diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te deleted file mode 100644 index 80627d64..00000000 --- a/sepolicy/adbd.te +++ /dev/null @@ -1 +0,0 @@ -set_prop(adbd, adbsecure_prop) diff --git a/sepolicy/app.te b/sepolicy/app.te deleted file mode 100644 index b2ad5535..00000000 --- a/sepolicy/app.te +++ /dev/null @@ -1,3 +0,0 @@ -# Themed resources (i.e. composed icons) -allow appdomain themeservice_app_data_file:dir r_dir_perms; -allow appdomain themeservice_app_data_file:file r_file_perms; diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te deleted file mode 100644 index e45a4342..00000000 --- a/sepolicy/bluetooth.te +++ /dev/null @@ -1 +0,0 @@ -r_dir_file(bluetooth, storage_stub_file); diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te deleted file mode 100644 index 29c20d5f..00000000 --- a/sepolicy/bootanim.te +++ /dev/null @@ -1,3 +0,0 @@ -# Themed resources (bootanimation) -allow bootanim themeservice_app_data_file:dir search; -allow bootanim themeservice_app_data_file:file r_file_perms; diff --git a/sepolicy/domain.te b/sepolicy/domain.te deleted file mode 100644 index e05768ee..00000000 --- a/sepolicy/domain.te +++ /dev/null @@ -1,4 +0,0 @@ -allow domain block_device:dir { search getattr }; -allow domain block_device:blk_file getattr; -allow domain cache_block_device:blk_file getattr; -allow domain userdata_block_device:blk_file getattr; diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te deleted file mode 100644 index 508791f4..00000000 --- a/sepolicy/drmserver.te +++ /dev/null @@ -1 +0,0 @@ -allow drmserver themeservice_app_data_file:file r_file_perms; diff --git a/sepolicy/file.te b/sepolicy/file.te deleted file mode 100644 index 707f6400..00000000 --- a/sepolicy/file.te +++ /dev/null @@ -1,18 +0,0 @@ -# Support asec containers getting mounted -allow file_type rootfs:filesystem associate; - -# Themes -type themeservice_app_data_file, file_type, data_file_type; - -# Performance settings -type sysfs_devices_system_iosched, file_type, sysfs_type; - -# Persistent property storage -type persist_property_file, file_type; - -# Knobs for LiveDisplay -type livedisplay_sysfs, sysfs_type, file_type; - -# Filesystems -type exfat, sdcard_type, fs_type, mlstrustedobject; -type ntfs, sdcard_type, fs_type, mlstrustedobject; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts deleted file mode 100644 index 1e58f145..00000000 --- a/sepolicy/file_contexts +++ /dev/null @@ -1,52 +0,0 @@ -/cache/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 - -# Themes -/data/system/theme(/.*)? u:object_r:themeservice_app_data_file:s0 - -/system/bin/sysinit u:object_r:sysinit_exec:s0 - -/system/etc/init\.d/90userinit u:object_r:userinit_exec:s0 -/data/local/userinit\.sh u:object_r:userinit_data_exec:s0 - -# For EXFAT/F2FS/NTFS partitions marked "formattable" -/system/bin/mkfs\.exfat u:object_r:mkfs_exec:s0 -/system/bin/mkfs\.f2fs u:object_r:mkfs_exec:s0 -/system/bin/mkfs\.ntfs u:object_r:mkfs_exec:s0 - -# For minivold in recovery -/sbin/minivold u:object_r:vold_exec:s0 - -############################# -# performance-related sysfs files (CM) -/sys/devices/system/cpu.*/cpufreq(/.*)? u:object_r:sysfs_devices_system_cpu:s0 -/sys/block/mmcblk.*/queue/scheduler u:object_r:sysfs_devices_system_iosched:s0 - -/data/hostapd(/.*)? u:object_r:wifi_data_file:s0 - -############# -# Superuser's control sockets -/dev/socket/su-daemon(/.*)? u:object_r:superuser_device:s0 - -# Expansion of these hooks is a bit unconventional -/cache/com\.cyanogenmod\.keyhandler\.dex u:object_r:dalvikcache_data_file:s0 - -# Lockscreen wallpaper -/data/system/users/[0-9]+/keyguard_wallpaper u:object_r:wallpaper_file:s0 - -# Persistent properties -/persist/properties(/.