:23 +00:00
Emerson Pinter dc699fb190 sepolicy: Permissions for userinit 
Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
 2015-03-17 12:12:59 +00:00
Tom Marshall b4bf950060 sepolicy: recovery: Allow data file write 
Needed to preserve /data/.layout_version (aka nesting bug fix).

Change-Id: Iaae982223e80ad10479cf1ca3db09da7ada5663e
 2015-03-10 03:36:03 +00:00
Scott Mertz 69c2e7f721 [3/3] CmHardwareService: add sepolicy 
Change-Id: I551f61f40225a679593e94dbd47bb2fb0025da7e
 2015-03-07 00:53:36 +00:00
dhacker29 c552843f1a sepolicy: Allow CMUpdater/uncrypt access to recovery_cache_file 
Change-Id: I514d128160ed4e04564077d7a2e2ad297af92e28
 2015-02-21 17:21:47 -05:00
Christopher R. Palmer da48ab89ac sepolicy: Allow vold to create tmpfs files for asec containers 
Change-Id: Ic8f1641928840774204099453b74dc1b52b3c6f8
 2015-02-19 10:55:07 -05:00
Brint E. Kriebel ac15eaedf9 sepolicy: Allow system apps to write cache and media files 
Updaters need to be able to read and write to these locations.

Change-Id: I928a5f73ec29ab4fecb717072532d449192f3ca9
 2015-02-17 17:36:37 -08:00
dhacker29 b4878d4cf1 sepolicy: Fix denails for flash_recovery service 
Needed when option is checked to update cm recovery

Change-Id: I0b2fbfd7c141ae03ce14b9afeffd3a027d791c80
 2015-02-15 15:03:32 -05:00
Ricardo Cerqueira c75446d072 sepolicy: Split off /cache/recovery's permissions 
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients

Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
 2015-02-11 19:44:43 +00:00
Georg Veichtlbauer 2ccd36c73f sepolicy: allow userinit to set its property 
Change-Id: I9d8270d889566d169077a1b1fdaee43059d11ee1
 2015-02-09 21:03:35 +00:00
Adam Farden 7b865eb046 sepolicy: actually include mediaserver.te 
Added in patch e9c2de0679 but not included

Change-Id: I2ae901a7c80fceb33dba2ed4122d2aa47bff5a51
 2015-02-04 02:55:18 +00:00
Roman Birg c71cc6c4a8 cm: add torch service sepolicy entry 
Change-Id: I6e6feae5fe6b4092c137ee2337c4a15b390df45e
Signed-off-by: Roman Birg <roman@cyngn.com>
 2015-02-02 21:20:38 +00:00
Steve Kondik 998f53679b sepolicy: Let drmserver scan themes 
Change-Id: I7675b302723ef8700067ae9ef237daf6346a6627
 2015-01-25 11:02:24 -08:00
Steve Kondik 77cabf5188 sepolicy: Fix policy for keyhandler 
Change-Id: I2860f469480b082511e30530aed8a9027e9fe4b9
 2015-01-25 10:51:23 -08:00
dhacker29 381a6501fa sepolicy: Allow cmupdater/uncrypt access to media_rw_data_file 
Change-Id: I800584af2919e3397b19d229fc28ad50cc4b2730
 2015-01-24 22:45:15 +00:00
Steve Kondik c6eb71e57a cm: sepolicy: Allow use of dexclassloader by systemserver 
* Needed for custom keyhandler.

Change-Id: Ifa57ad81951f9e1009eb291726cd8dfe36a3482e
 2015-01-22 19:57:12 +00:00
Matt Mower 2806bc4f0c sepolicy: Additional filesystem perms for recovery 
Change-Id: I66c785de7256ea64302a258af7c33cb717530343
 2015-01-16 14:36:24 +00:00