Wolfgang Wiedmeyer
be9e1314a1
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0
2016-03-18 10:59:16 +01:00
codeworkx
b7c8dec762
cm: sepolicy: allow platform apps to crop user images
...
Needed for gallery3d when setting contact pics
avc: denied { write } for comm=4173796E635461736B202334
path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p50" ino=65849
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file
permissive=0
03-05 13:07:40.741 22060-22207/com.android.gallery3d W/System.err﹕ java.io.IOException: write
failed: EACCES (Permission denied)
Change-Id: Iaa7f75abfd41c86e1a321d5f35b950f9dc7eb930
2016-03-16 15:48:15 -07:00
d34d
e7036e8387
Themes: Refactor themes to CMSDK [3/6]
...
Change-Id: Ia8f3a5080f2ca2cecc3474058db4970c5661c89c
TICKET: CYNGNOS-2126
2016-03-01 09:57:15 -08:00
AdrianDC
36cb29d509
recovery: Add new rule for sys.usb.ffs.ready
...
init: avc: denied { set } for property=sys.usb.ffs.ready
scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0
tclass=property_service
Change-Id: Id3441ccc3c6a8915a5fdf50efd8c617d1242868a
2016-02-23 16:28:56 -08:00
FrozenCow
ec0322e31b
cm: sepolicy: allow kernel to read storage
...
This fixes issues where the kernel would need to read and write
files from internal or external storage. More specifically, the
kernel needs these rules for USB mass storage to work correctly.
Change-Id: I8cb0307727bc0c464d5470e55275ad808e748ee0
2016-02-20 14:26:41 -08:00
Wolfgang Wiedmeyer
9c205f0603
sepolicy: remove mac_permissions for proprietary google apps and cmupdater
...
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
2016-02-17 01:16:14 +01:00
Wolfgang Wiedmeyer
cd25e76555
sepolicy: allow bootanim and surfaceflinger execmem and access to ashmem
...
This allows the device to boot with software rendering
using build/target/board/generic/sepolicy as reference
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
2016-02-16 17:32:25 +01:00
Pat Erley
18037e7462
sepolicy: Allow system server and uncrypt access pipe
...
System server needs to be able to create a pipe in the cache partition
for uncrypting OTAs. Uncrypt needs to be able to read and write the
pipe.
Change-Id: Ie03ee7d637eaecff8fe38bf03dc733b3915cd336
2016-02-16 14:49:04 +01:00
Pat Erley
15697319ca
sepolicy: Allow system server and uncrypt access pipe
...
System server needs to be able to create a pipe in the cache partition
for uncrypting OTAs. Uncrypt needs to be able to read and write the
pipe.
Change-Id: Ie03ee7d637eaecff8fe38bf03dc733b3915cd336
2016-02-09 13:24:46 -08:00
Wolfgang Wiedmeyer
5b2d5516ff
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0
...
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Conflicts:
overlay/common/frameworks/base/core/res/res/drawable-nodpi/default_wallpaper.jpg
overlay/common/frameworks/base/core/res/res/drawable-sw600dp-nodpi/default_wallpaper.jpg
overlay/common/frameworks/base/core/res/res/drawable-sw720dp-nodpi/default_wallpaper.jpg
overlay/common/frameworks/base/core/res/res/drawable-xhdpi/default_wallpaper.jpg
2016-02-03 12:23:07 +01:00
Pat Erley
db4fb0ee6b
recovery: Add new rules for recursive wipe
...
We now use a temporary context when mounting /data, so add permissions
to do that, and add permissions necessary to do the recursive wipe.
Change-Id: Ic925c70f1cf01c8b19a6ac48a9468d6eb9205321
2016-01-28 15:20:51 -08:00
Jani Lusikka
8c780755f2
Grant platform apps access to /mnt/media_rw with sdcard_posix label
...
Also allow apps to read the contents of mounted OBBs.