*)? u:object_r:persist_property_file:s0 - -# LiveDisplay -/sys/devices/virtual/graphics/fb0/aco u:object_r:livedisplay_sysfs:s0 -/sys/devices/virtual/graphics/fb0/cabc u:object_r:livedisplay_sysfs:s0 -/sys/devices/virtual/graphics/fb0/hbm u:object_r:livedisplay_sysfs:s0 -/sys/devices/virtual/graphics/fb0/rgb u:object_r:livedisplay_sysfs:s0 -/sys/devices/virtual/graphics/fb0/sre u:object_r:livedisplay_sysfs:s0 -/sys/devices/virtual/graphics/fb0/color_enhance u:object_r:livedisplay_sysfs:s0 - -# fsck -/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0 -/system/bin/fsck\.exfat u:object_r:fsck_exec:s0 - -# bash -/system/xbin/bash u:object_r:shell_exec:s0 diff --git a/sepolicy/fsck_untrusted.te b/sepolicy/fsck_untrusted.te deleted file mode 100644 index 5d12f768..00000000 --- a/sepolicy/fsck_untrusted.te +++ /dev/null @@ -1,2 +0,0 @@ -# External storage -allow fsck_untrusted self:capability sys_admin; diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts deleted file mode 100644 index b5652a26..00000000 --- a/sepolicy/genfs_contexts +++ /dev/null @@ -1,3 +0,0 @@ -genfscon fuseblk / u:object_r:fuseblk:s0 -genfscon exfat / u:object_r:exfat:s0 -genfscon ntfs / u:object_r:ntfs:s0 diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te deleted file mode 100644 index 4711cf5c..00000000 --- a/sepolicy/healthd.te +++ /dev/null @@ -1 +0,0 @@ -allow healthd self:capability { dac_override dac_read_search }; diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te deleted file mode 100644 index 8a70f14b..00000000 --- a/sepolicy/hostapd.te +++ /dev/null @@ -1 +0,0 @@ -allow hostapd netd:unix_dgram_socket sendto; diff --git a/sepolicy/init.te b/sepolicy/init.te deleted file mode 100644 index eaf9cae8..00000000 --- a/sepolicy/init.te +++ /dev/null @@ -1,7 +0,0 @@ -# Allow formatting userdata or cache partitions -allow init block_device:dir search; -allow init userdata_block_device:blk_file rw_file_perms; -allow init cache_block_device:blk_file rw_file_perms; - -# Allow init to send class_* trigger events -allow init property_socket:sock_file write; diff --git a/sepolicy/installd.te b/sepolicy/installd.te deleted file mode 100644 index fc38117c..00000000 --- a/sepolicy/installd.te +++ /dev/null @@ -1,8 +0,0 @@ -# Allow querying of asec size on SD card -allow installd sdcard_type:dir { search }; -allow installd sdcard_type:file { getattr }; - -# Required for installd to create theme service's /data/data directory -allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto }; -allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto }; -allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr }; diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te deleted file mode 100644 index b944a75e..00000000 --- a/sepolicy/kernel.te +++ /dev/null @@ -1,2 +0,0 @@ -# used by sdcardfs to read package list -allow kernel system_data_file:file open; diff --git a/sepolicy/livedisplay.te b/sepolicy/livedisplay.te deleted file mode 100644 index a260e079..00000000 --- a/sepolicy/livedisplay.te +++ /dev/null @@ -1,2 +0,0 @@ -# Various knobs used by LiveDisplay -allow system_server livedisplay_sysfs:file rw_file_perms; diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml deleted file mode 100644 index f70b7225..00000000 --- a/sepolicy/mac_permissions.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te deleted file mode 100644 index 62ed0b7b..00000000 --- a/sepolicy/mediaserver.te +++ /dev/null @@ -1,3 +0,0 @@ -# Themed resources (i.e. composed icons) -allow mediaserver themeservice_app_data_file:dir r_dir_perms; -allow mediaserver themeservice_app_data_file:file r_file_perms; diff --git a/sepolicy/mkfs.te b/sepolicy/mkfs.te deleted file mode 100644 index fe7c61bb..00000000 --- a/sepolicy/mkfs.te +++ /dev/null @@ -1,9 +0,0 @@ -type mkfs, domain; -type mkfs_exec, exec_type, file_type; - -init_daemon_domain(mkfs) - -# Allow formatting userdata or cache partitions -allow mkfs block_device:dir