* Will be re-written in device/lineage Change-Id: I755d129efbc69b712a20833b7b51187bfd66e844gugelfrei
Luca Stefani
7 years ago
committed by
Dan Pasanen
parent
52b7080796
commit
19464ebac0
@ -1 +0,0 @@
|
||||
set_prop(adbd, adbsecure_prop)
|
||||
@ -1,3 +0,0 @@
|
||||
# Themed resources (i.e. composed icons)
|
||||
allow appdomain themeservice_app_data_file:dir r_dir_perms;
|
||||
allow appdomain themeservice_app_data_file:file r_file_perms;
|
||||
@ -1 +0,0 @@
|
||||
r_dir_file(bluetooth, storage_stub_file);
|
||||
@ -1,3 +0,0 @@
|
||||
# Themed resources (bootanimation)
|
||||
allow bootanim themeservice_app_data_file:dir search;
|
||||
allow bootanim themeservice_app_data_file:file r_file_perms;
|
||||
@ -1,4 +0,0 @@
|
||||
allow domain block_device:dir { search getattr };
|
||||
allow domain block_device:blk_file getattr;
|
||||
allow domain cache_block_device:blk_file getattr;
|
||||
allow domain userdata_block_device:blk_file getattr;
|
||||
@ -1 +0,0 @@
|
||||
allow drmserver themeservice_app_data_file:file r_file_perms;
|
||||
@ -1,18 +0,0 @@
|
||||
# Support asec containers getting mounted
|
||||
allow file_type rootfs:filesystem associate;
|
||||
|
||||
# Themes
|
||||
type themeservice_app_data_file, file_type, data_file_type;
|
||||
|
||||
# Performance settings
|
||||
type sysfs_devices_system_iosched, file_type, sysfs_type;
|
||||
|
||||
# Persistent property storage
|
||||
type persist_property_file, file_type;
|
||||
|
||||
# Knobs for LiveDisplay
|
||||
type livedisplay_sysfs, sysfs_type, file_type;
|
||||
|
||||
# Filesystems
|
||||
type exfat, sdcard_type, fs_type, mlstrustedobject;
|
||||
type ntfs, sdcard_type, fs_type, mlstrustedobject;
|
||||
@ -1,52 +0,0 @@
|
||||
/cache/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
|
||||
# Themes
|
||||
/data/system/theme(/.*)? u:object_r:themeservice_app_data_file:s0
|
||||
|
||||
/system/bin/sysinit u:object_r:sysinit_exec:s0
|
||||
|
||||
/system/etc/init\.d/90userinit u:object_r:userinit_exec:s0
|
||||
/data/local/userinit\.sh u:object_r:userinit_data_exec:s0
|
||||
|
||||
# For EXFAT/F2FS/NTFS partitions marked "formattable"
|
||||
/system/bin/mkfs\.exfat u:object_r:mkfs_exec:s0
|
||||
/system/bin/mkfs\.f2fs u:object_r:mkfs_exec:s0
|
||||
/system/bin/mkfs\.ntfs u:object_r:mkfs_exec:s0
|
||||
|
||||
# For minivold in recovery
|
||||
/sbin/minivold u:object_r:vold_exec:s0
|
||||
|
||||
#############################
|
||||
# performance-related sysfs files (CM)
|
||||
/sys/devices/system/cpu.*/cpufreq(/.*)? u:object_r:sysfs_devices_system_cpu:s0
|
||||
/sys/block/mmcblk.*/queue/scheduler u:object_r:sysfs_devices_system_iosched:s0
|
||||
|
||||
/data/hostapd(/.*)? u:object_r:wifi_data_file:s0
|
||||
|
||||
#############
|
||||
# Superuser's control sockets
|
||||
/dev/socket/su-daemon(/.*)? u:object_r:superuser_device:s0
|
||||
|
||||
# Expansion of these hooks is a bit unconventional
|
||||
/cache/com\.cyanogenmod\.keyhandler\.dex u:object_r:dalvikcache_data_file:s0
|
||||
|
||||
# Lockscreen wallpaper
|
||||
/data/system/users/[0-9]+/keyguard_wallpaper u:object_r:wallpaper_file:s0
|
||||
|
||||
# Persistent properties
|
||||
/persist/properties(/.*)? u:object_r:persist_property_file:s0
|
||||
|
||||
# LiveDisplay
|
||||
/sys/devices/virtual/graphics/fb0/aco u:object_r:livedisplay_sysfs:s0
