Commit Graph

120 Commits

Author SHA1 Message Date
Wolfgang Wiedmeyer
be9e1314a1
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0 2016-03-18 10:59:16 +01:00
codeworkx
b7c8dec762 cm: sepolicy: allow platform apps to crop user images
Needed for gallery3d when setting contact pics

avc: denied { write } for comm=4173796E635461736B202334
path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p50" ino=65849
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file
permissive=0

03-05 13:07:40.741  22060-22207/com.android.gallery3d W/System.err﹕ java.io.IOException: write
failed: EACCES (Permission denied)

Change-Id: Iaa7f75abfd41c86e1a321d5f35b950f9dc7eb930
2016-03-16 15:48:15 -07:00
d34d
e7036e8387 Themes: Refactor themes to CMSDK [3/6]
Change-Id: Ia8f3a5080f2ca2cecc3474058db4970c5661c89c
TICKET: CYNGNOS-2126
2016-03-01 09:57:15 -08:00
AdrianDC
36cb29d509 recovery: Add new rule for sys.usb.ffs.ready
init: avc:  denied  { set } for property=sys.usb.ffs.ready
    scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0
    tclass=property_service

Change-Id: Id3441ccc3c6a8915a5fdf50efd8c617d1242868a
2016-02-23 16:28:56 -08:00
FrozenCow
ec0322e31b cm: sepolicy: allow kernel to read storage
This fixes issues where the kernel would need to read and write
files from internal or external storage. More specifically, the
kernel needs these rules for USB mass storage to work correctly.

Change-Id: I8cb0307727bc0c464d5470e55275ad808e748ee0
2016-02-20 14:26:41 -08:00
Wolfgang Wiedmeyer
9c205f0603
sepolicy: remove mac_permissions for proprietary google apps and cmupdater
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
2016-02-17 01:16:14 +01:00
Wolfgang Wiedmeyer
cd25e76555
sepolicy: allow bootanim and surfaceflinger execmem and access to ashmem
This allows the device to boot with software rendering
using build/target/board/generic/sepolicy as reference

Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
2016-02-16 17:32:25 +01:00
Pat Erley
18037e7462 sepolicy: Allow system server and uncrypt access pipe
System server needs to be able to create a pipe in the cache partition
for uncrypting OTAs. Uncrypt needs to be able to read and write the
pipe.

Change-Id: Ie03ee7d637eaecff8fe38bf03dc733b3915cd336
2016-02-16 14:49:04 +01:00
Pat Erley
15697319ca sepolicy: Allow system server and uncrypt access pipe
System server needs to be able to create a pipe in the cache partition
for uncrypting OTAs. Uncrypt needs to be able to read and write the
pipe.

Change-Id: Ie03ee7d637eaecff8fe38bf03dc733b3915cd336
2016-02-09 13:24:46 -08:00
Wolfgang Wiedmeyer
5b2d5516ff
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>

Conflicts:
	overlay/common/frameworks/base/core/res/res/drawable-nodpi/default_wallpaper.jpg
	overlay/common/frameworks/base/core/res/res/drawable-sw600dp-nodpi/default_wallpaper.jpg
	overlay/common/frameworks/base/core/res/res/drawable-sw720dp-nodpi/default_wallpaper.jpg
	overlay/common/frameworks/base/core/res/res/drawable-xhdpi/default_wallpaper.jpg
2016-02-03 12:23:07 +01:00
Pat Erley
db4fb0ee6b recovery: Add new rules for recursive wipe
We now use a temporary context when mounting /data, so add permissions
to do that, and add permissions necessary to do the recursive wipe.

Change-Id: Ic925c70f1cf01c8b19a6ac48a9468d6eb9205321
2016-01-28 15:20:51 -08:00
Jani Lusikka
8c780755f2 Grant platform apps access to /mnt/media_rw with sdcard_posix label
Also allow apps to read the contents of mounted OBBs.