search; -allow mkfs userdata_block_device:blk_file rw_file_perms; -allow mkfs cache_block_device:blk_file rw_file_perms; diff --git a/sepolicy/netd.te b/sepolicy/netd.te deleted file mode 100644 index 9a0de3f3..00000000 --- a/sepolicy/netd.te +++ /dev/null @@ -1,8 +0,0 @@ -allow netd self:capability { setuid sys_module setgid }; -allow netd self:packet_socket create_socket_perms; -allow netd radio_data_file:dir rw_dir_perms; -allow netd radio_data_file:file create_file_perms; -allow netd wpa_socket:dir rw_dir_perms; -allow netd wpa_socket:sock_file create_file_perms; -allow netd system_wpa_socket:sock_file create_file_perms; -allow netd hostapd:unix_dgram_socket sendto; diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te deleted file mode 100644 index 40a90e4b..00000000 --- a/sepolicy/priv_app.te +++ /dev/null @@ -1 +0,0 @@ -allow priv_app system_app_data_file:file rw_file_perms; \ No newline at end of file diff --git a/sepolicy/property.te b/sepolicy/property.te deleted file mode 100644 index ca257a3b..00000000 --- a/sepolicy/property.te +++ /dev/null @@ -1,4 +0,0 @@ -type adbtcp_prop, property_type; -type recovery_prop, property_type; -type userinit_prop, property_type; -type adbsecure_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts deleted file mode 100644 index 98c863ea..00000000 --- a/sepolicy/property_contexts +++ /dev/null @@ -1,4 +0,0 @@ -adb.network.port u:object_r:adbtcp_prop:s0 -recovery.perf.mode u:object_r:recovery_prop:s0 -ro.adb.secure u:object_r:adbsecure_prop:s0 -cm.userinit.active u:object_r:userinit_prop:s0 diff --git a/sepolicy/qcom/adbd.te b/sepolicy/qcom/adbd.te deleted file mode 100644 index d6109174..00000000 --- a/sepolicy/qcom/adbd.te +++ /dev/null @@ -1,14 +0,0 @@ -# Allow pulling various binaries without root -# (cause we're awesome like that) - -allow adbd adsprpcd_exec:file r_file_perms; -allow adbd location_exec:file r_file_perms; -allow adbd mm-qcamerad_exec:file r_file_perms; -allow adbd mpdecision_exec:file r_file_perms; -allow adbd perfd_exec:file r_file_perms; -allow adbd rfs_access_exec:file r_file_perms; -allow adbd rmt_storage_exec:file r_file_perms; -allow adbd sensors_exec:file r_file_perms; -allow adbd tee_exec:file r_file_perms; -allow adbd thermal-engine_exec:file r_file_perms; -allow adbd time_daemon_exec:file r_file_perms; diff --git a/sepolicy/qcom/bootanim.te b/sepolicy/qcom/bootanim.te deleted file mode 100644 index 4b4ca71f..00000000 --- a/sepolicy/qcom/bootanim.te +++ /dev/null @@ -1,8 +0,0 @@ -allow bootanim mpctl_socket:dir search; -unix_socket_connect(bootanim, mpctl, perfd) -unix_socket_send(bootanim, mpctl, perfd) - -allow bootanim mpdecision:dir search; -allow bootanim mpdecision:file r_file_perms; -unix_socket_connect(bootanim, mpctl, mpdecision) -unix_socket_send(bootanim, mpctl, mpdecision) diff --git a/sepolicy/qcom/device.te b/sepolicy/qcom/device.te deleted file mode 100644 index 9e49627b..00000000 --- a/sepolicy/qcom/device.te +++ /dev/null @@ -1 +0,0 @@ -type persist_block_device, dev_type; diff --git a/sepolicy/qcom/domain.te b/sepolicy/qcom/domain.te deleted file mode 100644 index 5af099fe..00000000 --- a/sepolicy/qcom/domain.te +++ /dev/null @@ -1,2 +0,0 @@ -allow domain persist_file:dir getattr; -allow domain persist_block_device:blk_file getattr; diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te deleted file mode 100644 index 560ad1e8..00000000 --- a/sepolicy/qcom/dumpstate.te +++ /dev/null @@ -1,11 +0,0 @@ -# For prefetcher to read themes -allow dumpstate dalvikcache_data_file:dir r_dir_perms; -allow dumpstate dalvikcache_data_file:file r_file_perms; -allow dumpstate resourcecache_data_file:dir r_dir_perms; -allow dumpstate resourcecache_data_file:file r_file_perms; -allow dumpstate fuse:dir r_dir_perms; -allow dumpstate fuse:file r_file_perms; -allow dumpstate