tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/priv_app.te

275 lines
11 KiB
Text
Raw Normal View History

Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
###
### A domain for further sandboxing privileged apps.
###
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
typeattribute priv_app coredomain;
Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 20:23:34 +01:00
app_domain(priv_app)
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Access the network.
net_domain(priv_app)
# Access bluetooth.
bluetooth_domain(priv_app)
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
drop priv_app app_data_file:file execute; system/sepolicy commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c introduced a new type called privapp_data_file. This type is used to label priv-app's /home files. For backwards compatibility, priv-app rules involving normal app_data_files were preserved. Subsequently, system/sepolicy commit 5d1755194a841ab727467a30757fd1606cef905b assigned the file label privapp_data_file to /home files owned by priv-apps. Because of the previous labeling of priv-app data files, priv-apps were granted the ability to mmap(PROT_EXEC) any other app's /home files, regardless of how trustworthy or untrustworthy those files were. Commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c preserved the status quo. However, now that we have a more refined label for priv-app /home files, we no longer need to be as permissive. Drop the ability for priv-apps to map executable code from untrusted_apps home directories. "execute" is removed in this change, and "execute_no_trans" was previously removed in commit 8fb4cb8bc20b999d69210f6fc6b552c6e22b8e09. Add a neverallow assertion (compile time assertion + CTS test) to prevent regressions. Further clarify why we need to support priv-apps loading executable code from their own home directories, at least for now. b/112037137 covers further tightening we can do in this area. Bug: 112357170 Test: Device boots and no problems. Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
2018-10-28 00:20:38 +02:00
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
# 1) com.android.opengl.shaders_cache
# 2) com.android.skia.shaders_cache
# 3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
Allow priv_app system_linker_exec:file execute_no_trans Chrome Crashpad uses the the dynamic linker to load native executables from an APK (b/112050209, crbug.com/928422) We made the equivalent change to untrusted_app_all in 9ea8c0701d162ec40d30b079778723d908e0edca but webview also runs in priv_app contexts. Bug: http://b/112050209 Test: treehugger Change-Id: I19bbadc7f9c9e668e2c6d932c7da24f18e7731bd
2021-02-10 19:07:45 +01:00
# Chrome Crashpad uses the the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
allow priv_app system_linker_exec:file execute_no_trans;
disallow priv-apps from following untrusted app symlinks. Untrustworthy symlinks dereferenced by priv-apps could cause those apps to access files they weren't intending to access. Trusted components such as priv-apps should never trust untrustworthy symlinks from untrusted apps. Modify the rules and add a neverallow assertion to prevent regressions. Bug: 123350324 Test: device boots and no obvious problems. Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
2019-01-24 22:05:03 +01:00
allow priv_app privapp_data_file:lnk_file create_file_perms;
Clarify priv_app.te. No semantic changes. Just trying to make this easier to understand: - Separate out common bundles of services from individual services (the naming doesn't make this obvious). - Comment the common ones. - Put related binder_call and service_manager:find rules together. Test: Builds Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
