pa-fazil
/
android_vendor_aospa
mirror of https://github.com/fazilsheik96/android_vendor_aospa.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,121 Commits 5 Branches 0 Tags 1.3 GiB
Commit Graph

66 Commits

Author SHA1 Message Date
Puneet Mishra 4e19732c40
pa: sepolicy: Allow platform apps to find the NFC service. 
* Several APIs on NFC require platform permissions,
   therefore, NFC test applications are equipped with them.

Change-Id: I35435b4aac0b0153c7847a8e02ab36985f54e774
 2020-12-31 17:17:44 -07:00
Alexander Koskovich 98af27b706 pa: sepolicy: Write some missing rules for FOD. 
Change-Id: I255a0b5e25461298d19e7f13a24e4262330b83cf
 2020-12-18 00:40:26 +00:00
LuK1337 d1d045c2bb pa: sepolicy: Add rules for FOD. 
Change-Id: I067ead0c2f60493a974bc220b67d7039acea4823
 2020-11-21 05:10:37 +00:00
Jake Weinstein 292d764015 vendor: move sepolicy to device/pa/sepolicy 
Change-Id: I0eda57cfd95d313d6cd544983504ed55a608d11b
 2019-07-31 12:44:21 +00:00
Hernán Castañón Álvarez ca2b717196 pa: sepolicy: move PA sepolicy to system. 
This is needed for QSSIs to be able to use our vendor/pa sepolicies.

This won´t cause any issues to device specific builds.

Signed-off-by: Hernán Castañón Álvarez <herna@paranoidandroid.co>
Change-Id: Ifb4057334110d1c7389f728cbaf573a5538a98d2
 2019-03-23 12:20:07 +00:00
TheStrix c60446fc2c Initial sepolicy changes for pie 
Change-Id: I0707ae85da0d153a8c383b9eaa08ef9c4057f8fd
 2018-09-20 04:52:13 +00:00
Jake Weinstein e7b25190d3 pa: Fix zygote denial 
Fixes the following denial
avc: denied { create } for pid=668 comm="main" name="tasks" scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=0

Change-Id: I4d001f3973e73a6dd4027e6a872688df68a0f4a8
 2018-02-18 08:14:32 +00:00
Lennart c86c71bbfa pa: fix denial to show the correct selinux mode 
Without this commit the settings always show permissive as selinux
status even it it was enforcing

Change-Id: Icd5003e67a725323a5445a936d5a38a3006c5456
 2018-02-17 00:31:43 +01:00
cj360 1b055f37a6 sepolicy: Fix mkfs sepolicy for Oreo 
Needs coredomain

a2718d3071

Change-Id: Ie612c590739cf88191b093f92087092d9e574a13
Signed-off-by: cj360 <ayunker551@gmail.com>
 2018-02-13 16:12:38 +00:00
Alex Naidis 2637516bfb pa: Initial 8.0 bringup 
- Update version number
- Cleanup sepolicy, remove theming support
- Initial pass at overlays
- Remove pa-services for now

Change-Id: I933a9fadc9d81da9454c5e369e841fcc22629932
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-11-11 08:24:50 -05:00
Alex Naidis 9f6515fd98 pa: Give system server full read access to user profiles 
Fixes denials such as
[ 1053.875830] type=1400 audit(1502291448.945:27): avc: denied { open } for pid=1389 comm="PackageManager" path="/data/misc/profiles/cur/0/foreign-dex" dev="sda15" ino=1945922 scontext=u:r:system_server:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=0

Change-Id: I9769df7bd7fd5167690acc182d187bb609b00c13
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-08-10 01:59:01 +00:00
Ícaro Hoff b0fefe82a5
pa: address profile picture "read" permission denial 
[ 8875.702197] type=1400 audit(1502056520.069:19): avc: denied { read } for pid=10749 comm="Binder:10227_6" path="/data/user_de/0/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="sda10" ino=65289 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0

