path: root/sepolicy
Commit message | Author | Age | Files | Lines
* sepolicy: set fsck_untrusted to permissive in recovery | Wolfgang Wiedmeyer | 2017-06-16 | 1 | -0/+3
      Breaks installation from SD card in some cases otherwise.
      Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* readd mac_permissions.xml from LineageOS | Wolfgang Wiedmeyer | 2017-05-02 | 1 | -0/+31
      Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Merge branch 'cm-13.0' of https://github.com/LineageOS/android_vendor_cm into replicant-6.0 | Wolfgang Wiedmeyer | 2017-05-02 | 1 | -2/+2
| * sepolicy: com.cyanogenmod.updater -> org.lineageos.updater | Sean McCreary | 2017-03-26 | 2 | -3/+3
      Update seapp_contexts and mac_permissions.xml for the new LineageOS updater
      Change-Id: I171b35ad5578202724efc3f823f7e7a461e5e5cd
* | Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0 | Wolfgang Wiedmeyer | 2016-12-12 | 22 | -16/+97
| * themes: allow system_server to relabel them dir | d34d | 2016-09-20 | 1 | -0/+4
      On a fresh install the theme service broker creates the initial theme directory which needs to be relabeled to a themeservice_app_data_File in order for the brokered theme service to write to this directory
      Change-Id: Ifd689a0c619c0e954192749b83a0cacaa945468f
      TICKET: NIGHTLIES-3349
| * cm: Allow LiveDisplay to write to display misc dir | Steve Kondik | 2016-08-15 | 1 | -1/+1
      * Need write permission to create file containing the current mode.
      Change-Id: I4ed26412e7ec38861156110c7eb51ef707a0999f
| * sepolicy: Move new QCOM-specific policy to the right place | Steve Kondik | 2016-08-09 | 2 | -4/+3
      * Don't wanna break the build for anyone again :( The native stuff is very QCOM specific and won't work elsewhere.
      Change-Id: Id5dbba1a46dc12cbd5914cf3072ed92a72039b31
| * sepolicy: Additional policy for LiveDisplay | Steve Kondik | 2016-08-07 | 1 | -0/+4
      * LiveDisplay needs to store the user-selected default mode somewhere in the case where we are mixing local sysfs-style modes with QDCM modes. Add a rule for this.
      Change-Id: I42b80df7c0ee3c2815594c8a6feea3dc078c6ae2
| * cm: sepolicy: Fix the vold blkid.tab denial from recovery | Adrian DC | 2016-08-05 | 1 | -0/+1
      * denied { link } for pid=190 comm="minivold" name="vold_blkid.tab" dev="tmpfs" scontext=u:r:vold:s0 tcontext=u:object_r:vold_tmpfs:s0 tclass=file
      Change-Id: I0b3e47dd00c5a32261691f51838a8d9af9778faa
| * sepolicy: Put theme service in its own context | d34d | 2016-08-02 | 13 | -15/+48
      Allow the theme manager and its data to be sandboxed in its own context
      Change-Id: I7898663d1c196bfe04fa4c539d20191a43fde284
| * sepolicy: More IOP rules | Steve Kondik | 2016-08-01 | 1 | -0/+1
      Change-Id: I6d6cfd7202c94135344eb718e0c6ac5347a0ece7
| * sepolicy: Fix MTP for sdcardfs | dianlujitao | 2016-07-29 | 1 | -0/+1
      Change-Id: I8fe011140798925ee5b5926355868febd595a788
| * sepolicy: Let the IO prefetcher look at sdcardfs | Steve Kondik | 2016-07-29 | 1 | -1/+2
      Change-Id: Ie618887fbf292c702df720f04840ab3c8ff222f7
| * cm: sepolicy: Allow system_server dir read access | Luca Stefani | 2016-07-28 | 1 | -0/+2
      Change-Id: Ia6fc26781c1cb576c2feee3e941d7206e7878bb5
| * sepolicy: Allow media_rw write to fix camcorder denials | Steve Kondik | 2016-07-27 | 1 | -0/+3
      Change-Id: Icc892d8b2c34950431564738b66d8e8baefc62be
| * sepolicy: Revert custom sdcardfs policy in favor of AOSP | Steve Kondik | 2016-07-26 | 4 | -14/+0
      * Upstream policy showed up in AOSP this morning. Dropping ours in favor of AOSP.
      Revert "sepolicy: A few more denials"
      This reverts commit 522c421f6623be6437e444454cac58f7bbd5bc32.
      Revert "sepolicy: More policy for sdcardfs"
      This reverts commit 4a24ffeb6a44b2a044c2c3ce4e5aad8956e7157a.
      Revert "sepolicy: Add sdcardfs support"
      This reverts commit ba87877dd0b193a29a7b5293e4889c310dcdfc8a.