2019-03-22 00:52:30 +01:00
# Priv apps can find services that expose both @SystemAPI and normal APIs.
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app app_api_service:service_manager find;
Clarify priv_app.te. No semantic changes. Just trying to make this easier to understand: - Separate out common bundles of services from individual services (the naming doesn't make this obvious). - Comment the common ones. - Put related binder_call and service_manager:find rules together. Test: Builds Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
2019-03-22 00:52:30 +01:00
allow priv_app system_api_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app mediametrics_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app mediaserver_service:service_manager find;
Add sepolicy for music recognition service. Denial when not listed in priv_app.te: E SELinux : avc: denied { find } for pid=3213 uid=10170 name=music_recognition scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:music_recognition_service:s0 tclass=service_manager permissive=0 Bug: 158194857 Test: patched and tested on internal master Change-Id: I30e9ea79a57d9c353b732b629bd5a829c89bbcb0
2020-09-18 09:47:05 +02:00
allow priv_app music_recognition_service:service_manager find;
Add network watchlist service SELinux policy rules Bug: 63908748 Test: built, flashed, able to boot Change-Id: I3cfead1d687112b5f8cd485c8f84083c566fbce2
2017-11-13 18:52:05 +01:00
allow priv_app network_watchlist_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app nfc_service:service_manager find;
SE Linux policies for OemLockService Bug: 34766843 Test: gts-tradefed run gts -m GtsBootloaderServiceTestCases -t \ com.google.android.bootloader.gts.BootloaderServiceTest Change-Id: I8b939e0dbe8351a54f20c303921f606c3462c17d
2017-02-17 14:51:32 +01:00
allow priv_app oem_lock_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app persistent_data_block_service:service_manager find;
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app radio_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app recovery_service:service_manager find;
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app stats_service:service_manager find;
Game Driver: sepolicy update for plumbing GpuStats into GpuService Allow all the app process with GUI to send GPU health metrics stats to GpuService during the GraphicsEnvironment setup stage for the process. Bug: 123529932 Test: Build, flash and boot. No selinux denials. Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
2019-02-08 00:00:55 +01:00
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
priv_app: allow reading /cache symlink Addresses the following denial: avc: denied { read } for name="cache" dev="dm-0" ino=2755 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0 which occurs when a priv-app attempts to follow the /cache symlink. This symlink occurs on devices which don't have a /cache partition, but rather symlink /cache to /data/cache. Bug: 34644911 Test: Policy compiles. Change-Id: I9e052aeb0c98bac74fa9225b9253b1537ffa5adc
2017-01-24 07:19:06 +01:00
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
Adding ability for priv apps to read traceur fd Only untrusted apps had privilegs to read file descriptors passed in from traceur, which was an oversight. This fixes the policy so that priv apps can also access file descriptors from traceur in order to read reports shared from traceur. Bug: 74435522 Test: better bug has access to reports shared from traceur Change-Id: I591872cdac31eec62edbc81d95f1220f1152427f
2018-03-13 17:56:27 +01:00
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
Allow betterbug to read profile reports generated by profcollect Test: presubmit Change-Id: I833c0ebaa27a0c8feddf23e4b648ee067c41ae2b
2021-03-17 18:45:52 +01:00
# Allow betterbug to read profile reports generated by profcollect.
userdebug_or_eng(`
allow priv_app profcollectd_data_file:file r_file_perms;
')
Allow dumpstate to snapshot traces and attach them to bug reports Feature description: if a background trace is happening at the time dumpstate is invoked, the tracing daemon will snapshot the trace into a fixed path (/data/misc/perfetto-traces/bugreport/). Dumpstate will attach the trace, if present, to the bugreport. From a SELinux viewpoint this involves the following permissions: - Allow dumpstate to exec+trans perfetto --save-for-bugreport (this will just send an IPC to traced, which will save the trace). - Allow dumpstate to list, read and unlink the trace file. - Create a dedicated label for bugreport traces, to prevent that dumpstate gets access to other traces not meant for bug reporting. Note that this does NOT allow dumpstate to serialze arbitary traces. Traces must be marked as "eligible for bugreport" upfront in the trace config (which is not under dumpstate control), by setting bugreport_score > 0. Design doc: go/perfetto-betterbug Bug: 170334305 Test: manual: 1. start a perfetto trace with bugreport_score > 0 2. adb shell dumpstate 3. check that the bugreport zip contains the trace Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
