Ethan Chen
909343f3df
SELinux: Use custom ADB over network property
...
* Use a custom system property to trigger the real one, so we avoid
running afoul of any SELinux CTS requirements.
Change-Id: If5e7a275f492631a673284408f1e430a12358380
9 years ago
Keith Mok
6bc84be525
sepolicy: Add permission for formatting user/cache partition
...
If the "formattable" fstab flag is set, init will tries
to format that partition, added the required policy to allow it.
Change-Id: I858b06aa3ff3ce775cf7676b09b9960f2558f7f6
9 years ago
Keith Mok
fcfc13ac6f
sepolicy: Add domain for mkfs binaries
...
The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.
Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
9 years ago
Steve Kondik
e01646719a
sepolicy: Allow adb pull of executables without root
...
* Because we aren't actually jerks, contrary to popular belief.
Change-Id: Ie39cce65ecc6a2861547865ff554b108b8b534fa
9 years ago
Diogo Ferreira
140305db6d
sepolicy: qcom: Allow reading PSU sysfs by system_server
...
BatteryService queries the usb state to check whether the usb type
is HVDCP. This patch adds a rule to allow that.
For more context check BatteryService#Led#isHvdcpPresent.
Change-Id: Ifacf13dde4b1df81c92bf5d92196e504e61dd402
9 years ago
Steve Kondik
aeec0ac261
sepolicy: Allow recovery to create links in the rootfs
...
* Needed to support vold and other new code.
Change-Id: I25a0b1cc6461eced7112dd4b3974a71423f7957b
9 years ago
Steve Kondik
48149d05a1
sepolicy: Rule for CM's perfd extension
...
Manual apply and refactor of cm-12.1 patch:
e04329df88211264e7a9c8f1d6b87a16d8d5639b
Use the unix_socket_connect macro and switch to the new
perfd domain.
Change-Id: Ibb83220b32bad7805653140751c978e629f87ffb
9 years ago
codeworkx
01490eface
sepolicy: fix denial for sudaemon
...
fixes root access for apps
Change-Id: Iff443bf4cbea817917da72bbfc58f9fe42acceb5
9 years ago
Dan Pasanen
a90b69e921
sepolicy: add persist_block_device type
...
* This is likely defined in several device trees, but not all
remove it from your device trees if we're going to write rules
for it here.
Change-Id: I1dda04647d36db52525a3d57b485860dfe3eeb30
9 years ago
Steve Kondik
2c3b5d353e
sepolicy: Remove some denials
...
* Allow apps to run the "df" command to look at disk usage.
* Allow thermal engine to check/set battery limits.
Change-Id: I67c863a82a94007e7a5e8ccfde9c095b7277ab84
9 years ago
Steve Kondik
7d3eca93f4
sepolicy: Add policy for thermal engine changes
...
* Cyngn devices will need this.
Change-Id: I1e7528e92d0d4ed8c4029667d7ef3cf9081a6575
9 years ago
myfluxi
98df019cb4
sepolicy: qcom: Remove duplicate entry
...
We have this in qcom/sepolicy/common already.
Change-Id: Ibe6ada531f77d3ec00ff61081d21b3d36a1fe7a7
9 years ago
myfluxi
8501771607
sepolicy: Make superuser_device and sudaemon mlstrustedobjects
...
Address:
avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0
tclass=sock_file permissive=0
avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon"
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0
tclass=unix_stream_socket permissive=0
And thus fix su.
Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
9 years ago
Steve Kondik
aeea5ad7a3
perf: Moving PerformanceManager to CMSDK
...
* Devices will need to update their configurations!
Change-Id: I22cf4ec96656b98f515cf28fef95443cf6adb397
9 years ago
Steve Kondik
714a761061
cm: Remove duplicate SEPolicy items
...
* These are handled by the master SEPolicy now due to neverallow
exceptions which occur on non-production builds.
Change-Id: Id50d9e41e1c8b0b1f26df7921def9e7a201f49d9
9 years ago
Dan Pasanen
9ca9d95a76
sepolicy: remove sudaemon type declaration
...
