This can be used as a side channel to observe when an application
is launched.
Gate this restriction on the application's targetSdkVersion to
avoid breaking existing apps. Only apps targeting 34 and above will
see the new restriction.
Remove duplicate permissions from public/shell.te. Shell is
already appdomain, so these permissions are already granted to it.
Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: Ic7577884e9d994618a38286a42a8047516548782
The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.
Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
ro.secure and ro.debuggable system properties are not intended
to be visible via Android SDK. This change blocks untrusted
apps from reading these properties.
Test: android.security.SELinuxTargetSdkTest
Bug: 193912100
Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.
Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Change-Id: I32ebb407b8dde1c872f53a1bc3c1ec20b9a5cb49