themeservice_app_data_file:dir r_dir_perms; -allow dumpstate themeservice_app_data_file:file r_file_perms; -allow dumpstate media_rw_data_file:dir search; -allow dumpstate wcnss_service_exec:file rx_file_perms; diff --git a/sepolicy/qcom/livedisplay.te b/sepolicy/qcom/livedisplay.te deleted file mode 100644 index 394caa30..00000000 --- a/sepolicy/qcom/livedisplay.te +++ /dev/null @@ -1,3 +0,0 @@ -# Storage of default mode by native API -allow system_server display_misc_file:dir rw_dir_perms; -allow system_server display_misc_file:file create_file_perms; diff --git a/sepolicy/qcom/mpdecision.te b/sepolicy/qcom/mpdecision.te deleted file mode 100644 index 9399b326..00000000 --- a/sepolicy/qcom/mpdecision.te +++ /dev/null @@ -1,5 +0,0 @@ -allow mpdecision sysfs_devices_system_iosched:file rw_file_perms; -unix_socket_connect(mpdecision, thermal, thermal-engine) - -# read /proc/pid files -r_dir_file(mpdecision, domain) diff --git a/sepolicy/qcom/perfd.te b/sepolicy/qcom/perfd.te deleted file mode 100644 index dd11d848..00000000 --- a/sepolicy/qcom/perfd.te +++ /dev/null @@ -1,7 +0,0 @@ -allow perfd sysfs_devices_system_iosched:file rw_file_perms; - -# read mediaserver status -allow perfd mediaserver:file { read open }; - -#cm extra opts -unix_socket_connect(perfd, thermal, thermal-engine) diff --git a/sepolicy/qcom/perfprofd.te b/sepolicy/qcom/perfprofd.te deleted file mode 100644 index 09756251..00000000 --- a/sepolicy/qcom/perfprofd.te +++ /dev/null @@ -1,5 +0,0 @@ -# perfprofd disables mpdecision temporarily via setprop ctl.stop, -# then re-enables afterwards with setprop ctl.start -userdebug_or_eng(` - set_prop(perfprofd, mpdecision_prop) -') diff --git a/sepolicy/qcom/property_contexts b/sepolicy/qcom/property_contexts deleted file mode 100644 index 9bf48989..00000000 --- a/sepolicy/qcom/property_contexts +++ /dev/null @@ -1,2 +0,0 @@ -persist.dbg u:object_r:radio_prop:s0 -persist.data u:object_r:radio_prop:s0 diff --git a/sepolicy/qcom/sepolicy.mk b/sepolicy/qcom/sepolicy.mk deleted file mode 100644 index d0e851fc..00000000 --- a/sepolicy/qcom/sepolicy.mk +++ /dev/null @@ -1,2 +0,0 @@ -BOARD_SEPOLICY_DIRS += \ - vendor/lineage/sepolicy/qcom diff --git a/sepolicy/qcom/system_server.te b/sepolicy/qcom/system_server.te deleted file mode 100644 index 3239c2dc..00000000 --- a/sepolicy/qcom/system_server.te +++ /dev/null @@ -1,10 +0,0 @@ -# LiveDisplay access to color calibration -allow system_server pps_socket:sock_file rw_file_perms; -allow system_server mm-pp-daemon:unix_stream_socket connectto; - -# Time services -allow system_server time_daemon:unix_stream_socket connectto; - -#allow reading of usb sysfs to query hvdcp state -allow system_server sysfs_usb_supply:dir { search }; -allow system_server sysfs_usb_supply:file r_file_perms; diff --git a/sepolicy/qcom/thermal-engine.te b/sepolicy/qcom/thermal-engine.te deleted file mode 100644 index 8f8967e2..00000000 --- a/sepolicy/qcom/thermal-engine.te +++ /dev/null @@ -1,7 +0,0 @@ -allow thermal-engine self:netlink_kobject_uevent_socket create_socket_perms; -r_dir_file(thermal-engine, sysfs_rqstats); - -allow thermal-engine sysfs_battery_supply:file rw_file_perms; -allow thermal-engine sysfs_battery_supply:dir r_dir_perms; - -allow thermal-engine self:capability { net_admin } ; diff --git a/sepolicy/qcom/vold.te b/sepolicy/qcom/vold.te deleted file mode 100644 index 98931084..00000000 --- a/sepolicy/qcom/vold.te +++ /dev/null @@ -1 +0,0 @@ -allow vold persist_file:dir { getattr read open ioctl }; diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te deleted file mode 100644 index 708d9b62..00000000 --- a/sepolicy/recovery.te +++ /dev/null @@ -1,53 +0,0 @@ -recovery_only(` - -# Secure adb (setup_adbd) -allow adbd adb_keys_file:dir search; -allow recovery adb_keys_file:dir r_dir_perms; -allow recovery adb_keys_file:file