2021-01-07 18:12:21 +01:00
# Allow the bug reporting frontend to read the presence and timestamp of the
# trace attached to the bugreport (but not its contents, which will go in the
# usual bugreport .zip file). This is used by the bug reporting UI to tell if
# the bugreport will contain a system trace or not while the bugreport is still
# in progress.
Grant BetterBug access ot WM traces attributes Currently BetterBug (privileged app) cannot access the details form /data/misc/wmtrace. Test: access a trace from /data/misc/wmtrace/ in betterbug Change-Id: I4cf864ab4729e85f05df8f9e601a75ff8b92bdc8
2021-11-25 14:57:24 +01:00
allow priv_app wm_trace_data_file:dir r_dir_perms;
allow priv_app wm_trace_data_file:file getattr;
Allow dumpstate to snapshot traces and attach them to bug reports Feature description: if a background trace is happening at the time dumpstate is invoked, the tracing daemon will snapshot the trace into a fixed path (/data/misc/perfetto-traces/bugreport/). Dumpstate will attach the trace, if present, to the bugreport. From a SELinux viewpoint this involves the following permissions: - Allow dumpstate to exec+trans perfetto --save-for-bugreport (this will just send an IPC to traced, which will save the trace). - Allow dumpstate to list, read and unlink the trace file. - Create a dedicated label for bugreport traces, to prevent that dumpstate gets access to other traces not meant for bug reporting. Note that this does NOT allow dumpstate to serialze arbitary traces. Traces must be marked as "eligible for bugreport" upfront in the trace config (which is not under dumpstate control), by setting bugreport_score > 0. Design doc: go/perfetto-betterbug Bug: 170334305 Test: manual: 1. start a perfetto trace with bugreport_score > 0 2. adb shell dumpstate 3. check that the bugreport zip contains the trace Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
2021-01-07 18:12:21 +01:00
allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
Allow shell + priv_app to traverse /data/misc/perfetto-traces This is a follow-up to r.android.com/1542764. 1. In order to allow priv_app to stat(/data/misc/perfetto-traces/bugreport/*) we need also the `search` permission to traverse the parent directory /data/misc/perfetto-traces. 2. Allow shell to read the new bugreport/ directory. shell can read bugreports anyways and this is needed for CTS tests. Bug: 177761174 Bug: 177684571 Test: manual (changpa@) Change-Id: I39d6a1c7941bcdcdc314a7538c0accfd37c52ca2
2021-01-18 10:26:57 +01:00
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
Allow dumpstate to snapshot traces and attach them to bug reports Feature description: if a background trace is happening at the time dumpstate is invoked, the tracing daemon will snapshot the trace into a fixed path (/data/misc/perfetto-traces/bugreport/). Dumpstate will attach the trace, if present, to the bugreport. From a SELinux viewpoint this involves the following permissions: - Allow dumpstate to exec+trans perfetto --save-for-bugreport (this will just send an IPC to traced, which will save the trace). - Allow dumpstate to list, read and unlink the trace file. - Create a dedicated label for bugreport traces, to prevent that dumpstate gets access to other traces not meant for bug reporting. Note that this does NOT allow dumpstate to serialze arbitary traces. Traces must be marked as "eligible for bugreport" upfront in the trace config (which is not under dumpstate control), by setting bugreport_score > 0. Design doc: go/perfetto-betterbug Bug: 170334305 Test: manual: 1. start a perfetto trace with bugreport_score > 0 2. adb shell dumpstate 3. check that the bugreport zip contains the trace Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
2021-01-07 18:12:21 +01:00
sepolicy: add permissions for trace reporting Bug: 205892741 Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2021-12-10 22:50:44 +01:00
# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
# the framework (i.e. TracingServiceProxy) and sendfile them into their private
# directories for reporting when network and battery conditions are
# appropriate.
allow priv_app perfetto:fd use;
allow priv_app perfetto_traces_data_file:file { read getattr };
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
priv_app: remove access to 'proc' and 'sysfs' types. Bug: 65643247 Test: walleye boots with no denials from priv_app. Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
2017-12-09 00:37:01 +01:00
# /proc access
allow priv_app {
proc_vmstat
}:file r_file_perms;
allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
r_dir_file(priv_app, rootfs)
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
priv_app.te: Remove auditallow for statsd From go/sedenials, we see that com.android.vending needs this permission. The auditallow was in place to see if any priv-apps other than GMS core need this, and now we know. Bug: 142672293 Test: Treehugger Change-Id: Iad6caeb648bc23e85571b758a35649924cdeec69
