On Full Treble devices, servicemanager should only service
services from the platform service_contexts file.
Created new type to separate plat_ and nonplat_service_contexts,
and added new type to mapping (although I don't think this type
should have been used by vendors).
Bug: 36866029
Test: Marlin/Taimen boot
Change-Id: Ied112c64f22f8486a7415197660faa029add82d9
This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.
Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.
P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.
Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
So we can limit vndservicemanager access to
just vndservice_contexts.
Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
The label applies to all service_contexts regardless of their location.
This also lets us track the service_contexts usage and limit access to
the files for the corresponding object manager alone.
Bug: 36002427
Test: Boot sailfish and observe no denials for 'serice_contexts'
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check \
--abi arm64-v8a --module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospServiceContexts
Change-Id: I97fc8b24bc99ca5c00d010fb522cd39a35572858
Signed-off-by: Sandeep Patil <sspatil@google.com>
No denials showing up in collected audit logs.
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I5a0d4f3c51d296bfa04e71fc226a01dcf5b5b508
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
