tequilaOS/platform_system_sepolicy

Fork 0

Commit graph

Author	SHA1	Message	Date
Andreas Gampe	2a9eaecf9a	Sepolicy: Clean up moved files Coalesce statements to clean up policies. Test: m Change-Id: I3794d6bf1bce04e700d2d8e3365249cf75bd527d	2019-02-22 08:36:41 -08:00
Andreas Gampe	4abfe60215	Sepolicy: Move some parts from public to private Those should not have been public before, but were forced to by old neverallow rules. Test: m Change-Id: If8430b9c8d42b7cbcd28bbfbc79d579c69067edd	2019-02-22 05:11:08 -08:00
Alex Klyubin	f5446eb148	Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95	2017-03-24 07:54:00 -07:00

Author

SHA1

Message

Date

Andreas Gampe

2a9eaecf9a

Sepolicy: Clean up moved files

Coalesce statements to clean up policies.

Test: m
Change-Id: I3794d6bf1bce04e700d2d8e3365249cf75bd527d

2019-02-22 08:36:41 -08:00

Andreas Gampe

4abfe60215

Sepolicy: Move some parts from public to private

Those should not have been public before, but were forced to by
old neverallow rules.

Test: m
Change-Id: If8430b9c8d42b7cbcd28bbfbc79d579c69067edd

2019-02-22 05:11:08 -08:00

Alex Klyubin

f5446eb148

Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

2017-03-24 07:54:00 -07:00

3 commits