"iio_device", "radio_device" must not be accessed by coredomain on all
devices. And "tee_device" must not be accessed by coredomain on Treble
devices.
Bug: 110962171
Test: m selinux_policy
Test: mmma system/sepolicy
Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c
The isolated service that do nothing for AIDL's APIs still got the
SELinux denied. This should fix presubmit test.
01-01 00:00:22.103 5831 5831 I auditd : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="convert.service"
path="/data/data/com.android.providers.media" dev="sda35" ino=1442136
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir
permissive=0
Test: build
Bug: 119596573
Change-Id: Ie58326ba217ed6ca56ca9933c6664896ac3d327a
According to go/sedenials (internal dogfooding), coredomain access to
following types is not exercised and can be removed:
iio_device
radio_device
tee_device
Access to audio_device is still needed since some ALSA interfaces
(/dev/snd/*) are directly used by system_server.
Bug: 110962171
Test: m selinux_policy
Change-Id: I740b99813e1f93136bfcaec087b74f0e03b259ad
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.
Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.
Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. init now performs this check during startup.
The self-test is forked from init. For the child process
to be able to request a reboot it needs permissions to
set the sys.powerctl property.
Bug: 119826244
Test: Built for walleye. When the BoringSSL self test was forced
to fail the device rebooted into the bootloader, as
expected.
Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
server_configurable_flags_data_file is used for storing server
configurable flags which have been reset during current booting.
system_server needs to read the data to perform related disaster
recovery actions.
For how the data is read, see SettingsToPropertiesMapper.java.
Test: build succeeds & manual on device
Change-Id: Ifa22aecc13af2c574579299d28433622abbe6b85
We introduced a new API to allow Device Owner to install an OTA file on disk.
This in turn requires system_server to be able to copy the OTA file to a known
OTA file location, call into update_engine to start the installation and let
update_engine to call back to the system_server to deliver any error conditions
asynchronously. This CL modifies the SELinux policy to allow these interaction.
Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79
Bug: 111173669
By convention, auditallow statements are always placed in
userdebug_or_eng() blocks. This ensures that we don't inadvertently ship
audit rules on production devices, which could result in device logspam,
and in pathological situations, impact device performance (generating
audit messages is much more expensive than a standard SELinux check).
Bug: 117606664
Test: policy compiles.
Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.
Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.
Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
This reverts commit 92bde4b941.
Reason for revert: Rebooting after OTA fails due to the
filesystem still seeing the old label on the device.
Bug: 116528212
Bug: 119747564
Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c
Test: rollback change
This is used for querying the installed packages, as well as
coordinating the installations of packages.
Test: ran an app that queries PM, that queries apexd.
Bug: 117589375
Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
This is world-readable so it can be checked in libc's process init.
Test: m
Test: flash sailfish
Bug: 117821125
Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
system server reads this property to keep track of whether server
configurable flags have been reset during current boot.
system server needs this information to decide whether to perform
following disaster recovery actions on framework level.
the get_prop added in this cl in system_server.te is not grouped
in the same place as the set_prop in system_server.te in another
cl (https://android-review.googlesource.com/c/platform/system/sepolicy/+/828284).
This is because these 2 properties are serving for different purposes:
device_config_flags_health_check_prop is used to control features(so will be
all the future set_prop added by other feature teams under "# server configurable flags properties"),
while device_config_reset_performed_prop is used by our API's internal implementation.
So I feel like it might be clearer if I put this get_prop in a different place rather than
appending to "# server configurable flags properties".
Test: build suceeded.
Change-Id: I64379aa8f0bbe093969b98d62093696a32aabe59
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.
This change set SELinux rules for these properties and files.
For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).
This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.
Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.
Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".
Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
device_config_flags_health_check_prop is used for enabling/disabling
program flags_health_check which is executed during device booting.
"1" means enabling health check actions in flags_health_check, other
values mean flags_health_check will not perform any action.
Test: build succeeded & manual test
Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
Add an InputFlinger service in system_server and allow SurfaceFlinger to
exchange sockets with it.
