From: LuK1337 Date: Wed, 8 Mar 2017 14:41:25 +0000 (+0100) Subject: Update OMS patches X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a30e6401afcc313ee569c19ba3f81714d7ee66de;p=GitHub%2FStricted%2Fandroid_vendor_extra.git Update OMS patches --- diff --git a/patches/system/sepolicy/0001-OMS-N-Add-service-overlay-to-service_contexts.patch b/patches/system/sepolicy/0001-OMS-N-Add-service-overlay-to-service_contexts.patch index 5f7e652..5a73714 100644 --- a/patches/system/sepolicy/0001-OMS-N-Add-service-overlay-to-service_contexts.patch +++ b/patches/system/sepolicy/0001-OMS-N-Add-service-overlay-to-service_contexts.patch @@ -1,7 +1,7 @@ -From 43af1b1a13305dc31c65b57f8873725b39ea7a09 Mon Sep 17 00:00:00 2001 +From c3851a5abf045ea3d41f64990fc017a5c25d5f36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A5rten=20Kongstad?= Date: Mon, 22 Jun 2015 09:31:25 +0200 -Subject: [PATCH 1/9] OMS-N: Add service 'overlay' to service_contexts +Subject: [PATCH 01/10] OMS-N: Add service 'overlay' to service_contexts The 'overlay' service is the Overlay Manager Service, which tracks packages and their Runtime Resource Overlay overlay packages. @@ -55,5 +55,5 @@ index 03a7ef3..3ca8182 100644 allow system_server system_server_service:service_manager { add find }; allow system_server surfaceflinger_service:service_manager find; -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0002-Introduce-sepolicy-exceptions-for-theme-assets.patch b/patches/system/sepolicy/0002-Introduce-sepolicy-exceptions-for-theme-assets.patch index 7974587..53965bf 100644 --- a/patches/system/sepolicy/0002-Introduce-sepolicy-exceptions-for-theme-assets.patch +++ b/patches/system/sepolicy/0002-Introduce-sepolicy-exceptions-for-theme-assets.patch @@ -1,7 +1,7 @@ -From 24ba87c1ec82d440abff46133b27162b43842273 Mon Sep 17 00:00:00 2001 +From 3ed524feda787229cef8076048e00c7933218ced Mon Sep 17 00:00:00 2001 
From: d34d Date: Wed, 4 Jan 2017 10:29:34 -0800 -Subject: [PATCH 2/9] Introduce sepolicy exceptions for theme assets +Subject: [PATCH 02/10] Introduce sepolicy exceptions for theme assets Assets such as composed icons and ringtones need to be accessed by apps. This patch adds the policy needed to facilitate this. @@ -100,5 +100,5 @@ index c6b343c..c650c17 100644 +allow zygote theme_data_file:file r_file_perms; +allow zygote theme_data_file:dir r_dir_perms; -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0003-sepolicy-fix-themed-boot-animation.patch b/patches/system/sepolicy/0003-sepolicy-fix-themed-boot-animation.patch index 47e477d..a0ec8be 100644 --- a/patches/system/sepolicy/0003-sepolicy-fix-themed-boot-animation.patch +++ b/patches/system/sepolicy/0003-sepolicy-fix-themed-boot-animation.patch @@ -1,7 +1,7 @@ -From e619ebc5b228930b19159bef7c4f1a293a097cc5 Mon Sep 17 00:00:00 2001 +From 9aa0995284f8eda8450d51963d813efcb1183c99 Mon Sep 17 00:00:00 2001 From: bigrushdog Date: Wed, 4 Jan 2017 10:31:29 -0800 -Subject: [PATCH 3/9] sepolicy: fix themed boot animation +Subject: [PATCH 03/10] sepolicy: fix themed boot animation W BootAnimation: type=1400 audit(0.0:42): avc: denied { open } for uid=1003 path="/data/system/theme/bootanimation.zip" dev="mmcblk0p42" ino=1657697 scontext=u:r:bootanim:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0 @@ -24,5 +24,5 @@ index 3ae9478..2356d81 100644 allow bootanim theme_data_file:file r_file_perms; +allow bootanim system_data_file:file open; -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0004-sepolicy-fix-themed-sounds.patch b/patches/system/sepolicy/0004-sepolicy-fix-themed-sounds.patch index 595da0b..3939a78 100644 --- a/patches/system/sepolicy/0004-sepolicy-fix-themed-sounds.patch +++ b/patches/system/sepolicy/0004-sepolicy-fix-themed-sounds.patch 
@@ -1,7 +1,7 @@ -From abc55e52d2ed586db46134e666b03f7ba9fe26f9 Mon Sep 17 00:00:00 2001 +From a6bc3717484d734ff09769887438fe7d6afd57fa Mon Sep 17 00:00:00 2001 From: George G Date: Wed, 8 Feb 2017 17:22:44 +0200 -Subject: [PATCH 4/9] sepolicy: fix themed sounds +Subject: [PATCH 04/10] sepolicy: fix themed sounds 02-08 17:26:48.011 18259-18259/? W/SoundPoolThread: type=1400 audit(0.0:31): avc: denied { read } for path="/data/system/theme/audio/ui/Lock.ogg" dev="dm-0" ino=1006317 scontext=u:r:drmserver:s0 tcontext=u:object_r:theme_data_file:s0 tclass=file permissive=0 @@ -23,5 +23,5 @@ index 9130e0b..6d3883f 100644 +allow drmserver theme_data_file:dir r_dir_perms; +allow drmserver theme_data_file:file r_file_perms; -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0005-initial-policy-edits-for-masquerade-to-operate-rootl.patch b/patches/system/sepolicy/0005-initial-policy-edits-for-masquerade-to-operate-rootl.patch index f5b3f24..a470c47 100644 --- a/patches/system/sepolicy/0005-initial-policy-edits-for-masquerade-to-operate-rootl.patch +++ b/patches/system/sepolicy/0005-initial-policy-edits-for-masquerade-to-operate-rootl.patch @@ -1,7 +1,7 @@ -From e1905bc1ed00099aa296b7a8a169ccf4bb4890ce Mon Sep 17 00:00:00 2001 +From 9cc52df64fe73ce52fc81b63895e69c8be0fca3c Mon Sep 17 00:00:00 2001 From: Surge1223 Date: Sat, 18 Feb 2017 08:46:15 -0600 -Subject: [PATCH 5/9] initial policy edits for masquerade to operate rootless +Subject: [PATCH 05/10] initial policy edits for masquerade to operate rootless Change-Id: Iddfc408f206033772b9d49d335ca94e63b5e5210 --- @@ -126,5 +126,5 @@ index b9a72ed..c2a5320 100644 ### neverallow rules ### -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0006-sepolicy-rename-masquerade-domain-and-allow-JobServi.patch b/patches/system/sepolicy/0006-sepolicy-rename-masquerade-domain-and-allow-JobServi.patch index ba6bb49..73389ac 100644 --- a/patches/system/sepolicy/0006-sepolicy-rename-masquerade-domain-and-allow-JobServi.patch 
+++ b/patches/system/sepolicy/0006-sepolicy-rename-masquerade-domain-and-allow-JobServi.patch @@ -1,7 +1,7 @@ -From da2fe9e937c56243d86fffa553be7c99e1fa3876 Mon Sep 17 00:00:00 2001 +From 45afc298e2f4bb658ac810c3aa3672d1ebee5571 Mon Sep 17 00:00:00 2001 From: Surge1223 Date: Tue, 21 Feb 2017 12:28:05 -0600 -Subject: [PATCH 6/9] sepolicy: rename masquerade domain and allow JobService +Subject: [PATCH 06/10] sepolicy: rename masquerade domain and allow JobService in system_server This attempts to address the issue of JobService being unable to process @@ -188,5 +188,5 @@ index 3ca8182..5e2a3a8 100644 allow system_server mediaextractor_service:service_manager find; allow system_server mediacodec_service:service_manager find; -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0007-sepolicy-allow-masquerade-to-read-and-write-theme-as.patch b/patches/system/sepolicy/0007-sepolicy-allow-masquerade-to-read-and-write-theme-as.patch index 405c3b2..8cb78bd 100644 --- a/patches/system/sepolicy/0007-sepolicy-allow-masquerade-to-read-and-write-theme-as.patch +++ b/patches/system/sepolicy/0007-sepolicy-allow-masquerade-to-read-and-write-theme-as.patch @@ -1,7 +1,8 @@ -From 08ce7639e5995fda422c3b3f3f0548a240077967 Mon Sep 17 00:00:00 2001 +From d265922f6a29e129ac222e323707dc0bd195d312 Mon Sep 17 00:00:00 2001 From: Surge1223 Date: Wed, 22 Feb 2017 20:45:04 -0600 -Subject: [PATCH 7/9] sepolicy: allow masquerade to read and write theme assets +Subject: [PATCH 07/10] sepolicy: allow masquerade to read and write theme + assets Fix for masquerade to handle theme assets including fonts and bootanimation, also takes into account when /data/system/theme doesnt exist @@ -35,5 +36,5 @@ index 949699c..2f17030 100644 +allow masquerade connectivity_service:service_manager find; +allow masquerade display_service:service_manager find; -- -2.9.3 +2.11.1 
diff --git a/patches/system/sepolicy/0008-sepolicy-Fix-application-of-bootanimation.patch b/patches/system/sepolicy/0008-sepolicy-Fix-application-of-bootanimation.patch index 88816ec..a8c64c7 100644 --- a/patches/system/sepolicy/0008-sepolicy-Fix-application-of-bootanimation.patch +++ b/patches/system/sepolicy/0008-sepolicy-Fix-application-of-bootanimation.patch @@ -1,7 +1,7 @@ -From 8644e2d8e88630abf338767b2dd9608b1d68ca1b Mon Sep 17 00:00:00 2001 +From 56099a5e7d5ccb4b9f38dd865be5fb43c4b6f247 Mon Sep 17 00:00:00 2001 From: Miccia Date: Mon, 27 Feb 2017 12:36:21 +0100 -Subject: [PATCH 8/9] sepolicy: Fix application of bootanimation +Subject: [PATCH 08/10] sepolicy: Fix application of bootanimation Change-Id: I7365d28fecf18b4d1aa42b2210e023b202dd97a5 --- @@ -33,5 +33,5 @@ index 5e2a3a8..c544803 100644 + +allow system_server theme_data_file:dir search; -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0009-sepolicy-Redo-masquerade-rules.patch b/patches/system/sepolicy/0009-sepolicy-Redo-masquerade-rules.patch index b14f98e..f98ab83 100644 --- a/patches/system/sepolicy/0009-sepolicy-Redo-masquerade-rules.patch +++ b/patches/system/sepolicy/0009-sepolicy-Redo-masquerade-rules.patch @@ -1,7 +1,7 @@ -From ea4fd1f19e8c37427e0b350faad177e8ccba1689 Mon Sep 17 00:00:00 2001 +From c75924e4334f4ac14a4bf7bce15cc2a93b191998 Mon Sep 17 00:00:00 2001 From: LuK1337 Date: Wed, 1 Mar 2017 23:11:49 +0100 -Subject: [PATCH 9/9] sepolicy: Redo masquerade rules +Subject: [PATCH 09/10] sepolicy: Redo masquerade rules * Use macros * Label custom properties @@ -140,5 +140,5 @@ index c544803..5262a79 100644 - -allow system_server theme_data_file:dir search; -- -2.9.3 +2.11.1 diff --git a/patches/system/sepolicy/0010-Welcome-to-Theme-Interfacer-2-2.patch b/patches/system/sepolicy/0010-Welcome-to-Theme-Interfacer-2-2.patch new file mode 100644 index 0000000..ebcdbbf --- /dev/null +++ b/patches/system/sepolicy/0010-Welcome-to-Theme-Interfacer-2-2.patch 
@@ -0,0 +1,257 @@ +From acece0611d57e0467c65af1fdbabe1ad7d793b4d Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sat, 4 Mar 2017 19:20:10 -0700 +Subject: [PATCH 10/10] Welcome to Theme Interfacer! [2/2] + +Change-Id: I4a28c8840957d385338529540e081eabd3135cc1 +Signed-off-by: Nathan Chancellor +--- + app.te | 2 +- + domain.te | 4 ++-- + interfacer.te | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + masquerade.te | 63 -------------------------------------------------------- + seapp_contexts | 2 +- + service.te | 2 +- + service_contexts | 2 +- + system_server.te | 2 +- + 8 files changed, 70 insertions(+), 70 deletions(-) + create mode 100644 interfacer.te + delete mode 100644 masquerade.te + +diff --git a/app.te b/app.te +index e6180e3..93fe3a4 100644 +--- a/app.te ++++ b/app.te +@@ -374,7 +374,7 @@ neverallow appdomain exec_type:file + # This is the default type for anything under /data not otherwise + # specified in file_contexts. Define a different type for portions + # that should be writable by apps. +-neverallow { appdomain -masquerade } system_data_file:dir_file_class_set ++neverallow { appdomain -interfacer } system_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; + + # Write to various other parts of /data. 
+diff --git a/domain.te b/domain.te +index 5bc5fcb..634f3bf 100644 +--- a/domain.te ++++ b/domain.te +@@ -381,7 +381,7 @@ neverallow { + -init # TODO: limit init to relabelfrom for files + -zygote + -installd +- -masquerade ++ -interfacer + -postinstall_dexopt + -cppreopts + -dex2oat +@@ -488,7 +488,7 @@ neverallow { + -system_server + -system_app + -init +- -masquerade ++ -interfacer + -installd # for relabelfrom and unlink, check for this in explicit neverallow + } system_data_file:file no_w_file_perms; + # do not grant anything greater than r_file_perms and relabelfrom unlink +diff --git a/interfacer.te b/interfacer.te +new file mode 100644 +index 0000000..45dcd6b +--- /dev/null ++++ b/interfacer.te +@@ -0,0 +1,63 @@ ++# ++# Theme Interfacer needs additional permissions when not running with system_server ++# projekt.interfacer. ++# ++# ++type interfacer, domain; ++ ++# Add Theme Interfacer to domains ++net_domain(interfacer) ++app_domain(interfacer) ++binder_service(interfacer) ++ ++# Modify system dalvik-cache ++allow interfacer dalvikcache_data_file:dir r_dir_perms; ++allow interfacer dalvikcache_data_file:file rw_file_perms; ++ ++# Read and write /data/data subdirectory. ++allow interfacer system_app_data_file:dir create_dir_perms; ++allow interfacer system_app_data_file:{ file lnk_file } create_file_perms; ++ ++# /data/resource-cache ++r_dir_file(interfacer, resourcecache_data_file) ++ ++# Read wallpaper file. ++allow interfacer wallpaper_file:file r_file_perms; ++ ++# Read icon file. ++allow interfacer icon_file:file r_file_perms; ++ ++# Set bootanimation ++allow interfacer bootanim:process { getsched setsched }; ++ ++# Backup of wallpaper imagery uses temporary hard links to avoid data churn ++allow interfacer { system_data_file wallpaper_file }:file link; ++ ++# Manage ringtones. ++allow interfacer ringtone_file:dir { create_dir_perms relabelto }; ++allow interfacer ringtone_file:file create_file_perms; ++ ++# System file accesses. 
++allow interfacer kernel:system module_request; ++allow interfacer system_data_file:dir create_dir_perms; ++allow interfacer system_data_file:file create_file_perms; ++allow interfacer system_file:dir { r_dir_perms rmdir }; ++ ++# Allow handling of theme assets ++allow interfacer theme_data_file:dir create_dir_perms; ++allow interfacer theme_data_file:file create_file_perms; ++ ++# Modify system properties ++set_prop(interfacer, theme_prop) ++ ++# Edit files in /sdcard ++allow interfacer media_rw_data_file:dir rw_dir_perms; ++allow interfacer media_rw_data_file:file rw_file_perms; ++ ++# Services ++allow interfacer activity_service:service_manager find; ++allow interfacer connectivity_service:service_manager find; ++allow interfacer display_service:service_manager find; ++allow interfacer mount_service:service_manager find; ++allow interfacer network_management_service:service_manager find; ++allow interfacer overlay_service:service_manager find; +diff --git a/masquerade.te b/masquerade.te +deleted file mode 100644 +index 6fbc5e1..0000000 +--- a/masquerade.te ++++ /dev/null +@@ -1,63 +0,0 @@ +-# +-# Masquerade needs additional permissions when not running with system_server +-# masquerade.substratum. +-# +-# +-type masquerade, domain; +- +-# Add masquerade to domains +-net_domain(masquerade) +-app_domain(masquerade) +-binder_service(masquerade) +- +-# Modify system dalvik-cache +-allow masquerade dalvikcache_data_file:dir r_dir_perms; +-allow masquerade dalvikcache_data_file:file rw_file_perms; +- +-# Read and write /data/data subdirectory. +-allow masquerade system_app_data_file:dir create_dir_perms; +-allow masquerade system_app_data_file:{ file lnk_file } create_file_perms; +- +-# /data/resource-cache +-r_dir_file(masquerade, resourcecache_data_file) +- +-# Read wallpaper file. +-allow masquerade wallpaper_file:file r_file_perms; +- +-# Read icon file. 
+-allow masquerade icon_file:file r_file_perms; +- +-# Set bootanimation +-allow masquerade bootanim:process { getsched setsched }; +- +-# Backup of wallpaper imagery uses temporary hard links to avoid data churn +-allow masquerade { system_data_file wallpaper_file }:file link; +- +-# Manage ringtones. +-allow masquerade ringtone_file:dir { create_dir_perms relabelto }; +-allow masquerade ringtone_file:file create_file_perms; +- +-# System file accesses. +-allow masquerade kernel:system module_request; +-allow masquerade system_data_file:dir create_dir_perms; +-allow masquerade system_data_file:file create_file_perms; +-allow masquerade system_file:dir { r_dir_perms rmdir }; +- +-# Allow handling of theme assets +-allow masquerade theme_data_file:dir create_dir_perms; +-allow masquerade theme_data_file:file create_file_perms; +- +-# Modify system properties +-set_prop(masquerade, theme_prop) +- +-# Edit files in /sdcard +-allow masquerade media_rw_data_file:dir rw_dir_perms; +-allow masquerade media_rw_data_file:file rw_file_perms; +- +-# Services +-allow masquerade activity_service:service_manager find; +-allow masquerade connectivity_service:service_manager find; +-allow masquerade display_service:service_manager find; +-allow masquerade mount_service:service_manager find; +-allow masquerade network_management_service:service_manager find; +-allow masquerade overlay_service:service_manager find; +diff --git a/seapp_contexts b/seapp_contexts +index bbf8b78..5dc518d 100644 +--- a/seapp_contexts ++++ b/seapp_contexts +@@ -97,4 +97,4 @@ user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user + user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all + user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user + user=_app domain=untrusted_app type=app_data_file levelFrom=user +-user=system isPrivApp=true domain=masquerade seinfo=platform name=masquerade.substratum type=system_app_data_file 
++user=system isPrivApp=true domain=interfacer seinfo=platform name=projekt.interfacer type=system_app_data_file +diff --git a/service.te b/service.te +index efa08e7..5818897 100644 +--- a/service.te ++++ b/service.te +@@ -63,12 +63,12 @@ type hardware_properties_service, app_api_service, system_server_service, servic + type hdmi_control_service, system_api_service, system_server_service, service_manager_type; + type input_method_service, app_api_service, system_server_service, service_manager_type; + type input_service, app_api_service, system_server_service, service_manager_type; ++type interfacer_service, app_api_service, system_server_service, service_manager_type; + type imms_service, app_api_service, system_server_service, service_manager_type; + type jobscheduler_service, app_api_service, system_server_service, service_manager_type; + type launcherapps_service, app_api_service, system_server_service, service_manager_type; + type location_service, app_api_service, system_server_service, service_manager_type; + type lock_settings_service, system_api_service, system_server_service, service_manager_type; +-type masquerade_service, app_api_service, system_server_service, service_manager_type; + type media_projection_service, app_api_service, system_server_service, service_manager_type; + type media_router_service, app_api_service, system_server_service, service_manager_type; + type media_session_service, app_api_service, system_server_service, service_manager_type; +diff --git a/service_contexts b/service_contexts +index b831312..c38c017 100644 +--- a/service_contexts ++++ b/service_contexts +@@ -57,6 +57,7 @@ iphonesubinfo2 u:object_r:radio_service:s0 + iphonesubinfo u:object_r:radio_service:s0 + ims u:object_r:radio_service:s0 + imms u:object_r:imms_service:s0 ++interfacer u:object_r:interfacer_service:s0 + isms_msim u:object_r:radio_service:s0 + isms2 u:object_r:radio_service:s0 + isms u:object_r:radio_service:s0 +@@ -65,7 +66,6 @@ jobscheduler 
u:object_r:jobscheduler_service:s0 + launcherapps u:object_r:launcherapps_service:s0 + location u:object_r:location_service:s0 + lock_settings u:object_r:lock_settings_service:s0 +-masquerade u:object_r:masquerade_service:s0 + media.audio_flinger u:object_r:audioserver_service:s0 + media.audio_policy u:object_r:audioserver_service:s0 + media.camera u:object_r:cameraserver_service:s0 +diff --git a/system_server.te b/system_server.te +index 5262a79..a30a09e 100644 +--- a/system_server.te ++++ b/system_server.te +@@ -438,7 +438,7 @@ allow system_server batteryproperties_service:service_manager find; + allow system_server keystore_service:service_manager find; + allow system_server gatekeeper_service:service_manager find; + allow system_server fingerprintd_service:service_manager find; +-allow system_server masquerade_service:service_manager find; ++allow system_server interfacer_service:service_manager find; + allow system_server mediaserver_service:service_manager find; + allow system_server mediaextractor_service:service_manager find; + allow system_server mediacodec_service:service_manager find; +-- +2.11.1 +
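Review bot: The rules `allow interfacer dalvikcache_data_file:file rw_file_perms;`, `allow interfacer system_data_file:dir create_dir_perms;` and `allow interfacer system_data_file:file create_file_perms;` in the new interfacer.te, together with the `-interfacer` carve-outs in the app.te and domain.te neverallow blocks, let a platform-signed app domain write to the compiled-code cache and to everything labelled system_data_file, which is exactly what those AOSP neverallow rules exist to deny every appdomain. The rules are copied verbatim from the deleted masquerade.te, so this commit does not widen them, but the new file documents none of them beyond the heading "System file accesses.", so nobody can later tell which operation needs which rule or whether it can be narrowed (for instance whether creating /data/system/theme when it is absent needs more than create on the parent directory plus relabelto theme_data_file, which the file already labels separately). Each of those three rules, and the two neverallow exemptions, should carry a one-line comment naming the concrete operation that requires it, e.g. `# Needed for <operation — fill in>: writes to /data/dalvik-cache are otherwise denied to all appdomains`. The seapp_contexts entry scopes the domain to `seinfo=platform` and `name=projekt.interfacer`, which correctly limits it to the platform-signed package; that belongs in the interfacer.te header comment too, as it is the only thing keeping these permissions out of reach of other apps.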