This fixes issues where the kernel would need to read and write
files from internal or external storage. More specifically, the
kernel needs these rules for USB mass storage to work correctly.
Change-Id: I8cb0307727bc0c464d5470e55275ad808e748ee0
System server needs to be able to create a pipe in the cache partition
for uncrypting OTAs. Uncrypt needs to be able to read and write the
pipe.
Change-Id: Ie03ee7d637eaecff8fe38bf03dc733b3915cd336
We now use a temporary context when mounting /data, so add permissions
to do that, and add permissions necessary to do the recursive wipe.
Change-Id: Ic925c70f1cf01c8b19a6ac48a9468d6eb9205321
Also allow apps to read the contents of mounted OBBs.
See AOSP Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
and Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
Change-Id: I757a2a8831c69d41c0496025a39eaf79ceb0e65f
After assimilating minivold into /sbin/recovery, we need to allow the
minivold service (a symlink to the recovery binary) to transition from
the recovery to the vold domain.
Change-Id: I112e6d371a8da8fc55a06967852c869105190616
This matches the policy for fsck.f2fs, although it still needs to run
as fsck_untrusted for public volumes
Change-Id: Ia04e7f8902e53a9926a87f0c99e603611cc39c5d
* Use a custom system property to trigger the real one, so we avoid
running afoul of any SELinux CTS requirements.
Change-Id: If5e7a275f492631a673284408f1e430a12358380
If the "formattable" fstab flag is set, init will tries
to format that partition, added the required policy to allow it.
Change-Id: I858b06aa3ff3ce775cf7676b09b9960f2558f7f6
The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.
Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
BatteryService queries the usb state to check whether the usb type
is HVDCP. This patch adds a rule to allow that.
For more context check BatteryService#Led#isHvdcpPresent.
Change-Id: Ifacf13dde4b1df81c92bf5d92196e504e61dd402
Manual apply and refactor of cm-12.1 patch:
e04329df88211264e7a9c8f1d6b87a16d8d5639b
Use the unix_socket_connect macro and switch to the new
perfd domain.
Change-Id: Ibb83220b32bad7805653140751c978e629f87ffb
* This is likely defined in several device trees, but not all
remove it from your device trees if we're going to write rules
for it here.
Change-Id: I1dda04647d36db52525a3d57b485860dfe3eeb30
* Allow apps to run the "df" command to look at disk usage.
* Allow thermal engine to check/set battery limits.
Change-Id: I67c863a82a94007e7a5e8ccfde9c095b7277ab84
* These are handled by the master SEPolicy now due to neverallow
exceptions which occur on non-production builds.
Change-Id: Id50d9e41e1c8b0b1f26df7921def9e7a201f49d9
* We have a number of policy items due to changes in our BSPs or for
other things which interact with the QC sepolicy. Add a place
for us to store this stuff so we don't need to copy it around to
every device.
Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
* Performance Settings has been removed/refactored so these are no longer neccessary.
Change-Id: I5933700815d0037735fc48f8640b37d1f350ea91
Signed-off-by: Brandon McAnsh <brandon.mcansh@gmail.com>
Change-Id: If62e6b1d2ac41730ff2a8d562173abd2cb768f93
Add cmstatusbar service to system server services context
Change-Id: I77c5de75722cc5f36a5326e3da57ab661b89d189
Build Platform resource package.
Change-Id: Id60f66b6db23989db1472a19bcb079b0083f7393
vendor/cm: Lock cm platform library/cmsdk to non-release builds.
Change-Id: I01c1c3fe559d438e28339ce426d7ba7e42724002
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
Assets such as composed icons and ringtones need to be accessed
by apps. This patch adds the policy needed to facilitate this.
Change-Id: If47920b2cc5dbafe8d71a621782bb4a3351bd68c
CM12 doesn't have a KSM setting in performance settings anymore.
KSM should be configured and enabled on device basis.
Change-Id: I98a0cbe1b01a659eb28bcd459be55d78a88bda86
- New theme_data_file context for files under /data/system/theme
- Permit systemserver to create files/dirs under /data/resource-cache
- Permit systemserver to create files/dirs under /data/system/theme
Change-Id: Id597fc20b477ea395a8631623f26a7edde280799
the filemanager doesn't need to be in platform_app. Put it in untrusted_app,
especially since it's a possible su client
Change-Id: I164853f2c8721d86b5b90677cb33032a3b491ff5
PR_SET_NO_NEW_PRIVS blocks domain transitions from within app_process,
unless the new domain is bounded by the app's context. So we can't
switch to a domain that has perms not available to untrusted_app :(
This means any app can talk to the daemon, bypassing the su executable
client. That's not a good thing, and needs to be resolved.
Change-Id: I85b74f90b8737caaa193a0555b5262e7392519b2
- Integrate policies from domain.te (fixes ES File Manager which uses unix socket)
- Allow platform_app to use su (fixes CM File Manager)
Change-Id: I39dd55e63b44590575bbe6d889c8d77141ba8545
This makes the rule more specific by overriding the upstream sepolicy.
Also adds the adbd context which is necessary for "adb tcpip".
Change-Id: Ia17eb56fc1682ab248764329e88eebd2a4075c97
Required due to CAF's abc9c0f4fe574ee9847f118e5d2ae8c530bac650 in
system/netd
Fixes showing how many devices are connected to the tethered hotspot
Change-Id: I1d83f7ac0b28efa6973e0baf429de2a398c471e3
Our healthd's support for power-on alarms adds some steps that imply
reading files its user doesn't own. Let it.
Change-Id: I3d4735aaab8fbec7acc460f812bc21f1dfa516ab
These should be treated as regular dex cache files, but they're
expanded outside of the normal cache dir
Change-Id: Id046e1b90116b35d2e7817ed4717fcef78135f08
When vold mounts an ext4 sdcard, it needs to force the context to
sdcard_external.
avc: denied { relabelfrom } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem
avc: denied { relabelto } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
avc: denied { relabelfrom } for pid=190 comm=vold scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
Change-Id: I80f42fbdf738dee10958ce1bdc1893a41234f0d9
This is required for ASEC support. Vold can already create and
access directories, but do not yet have the permission for files.
Change-Id: I5082bbff692e5dc53c7000e4b3a293e42d33f901
installd need to query ASEC size on sdcard_external
to show on the Settings -> Apps page correctly.
Change-Id: I2d9a49b8f0652f05d73d0ff464a3835595e2cc3c