Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0

22 files changed, 97 insertions, 16 deletions

diff --git a/sepolicy/app.te b/sepolicy/app.te
index e590efe..6405e20 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -4,5 +4,5 @@ allow appdomain sdcard_posix:dir r_dir_perms;
 allow appdomain sdcard_posix:file rw_file_perms;
 
 # Themed resources (i.e. composed icons)
-allow appdomain theme_data_file:dir r_dir_perms;
-allow appdomain theme_data_file:file r_file_perms;
+allow appdomain themeservice_app_data_file:dir r_dir_perms;
+allow appdomain themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index 8739a87..91273bd 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -1,5 +1,5 @@
 # Themed resources (bootanimation)
-allow bootanim theme_data_file:dir search;
-allow bootanim theme_data_file:file r_file_perms;
+allow bootanim themeservice_app_data_file:dir search;
+allow bootanim themeservice_app_data_file:file r_file_perms;
 allow bootanim self:process execmem;
-allow bootanim ashmem_device:chr_file execute;
\ No newline at end of file
+allow bootanim ashmem_device:chr_file execute;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
index 63f654f..508791f 100644
--- a/sepolicy/drmserver.te
+++ b/sepolicy/drmserver.te
@@ -1 +1 @@
-allow drmserver theme_data_file:file r_file_perms;
+allow drmserver themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 1a00339..05e3c5d 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -4,7 +4,7 @@ allow file_type rootfs:filesystem associate;
 type auditd_log, file_type, data_file_type;
 
 # Themes
-type theme_data_file, file_type, data_file_type;
+type themeservice_app_data_file, file_type, data_file_type;
 
 # Performance settings
 type sysfs_devices_system_iosched, file_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7024d1e..bcc9217 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -7,7 +7,7 @@
 /data/misc/audit(/.*)?    u:object_r:auditd_log:s0
 
 # Themes
-/data/system/theme(/.*)?  u:object_r:theme_data_file:s0
+/data/system/theme(/.*)?  u:object_r:themeservice_app_data_file:s0
 
 /system/bin/sysinit       u:object_r:sysinit_exec:s0
 
@@ -24,8 +24,8 @@
 
 #############################
 # performance-related sysfs files (CM)
-/sys/devices/system/cpu.*/cpufreq(/.*)? --  u:object_r:sysfs_devices_system_cpu:s0
-/sys/block/mmcblk.*/queue/scheduler  --    u:object_r:sysfs_devices_system_iosched:s0
+/sys/devices/system/cpu.*/cpufreq(/.*)?   u:object_r:sysfs_devices_system_cpu:s0
+/sys/block/mmcblk.*/queue/scheduler       u:object_r:sysfs_devices_system_iosched:s0
 
 /data/hostapd(/.*)?         u:object_r:wifi_data_file:s0
 
@@ -47,7 +47,11 @@
 /sys/devices/virtual/graphics/fb0/cabc          u:object_r:livedisplay_sysfs:s0
 /sys/devices/virtual/graphics/fb0/rgb           u:object_r:livedisplay_sysfs:s0
 /sys/devices/virtual/graphics/fb0/sre           u:object_r:livedisplay_sysfs:s0
+/sys/devices/virtual/graphics/fb0/color_enhance u:object_r:livedisplay_sysfs:s0
 
 # fsck
 /system/bin/fsck\.ntfs                          u:object_r:fsck_exec:s0
 /system/bin/fsck\.exfat                         u:object_r:fsck_exec:s0
+
+# bash
+/system/xbin/bash                               u:object_r:shell_exec:s0
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 65f471a..c240599 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,3 +1,8 @@
 # Allow querying of asec size on SD card
 allow installd sdcard_external:dir { search };
 allow installd sdcard_external:file { getattr };
+
+# Required for installd to create theme service's /data/data directory
+allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..2984b77
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,3 @@
+# used by sdcardfs to read package list
+allow kernel system_data_file:file open;
+allow kernel media_rw_data_file:file rw_file_perms;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index ea26cdf..c380ce9 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,3 +1,6 @@
 # Themed resources (i.e. composed icons)
-allow mediaserver theme_data_file:dir r_dir_perms;
-allow mediaserver theme_data_file:file r_file_perms;
+allow mediaserver themeservice_app_data_file:dir r_dir_perms;
+allow mediaserver themeservice_app_data_file:file r_file_perms;
+
+# For camera
+allow mediaserver media_rw_data_file:file write;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index bbd4dd4..3e0eb57 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -5,3 +5,10 @@ allow platform_app sdcard_posix:file create_file_perms;
 