Change-Id: I29cf861ade67b11b4cf0cf8b00b0960b77b62759
Signed-off-by: Ícaro Hoff <icarohoff@gmail.com>
 2017-08-06 19:07:53 -03:00
Chris Lahaye 6e07618a4e pa: Add selinux policy for pocket bridge 
Change-Id: I45b8eeab76833f5c95211da5d869b21cb72510c4
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-08-02 15:42:55 -04:00
Carlo Savignano 66580b14d2 pa: Add pocket judge selinux policy 
Ticket: NOUGAT-9

Change-Id: I46fa86a55389421f615e0af366bee9413617297c
Signed-off-by: Carlo Savignano <carlosavignano@aospa.co>
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-08-02 15:41:50 -04:00
thecrazyskull a0d58315db pa: sepolicy: Add Color Engine policy 
Change-Id: I9b9915c63326634f7f8c8e31a23efe93a07b8a42
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-08-02 15:41:42 -04:00
Jake Weinstein f23c100401 pa: Fix a user profile data denial 
Change-Id: I1a441c9a893edc3a5ccbb9d5ba373ceeed441a87
 2017-07-30 14:10:59 +00:00
Alex Naidis b544174dd1 pa: Fix audioserver's communication with boot animation 
Audioserver needs to communicate with boot animation
via binder.

Change-Id: Iafd3701f1cf741b30808fc1ad989f9c07cca7935
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-07-27 20:28:48 +00:00
Jake Weinstein a6fa8c8528 pa: fix denial when setting user profile picture 
[298887.878199] type=1400 audit(1500699998.019:640): avc: denied { write } for pid=6660 comm="Binder:6647_1" path="/data/user_de/0/com.android.settings/cache/CropEditUserPhoto.jpg" dev="sda15" ino=1866326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
[298887.910918] type=1400 audit(1500699998.049:641): avc: denied { write } for pid=15001 comm="Binder:6647_5" path="/data/user_de/0/com.android.settings/cache/CropEditUserPhoto.jpg" dev="sda15" ino=1866326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0

Change-Id: Ia416e69b561c2b656d00ed401abd4d7d67bfc0d4
 2017-07-24 02:42:36 +00:00
Surge Raval 017b3b4792
pa: Add policy to fix interfacer derp on boot 
05-29 08:40:17.200 10546 10600 F libc    : Fatal signal 6 (SIGABRT), code -6 in tid 10600 (POSIX timer 0)
05-29 08:40:17.200   428   428 W         : debuggerd: handling request: pid=10546 uid=1006 gid=1006 tid=10600
05-29 08:40:17.223 20058 20058 E         : debuggerd: Unable to connect to activity manager (connect failed: Connection refused)
05-29 08:40:17.225   580   580 E SELinux : SELinux: Could not set context for /data/data/projekt.interfacer:  Permission denied
05-29 08:40:17.226   580   580 E installd: Failed top-level restorecon for /data/data/projekt.interfacer: Permission denied
05-29 08:40:17.219   580   580 W installd: type=1400 audit(0.0:135): avc: denied { relabelto } for name="projekt.interfacer" dev="sda15" ino=61332 scontext=u:r:installd:s0 tcontext=u:object_r:theme_data_file:s0 tclass=dir permissive=0
05-29 08:40:17.226 19831 19831 E PackageManager: Failed to create app data for projekt.interfacer, but trying to recover: com.android.internal.os.InstallerConnection$InstallerException: Failed to execute create_app_data [null, projekt.interfacer, 0, 3, 1000, platform:privapp, 25]: -1
05-29 08:40:17.228   580   580 E         : Couldn't opendir /data/user_de/0/projekt.interfacer: No such file or directory
05-29 08:40:17.229 19831 19831 W PackageManager: com.android.internal.os.InstallerConnection$InstallerException: Failed to execute destroy_app_data [null, projekt.interfacer, 0, 3, 61332]: -2
05-29 08:40:17.229   580   580 E SELinux : SELinux: Could not set context for /data/data/projekt.interfacer:  Permission denied
05-29 08:40:17.229   580   580 E installd: Failed top-level restorecon for /data/data/projekt.interfacer: Permission denied
05-29 08:40:17.219   580   580 W installd: type=1400 audit(0.0:136): avc: denied { relabelto } for name="projekt.interfacer" dev="sda15" ino=61488 scontext=u:r:installd:s0 tcontext=u:object_r:theme_data_file:s0 tclass=dir permissive=0
05-29 08:40:17.230 19831 19831 D PackageManager: Recovery failed!
05-29 08:40:17.231   580   580 E SELinux : SELinux: Could not set context for /data/data/projekt.interfacer:  Permission denied
05-29 08:40:17.231   580   580 E installd: Failed top-level restorecon for /data/data/projekt.interfacer: Permission denied
05-29 08:40:17.232 19831 19831 E PackageManager: Failed to create app data for projekt.interfacer, but trying to recover: com.android.internal.os.InstallerConnection$InstallerException: Failed to execute create_app_data [null, projekt.interfacer, 0, 3, 1000, platform:privapp, 25]: -1
05-29 08:40:17.219   580   580 W installd: type=1400 audit(0.0:137): avc: denied { relabelto } for name="projekt.interfacer" dev="sda15" ino=61488 scontext=u:r:installd:s0 tcontext=u:object_r:theme_data_file:s0 tclass=dir permissive=0
05-29 08:40:17.233   580   580 E         : Couldn't opendir /data/user_de/0/projekt.interfacer: No such file or directory
05-29 08:40:17.233 19831 19831 W PackageManager: com.android.internal.os.InstallerConnection$InstallerException: Failed to execute destroy_app_data [null, projekt.interfacer, 0, 3, 61488]: -2
05-29 08:40:17.234   580   580 E SELinux : SELinux: Could not set context for /data/data/projekt.interfacer:  Permission denied
05-29 08:40:17.234   580   580 E installd: Failed top-level restorecon for /data/data/projekt.interfacer: Permission denied
05-29 08:40:17.234 19831 19831 D PackageManager: Recovery failed!
05-29 08:40:17.229   580   580 W installd: type=1400 audit(0.0:138): avc: denied { relabelto } for name="projekt.interfacer" dev="sda15" ino=61491 scontext=u:r:installd:s0 tcontext=u:object_r:theme_data_file:s0 tclass=dir permissive=0
05-29 08:40:17.274 20058 20058 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***