2019-12-13 22:30:53 +01:00
# Allow com.android.vending to communicate with statsd.
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
binder_call(priv_app, statsd)
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
# Access to /data/preloads
allow priv_app preloads_data_file:file r_file_perms;
allow priv_app preloads_data_file:dir r_dir_perms;
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 19:42:03 +01:00
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-08 00:11:39 +01:00
read_runtime_log_tags(priv_app)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
Allow Java domains to be Perfetto producers. This is needed to get Java heap graphs. Test: flash aosp; profile system_server with setenforce 1 Bug: 136210868 Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-08 17:15:14 +02:00
perfetto_producer(priv_app)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
Allow incidentd to communicate with clients over pipes. Previously we dumped the data into dropbox. This improves a couple things: - We write into dropbox via the fd, so dropbox doesn't pull from the incidentd directory anymore. - There is a new API to for priv apps to explicitly read incident reports. That gives incidentd finer grained control over who can read it (specifically, it only allows apps to access the incident reports they requested, or were requested for them via statsd, instead of getting DUMP and reading whatever they want from dropbox). Test: bit incident_test:* GtsIncidentManagerTestCases:* Bug: 123543706 Change-Id: I9a323e372c4ff95d91419a61e8a20ea5a3a860a5
2019-03-16 23:45:45 +01:00
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow priv_app incident_service:service_manager find;
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };
initial policy for traced_perf daemon (perf profiler) The steps involved in setting up profiling and stack unwinding are described in detail at go/perfetto-perf-android. To summarize the interesting case: the daemon uses cpu-wide perf_event_open, with userspace stack and register sampling on. For each sample, it identifies whether the process is profileable, and obtains the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the bionic signal handler handing over the FDs over a dedicated socket). It then uses libunwindstack to unwind & symbolize the stacks, sending the results to the central tracing daemon (traced). This patch covers the app profiling use-cases. Splitting out the "profile most things on debug builds" into a separate patch for easier review. Most of the exceptions in domain.te & coredomain.te come from the "vendor_file_type" allow-rule. We want a subset of that (effectively all libraries/executables), but I believe that in practice it's hard to use just the specific subtypes, and we're better off allowing access to all vendor_file_type files. Bug: 137092007 Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 20:16:13 +01:00
# Allow profiling if the app opts in by being marked profileable/debuggable.
Allow heap profiling of certain app domains on user builds This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
can_profile_heap(priv_app)
initial policy for traced_perf daemon (perf profiler) The steps involved in setting up profiling and stack unwinding are described in detail at go/perfetto-perf-android. To summarize the interesting case: the daemon uses cpu-wide perf_event_open, with userspace stack and register sampling on. For each sample, it identifies whether the process is profileable, and obtains the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the bionic signal handler handing over the FDs over a dedicated socket). It then uses libunwindstack to unwind & symbolize the stacks, sending the results to the central tracing daemon (traced). This patch covers the app profiling use-cases. Splitting out the "profile most things on debug builds" into a separate patch for easier review. Most of the exceptions in domain.te & coredomain.te come from the "vendor_file_type" allow-rule. We want a subset of that (effectively all libraries/executables), but I believe that in practice it's hard to use just the specific subtypes, and we're better off allowing access to all vendor_file_type files. Bug: 137092007 Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 20:16:13 +01:00
can_profile_perf(priv_app)
Allow heap profiling of certain app domains on user builds This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
Sepolicy: add dynamic_system_prop and allow shell and system_app (Settings) to set it to enable Dynamic System Update. Also allow priv_app (user of the API) to read it. Bug: 119647479 Bug: 129060539 Test: run the following command on crosshatch-user: adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1 Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8 Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
2019-04-26 10:14:52 +02:00
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
Suppress denials for non-API access avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:wifi_prop:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file Bug: 72151306 Test: build Change-Id: I4b658ccd128746356f635ca7955385a89609eea1