|
||||
/sys/devices/virtual/graphics/fb0/cabc u:object_r:livedisplay_sysfs:s0
|
||||
/sys/devices/virtual/graphics/fb0/hbm u:object_r:livedisplay_sysfs:s0
|
||||
/sys/devices/virtual/graphics/fb0/rgb u:object_r:livedisplay_sysfs:s0
|
||||
/sys/devices/virtual/graphics/fb0/sre u:object_r:livedisplay_sysfs:s0
|
||||
/sys/devices/virtual/graphics/fb0/color_enhance u:object_r:livedisplay_sysfs:s0
|
||||
|
||||
# fsck
|
||||
/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
|
||||
/system/bin/fsck\.exfat u:object_r:fsck_exec:s0
|
||||
|
||||
# bash
|
||||
/system/xbin/bash u:object_r:shell_exec:s0
|
||||
@ -1,2 +0,0 @@
|
||||
# External storage
|
||||
allow fsck_untrusted self:capability sys_admin;
|
||||
@ -1,3 +0,0 @@
|
||||
genfscon fuseblk / u:object_r:fuseblk:s0
|
||||
genfscon exfat / u:object_r:exfat:s0
|
||||
genfscon ntfs / u:object_r:ntfs:s0
|
||||
@ -1 +0,0 @@
|
||||
allow healthd self:capability { dac_override dac_read_search };
|
||||
@ -1 +0,0 @@
|
||||
allow hostapd netd:unix_dgram_socket sendto;
|
||||
@ -1,7 +0,0 @@
|
||||
# Allow formatting userdata or cache partitions
|
||||
allow init block_device:dir search;
|
||||
allow init userdata_block_device:blk_file rw_file_perms;
|
||||
allow init cache_block_device:blk_file rw_file_perms;
|
||||
|
||||
# Allow init to send class_* trigger events
|
||||
allow init property_socket:sock_file write;
|
||||
@ -1,8 +0,0 @@
|
||||
# Allow querying of asec size on SD card
|
||||
allow installd sdcard_type:dir { search };
|
||||
allow installd sdcard_type:file { getattr };
|
||||
|
||||
# Required for installd to create theme service's /data/data directory
|
||||
allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
|
||||
allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
|
||||
allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
|
||||
@ -1,2 +0,0 @@
|
||||
# used by sdcardfs to read package list
|
||||
allow kernel system_data_file:file open;
|
||||
@ -1,2 +0,0 @@
|
||||
# Various knobs used by LiveDisplay
|
||||
allow system_server livedisplay_sysfs:file rw_file_perms;
|
||||
@ -1,31 +0,0 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<policy>
|
||||
|
||||
<!-- Most Google-authored apps -->
|
||||
<signer signature="308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a" >
|
||||
<!-- This should probably be refined, but it's a ton of them -->
|
||||
<allow-all />
|
||||
<!-- We should only add the exact key + package name, rather then giving this to all gapps -->
|
||||
<seinfo value="release" />
|
||||
</signer>
|
||||
|
||||
<!-- Youtube -->
|
||||
<signer signature="30820252308201bb02044934987e300d06092a864886f70d01010405003070310b3009060355040613025553310b3009060355040813024341311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c652c20496e6331143012060355040b130b476f6f676c652c20496e633110300e06035504031307556e6b6e6f776e301e170d3038313230323032303735385a170d3336303431393032303735385a3070310b3009060355040613025553310b3009060355040813024341311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c652c20496e6331143012060355040b130b476f6f676c652c20496e633110300e06035504031307556e6b6e6f776e30819f300d06092a864886f70d010101050003818d00308189028181009f48031990f9b14726384e0453d18f8c0bbf8dc77b2504a4b1207c4c6c44babc00adc6610fa6b6ab2da80e33f2eef16b26a3f6b85b9afaca909ffbbeb3f4c94f7e8122a798e0eba75ced3dd229fa7365f41516415aa9c1617dd583ce19bae8a0bbd885fc17a9b4bd2640805121aadb9377deb40013381418882ec52282fc580d0203010001300d06092a864886f70d0101040500038181004086669ed631da4384ddd061d226e073b98cc4b99df8b5e4be9e3cbe97501e83df1c6fa959c0ce605c4fd2ac6d1c84cede20476cbab19be8f2203aff7717ad652d8fcc890708d1216da84457592649e0e9d3c4bb4cf58da19db1d4fc41bcb9584f64e65f410d0529fd5b68838c141d0a9bd1db1191cb2a0df790ea0cb12db3a4" >