Change-Id: I39def485bbeea25e2b32baa30e575779afd50ce4
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-06-01 22:34:54 +02:00
Alex Naidis 874527426a
pa: sepolicy: Fix substratum related denial 
Part of 780277a592

The other part is in system/sepolicy already.

Change-Id: I351d48e564b8844474a15ee961aa139252adbfaa
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-03-27 16:33:06 +02:00
Evan Anderson 582bd50276
Revert "pa: allow system server to change hw buttons prop" 
* This breaks building for Nexus devices since they do not use the qcom
common sepolicy

This reverts commit ccc59715e0.

Change-Id: Ie7b93f4455b13d3db2386c6c8e8f103a51458b72
Signed-off-by: Evan Anderson <evananderson@aospa.co>
 2017-03-16 13:43:21 -04:00
thecrazyskull e1dafe3a42 pa: sepolicy: extend for our keyhandler extension 
Change-Id: I05146b35f80b62f5a6fac4588bf99526c4720c86
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2017-03-15 00:59:37 +09:00
Thecrazyskull ccc59715e0 pa: allow system server to change hw buttons prop 
* Needed for buttons code

Change-Id: I057c26f66c1932c5ea2ed5ac75c678331f665f89
 2017-03-15 00:59:09 +09:00
George G 4f34278ed0 pa: sepolicy: fix themed sounds 
02-08 17:26:48.011 18259-18259/? W/SoundPoolThread: type=1400 audit(0.0:31): avc: denied { read } for path="/data/system/theme/audio/ui/Lock.ogg" dev="dm-0" ino=1006317 scontext=u:r:drmserver:s0 tcontext=u:object_r:theme_data_file:s0 tclass=file permissive=0

Change-Id: If96d784d4a79e7c7f7d21d191c2e0795c366e03a
 2017-03-09 18:45:16 +00:00
bigrushdog 1727ae20f8 pa: sepolicy: fix themed boot animation 
W BootAnimation: type=1400 audit(0.0:42): avc: denied { open } for uid=1003 path="/data/system/theme/bootanimation.zip" dev="mmcblk0p42" ino=1657697 scontext=u:r:bootanim:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