2018-01-18 17:55:02 +01:00
# suppress denials for non-API accesses.
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
dontaudit priv_app exec_type:file getattr;
priv_app: move logspam suppression to core policy No sign of these denials getting cleaned up, so supress them in core policy. Test: build Change-Id: I0320425cb72cbd15cef0762090899491338d4f7c
2017-10-20 22:35:42 +02:00
dontaudit priv_app device:dir read;
Remove some priv_app logspam. avc: denied { search } for name="/" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:fs_bpf:s0 tclass=dir permissive=0 Bug: 72749888 Test: Boot without seeing the denial. Change-Id: Iaf3559928473c68066e6a42ba71655a683861901
2018-04-21 00:27:21 +02:00
dontaudit priv_app fs_bpf:dir search;
priv_app: remove more logspam avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e (cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)
2018-04-04 23:36:13 +02:00
dontaudit priv_app net_dns_prop:file read;
priv_app: remove access to 'proc' and 'sysfs' types. Bug: 65643247 Test: walleye boots with no denials from priv_app. Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
2017-12-09 00:37:01 +01:00
dontaudit priv_app proc:file read;
priv_app: move logspam suppression to core policy No sign of these denials getting cleaned up, so supress them in core policy. Test: build Change-Id: I0320425cb72cbd15cef0762090899491338d4f7c
2017-10-20 22:35:42 +02:00
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
priv_app: suppress denials to proc_net avc: denied { read } for comm="UserFacing3" name="arp" dev="proc" ino=4026532043 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.google.android.googlequicksearchbox Bug: 132376360 Test: m selinux_policy Change-Id: I6ebe8b6806268f31885026a81ebea0ed15b532d2
2019-05-10 01:14:04 +02:00
dontaudit priv_app proc_net:file read;
priv_app: suppress denials for /proc/stat Bug: 72668919 Test: build Change-Id: Id156b40a572dc0dbfae4500865400939985949d9
2018-01-30 05:50:59 +01:00
dontaudit priv_app proc_stat:file read;
Suppress denials for non-API access avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:wifi_prop:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file Bug: 72151306 Test: build Change-Id: I4b658ccd128746356f635ca7955385a89609eea1
2018-01-18 17:55:02 +01:00
dontaudit priv_app proc_version:file read;
priv_app: remove more logspam avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e (cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)
2018-04-04 23:36:13 +02:00
dontaudit priv_app sysfs:dir read;
priv_app: dontaudit read access to default sysfs label Suppress selinux logspam for non-API files in /sys. Bug: 110914297 Test: build Change-Id: I9b3bcf2dbf80f282ae5c74b61df360c85d02483c
2018-06-29 20:04:24 +02:00
dontaudit priv_app sysfs:file read;
priv_app: remove more logspam avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e (cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)
2018-04-04 23:36:13 +02:00
dontaudit priv_app sysfs_android_usb:file read;
priv_app: supress more snet selinux denial on sysfs Bug: 143294492 Test: build Change-Id: I55c9baf7f55d9ab36bf1509ca466e0747c49567d
2019-10-25 11:01:40 +02:00
dontaudit priv_app sysfs_dm:file r_file_perms;
Add wifi_hal_prop and remove exported_wifi_prop To remove bad context names "exported*_prop" Bug: 155844385 Test: boot and see no denials Change-Id: Icd30be64355699618735d4012461835eca8cd651 Merged-In: Icd30be64355699618735d4012461835eca8cd651 (cherry picked from commit 37c2d4d0c9669f3c7590f3dfccfac3c9725d1b5a) (cherry picked from commit 3b66e9b9f855ad0694efed405a30d64265854784)
2020-06-25 14:20:42 +02:00
dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-15 03:20:30 +01:00
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
Allow getsockopt and setsockopt for Encap Sockets Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-03-27 15:34:54 +02:00
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-15 03:20:30 +01:00
permissions for incremental control file === for mounting and create file === 02-12 21:09:41.828 593 593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.841 1429 1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === for reading signature from file === 02-12 21:09:47.931 8972 8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:47.994 1429 1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 02-12 21:09:50.034 8972 8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:52.914 1429 1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === data loader app reading from log file === 02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 Test: manual with incremental installation BUG: 133435829 Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
2020-02-13 17:38:36 +01:00
