Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.
Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts
Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
* commit 'f5f899c3c0f684ffba6950b343e652abd78d0fd9':
Rework the radio vs rild property split. Only label properties with the ril. prefix with rild_prop. Allow rild and system (and radio) to set radio_prop. Only rild can set rild_prop presently.
Allow apps to write to anr_data_file for /data/anr/traces.txt.
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
Allow adbd to access the qemu device and label /dev/eac correctly.
Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton.
Rewrite MLS constraints to only constrain open for app_data_file, not read/write.
Introduce a separate wallpaper_file type for the wallpaper file.
Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files.
Allow the shell to create files on the sdcard.
Drop redundant rules.
Policy changes to support running the latest CTS.
Limit per-device policy files to a well-defined sepolicy prefix.
Add support for per-device .te and .fc files.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