|
||||
<allow-all />
|
||||
<seinfo value="release" />
|
||||
</signer>
|
||||
|
||||
<!-- CMUpdater -->
|
||||
<signer signature="@RELEASE" >
|
||||
<package name="com.cyanogenmod.updater" >
|
||||
<seinfo value="cmupdater" />
|
||||
</package>
|
||||
</signer>
|
||||
|
||||
<!-- ThemeManagerService -->
|
||||
<signer signature="@RELEASE" >
|
||||
<package name="org.cyanogenmod.themeservice" >
|
||||
<seinfo value="themeservice" />
|
||||
</package>
|
||||
</signer>
|
||||
</policy>
|
||||
@ -1,3 +0,0 @@
|
||||
# Themed resources (i.e. composed icons)
|
||||
allow mediaserver themeservice_app_data_file:dir r_dir_perms;
|
||||
allow mediaserver themeservice_app_data_file:file r_file_perms;
|
||||
@ -1,9 +0,0 @@
|
||||
type mkfs, domain;
|
||||
type mkfs_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(mkfs)
|
||||
|
||||
# Allow formatting userdata or cache partitions
|
||||
allow mkfs block_device:dir search;
|
||||
allow mkfs userdata_block_device:blk_file rw_file_perms;
|
||||
allow mkfs cache_block_device:blk_file rw_file_perms;
|
||||
@ -1,8 +0,0 @@
|
||||
allow netd self:capability { setuid sys_module setgid };
|
||||
allow netd self:packet_socket create_socket_perms;
|
||||
allow netd radio_data_file:dir rw_dir_perms;
|
||||
allow netd radio_data_file:file create_file_perms;
|
||||
allow netd wpa_socket:dir rw_dir_perms;
|
||||
allow netd wpa_socket:sock_file create_file_perms;
|
||||
allow netd system_wpa_socket:sock_file create_file_perms;
|
||||
allow netd hostapd:unix_dgram_socket sendto;
|
||||
@ -1 +0,0 @@
|
||||
allow priv_app system_app_data_file:file rw_file_perms;
|
||||
@ -1,4 +0,0 @@
|
||||
type adbtcp_prop, property_type;
|
||||
type recovery_prop, property_type;
|
||||
type userinit_prop, property_type;
|
||||
type adbsecure_prop, property_type;
|
||||
@ -1,4 +0,0 @@
|
||||
adb.network.port u:object_r:adbtcp_prop:s0
|
||||
recovery.perf.mode u:object_r:recovery_prop:s0
|
||||
ro.adb.secure u:object_r:adbsecure_prop:s0
|
||||
cm.userinit.active u:object_r:userinit_prop:s0
|
||||
@ -1,14 +0,0 @@
|
||||
# Allow pulling various binaries without root
|
||||
# (cause we're awesome like that)
|
||||
|
||||
allow adbd adsprpcd_exec:file r_file_perms;
|
||||
allow adbd location_exec:file r_file_perms;
|
||||
allow adbd mm-qcamerad_exec:file r_file_perms;
|
||||
allow adbd mpdecision_exec:file r_file_perms;
|
||||
allow adbd perfd_exec:file r_file_perms;
|
||||
allow adbd rfs_access_exec:file r_file_perms;
|
||||
allow adbd rmt_storage_exec:file r_file_perms;
|
||||
allow adbd sensors_exec:file r_file_perms;
|
||||
allow adbd tee_exec:file r_file_perms;
|
||||
allow adbd thermal-engine_exec:file r_file_perms;
|
||||
allow adbd time_daemon_exec:file r_file_perms;
|
||||
@ -1,8 +0,0 @@
|
||||
allow bootanim mpctl_socket:dir search;
|
||||
unix_socket_connect(bootanim, mpctl, perfd)