See AOSP Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
and Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
Change-Id: I757a2a8831c69d41c0496025a39eaf79ceb0e65f
2016-01-24 14:39:42 -08:00
Wolfgang Wiedmeyer
cd55ab2858
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0-toolchain
2016-01-14 15:27:42 +01:00
myfluxi
e8df21c962
sepolicy: Add perfprofd with set_prop macro
...
Addresses:
avc: denied { write }
for pid=293 comm="perfprofd" name="property_service" dev="tmpfs" ino=9229 scontext=u:r:perfprofd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
Change-Id: I5a88722eda4d0751fd9a081c434d385ac1c785ef
2016-01-12 17:21:32 -08:00
Wolfgang Wiedmeyer
a746591c4e
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0
2016-01-02 14:12:03 +01:00
Matt Mower
511152cd2c
sepolicy: Allow minivold execute_no_trans
...
After assimilating minivold into /sbin/recovery, we need to allow the
minivold service (a symlink to the recovery binary) to transition from
the recovery to the vold domain.
Change-Id: I112e6d371a8da8fc55a06967852c869105190616
2016-01-02 02:07:18 -08:00
codeworkx
14e765cd71
cm: sepolicy: fix denials for external storage
...
Change-Id: I784a859671c69370cab0118a88a5fb0190352af9
2016-01-01 17:30:27 +01:00
Wolfgang Wiedmeyer
c4a6948aca
Merge remote-tracking branch 'cyanogenmod/cm-13.0' into replicant-6.0
2015-12-29 23:09:22 +01:00
codeworkx
053b1805da
sepolicy: label exfat and ntfs mkfs executables
...
Change-Id: Ic5e32818bc54993f4e8c2377cbec64f9444f6d8a
2015-12-29 21:51:32 +01:00
Wolfgang Wiedmeyer
e616dce0a7
Merge remote-tracking branch 'cyanogenmod/cm-13.0' into replicant-6.0
2015-12-21 14:07:49 +01:00
dhacker29
076a1ea54a
sepolicy: Set the context for fsck.exfat/ntfs to fsck_exec
...
This matches the policy for fsck.f2fs, although it still needs to run
as fsck_untrusted for public volumes
Change-Id: Ia04e7f8902e53a9926a87f0c99e603611cc39c5d
2015-12-17 15:43:00 -08:00
Wolfgang Wiedmeyer
f55a720155
Merge remote-tracking branch 'cyanogenmod/cm-13.0' into replicant-6.0
...
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Conflicts:
config/common.mk
2015-12-17 21:10:59 +01:00
Wolfgang Wiedmeyer
71a01dce17
Merge remote-tracking branch 'github/cm-13.0' into replicant-6.0
...
remove prebuilt terminal (built-in terminal app can be activated in dev settings)
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Conflicts:
CHANGELOG.mkdn
CONTRIBUTORS.mkdn
config/cdma.mk
config/cm_audio.mk
config/common.mk
config/common_full.mk
config/common_full_phone.mk
config/gsm.mk
config/themes_common.mk
get-prebuilts
overlay/common/frameworks/base/core/res/res/drawable-nodpi/default_wallpaper.jpg
overlay/common/frameworks/base/core/res/res/drawable-sw600dp-nodpi/default_wallpaper.jpg
overlay/common/frameworks/base/core/res/res/drawable-sw720dp-nodpi/default_wallpaper.jpg
overlay/common/frameworks/base/core/res/res/drawable-xhdpi/default_wallpaper.jpg
overlay/common/frameworks/base/core/res/res/values/config.xml
overlay/common/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
prebuilt/common/bootanimation/1080.zip
prebuilt/common/bootanimation/1200.zip
prebuilt/common/bootanimation/240.zip
prebuilt/common/bootanimation/320.zip
prebuilt/common/bootanimation/360.zip
prebuilt/common/bootanimation/480.zip
prebuilt/common/bootanimation/540.zip
prebuilt/common/bootanimation/600.zip
prebuilt/common/bootanimation/720.zip
prebuilt/common/bootanimation/768.zip
prebuilt/common/bootanimation/800.zip
prebuilt/common/etc/apns-conf.xml
sepolicy/mac_permissions.xml
sepolicy/sepolicy.mk
vendorsetup.sh
Change-Id: I4fc2a5b00721cae8b3a36f33c36f006142bad44f
2015-12-17 18:24:03 +01:00
Ethan Chen
909343f3df
SELinux: Use custom ADB over network property
...
