Drop back-compatibility for hiding ro.debuggable and ro.secure am: c6aec92b7c am: 60673b7437

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399373

Change-Id: I21eb7cfbbefe5e5986d374bce5b78925160ebb61
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Alessandra Loro 2023-01-25 19:33:01 +00:00 committed by Automerger Merge Worker
commit c6ed575842
10 changed files with 12 additions and 31 deletions

View file

@ -254,15 +254,3 @@ neverallow {
# Only privileged apps may find the incident service # Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find; neverallow all_untrusted_apps incident_service:service_manager find;
# Do not allow untrusted app to read hidden system proprerties
# We exclude older application for compatibility and we do not include in the exclusions other normally
# untrusted applications such as mediaprovider due to the specific logging use cases.
# Context: b/193912100
neverallow {
untrusted_app_all
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
} { userdebug_or_eng_prop }:file read;

View file

@ -52,3 +52,6 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
# allow sending RTM_GETNEIGH{TBL} messages. # allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh; allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)

View file

@ -40,3 +40,6 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
# allow sending RTM_GETNEIGH{TBL} messages. # allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh; allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)

View file

@ -20,4 +20,4 @@ allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props # Allow hidden build props
get_prop(untrusted_app_29, userdebug_or_eng_prop) get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)

View file

@ -22,4 +22,4 @@ allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props # Allow hidden build props
get_prop(untrusted_app_30, userdebug_or_eng_prop) get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)

View file

@ -254,15 +254,3 @@ neverallow {
# Only privileged apps may find the incident service # Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find; neverallow all_untrusted_apps incident_service:service_manager find;
# Do not allow untrusted app to read hidden system proprerties
# We exclude older application for compatibility and we do not include in the exclusions other normally
# untrusted applications such as mediaprovider due to the specific logging use cases.
# Context: b/193912100
neverallow {
untrusted_app_all
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
} { userdebug_or_eng_prop }:file read;

View file

@ -53,6 +53,5 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh; allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props # Allow hidden build props
get_prop(untrusted_app_25, userdebug_or_eng_prop) get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)

View file

@ -42,4 +42,4 @@ allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props # Allow hidden build props
get_prop(untrusted_app_27, userdebug_or_eng_prop) get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)

View file

@ -20,4 +20,4 @@ allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props # Allow hidden build props
get_prop(untrusted_app_29, userdebug_or_eng_prop) get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)

View file

@ -22,4 +22,4 @@ allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh; auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props # Allow hidden build props
get_prop(untrusted_app_30, userdebug_or_eng_prop) get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)