W         : Unable to open '/data/system/theme/bootanimation.zip': Permission denied

W zipro   : Error opening archive /data/system/theme/bootanimation.zip: I/O Error

Change-Id: I1440bd967d7a06ee64ea861a2544b54caf909f23
 2017-03-09 18:45:06 +00:00
d34d 2ef1577fda pa: Introduce sepolicy exceptions for theme assets 
Assets such as composed icons and ringtones need to be accessed
by apps. This patch adds the policy needed to facilitate this.

Change-Id: I0420de579aed0cff5add181cd0a8bf0f2b05d723
 2017-03-09 18:44:50 +00:00
Mårten Kongstad 41d323a141 pa: OMS7-N: Add service 'overlay' to service_contexts 
The 'overlay' service is the Overlay Manager Service, which tracks
packages and their Runtime Resource Overlay overlay packages.

Bug: 31052947

Co-authored-by: Martin Wallgren <martin.wallgren@sonymobile.com>
Signed-off-by: Zoran Jovanovic <zoran.jovanovic@sonymobile.com>

Change-Id: Ie996707dd02166325271bee49163ac263e560a1d
 2017-02-24 21:53:21 +00:00
Christopher N. Hesse a9dfdafe59 pa: sepolicy: Move IOP rules to qcom common tree 
Change-Id: Ie3a3c555ebe11375dcd95b094d05e069158dab52
 2017-02-22 16:34:45 +00:00
Thecrazyskull ae74d700c5 pa: Allow iop to search sdcardfs dirs 
Change-Id: I88b36d943fde2057765e5c978412db704866e79d
 2017-01-21 15:09:48 +00:00
Luca Stefani 884980a0a5 pa: sepolicy: Allow system_server dir read access 
Change-Id: Ia6fc26781c1cb576c2feee3e941d7206e7878bb5
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
 2017-01-14 07:48:18 +09:00
Alex Naidis b5b198f2ce
pa: sepolicy: address new denial 
Change-Id: I6fdf9c06591a44c115e0c1005e9cd03c6457f5f5
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2016-12-18 20:13:54 +01:00
thecrazyskull 08029e68cb vendor: sepolicy: adress IOP denials 
Change-Id: I6e30574c3cece5f8d95d2a58290d80c872f24656
 2016-11-19 07:51:40 -05:00
Alex Naidis 4bea9a136d pa: sepolicy: update and reenable for N 
This commit updates the sepolicy items for N.
Unneeded policies are removed and CMTE related
policies are removed too (for now).

Change-Id: I733ab8861fad6d8eb0cbb6bf256e726b17eaab76
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2016-11-09 21:09:01 +01:00
Evan Anderson 38bcb0cb79 sepolicy: Revert sdcard permission adds 
These aren't needed anymore

Revert "sepolicy: treat fuseblk as sdcard_external"

This reverts commit 4bd767096f.

Change-Id: Ibf5e272a328dff29e7642b0cce744ff2584eaba5
Signed-off-by: Evan Anderson <evananderson@aospa.co>

Revert "sepolicy: allow installd to query ASEC size"

This reverts commit baaf6d248c.

Change-Id: I4ad3cd353fcfe2996a501299c4a21b7bccc1b894
Signed-off-by: Evan Anderson <evananderson@aospa.co>

Revert "sepolicy: allow vold to create files on external sdcard"

This reverts commit ff639e9bcb.

Change-Id: Ib09bfc8c547383a2628c51d21198da4efbb3ce76

Revert "sepolicy: allow vold to mount ext4 sdcard"

This reverts commit 8fb531bd7f.

Change-Id: Ib87eb218b6467563214cc03bf5ff4228da58dbb3
 2016-08-30 16:57:04 -04:00
Alexis Rico 07f879ab5f Merge remote-tracking branch 'aospa/marshmallow-caf' into HEAD 2016-08-09 18:19:36 -04:00
Ricardo Cerqueira a4209009f3 selinux: Fix healthd's access to /dev nodes 
Our healthd's support for power-on alarms adds some steps that imply
reading files its user doesn't own. Let it.

