We are not forbidding system_writes_vendor_properties_violators in P,
i.e. this neverallow rule is not strictly enforced.
Bug: 80466516
Bug: 78598545
Test: build policy
Change-Id: Iaf0ebbd2b27adf8c48082caa874e53f32bf999fc
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.
Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.
Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.
In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.
Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
Using hal_foo attributes in neverallow rules does not work because
they are auto-expanded to types. Use hal_foo_server types instead.
Fixes the following error:
unit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule: neverallow
{ domain -coredomain -bluetooth -hal_bluetooth } { bluetooth_prop }:
property_service set; Warning! Type or attribute hal_bluetooth used
in neverallow undefined in policy being checked.
Test: CtsSecurityHostTestCases
Bug: 80153368
Change-Id: I2baf9f66d2ff110a4f181423790a1160a6e138da
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
After https://android-review.googlesource.com/688488
BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR can now specify multiple
directories.
Bug: n/a
Test: build sepolicy
Change-Id: Ie2af81a4f9462cd05352db71fd1e515531d42334
The bug_map file is only used whitelisting known test failures. It
needs to change fairly often to fix new failures and it doesn't affect
users, so it shouldn't matter if it diverges from prebuilts.
Test: Enable this test and build with and without different bug_maps.
Change-Id: I9176a6c7e9f7852a0cd7802fd121b1e86b216b22
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
apns downloaded will enter a new directory that
TelephonyProvider can access.
Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
Merged-In: I1e7660adf020dc7052da94dfa03fd58d0386ac55
