user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.
But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.
Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.
Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
com.android.virt is an APEX for virtual machine monitors like crosvm.
The APEX currently empty and isn't updatable.
Bug: 174633082
Test: m com.android.virt
Change-Id: I8acc8e147aadb1701dc65f6950b61701131f89d2
This should match policy for the system heap as they both map to
the ION system heap with the ION_FLAG_CACHED flag on or off.
Change-Id: Ib2929b84a2f8092adcf2f874ad6ccdfe068fe6dc
Signed-off-by: John Stultz <john.stultz@linaro.org>
During staged installation, we no longer create duplicate sessions for
verification purpose. Instead, we send the original files in
/data/app-staging folder to package verifiers for verification. That
means, Phonesky needs access to /data/app-staging folder to be able to
verify the apks inside it.
Bug: 175163376
Test: atest StagedInstallTest#testPlayStoreCanReadAppStagingDir
Test: atest StagedInstallTest#testAppStagingFolderCannotBeReadByNonPrivApps
Change-Id: I5cbb4c8b7dceb63954c747180b39b4a21d2463af
This is the service offered by Keystore 2.0 to provide APC service to
application. It was formerly part of the IKeystoreService interface.
Not it is an interface in ints own right.
Test: Keystore 2.0 can register the apc service interface.
Apps can lookup and call this interface.
Bug: 159341464
Change-Id: I058adf0021d9b89f4eac7534e366c29071f0f98b
For whatever reason, system/sepolicy/prebuilts/api/30.0 and rvc-dev's
system/sepolicy differ a little. This makes 30.0 prebuilts up-to-date
and also updates plat_pub_versioned.cil, built from aosp_arm64-eng
target on rvc-dev branch.
Bug: 168159977
Test: m selinux_policy
Change-Id: I03e8a40bf021966c32f0926972cc2a483458ce5b
We would like to assert that only PackageManager can make
modifications to /data/app. However, I first need to remove
some existing permissions that seem like they are no longer
used (as per jtinker@). Add audit statements to confirm.
Test: build
Change-Id: Ie5ec5199f7e2f862c4d16d8c86b9b0db6fbe481c
- Update policy for new system service, used for Launcher/Apps to
fetch and render search results in their UI.
Bug: 162234997
Test: manual verification ($ adb shell service list)
Reference CL: aosp/831251
Change-Id: If3ae22aa2ad1d13aeac3dfefc5244db4b1734d96
via opening/closing a PF_KEY socket (this mirrors netd's privs)
Bug: 173167302
Test: m
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia2c2cb52c4ec9149db29dc86a7927e3432bd2b9b
debugfs_tracing can only be accessed by tracing tools provided by the
platform.
Bug: 172028429
Test: boot with no relevant log showing up
Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
The updatable and non-updatable permission manager cannot share one
AIDL, so we need to create a new system service for the non-updatable
legacy one, and add the SELinux policy for it.
Bug: 158736025
Test: presubmit
Change-Id: Ief8da6335e5bfb17d915d707cf48f4a43332f6ae