      Change-Id: I4f066b9bd5d8c899137fcaa12999f2547f9e0ec0
| * sepolicy: A few more denials | Steve Kondik | 2016-07-26 | 1 | -0/+4
      * Hopefully the last of the sdcardfs denials
      Change-Id: I2a9fbc33696d2517fd2596f64f55656a14d66c2c
| * sepolicy: More policy for sdcardfs | Steve Kondik | 2016-07-25 | 2 | -0/+9
      Change-Id: Iddc6f86bd1e4b9942139acf9b7e75279b3865b8a
| * sepolicy: Add rule to allow sdcardfs to read package list | Steve Kondik | 2016-07-24 | 1 | -0/+2
      * Do not carry forward into N release.
      Change-Id: I1f90695c48ac5a19848efafb146eabdff1ca4b6a
| * sepolicy: Add sdcardfs support | Steve Kondik | 2016-07-24 | 1 | -0/+1
      Change-Id: Ib9486b0ad7ed0e4c53494271e6fd35bcfedba40a
| * sepolicy: Allow batterymanager and batteryproperties services to be found | Bruno Martins | 2016-07-23 | 1 | -0/+4
      Change-Id: Ia2a1734a74c4bba0bc09f150442aec573d769370
| * sepolicy: put bash in shell context | Dan Pasanen | 2016-06-21 | 1 | -0/+3
      * Necessary for being able to execute commands such as 'su' from a non-root shell
      Change-Id: Icbaaa6ff7447add65441011944bdc5d13b788c86
| * persist.dbg/data for radio to control QC prop's | Deepak Kundra | 2016-06-03 | 1 | -0/+2
      Issue-id:FEIJ-679
      Change-Id: Iafe0405fd4a83c8f22e1af7152c1c3a009cd2e71
| * sepolicy: Allow uncrypt additional access | Pat Erley | 2016-05-16 | 1 | -0/+5
      Uncrypt may need access to additional selinux contexts for devices with created storage solutions.
      Change-Id: Ie90f130ff6bafdd195379f7d57504b2fce4ef830
| * cm: Extend policy for IOP | Steve Kondik | 2016-05-14 | 1 | -0/+4
      * IO prefetcher needs to dig into themes and media as well.
      Change-Id: I72cd7fca3a7cacf28764023a73c66e4ea8a58be5
| * cm: Add SE policy for iop service | Steve Kondik | 2016-05-06 | 1 | -0/+6
      Change-Id: I14338a03c469cd71a6d5c7fecc71eb2290b2e6c4
| * cm: Allow LiveDisplay to write to color_enhance | Zhao Wei Liew | 2016-04-30 | 1 | -0/+1
      The proper permissions for the color_enhance sysfs node weren't being set, rendering the color enhancement switch useless. Set the proper permissions for LiveDisplay to toggle color enhancement.
      Change-Id: Ic8dba8953b73a497cb01a645834c0e7934092b38
| * cm: Remove garbage from sepolicy | Steve Kondik | 2016-04-30 | 1 | -2/+2
      * Not sure how the -- got here but it causes the rules to be invalid.
      Change-Id: Ib17217d14f844d7aa27bb554346183e32ff5ae13
| * cm: Add CMAudioService the platform | Steve Kondik | 2016-04-26 | 2 | -0/+2
      * Also brings JNI to CMSDK
      Change-Id: I599964a1f9200a8d2ecdad0bb8c4d8593e6d7415
| * sepolicy: Allow recovery to mount on tmpfs | Pat Erley | 2016-04-22 | 1 | -0/+1
      /storage is a tmpfs volume, and is where updater stores its zip when downloading updates. Devices with emmc partitions that are used as 'sdcard' volumes will end up with paths like:
      /storage/UUID/...../update.zip
      where UUID is the mount point for the partition and update.zip is the downloaded update.
      With this change, minivold can create the UUID folder and mount onto it, fixing the application of updates.
      Change-Id: I4fa84fd590f5ff0f91e38c49cef0c179728fdf43
| * cm: Moving LiveDisplay to CMSDK | Steve Kondik | 2016-04-13 | 2 | -0/+2
      * Also alphabetized the list of feature xmls, you filthy pigs.
      Change-Id: I094a46c313be4531c6dd1af1e007a26b2476d60e
| * cm: sepolicy: allow platform apps to execute render scripts | Matthias Yzusqui | 2016-04-05 | 1 | -0/+3
      * Needed by Gallery3D Photo Editor to apply effects like: Vignette and Graduated.
      Change-Id: I7b07a974fbdb77abbaba1c15a21e918406d2175b
| * Add Weather Content Provider [3/5] | Luis Vidal | 2016-03-31 | 2 | -1/+3
      Introduce the weather system feature, which will be used to identify if the Weather Content Provider/Weather services are available in the device.