* this is already defined in external/sepolicy
Change-Id: I541b5de5bb6057f4fa3d88b6e9b9425b65f9963e
9 years ago
Adnan Begovic
c3d3969971
vendor/cm: Fix up service contexts for sepolicy.
...
Change-Id: Ibb04e967bd027c6d1118b8b471ec328c3b034d9d
9 years ago
Dan Pasanen
6ac91cb6d3
sepolicy: remove BOARD_SEPOLICY_UNION
...
* this is a no-op now
Change-Id: I3703a9670285017ce7aec9ac20c63a6f733b8ffa
9 years ago
Ricardo Cerqueira
b026605629
sepolicy: Underp the context for persistent storage
...
The dir's context need love, too
TICKET: CYNGNOS-1185
Change-Id: I659b3ba06079825fe850cf66858a9d98b5f61c46
9 years ago
Ed Falk
95682234f1
sepolicy: allow vold to trim persist
...
Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090
Issue-id: SYSTEMS-62
9 years ago
myfluxi
688479223e
sepolicy: Allow system app to set boot anim property
...
Addresses denials observerd when using QuickBoot:
<4>[ 224.756971] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
<3>[ 224.757094] init: sys_prop: Unable to start service ctl [bootanim] uid:1000 gid:1000 pid:6039
<4>[ 226.306456] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service
Change-Id: I338a0a1d5fa12c10e413769ea9638c10ed137000
9 years ago
Steve Kondik
e2f23f0e91
cm: Fix a few denials
...
* Missed a few things when cleaning up devices.
Change-Id: Ib71afd696a564aeeaa80c34ca9744a39891f4b63
9 years ago
Steve Kondik
b5c2cf0408
cm: sepolicy: Create central place for QC-specific policy
...
* We have a number of policy items due to changes in our BSPs or for
other things which interact with the QC sepolicy. Add a place
for us to store this stuff so we don't need to copy it around to
every device.
Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
9 years ago
Steve Kondik
b5dbbdf9cb
cm: sepolicy: Create standard policy for LiveDisplay
...
Change-Id: Icb0047f261861c8fae99ffa4e9053de8d3aa8c73
9 years ago
herriojr
c6d40c01f7
Enable The AppSuggestService
...
We need to enable our custom AppSuggestService in order to show
possible suggestions.
Change-Id: I9489723dfec315c7ff4ab414ebe88c3880876bd3
9 years ago
Adnan Begovic
c37c2313cf
vendor/cm: cmsettings -> cmpartnerinterface
...
Change-Id: I9d9b30da37f243f77647c6d41cf0e0159968b8e2
9 years ago
Steve Kondik
a385501738
cm: SELinux policy for persistent properties API
...
* Set up persistent properties for devices with a /persist partition.
Change-Id: I78974dd4e25831338462c91fc25e36e343795510
9 years ago
Steve Kondik
587a3cff83
cm: Moving CMHW to CMSDK
...
Change-Id: I4dae95dbe68c472ba3703fea588b542758ec8036
9 years ago
Joao Figueiredo
d0f6b187ae
cmsdk: Dual SIM support on CM SDK
...
Change-Id: I209245e1a3165f329ed8a17a942340d96783ca13
9 years ago
Matt Garnes
874defe2bc
Add SettingsManagerService from cmsdk as a system service.
...
Change-Id: I0909a5fd49e8e042293719de93ebc8fbaaa1a196
9 years ago
Steve Kondik
74891faea9
sepolicy: Allow recovery to set system properties
...
* This is used by extremely critical things.
Change-Id: Ie529851469408adac1e081fe4f6dc5daa9002933
9 years ago
Brandon McAnsh
f208523054
sepolicy: system_app: Remove performace setting related entries
...
* Performance Settings has been removed/refactored so these are no longer neccessary.
Change-Id: I5933700815d0037735fc48f8640b37d1f350ea91
Signed-off-by: Brandon McAnsh <brandon.mcansh@gmail.com>
9 years ago
Adnan Begovic
4c4e428da8
vendor/cm: overlay start for ProfileService in external framework.
...
