Commit graph

19 commits

Author SHA1 Message Date
Nazanin
d65a7bf37e make ril.cdma.inecmmode system property internal
so that it cannot reveal a system api that requires
READ_PRIVILEGED_PHONE_STATE

Bug: 183410189
Test: adb shell getprop -Z
Change-Id: I65f4121fc300447af7d516676166bc8b0b53b727
2021-04-30 10:08:01 -07:00
Inseob Kim
4ae7ec1915 Remove exported3_radio_prop
It's renamed to radio_control_prop

Bug: 162214733
Test: boot
Change-Id: Idede1a1ab471a354a6f5df12b6889abc7c1ad869
2020-08-03 09:23:39 +00:00
Alan Stokes
81e4e877f3 Make cross-user apps mlstrustedsubject.
We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).

This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.

Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).

This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.

A neverallow rule is added to ensure this remains true.

Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.

Test: builds, boots, no new denials.
Bug: 141677108

Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
2020-07-22 14:41:31 +01:00
Inseob Kim
ad6317018c Add contexts for exported telephony props
To remove bad context names, two contexts are added.

- telephony_config_prop
- telephony_status_prop

exported_radio_prop, exported2_radio_prop are removed. Cleaning up
exported3_radio_prop will be a follow-up task.

Exempt-From-Owner-Approval: cherry-pick

Bug: 152471138
Bug: 155844385
Test: boot and see no denials
Test: usim works on blueline
Change-Id: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
Merged-In: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
(cherry picked from commit 4d36eae8af)
2020-06-04 16:10:44 +09:00
Chi Zhang
3892e48eaa Merge "Allow radio to send pulled atoms to statsd." 2020-03-19 21:32:21 +00:00
Chi Zhang
9750836dca Allow radio to send pulled atoms to statsd.
Bug: 146066107
Bug: 141631489
Bug: 122371089
Bug: 149880090
Bug: 127666858
Bug: 142026991
Test: build and statsd_testdrive
Change-Id: Iaf70fb9a25e44e060d4945ffadf3b71aebfe8377
2020-03-18 20:27:23 +00:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Collin Fijalkovich
b1b15013e9 Use prefixes for binder cache SELinux properties.
Adds a context for telephony related cache properties and changes
the bluetooth and system_server properties to match off of prefix
instead of exact string matches.

Test: Flashed phone with PowerManager caches enabled and verified
that the phone boots.

Change-Id: I9110192a12bb6222e49a8fb6b266d6067ef2ea92
2020-02-21 15:25:46 -08:00
Hall Liu
d29fc6a99a Allow telephony access to platform_compat
Allow telephony to access platform_compat in order to log app failures
related to security fixes that we've made.

Bug: 144631034
Test: manual
Change-Id: Ibf783f0eb306061136fe0a57023d01344253eef0
2019-12-06 13:18:21 -08:00
Shuo Qian
9322cb088a Setting up SELinux policy for Emergency number database
Test: Manual; https://paste.googleplex.com/6222197494382592
Bug: 136027884
Change-Id: I29214de6b5b5a62bff246c1256567844f4ce55c7
2019-11-26 12:51:02 -08:00
Steven Moreland
20414effb6 Add uce service to core policy.
This service is requested by AOSP framework, but there is no context for
it defined.

Bug: 136023468
Test: N/A
Change-Id: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
Merged-In: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
(cherry picked from commit 67cb30fabf)
2019-08-19 12:42:56 -07:00
Neil Fuller
b794ad0f8d Add label for time (zone) system properties
This adds a label for system properties that will affect system-wide
time / time detection logic.

The first example will be something like:
persist.time.detection_impl_version

Bug: 78217059
Test: build
Change-Id: I46044f1e28170760001da9acf2496a1e3037e48a
2018-06-25 17:59:56 +01:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Mark Salyzyn
d33a9a194b logd: restrict access to /dev/event-log-tags
Create an event_log_tags_file label and use it for
/dev/event-log-tags.  Only trusted system log readers are allowed
direct read access to this file, no write access.  Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2017-01-31 15:50:15 +00:00
Nick Kralevich
b56e6ef894 Whitespace fix
Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29
2016-12-09 20:14:31 -08:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00