summaryrefslogtreecommitdiffstats
path: root/sepolicy
diff options
context:
space:
mode:
authorWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2016-12-12 13:09:51 +0100
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2016-12-12 13:09:51 +0100
commit1bbac0dbd1b4a7e64ecd42443a4e6e9b13af1fb9 (patch)
tree07790f46da5b1716448b576ce2b6d81e7a0ddca4 /sepolicy
parent076588cc654f9dbbc6e65a291dd85e8e8c096d1e (diff)
parentdee68b3f6e1d78bb8dca56ef3ce64045edce4bfd (diff)
downloadvendor_replicant-1bbac0dbd1b4a7e64ecd42443a4e6e9b13af1fb9.zip
vendor_replicant-1bbac0dbd1b4a7e64ecd42443a4e6e9b13af1fb9.tar.gz
vendor_replicant-1bbac0dbd1b4a7e64ecd42443a4e6e9b13af1fb9.tar.bz2
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/app.te4
-rw-r--r--sepolicy/bootanim.te6
-rw-r--r--sepolicy/drmserver.te2
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/file_contexts10
-rw-r--r--sepolicy/installd.te5
-rw-r--r--sepolicy/kernel.te3
-rw-r--r--sepolicy/mediaserver.te7
-rw-r--r--sepolicy/platform_app.te7
-rw-r--r--sepolicy/qcom/dumpstate.te13
-rw-r--r--sepolicy/qcom/livedisplay.te3
-rw-r--r--sepolicy/qcom/property_contexts2
-rw-r--r--sepolicy/recovery.te1
-rw-r--r--sepolicy/seapp_contexts1
-rw-r--r--sepolicy/service.te4
-rw-r--r--sepolicy/service_contexts4
-rw-r--r--sepolicy/system.te4
-rw-r--r--sepolicy/system_server.te6
-rw-r--r--sepolicy/themeservice_app.te19
-rw-r--r--sepolicy/uncrypt.te5
-rw-r--r--sepolicy/vold.te1
-rw-r--r--sepolicy/zygote.te4
22 files changed, 97 insertions, 16 deletions
diff --git a/sepolicy/app.te b/sepolicy/app.te
index e590efe..6405e20 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -4,5 +4,5 @@ allow appdomain sdcard_posix:dir r_dir_perms;
allow appdomain sdcard_posix:file rw_file_perms;
# Themed resources (i.e. composed icons)
-allow appdomain theme_data_file:dir r_dir_perms;
-allow appdomain theme_data_file:file r_file_perms;
+allow appdomain themeservice_app_data_file:dir r_dir_perms;
+allow appdomain themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index 8739a87..91273bd 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -1,5 +1,5 @@
# Themed resources (bootanimation)
-allow bootanim theme_data_file:dir search;
-allow bootanim theme_data_file:file r_file_perms;
+allow bootanim themeservice_app_data_file:dir search;
+allow bootanim themeservice_app_data_file:file r_file_perms;
allow bootanim self:process execmem;
-allow bootanim ashmem_device:chr_file execute; \ No newline at end of file
+allow bootanim ashmem_device:chr_file execute;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
index 63f654f..508791f 100644
--- a/sepolicy/drmserver.te
+++ b/sepolicy/drmserver.te
@@ -1 +1 @@
-allow drmserver theme_data_file:file r_file_perms;
+allow drmserver themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 1a00339..05e3c5d 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -4,7 +4,7 @@ allow file_type rootfs:filesystem associate;
type auditd_log, file_type, data_file_type;
# Themes
-type theme_data_file, file_type, data_file_type;
+type themeservice_app_data_file, file_type, data_file_type;
# Performance settings
type sysfs_devices_system_iosched, file_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7024d1e..bcc9217 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -7,7 +7,7 @@
/data/misc/audit(/.*)? u:object_r:auditd_log:s0
# Themes
-/data/system/theme(/.*)? u:object_r:theme_data_file:s0
+/data/system/theme(/.*)? u:object_r:themeservice_app_data_file:s0
/system/bin/sysinit u:object_r:sysinit_exec:s0
@@ -24,8 +24,8 @@
#############################
# performance-related sysfs files (CM)
-/sys/devices/system/cpu.*/cpufreq(/.*)? -- u:object_r:sysfs_devices_system_cpu:s0
-/sys/block/mmcblk.*/queue/scheduler -- u:object_r:sysfs_devices_system_iosched:s0
+/sys/devices/system/cpu.*/cpufreq(/.*)? u:object_r:sysfs_devices_system_cpu:s0
+/sys/block/mmcblk.*/queue/scheduler u:object_r:sysfs_devices_system_iosched:s0
/data/hostapd(/.*)? u:object_r:wifi_data_file:s0
@@ -47,7 +47,11 @@
/sys/devices/virtual/graphics/fb0/cabc u:object_r:livedisplay_sysfs:s0
/sys/devices/virtual/graphics/fb0/rgb u:object_r:livedisplay_sysfs:s0
/sys/devices/virtual/graphics/fb0/sre u:object_r:livedisplay_sysfs:s0
+/sys/devices/virtual/graphics/fb0/color_enhance u:object_r:livedisplay_sysfs:s0
# fsck
/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
/system/bin/fsck\.exfat u:object_r:fsck_exec:s0
+
+# bash
+/system/xbin/bash u:object_r:shell_exec:s0