r_file_perms; -allow recovery shell_prop:property_service set; - -# Recovery dialogs -unix_socket_connect(recovery, vold, vold) -allow recovery tmpfs:sock_file create_file_perms; - -# Read packages.xml -#allow recovery system_data_file:file r_file_perms; - -# Manage fstab and /adb_keys -#allow recovery rootfs:file create_file_perms; -#allow recovery rootfs:file link; -#allow recovery rootfs:dir { write create rmdir add_name remove_name }; - -# Read storage files and directories -allow recovery tmpfs:dir mounton; -allow recovery media_rw_data_file:dir r_dir_perms; -allow recovery media_rw_data_file:file r_file_perms; -allow recovery vfat:dir r_dir_perms; -allow recovery vfat:file r_file_perms; -allow recovery sdcard_type:dir r_dir_perms; -allow recovery sdcard_type:file r_file_perms; - -# Control properties -allow recovery recovery_prop:property_service set; - -# Set property sys.usb.ffs.ready -allow recovery ffs_prop:property_service set; - -# recursive rm for wipes... :( -#allow app_data_file self:filesystem associate; -#allow recovery app_data_file:file { read open create write }; -#allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount }; - -#allow recovery file_type:dir { rw_dir_perms rmdir }; -#allow recovery file_type:notdevfile_class_set { unlink getattr }; -# wipe saves and restores the layout version -#allow recovery install_data_file:file create_file_perms; -#allow recovery system_data_file:file create_file_perms; - -# /cache/recovery things: command and logs -allow recovery cache_recovery_file:dir create_dir_perms; -allow recovery cache_recovery_file:file create_file_perms; - -# set system properties for various things -allow recovery system_prop:property_service set; -') diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts deleted file mode 100644 index 215f1088..00000000 --- a/sepolicy/seapp_contexts +++ /dev/null @@ -1,3 +0,0 @@ -#user=theme_man domain=system_app type=system_data_file -#user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file -user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk deleted file mode 100644 index a2ac9998..00000000 --- a/sepolicy/sepolicy.mk +++ /dev/null @@ -1,7 +0,0 @@ -# -# This policy configuration will be used by all products that -# inherit from CM -# - -BOARD_SEPOLICY_DIRS += \ - vendor/lineage/sepolicy diff --git a/sepolicy/service.te b/sepolicy/service.te deleted file mode 100644 index c7ad50fc..00000000 --- a/sepolicy/service.te +++ /dev/null @@ -1,17 +0,0 @@ -type edge_gesture_service, system_api_service, system_server_service, service_manager_type; -type themes_service, system_api_service, system_server_service, service_manager_type; -type torch_service, system_api_service, system_server_service, service_manager_type; -type kill_switch_service, system_api_service, system_server_service, service_manager_type; -type cm_status_bar_service, system_api_service, system_server_service, service_manager_type; -type cm_profile_service, system_api_service, system_server_service, service_manager_type; -type cm_partner_interface, system_api_service, system_server_service, service_manager_type; -type cm_telephony_service, system_api_service, system_server_service, service_manager_type; -type cm_hardware_service, system_api_service, system_server_service, service_manager_type; -type cm_app_suggest_service, system_api_service, system_server_service, service_manager_type; -type cm_performance_service, system_api_service, system_server_service, service_manager_type; -type cm_themes_service, system_api_service, system_server_service, service_manager_type; -type cm_iconcache_service, system_api_service, system_server_service, service_manager_type; -type cm_livelockscreen_service, system_api_service, system_server_service, service_manager_type; -type cm_weather_service, system_api_service, system_server_service, service_manager_type; -type