author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-12-12 13:09:51 +0100 |
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-12-12 13:09:51 +0100 |
commit | 1bbac0dbd1b4a7e64ecd42443a4e6e9b13af1fb9 (patch) | |
tree | 07790f46da5b1716448b576ce2b6d81e7a0ddca4 /sepolicy | |
parent | 076588cc654f9dbbc6e65a291dd85e8e8c096d1e (diff) | |
parent | dee68b3f6e1d78bb8dca56ef3ce64045edce4bfd (diff) | |
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/app.te | 4 | ||||
-rw-r--r-- | sepolicy/bootanim.te | 6 | ||||
-rw-r--r-- | sepolicy/drmserver.te | 2 | ||||
-rw-r--r-- | sepolicy/file.te | 2 | ||||
-rw-r--r-- | sepolicy/file_contexts | 10 | ||||
-rw-r--r-- | sepolicy/installd.te | 5 | ||||
-rw-r--r-- | sepolicy/kernel.te | 3 | ||||
-rw-r--r-- | sepolicy/mediaserver.te | 7 | ||||
-rw-r--r-- | sepolicy/platform_app.te | 7 | ||||
-rw-r--r-- | sepolicy/qcom/dumpstate.te | 13 | ||||
-rw-r--r-- | sepolicy/qcom/livedisplay.te | 3 | ||||
-rw-r--r-- | sepolicy/qcom/property_contexts | 2 | ||||
-rw-r--r-- | sepolicy/recovery.te | 1 | ||||
-rw-r--r-- | sepolicy/seapp_contexts | 1 | ||||
-rw-r--r-- | sepolicy/service.te | 4 | ||||
-rw-r--r-- | sepolicy/service_contexts | 4 | ||||
-rw-r--r-- | sepolicy/system.te | 4 | ||||
-rw-r--r-- | sepolicy/system_server.te | 6 | ||||
-rw-r--r-- | sepolicy/themeservice_app.te | 19 | ||||
-rw-r--r-- | sepolicy/uncrypt.te | 5 | ||||
-rw-r--r-- | sepolicy/vold.te | 1 | ||||
-rw-r--r-- | sepolicy/zygote.te | 4 |
22 files changed, 97 insertions, 16 deletions
diff --git a/sepolicy/app.te b/sepolicy/app.te
index e590efe..6405e20 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -4,5 +4,5 @@
 allow appdomain sdcard_posix:dir r_dir_perms;
 allow appdomain sdcard_posix:file rw_file_perms;
 # Themed resources (i.e. composed icons)
-allow appdomain theme_data_file:dir r_dir_perms;
-allow appdomain theme_data_file:file r_file_perms;
+allow appdomain themeservice_app_data_file:dir r_dir_perms;
+allow appdomain themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index 8739a87..91273bd 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -1,5 +1,5 @@
 # Themed resources (bootanimation)
-allow bootanim theme_data_file:dir search;
-allow bootanim theme_data_file:file r_file_perms;
+allow bootanim themeservice_app_data_file:dir search;
+allow bootanim themeservice_app_data_file:file r_file_perms;
 allow bootanim self:process execmem;
-allow bootanim ashmem_device:chr_file execute;
\ No newline at end of file
+allow bootanim ashmem_device:chr_file execute;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
index 63f654f..508791f 100644
--- a/sepolicy/drmserver.te
+++ b/sepolicy/drmserver.te
@@ -1 +1 @@
-allow drmserver theme_data_file:file r_file_perms;
+allow drmserver themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 1a00339..05e3c5d 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -4,7 +4,7 @@
 allow file_type rootfs:filesystem associate;
 type auditd_log, file_type, data_file_type;
 # Themes
-type theme_data_file, file_type, data_file_type;
+type themeservice_app_data_file, file_type, data_file_type;
 # Performance settings
 type sysfs_devices_system_iosched, file_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7024d1e..bcc9217 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -7,7 +7,7 @@
 /data/misc/audit(/.*)? u:object_r:auditd_log:s0
 # Themes
-/data/system/theme(/.*)? u:object_r:theme_data_file:s0
+/data/system/theme(/.*)? u:object_r:themeservice_app_data_file:s0
 /system/bin/sysinit u:object_r:sysinit_exec:s0
@@ -24,8 +24,8 @@
 #############################
 # performance-related sysfs files (CM)
-/sys/devices/system/cpu.*/cpufreq(/.*)? -- u:object_r:sysfs_devices_system_cpu:s0
-/sys/block/mmcblk.*/queue/scheduler -- u:object_r:sysfs_devices_system_iosched:s0
+/sys/devices/system/cpu.*/cpufreq(/.*)? u:object_r:sysfs_devices_system_cpu:s0
+/sys/block/mmcblk.*/queue/scheduler u:object_r:sysfs_devices_system_iosched:s0
 /data/hostapd(/.*)? u:object_r:wifi_data_file:s0
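Review bot: Dropping the `--` qualifier on the two sysfs entries in the `@@ -24,8 +24,8 @@` hunk widens the match from regular files to every object class, including the directories that `cpufreq(/.*)?` covers; that is presumably the intent (the directory tree itself should carry `sysfs_devices_system_cpu`), but neither the hunk nor the commit message says so. A one-line comment above the entries, `# no class qualifier: the cpufreq directory tree, not just its files, must carry this label`, would stop the next reader from reinstating `--`. For `/sys/block/mmcblk.*/queue/scheduler`, which names a single file, keeping the `--` qualifier would have been the tighter choice.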
@@ -47,7 +47,11 @@
 /sys/devices/virtual/graphics/fb0/cabc u:object_r:livedisplay_sysfs:s0
 /sys/devices/virtual/graphics/fb0/rgb u:object_r:livedisplay_sysfs:s0
 /sys/devices/virtual/graphics/fb0/sre u:object_r:livedisplay_sysfs:s0
+/sys/devices/virtual/graphics/fb0/color_enhance u:object_r:livedisplay_sysfs:s0
 # fsck
 /system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
 /system/bin/fsck\.exfat u:object_r:fsck_exec:s0
+
+# bash
+/system/xbin/bash u:object_r:shell_exec:s0
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 65f471a..c240599 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,3 +1,8 @@
 # Allow querying of asec size on SD card
 allow installd sdcard_external:dir { search };
 allow installd sdcard_external:file { getattr };
+
+# Required for installd to create theme service's /data/data directory
+allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..2984b77
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,3 @@
+# used by sdcardfs to read package list
+allow kernel system_data_file:file open;
+allow kernel media_rw_data_file:file rw_file_perms;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index ea26cdf..c380ce9 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,3 +1,6 @@
 # Themed resources (i.e. composed icons)
-allow mediaserver theme_data_file:dir r_dir_perms;
-allow mediaserver theme_data_file:file r_file_perms;
+allow mediaserver themeservice_app_data_file:dir r_dir_perms;
+allow mediaserver themeservice_app_data_file:file r_file_perms;
+
+# For camera
+allow mediaserver media_rw_data_file:file write;
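Review bot: `/system/xbin/bash u:object_r:shell_exec:s0` gives bash the same entrypoint label as the stock shell, so every domain transition into `shell` and every `shell_exec:file rx_file_perms` grant in the policy now covers bash as well; that is presumably the intent (bash as a drop-in for sh), but the added comment `# bash` does not say so. Consider `# bash: labelled shell_exec so it is an entrypoint for the shell domain like /system/bin/sh` so the equivalence reads as deliberate rather than incidental. If a narrower scope was wanted, a dedicated exec type with its own transition rules would be the alternative.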
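Review bot: In the new kernel.te the comment `# used by sdcardfs to read package list` only explains `allow kernel system_data_file:file open;`; the second rule, `allow kernel media_rw_data_file:file rw_file_perms;`, gives the kernel domain read and write on the external-storage backing type and deserves its own justification. Suggest a separate comment such as `# sdcardfs reads and writes /data/media files on behalf of apps` (confirm against the sdcardfs in use before committing the wording). `open` without `read` on system_data_file presumably relies on a read permission granted elsewhere in the base policy; a short note saying so would save the next reader the search.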
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index bbd4dd4..3e0eb57 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -5,3 +5,10 @@
 allow platform_app sdcard_posix:file create_file_perms;
 # Allow Gallery3D to crop user images
 allow platform_app system_app_data_file:file rw_file_perms;
+
+# Allow Gallery3D to execute render scripts
+allow platform_app app_data_file:file execute;
+
+# Allow batterymanager and batteryproperties services to be found
+allow platform_app battery_service:service_manager find;
+allow platform_app healthd_service:service_manager find;
diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te
new file mode 100644
index 0000000..d2844a6
--- /dev/null
+++ b/sepolicy/qcom/dumpstate.te
@@ -0,0 +1,13 @@
+# For prefetcher to read themes
+allow dumpstate dalvikcache_data_file:dir r_dir_perms;
+allow dumpstate dalvikcache_data_file:file r_file_perms;
+allow dumpstate resourcecache_data_file:dir r_dir_perms;
+allow dumpstate resourcecache_data_file:file r_file_perms;
+allow dumpstate fuse:dir r_dir_perms;
+allow dumpstate fuse:file r_file_perms;
+allow dumpstate themeservice_app_data_file:dir r_dir_perms;
+allow dumpstate themeservice_app_data_file:file r_file_perms;
+allow dumpstate media_rw_data_file:dir search;
+allow dumpstate sdcardfs:file getattr;
+allow dumpstate sdcardfs:dir search;
+
diff --git a/sepolicy/qcom/livedisplay.te b/sepolicy/qcom/livedisplay.te
new file mode 100644
index 0000000..394caa3
--- /dev/null
+++ b/sepolicy/qcom/livedisplay.te
@@ -0,0 +1,3 @@
+# Storage of default mode by native API
+allow system_server display_misc_file:dir rw_dir_perms;
+allow system_server display_misc_file:file create_file_perms;
diff --git a/sepolicy/qcom/property_contexts b/sepolicy/qcom/property_contexts
new file mode 100644
index 0000000..9bf4898
--- /dev/null
+++ b/sepolicy/qcom/property_contexts
@@ -0,0 +1,2 @@
+persist.dbg u:object_r:radio_prop:s0
+persist.data u:object_r:radio_prop:s0
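Review bot: `allow platform_app app_data_file:file execute;` is granted to the whole `platform_app` domain, not just Gallery3D, and `app_data_file` is the writable data type of every app in that domain, so any platform-signed app can now execute code from its own writable storage while the comment names a single app. If RenderScript is the only need, say so and make the scope explicit, e.g. `# RenderScript compiles kernels into app data and executes them; this applies to every platform_app`. If the grant can be confined to a narrower domain later, the comment is the place to record that intent.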
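Review bot: In the new qcom/dumpstate.te the header `# For prefetcher to read themes` does not match what the rules grant: every line is for the `dumpstate` domain, and most of the types (`fuse`, `sdcardfs`, `media_rw_data_file`, `dalvikcache_data_file`, `resourcecache_data_file`) are user external storage and caches rather than theme files, which the comment leaves unexplained. If the qcom prefetcher really runs in the dumpstate domain, state that, e.g. `# qcom prefetcher runs as dumpstate; it scans themes, the dalvik/resource caches and external storage`; otherwise these reads widen the bug-report domain over user data for no stated reason. The file also ends with a trailing blank added line that can be dropped.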
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index da6ddac..c5f58c6 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -19,6 +19,7 @@
 allow recovery rootfs:file link;
 allow recovery rootfs:dir { write create rmdir add_name remove_name };
 # Read storage files and directories
+allow recovery tmpfs:dir mounton;
 allow recovery media_rw_data_file:dir r_dir_perms;
 allow recovery media_rw_data_file:file r_file_perms;
 allow recovery vfat:dir r_dir_perms;
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 06c96d4..11c8f00 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,3 +1,4 @@
 user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
 user=theme_man domain=system_app type=system_data_file
 user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
+user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
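Review bot: The new seapp_contexts entry `user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file` only matches when the app's signing certificate is mapped to `seinfo=themeservice` in mac_permissions.xml, and no mac_permissions change is part of this diff (the diffstat lists 22 sepolicy files without it). If that mapping already exists elsewhere this is fine; if not, the theme service silently falls through to the default `_app` rule and the `themeservice_app` domain introduced in this commit is never entered. Worth confirming, and worth a comment on the line naming where the seinfo is declared. The file also still ends without a trailing newline after the added line.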
\ No newline at end of file
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 1a6559f..c7ad50f 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -11,3 +11,7 @@ type cm_app_suggest_service, system_api_service, system_server_service, service_
 type cm_performance_service, system_api_service, system_server_service, service_manager_type;
 type cm_themes_service, system_api_service, system_server_service, service_manager_type;
 type cm_iconcache_service, system_api_service, system_server_service, service_manager_type;
+type cm_livelockscreen_service, system_api_service, system_server_service, service_manager_type;
+type cm_weather_service, system_api_service, system_server_service, service_manager_type;
+type cm_livedisplay_service, system_api_service, system_server_service, service_manager_type;
+type cm_audio_service, system_api_service, system_server_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 04efc6f..90f21c9 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -11,3 +11,7 @@ cmappsuggest u:object_r:cm_app_suggest_service:s0
 cmperformance u:object_r:cm_performance_service:s0
 cmthemes u:object_r:cm_themes_service:s0
 cmiconcache u:object_r:cm_iconcache_service:s0
+cmlivelockscreen u:object_r:cm_livelockscreen_service:s0
+cmweather u:object_r:cm_weather_service:s0
+cmlivedisplay u:object_r:cm_livedisplay_service:s0
+cmaudio u:object_r:cm_audio_service:s0
diff --git a/sepolicy/system.te b/sepolicy/system.te
index 7b202eb..a9831b6 100644
--- a/sepolicy/system.te
+++ b/sepolicy/system.te
@@ -7,7 +7,7 @@
 allow system_server dhcp_data_file:dir r_dir_perms;
 allow system_server dhcp_data_file:file r_file_perms;
 # Themes
-allow system_server theme_data_file:dir create_dir_perms;
-allow system_server theme_data_file:file create_file_perms;
+allow system_server themeservice_app_data_file:dir create_dir_perms;
+allow system_server themeservice_app_data_file:file create_file_perms;
 allow system_server resourcecache_data_file:dir create_dir_perms;
 allow system_server resourcecache_data_file:file create_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 6aaf50c..5ae809c 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -7,3 +7,9 @@
 allow system_server persist_property_file:dir rw_dir_perms;
 allow system_server persist_property_file:file { create_file_perms unlink };
 allow system_server storage_stub_file:dir { getattr };
+
+allow system_server media_rw_data_file:dir r_dir_perms;
+
+# Allow system_server to relabel newly created theme directory for
+# use by the proxied theme service
+allow system_server themeservice_app_data_file:dir relabelto;
diff --git a/sepolicy/themeservice_app.te b/sepolicy/themeservice_app.te
new file mode 100644
index 0000000..aaa84ab
--- /dev/null
+++ b/sepolicy/themeservice_app.te
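Review bot: In the system_server.te hunk, `allow system_server media_rw_data_file:dir r_dir_perms;` is added without any comment, while the themeservice relabel rule right below it gets two lines of justification; a reader cannot tell which feature needs system_server to list external-storage directories. Add a why-comment in the same style, e.g. `# <feature>: system_server needs to list directories under /data/media` with the feature filled in, so the grant can be revisited when that feature changes.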
@@ -0,0 +1,19 @@
+# Add themeservice_app to appdomain
+type themeservice_app, domain;
+app_domain(themeservice_app)
+
+# Theme manager service
+allow themeservice_app activity_service:service_manager find;
+allow themeservice_app cm_status_bar_service:service_manager find;
+allow themeservice_app cm_themes_service:dir search;
+allow themeservice_app connectivity_service:service_manager find;
+allow themeservice_app display_service:service_manager find;
+allow themeservice_app mount_service:service_manager find;
+allow themeservice_app notification_service:service_manager find;
+allow themeservice_app system_app_data_file:dir search;
+allow themeservice_app user_service:service_manager find;
+allow themeservice_app wallpaper_service:service_manager find;
+
+# Allow full access to themeservice_app_data_file
+allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
+allow themeservice_app themeservice_app_data_file:file create_file_perms;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
index 978f9e1..2697595 100644
--- a/sepolicy/uncrypt.te
+++ b/sepolicy/uncrypt.te
@@ -2,3 +2,8 @@ r_dir_file(uncrypt, media_rw_data_file)
 allow uncrypt recovery_cache_file:dir create_dir_perms;
 allow uncrypt recovery_cache_file:file create_file_perms;
 allow uncrypt recovery_cache_file:fifo_file rw_file_perms;
+
+allow uncrypt storage_file:dir r_dir_perms;
+allow uncrypt storage_stub_file:dir r_dir_perms;
+allow uncrypt fuse:dir r_dir_perms;
+allow uncrypt fuse:file r_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 0c50c71..d00fcec 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -14,6 +14,7 @@ allow vold self:capability { setgid setuid };
 recovery_only(`
 allow vold rootfs:dir { add_name write };
 allow vold rootfs:file execute_no_trans;
+ allow vold vold_tmpfs:file link;
 ')
 # External storage
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index a93d90e..951f414 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
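Review bot: `allow themeservice_app cm_themes_service:dir search;` in the new themeservice_app.te looks like a typo: `cm_themes_service` is declared in service.te (visible in this diff) as a `service_manager_type`, not a file type, so a `:dir search` rule on it compiles but has no effect unless something is labelled with that type as a directory, which nothing in file_contexts does; every neighbouring line uses `:service_manager find`. The intended line is almost certainly `allow themeservice_app cm_themes_service:service_manager find;`, and without it the theme service's lookup of its own binder service would be denied. The `# Allow full access to themeservice_app_data_file` comment is accurate for the domain's own data type, but it is worth adding that `installd`, `system_server`, `dumpstate` and `appdomain` are also granted access to that type in this diff, so the directory is shared rather than private.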
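Review bot: The four new `uncrypt` rules on `storage_file`, `storage_stub_file` and `fuse` carry no comment, unlike the recovery_cache rules above them, and together they let the OTA preparation tool read the whole external-storage tree. Add the reason in the file's comment style, e.g. `# Read OTA packages placed on external storage (mounted via fuse)`, after confirming that is the actual use. The enclosing policy file continues outside the hunk, so a broader comment may already exist above line 2.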
@@ -1,5 +1,5 @@
-allow zygote theme_data_file:file r_file_perms;
-allow zygote theme_data_file:dir r_dir_perms;
+allow zygote themeservice_app_data_file:file r_file_perms;
+allow zygote themeservice_app_data_file:dir r_dir_perms;
 # ps command may do this
 allow untrusted_app zygote:process getsched; |