# allow apps like Phonesky to check the file signature of an apk installed on
[selinux] allow priv_app to get incremental progress This allows phonesky to get incremental install progress. Addresses denial message like below: W/BlockingExecuto: type=1400 audit(0.0:5582): avc: denied { ioctl } for path="/data/incremental/MT_data_app_vmdl133/mount/.index/04abf89d12c3fe8f6fe9b381a670255c" dev="incremental-fs" ino=52957 ioctlcmd=0x6722 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.android.vending Test: builds BUG: 172965880 Change-Id: Ibecd4e07746e7bb3ca6bdf762382744b38f677cb
2021-02-09 23:33:24 +01:00
# the Incremental File System, fill missing blocks and get the app status and loading progress
IncFS: update SE policies for the new API IncFS in S adds a bunch of new ioctls, and requires the users to read its features in sysfs directory. This change adds all the features, maps them into the processes that need to call into them, and allows any incfs user to query the features Bug: 170231230 Test: incremental unit tests Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
2021-01-15 06:01:25 +01:00
allowxperm priv_app apk_data_file:file ioctl {
INCFS_IOCTL_READ_SIGNATURE
INCFS_IOCTL_FILL_BLOCKS
INCFS_IOCTL_GET_BLOCK_COUNT
[selinux] allow priv_app to get incremental progress This allows phonesky to get incremental install progress. Addresses denial message like below: W/BlockingExecuto: type=1400 audit(0.0:5582): avc: denied { ioctl } for path="/data/incremental/MT_data_app_vmdl133/mount/.index/04abf89d12c3fe8f6fe9b381a670255c" dev="incremental-fs" ino=52957 ioctlcmd=0x6722 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.android.vending Test: builds BUG: 172965880 Change-Id: Ibecd4e07746e7bb3ca6bdf762382744b38f677cb
2021-02-09 23:33:24 +01:00
INCFS_IOCTL_GET_FILLED_BLOCKS
IncFS: update SE policies for the new API IncFS in S adds a bunch of new ioctls, and requires the users to read its features in sysfs directory. This change adds all the features, maps them into the processes that need to call into them, and allows any incfs user to query the features Bug: 170231230 Test: incremental unit tests Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
2021-01-15 06:01:25 +01:00
};
permissions for incremental control file === for mounting and create file === 02-12 21:09:41.828 593 593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.841 1429 1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === for reading signature from file === 02-12 21:09:47.931 8972 8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:47.994 1429 1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 02-12 21:09:50.034 8972 8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:52.914 1429 1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === data loader app reading from log file === 02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 Test: manual with incremental installation BUG: 133435829 Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
2020-02-13 17:38:36 +01:00
allow priv_apps to read from incremental_control_file Denial messages: 02-21 20:19:41.817 1439 1439 I Binder:1439_3: type=1400 audit(0.0:1851): avc: denied { read } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-21 20:19:41.817 20337 20337 I Binder:20337_2: type=1400 audit(0.0:1852): avc: denied { getattr } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending Test: manual Change-Id: Ie188f294ea2a6aff71a49a6f17679c3cf810b69d
2020-02-22 02:41:40 +01:00
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
[selinux] permissions on new ioctls for filling blocks (Cherry-picking) Denial messages: 03-17 20:30:54.274 1445 1445 I PackageInstalle: type=1400 audit(0.0:6): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313134353234353836342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 03-17 20:30:54.274 1445 1445 I PackageInstalle: type=1400 audit(0.0:7): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_1145245864/mount/.index/2b300000000000000000000000000000" dev="incremental-fs" ino=6794 ioctlcmd=0x6720 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:13): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3537383539353635322F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending 03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:14): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_578595652/mount/.index/626173652e61706b0000000000000000" dev="incremental-fs" ino=5810 ioctlcmd=0x6720 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending Test: manual BUG: 150809360 Merged-In: If43fa9edad0848a59c0712b124adfcdbbd0c99a4 Change-Id: I10e95caba43e1e1c272b59b7191b36b1cff4ff67
2020-03-18 02:30:34 +01:00
allow priv_app incremental_control_file:file { read getattr ioctl };
