The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.
Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.
Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Change-Id: I32ebb407b8dde1c872f53a1bc3c1ec20b9a5cb49
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.
Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.
Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
This reverts commit a1aa2210a9.
Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission
Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.
Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.
Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
Apps now all share the appdomain_tmpfs type.
Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: I5eac0adc7ecd10d19aa1bdf5f72efc7ed2a3a548
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.
Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...
Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.
Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.
Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc)
This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from untrusted_domain_current
attribute (as expected).
Bug: 31364497
Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92
/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.
Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:
1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive
While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.
Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy. These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware. Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.
(cherry-pick of commit: 76035ea019)
Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
Lock in the gains we've made so far in restricting access to generically
labeled /proc files. There's more we can do here, but let's avoid
inadvertent regressions.
Test: policy compiles. Only compile time assertions added.
Bug: 26813932
Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a
The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.
It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).
Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