* Use a custom system property to trigger the real one, so we avoid
running afoul of any SELinux CTS requirements.
Change-Id: If5e7a275f492631a673284408f1e430a12358380
2015-12-16 11:01:50 -08:00
Keith Mok
6bc84be525
sepolicy: Add permission for formatting user/cache partition
...
If the "formattable" fstab flag is set, init will try
to format that partition. Added the required policy to allow it.
Change-Id: I858b06aa3ff3ce775cf7676b09b9960f2558f7f6
2015-12-16 10:41:51 -08:00
Keith Mok
fcfc13ac6f
sepolicy: Add domain for mkfs binaries
...
The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.
Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
2015-12-16 10:40:28 -08:00
Steve Kondik
e01646719a
sepolicy: Allow adb pull of executables without root
...
* Because we aren't actually jerks, contrary to popular belief.
Change-Id: Ie39cce65ecc6a2861547865ff554b108b8b534fa
2015-11-29 05:28:14 -08:00
Diogo Ferreira
140305db6d
sepolicy: qcom: Allow reading PSU sysfs by system_server
...
BatteryService queries the usb state to check whether the usb type
is HVDCP. This patch adds a rule to allow that.
For more context check BatteryService#Led#isHvdcpPresent.
Change-Id: Ifacf13dde4b1df81c92bf5d92196e504e61dd402
2015-11-27 05:25:43 -08:00
Steve Kondik
aeec0ac261
sepolicy: Allow recovery to create links in the rootfs
...
* Needed to support vold and other new code.
Change-Id: I25a0b1cc6461eced7112dd4b3974a71423f7957b
2015-11-26 02:19:44 -08:00
Steve Kondik
48149d05a1
sepolicy: Rule for CM's perfd extension
...
Manual apply and refactor of cm-12.1 patch:
e04329df88211264e7a9c8f1d6b87a16d8d5639b
Use the unix_socket_connect macro and switch to the new
perfd domain.
Change-Id: Ibb83220b32bad7805653140751c978e629f87ffb
2015-11-23 15:11:18 -08:00
codeworkx
01490eface
sepolicy: fix denial for sudaemon
...
fixes root access for apps
Change-Id: Iff443bf4cbea817917da72bbfc58f9fe42acceb5
2015-11-22 09:57:08 -08:00
Dan Pasanen
a90b69e921
sepolicy: add persist_block_device type
...
* This is likely defined in several device trees, but not all
remove it from your device trees if we're going to write rules
for it here.
Change-Id: I1dda04647d36db52525a3d57b485860dfe3eeb30
2015-11-17 08:38:43 -08:00
Steve Kondik
2c3b5d353e
sepolicy: Remove some denials
...
* Allow apps to run the "df" command to look at disk usage.
* Allow thermal engine to check/set battery limits.
Change-Id: I67c863a82a94007e7a5e8ccfde9c095b7277ab84
2015-11-16 19:46:00 -08:00
Steve Kondik
7d3eca93f4
sepolicy: Add policy for thermal engine changes
...
* Cyngn devices will need this.
Change-Id: I1e7528e92d0d4ed8c4029667d7ef3cf9081a6575
2015-11-14 23:58:46 +01:00
myfluxi
98df019cb4
sepolicy: qcom: Remove duplicate entry
...
We have this in qcom/sepolicy/common already.
Change-Id: Ibe6ada531f77d3ec00ff61081d21b3d36a1fe7a7
2015-11-10 17:28:12 +01:00
myfluxi
8501771607
sepolicy: Make superuser_device and sudaemon mlstrustedobjects
...