See AOSP Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
and Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa

Change-Id: I757a2a8831c69d41c0496025a39eaf79ceb0e65f
2016-01-24 14:39:42 -08:00
Wolfgang Wiedmeyer
cd55ab2858 Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0-toolchain 2016-01-14 15:27:42 +01:00
myfluxi
e8df21c962 sepolicy: Add perfprofd with set_prop macro
Addresses:
avc: denied { write }
for pid=293 comm="perfprofd" name="property_service" dev="tmpfs" ino=9229 scontext=u:r:perfprofd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Change-Id: I5a88722eda4d0751fd9a081c434d385ac1c785ef
2016-01-12 17:21:32 -08:00
Wolfgang Wiedmeyer
a746591c4e Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0 2016-01-02 14:12:03 +01:00
Matt Mower
511152cd2c sepolicy: Allow minivold execute_no_trans
After assimilating minivold into /sbin/recovery, we need to allow the
minivold service (a symlink to the recovery binary) to transition from
the recovery to the vold domain.

Change-Id: I112e6d371a8da8fc55a06967852c869105190616
2016-01-02 02:07:18 -08:00
codeworkx
14e765cd71 cm: sepolicy: fix denials for external storage
Change-Id: I784a859671c69370cab0118a88a5fb0190352af9
2016-01-01 17:30:27 +01:00
Wolfgang Wiedmeyer
c4a6948aca Merge remote-tracking branch 'cyanogenmod/cm-13.0' into replicant-6.0 2015-12-29 23:09:22 +01:00
codeworkx
053b1805da sepolicy: label exfat and ntfs mkfs executables
Change-Id: Ic5e32818bc54993f4e8c2377cbec64f9444f6d8a
2015-12-29 21:51:32 +01:00
Wolfgang Wiedmeyer
e616dce0a7 Merge remote-tracking branch 'cyanogenmod/cm-13.0' into replicant-6.0 2015-12-21 14:07:49 +01:00
dhacker29
076a1ea54a sepolicy: Set the context for fsck.exfat/ntfs to fsck_exec
This matches the policy for fsck.f2fs, although it still needs to run
as fsck_untrusted for public volumes

Change-Id: Ia04e7f8902e53a9926a87f0c99e603611cc39c5d
2015-12-17 15:43:00 -08:00
Wolfgang Wiedmeyer
f55a720155 Merge remote-tracking branch 'cyanogenmod/cm-13.0' into replicant-6.0
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>

Conflicts:
	config/common.mk
2015-12-17 21:10:59 +01:00
Wolfgang Wiedmeyer
71a01dce17 Merge remote-tracking branch 'github/cm-13.0' into replicant-6.0
remove prebuilt terminal (built-in terminal app can be activated in dev settings)

Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>

Conflicts:
	CHANGELOG.mkdn
	CONTRIBUTORS.mkdn
	config/cdma.mk
	config/cm_audio.mk
	config/common.mk
	config/common_full.mk
	config/common_full_phone.mk
	config/gsm.mk
	config/themes_common.mk
	get-prebuilts
	overlay/common/frameworks/base/core/res/res/drawable-nodpi/default_wallpaper.jpg
	overlay/common/frameworks/base/core/res/res/drawable-sw600dp-nodpi/default_wallpaper.jpg
	overlay/common/frameworks/base/core/res/res/drawable-sw720dp-nodpi/default_wallpaper.jpg
	overlay/common/frameworks/base/core/res/res/drawable-xhdpi/default_wallpaper.jpg
	overlay/common/frameworks/base/core/res/res/values/config.xml
	overlay/common/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
	prebuilt/common/bootanimation/1080.zip
	prebuilt/common/bootanimation/1200.zip
	prebuilt/common/bootanimation/240.zip
	prebuilt/common/bootanimation/320.zip
	prebuilt/common/bootanimation/360.zip
	prebuilt/common/bootanimation/480.zip
	prebuilt/common/bootanimation/540.zip
	prebuilt/common/bootanimation/600.zip
	prebuilt/common/bootanimation/720.zip
	prebuilt/common/bootanimation/768.zip
	prebuilt/common/bootanimation/800.zip
	prebuilt/common/etc/apns-conf.xml
	sepolicy/mac_permissions.xml
	sepolicy/sepolicy.mk
	vendorsetup.sh

Change-Id: I4fc2a5b00721cae8b3a36f33c36f006142bad44f
2015-12-17 18:24:03 +01:00
Ethan Chen
909343f3df SELinux: Use custom ADB over network property
* Use a custom system property to trigger the real one, so we avoid
  running afoul of any SELinux CTS requirements.