Test: None
Bug: 80101428
Bug: 113136004
Bug: 111440400
Change-Id: I1533ab7a1da0ca61d8a28037fffbc189d796f737
With Treble, cameraserver no longer depends on camera devices directly.
Moreover, pixel 3 doesn't have /dev/cam node.
We still keep "camera_device" type around since vendor policy uses it to
label its /dev nodes.
Bug: 110962171
Test: boot aosp_walleye
Test: camera app still works
Change-Id: If12d640c2a0006b9fc3c9f6704285eb8eb66c626
Changed the GPU service name back to be compatible with external
engines/tools' usage of vkjson cmd.
Bug: 118347356
Test: adb shell cmd gpu vkjson
Change-Id: Ie432fd8be63d33070ad037c509467c8367b42d39
Auditallow added in commit 72edbb3e83 ("Audit generic debugfs access for
removal", May 01 2018) has not triggered. Remove allow rule and tighten
up neverallow rule.
Test: policy compiles
Test: no collected SELinux denials.
Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
This CL adds rules to allow traced_probes to dup a pipe as the stderr
for atrace and also send a sigkill to atrace after a timeout.
This fixes b/119656920
Change-Id: Ie66aaba47c11ef7c733b442f35fee042b7c546fb
1b1d133be5 added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.
Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
66a337eec6
Add xdp_socket to various other neverallow rules.
Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
Remove the special case that allowed init to relabel app_data_file and
privapp_data_file. The auditallow added in
ab82125fc8 has never triggered.
Bug: 80190017
Test: policy compiles
Test: no SELinux denials collected for the auditallow rule
Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
We lose git history with this, but imo the rules being moved don't have
much reference material. Also, as we write more neverallow rules for
CKI, I'd like to consolidate them in private/coredomain.te
Test: m selinux_policy
Change-Id: I6d0c3d2af0c4dfe7dd3cb1d8836b4b5e00db37a4
Commit 619c1ef2ac ("tun_device: enforce
ioctl restrictions") completely removed the ability of untrusted apps to
issue ioctl calls to tun_device. It turns out that this was too
aggressive. Wireshark apparently uses the TUNGETIFF ioctl.
Fixes the following denial:
audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android
Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.
Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)
Change-Id: I827a108bd118090542354360a8c90b295e6a0fef
This prevents denials while taking a bugreport.
Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I65dffda9806e0d627978ffdd392e3deb625149b7
There is now an incident section for statsd output data. These selinux
changes must be made for incident to call dump on statsd to get the
data.
Bug: 115678461
Test: adb shell incident -b 3023
and confirm that a valid statsd section is obtained
Change-Id: I761389c160ab3ab6c24556813a1a31088c0f5137
mtd_device does not label any /dev node present on walleye, and the only
permission to that type is:
allow hal_telephony_server mtd_device:dir search;
I suspect there is no need to keep mtd_device around.
Bug: 110962171
Test: boot aosp_walleye
Change-Id: If74b1258b21edeca38c8b7dc07a3a10b751a7e85
Test: ensure no build failures;
add RoleManagerService as a boot phase
ensure no SecurityException in logcat on boot
Change-Id: Ia0803c0fb084fe2b12f5c20f5e46354d0dd1aedf
system/sepolicy commit 619c1ef2ac started
enforcing ioctl whitelisting requirements for /dev/tun. Bluetooth needs
the ability to issue TUNSETIFF on /dev/tun, so allow access. We also
allow access to TUNGETIFF for good measure.
Addresses the following denial:
avc: denied { ioctl } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=20047 ioctlcmd=0x54ca scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0
Test: policy compiles
Change-Id: Ie4c138fc774373cec266c59de6663db147d60423
No coredomain domain has access to these types and corresponding /dev
nodes don't exist on the device:
audio_seq_device
audio_timer_device
full_device
i2c_device
vcs_device
Bug: 110962171
Test: m selinux_policy
Test: boot walleye
Change-Id: I89ad4755e6760aa166cb22e2655567e5905dc672
These rules mirror those for /vendor/overlay and /odm/overlay, including
the possilibity of a symlink like /system/vendor -> /vendor.
