Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes
This reverts commit aa8bb3a29b.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
a54bed6907
Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery
Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.
Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files
Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
MediaPlayer cannot load a video from RRO packages.
So, add allow rules which is necessary to play the video.
Bug: b/154795779
Test: check if MediaPlayer can load a video in RRO
Change-Id: I06eed146b6e70a548b6b4f4faf56ba2bccd68140
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
Bug: http://b/135139675
Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type). Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.
Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.
Test: Build 32-bit cuttlefish with coverage:
m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
and verify that there are no selinux denials in kernel log and
logcat.
Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
Media component update service is removed, so selinux
permissions for it are no longer needed.
Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.
Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...
Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
Make mediaextractor use hidl memory allocated by
hidl allocator, instead of constructing hidl memory
from IMemory.
bug: 112766913
bug: 111407253
Change-Id: I7902f18768005c995925bc9a7947299e9988b68a
(Needed for internal commit I39e131718ea41f9cb23177c28213ddf7b7741338)
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.
Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.
This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
For now, this newly introduced label has no usage, so this change
is essentially a no-op.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
This is an experimental feature only on userdebug and eng build.
Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474
so we can dlopen the libraries that are there
Test: build&run
Merged-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855
Change-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855
Mediaextractor should only be operating on data passed directly to it.
It shouldn't be attempting to open /data files on it's own.
Add a neverallow statement (compile time assertion + CTS test) to ensure
this is the case.
Bug: 67454004
Test: policy compiles. No runtime impact.
Change-Id: Ie94d4cb9aece7e72fbd13321f339dcf9d44d5d77
These denials are expected and the code has fallbacks to handle this
case.
Test: policy compiles.
Bug: 67454004
Change-Id: I787625494d0a7c9945318428b6fd3f668a8a2564
Needed to allow lower power Play Music of downloaded files.
05-24 10:12:49.331 24025 24025 W generic : type=1400
audit(0.0:1259): avc: denied { read } for
path="/data/data/com.google.android.music/files/music/925.mp3"
dev="sda35" ino=2179256 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
permissive=0
Test: Play Music
Bug: 62059834
Change-Id: I97bdb1d175dba8f7a8ec6cd9084323cfcd3660bd
Permit mediaextractor its own file source for apk and ringtone files.
Previously we fall back to the mediaserver file source.
This does not affect behavior as the fallback works fine; however,
the log messages may cause confusion.
[73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read }
for pid=18381 comm="generic"
path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35"
ino=2490374 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
[73402.683932] type=1400 audit(1491338955.884:122): avc: denied { read }
for pid=18383 comm="generic"
path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35"
ino=2490376 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
Test: Ringtone and CTS
Bug: 37500781
Change-Id: Ie6d8e6d2b7301d00957733f173aeebbe9d0d1998
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
reflect the change from "mediaanalytics" to "mediametrics"
Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.
Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.
Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