Change-Id: I3d4735aaab8fbec7acc460f812bc21f1dfa516ab
 2016-08-07 21:45:59 -04:00
Steve Kondik 240b53d3c6 PA: Fix remaining IOP denials 
Change-Id: I1731cd1c85918522a7981ea623b648a811dd9881
 2016-07-25 19:20:50 -04:00
Jake Weinstein b3ab692480 sepolicy: more IOP denial fixes 
Change-Id: I0e2914b976c29f13200cde0ac6169f2408224a1a
 2016-07-25 01:44:35 -04:00
Alex Naidis 54e34596b1 sepolicy: adress IOP related denials globally 
* these denials happen globally on all caf devices using IOP
* move the fixes here

Change-Id: If59df8f7d8e74fd1a11436b4d1e1e9caa7527f17
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2016-07-19 19:20:37 +02:00
Alex Naidis a12feb30c9 sepolicy: app: extend sepolicy for sockets 
Change-Id: I7369060d42d973c90f2a8e6242fd3e3f6dbf50a1
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
 2016-07-06 15:01:29 +02:00
thecrazyskull cfc3800a16 Merge remote-tracking branch 'aospa/cmte-refactor' into HEAD 
Change-Id: I30c0a2b82e5fe919a486c8d6af27e136b07bc5f6
 2016-06-11 16:04:44 -04:00
Matthias Yzusqui 5a71678161 cm: sepolicy: allow platform apps to execute render scripts 
* Needed by Gallery3D Photo Editor to apply effects like:
  Vignette and Graduated.

Change-Id: I7b07a974fbdb77abbaba1c15a21e918406d2175b
 2016-06-09 09:49:48 -04:00
codeworkx fa2d439ccc cm: sepolicy: allow platform apps to crop user images 
Needed for gallery3d when setting contact pics

avc: denied { write } for comm=4173796E635461736B202334
path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p50" ino=65849
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file
permissive=0

03-05 13:07:40.741  22060-22207/com.android.gallery3d W/System.err﹕ java.io.IOException: write
failed: EACCES (Permission denied)

Change-Id: Iaa7f75abfd41c86e1a321d5f35b950f9dc7eb930
 2016-06-09 09:49:44 -04:00
Ed Falk a70395ab97 sepolicy: allow vold to trim persist 
Change-Id: I6441c00bfd173f1f3fd4c09a67c678c5bd4f8090
Issue-id: SYSTEMS-62
 2016-06-09 09:24:18 -04:00
codeworkx de4ad91867 sepolicy: label exfat and ntfs mkfs executables 
Change-Id: Ic5e32818bc54993f4e8c2377cbec64f9444f6d8a
 2016-06-09 09:21:59 -04:00
dhacker29 69b1d43ac4 sepolicy: Set the context for fsck.exfat/ntfs to fsck_exec 
This matches the policy for fsck.f2fs, although it still needs to run
as fsck_untrusted for public volumes

Change-Id: Ia04e7f8902e53a9926a87f0c99e603611cc39c5d
 2016-06-09 09:21:32 -04:00
Keith Mok fcc1e5d356 sepolicy: Add permission for formatting user/cache partition 
If the "formattable" fstab flag is set, init will tries
to format that partition, added the required policy to allow it.

Change-Id: I858b06aa3ff3ce775cf7676b09b9960f2558f7f6
 2016-06-09 09:21:01 -04:00
Keith Mok bafad0fab1 sepolicy: Add domain for mkfs binaries 
The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.

Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
 2016-06-09 09:20:50 -04:00
thecrazyskull f43ebf7bc2 sepolicy: fix derp 
Change-Id: Ieb37aaad9451a6f021561d41d44b7a2fc064c0c9
 2016-04-04 07:58:31 -04:00
d34d e591018925 Themes: Refactor themes to vendor/theme [3/5] 
Change-Id: I6abea6ead1eb1980ec25f4184996cb234de21788
 2016-03-13 02:55:11 +01:00