ConnectivityService is going to become mainline and can not
access hidden APIs. Telephony and Settings were both accessing
the hidden API ConnectivityManager#getMobileProvisioningUrl.
Moving #getMobileProvisioningUrl method into telephony means
that there is one less access to a hidden API within the overall
framework since the Connectivity stack never needed this value.
Thus, move getMobileProvisioningUrl parsing to telephony surface
and provide the corresponding sepolicy permission for its access.
The exsting radio_data_file is an app data type and may allow
more permission than necessary. Thus create a new type and give
the necessary read access only.
Bug: 175177794
Test: verify that the radio process could read
/data/misc/radio/provisioning_urls.xml successfully
Change-Id: I191261a57667dc7936c22786d75da971f94710ef
This macro creates the necessary neverallow to assert the
hal_can_*_{client,server} attribute has exclusive ownership of
the service.
Bug: 176180039
Test: build/TH
Change-Id: I876b50e4184ef787117d5ca67c7fbd522d82687c
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.
This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.
Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666
Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
Revert "Add android.hardware.memtrack-unstable-ndk_platform"
Revert submission 1518702-memtrack-aidl
Reason for revert: Broken tests and boot time regressions
Reverted Changes:
Ic4dd70e2c:Add android.hardware.memtrack-unstable-ndk_platfor...
Iaf99d0ca4:Add stable aidl memtrack HAL to product packages
Iac54ae2ba:Add stable aidl memtrack hal to vndk list
If310210a3:libmemtrack: Add support for AIDL memtrack HAL
Ib6c634def:Memtrack HAL: Add stable AIDL implementation
I5e1d0e006:Memtrack HAL stable aidl sepolicy
Change-Id: I0c55ee100c7fd8d09a5b188a39b17c95c8a43c39
This service manager is registered by Keystore 2.0 to lookup legacy
wrapper services.
Keystore 2.0 is now written in rust. We have AIDL binding for rust but
no HIDL binding. Keystore 2.0 has to support legacy HIDL based
interfaces. So we implement the AIDL KeyMint interface in terms of the
legacy HIDL Keymaster <= V4.1 devices in C++. This wrapper is linked
into the Keystore 2.0 process but it cannot be called directly but must
be treated like a remote binder instead. However, we cannot register
these wrappers directly, because a) we are not a vendor component, and
b) it would conflict with genuine KeyMint devices on newer devices. So
Instead we register Keystore 2.0 itself as a legacy service provider.
Which it can query itself for the legacy wrappers if it does not find
a genuine KeyMint implementation to connect to.
Bug: 171351607
Test: Keystore 2.0 can register this Service and lookup legacy wrapper
services.
Change-Id: I935f23837721ce126531236f4920dba469a47be4
16d61d0383
Bug: 175345910
Bug: 171429297
Exempt-From-Owner-Approval: re-landing topic with no changes in this CL.
Change-Id: I1352c6b46b007dba3448b3c9cbdf454d7862a176
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.
But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.
Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.
Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
This should match policy for the system heap as they both map to
the ION system heap with the ION_FLAG_CACHED flag on or off.
Change-Id: Ib2929b84a2f8092adcf2f874ad6ccdfe068fe6dc
Signed-off-by: John Stultz <john.stultz@linaro.org>
During staged installation, we no longer create duplicate sessions for
verification purpose. Instead, we send the original files in
/data/app-staging folder to package verifiers for verification. That
means, Phonesky needs access to /data/app-staging folder to be able to
verify the apks inside it.
Bug: 175163376
Test: atest StagedInstallTest#testPlayStoreCanReadAppStagingDir
Test: atest StagedInstallTest#testAppStagingFolderCannotBeReadByNonPrivApps
Change-Id: I5cbb4c8b7dceb63954c747180b39b4a21d2463af
This is the service offered by Keystore 2.0 to provide APC service to
application. It was formerly part of the IKeystoreService interface.
Not it is an interface in ints own right.
Test: Keystore 2.0 can register the apc service interface.
Apps can lookup and call this interface.
Bug: 159341464
Change-Id: I058adf0021d9b89f4eac7534e366c29071f0f98b
- Update policy for new system service, used for Launcher/Apps to
fetch and render search results in their UI.
Bug: 162234997
Test: manual verification ($ adb shell service list)
Reference CL: aosp/831251
Change-Id: If3ae22aa2ad1d13aeac3dfefc5244db4b1734d96
via opening/closing a PF_KEY socket (this mirrors netd's privs)
Bug: 173167302
Test: m
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia2c2cb52c4ec9149db29dc86a7927e3432bd2b9b
