Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe

Commit dddbaaf1e8 ("update sepolicy for fs notification hooks") updated
global macros, and added watch, watch_mount, watch_sb, watch_with_perm,
and watch_reads to r_file_perms and r_dir_perms.

In retrospect, the commit was overly permissive and some of the
permissions shouldn't be granted by default. In particular:

1) watch_with_perm: This is only used with fanotify and requires
CAP_SYS_ADMIN. fanotify has limited use cases, including virus scanning
and hierarchical storage management. Granting this by default makes it
harder to audit and understand this powerful capability. In particular,
anti-virus-like file monitoring is something which inherently conflicts
with Android app privacy guarantees and would need to be carefully
reviewed.

2) watch_mount & watch_sb: Setting a watch on a mount (FAN_MARK_MOUNT)
or superblock (FAN_MARK_FILESYSTEM) should be extremely unusual.
Granting this by default makes it harder to audit and understand.

Both "watch" and "watch_reads" are retained for now.

References:
* https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ac5656d8a4cdd93cd2c74355ed12e5617817e0e7
* dddbaaf1e8
Test: compiles
Change-Id: Ib74e7119853eb991e0e9828645c7f9e076b919c4

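The macro trimming the commit message above describes, shown as an added before/after reconstruction of the two read-permission macros; this is not the commit's own diff, and the file path and the exact member lists of each macro are assumed from the message rather than copied from the page:

```m4
# system/sepolicy/public/global_macros (assumed path): reconstruction
# of r_file_perms / r_dir_perms before and after the trim described
# above. Member lists are assumed, not copied from the commit.

# Before: dddbaaf1e8 handed out every fs notification permission to
# any domain holding r_file_perms or r_dir_perms. watch_with_perm is
# fanotify-only and CAP_SYS_ADMIN-gated; watch_mount and watch_sb cover
# a whole mount (FAN_MARK_MOUNT) or superblock (FAN_MARK_FILESYSTEM),
# so the default grant hid a broad, hard-to-audit capability.
define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_mount watch_sb watch_with_perm watch_reads }')
define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')

# After: only watch and watch_reads stay in the default macros. A domain
# that genuinely needs fanotify marks must now request watch_with_perm,
# watch_mount or watch_sb in its own .te file, where a policy reviewer
# will see the grant and can ask why it is needed.
define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
```

A quick way to confirm the trim took effect on a built policy is to check that no domain receives watch_with_perm through the macros alone, e.g. with sesearch (assumed tool) for the `watch_with_perm` permission on the file and dir classes.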
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.
coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.
Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789

These attributes are intended to be used w/ services using the system
copy of libbinder (for vendor, this is libbinder_ndk).
Switching vndservicemanager users using the libbinder copy of vendor to
be able to use the system copy of libbinder for registration is an open
problem.
Bug: 136027762
Test: N/A
Change-Id: I1d70380edcb39ca8ef2cb98c25617701b67ba7e1

Since non-full-Treble devices aren't guaranteed to have coredomain
applied to all system processes, this is breaking some downstream
non-Treble devices.
Bug: 140076135
Test: N/A
Change-Id: I2942506cb0cfd8096c631281389a16aa48b4da08

Since this service no longer exists.
Fix: 80317992
Test: TH, codesearch.
Merged-In: I257c8cc3dba657d98f19eb61b36aae147afea393
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393

This reverts commit 6b2eaade82.
Reason for revert: reland original CL
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor

Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e