From a7920442527a4ab9ae6ed617178774eb4eedce75 Mon Sep 17 00:00:00 2001
From: Sooraj S
Date: Mon, 13 Jul 2020 13:05:57 +0530
Subject: [PATCH 1/7] sepolicy: allow platform_app to create named pipes

---
 common/private/platform_app.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/common/private/platform_app.te b/common/private/platform_app.te
index 07183e7..ef16b76 100644
--- a/common/private/platform_app.te
+++ b/common/private/platform_app.te
@@ -9,3 +9,7 @@ hal_client_domain(platform_app, hal_lineage_livedisplay)
 
 # Allow PowerShare HAL service to be found
 hal_client_domain(platform_app, hal_lineage_powershare)
+
+# allow platform_app to create named pipes (used for realm support)
+allow platform_app fuse:fifo_file create;
+allow platform_app app_data_file:fifo_file create_file_perms;
-- 
GitLab

From faaae00b26380385c63470dcc93a6db3546b1bdf Mon Sep 17 00:00:00 2001
From: Sooraj S
Date: Wed, 11 Nov 2020 17:46:53 +0530
Subject: [PATCH 2/7] sepolicy: allow platform_app rs_exec:file rx_file_perms

foundation.e.camera depend on being able to execute /system/bin/bcc. Allow it.
---
 common/private/platform_app.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/common/private/platform_app.te b/common/private/platform_app.te
index ef16b76..6e42d15 100644
--- a/common/private/platform_app.te
+++ b/common/private/platform_app.te
@@ -13,3 +13,5 @@ hal_client_domain(platform_app, hal_lineage_powershare)
 # allow platform_app to create named pipes (used for realm support)
 allow platform_app fuse:fifo_file create;
 allow platform_app app_data_file:fifo_file create_file_perms;
+allow platform_app app_data_file:fifo_file open;
+allow platform_app rs_exec:file rx_file_perms;
-- 
GitLab

From 9f97483f642f9cf3b83caa913d60fca0cddcd100 Mon Sep 17 00:00:00 2001
From: Alexandre Roux
Date: Fri, 7 Aug 2020 07:41:32 +0000
Subject: [PATCH 3/7] sepolicy: allow platform_app access app_data_file

---
 common/private/platform_app.te | 3 +++
 1 file changed, 3 insertions(+)
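Review bot: In PATCH 1/7 the two new rules in platform_app.te are granted to the whole `platform_app` domain although the comment ties them to Realm support, so every platform-signed app gains the ability to create FIFOs on FUSE-backed storage and in app data. The comment should name the app that needs this and why, e.g. `# <app name> uses Realm, which creates a named pipe in its data dir and on FUSE storage`, so the grant can be revisited or moved to a dedicated domain later. Note also that `allow platform_app fuse:fifo_file create;` gives only `create`; whether the pipe can then be opened and used depends on rules outside this hunk.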
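Review bot: In PATCH 2/7 the added `allow platform_app app_data_file:fifo_file open;` looks redundant, because the context line directly above already grants `create_file_perms` on the same type and class, and that macro includes `open` in AOSP's global_macros. The line is also not covered by the commit message, which only talks about bcc, so I would drop it or add a comment naming the denial it fixes. The `rs_exec` rule has no comment either and applies to every platform app rather than only foundation.e.camera; a line such as `# foundation.e.camera executes /system/bin/bcc` above it would record the reason.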
diff --git a/common/private/platform_app.te b/common/private/platform_app.te
index 6e42d15..9c14c8f 100644
--- a/common/private/platform_app.te
+++ b/common/private/platform_app.te
@@ -15,3 +15,6 @@ allow platform_app fuse:fifo_file create;
 allow platform_app app_data_file:fifo_file create_file_perms;
 allow platform_app app_data_file:fifo_file open;
 allow platform_app rs_exec:file rx_file_perms;
+
+# Allow platform apps to execute files in /data
+allow platform_app app_data_file:file execute;
-- 
GitLab

From 331a9e78be5b233504c4329c80b06c68200a96b8 Mon Sep 17 00:00:00 2001
From: Jonathan Klee
Date: Wed, 23 Feb 2022 11:03:58 +0100
Subject: [PATCH 4/7] Revert "Remove unused weather service policy"

This reverts commit 44fd376702bfbb8648b5fa63137da576d391deb1.
---
 common/private/service.te | 1 +
 common/private/service_contexts | 1 +
 common/private/untrusted_app.te | 1 +
 3 files changed, 3 insertions(+)

diff --git a/common/private/service.te b/common/private/service.te
index 053d448..00de95a 100644
--- a/common/private/service.te
+++ b/common/private/service.te
@@ -4,3 +4,4 @@ type lineage_globalactions_service, system_api_service, system_server_service, s
 type lineage_livedisplay_service, system_api_service, system_server_service, service_manager_type;
 type lineage_profile_service, system_api_service, system_server_service, service_manager_type;
 type lineage_trust_service, system_api_service, system_server_service, service_manager_type;
+type lineage_weather_service, system_api_service, system_server_service, service_manager_type;
diff --git a/common/private/service_contexts b/common/private/service_contexts
index 633c6ac..c859222 100644
--- a/common/private/service_contexts
+++ b/common/private/service_contexts
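Review bot: The new `allow platform_app app_data_file:file execute;` in PATCH 3/7 lets every platform-signed app map files from its writable data directory as executable, which gives up W^X for the whole domain, and neither the comment nor the commit message says which app needs it. `execute` without `execute_no_trans` covers loading code, not running a binary in the caller's domain, so the comment "execute files in /data" does not describe what is actually granted. Please record the consumer and the reason, e.g. `# <app name> loads native code from its data dir (W^X exception)`. If only one app is affected, a narrower domain or a dedicated file type would limit how much privileged code can be influenced by whatever is able to write into an app's data directory.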
@@ -2,6 +2,7 @@ lineageglobalactions u:object_r:lineage_globalactions_servi
 lineagehardware u:object_r:lineage_hardware_service:s0
 lineagelivedisplay u:object_r:lineage_livedisplay_service:s0
 lineagetrust u:object_r:lineage_trust_service:s0
+lineageweather u:object_r:lineage_weather_service:s0
 profile u:object_r:lineage_profile_service:s0
 
 adbroot_service u:object_r:adbroot_service:s0
diff --git a/common/private/untrusted_app.te b/common/private/untrusted_app.te
index 77959f6..39d2b4b 100644
--- a/common/private/untrusted_app.te
+++ b/common/private/untrusted_app.te
@@ -1 +1,2 @@
 allow untrusted_app_all lineage_profile_service:service_manager find;
+allow untrusted_app_all lineage_weather_service:service_manager find;
-- 
GitLab

From 5cd3e6b9b5c058578a7dc78630764ef02edd613c Mon Sep 17 00:00:00 2001
From: TheScarastic
Date: Mon, 7 Mar 2022 14:53:27 +0530
Subject: [PATCH 5/7] sepolicy: Add rules for tracker blocker

---
 common/private/netd.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 common/private/netd.te

diff --git a/common/private/netd.te b/common/private/netd.te
new file mode 100644
index 0000000..bc71718
--- /dev/null
+++ b/common/private/netd.te
@@ -0,0 +1 @@
+allow netd platform_app:unix_stream_socket connectto;
-- 
GitLab

From bb536b4c46a8213de43f6345d505178c9b53bee5 Mon Sep 17 00:00:00 2001
From: TheScarastic
Date: Wed, 21 Sep 2022 07:21:05 +0000
Subject: [PATCH 6/7] sepolicy: Updater: Add support for systemUpdatermanager

---
 common/private/updater_app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/common/private/updater_app.te b/common/private/updater_app.te
index 91b63a0..373c97a 100644
--- a/common/private/updater_app.te
+++ b/common/private/updater_app.te
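Review bot: The restored `allow untrusted_app_all lineage_weather_service:service_manager find;` in untrusted_app.te (PATCH 4/7) makes the service discoverable by every third-party app, and the revert gives no reason why a policy previously removed as unused is needed again. With `find` open to untrusted apps, access control rests on the permission checks inside the service itself, which are not visible in this patch. A comment above the rule naming the intended clients would help, e.g. `# Third-party weather clients look up lineageweather; the service enforces its own permission checks`.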
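Review bot: The new netd.te in PATCH 5/7 consists of one uncommented rule, `allow netd platform_app:unix_stream_socket connectto;`, which lets netd connect to a stream socket owned by any process in the `platform_app` domain, not only the tracker blocker named in the subject. Since netd is a privileged daemon, please add a comment stating which component listens and why netd initiates the connection, e.g. `# netd connects to the tracker blocker's socket (the app runs as platform_app)`. If the listener is a single app, giving it its own domain would keep the rule from covering the whole platform_app domain.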
@@ -9,6 +9,7 @@ binder_call(updater_app, update_engine)
 allow updater_app app_api_service:service_manager find;
 allow updater_app recovery_service:service_manager find;
 allow updater_app system_api_service:service_manager find;
+allow updater_app system_update_service:service_manager find;
 allow updater_app update_engine_service:service_manager find;
 
 allow updater_app app_data_file:dir create_dir_perms;
-- 
GitLab

From 7fbe7dc6cf7c24cce4d2a311d733eacfa6543c72 Mon Sep 17 00:00:00 2001
From: TheScarastic
Date: Fri, 7 Oct 2022 07:34:14 +0000
Subject: [PATCH 7/7] sepolicy: All platform app to create sockets

---
 common/private/platform_app.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/common/private/platform_app.te b/common/private/platform_app.te
index 9c14c8f..acbc623 100644
--- a/common/private/platform_app.te
+++ b/common/private/platform_app.te
@@ -18,3 +18,5 @@ allow platform_app rs_exec:file rx_file_perms;
 
 # Allow platform apps to execute files in /data
 allow platform_app app_data_file:file execute;
+
+allow platform_app app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
-- 
GitLab
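Review bot: The rule added in PATCH 7/7 has no comment and grants more than the subject describes: besides `sock_file` it covers `lnk_file` and `fifo_file`. The `fifo_file` part duplicates the `app_data_file:fifo_file` rules added to this file in PATCH 1/7 and 2/7, which lie outside this hunk. I would either narrow it to `allow platform_app app_data_file:sock_file create_file_perms;`, or keep the set, remove the older fifo_file lines, and document it with something like `# Allow platform apps to create sockets, symlinks and pipes in their data dir`. Either way the comment should name the app that needs the socket, since the grant applies to every platform-signed app.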