platform_system_sepolicy/private/compat/30.0/30.0.compat.cil

;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
;; will be compiled along with other normal policy files, on 30.0 vendors.
;;

(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))

;; TODO: Once 30.0 is no longer supported for vendor images,
;; mlsvendorcompat can be completely from the system policy.
(typeattributeset mlsvendorcompat (and appdomain vendordomain))
(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
Add comments on compat files To prevent further confusion. Bug: 258029505 Test: manual Change-Id: Iaa145e4480833a224b1a07fc68adb7d3e8a36e4b 2023-01-30 08:27:37 +01:00			`;; complement CIL file for compatibility between ToT policy and 30.0 vendors.`
			`;; will be compiled along with other normal policy files, on 30.0 vendors.`
			`;;`

Exempt older vendor images from recent mls changes. We no longer allow apps with mlstrustedsubject access to app_data_file or privapp_data_file. For compatibility we grant access to all apps on vendor images for SDK <= 30, whether mlstrustedsubject or not. (The ones that are not already have access, but that is harmless.) Additionally we have started adding categories to system_data_file etc. We treat these older vendor apps as trusted for those types only. The result is that apps on older vendor images still have all the access they used to but no new access. We add a neverallow to prevent the compatibility attribute being abused. Test: builds Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad 2020-11-16 19:10:33 +01:00			`(typeattribute vendordomain)`
			`(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))`

Add a TODO to remove mlsvendorcompat. One day we won't need this mechanism any more & can remove all traces of it. Bug: 141677108 Test: builds Change-Id: I95525a163ab4f19d8ca411c02a3c06498c6777ef 2020-11-23 13:24:44 +01:00			`;; TODO: Once 30.0 is no longer supported for vendor images,`
			`;; mlsvendorcompat can be completely from the system policy.`
Exempt older vendor images from recent mls changes. We no longer allow apps with mlstrustedsubject access to app_data_file or privapp_data_file. For compatibility we grant access to all apps on vendor images for SDK <= 30, whether mlstrustedsubject or not. (The ones that are not already have access, but that is harmless.) Additionally we have started adding categories to system_data_file etc. We treat these older vendor apps as trusted for those types only. The result is that apps on older vendor images still have all the access they used to but no new access. We add a neverallow to prevent the compatibility attribute being abused. Test: builds Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad 2020-11-16 19:10:33 +01:00			`(typeattributeset mlsvendorcompat (and appdomain vendordomain))`
			`(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))`
			`(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))`
			`(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))`
			`(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))`