 # Allow Gallery3D to crop user images
 allow platform_app system_app_data_file:file rw_file_perms;
+
+# Allow Gallery3D to execute render scripts
+allow platform_app app_data_file:file execute;
+
+# Allow batterymanager and batteryproperties services to be found
+allow platform_app battery_service:service_manager find;
+allow platform_app healthd_service:service_manager find;
diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te
new file mode 100644
index 0000000..d2844a6
--- /dev/null
+++ b/sepolicy/qcom/dumpstate.te
@@ -0,0 +1,13 @@
+# For prefetcher to read themes
+allow dumpstate dalvikcache_data_file:dir r_dir_perms;
+allow dumpstate dalvikcache_data_file:file r_file_perms;
+allow dumpstate resourcecache_data_file:dir r_dir_perms;
+allow dumpstate resourcecache_data_file:file r_file_perms;
+allow dumpstate fuse:dir r_dir_perms;
+allow dumpstate fuse:file r_file_perms;
+allow dumpstate themeservice_app_data_file:dir r_dir_perms;
+allow dumpstate themeservice_app_data_file:file r_file_perms;
+allow dumpstate media_rw_data_file:dir search;
+allow dumpstate sdcardfs:file getattr;
+allow dumpstate sdcardfs:dir search;
+
diff --git a/sepolicy/qcom/livedisplay.te b/sepolicy/qcom/livedisplay.te
new file mode 100644
index 0000000..394caa3
--- /dev/null
+++ b/sepolicy/qcom/livedisplay.te
@@ -0,0 +1,3 @@
+# Storage of default mode by native API
+allow system_server display_misc_file:dir rw_dir_perms;
+allow system_server display_misc_file:file create_file_perms;
diff --git a/sepolicy/qcom/property_contexts b/sepolicy/qcom/property_contexts
new file mode 100644
index 0000000..9bf4898
--- /dev/null
+++ b/sepolicy/qcom/property_contexts
@@ -0,0 +1,2 @@
+persist.dbg                   u:object_r:radio_prop:s0
+persist.data                  u:object_r:radio_prop:s0
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index da6ddac..c5f58c6 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -19,6 +19,7 @@ allow recovery rootfs:file link;
 allow recovery rootfs:dir { write create rmdir add_name remove_name };
 
 # Read storage files and directories
+allow recovery tmpfs:dir mounton;
 allow recovery media_rw_data_file:dir r_dir_perms;
 allow recovery media_rw_data_file:file r_file_perms;
 allow recovery vfat:dir r_dir_perms;
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 06c96d4..11c8f00 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,3 +1,4 @@
 user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
 user=theme_man domain=system_app type=system_data_file
 user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
+user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
\ No newline at end of file
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 1a6559f..c7ad50f 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -11,3 +11,7 @@ type cm_app_suggest_service, system_api_service, system_server_service, service_
 type cm_performance_service, system_api_service, system_server_service, service_manager_type;
 type cm_themes_service, system_api_service, system_server_service, service_manager_type;
 type cm_iconcache_service, system_api_service, system_server_service, service_manager_type;
+type cm_livelockscreen_service, system_api_service, system_server_service, service_manager_type;
+type cm_weather_service, system_api_service, system_server_service, service_manager_type;
+type cm_livedisplay_service, system_api_service, system_server_service, service_manager_type;
+type cm_audio_service, system_api_service, system_server_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 04efc6f..90f21c9 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -11,3 +11,7 @@ cmappsuggest                              u:object_r:cm_app_suggest_service:s0
 cmperformance                             u:object_r:cm_performance_service:s0
 cmthemes                                  u:object_r:cm_themes_service:s0
 cmiconcache                               u:object_r:cm_iconcache_service:s0
+cmlivelockscreen                          u:object_r:cm_livelockscreen_service:s0
+cmweather                                 u:object_r:cm_weather_service:s0
+cmlivedisplay                             u:object_r:cm_livedisplay_service:s0               
+cmaudio                                   u:object_r:cm_audio_service:s0
diff --git a/sepolicy/system.te b/sepolicy/system.te
index 7b202eb..a9831b6 100644
--- a/sepolicy/system.te
+++ b/sepolicy/system.te
@@ -7,7 +7,7 @@ allow system_server dhcp_data_file:dir r_dir_perms;
 allow system_server dhcp_data_file:file r_file_perms;
 
