No longer necessary after android.process.media moved to the
priv_app domain. Verified no new denials via audit2allow rule.
Bug: 25085347
Change-Id: I2d9498d5d92e79ddabd002b4a5c6f918e1eb9bcc
This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).
Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.
BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.
Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.
Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.
Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.
Strengthen the neverallow on opening tun_device to include all Apps.
Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.
Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d
Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.
(cherry picked from commit 89765083f7)
Bug: 22846070
Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
This allows apps to find the healthd service which is used to query
battery properties.
Bug: 24759218
Change-Id: I72ce5a28b2ffd57aa424faeb2d039b6c92f9597d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.
Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d
neverallow access to untrusted_app and isolated app
Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.
Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
Privileged apps now run in the priv_app domain. Remove permissions
from untrusted_app that were originally added for GMS core, Finsky, and
Play store.
Bug: 22033466
Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be
Third party vpn apps must receive open tun fd from the framework
for device traffic.
neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.
Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
CTS relies on the ability to see all services on the system to make sure
the dump permission is properly enforced on all services. Allow this.
Bug: 23476772
Change-Id: I144b825c3a637962aaca59565c9f567953a866e8
Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls
Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
As an optimization, platform components like MediaProvider may choose
to shortcut past the FUSE daemon and return open file descriptors
directly pointing at the underlying storage device.
Now that we have a specific label for /mnt/media_rw, we need to grant
search access to untrusted apps like MediaProvider. The actual
access control is still managed by POSIX permissions on that
directory.
avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
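Several of these commits verify a change with audit2allow or an auditallow rule. The following is an added example, not part of any commit above: it parses the avc denial quoted in the previous message into a candidate allow rule, the way audit2allow does, and flags candidates that would collide with the kind of neverallow rules this log describes (tun_device open, debugfs reads from untrusted_app). The NEVERALLOW table is a hypothetical stand-in, not the real policy text.

```python
import re
from dataclasses import dataclass

# Constructed sample: the denial quoted in the commit message above.
SAMPLE_DENIAL = ('avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 '
                 'scontext=u:r:untrusted_app:s0:c512,c768 '
                 'tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0')

# Hypothetical neverallow list mirroring rules described in this log:
# (source domain, target type, class, permissions). Not the real policy.
NEVERALLOW = [
    ("untrusted_app", "tun_device", "chr_file", {"open"}),
    ("untrusted_app", "debugfs", "file", {"read"}),
]

# Fields of an avc denial: permissions in braces, then the source and
# target security contexts and the object class.
DENIAL_RE = re.compile(
    r'avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scon>\S+) +tcontext=(?P<tcon>\S+) +tclass=(?P<tclass>\S+)')


@dataclass(frozen=True)
class Denial:
    sdomain: str
    ttype: str
    tclass: str
    perms: frozenset


def parse_denial(line):
    """Return a Denial for an avc line, or None if the line is not a denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    sdomain = m.group("scon").split(":")[2]   # u:r:<domain>:s0[:cats]
    ttype = m.group("tcon").split(":")[2]     # u:object_r:<type>:s0
    return Denial(sdomain, ttype, m.group("tclass"),
                  frozenset(m.group("perms").split()))


def candidate_rule(d):
    """The allow rule audit2allow would propose for this denial."""
    return f"allow {d.sdomain} {d.ttype}:{d.tclass} {{ {' '.join(sorted(d.perms))} }};"


def violates_neverallow(d):
    """True if granting the candidate rule would break a neverallow entry."""
    return any(d.sdomain == s and d.ttype == t and d.tclass == c and d.perms & p
               for s, t, c, p in NEVERALLOW)
```

A candidate that violates a neverallow entry should be dropped and the caller relabelled or redesigned rather than the rule added, which is the decision each commit above records.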
Programs routinely scan through /system, looking at the files there.
Don't generate an SELinux denial when it happens.
Bug: 21120228
Change-Id: I85367406e7ffbb3e24ddab6f97448704df990603
MAC address access is no longer allowed via the java API. Deny access
from native code.
Bug: 17787238
Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.
(cherry picked from commit effcac7d7e)
Bug: 20526234
Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.
Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
Move the following services from tmp_system_server_service to appropriate
attributes:
network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats
Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
Move the following services from tmp_system_server_service to appropriate
attributes:
jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats
Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1