|
||||
unix_socket_send(bootanim, mpctl, perfd)
|
||||
|
||||
allow bootanim mpdecision:dir search;
|
||||
allow bootanim mpdecision:file r_file_perms;
|
||||
unix_socket_connect(bootanim, mpctl, mpdecision)
|
||||
unix_socket_send(bootanim, mpctl, mpdecision)
|
||||
@ -1 +0,0 @@
|
||||
type persist_block_device, dev_type;
|
||||
@ -1,2 +0,0 @@
|
||||
allow domain persist_file:dir getattr;
|
||||
allow domain persist_block_device:blk_file getattr;
|
||||
@ -1,11 +0,0 @@
|
||||
# For prefetcher to read themes
|
||||
allow dumpstate dalvikcache_data_file:dir r_dir_perms;
|
||||
allow dumpstate dalvikcache_data_file:file r_file_perms;
|
||||
allow dumpstate resourcecache_data_file:dir r_dir_perms;
|
||||
allow dumpstate resourcecache_data_file:file r_file_perms;
|
||||
allow dumpstate fuse:dir r_dir_perms;
|
||||
allow dumpstate fuse:file r_file_perms;
|
||||
allow dumpstate themeservice_app_data_file:dir r_dir_perms;
|
||||
allow dumpstate themeservice_app_data_file:file r_file_perms;
|
||||
allow dumpstate media_rw_data_file:dir search;
|
||||
allow dumpstate wcnss_service_exec:file rx_file_perms;
|
||||
@ -1,3 +0,0 @@
|
||||
# Storage of default mode by native API
|
||||
allow system_server display_misc_file:dir rw_dir_perms;
|
||||
allow system_server display_misc_file:file create_file_perms;
|
||||
@ -1,5 +0,0 @@
|
||||
allow mpdecision sysfs_devices_system_iosched:file rw_file_perms;
|
||||
unix_socket_connect(mpdecision, thermal, thermal-engine)
|
||||
|
||||
# read /proc/pid files
|
||||
r_dir_file(mpdecision, domain)
|
||||
@ -1,7 +0,0 @@
|
||||
allow perfd sysfs_devices_system_iosched:file rw_file_perms;
|
||||
|
||||
# read mediaserver status
|
||||
allow perfd mediaserver:file { read open };
|
||||
|
||||
#cm extra opts
|
||||
unix_socket_connect(perfd, thermal, thermal-engine)
|
||||
@ -1,5 +0,0 @@
|
||||
# perfprofd disables mpdecision temporarily via setprop ctl.stop,
|
||||
# then re-enables afterwards with setprop ctl.start
|
||||
userdebug_or_eng(`
|
||||
set_prop(perfprofd, mpdecision_prop)
|
||||
')
|
||||
@ -1,2 +0,0 @@
|
||||
persist.dbg u:object_r:radio_prop:s0
|
||||
persist.data u:object_r:radio_prop:s0
|
||||
@ -1,2 +0,0 @@
|
||||
BOARD_SEPOLICY_DIRS += \
|
||||
vendor/lineage/sepolicy/qcom
|
||||
@ -1,10 +0,0 @@
|
||||
# LiveDisplay access to color calibration
|
||||
allow system_server pps_socket:sock_file rw_file_perms;
|
||||
allow system_server mm-pp-daemon:unix_stream_socket connectto;
|
||||
|
||||
# Time services
|
||||
allow system_server time_daemon:unix_stream_socket connectto;
|
||||
|
||||
#allow reading of usb sysfs to query hvdcp state
|
||||
allow system_server sysfs_usb_supply:dir { search };
|
||||
allow system_server sysfs_usb_supply:file r_file_perms;
|
||||
@ -1,7 +0,0 @@
|
||||
allow thermal-engine self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
r_dir_file(thermal-engine, sysfs_rqstats);
|
||||
|
||||
allow thermal-engine sysfs_battery_supply:file rw_file_perms;
|
||||
allow thermal-engine sysfs_battery_supply:dir r_dir_perms;
|
||||
|
||||
allow thermal-engine self:capability { net_admin } ;
|
||||
@ -1 +0,0 @@
|
||||
allow vold persist_file:dir { getattr read open ioctl };
|
||||
@ -1,53 +0,0 @@
|
||||
recovery_only(`
|
||||
|
||||
# Secure adb (setup_adbd)
|
||||
allow adbd adb_keys_file:dir search;
