This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).
It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.
As there is now only a single platform app domains, get rid of the
platformappdomain attribute and platform_app_domain() macro. We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.
Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well. However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.
Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g. console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.
Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.
Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.
To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.
Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
Two new types are introduced:
sdcard_internal
sdcard_external
The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.
The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.
Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.
Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
