Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy, and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
(cherry picked from commit e01654f982)
For Retail Demo mode, we need to preload photos in
/data/preloads and allow regular apps to access the
photos returned by the media provider from the preloads
directory.
Bug: 29940807
Change-Id: Ic1061dac55ace1b125ae04b5b0c70aae9aa0c732
untrusted_app lost all of the domain_deprecated permissions in N,
including the ability to read asec_apk_file dirs. This is used for
forward locked apps.
Addresses the following denials:
avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0
(cherry-pick of internal commit: addd3c9fba)
Bug: 30082229
Change-Id: I87758f1daee19197d9299bca261f0324e01af5e0
am: f77bc23
* commit 'f77bc233ad7d3c7d3792d58ae96da1a522aeb73b':
Further restrict socket ioctls available to apps
Change-Id: I22e9e935d6cc4805e80f44de71aa7622a8f2bf1b
(cherry picked from commit 6ba383c575)
Restrict unix_dgram_socket and unix_stream_socket to a whitelist.
Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.
Neverallow third party app use of all ioctls other than
unix_dgram_socket, unix_stream_socket, netlink_selinux_socket,
netlink_route_socket, tcp_socket, udp_socket and rawip_socket.
Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.
Bug: 18340553
Bug: 27853304
(cherry picked from commit 369cf8cde5)
Change-Id: Ib33e7ea0342ad28e5a89dfffdd9bc16fe54d8b3d
Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.
Bug: 18340553
Bug: 27853304
Change-Id: I249fe2a46401b660efaa3f1102924a448ed750d5
Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries. Mark it as an app_api_service so
that all applications may use this API. Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties. As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.
(cherry-picked from commit: 9ed71eff4b)
Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9
Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries. Mark it as an app_api_service so
that all applications may use this API. Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties. As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.
Bug: 27442760
Change-Id: I5c0f9d7992ff2ec64adaeef22356e88fd0e8169c
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
(cherry-pick from internal commit: 85c0f8affa)
Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
It's unlikely we'll get /proc locked down for the N release, so
delete the auditallow to avoid spamming the logs. Mark this
commit as DO NOT MERGE so we can continue to make progress on this
for future Android releases.
Change-Id: Ibf27bc5cb1b23c21e123aae8a4f190560d0ac2dc
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile-guided compiled.
Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check whether or not a file with a
given name exists.
Bug: 27334750
Bug: 26080105
Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
Bluetooth uses the tun device for tethering. Allow access.
STEPS TO REPRODUCE:
0. Have two devices to test on, say Device A and Device B
1. On Device A, go to Settings -> Bluetooth.
2. Turn on Bluetooth.
3. Pair it with device B
4. Tap on the paired device
OBSERVED RESULTS:
-Bluetooth share crash is observed with "Bluetooth share has stopped"
error message
-Unable to use Bluetooth tethering due to this issue
EXPECTED RESULTS:
No crash and Bluetooth devices should be able to connect for tethering
Addresses the following denial:
com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0
Bug: 27372573
(cherry picked from commit 9a1347eee6)
Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497
Bluetooth uses the tun device for tethering. Allow access.
STEPS TO REPRODUCE:
0. Have two devices to test on, say Device A and Device B
1. On Device A, go to Settings -> Bluetooth.
2. Turn on Bluetooth.
3. Pair it with device B
4. Tap on the paired device
OBSERVED RESULTS:
-Bluetooth share crash is observed with "Bluetooth share has stopped"
error message
-Unable to use Bluetooth tethering due to this issue
EXPECTED RESULTS:
No crash and Bluetooth devices should be able to connect for tethering
Addresses the following denial:
com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0
Bug: 27372573
Change-Id: I07724d8d68ffcdda691f1179787a4f40a0ab1c73
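Working a denial through by hand, as the commits above do, means parsing the avc line, writing the allow rule it asks for, and then checking that rule against the neverallow assertions before it goes into policy. The script below is an added example, not code from the Android sepolicy project: it parses the asec and /dev/tun denials quoted above (the /dev/tun one joined back onto a single line) plus one constructed denial of an untrusted app reading an ANR trace, prints the audit2allow-style rule for each, and rejects any rule that a neverallow modelled as data forbids. The type name anr_data_file, the way the traces.txt assertion is modelled, and the dev/ino values in the constructed line are assumptions.

```python
"""
Triage SELinux AVC denials: parse "avc: denied" lines, emit the allow
rule audit2allow would propose, and check each proposal against
neverallow assertions.  Added example; not Android sepolicy code.
"""
import re
from dataclasses import dataclass

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


@dataclass
class Denial:
    perms: frozenset   # e.g. {"search"}
    stype: str         # source type from scontext, e.g. untrusted_app
    ttype: str         # target type from tcontext, e.g. asec_apk_file
    tclass: str        # object class, e.g. dir
    fields: dict       # every key=value the kernel printed (path, ino, comm, ...)


def parse_denial(line):
    """Return a Denial for an AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group("rest")):
        quoted = raw.startswith('"')
        val = raw.strip('"')
        # The kernel audit layer hex-encodes an unquoted comm= when the
        # process name contains spaces or other awkward bytes; decode it.
        if key == "comm" and not quoted and HEX_RE.match(val):
            val = bytes.fromhex(val).decode("ascii", "replace")
        fields[key] = val
    # A context looks like u:r:untrusted_app:s0:c512,c768; the type is the
    # third colon-separated field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return Denial(frozenset(m.group("perms").split()), stype, ttype,
                  fields["tclass"], fields)


def allow_rule(d):
    """The rule audit2allow would print for this denial."""
    perms = sorted(d.perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d.stype} {d.ttype}:{d.tclass} {body};"


@dataclass(frozen=True)
class Neverallow:
    """One compile-time assertion: sources may never get perms on targets:tclass.
    complement=True models the ~{ ... } form, where everything NOT listed is forbidden."""
    sources: frozenset
    targets: frozenset
    tclass: str
    perms: frozenset
    complement: bool = False

    def forbids(self, d):
        """Return the subset of the denial's perms this assertion rules out."""
        if (d.stype not in self.sources or d.ttype not in self.targets
                or d.tclass != self.tclass):
            return frozenset()
        return d.perms - self.perms if self.complement else d.perms & self.perms


def triage(lines, neverallows):
    """Map each AVC line to (proposed allow rule, perms a neverallow forbids)."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        blocked = frozenset().union(*(na.forbids(d) for na in neverallows))
        out.append((allow_rule(d), blocked))
    return out


# Constructed sample input: the asec and /dev/tun denials quoted in the
# commit messages, plus one made-up denial of an untrusted app reading an
# ANR trace (dev/ino values invented).
SAMPLE_LOG = [
    'avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0',
    'avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0',
    'com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0',
    'avc: denied { read } for path="/data/anr/traces.txt" dev="sda35" ino=77 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:anr_data_file:s0 tclass=file permissive=0',
]

# The append-only assertion for /data/anr/traces.txt written as data.
# The label name anr_data_file is an assumption about the type of /data/anr.
TRACES_APPEND_ONLY = Neverallow(
    sources=frozenset({"isolated_app", "untrusted_app"}),
    targets=frozenset({"anr_data_file"}),
    tclass="file",
    perms=frozenset({"append"}),
    complement=True,
)

if __name__ == "__main__":
    for rule, blocked in triage(SAMPLE_LOG, [TRACES_APPEND_ONLY]):
        flag = f"  # REJECT: neverallow forbids {sorted(blocked)}" if blocked else ""
        print(rule + flag)
```

The first three denials produce plain allow rules; the fourth produces a rule that the append-only assertion rejects, which is the point of carrying neverallows alongside the denial log: the generated rule is only ever a proposal, and the assertions decide whether it may exist.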
Part of media security hardening
This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.
Bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
Access to proc is being removed but there are still some consumers. Add
an auditallow to identify them and adjust labels appropriately before
removal.
Change-Id: I853b79bf0f22a71ea5c6c48641422c2daf247df5
untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.
Keep untrusted_app file creation to sandbox, sdcard and media
locations.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
(cherry picked from commit bd0768cc93)
Change-Id: Ideb275f696606882d8a5d8fdedb48545a34de887
untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.
Keep untrusted_app file creation to sandbox, sdcard and media
locations.
Change-Id: Ife680cb9425dad8223651f16b9be8a3179839ec3
Signed-off-by: William Roberts <william.c.roberts@intel.com>