|
||||
allow recovery adb_keys_file:dir r_dir_perms;
|
||||
allow recovery adb_keys_file:file r_file_perms;
|
||||
allow recovery shell_prop:property_service set;
|
||||
|
||||
# Recovery dialogs
|
||||
unix_socket_connect(recovery, vold, vold)
|
||||
allow recovery tmpfs:sock_file create_file_perms;
|
||||
|
||||
# Read packages.xml
|
||||
#allow recovery system_data_file:file r_file_perms;
|
||||
|
||||
# Manage fstab and /adb_keys
|
||||
#allow recovery rootfs:file create_file_perms;
|
||||
#allow recovery rootfs:file link;
|
||||
#allow recovery rootfs:dir { write create rmdir add_name remove_name };
|
||||
|
||||
# Read storage files and directories
|
||||
allow recovery tmpfs:dir mounton;
|
||||
allow recovery media_rw_data_file:dir r_dir_perms;
|
||||
allow recovery media_rw_data_file:file r_file_perms;
|
||||
allow recovery vfat:dir r_dir_perms;
|
||||
allow recovery vfat:file r_file_perms;
|
||||
allow recovery sdcard_type:dir r_dir_perms;
|
||||
allow recovery sdcard_type:file r_file_perms;
|
||||
|
||||
# Control properties
|
||||
allow recovery recovery_prop:property_service set;
|
||||
|
||||
# Set property sys.usb.ffs.ready
|
||||
allow recovery ffs_prop:property_service set;
|
||||
|
||||
# recursive rm for wipes... :(
|
||||
#allow app_data_file self:filesystem associate;
|
||||
#allow recovery app_data_file:file { read open create write };
|
||||
#allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };
|
||||
|
||||
#allow recovery file_type:dir { rw_dir_perms rmdir };
|
||||
#allow recovery file_type:notdevfile_class_set { unlink getattr };
|
||||
# wipe saves and restores the layout version
|
||||
#allow recovery install_data_file:file create_file_perms;
|
||||
#allow recovery system_data_file:file create_file_perms;
|
||||
|
||||
# /cache/recovery things: command and logs
|
||||
allow recovery cache_recovery_file:dir create_dir_perms;
|
||||
allow recovery cache_recovery_file:file create_file_perms;
|
||||
|
||||
# set system properties for various things
|
||||
allow recovery system_prop:property_service set;
|
||||
')
|
||||
@ -1,3 +0,0 @@
|
||||
#user=theme_man domain=system_app type=system_data_file
|
||||
#user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
|
||||
user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
|
||||
@ -1,7 +0,0 @@
|
||||
#
|
||||
# This policy configuration will be used by all products that
|
||||
# inherit from CM
|
||||
#
|
||||
|
||||
BOARD_SEPOLICY_DIRS += \
|
||||
vendor/lineage/sepolicy
|
||||
@ -1,17 +0,0 @@
|
||||
type edge_gesture_service, system_api_service, system_server_service, service_manager_type;
|
||||
type themes_service, system_api_service, system_server_service, service_manager_type;
|
||||
type torch_service, system_api_service, system_server_service, service_manager_type;
|
||||
type kill_switch_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_status_bar_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_profile_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_partner_interface, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_telephony_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_hardware_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_app_suggest_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_performance_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_themes_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_iconcache_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_livelockscreen_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_weather_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_livedisplay_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cm_audio_service, system_api_service, system_server_service, service_manager_type;