# allow apps like Phonesky to request permission to fill blocks of an apk file
# on the Incremental File System.
allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
allow priv_apps to read from incremental_control_file Denial messages: 02-21 20:19:41.817 1439 1439 I Binder:1439_3: type=1400 audit(0.0:1851): avc: denied { read } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-21 20:19:41.817 20337 20337 I Binder:20337_2: type=1400 audit(0.0:1852): avc: denied { getattr } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending Test: manual Change-Id: Ie188f294ea2a6aff71a49a6f17679c3cf810b69d
2020-02-22 02:41:40 +01:00
Allow dataloaders (priv_app) access to IncFs enabled property. Bug: 179395351 Test: install an app incrementally using dev phonesky Change-Id: I47496622ecef3f5552126a96d88cc0732cdf5dce
2021-02-04 23:41:41 +01:00
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
get_prop(priv_app, incremental_prop)
Allow priv_app to search apex_data_file and read staging_data_file This changes are necessary to make files under /data/apex/active be readable by Phonesky. Test: builds Bug: 154635217 Merged-In: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 Change-Id: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 (cherry picked from commit 89d43a51bae00bd805db222508e42021b432c414)
2020-04-22 01:04:04 +02:00
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
Allow priv_app read access to /data/app-staging directory During staged installation, we no longer create duplicate sessions for verification purpose. Instead, we send the original files in /data/app-staging folder to package verifiers for verification. That means, Phonesky needs access to /data/app-staging folder to be able to verify the apks inside it. Bug: 175163376 Test: atest StagedInstallTest#testPlayStoreCanReadAppStagingDir Test: atest StagedInstallTest#testAppStagingFolderCannotBeReadByNonPrivApps Change-Id: I5cbb4c8b7dceb63954c747180b39b4a21d2463af
2020-12-10 22:48:51 +01:00
# Required for Phonesky to be able to read staged files under /data/app-staging.
allow priv_app staging_data_file:dir r_dir_perms;
Allow priv_app to search apex_data_file and read staging_data_file This changes are necessary to make files under /data/apex/active be readable by Phonesky. Test: builds Bug: 154635217 Merged-In: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 Change-Id: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 (cherry picked from commit 89d43a51bae00bd805db222508e42021b432c414)
2020-04-22 01:04:04 +02:00
Allow private app to access system app data file for ContentProvider For ContentProvider case, private app can not access system app data. So we added this rule to solve this issue. Bug: 157448040 Test: <Before modifying the rules, when the private app accesses files in the app-specific directory shared by the system app through the ContentProvider, the system will report selinux permission issue. After modifying the rules and compiling the new version, the private app can access the files in the app-specific directory shared by the system app through the ContentProvider without any permission issues.> Change-Id: I2433a6808d899c3729c6aa37c6c2d955e91e54a3
2020-06-17 11:57:25 +02:00
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
Allow priv_app to run the renderscript compiler. Bug: 157478854 Test: manual test and check selinux log in logcat. Change-Id: I0bebcc6b8e4ad7dfeeb0d1c20b3d093fd48891de
