Initial Vendor Commit

Based on CyanogenMod Vendor

Signed-off-by: Alberto97 <albertop2197@gmail.com>
diff --git a/sepolicy/auditd.te b/sepolicy/auditd.te
new file mode 100644
index 0000000..01d5a06
--- /dev/null
+++ b/sepolicy/auditd.te
@@ -0,0 +1,3 @@
+allow logd auditd_log:dir rw_dir_perms;
+allow logd auditd_log:file create_file_perms;
+
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..3a20199
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,4 @@
+# Support asec containers getting mounted
+allow file_type rootfs:filesystem associate;
+
+type auditd_log, file_type;
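Review bot: The `associate` rule on the first policy line is granted to the whole `file_type` attribute, although its comment only mentions asec containers, so every labelled file type may be associated with rootfs. If only asec mounts need it, name those types instead of the attribute, e.g. `allow asec_apk_file rootfs:filesystem associate;` (type name to be confirmed against the base policy). Since `auditd_log` is applied to `/data/misc/audit` in file_contexts, declaring it as `type auditd_log, file_type, data_file_type;` would keep it consistent with other /data types.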
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..ee47c75
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,16 @@
+/cache/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+
+# Auditd is a logging daemon. Put it into logd's context
+/system/bin/auditd        u:object_r:logd_exec:s0
+/data/misc/audit(/.*)?    u:object_r:auditd_log:s0
+
+/system/bin/sysinit       u:object_r:sysinit_exec:s0
+
+#############################
+# performance-related sysfs files (CM)
+/sys/kernel/mm/ksm(/.*)?       --          u:object_r:sysfs_writable:s0
+/sys/devices/system/cpu.*/cpufreq(/.*)? --  u:object_r:sysfs_devices_system_cpu:s0
+/sys/block/mmcblk0/queue/scheduler  --    u:object_r:sysfs_writable:s0
+
+/data/hostapd(/.*)?         u:object_r:wifi_data_file:s0
+/data/misc/radio(/.*)?      u:object_r:radio_data_file:s0
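Review bot: Labelling `/system/bin/auditd` as `logd_exec` presumably makes auditd run in logd's domain (the transition rule is not in this hunk), so each daemon ends up holding the other's permissions. That is why auditd.te in this commit has to give `logd` create access to `auditd_log` files. A dedicated `auditd` / `auditd_exec` pair with its own `init_daemon_domain(auditd)` would keep the two apart, the way sysinit.te does for sysinit. The `sysfs_writable` entries would also benefit from a comment naming which domains are expected to write them, since that is not visible here.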
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..cec9f01
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon fuseblk / u:object_r:sdcard_external:s0
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..65f471a
--- /dev/null
+++ b/sepolicy/installd.te
@@ -0,0 +1,3 @@
+# Allow querying of asec size on SD card
+allow installd sdcard_external:dir { search };
+allow installd sdcard_external:file { getattr };
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
new file mode 100644
index 0000000..e91c6f4
--- /dev/null
+++ b/sepolicy/mac_permissions.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!-- Most Google-authored apps -->
+  <signer signature="308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e
424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a" >
+    <!-- This should probably be refined, but it's a ton of them -->
+    <allow-all />
+    <!-- We should only add the exact key + package name, rather then giving this to all gapps -->
+    <seinfo value="release" />
+  </signer>
+
+  <!-- Youtube -->
+  <signer signature="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" >
+    <allow-all />
+    <seinfo value="release" />
+  </signer>
+</policy>
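Review bot: `<allow-all />` under both signers places no install-time permission restriction on any package signed with these certificates, and the comments inside the first stanza already say it should be narrowed to exact key plus package name. Scoping it now is cheaper than after apps depend on it: nest `<package name="PLACEHOLDER.PACKAGE">` entries with their own `<seinfo>` under each signer, or replace `<allow-all />` with an explicit `<allow-permission>` list. The seapp_contexts file added in this commit has no entry for `seinfo=release`, so which domain these apps land in is decided by policy outside this change and should be checked.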
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..4ad0b3e
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,4 @@
+allow netd self:capability { setuid sys_module setgid };
+allow netd self:packet_socket create_socket_perms;
+allow netd radio_data_file:dir rw_dir_perms;
+allow netd radio_data_file:file create_file_perms;
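Review bot: `sys_module` in the capability set on the first line lets netd load and unload kernel modules, a far larger grant than the `setuid`/`setgid` beside it, and nothing in the file says what needs it. If a specific driver or tethering path requires it, record that in a comment above the rule; if no logged denial actually requires it, reduce the rule to `allow netd self:capability { setuid setgid };`. The `packet_socket` and `radio_data_file` rules would also benefit from a one-line reason each, as ueventd.te and vold.te have.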
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
new file mode 100644
index 0000000..f39256a
--- /dev/null
+++ b/sepolicy/seapp_contexts
@@ -0,0 +1 @@
+user=theme_man domain=system_app type=system_data_file
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
new file mode 100644
index 0000000..865be3b
--- /dev/null
+++ b/sepolicy/sepolicy.mk
@@ -0,0 +1,22 @@
+#
+# This policy configuration will be used by all products that
+# inherit from CM
+#
+
+BOARD_SEPOLICY_DIRS += \
+    vendor/aosp/sepolicy
+
+BOARD_SEPOLICY_UNION += \
+    file.te \
+    file_contexts \
+    genfs_contexts \
+    seapp_contexts \
+    service_contexts \
+    auditd.te \
+    installd.te \
+    netd.te \
+    sysinit.te \
+    system.te \
+    ueventd.te \
+    vold.te \
+    mac_permissions.xml
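Review bot: The header comment says the policy is used by products that inherit from CM, but `BOARD_SEPOLICY_DIRS` points at `vendor/aosp/sepolicy`, so the comment appears to be carried over from the source tree and should name this vendor tree instead. The `BOARD_SEPOLICY_UNION` list is maintained by hand, so a policy file added to the directory later is left out of the build unless it is also appended here. A short comment above the list such as `# every file in this directory must be listed here to be built` would make that explicit.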
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..09640f8
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1 @@
+edgegestureservice                        u:object_r:system_server_service:s0
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
new file mode 100644
index 0000000..dea539e
--- /dev/null
+++ b/sepolicy/sysinit.te
@@ -0,0 +1,11 @@
+type sysinit, domain;
+type sysinit_exec, exec_type, file_type;
+
+init_daemon_domain(sysinit)
+
+#============= sysinit ==============
+allow sysinit devpts:chr_file { rw_file_perms };
+allow sysinit shell_exec:file { rx_file_perms };
+allow sysinit system_file:file { rx_file_perms };
+allow sysinit self:process setcurrent;
+
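Review bot: `allow sysinit self:process setcurrent;` on the last rule line permits the domain to change its own security context at run time, and the file gives no reason for it. No `dyntransition` rule for sysinit is visible in this commit, so the permission is either unused or waiting for a target defined elsewhere; remove it unless a recorded denial needs it, or add a comment naming the intended target domain. Because sysinit gets `rx_file_perms` on `shell_exec` and `system_file`, the scripts and binaries it runs stay in the sysinit domain and hold the same grant.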
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..4c6de38
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1 @@
+allow system_server wallpaper_file:file relabelto;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..396e266
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,13 @@
+# ueventd needs to relabel files that pop in and out of sysfs
+allow ueventd sysfs:file relabelfrom;
+
+# ueventd will set permissions on cpufreq nodes
+allow ueventd sysfs_devices_system_cpu:file setattr;
+
+# ueventd loads wifi firmware on a ton of devices
+allow ueventd wifi_data_file:dir r_dir_perms;
+allow ueventd wifi_data_file:file r_file_perms;
+
+# ueventd loads audio firmware on many devices
+allow ueventd audio_data_file:dir r_dir_perms;
+allow ueventd audio_data_file:file r_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..ae52a5f
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,12 @@
+# Allow vold to manage ASEC
+allow vold sdcard_external:file create_file_perms;
+
+# Allow vold to change context for mounted ext4 sdcard
+allow vold labeledfs:filesystem { relabelfrom };
+allow vold sdcard_external:filesystem { relabelfrom };
+
+# Allow vold to access fuse for fuse-based fs
+allow vold fuse_device:chr_file rw_file_perms;
+
+# NTFS-3g wants to drop permission
+allow vold self:capability { setgid setuid };
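Review bot: The `setgid setuid` capabilities on the last line are given to the whole vold domain, apparently because the NTFS-3g helper runs inside it without a domain transition. Every code path in vold can then change uid/gid, not only the helper that drops privileges. Running the helper from its own exec type with a transition would confine the grant, though that needs types this hunk does not define. At minimum the comment should say who uses the capability, e.g. `# ntfs-3g is exec'd by vold in vold's domain and drops uid/gid after mounting`, if that matches the actual behaviour.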