summaryrefslogtreecommitdiffstats
path: root/sepolicy
Commit message (Collapse)AuthorAgeFilesLines
* cm: sepolicy: fix denials for external storagecodeworkx2016-01-014-0/+11
| | | | Change-Id: I784a859671c69370cab0118a88a5fb0190352af9
* sepolicy: label exfat and ntfs mkfs executablescodeworkx2015-12-291-1/+3
| | | | Change-Id: Ic5e32818bc54993f4e8c2377cbec64f9444f6d8a
* sepolicy: Set the context for fsck.exfat/ntfs to fsck_execdhacker292015-12-171-0/+4
| | | | | | | This matches the policy for fsck.f2fs, although it still needs to run as fsck_untrusted for public volumes Change-Id: Ia04e7f8902e53a9926a87f0c99e603611cc39c5d
* SELinux: Use custom ADB over network propertyEthan Chen2015-12-163-3/+1
| | | | | | | * Use a custom system property to trigger the real one, so we avoid running afoul of any SELinux CTS requirements. Change-Id: If5e7a275f492631a673284408f1e430a12358380
* sepolicy: Add permission for formatting user/cache partitionKeith Mok2015-12-161-0/+4
| | | | | | | If the "formattable" fstab flag is set, init will tries to format that partition, added the required policy to allow it. Change-Id: I858b06aa3ff3ce775cf7676b09b9960f2558f7f6
* sepolicy: Add domain for mkfs binariesKeith Mok2015-12-162-0/+12
| | | | | | | | | The init binary must transition to another domain when calling out to executables. Create the mkfs domain for mkfs.f2fs such that init can transition to it when formatting userdata/cache partitions if the "formattable" flag is set. Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
* sepolicy: Allow adb pull of executables without rootSteve Kondik2015-11-291-0/+14
| | | | | | * Because we aren't actually jerks, contrary to popular belief. Change-Id: Ie39cce65ecc6a2861547865ff554b108b8b534fa
* sepolicy: qcom: Allow reading PSU sysfs by system_serverDiogo Ferreira2015-11-271-0/+4
| | | | | | | | | BatteryService queries the usb state to check whether the usb type is HVDCP. This patch adds a rule to allow that. For more context check BatteryService#Led#isHvdcpPresent. Change-Id: Ifacf13dde4b1df81c92bf5d92196e504e61dd402
* sepolicy: Allow recovery to create links in the rootfsSteve Kondik2015-11-261-0/+1
| | | | | | * Needed to support vold and other new code. Change-Id: I25a0b1cc6461eced7112dd4b3974a71423f7957b
* sepolicy: Rule for CM's perfd extensionSteve Kondik2015-11-231-0/+2
| | | | | | | | | | Manual apply and refactor of cm-12.1 patch: e04329df88211264e7a9c8f1d6b87a16d8d5639b Use the unix_socket_connect macro and switch to the new perfd domain. Change-Id: Ibb83220b32bad7805653140751c978e629f87ffb
* sepolicy: fix denial for sudaemoncodeworkx2015-11-221-0/+1
| | | | | | fixes root access for apps Change-Id: Iff443bf4cbea817917da72bbfc58f9fe42acceb5
* sepolicy: add persist_block_device typeDan Pasanen2015-11-171-0/+1
| | | | | | | | * This is likely defined in several device trees, but not all remove it from your device trees if we're going to write rules for it here. Change-Id: I1dda04647d36db52525a3d57b485860dfe3eeb30
* sepolicy: Remove some denialsSteve Kondik2015-11-163-0/+10
| | | | | | | * Allow apps to run the "df" command to look at disk usage. * Allow thermal engine to check/set battery limits. Change-Id: I67c863a82a94007e7a5e8ccfde9c095b7277ab84
* sepolicy: Add policy for thermal engine changesSteve Kondik2015-11-141-0/+4
| | | | | | * Cyngn devices will need this. Change-Id: I1e7528e92d0d4ed8c4029667d7ef3cf9081a6575
* sepolicy: qcom: Remove duplicate entrymyfluxi2015-11-101-1/+0
| | | | | | We have this in qcom/sepolicy/common already. Change-Id: Ibe6ada531f77d3ec00ff61081d21b3d36a1fe7a7
* sepolicy: Make superuser_device and sudaemon mlstrustedobjectsmyfluxi2015-11-051-1/+3
