/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
Assets such as composed icons and ringtones need to be accessed
by apps. This patch adds the policy needed to facilitate this.
Change-Id: If47920b2cc5dbafe8d71a621782bb4a3351bd68c
CM12 doesn't have a KSM setting in performance settings anymore.
KSM should be configured and enabled on device basis.
Change-Id: I98a0cbe1b01a659eb28bcd459be55d78a88bda86
- New theme_data_file context for files under /data/system/theme
- Permit systemserver to create files/dirs under /data/resource-cache
- Permit systemserver to create files/dirs under /data/system/theme
Change-Id: Id597fc20b477ea395a8631623f26a7edde280799
the filemanager doesn't need to be in platform_app. Put it in untrusted_app,
especially since it's a possible su client
Change-Id: I164853f2c8721d86b5b90677cb33032a3b491ff5
PR_SET_NO_NEW_PRIVS blocks domain transitions from within app_process,
unless the new domain is bounded by the app's context. So we can't
switch to a domain that has perms not available to untrusted_app :(
This means any app can talk to the daemon, bypassing the su executable
client. That's not a good thing, and needs to be resolved.
Change-Id: I85b74f90b8737caaa193a0555b5262e7392519b2
- Integrate policies from domain.te (fixes ES File Manager which uses unix socket)
- Allow platform_app to use su (fixes CM File Manager)
Change-Id: I39dd55e63b44590575bbe6d889c8d77141ba8545
This makes the rule more specific by overriding the upstream sepolicy.
Also adds the adbd context which is necessary for "adb tcpip".
Change-Id: Ia17eb56fc1682ab248764329e88eebd2a4075c97
Required due to CAF's abc9c0f4fe574ee9847f118e5d2ae8c530bac650 in
system/netd
Fixes showing how many devices are connected to the tethered hotspot
Change-Id: I1d83f7ac0b28efa6973e0baf429de2a398c471e3
Our healthd's support for power-on alarms adds some steps that imply
reading files its user doesn't own. Let it.
Change-Id: I3d4735aaab8fbec7acc460f812bc21f1dfa516ab
These should be treated as regular dex cache files, but they're
expanded outside of the normal cache dir
Change-Id: Id046e1b90116b35d2e7817ed4717fcef78135f08
When vold mounts an ext4 sdcard, it needs to force the context to
sdcard_external.
avc: denied { relabelfrom } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem
avc: denied { relabelto } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
avc: denied { relabelfrom } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
Change-Id: I80f42fbdf738dee10958ce1bdc1893a41234f0d9
This is required for ASEC support. Vold can already create and
access directories, but do not yet have the permission for files.
Change-Id: I5082bbff692e5dc53c7000e4b3a293e42d33f901
installd need to query ASEC size on sdcard_external
to show on the Settings -> Apps page correctly.
Change-Id: I2d9a49b8f0652f05d73d0ff464a3835595e2cc3c
Rather than having to maintain out of tree changes, it is often
easier to maintain a hiearchy of changes, starting with the vendors
common config file. From there, inheriting products can pick up a base
and start to add or remove certain bits from it, making use of the
BOARD_SEPOLICY_* functions documented in external/sepolicy/README.
Change-Id: I28a4aaf6c126535f0a88001582641b234a750015