|
||||
@ -1,17 +0,0 @@
|
||||
edgegestureservice u:object_r:edge_gesture_service:s0
|
||||
themes u:object_r:themes_service:s0
|
||||
torch u:object_r:torch_service:s0
|
||||
killswitch u:object_r:kill_switch_service:s0
|
||||
cmstatusbar u:object_r:cm_status_bar_service:s0
|
||||
profile u:object_r:cm_profile_service:s0
|
||||
cmpartnerinterface u:object_r:cm_partner_interface:s0
|
||||
cmtelephonymanager u:object_r:cm_telephony_service:s0
|
||||
cmhardware u:object_r:cm_hardware_service:s0
|
||||
cmappsuggest u:object_r:cm_app_suggest_service:s0
|
||||
cmperformance u:object_r:cm_performance_service:s0
|
||||
cmthemes u:object_r:cm_themes_service:s0
|
||||
cmiconcache u:object_r:cm_iconcache_service:s0
|
||||
cmlivelockscreen u:object_r:cm_livelockscreen_service:s0
|
||||
cmweather u:object_r:cm_weather_service:s0
|
||||
cmlivedisplay u:object_r:cm_livedisplay_service:s0
|
||||
cmaudio u:object_r:cm_audio_service:s0
|
||||
@ -1,72 +0,0 @@
|
||||
type superuser_device, file_type, mlstrustedobject;
|
||||
|
||||
## Perms for the daemon
|
||||
|
||||
userdebug_or_eng(`
|
||||
domain_trans(init, su_exec, sudaemon)
|
||||
|
||||
typeattribute sudaemon domain, mlstrustedsubject;
|
||||
|
||||
type_transition sudaemon socket_device:sock_file superuser_device;
|
||||
# The userspace app uses /dev sockets to control per-app access
|
||||
allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
|
||||
allow sudaemon superuser_device:sock_file { create setattr unlink write };
|
||||
|
||||
# sudaemon is also permissive to permit setenforce.
|
||||
permissive sudaemon;
|
||||
|
||||
# Add sudaemon to various domains
|
||||
net_domain(sudaemon)
|
||||
app_domain(sudaemon)
|
||||
|
||||
dontaudit sudaemon self:capability_class_set *;
|
||||
dontaudit sudaemon kernel:security *;
|
||||
dontaudit sudaemon kernel:system *;
|
||||
dontaudit sudaemon self:memprotect *;
|
||||
dontaudit sudaemon domain:process *;
|
||||
dontaudit sudaemon domain:fd *;
|
||||
dontaudit sudaemon domain:dir *;
|
||||
dontaudit sudaemon domain:lnk_file *;
|
||||
dontaudit sudaemon domain:{ fifo_file file } *;
|
||||
dontaudit sudaemon domain:socket_class_set *;
|
||||
dontaudit sudaemon domain:ipc_class_set *;
|
||||
dontaudit sudaemon domain:key *;
|
||||
dontaudit sudaemon fs_type:filesystem *;
|
||||
dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
|
||||
dontaudit sudaemon node_type:node *;
|
||||
dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
|
||||
dontaudit sudaemon netif_type:netif *;
|
||||
dontaudit sudaemon port_type:socket_class_set *;
|
||||
dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
|
||||
dontaudit sudaemon domain:peer *;
|
||||
dontaudit sudaemon domain:binder *;
|
||||
dontaudit sudaemon property_type:property_service *;
|
||||
dontaudit sudaemon appops_service:service_manager *;
|
||||
')