Change-Id: Ib1f8c6d00c2a66cfd8dac2b73ccd1bd053a3a497
9 years ago
Adnan Begovic
b53c503fee
Build CM Platform Library
...
Change-Id: If62e6b1d2ac41730ff2a8d562173abd2cb768f93
Add cmstatusbar service to system server services context
Change-Id: I77c5de75722cc5f36a5326e3da57ab661b89d189
Build Platform resource package.
Change-Id: Id60f66b6db23989db1472a19bcb079b0083f7393
vendor/cm: Lock cm platform library/cmsdk to non-release builds.
Change-Id: I01c1c3fe559d438e28339ce426d7ba7e42724002
9 years ago
Roman Birg
785c50ad3f
vendor: add sepolicy entry for killswitch service
...
Change-Id: Ib3c44c50138f5715d92addbf8df7ed591785b550
Signed-off-by: Roman Birg <roman@cyngn.com>
(cherry picked from commit 2ca5d3999b35d328f0969a264009bffe0faf889d)
9 years ago
Emerson Pinter
dc699fb190
sepolicy: Permissions for userinit
...
Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
9 years ago
Tom Marshall
b4bf950060
sepolicy: recovery: Allow data file write
...
Needed to preserve /data/.layout_version (aka nesting bug fix).
Change-Id: Iaae982223e80ad10479cf1ca3db09da7ada5663e
9 years ago
Scott Mertz
69c2e7f721
[3/3] CmHardwareService: add sepolicy
...
Change-Id: I551f61f40225a679593e94dbd47bb2fb0025da7e
9 years ago
dhacker29
c552843f1a
sepolicy: Allow CMUpdater/uncrypt access to recovery_cache_file
...
Change-Id: I514d128160ed4e04564077d7a2e2ad297af92e28
10 years ago
Christopher R. Palmer
da48ab89ac
sepolicy: Allow vold to create tmpfs files for asec containers
...
Change-Id: Ic8f1641928840774204099453b74dc1b52b3c6f8
10 years ago
Brint E. Kriebel
ac15eaedf9
sepolicy: Allow system apps to write cache and media files
...
Updaters need to be able to read and write to these locations.
Change-Id: I928a5f73ec29ab4fecb717072532d449192f3ca9
10 years ago
dhacker29
b4878d4cf1
sepolicy: Fix denails for flash_recovery service
...
Needed when option is checked to update cm recovery
Change-Id: I0b2fbfd7c141ae03ce14b9afeffd3a027d791c80
10 years ago
Ricardo Cerqueira
c75446d072
sepolicy: Split off /cache/recovery's permissions
...
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
10 years ago
Georg Veichtlbauer
2ccd36c73f
sepolicy: allow userinit to set its property
...
Change-Id: I9d8270d889566d169077a1b1fdaee43059d11ee1
10 years ago
Adam Farden
7b865eb046
sepolicy: actually include mediaserver.te
...
Added in patch e9c2de0679
but not included
Change-Id: I2ae901a7c80fceb33dba2ed4122d2aa47bff5a51
10 years ago
Roman Birg
c71cc6c4a8
cm: add torch service sepolicy entry
...
Change-Id: I6e6feae5fe6b4092c137ee2337c4a15b390df45e
Signed-off-by: Roman Birg <roman@cyngn.com>
10 years ago
Steve Kondik
998f53679b
sepolicy: Let drmserver scan themes
...
Change-Id: I7675b302723ef8700067ae9ef237daf6346a6627
10 years ago
Steve Kondik
77cabf5188
sepolicy: Fix policy for keyhandler
...
Change-Id: I2860f469480b082511e30530aed8a9027e9fe4b9
10 years ago
dhacker29
381a6501fa
sepolicy: Allow cmupdater/uncrypt access to media_rw_data_file
...
Change-Id: I800584af2919e3397b19d229fc28ad50cc4b2730
10 years ago
Steve Kondik
c6eb71e57a
cm: sepolicy: Allow use of dexclassloader by systemserver
...
* Needed for custom keyhandler.
Change-Id: Ifa57ad81951f9e1009eb291726cd8dfe36a3482e
10 years ago