Address:
avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0
tclass=sock_file permissive=0
avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon"
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0
tclass=unix_stream_socket permissive=0
And thus fix su.
Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
2015-11-05 23:53:50 +01:00
Steve Kondik
aeea5ad7a3
perf: Moving PerformanceManager to CMSDK
...
* Devices will need to update their configurations!
Change-Id: I22cf4ec96656b98f515cf28fef95443cf6adb397
2015-11-03 18:55:49 -08:00
Steve Kondik
714a761061
cm: Remove duplicate SEPolicy items
...
* These are handled by the master SEPolicy now due to neverallow
exceptions which occur on non-production builds.
Change-Id: Id50d9e41e1c8b0b1f26df7921def9e7a201f49d9
2015-10-31 02:08:33 -07:00
Dan Pasanen
9ca9d95a76
sepolicy: remove sudaemon type declaration
...
* this is already defined in external/sepolicy
Change-Id: I541b5de5bb6057f4fa3d88b6e9b9425b65f9963e
2015-10-17 09:22:14 -05:00
Adnan Begovic
c3d3969971
vendor/cm: Fix up service contexts for sepolicy.
...
Change-Id: Ibb04e967bd027c6d1118b8b471ec328c3b034d9d
2015-10-16 13:20:33 -07:00
Dan Pasanen
6ac91cb6d3
sepolicy: remove BOARD_SEPOLICY_UNION
...
* this is a no-op now
Change-Id: I3703a9670285017ce7aec9ac20c63a6f733b8ffa
2015-10-07 12:49:00 -07:00
Ricardo Cerqueira
b026605629
sepolicy: Underp the context for persistent storage
...
The dir's context needs love, too
TICKET: CYNGNOS-1185
Change-Id: I659b3ba06079825fe850cf66858a9d98b5f61c46
2015-10-05 13:18:31 -07:00
Ed Falk
95682234f1
sepolicy: allow vold to trim persist
...
Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090
Issue-id: SYSTEMS-62
2015-09-30 14:04:23 -07:00
myfluxi
688479223e
sepolicy: Allow system app to set boot anim property
...
Addresses denials observed when using QuickBoot:
<4>[ 224.756971] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
<3>[ 224.757094] init: sys_prop: Unable to start service ctl [bootanim] uid:1000 gid:1000 pid:6039
<4>[ 226.306456] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
Change-Id: I338a0a1d5fa12c10e413769ea9638c10ed137000
2015-09-21 18:16:18 -07:00
Steve Kondik
e2f23f0e91
cm: Fix a few denials
...
* Missed a few things when cleaning up devices.
Change-Id: Ib71afd696a564aeeaa80c34ca9744a39891f4b63
2015-09-19 22:49:20 -07:00
Steve Kondik
b5c2cf0408
cm: sepolicy: Create central place for QC-specific policy
...
* We have a number of policy items due to changes in our BSPs or for
other things which interact with the QC sepolicy. Add a place
for us to store this stuff so we don't need to copy it around to
every device.
Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
2015-09-15 15:31:38 -07:00
Steve Kondik
b5dbbdf9cb
cm: sepolicy: Create standard policy for LiveDisplay
...
Change-Id: Icb0047f261861c8fae99ffa4e9053de8d3aa8c73
2015-09-15 15:31:19 -07:00
herriojr
c6d40c01f7
Enable The AppSuggestService
...
We need to enable our custom AppSuggestService in order to show
possible suggestions.
Change-Id: I9489723dfec315c7ff4ab414ebe88c3880876bd3
2015-09-14 10:25:22 -07:00
Adnan Begovic
c37c2313cf
vendor/cm: cmsettings -> cmpartnerinterface
...
Change-Id: I9d9b30da37f243f77647c6d41cf0e0159968b8e2
2015-09-09 17:51:27 -07:00
Steve Kondik
a385501738
cm: SELinux policy for persistent properties API
...
* Set up persistent properties for devices with a /persist partition.
Change-Id: I78974dd4e25831338462c91fc25e36e343795510
2015-09-09 11:53:23 -07:00