Commit graph

10 commits

Author SHA1 Message Date
Inseob Kim
09b27c7109 Add "DO NOT ADD statements" comments to public
For visibility

Bug: 232023812
Test: N/A
Change-Id: I0bc6dc568210b81ba1f52acb18afd4bcc454ea1c
2024-03-28 11:27:43 +09:00
Alan Stokes
5b73b80b0d Make shared_relro policy private.
Nothing should be depending on the details.

I haven't removed public/shared_relro.te entirely - there's a reference to shared_relro in public/app.te, and at least one reference to the domain outside of system policy.

Fix: 175867372
Test: Presubmits
Change-Id: I5fd4090f4b445520c4fa767c1835a5bb4e9cb146
2021-01-05 09:48:10 +00:00
Alan Stokes
c18e79e90c Add shared_relro dontaudit.
Use of StrictMode in framework code running in the app process can
generate a denial:

avc:  denied  { find } for pid=4050 uid=1037 name=network_management
 scontext=u:r:shared_relro:s0:c13,c260,c512,c768
 tcontext=u:object_r:network_management_service:s0
 tclass=service_manager permissive=0

But the code handles the failure properly so we suppress this.

Bug: 174750397
Test: Manual
Change-Id: I7b334db0dde4365ff19a7cf42a5139f35b5e6512
2020-12-17 14:10:07 +00:00
Jeff Vander Stoep
3b9fad192a Remove unused *_tmpfs types
Apps now all share the appdomain_tmpfs type.

Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: I5eac0adc7ecd10d19aa1bdf5f72efc7ed2a3a548
2019-01-30 21:54:40 +00:00
Jeff Vander Stoep
41a2abfc0d Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
2019-01-26 17:30:41 +00:00
Torne (Richard Coles)
0f326f3c47 Allow shared_relro to access PackageManager.
Allow the shared_relro creation process to make calls to PackageManager,
so that it can create a classloader corresponding to the current WebView
implementation. This avoids needing to pass an absolute path to the
native library to the process, which required that the calling code
duplicate existing logic in the framework to find the library and
resulted in bugs and inconsistencies.

Bug: 110790153
Test: WebView-related CTS and GTS tests
Change-Id: I9902bb0400e2a800021dac06278151c8541d458f
2018-09-11 16:26:56 -04:00
Torne (Richard Coles)
75a41c5951 Allow shared_relro to connect to activity_service.
The comment in the policy implied this was already the case, but it
wasn't actually being used and appears to have been removed. This will
now be required by a framework change, so actually add the rule to allow
it.

Bug: 19061358
Test: verify that WebViewLoader process doesn't die from selinux denial
Change-Id: Ib1ed9138a83660ae343e0b665cdfadccdd0c6c97
2017-07-24 17:38:40 -04:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from shared_relro.te (Browse further)