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 65f471a..c240599 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,3 +1,8 @@
# Allow querying of asec size on SD card
allow installd sdcard_external:dir { search };
allow installd sdcard_external:file { getattr };
+
+# Required for installd to create theme service's /data/data directory
+allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..2984b77
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,3 @@
+# used by sdcardfs to read package list
+allow kernel system_data_file:file open;
+allow kernel media_rw_data_file:file rw_file_perms;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index ea26cdf..c380ce9 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,3 +1,6 @@
# Themed resources (i.e. composed icons)
-allow mediaserver theme_data_file:dir r_dir_perms;
-allow mediaserver theme_data_file:file r_file_perms;
+allow mediaserver themeservice_app_data_file:dir r_dir_perms;
+allow mediaserver themeservice_app_data_file:file r_file_perms;
+
+# For camera
+allow mediaserver media_rw_data_file:file write;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index bbd4dd4..3e0eb57 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -5,3 +5,10 @@ allow platform_app sdcard_posix:file create_file_perms;
# Allow Gallery3D to crop user images
allow platform_app system_app_data_file:file rw_file_perms;
+
+# Allow Gallery3D to execute render scripts
+allow platform_app app_data_file:file execute;
+
+# Allow batterymanager and batteryproperties services to be found
+allow platform_app battery_service:service_manager find;
+allow platform_app healthd_service:service_manager find;
diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te
new file mode 100644
index 0000000..d2844a6
--- /dev/null
+++ b/sepolicy/qcom/dumpstate.te
@@ -0,0 +1,13 @@
+# For prefetcher to read themes
+allow dumpstate dalvikcache_data_file:dir r_dir_perms;
+allow dumpstate dalvikcache_data_file:file r_file_perms;
+allow dumpstate resourcecache_data_file:dir r_dir_perms;
+allow dumpstate resourcecache_data_file:file r_file_perms;
+allow dumpstate fuse:dir r_dir_perms;
+allow dumpstate fuse:file r_file_perms;
+allow dumpstate themeservice_app_data_file:dir r_dir_perms;
+allow dumpstate themeservice_app_data_file:file r_file_perms;
+allow dumpstate media_rw_data_file:dir search;
+allow dumpstate sdcardfs:file getattr;
+allow dumpstate sdcardfs:dir search;
+
diff --git a/sepolicy/qcom/livedisplay.te b/sepolicy/qcom/livedisplay.te
new file mode 100644
index 0000000..394caa3
--- /dev/null
+++ b/sepolicy/qcom/livedisplay.te
@@ -0,0 +1,3 @@
+# Storage of default mode by native API
+allow system_server display_misc_file:dir rw_dir_perms;
+allow system_server display_misc_file:file create_file_perms;
diff --git a/sepolicy/qcom/property_contexts b/sepolicy/qcom/property_contexts
new file mode 100644
index 0000000..9bf4898
--- /dev/null
+++ b/sepolicy/qcom/property_contexts
@@ -0,0 +1,2 @@
+persist.dbg u:object_r:radio_prop:s0
+persist.data u:object_r:radio_prop:s0
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index da6ddac..c5f58c6 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -19,6 +19,7 @@ allow recovery rootfs:file link;
allow recovery rootfs:dir { write create rmdir add_name remove_name };
# Read storage files and directories
+allow recovery tmpfs:dir mounton;
allow recovery media_rw_data_file:dir r_dir_perms;
allow recovery media_rw_data_file:file r_file_perms;
allow recovery vfat:dir r_dir_perms;
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 06c96d4..11c8f00 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,3 +1,4 @@
user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
user=theme_man domain=system_app type=system_data_file
user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
+user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file \ No newline at end of file
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 1a6559f..c7ad50f 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -11,3 +11,7 @@ type cm_app_suggest_service, system_api_service, system_server_service, service_
type cm_performance_service, system_api_service, system_server_service, service_manager_type;
type cm_themes_service, system_api_service, system_server_service, service_manager_type;
type cm_iconcache_service, system_api_service, system_server_service, service_manager_type;
