Apps targeting API version 28+ are not allowed to access:
/proc/xt_qtaguid/*
/dev/xt_qtaguid
Instant apps should also be excluded from access.
Fixes: 92796393
Test: make -j cts_instant
cts-instant-tradefed run commandAndExit cts-instant-dev \
-m CtsPermissionTestCases \
--test android.permission.cts.FileSystemPermissionTest
Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
This was defined, but it had no users in the Android tree.
Because of this, ODM manifests required extra sepolicy to be applied
in vendor. Before this, there was no policy split, so that was okay,
but now it is impossible.
Bug: 91735839
Test: add an odm manifest for SE conditional on
a system property (ro.boot.product.hardware.sku)
and make sure it is read into the manifest (using
the vintf tool) and also that a client can get the
$ lshal | grep secure
Y android.hardware.secure_element@1.0::ISecureElement/SIM1 0/2 881 2262 567
Change-Id: I94a2928943be6a17416b8bbd78106809c0c21198
Merged-In: I94a2928943be6a17416b8bbd78106809c0c21198
This commit contains the changes needed to add the new
time detector system server service.
Bug: 78217059
Test: make / booted device
Change-Id: I7cfaac6cac876e4aa73e8af1aa5f837117bb9ad7
Clatd and zygote
are all overprivileged
as is storaged
Test: Verify no "granted" messages from dogfooders. Build flash
aosp_taimen-userdebug. Verify no denials.
Change-Id: I735adcffed553962ad12072716a7200883930dcf
This was defined, but it had no users in the Android tree.
Because of this, ODM manifests required extra sepolicy to be applied
in vendor. Before this, there was no policy split, so that was okay,
but now it is impossible.
Bug: 91735839
Test: add an odm manifest for SE conditional on
a system property (ro.boot.product.hardware.sku)
and make sure it is read into the manifest (using
the vintf tool) and also that a client can get the
$ lshal | grep secure
Y android.hardware.secure_element@1.0::ISecureElement/SIM1 0/2 881 2262 567
Change-Id: I94a2928943be6a17416b8bbd78106809c0c21198
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.
Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.
Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.
Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Merged-In: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
(cherry picked from commit c0f8f2f82a)
System properties can be abused to get around Treble requirements of
having a clean system/vendor split. This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.
Bug: 78598545
Test: build 2017 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
(cherry picked from commit cdb1624c27)
We are not forbidding system_writes_vendor_properties_violators in P,
i.e. this neverallow rule is not strictly enforced.
Bug: 80466516
Bug: 78598545
Test: build policy
Change-Id: Iaf0ebbd2b27adf8c48082caa874e53f32bf999fc
Before, it was possible to access a hwservice without declaring
that you were a client.
This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)
which makes sure the above implication holds using a neverallow rule.
Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.
Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.
Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.
In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.
Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
Using hal_foo attributes in neverallow rules does not work because
they are auto-expanded to types. Use hal_foo_server types instead.
Fixes the following error:
unit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule: neverallow
{ domain -coredomain -bluetooth -hal_bluetooth } { bluetooth_prop }:
property_service set; Warning! Type or attribute hal_bluetooth used
in neverallow undefined in policy being checked.
Test: CtsSecurityHostTestCases
Bug: 80153368
Change-Id: I2baf9f66d2ff110a4f181423790a1160a6e138da