      Add SELinux entries for the cmweather service
      Change-Id: Ibe862903095276f87f23c0d7dae54733eeeb5638
| * LLS: Add live lock screen service [3/4] | d34d | 2016-03-30 | 2 | -0/+2
      Change-Id: I9136e9c9c1413c45aa300f0c92fd69b0c409a052
* | Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0 | Wolfgang Wiedmeyer | 2016-03-18 | 5 | -0/+12
| * cm: sepolicy: allow platform apps to crop user images | codeworkx | 2016-03-16 | 1 | -0/+3
      Needed for gallery3d when setting contact pics
      avc: denied { write } for comm=4173796E635461736B202334 path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p50" ino=65849 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
      03-05 13:07:40.741 22060-22207/com.android.gallery3d W/System.err﹕ java.io.IOException: write failed: EACCES (Permission denied)
      Change-Id: Iaa7f75abfd41c86e1a321d5f35b950f9dc7eb930
| * Themes: Refactor themes to CMSDK [3/6] | d34d | 2016-03-01 | 2 | -0/+4
      Change-Id: Ia8f3a5080f2ca2cecc3474058db4970c5661c89c
      TICKET: CYNGNOS-2126
| * recovery: Add new rule for sys.usb.ffs.ready | AdrianDC | 2016-02-23 | 1 | -0/+3
      init: avc: denied { set } for property=sys.usb.ffs.ready scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0 tclass=property_service
      Change-Id: Id3441ccc3c6a8915a5fdf50efd8c617d1242868a
| * cm: sepolicy: allow kernel to read storage | FrozenCow | 2016-02-20 | 1 | -0/+2
      This fixes issues where the kernel would need to read and write files from internal or external storage. More specifically, the kernel needs these rules for USB mass storage to work correctly.
      Change-Id: I8cb0307727bc0c464d5470e55275ad808e748ee0
| * sepolicy: Allow system server and uncrypt access pipe | Pat Erley | 2016-02-09 | 2 | -0/+2
      System server needs to be able to create a pipe in the cache partition for uncrypting OTAs. Uncrypt needs to be able to read and write the pipe.
      Change-Id: Ie03ee7d637eaecff8fe38bf03dc733b3915cd336
* | sepolicy: remove mac_permissions for proprietary google apps and cmupdater | Wolfgang Wiedmeyer | 2016-02-17 | 1 | -24/+0
      Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* | sepolicy: allow bootanim and surfaceflinger execmem and access to ashmem | Wolfgang Wiedmeyer | 2016-02-16 | 2 | -0/+4
      This allows the device to boot with software rendering using build/target/board/generic/sepolicy as reference
      Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* | sepolicy: Allow system server and uncrypt access pipe | Pat Erley | 2016-02-16 | 2 | -0/+2
      System server needs to be able to create a pipe in the cache partition for uncrypting OTAs. Uncrypt needs to be able to read and write the pipe.
      Change-Id: Ie03ee7d637eaecff8fe38bf03dc733b3915cd336
* | Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0 | Wolfgang Wiedmeyer | 2016-02-03 | 3 | -0/+13
      Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
      Conflicts:
      overlay/common/frameworks/base/core/res/res/drawable-nodpi/default_wallpaper.jpg
      overlay/common/frameworks/base/core/res/res/drawable-sw600dp-nodpi/default_wallpaper.jpg
      overlay/common/frameworks/base/core/res/res/drawable-sw720dp-nodpi/default_wallpaper.jpg
      overlay/common/frameworks/base/core/res/res/drawable-xhdpi/default_wallpaper.jpg
| * recovery: Add new rules for recursive wipe | Pat Erley | 2016-01-28 | 1 | -0/+4
      We now use a temporary context when mounting /data, so add permissions to do that, and add permissions necessary to do the recursive wipe.
      Change-Id: Ic925c70f1cf01c8b19a6ac48a9468d6eb9205321
| * Grant platform apps access to /mnt/media_rw with sdcard_posix label | Jani Lusikka | 2016-01-24 | 2 | -0/+9
      Also allow apps to read the contents of mounted OBBs.
      See AOSP Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad and Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
      Change-Id: I757a2a8831c69d41c0496025a39eaf79ceb0e65f
* | Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0-toolchain | Wolfgang Wiedmeyer | 2016-01-14 | 1 | -0/+5
| * sepolicy: Add perfprofd with set_prop macro | myfluxi | 2016-01-12 | 1 | -0/+5
      Addresses: avc: denied { write } for pid=293 comm="perfprofd" name="property_service" dev="tmpfs" ino=9229 scontext=u:r:perfprofd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
      Change-Id: I5a88722eda4d0751fd9a081c434d385ac1c785ef
* | Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_vendor_cm into replicant-6.0 | Wolfgang Wiedmeyer | 2016-01-02 | 4 | -0/+12