|
||||
|
||||
## Perms for the app
|
||||
|
||||
userdebug_or_eng(`
|
||||
# Translate user apps to the shell domain when using su
|
||||
#
|
||||
# PR_SET_NO_NEW_PRIVS blocks this :(
|
||||
# we need to find a way to narrow this down to the actual exec.
|
||||
# typealias shell alias suclient;
|
||||
# domain_auto_trans(untrusted_app, su_exec, suclient)
|
||||
|
||||
allow untrusted_app su_exec:file { execute_no_trans getattr open read execute };
|
||||
allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
|
||||
allow untrusted_app superuser_device:dir { r_dir_perms };
|
||||
allow untrusted_app superuser_device:sock_file { write };
|
||||
|
||||
|
||||
# For Settings control of access
|
||||
allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
|
||||
allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
|
||||
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
|
||||
|
||||
allow kernel sudaemon:fd { use };
|
||||
|
||||
')
|
||||
|
||||
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app -init -sudaemon') } su_exec:file no_x_file_perms;
|
||||
@ -1,23 +0,0 @@
|
||||
type sysinit, domain;
|
||||
type sysinit_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(sysinit)
|
||||
|
||||
#============= sysinit ==============
|
||||
allow sysinit devpts:chr_file { rw_file_perms };
|
||||
allow sysinit shell_exec:file { rx_file_perms };
|
||||
allow sysinit system_file:file { rx_file_perms };
|
||||
allow sysinit system_file:dir { r_dir_perms };
|
||||
allow sysinit toolbox_exec:file { rx_file_perms };
|
||||
allow sysinit self:process setcurrent;
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow sysinit userinit_data_exec:file { r_file_perms relabelto };
|
||||
allow sysinit property_socket:sock_file write;
|
||||
allow sysinit init:unix_stream_socket connectto;
|
||||
allow sysinit userinit_prop:property_service set;
|
||||
allow sysinit sysfs:file rw_file_perms;
|
||||
allow sysinit sysfs_devices_system_cpu:file write;
|
||||
allow sysinit self:capability dac_override;
|
||||
allow sysinit userinit_exec:file { rx_file_perms };
|
||||
')
|
||||
@ -1,13 +0,0 @@
|
||||
allow system_server wallpaper_file:file relabelto;
|
||||
|
||||
# allow adb related properties to be set
|
||||
allow system_server adbtcp_prop:property_service set;
|
||||
|
||||
allow system_server dhcp_data_file:dir r_dir_perms;
|
||||
allow system_server dhcp_data_file:file r_file_perms;
|
||||
|
||||
# Themes
|
||||
allow system_server themeservice_app_data_file:dir create_dir_perms;
|
||||
allow system_server themeservice_app_data_file:file create_file_perms;
|
||||
allow system_server resourcecache_data_file:dir create_dir_perms;
|
||||
allow system_server resourcecache_data_file:file create_file_perms;
|
||||
@ -1,11 +0,0 @@
|
||||
# For the updaters
|
||||
allow system_app cache_recovery_file:dir create_dir_perms;
|
||||
allow system_app cache_recovery_file:file create_file_perms;
|
||||
allow system_app media_rw_data_file:dir create_dir_perms;
|
||||
allow system_app media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Boot animation
|
||||
allow system_app ctl_bootanim_prop:property_service set;
|
||||
|
||||
# Settings app wants to read ro.adb.secure
|
||||
get_prop(system_app, adbsecure_prop)
|
||||
@ -1,17 +0,0 @@
|
||||
allow system_server cache_recovery_file:dir rw_dir_perms;
|
||||
allow system_server cache_recovery_file:file create_file_perms;
|
||||
allow system_server cache_recovery_file:fifo_file create_file_perms;
|
||||
|
||||
# Persistent properties
|
||||
allow system_server persist_property_file:dir rw_dir_perms;
|
||||
allow system_server persist_property_file:file { create_file_perms unlink };
|
||||
|
||||
allow system_server storage_stub_file:dir { getattr };
|
||||
|
||||
allow system_server media_rw_data_file:dir r_dir_perms;
|
||||
|
||||
get_prop(system_server, adbsecure_prop)
|
||||
|
||||
