This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.
Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.
Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.
Test: Setup Wizard (incl. adding a Google Account) completes fine with
Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079
Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
The 'overlay' service is the Overlay Manager Service, which tracks
packages and their Runtime Resource Overlay overlay packages.
Change-Id: I897dea6a32c653d31be88a7b3fc56ee4538cf178
Co-authored-by: Martin Wallgren <martin.wallgren@sonymobile.com>
Signed-off-by: Zoran Jovanovic <zoran.jovanovic@sonymobile.com>
Bug: 31052947
Test: boot the Android framework
This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.
Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.
Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.
NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.
Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079
Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.
This is not currently hooked up to anything.
Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.
Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.
Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.
Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
This switches Bluetooth HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.
Domains which are clients of Bluetooth HAL, such as bluetooth domain,
are granted rules targeting hal_bluetooth only when the Bluetooth HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bluetooth are not granted to client domains.
Domains which offer a binderized implementation of Bluetooth HAL, such
as hal_bluetooth_default domain, are always granted rules targeting
hal_bluetooth.
Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that
speaker over Bluetooth
Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test
Bug: 34170079
Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
Add a label to /proc/config.gz, so we can distinguish this file from
other /proc files in security policy.
For now, only init is allowed read access. All others are denied.
TODO: clarify exactly who needs access. Further access will be granted
in a future commit.
Bug: 35126415
Test: policy compiles and no device boot problems.
Change-Id: I8b480890495ce5b8aa3f8c7eb00e14159f177860
CAP_SYS_PTRACE is no longer used by crash_dump. There's no reason to
exclude it from the neverallow compile time assertion.
Test: policy compiles.
Change-Id: Ib2dced19091406553c16e6ce538cfb68bbc1e5aa
Much like audio, the camera HAL may need to have key threads running
in SCHED_FIFO or similar priority. Allow system_server to raise
thread priority for camera HALs to make this possible.
Test: Video recording works, with EIS. No logspam about EIS failure.
Bug: 35389145
Change-Id: I1d92f9f10dc3aff22ce56b8b9cc57db043631919
This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
against the hal_foo attribute. This policy is granted to domains
which offer the Foo HAL service over HwBinder and, if Foo HAL runs
in the so-called passthrough mode (inside the process of each
client), also granted to all domains which are clients of Foo HAL.
hal_foo is there to avoid duplicating the rules for hal_foo_client
and hal_foo_server to cover the passthrough/in-process Foo HAL and
binderized/out-of-process Foo HAL cases.
A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.
This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
hal_*_default daemons whose policy is in common/device-agnostic policy
are provided by the vendor image (see vendor/file_contexts). Thus,
their policy should also reside in the vendor image, rather than in
the system image. This means their policy should live in the vendor
subdirectory of this project.
Test: Device boots and appears to work
Bug: 34135607
Bug: 34170079
Change-Id: I6613e43733e03d4a3d4726f849732d903e024016
Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.
Place untrusted apps with targetSdkVersion<=25 into the
untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.
Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
This new input selector allows phasing in new security policies by
giving app developers an opportunity to make any needed compatibility
changes before updating each app's targetSdkVersion.
When all else is equal, matching entries with higher
minTargetSdkVersion= values are preferred over entries with lower
minTargetSdkVersion= values.
Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
Don't audit directory writes to sysfs since they cannot succees
and therefore cannot be a security issue
Bug: 35303861
Test: Make sure denial is no longer shown
Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464
On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.
See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103
The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.
The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.
Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .
This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.
Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
Use the default filesystem label from genfs_contexts for the directory
/sys/kernel/debug/tracing and /sys/kernel/tracing, instead of explicitly
attempting to relabel it.
There are three cases we need to consider:
1) Old-style tracing functionality is on debugfs
2) tracing functionality is on tracefs, but mounted under debugfs
3) tracefs is mounted at /sys/kernel/tracing
For #1, the label on /sys/kernel/debug/tracing will be debugfs, and all
processes are allowed debugfs:dir search, so having the label be debugfs
instead of debugfs_tracing will not result in any permission change.