Test: builds, boots
Change-Id: I323e48fcc13c4ac7779902506539c2600708cc88
Historically GPU service lives in SurfaceFlinger as a convenient hack.
Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU
capability, and shouldn't know about anything about GPU. This patch moves GPU
service out of SurfaceFlinger.
GPU service is a service that accesses to GPU driver, queries GPU capabilities
and reports back. Currently we use this information in CTS and some benchmarks.
BUG: 118347356
Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify
Change-Id: I007989e0f3f73b5caf80277979986820dd127c32
In earlier kernel versions (<4.0), the loopback driver issues
requests from a kernel thread. Therefore, the kernel needs access
to APEX file descriptors and data files (which are loopback
mounted).
Bug: 119220815
Test: mounting works on sailfish
Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
apexd_prop is also defined in private/propery_contexts in order to make
the type to exist even when PRODUCT_COMPATIBLE_PROPERTY is false (i.e.,
Pixel 1).
Bug: 119220815
Test: m plat_property_contexts for sailfish
the built plat_property_contexts has apexd_prop defined
Change-Id: I9ef71410533c1f64fc6a3112cfcb199d23aaf3db
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.
Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
These /dev nodes are device-specific and should be labeled from device
policy. Moreover, pixels don't have these /dev nodes.
Bug: 110962171
Test: boot pixel 3
Change-Id: I37ca9a956130eb4763c75f5e8a0decbd4f7b97a7
As b/116344577 is fixed, we no longer need the compatbility mapping any
more.
Test: build passed. Boot succeeded.
Change-Id: I0d7f02c59853d34bdabaad6841d87e9ca1ee25d7
A sysprop apexd.status is set by apexd, to that other components (i.e.
init) can determine whether APEXs are all successfully mounted or no
(i.e., being mounted).
The sysprop is only writable by apexd.
Bug: 117403679
Test: adb shell getprop apexd.status returns 'ready'.
Change-Id: I81bcb96e6c5cb9d899f29ffa84f91eab3820be25
Update access_vectors to support newer kernel functionality.
This change does not grant any new access.
Inspired by the following refpolicy commits:
* 25a5b24274
* 109ab3296b
* 437e48ac53
Bug: 118843234
Test: policy compiles
Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.
Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.
Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.
The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
11cee2be0c%5E%21
Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.
Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). system/sepolicy commit
4397f08288 introduced the permission to
Android and updated common macros. Since then, we've been adding more
mmap support where it was accidentally omitted.
Add the ability for isolated_apps to mmap() app data files. There's no
reason why this should be blocked. Also fixup sdcard access which has
similar problems.
Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.
Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
This reverts commit 0dd738d810.
Reason for revert: CtsSimpleperfTestCases CTS test case failures.
See b/118704604 for details.
Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.
Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.
untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.
seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.
Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
system/sepolicy commit 23c9d91b46
introduced a new type called privapp_data_file. This type is used to
label priv-app's /home files. For backwards compatibility, priv-app
rules involving normal app_data_files were preserved. Subsequently,
system/sepolicy commit 5d1755194a
assigned the file label privapp_data_file to /home files owned
by priv-apps.
Because of the previous labeling of priv-app data files, priv-apps were
granted the ability to mmap(PROT_EXEC) any other app's /home files,
regardless of how trustworthy or untrustworthy those files were. Commit
23c9d91b46 preserved the status quo.
However, now that we have a more refined label for priv-app /home files,
we no longer need to be as permissive.
Drop the ability for priv-apps to map executable code from
untrusted_apps home directories. "execute" is removed in this change,
and "execute_no_trans" was previously removed in commit
8fb4cb8bc2. Add a neverallow assertion
(compile time assertion + CTS test) to prevent regressions.
Further clarify why we need to support priv-apps loading executable code
from their own home directories, at least for now. b/112037137 covers
further tightening we can do in this area.
