Drop back-compatibility for hiding ro.debuggable and ro.secure

Ignore-AOSP-First: cherry-pick for tm-qpr-dev
Bug: 193912100
Bug: 265874811
Test: N/A for cherry-pick
Change-Id: I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad
Merged-In: I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad
Alessandra Loro 2022-08-18 13:09:36 +00:00
parent 0d68fc3525
commit c6aec92b7c
10 changed files with 12 additions and 31 deletions


@ -254,15 +254,3 @@ neverallow {
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
# Do not allow untrusted app to read hidden system proprerties
# We exclude older application for compatibility and we do not include in the exclusions other normally
# untrusted applications such as mediaprovider due to the specific logging use cases.
# Context: b/193912100
neverallow {
untrusted_app_all
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
} { userdebug_or_eng_prop }:file read;


@ -52,3 +52,6 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
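Review bot: The comment `# Allow hidden build props` above the new `get_prop` line no longer describes the rule, because the `userdebug_or_eng(...)` term subtracts `untrusted_app_25` from its own source set on userdebug/eng builds, so the grant appears to remain only on user builds. I would say so in the comment, e.g. `# user builds only: on userdebug/eng the source set below is empty, so these props stay hidden from this domain`. The same line is added or substituted in the untrusted_app_27, untrusted_app_29 and untrusted_app_30 sections and again in the second copy of all four files, so the comment applies there too. Because this commit also deletes the `neverallow` on `untrusted_app_all`, nothing in the visible hunks checks the userdebug/eng outcome at build time; a `neverallow` for `userdebug_or_eng_prop:file read` wrapped in `userdebug_or_eng(...)` would keep it enforced, provided the domains not shown on this page permit it. The rest of the file lies outside the hunk.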


@ -40,3 +40,6 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)


@ -20,4 +20,4 @@ allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop(untrusted_app_29, userdebug_or_eng_prop)
get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)


@ -22,4 +22,4 @@ allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop(untrusted_app_30, userdebug_or_eng_prop)
get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)


@ -254,15 +254,3 @@ neverallow {
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
# Do not allow untrusted app to read hidden system proprerties
# We exclude older application for compatibility and we do not include in the exclusions other normally
# untrusted applications such as mediaprovider due to the specific logging use cases.
# Context: b/193912100
neverallow {
untrusted_app_all
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
} { userdebug_or_eng_prop }:file read;


@ -53,6 +53,5 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop(untrusted_app_25, userdebug_or_eng_prop)
get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)


@ -42,4 +42,4 @@ allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop(untrusted_app_27, userdebug_or_eng_prop)
get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)


@ -20,4 +20,4 @@ allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop(untrusted_app_29, userdebug_or_eng_prop)
get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)


@ -22,4 +22,4 @@ allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop(untrusted_app_30, userdebug_or_eng_prop)
get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)