Change-Id: If5e7a275f492631a673284408f1e430a12358380
2015-12-16 11:01:50 -08:00
Keith Mok
6bc84be525 sepolicy: Add permission for formatting user/cache partition
If the "formattable" fstab flag is set, init will tries
to format that partition, added the required policy to allow it.

Change-Id: I858b06aa3ff3ce775cf7676b09b9960f2558f7f6
2015-12-16 10:41:51 -08:00
Keith Mok
fcfc13ac6f sepolicy: Add domain for mkfs binaries
The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.

Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
2015-12-16 10:40:28 -08:00
Steve Kondik
e01646719a sepolicy: Allow adb pull of executables without root
* Because we aren't actually jerks, contrary to popular belief.

Change-Id: Ie39cce65ecc6a2861547865ff554b108b8b534fa
2015-11-29 05:28:14 -08:00
Diogo Ferreira
140305db6d sepolicy: qcom: Allow reading PSU sysfs by system_server
BatteryService queries the usb state to check whether the usb type
is HVDCP. This patch adds a rule to allow that.

For more context check BatteryService#Led#isHvdcpPresent.

Change-Id: Ifacf13dde4b1df81c92bf5d92196e504e61dd402
2015-11-27 05:25:43 -08:00
Steve Kondik
aeec0ac261 sepolicy: Allow recovery to create links in the rootfs
* Needed to support vold and other new code.

Change-Id: I25a0b1cc6461eced7112dd4b3974a71423f7957b
2015-11-26 02:19:44 -08:00
Steve Kondik
48149d05a1 sepolicy: Rule for CM's perfd extension
Manual apply and refactor of cm-12.1 patch:
e04329df88211264e7a9c8f1d6b87a16d8d5639b

Use the unix_socket_connect macro and switch to the new
perfd domain.

Change-Id: Ibb83220b32bad7805653140751c978e629f87ffb
2015-11-23 15:11:18 -08:00
codeworkx
01490eface sepolicy: fix denial for sudaemon
fixes root access for apps

Change-Id: Iff443bf4cbea817917da72bbfc58f9fe42acceb5
2015-11-22 09:57:08 -08:00
Dan Pasanen
a90b69e921 sepolicy: add persist_block_device type
* This is likely defined in several device trees, but not all
  remove it from your device trees if we're going to write rules
  for it here.

Change-Id: I1dda04647d36db52525a3d57b485860dfe3eeb30
2015-11-17 08:38:43 -08:00
Steve Kondik
2c3b5d353e sepolicy: Remove some denials
* Allow apps to run the "df" command to look at disk usage.
 * Allow thermal engine to check/set battery limits.

Change-Id: I67c863a82a94007e7a5e8ccfde9c095b7277ab84
2015-11-16 19:46:00 -08:00
Steve Kondik
7d3eca93f4 sepolicy: Add policy for thermal engine changes
* Cyngn devices will need this.

Change-Id: I1e7528e92d0d4ed8c4029667d7ef3cf9081a6575
2015-11-14 23:58:46 +01:00
myfluxi
98df019cb4 sepolicy: qcom: Remove duplicate entry
We have this in qcom/sepolicy/common already.

Change-Id: Ibe6ada531f77d3ec00ff61081d21b3d36a1fe7a7
2015-11-10 17:28:12 +01:00
myfluxi
8501771607 sepolicy: Make superuser_device and sudaemon mlstrustedobjects
Address:
avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0
tclass=sock_file permissive=0

avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon"
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0
tclass=unix_stream_socket permissive=0

And thus fix su.

Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
2015-11-05 23:53:50 +01:00
Steve Kondik
aeea5ad7a3 perf: Moving PerformanceManager to CMSDK
* Devices will need to update their configurations!

Change-Id: I22cf4ec96656b98f515cf28fef95443cf6adb397
2015-11-03 18:55:49 -08:00
Steve Kondik
714a761061 cm: Remove duplicate SEPolicy items
* These are handled by the master SEPolicy now due to neverallow
   exceptions which occur on non-production builds.

Change-Id: Id50d9e41e1c8b0b1f26df7921def9e7a201f49d9
2015-10-31 02:08:33 -07:00
Dan Pasanen
9ca9d95a76 sepolicy: remove sudaemon type declaration
* this is already defined in external/sepolicy

Change-Id: I541b5de5bb6057f4fa3d88b6e9b9425b65f9963e
2015-10-17 09:22:14 -05:00
Adnan Begovic
c3d3969971 vendor/cm: Fix up service contexts for sepolicy.
Change-Id: Ibb04e967bd027c6d1118b8b471ec328c3b034d9d
2015-10-16 13:20:33 -07:00
Dan Pasanen
6ac91cb6d3 sepolicy: remove BOARD_SEPOLICY_UNION
* this is a no-op now

Change-Id: I3703a9670285017ce7aec9ac20c63a6f733b8ffa
2015-10-07 12:49:00 -07:00
Ricardo Cerqueira
b026605629 sepolicy: Underp the context for persistent storage
The dir's context need love, too

TICKET: CYNGNOS-1185
Change-Id: I659b3ba06079825fe850cf66858a9d98b5f61c46
2015-10-05 13:18:31 -07:00
Ed Falk
95682234f1 sepolicy: allow vold to trim persist
Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090
Issue-id: SYSTEMS-62
2015-09-30 14:04:23 -07:00
myfluxi
688479223e sepolicy: Allow system app to set boot anim property
Addresses denials observerd when using QuickBoot:

<4>[  224.756971] avc:  denied  { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
<3>[  224.757094] init: sys_prop: Unable to start service ctl [bootanim] uid:1000 gid:1000 pid:6039
<4>[  226.306456] avc:  denied  { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service

Change-Id: I338a0a1d5fa12c10e413769ea9638c10ed137000
2015-09-21 18:16:18 -07:00
Steve Kondik
e2f23f0e91 cm: Fix a few denials
* Missed a few things when cleaning up devices.

Change-Id: Ib71afd696a564aeeaa80c34ca9744a39891f4b63
2015-09-19 22:49:20 -07:00
Steve Kondik
b5c2cf0408 cm: sepolicy: Create central place for QC-specific policy
* We have a number of policy items due to changes in our BSPs or for
   other things which interact with the QC sepolicy. Add a place
   for us to store this stuff so we don't need to copy it around to
   every device.

Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
2015-09-15 15:31:38 -07:00
Steve Kondik
b5dbbdf9cb cm: sepolicy: Create standard policy for LiveDisplay
Change-Id: Icb0047f261861c8fae99ffa4e9053de8d3aa8c73
2015-09-15 15:31:19 -07:00
herriojr
c6d40c01f7 Enable The AppSuggestService
We need to enable our custom AppSuggestService in order to show
possible suggestions.

Change-Id: I9489723dfec315c7ff4ab414ebe88c3880876bd3
2015-09-14 10:25:22 -07:00
Adnan Begovic
c37c2313cf vendor/cm: cmsettings -> cmpartnerinterface
Change-Id: I9d9b30da37f243f77647c6d41cf0e0159968b8e2
2015-09-09 17:51:27 -07:00
Steve Kondik
a385501738 cm: SELinux policy for persistent properties API
* Set up persistent properties for devices with a /persist partition.

Change-Id: I78974dd4e25831338462c91fc25e36e343795510
2015-09-09 11:53:23 -07:00