Bug: 112357170
Test: Device boots and no problems.
Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
The current rule is missing mmap. r_file_perm implicitly adds mmap, so
we should just use that instead.
Test: policy compiles.
Change-Id: I4051d1eb4c36a2b6ff2b5f26ce53355287cbe2b4
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.
Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)
Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)
Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
apexd is using following additional ioctl cmds to mount the mini
filesystem inside APEXs:
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
Test: m; m apex.test; adb push <the_built_apex> /data/apex; adb reboot
/apex/com.android.example.apex exists
Change-Id: I68388cc4f323e4fcff370c8cdc0958cbd827e9cc
/dev/tegra.* is not used in android platform and is device-specific
Bug: 110962171
Test: boot walleye
Change-Id: I4cc790d28457b429a3ed9829de223dae357eb498
Historically, vendor-init-actionable was created since the various
property_contexts files were not yet available when init parses its
scripts. Since then, the property_contexts files are now always
available when init parses its scripts, so we can collapse these two
categories.
Specifically, this change ensures that all of the properties in the
previous 'stable_properties.h' file in init, which contained the
vendor-init-actionable properties, are able to be read by init
according to SEPolicy.
Bug: 71814576
Test: vendor_init fails to use non-readable properties as a trigger
Test: vendor_init successfully uses readable properties as a trigger
Change-Id: Ic6d9919b6047f3076a1a19fc26295c6a77aca627
Copied from device/google/crosshatch-sepolicy.
Test: diff files in system/etc/selinux before and after for aosp_marlin
Change-Id: I518c43af9c217483bdab02424e4aef0270aad366
This is used to address a CTS testcase failure. This CTS
testcase need to access the content of Contact, some data
from ContactProvider is transfered through ashmem.
Currently ashmem is backed by the tmpfs filesystem, ContactProvider
in android run as a priv_app, so the file context of the ashmem
created by ContactProvider is priv_app_tmpfs. CTS runs as an
untrusted_app, need to be granted the read permission to the
priv_app_tmpfs files.
Bug: 117961216
[Android Version]:
android_p_mr0_r0
[Kernel Version]:
4.19.0-rc8
[CTS Version]:
cts-9.0_r1
[Failed Testcase]:
com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies
[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811):
avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429
dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768
tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0
[Test Result With This Patch]:
PASS
Change-Id: I45efacabe64af36912a53df60ac059889fde1629
Start enforcing the use of ioctl restrictions on all Android block
devices. Domains which perform ioctls on block devices must be explicit
about what ioctls they issue. The only ioctls allowed by default are
BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.
Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
Remove most of /proc/net access for priv_apps. Files in /proc/net leak
unique device identifiers and side channel information about other app's
network connections.
Access for most third party applications was removed in commit
d78e07cbb7. This change applies the same
constraints to priv-apps that we apply to normal apps.
Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3
apexd uses realpath(3) to ensure that the public key file that will use
is under /system/etc/security/apex directory. In order to support it,
allow apexd to getattr on apex_key_files.
The canonicalization is required because the key name from APEX might be
wrong. For example, if the key name from an APEX is '../../some/path'
then apexd will use '/system/etc/security/apex/../../some/path' as the
public key file, which is incorrect.
Bug: 115721587
Test: m apex.test; m
/apex/com.android.example.apex@1 exists
Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67
Input config should be under /odm when it's "device-specific",
instead of /vendor (for "SoC-specific").
However, not all device have /odm partition so having the fallback
symlink: /odm -> /vendor/odm is important
Bug: 112880217
Test: build
Change-Id: I294e2b172d06d58a42c51c128e448c7644f854dc
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.
Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
This does not actually grant any permissions but just adds the
necessary boilerplate for a new service.
Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
same_process_hal_file is exempted from many Treble neverallows. We want
to know which processes access this type to eventually constrain access
to it.
Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
We add this type with the intent to expose /system/bin/tcpdump to
vendor on userdebug devices only.
Bug: 111243627
Test: device boots /system/bin/tcpdump correctly labeled as
tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.
Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