| | | | | | | | | | | | | | | Address: avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0 tclass=sock_file permissive=0 avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0 tclass=unix_stream_socket permissive=0 And thus fix su. Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
* perf: Moving PerformanceManager to CMSDKSteve Kondik2015-11-032-0/+2
| | | | | | * Devices will need to update their configurations! Change-Id: I22cf4ec96656b98f515cf28fef95443cf6adb397
* cm: Remove duplicate SEPolicy itemsSteve Kondik2015-10-311-4/+0
| | | | | | | * These are handled by the master SEPolicy now due to neverallow exceptions which occur on non-production builds. Change-Id: Id50d9e41e1c8b0b1f26df7921def9e7a201f49d9
* sepolicy: remove sudaemon type declarationDan Pasanen2015-10-171-2/+0
| | | | | | * this is already defined in external/sepolicy Change-Id: I541b5de5bb6057f4fa3d88b6e9b9425b65f9963e
* vendor/cm: Fix up service contexts for sepolicy.Adnan Begovic2015-10-163-12/+20
| | | | Change-Id: Ibb04e967bd027c6d1118b8b471ec328c3b034d9d
* sepolicy: remove BOARD_SEPOLICY_UNIONDan Pasanen2015-10-071-33/+0
| | | | | | * this is a no-op now Change-Id: I3703a9670285017ce7aec9ac20c63a6f733b8ffa
* sepolicy: Underp the context for persistent storageRicardo Cerqueira2015-10-051-1/+1
| | | | | | | The dir's context need love, too TICKET: CYNGNOS-1185 Change-Id: I659b3ba06079825fe850cf66858a9d98b5f61c46
* sepolicy: allow vold to trim persistEd Falk2015-09-301-0/+1
| | | | | Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090 Issue-id: SYSTEMS-62
* sepolicy: Allow system app to set boot anim propertymyfluxi2015-09-211-0/+3
| | | | | | | | | | Addresses denials observerd when using QuickBoot: <4>[ 224.756971] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service <3>[ 224.757094] init: sys_prop: Unable to start service ctl [bootanim] uid:1000 gid:1000 pid:6039 <4>[ 226.306456] avc: denied { set } for property=ctl.bootanim scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_bootanim_prop:s0 tclass=property_service Change-Id: I338a0a1d5fa12c10e413769ea9638c10ed137000
* cm: Fix a few denialsSteve Kondik2015-09-193-0/+12
| | | | | | * Missed a few things when cleaning up devices. Change-Id: Ib71afd696a564aeeaa80c34ca9744a39891f4b63
* cm: sepolicy: Create central place for QC-specific policySteve Kondik2015-09-154-0/+17
| | | | | | | | | * We have a number of policy items due to changes in our BSPs or for other things which interact with the QC sepolicy. Add a place for us to store this stuff so we don't need to copy it around to every device. Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
* cm: sepolicy: Create standard policy for LiveDisplaySteve Kondik2015-09-154-0/+12
| | | | Change-Id: Icb0047f261861c8fae99ffa4e9053de8d3aa8c73
* Enable The AppSuggestServiceherriojr2015-09-141-0/+1
| | | | | | | We need to enable our custom AppSuggestService in order to show possible suggestions. Change-Id: I9489723dfec315c7ff4ab414ebe88c3880876bd3
* vendor/cm: cmsettings -> cmpartnerinterfaceAdnan Begovic2015-09-091-1/+1
| | | | Change-Id: I9d9b30da37f243f77647c6d41cf0e0159968b8e2
* cm: SELinux policy for persistent properties APISteve Kondik2015-09-093-0/+10
| | | | | | * Set up persistent properties for devices with a /persist partition. Change-Id: I78974dd4e25831338462c91fc25e36e343795510
* cm: Moving CMHW to CMSDKSteve Kondik2015-08-191-0/+1
| | | | Change-Id: I4dae95dbe68c472ba3703fea588b542758ec8036
* cmsdk: Dual SIM support on CM SDKJoao Figueiredo2015-08-071-1/+2
| | | | Change-Id: I209245e1a3165f329ed8a17a942340d96783ca13