cm_livedisplay_service, system_api_service, system_server_service, service_manager_type; -type cm_audio_service, system_api_service, system_server_service, service_manager_type; diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts deleted file mode 100644 index 90f21c94..00000000 --- a/sepolicy/service_contexts +++ /dev/null @@ -1,17 +0,0 @@ -edgegestureservice u:object_r:edge_gesture_service:s0 -themes u:object_r:themes_service:s0 -torch u:object_r:torch_service:s0 -killswitch u:object_r:kill_switch_service:s0 -cmstatusbar u:object_r:cm_status_bar_service:s0 -profile u:object_r:cm_profile_service:s0 -cmpartnerinterface u:object_r:cm_partner_interface:s0 -cmtelephonymanager u:object_r:cm_telephony_service:s0 -cmhardware u:object_r:cm_hardware_service:s0 -cmappsuggest u:object_r:cm_app_suggest_service:s0 -cmperformance u:object_r:cm_performance_service:s0 -cmthemes u:object_r:cm_themes_service:s0 -cmiconcache u:object_r:cm_iconcache_service:s0 -cmlivelockscreen u:object_r:cm_livelockscreen_service:s0 -cmweather u:object_r:cm_weather_service:s0 -cmlivedisplay u:object_r:cm_livedisplay_service:s0 -cmaudio u:object_r:cm_audio_service:s0 diff --git a/sepolicy/su.te b/sepolicy/su.te deleted file mode 100644 index 1a2a2b3d..00000000 --- a/sepolicy/su.te +++ /dev/null @@ -1,72 +0,0 @@ -type superuser_device, file_type, mlstrustedobject; - -## Perms for the daemon - -userdebug_or_eng(` - domain_trans(init, su_exec, sudaemon) - - typeattribute sudaemon domain, mlstrustedsubject; - - type_transition sudaemon socket_device:sock_file superuser_device; - # The userspace app uses /dev sockets to control per-app access - allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink }; - allow sudaemon superuser_device:sock_file { create setattr unlink write }; - - # sudaemon is also permissive to permit setenforce. - permissive sudaemon; - - # Add sudaemon to various domains - net_domain(sudaemon) - app_domain(sudaemon) - - dontaudit sudaemon self:capability_class_set *; - dontaudit sudaemon kernel:security *; - dontaudit sudaemon kernel:system *; - dontaudit sudaemon self:memprotect *; - dontaudit sudaemon domain:process *; - dontaudit sudaemon domain:fd *; - dontaudit sudaemon domain:dir *; - dontaudit sudaemon domain:lnk_file *; - dontaudit sudaemon domain:{ fifo_file file } *; - dontaudit sudaemon domain:socket_class_set *; - dontaudit sudaemon domain:ipc_class_set *; - dontaudit sudaemon domain:key *; - dontaudit sudaemon fs_type:filesystem *; - dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *; - dontaudit sudaemon node_type:node *; - dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *; - dontaudit sudaemon netif_type:netif *; - dontaudit sudaemon port_type:socket_class_set *; - dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *; - dontaudit sudaemon domain:peer *; - dontaudit sudaemon domain:binder *; - dontaudit sudaemon property_type:property_service *; - dontaudit sudaemon appops_service:service_manager *; -') - -## Perms for the app - -userdebug_or_eng(` - # Translate user apps to the shell domain when using su - # - # PR_SET_NO_NEW_PRIVS blocks this :( - # we need to find a way to narrow this down to the actual exec. - # typealias shell alias suclient; - # domain_auto_trans(untrusted_app, su_exec, suclient) - - allow untrusted_app su_exec:file { execute_no_trans getattr open read execute }; - allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl }; - allow untrusted_app superuser_device:dir { r_dir_perms }; - allow untrusted_app superuser_device:sock_file { write }; - - - # For Settings control of access - allow system_app superuser_device:sock_file { read write create setattr unlink getattr }; - allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl }; - allow system_app superuser_device:dir { create