aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xoverlay/frameworks/base/core/res/res/values/config.xml2
-rw-r--r--selinux/adbd.te1
-rw-r--r--selinux/debuggerd.te1
-rw-r--r--selinux/dex2oat.te2
-rw-r--r--selinux/init.te6
-rw-r--r--selinux/mediaserver.te2
-rw-r--r--selinux/platform_app.te1
-rw-r--r--selinux/radio.te2
-rw-r--r--selinux/sdcardd.te1
-rw-r--r--selinux/secril.te4
-rw-r--r--selinux/shared_relro.te1
-rw-r--r--selinux/shell.te4
-rw-r--r--selinux/system_app.te2
-rw-r--r--selinux/system_server.te5
-rw-r--r--selinux/untrusted_app.te2
-rw-r--r--selinux/wpa.te1
-rw-r--r--selinux/zygote.te1
17 files changed, 32 insertions, 6 deletions
diff --git a/overlay/frameworks/base/core/res/res/values/config.xml b/overlay/frameworks/base/core/res/res/values/config.xml
index 417da82..b6d3d5f 100755
--- a/overlay/frameworks/base/core/res/res/values/config.xml
+++ b/overlay/frameworks/base/core/res/res/values/config.xml
@@ -24,7 +24,7 @@
<bool name="config_disableMenuKeyInLockScreen">true</bool>
<!-- Workaround for devices with broken keyboards -->
- <bool name="config_forceDisableHardwareKeyboard">false</bool>
+ <!-- <bool name="config_forceDisableHardwareKeyboard">false</bool> -->
<!-- Boolean to enable stylus gestures -->
<!--<bool name="config_stylusGestures">true</bool>-->
diff --git a/selinux/adbd.te b/selinux/adbd.te
new file mode 100644
index 0000000..8776373
--- /dev/null
+++ b/selinux/adbd.te
@@ -0,0 +1 @@
+allow adbd kernel:system module_request;
diff --git a/selinux/debuggerd.te b/selinux/debuggerd.te
new file mode 100644
index 0000000..f60e6e3
--- /dev/null
+++ b/selinux/debuggerd.te
@@ -0,0 +1 @@
+allow debuggerd log_device:chr_file { read open };
diff --git a/selinux/dex2oat.te b/selinux/dex2oat.te
new file mode 100644
index 0000000..52e724a
--- /dev/null
+++ b/selinux/dex2oat.te
@@ -0,0 +1,2 @@
+allow dex2oat kernel:system module_request;
+allow dex2oat log_device:chr_file { write open };
diff --git a/selinux/init.te b/selinux/init.te
index 5b87e48..62841da 100644
--- a/selinux/init.te
+++ b/selinux/init.te
@@ -4,3 +4,9 @@ allow init init:tcp_socket { read write create };
allow init port:tcp_socket name_connect;
allow init self:tcp_socket { read write getopt connect };
allow init kernel:system syslog_read;
+allow init kernel:system module_request;
+allow init log_device:chr_file write;
+allow init property_socket:sock_file write;
+allow init ril_device:chr_file write;
+allow init sdcardd_exec:file { read execute open getattr execute_no_trans };
+allow init system_file:file execute_no_trans;
diff --git a/selinux/mediaserver.te b/selinux/mediaserver.te
index d2c07f4..0a3970e 100644
--- a/selinux/mediaserver.te
+++ b/selinux/mediaserver.te
@@ -6,4 +6,4 @@ allow mediaserver camera_data_file:file rw_file_perms;
allow mediaserver volume_data_file:file create_file_perms;
allow mediaserver volume_data_file:dir create_dir_perms;
allow mediaserver mfc_device:chr_file rw_file_perms;
-allow mediaserver system_data_file:file { write open }; \ No newline at end of file
+# allow mediaserver system_data_file:file { write open };
diff --git a/selinux/platform_app.te b/selinux/platform_app.te
new file mode 100644
index 0000000..717139a
--- /dev/null
+++ b/selinux/platform_app.te
@@ -0,0 +1 @@
+allow platform_app log_device:chr_file write;
diff --git a/selinux/radio.te b/selinux/radio.te