* Add SettingsManagerService from cmsdk as a system service.Matt Garnes2015-08-061-0/+1
| | | | Change-Id: I0909a5fd49e8e042293719de93ebc8fbaaa1a196
* sepolicy: Allow recovery to set system propertiesSteve Kondik2015-08-051-0/+2
| | | | | | * This is used by extremely critical things. Change-Id: Ie529851469408adac1e081fe4f6dc5daa9002933
* sepolicy: system_app: Remove performace setting related entriesBrandon McAnsh2015-07-141-4/+0
| | | | | | | * Performance Settings has been removed/refactored so these are no longer neccessary. Change-Id: I5933700815d0037735fc48f8640b37d1f350ea91 Signed-off-by: Brandon McAnsh <brandon.mcansh@gmail.com>
* vendor/cm: overlay start for ProfileService in external framework.Adnan Begovic2015-06-291-0/+1
| | | | Change-Id: Ib1f8c6d00c2a66cfd8dac2b73ccd1bd053a3a497
* Build CM Platform LibraryAdnan Begovic2015-05-121-0/+1
| | | | | | | | | | | | | | | | Change-Id: If62e6b1d2ac41730ff2a8d562173abd2cb768f93 Add cmstatusbar service to system server services context Change-Id: I77c5de75722cc5f36a5326e3da57ab661b89d189 Build Platform resource package. Change-Id: Id60f66b6db23989db1472a19bcb079b0083f7393 vendor/cm: Lock cm platform library/cmsdk to non-release builds. Change-Id: I01c1c3fe559d438e28339ce426d7ba7e42724002
* vendor: add sepolicy entry for killswitch serviceRoman Birg2015-04-201-0/+1
| | | | | | Change-Id: Ib3c44c50138f5715d92addbf8df7ed591785b550 Signed-off-by: Roman Birg <roman@cyngn.com> (cherry picked from commit 2ca5d3999b35d328f0969a264009bffe0faf889d)
* sepolicy: Permissions for userinitEmerson Pinter2015-03-173-0/+12
| | | | Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
* sepolicy: recovery: Allow data file writeTom Marshall2015-03-101-1/+1
| | | | | | Needed to preserve /data/.layout_version (aka nesting bug fix). Change-Id: Iaae982223e80ad10479cf1ca3db09da7ada5663e
* [3/3] CmHardwareService: add sepolicyScott Mertz2015-03-071-0/+1
| | | | Change-Id: I551f61f40225a679593e94dbd47bb2fb0025da7e
* sepolicy: Allow CMUpdater/uncrypt access to recovery_cache_filedhacker292015-02-213-0/+10
| | | | Change-Id: I514d128160ed4e04564077d7a2e2ad297af92e28
* sepolicy: Allow vold to create tmpfs files for asec containersChristopher R. Palmer2015-02-191-0/+1
| | | | Change-Id: Ic8f1641928840774204099453b74dc1b52b3c6f8
* sepolicy: Allow system apps to write cache and media filesBrint E. Kriebel2015-02-171-2/+4
| | | | | | Updaters need to be able to read and write to these locations. Change-Id: I928a5f73ec29ab4fecb717072532d449192f3ca9
* sepolicy: Fix denails for flash_recovery servicedhacker292015-02-152-0/+3
| | | | | | Needed when option is checked to update cm recovery Change-Id: I0b2fbfd7c141ae03ce14b9afeffd3a027d791c80
* sepolicy: Split off /cache/recovery's permissionsRicardo Cerqueira2015-02-114-0/+13
| | | | | | | /cache/recovery is used by 2 domains: recovery and updater apps. Separate its perms from the rest of /cache and grant them to those 2 clients Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
* sepolicy: allow userinit to set its propertyGeorg Veichtlbauer2015-02-095-0/+8
| | | | Change-Id: I9d8270d889566d169077a1b1fdaee43059d11ee1
* sepolicy: actually include mediaserver.teAdam Farden2015-02-041-0/+1
| | | | | | Added in patch e9c2de0679f16a8ba7291aaf2cd4286bef8b2886 but not included Change-Id: I2ae901a7c80fceb33dba2ed4122d2aa47bff5a51
* cm: add torch service sepolicy entryRoman Birg2015-02-021-0/+1
| | | | | Change-Id: I6e6feae5fe6b4092c137ee2337c4a15b390df45e Signed-off-by: Roman Birg <roman@cyngn.com>
* sepolicy: Let drmserver scan themesSteve Kondik2015-01-252-0/+2
| | | | Change-Id: I7675b302723ef8700067ae9ef237daf6346a6627