We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).
This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.
Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).
This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.
A neverallow rule is added to ensure this remains true.
Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.
Test: builds, boots, no new denials.
Bug: 141677108
Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
Since this service no longer exists.
Fix: 80317992
Test: TH, codesearch.
Merged-In: I257c8cc3dba657d98f19eb61b36aae147afea393
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393
Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.
Addresses:
avc: denied { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
Rules in clients of NFC HAL due to the HAL running (or previously
running) in passthrough mode are now targeting hal_nfc. Domains which
are clients of NFC HAL are associated with hal_nfc only the the HAL
runs in passthrough mode. NFC HAL server domains are always associated
with hal_nfc and thus get these rules unconditionally.
This commit also moves the policy of nfc domain to private. The only
thing remaining in the public policy is the existence of this domain.
This is needed because there are references to this domain in public
and vendor policy.
Test: Open a URL in Chrome, NFC-tap Android to another Android and
observe that the same URL is opened in a web browser on the
destination device. Do the same reversing the roles of the two
Androids.
Test: Install an NFC reader app, tap a passive NFC tag with the
Android and observe that the app is displaying information about
the tag.
Test: No SELinux denials to do with NFC before and during and after
the above tests on sailfish, bullhead, and angler.
Bug: 34170079
Change-Id: I29fe43f63d64b286c28eb19a3a9fe4f630612226
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy. These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware. Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.
(cherry-pick of commit: 76035ea019)
Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