For #2, the label on /sys/kernel/debug/tracing will be debugfs_tracing,
which is the same as it is today. The empty directory
/sys/kernel/tracing wlll retain the sysfs label, avoiding the denial
below.
For #3, /sys/kernel/debug/tracing won't exist, and /sys/kernel/tracing
will have the debugfs_tracing label, where processes are allowed search
access.
Addresses the following denial:
avc: denied { associate } for pid=1 comm="init" name="tracing"
dev="sysfs" ino=95 scontext=u:object_r:debugfs_tracing:s0
tcontext=u:object_r:sysfs:s0 tclass=filesystem permissive=0
Bug: 31856701
Bug: 35197529
Test: no denials on boot
Change-Id: I7233ea92c6987b8edfce9c2f1d77eb25c7df820f
There is only a single systemapi at the moment that is callable, and it is
protected by a signature/preinstalled permission.
(cherry picked from commit I778864afc9d02f8b2bfcf6b92a9f975ee87c4724)
Bug: 35059826,33297721
Test: manually on a marlin
Change-Id: I3789ce8238f5a52ead8f466dfa3045fbcef1958e
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.
Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:
* system_server
* system_app (apps which run as UID=system)
* netmgrd
* radio
This change:
1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limit write access to system_server.
In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.
Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
This leaves only the existence of binderservicedomain attribute as
public API. All other rules are implementation details of this
attribute's policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with *_current targets
referenced in binderservicedomain.te.
Bug: 31364497
Change-Id: Ic830bcc5ffb6d624e0b3aec831071061cccc513c
This leaves only the existence of blkid and blkid_untrusted domains as
public API. All other rules are implementation details of these
domains' policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with blkid_current and
blkid_untrusted_current (as expected).
Bug: 31364497
Change-Id: I0dda2feeb64608b204006eecd8a7c9b9c7bb2b81
This leaves only the existence of system_server domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with
system_server_current except those created by other domains'
allow rules referencing system_server domain from public and
vendor policies.
Bug: 31364497
Change-Id: Ifd76fa83c046b9327883eb6f0bbcd2113f2dd1a4
atrace and its atrace_exec now exist only in private policy.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with atrace_current
which is expected now that atrace cannot be referenced from
public or vendor policy.
Bug: 31364497
Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
This leaves only the existence of audioserver domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with audioserver_current
except those created by other domains' allow rules referencing
audioserver domain from public and vendor policies.
Bug: 31364497
Change-Id: I6662394d8318781de6e3b0c125435b66581363af
This leaves only the existence of surfaceflinger domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with
surfaceflinger_current except those created by other domains'
allow rules referencing surfaceflinger domain from public and
vendor policies.
Bug: 31364497
Change-Id: I177751afad82ec27a5b6d2440cf0672cb5b9dfb8
This leaves only the existence of adbd domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with adbd_current except
those created by other domains' allow rules referencing adbd
domain from public and vendor policies.
Bug: 31364497
Change-Id: Icdce8b89f67c70c6c4c116471aaa412e55028cd8
This leaves only the existence of bluetoothdomain attribute as public
API. All other rules are implementation details of this attribute's
policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow bluetoothdomain bluetooth_current
rule (as expected).
Bug: 31364497
Change-Id: I0edfc30d98e1cd9fb4f41a2900954d9cdbb4db14
This leaves only the existence of bluetooth domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with bluetooth_current
except those created by other domains' allow rules referencing
bluetooth domain from public and vendor policy.
Bug: 31364497
Change-Id: I3521b74a1a9f6c5a5766b358e944dc5444e3c536
This leaves only the existence of mdnsd domain as public API. All
other rules are implementation details of this domains's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with mdnsd_current (as
expected).
Bug: 31364497
Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4
This leaves only the existence of netdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with netdomain_current
and *_current attributes targeted when netdomain rules reference
public types.
Bug: 31364497
Change-Id: I102e649374681ce1dd9e1e5ccbaaa5cb754e00a0
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.
Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.
Test: policy builds
Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a definition for the extended_socket_class policy capability used
to enable the use of separate socket security classes for all network
address families rather than the generic socket class. The capability
also enables the use of separate security classes for ICMP and SCTP
sockets, which were previously mapped to rawip_socket class. Add
definitions for the new socket classes and access vectors enabled by
this capability. Add the new socket classes to the socket_class_set
macro, and exclude them from webview_zygote domain as with other socket
classes.
Allowing access by specific domains to the new socket security
classes is left to future commits. Domains previously allowed
permissions to the 'socket' class will require permission to the
more specific socket class when running on kernels with this support.
The kernel support will be included upstream in Linux 4.11. The
relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families"),
ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6
consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f
("selinux: drop unused socket security classes").
This change requires selinux userspace commit
d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define
extended_socket_class policy capability") in order to build the
policy with this capability enabled. This commit is already in
AOSP master.
Test: policy builds
Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f
(selinux: distinguish non-init user namespace capability checks)
introduced support for distinguishing capability
checks against a target associated with the init user namespace
versus capability checks against a target associated with a non-init
user namespace by defining and using separate security classes for the
latter. This support is needed on Linux to support e.g. Chrome usage of
user namespaces for the Chrome sandbox without needing to allow Chrome to
also exercise capabilities on targets in the init user namespace.
Define the new security classes and access vectors for the Android policy.
Refactor the original capability and capability2 access vector definitions
as common declarations to allow reuse by the new cap_userns and cap2_userns
classes.
This change does not allow use of the new classes by any domain; that
is deferred to future changes as needed if/when Android enables user
namespaces and the Android version of Chrome starts using them.
The kernel support went upstream in Linux 4.7.
Based on the corresponding refpolicy patch by Chris PeBenito, but
reworked for the Android policy.
Test: policy builds
Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The neverallows in untrusted_app will all apply equally to ephemeral app
and any other untrusted app domains we may add, so this moves them to a
dedicated separate file.
This also removes the duplicate rules from isolated_app.te and ensures
that all the untrusted_app neverallows also apply to isolated_app.
Test: builds
Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.
Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
This change adds selinux policy for configstore@1.0 hal. Currently, only
surfaceflinger has access to the HAL, but need to be widen.
Bug: 34314793
Test: build & run
Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964
Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
(cherry picked from commit 5ff0f178ba)
Required for I0aeb653afd65e4adead13ea9c7248ec20971b04a
Test: Together with I0aeb653afd65e4adead13ea9c7248ec20971b04a, ensure that the
system service works
Bug: b/30932767
Change-Id: I994b1c74763c073e95d84222e29bfff5483c6a07
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.
The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.
Test: devices boots and everything works as expected
no more auditallow logs
Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
The event log tag service uses /dev/event-log-tags, pstore and
/data/misc/logd/event-log-tags as sticky storage for the invented
log tags.
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
Create an event_log_tags_file label and use it for
/dev/event-log-tags. Only trusted system log readers are allowed
direct read access to this file, no write access. Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.
Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split serivce and property contexts.
Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.
IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.
Test: Run keystore CTS tests
Bug: 32020919
(cherry picked from commit 5090d6f324)
Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: Device boots, with Multiproces WebView developer setting
enabled, apps with WebView work fine. No new denials.
Bug: 31364497
Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
Bug: 31015010
cherry-pick from b6e4d4bdf1
Test: checked for selinux denial msgs in the dmesg logs.
Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
This leaves only the existence of zygote domain and its
executable's zygote_exec file label as public API. All other rules are
implementation details of this domain's policy and are thus now
private.
Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie37128531be841b89ecd602992d83d77e26533bc
This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.
Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.
Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
reflect the change from "mediaanalytics" to "mediametrics"
Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.
Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
This CLs adds SElinux policies necessary to compile secondary dex files.
When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).
What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.
Test: devices boots
compilation of secondary dex files works without selinux denials
cmd package compile --secondary-dex -f -m speed
com.google.android.gms
Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