new file mode 100644
index 0000000..427a4c6
--- /dev/null
+++ b/selinux/radio.te
@@ -0,0 +1,2 @@
+allow radio kernel:system module_request;
+allow radio log_device:chr_file { write open };
diff --git a/selinux/sdcardd.te b/selinux/sdcardd.te
new file mode 100644
index 0000000..223cbfa
--- /dev/null
+++ b/selinux/sdcardd.te
@@ -0,0 +1 @@
+allow sdcardd kernel:system module_request;
diff --git a/selinux/secril.te b/selinux/secril.te
index 7761d80..e025a04 100644
--- a/selinux/secril.te
+++ b/selinux/secril.te
@@ -12,7 +12,7 @@ unix_socket_connect(secril-daemon, rild, rild)
allow secril-daemon { efs_file }:file rw_file_perms;
allow secril-daemon system_data_file:dir create_dir_perms;
-allow secril-daemon system_data_file:file unlink;
+# allow secril-daemon system_data_file:file unlink;
allow secril-daemon radio_data_file:file { create_file_perms };
allow secril-daemon kernel:system module_request;
allow secril-daemon self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
@@ -22,4 +22,4 @@ allow secril-daemon shell_exec:file rx_file_perms;
allow secril-daemon app_data_file:file rw_file_perms;
allow secril-daemon app_data_file:dir search;
allow secril-daemon zygote_exec:file rx_file_perms;
-allow secril-daemon ashmem_device:chr_file x_file_perms; \ No newline at end of file
+allow secril-daemon ashmem_device:chr_file x_file_perms;
diff --git a/selinux/shared_relro.te b/selinux/shared_relro.te
new file mode 100644
index 0000000..1c319ce
--- /dev/null
+++ b/selinux/shared_relro.te
@@ -0,0 +1 @@
+allow shared_relro log_device:chr_file write;
diff --git a/selinux/shell.te b/selinux/shell.te
index f528d9c..aff526f 100644
--- a/selinux/shell.te
+++ b/selinux/shell.te
@@ -1 +1,3 @@
-allow shell dalvikcache_data_file:file write;
+# allow shell dalvikcache_data_file:file write;
+allow shell kernel:system module_request;
+
diff --git a/selinux/system_app.te b/selinux/system_app.te
new file mode 100644
index 0000000..8422942
--- /dev/null
+++ b/selinux/system_app.te
@@ -0,0 +1,2 @@
+allow system_app log_device:chr_file write;
+allow system_app sysfs:file write;
diff --git a/selinux/system_server.te b/selinux/system_server.te
index f017b31..f1456dc 100644
--- a/selinux/system_server.te
+++ b/selinux/system_server.te
@@ -1,2 +1,5 @@
allow system_server efs_file:dir search;
-allow system_server default_prop:property_service set;
+# allow system_server default_prop:property_service set;
+allow system_server dex2oat_exec:file { read execute open execute_no_trans };
+allow system_server log_device:chr_file { write open };
+allow system_server system_file:file execmod;
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
index c81150b..b4f8b51 100644
--- a/selinux/untrusted_app.te
+++ b/selinux/untrusted_app.te
@@ -1,2 +1,4 @@
allow untrusted_app unlabeled:file getattr;
allow untrusted_app efs_file:dir getattr;
+allow untrusted_app kernel:system module_request;
+allow untrusted_app log_device:chr_file { write open };
diff --git a/selinux/wpa.te b/selinux/wpa.te
new file mode 100644
index 0000000..09bbb8f
--- /dev/null
+++ b/selinux/wpa.te
@@ -0,0 +1 @@
+allow wpa log_device:chr_file { write open };
diff --git a/selinux/zygote.te b/selinux/zygote.te
new file mode 100644
index 0000000..04fc7d3
--- /dev/null
+++ b/selinux/zygote.te
@@ -0,0 +1 @@
+allow zygote kernel:system module_request;