2021-06-09 18:36:39 +02:00
# Allow the renderscript compiler to be run.
domain_auto_trans(priv_app, rs_exec, rs)
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
###
### neverallow rules
###
# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;
Make kmsg_device mlstrustedobject. Few domains are granted access to this, but they should have access from any user. Also add some neverallows to prevent misuse. Bug: 170622707 Test: presubmits Change-Id: Iacbe7b0525604f2339f8bf31c105af738bc3cd75
2020-10-27 12:28:00 +01:00
# Read or write kernel printk buffer
neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;
# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;
# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;
# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;
Adding ability for priv apps to read traceur fd Only untrusted apps had privilegs to read file descriptors passed in from traceur, which was an oversight. This fixes the policy so that priv apps can also access file descriptors from traceur in order to read reports shared from traceur. Bug: 74435522 Test: better bug has access to reports shared from traceur Change-Id: I591872cdac31eec62edbc81d95f1220f1152427f
2018-03-13 17:56:27 +01:00
# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { no_w_file_perms open };
Constrain cgroups access. What changed: - Removed cgroup access from untrusted and priv apps. - Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup. - libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups. - For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively. Changes from original aosp/692189 which was reverted: - There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it. Bug: 110043362 Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that. Test: aosp_sailfish, wahoo boot without cgroup denials This reverts commit cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a. Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-11 00:48:15 +02:00
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
sepolicy: rules for uid/pid cgroups v2 hierarchy Bug: 168907513 Test: verified the correct working of the v2 uid/pid hierarchy in normal and recovery modes This reverts commit aa8bb3a29b92a342c42c802edac269da5984d1df. Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-12 00:18:11 +01:00
neverallow priv_app cgroup_v2:file *;
drop priv_app app_data_file:file execute; system/sepolicy commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c introduced a new type called privapp_data_file. This type is used to label priv-app's /home files. For backwards compatibility, priv-app rules involving normal app_data_files were preserved. Subsequently, system/sepolicy commit 5d1755194a841ab727467a30757fd1606cef905b assigned the file label privapp_data_file to /home files owned by priv-apps. Because of the previous labeling of priv-app data files, priv-apps were granted the ability to mmap(PROT_EXEC) any other app's /home files, regardless of how trustworthy or untrustworthy those files were. Commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c preserved the status quo. However, now that we have a more refined label for priv-app /home files, we no longer need to be as permissive. Drop the ability for priv-apps to map executable code from untrusted_apps home directories. "execute" is removed in this change, and "execute_no_trans" was previously removed in commit 8fb4cb8bc20b999d69210f6fc6b552c6e22b8e09. Add a neverallow assertion (compile time assertion + CTS test) to prevent regressions. Further clarify why we need to support priv-apps loading executable code from their own home directories, at least for now. b/112037137 covers further tightening we can do in this area. Bug: 112357170 Test: Device boots and no problems. Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
2018-10-28 00:20:38 +02:00
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app app_data_file:file no_x_file_perms;
disallow priv-apps from following untrusted app symlinks. Untrustworthy symlinks dereferenced by priv-apps could cause those apps to access files they weren't intending to access. Trusted components such as priv-apps should never trust untrustworthy symlinks from untrusted apps. Modify the rules and add a neverallow assertion to prevent regressions. Bug: 123350324 Test: device boots and no obvious problems. Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
2019-01-24 22:05:03 +01:00
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
Allow priv-app to report off body events to keystore. Bug: 183564407 Test: the selinux error is gone. Change-Id: I6783528a0ca6c94781b6c12d96ffebbfe8b25594 Merged-In: If40c2883edd39bee8e49e8e958eb12e9b29a0fe0
2022-02-04 23:15:50 +01:00
# Allow reporting off body events to keystore.
allow priv_app keystore:keystore2 report_off_body;
Reference in a new issue Copy permalink