 # Themes
-allow system_server theme_data_file:dir create_dir_perms;
-allow system_server theme_data_file:file create_file_perms;
+allow system_server themeservice_app_data_file:dir create_dir_perms;
+allow system_server themeservice_app_data_file:file create_file_perms;
 allow system_server resourcecache_data_file:dir create_dir_perms;
 allow system_server resourcecache_data_file:file create_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 6aaf50c..5ae809c 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -7,3 +7,9 @@ allow system_server persist_property_file:dir rw_dir_perms;
 allow system_server persist_property_file:file { create_file_perms unlink };
 
 allow system_server storage_stub_file:dir { getattr };
+
+allow system_server media_rw_data_file:dir r_dir_perms;
+
+# Allow system_server to relabel newly created theme directory for
+# use by the proxied theme service
+allow system_server themeservice_app_data_file:dir relabelto;
diff --git a/sepolicy/themeservice_app.te b/sepolicy/themeservice_app.te
new file mode 100644
index 0000000..aaa84ab
--- /dev/null
+++ b/sepolicy/themeservice_app.te
@@ -0,0 +1,19 @@
+# Add themeservice_app to appdomain
+type themeservice_app, domain;
+app_domain(themeservice_app)
+
+# Theme manager service
+allow themeservice_app activity_service:service_manager find;
+allow themeservice_app cm_status_bar_service:service_manager find;
+allow themeservice_app cm_themes_service:dir search;
+allow themeservice_app connectivity_service:service_manager find;
+allow themeservice_app display_service:service_manager find;
+allow themeservice_app mount_service:service_manager find;
+allow themeservice_app notification_service:service_manager find;
+allow themeservice_app system_app_data_file:dir search;
+allow themeservice_app user_service:service_manager find;
+allow themeservice_app wallpaper_service:service_manager find;
+
+# Allow full access to themeservice_app_data_file
+allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
+allow themeservice_app themeservice_app_data_file:file create_file_perms;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
index 978f9e1..2697595 100644
--- a/sepolicy/uncrypt.te
+++ b/sepolicy/uncrypt.te
@@ -2,3 +2,8 @@ r_dir_file(uncrypt, media_rw_data_file)
 allow uncrypt recovery_cache_file:dir create_dir_perms;
 allow uncrypt recovery_cache_file:file create_file_perms;
 allow uncrypt recovery_cache_file:fifo_file rw_file_perms;
+
+allow uncrypt storage_file:dir r_dir_perms;
+allow uncrypt storage_stub_file:dir r_dir_perms;
+allow uncrypt fuse:dir r_dir_perms;
+allow uncrypt fuse:file r_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 0c50c71..d00fcec 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -14,6 +14,7 @@ allow vold self:capability { setgid setuid };
 recovery_only(`
   allow vold rootfs:dir { add_name write };
   allow vold rootfs:file execute_no_trans;
+  allow vold vold_tmpfs:file link;
 ')
 
 # External storage
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index a93d90e..951f414 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -1,5 +1,5 @@
-allow zygote theme_data_file:file r_file_perms;
-allow zygote theme_data_file:dir r_dir_perms;
+allow zygote themeservice_app_data_file:file r_file_perms;
+allow zygote themeservice_app_data_file:dir r_dir_perms;
 
 # ps command may do this
 allow untrusted_app zygote:process getsched;