rw_dir_perms setattr unlink }; - - allow kernel sudaemon:fd { use }; - -') - -neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app -init -sudaemon') } su_exec:file no_x_file_perms; diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te deleted file mode 100644 index 1a451a38..00000000 --- a/sepolicy/sysinit.te +++ /dev/null @@ -1,23 +0,0 @@ -type sysinit, domain; -type sysinit_exec, exec_type, file_type; - -init_daemon_domain(sysinit) - -#============= sysinit ============== -allow sysinit devpts:chr_file { rw_file_perms }; -allow sysinit shell_exec:file { rx_file_perms }; -allow sysinit system_file:file { rx_file_perms }; -allow sysinit system_file:dir { r_dir_perms }; -allow sysinit toolbox_exec:file { rx_file_perms }; -allow sysinit self:process setcurrent; - -userdebug_or_eng(` - allow sysinit userinit_data_exec:file { r_file_perms relabelto }; - allow sysinit property_socket:sock_file write; - allow sysinit init:unix_stream_socket connectto; - allow sysinit userinit_prop:property_service set; - allow sysinit sysfs:file rw_file_perms; - allow sysinit sysfs_devices_system_cpu:file write; - allow sysinit self:capability dac_override; - allow sysinit userinit_exec:file { rx_file_perms }; -') diff --git a/sepolicy/system.te b/sepolicy/system.te deleted file mode 100644 index a9831b68..00000000 --- a/sepolicy/system.te +++ /dev/null @@ -1,13 +0,0 @@ -allow system_server wallpaper_file:file relabelto; - -# allow adb related properties to be set -allow system_server adbtcp_prop:property_service set; - -allow system_server dhcp_data_file:dir r_dir_perms; -allow system_server dhcp_data_file:file r_file_perms; - -# Themes -allow system_server themeservice_app_data_file:dir create_dir_perms; -allow system_server themeservice_app_data_file:file create_file_perms; -allow system_server resourcecache_data_file:dir create_dir_perms; -allow system_server resourcecache_data_file:file create_file_perms; diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te deleted file mode 100644 index d24b10e3..00000000 --- a/sepolicy/system_app.te +++ /dev/null @@ -1,11 +0,0 @@ -# For the updaters -allow system_app cache_recovery_file:dir create_dir_perms; -allow system_app cache_recovery_file:file create_file_perms; -allow system_app media_rw_data_file:dir create_dir_perms; -allow system_app media_rw_data_file:file create_file_perms; - -# Boot animation -allow system_app ctl_bootanim_prop:property_service set; - -# Settings app wants to read ro.adb.secure -get_prop(system_app, adbsecure_prop) diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te deleted file mode 100644 index f88353aa..00000000 --- a/sepolicy/system_server.te +++ /dev/null @@ -1,17 +0,0 @@ -allow system_server cache_recovery_file:dir rw_dir_perms; -allow system_server cache_recovery_file:file create_file_perms; -allow system_server cache_recovery_file:fifo_file create_file_perms; - -# Persistent properties -allow system_server persist_property_file:dir rw_dir_perms; -allow system_server persist_property_file:file { create_file_perms unlink }; - -allow system_server storage_stub_file:dir { getattr }; - -allow system_server media_rw_data_file:dir r_dir_perms; - -get_prop(system_server, adbsecure_prop) - -# Allow system_server to relabel newly created theme directory for -# use by the proxied theme service -allow system_server themeservice_app_data_file:dir relabelto; diff --git a/sepolicy/themeservice_app.te b/sepolicy/themeservice_app.te deleted file mode 100644 index aaa84ab4..00000000 --- a/sepolicy/themeservice_app.te +++ /dev/null @@ -1,19 +0,0 @@ -# Add themeservice_app to appdomain -type themeservice_app, domain; -app_domain(themeservice_app) - -# Theme manager service -allow themeservice_app activity_service:service_manager find; -allow themeservice_app cm_status_bar_service:service_manager find; -allow