# Allow system_server to relabel newly created theme directory for
|
||||
# use by the proxied theme service
|
||||
allow system_server themeservice_app_data_file:dir relabelto;
|
||||
@ -1,19 +0,0 @@
|
||||
# Add themeservice_app to appdomain
|
||||
type themeservice_app, domain;
|
||||
app_domain(themeservice_app)
|
||||
|
||||
# Theme manager service
|
||||
allow themeservice_app activity_service:service_manager find;
|
||||
allow themeservice_app cm_status_bar_service:service_manager find;
|
||||
allow themeservice_app cm_themes_service:dir search;
|
||||
allow themeservice_app connectivity_service:service_manager find;
|
||||
allow themeservice_app display_service:service_manager find;
|
||||
allow themeservice_app mount_service:service_manager find;
|
||||
allow themeservice_app notification_service:service_manager find;
|
||||
allow themeservice_app system_app_data_file:dir search;
|
||||
allow themeservice_app user_service:service_manager find;
|
||||
allow themeservice_app wallpaper_service:service_manager find;
|
||||
|
||||
# Allow full access to themeservice_app_data_file
|
||||
allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
|
||||
allow themeservice_app themeservice_app_data_file:file create_file_perms;
|
||||
@ -1,13 +0,0 @@
|
||||
# ueventd needs to relabel files that pop in and out of sysfs
|
||||
allow ueventd sysfs:file relabelfrom;
|
||||
|
||||
# ueventd will set permissions on cpufreq nodes
|
||||
allow ueventd sysfs_devices_system_cpu:file setattr;
|
||||
|
||||
# ueventd loads wifi firmware on a ton of devices
|
||||
allow ueventd wifi_data_file:dir r_dir_perms;
|
||||
allow ueventd wifi_data_file:file r_file_perms;
|
||||
|
||||
# ueventd loads audio firmware on many devices
|
||||
allow ueventd audio_data_file:dir r_dir_perms;
|
||||
allow ueventd audio_data_file:file r_file_perms;
|
||||
@ -1,9 +0,0 @@
|
||||
r_dir_file(uncrypt, media_rw_data_file)
|
||||
allow uncrypt cache_recovery_file:dir create_dir_perms;
|
||||
allow uncrypt cache_recovery_file:file create_file_perms;
|
||||
allow uncrypt cache_recovery_file:fifo_file rw_file_perms;
|
||||
|
||||
allow uncrypt storage_file:dir r_dir_perms;
|
||||
allow uncrypt storage_stub_file:dir r_dir_perms;
|
||||
allow uncrypt fuse:dir r_dir_perms;
|
||||
allow uncrypt fuse:file r_file_perms;
|
||||
@ -1,3 +0,0 @@
|
||||
allow untrusted_app cm_weather_service:service_manager find;
|
||||
allow untrusted_app cm_status_bar_service:service_manager find;
|
||||
allow untrusted_app cm_profile_service:service_manager find;
|
||||
@ -1,4 +0,0 @@
|
||||
type userinit_exec, exec_type, file_type;
|
||||
type userinit_data_exec, file_type;
|
||||
|
||||
allow userinit_exec userinit_prop:property_service set;
|
||||
@ -1,23 +0,0 @@
|
||||
domain_trans(init, rootfs, vold)
|
||||
|
||||
# Allow vold to manage ASEC
|
||||
allow vold sdcard_type:file create_file_perms;
|
||||
allow vold vold_tmpfs:file create_file_perms;
|
||||
|
||||
# Allow vold to access fuse for fuse-based fs
|
||||
allow vold fuseblk:chr_file rw_file_perms;
|
||||
|
||||
# NTFS-3g wants to drop permission
|
||||
allow vold self:capability { setgid setuid };
|
||||
|
||||
# Vold can also run as minivold in the rootfs
|
||||
recovery_only(`
|
||||
allow vold rootfs:dir { add_name write };
|
||||
allow vold rootfs:file execute_no_trans;
|
||||
allow vold vold_tmpfs:file link;
|
||||
')
|
||||
|
||||
# External storage
|
||||
allow vold storage_stub_file:dir { rw_file_perms search add_name };
|
||||
allow vold mnt_media_rw_stub_file:dir r_dir_perms;
|
||||
allow vold mkfs_exec:file { execute read open getattr execute_no_trans };
|
||||
@ -1,5 +0,0 @@
|
||||
allow zygote themeservice_app_data_file:file r_file_perms;
|
||||
allow zygote themeservice_app_data_file:dir r_dir_perms;
|
||||
|
||||
# ps command may do this
|
||||
allow untrusted_app zygote:process getsched;
|
||||
Loading…
Reference in new issue