+type cm_livelockscreen_service, system_api_service, system_server_service, service_manager_type;
+type cm_weather_service, system_api_service, system_server_service, service_manager_type;
+type cm_livedisplay_service, system_api_service, system_server_service, service_manager_type;
+type cm_audio_service, system_api_service, system_server_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 04efc6f..90f21c9 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -11,3 +11,7 @@ cmappsuggest u:object_r:cm_app_suggest_service:s0
cmperformance u:object_r:cm_performance_service:s0
cmthemes u:object_r:cm_themes_service:s0
cmiconcache u:object_r:cm_iconcache_service:s0
+cmlivelockscreen u:object_r:cm_livelockscreen_service:s0
+cmweather u:object_r:cm_weather_service:s0
+cmlivedisplay u:object_r:cm_livedisplay_service:s0
+cmaudio u:object_r:cm_audio_service:s0
diff --git a/sepolicy/system.te b/sepolicy/system.te
index 7b202eb..a9831b6 100644
--- a/sepolicy/system.te
+++ b/sepolicy/system.te
@@ -7,7 +7,7 @@ allow system_server dhcp_data_file:dir r_dir_perms;
allow system_server dhcp_data_file:file r_file_perms;
# Themes
-allow system_server theme_data_file:dir create_dir_perms;
-allow system_server theme_data_file:file create_file_perms;
+allow system_server themeservice_app_data_file:dir create_dir_perms;
+allow system_server themeservice_app_data_file:file create_file_perms;
allow system_server resourcecache_data_file:dir create_dir_perms;
allow system_server resourcecache_data_file:file create_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 6aaf50c..5ae809c 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -7,3 +7,9 @@ allow system_server persist_property_file:dir rw_dir_perms;
allow system_server persist_property_file:file { create_file_perms unlink };
allow system_server storage_stub_file:dir { getattr };
+
+allow system_server media_rw_data_file:dir r_dir_perms;
+
+# Allow system_server to relabel newly created theme directory for
+# use by the proxied theme service
+allow system_server themeservice_app_data_file:dir relabelto;
diff --git a/sepolicy/themeservice_app.te b/sepolicy/themeservice_app.te
new file mode 100644
index 0000000..aaa84ab
--- /dev/null
+++ b/sepolicy/themeservice_app.te
@@ -0,0 +1,19 @@
+# Add themeservice_app to appdomain
+type themeservice_app, domain;
+app_domain(themeservice_app)
+
+# Theme manager service
+allow themeservice_app activity_service:service_manager find;
+allow themeservice_app cm_status_bar_service:service_manager find;
+allow themeservice_app cm_themes_service:dir search;
+allow themeservice_app connectivity_service:service_manager find;
+allow themeservice_app display_service:service_manager find;
+allow themeservice_app mount_service:service_manager find;
+allow themeservice_app notification_service:service_manager find;
+allow themeservice_app system_app_data_file:dir search;
+allow themeservice_app user_service:service_manager find;
+allow themeservice_app wallpaper_service:service_manager find;
+
+# Allow full access to themeservice_app_data_file
+allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
+allow themeservice_app themeservice_app_data_file:file create_file_perms;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
index 978f9e1..2697595 100644
--- a/sepolicy/uncrypt.te
+++ b/sepolicy/uncrypt.te
@@ -2,3 +2,8 @@ r_dir_file(uncrypt, media_rw_data_file)
allow uncrypt recovery_cache_file:dir create_dir_perms;
allow uncrypt recovery_cache_file:file create_file_perms;
allow uncrypt recovery_cache_file:fifo_file rw_file_perms;
+
+allow uncrypt storage_file:dir r_dir_perms;
+allow uncrypt storage_stub_file:dir r_dir_perms;
+allow uncrypt fuse:dir r_dir_perms;
+allow uncrypt fuse:file r_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 0c50c71..d00fcec 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -14,6 +14,7 @@ allow vold self:capability { setgid setuid };
recovery_only(`
allow vold rootfs:dir { add_name write };
allow vold rootfs:file execute_no_trans;
+ allow vold vold_tmpfs:file link;
')
# External storage
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index a93d90e..951f414 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -1,5 +1,5 @@
-allow zygote theme_data_file:file r_file_perms;
-allow zygote theme_data_file:dir r_dir_perms;
+allow zygote themeservice_app_data_file:file r_file_perms;
+allow zygote themeservice_app_data_file:dir r_dir_perms;
# ps command may do this
allow untrusted_app zygote:process getsched;