themeservice_app cm_themes_service:dir search; -allow themeservice_app connectivity_service:service_manager find; -allow themeservice_app display_service:service_manager find; -allow themeservice_app mount_service:service_manager find; -allow themeservice_app notification_service:service_manager find; -allow themeservice_app system_app_data_file:dir search; -allow themeservice_app user_service:service_manager find; -allow themeservice_app wallpaper_service:service_manager find; - -# Allow full access to themeservice_app_data_file -allow themeservice_app themeservice_app_data_file:dir create_dir_perms; -allow themeservice_app themeservice_app_data_file:file create_file_perms; diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te deleted file mode 100644 index 396e266c..00000000 --- a/sepolicy/ueventd.te +++ /dev/null @@ -1,13 +0,0 @@ -# ueventd needs to relabel files that pop in and out of sysfs -allow ueventd sysfs:file relabelfrom; - -# ueventd will set permissions on cpufreq nodes -allow ueventd sysfs_devices_system_cpu:file setattr; - -# ueventd loads wifi firmware on a ton of devices -allow ueventd wifi_data_file:dir r_dir_perms; -allow ueventd wifi_data_file:file r_file_perms; - -# ueventd loads audio firmware on many devices -allow ueventd audio_data_file:dir r_dir_perms; -allow ueventd audio_data_file:file r_file_perms; diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te deleted file mode 100644 index ca4f8ad9..00000000 --- a/sepolicy/uncrypt.te +++ /dev/null @@ -1,9 +0,0 @@ -r_dir_file(uncrypt, media_rw_data_file) -allow uncrypt cache_recovery_file:dir create_dir_perms; -allow uncrypt cache_recovery_file:file create_file_perms; -allow uncrypt cache_recovery_file:fifo_file rw_file_perms; - -allow uncrypt storage_file:dir r_dir_perms; -allow uncrypt storage_stub_file:dir r_dir_perms; -allow uncrypt fuse:dir r_dir_perms; -allow uncrypt fuse:file r_file_perms; diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te deleted file mode 100644 index 2372f162..00000000 --- a/sepolicy/untrusted_app.te +++ /dev/null @@ -1,3 +0,0 @@ -allow untrusted_app cm_weather_service:service_manager find; -allow untrusted_app cm_status_bar_service:service_manager find; -allow untrusted_app cm_profile_service:service_manager find; diff --git a/sepolicy/userinit.te b/sepolicy/userinit.te deleted file mode 100644 index 74072877..00000000 --- a/sepolicy/userinit.te +++ /dev/null @@ -1,4 +0,0 @@ -type userinit_exec, exec_type, file_type; -type userinit_data_exec, file_type; - -allow userinit_exec userinit_prop:property_service set; diff --git a/sepolicy/vold.te b/sepolicy/vold.te deleted file mode 100644 index 63e72d77..00000000 --- a/sepolicy/vold.te +++ /dev/null @@ -1,23 +0,0 @@ -domain_trans(init, rootfs, vold) - -# Allow vold to manage ASEC -allow vold sdcard_type:file create_file_perms; -allow vold vold_tmpfs:file create_file_perms; - -# Allow vold to access fuse for fuse-based fs -allow vold fuseblk:chr_file rw_file_perms; - -# NTFS-3g wants to drop permission -allow vold self:capability { setgid setuid }; - -# Vold can also run as minivold in the rootfs -recovery_only(` - allow vold rootfs:dir { add_name write }; - allow vold rootfs:file execute_no_trans; - allow vold vold_tmpfs:file link; -') - -# External storage -allow vold storage_stub_file:dir { rw_file_perms search add_name }; -allow vold mnt_media_rw_stub_file:dir r_dir_perms; -allow vold mkfs_exec:file { execute read open getattr execute_no_trans }; diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te deleted file mode 100644 index 951f4143..00000000 --- a/sepolicy/zygote.te +++ /dev/null @@ -1,5 +0,0 @@ -allow zygote themeservice_app_data_file:file r_file_perms; -allow zygote themeservice_app_data_file:dir r_dir_perms; - -# ps command may do this -allow untrusted_app zygote:process getsched;