sepolicy: More cleanups for N

* Fix up recovery stuff * Disable themes until ready * Disable CMUpdater until ready Change-Id: I99073b91fbd1ec16e59602da644727a0d019f330
8 years ago · 5b98d78fa9
parent a3765ca9ef
commit 5b98d78fa9
7 changed files with 24 additions and 29 deletions
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@ -7,9 +7,6 @@ type themeservice_app_data_file, file_type, data_file_type;
 # Performance settings
 type sysfs_devices_system_iosched, file_type, sysfs_type;

-# Recovery's "cache"
-type recovery_cache_file, file_type, mlstrustedobject;
-
 # Persistent property storage
 type persist_property_file, file_type;

--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -1,7 +1,5 @@
 /cache/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0

-/cache/recovery(/.*)?     u:object_r:recovery_cache_file:s0
-
 # Themes
 /data/system/theme(/.*)?  u:object_r:themeservice_app_data_file:s0

--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@ -11,12 +11,12 @@ unix_socket_connect(recovery, vold, vold)
 allow recovery tmpfs:sock_file create_file_perms;

 # Read packages.xml
-allow recovery system_data_file:file r_file_perms;
+#allow recovery system_data_file:file r_file_perms;

 # Manage fstab and /adb_keys
-allow recovery rootfs:file create_file_perms;
-allow recovery rootfs:file link;
-allow recovery rootfs:dir { write create rmdir add_name remove_name };
+#allow recovery rootfs:file create_file_perms;
+#allow recovery rootfs:file link;
+#allow recovery rootfs:dir { write create rmdir add_name remove_name };

 # Read storage files and directories
 allow recovery tmpfs:dir mounton;
@ -34,19 +34,19 @@ allow recovery recovery_prop:property_service set;
 allow recovery ffs_prop:property_service set;

 # recursive rm for wipes... :(
-allow app_data_file self:filesystem associate;
-allow recovery app_data_file:file { read open create write };
-allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };
+#allow app_data_file self:filesystem associate;
+#allow recovery app_data_file:file { read open create write };
+#allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };

-allow recovery file_type:dir { rw_dir_perms rmdir };
-allow recovery file_type:notdevfile_class_set { unlink getattr };
+#allow recovery file_type:dir { rw_dir_perms rmdir };
+#allow recovery file_type:notdevfile_class_set { unlink getattr };
 # wipe saves and restores the layout version
-allow recovery install_data_file:file create_file_perms;
-allow recovery system_data_file:file create_file_perms;
+#allow recovery install_data_file:file create_file_perms;
+#allow recovery system_data_file:file create_file_perms;

 # /cache/recovery things: command and logs
-allow recovery recovery_cache_file:dir create_dir_perms;
-allow recovery recovery_cache_file:file create_file_perms;
+allow recovery cache_recovery_file:dir create_dir_perms;
+allow recovery cache_recovery_file:file create_file_perms;

 # set system properties for various things
 allow recovery system_prop:property_service set;
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@ -1,4 +1,4 @@
 user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
-user=theme_man domain=system_app type=system_data_file
-user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
-user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
+#user=theme_man domain=system_app type=system_data_file
+#user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
+user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -1,6 +1,6 @@
 # For the updaters
-allow system_app recovery_cache_file:dir create_dir_perms;
-allow system_app recovery_cache_file:file create_file_perms;
+allow system_app cache_recovery_file:dir create_dir_perms;
+allow system_app cache_recovery_file:file create_file_perms;
 allow system_app media_rw_data_file:dir create_dir_perms;
 allow system_app media_rw_data_file:file create_file_perms;

--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -1,6 +1,6 @@
-allow system_server recovery_cache_file:dir rw_dir_perms;
-allow system_server recovery_cache_file:file create_file_perms;
-allow system_server recovery_cache_file:fifo_file create_file_perms;
+allow system_server cache_recovery_file:dir rw_dir_perms;
+allow system_server cache_recovery_file:file create_file_perms;
+allow system_server cache_recovery_file:fifo_file create_file_perms;

 # Persistent properties
 allow system_server persist_property_file:dir rw_dir_perms;
--- a/sepolicy/uncrypt.te
+++ b/sepolicy/uncrypt.te
@ -1,7 +1,7 @@
 r_dir_file(uncrypt, media_rw_data_file)
-allow uncrypt recovery_cache_file:dir create_dir_perms;
-allow uncrypt recovery_cache_file:file create_file_perms;
-allow uncrypt recovery_cache_file:fifo_file rw_file_perms;
+allow uncrypt cache_recovery_file:dir create_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+allow uncrypt cache_recovery_file:fifo_file rw_file_perms;

 allow uncrypt storage_file:dir r_dir_perms;
 allow uncrypt storage_stub_file:dir r_dir_perms;