platform_system_sepolicy/public
Alex Klyubin 20151072a7 Restrict access to ro.serialno and ro.boot.serialno
This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.

The reason for the restriction is that the serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.

Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-22 11:38:29 -08:00
adbd.te Restrict access to ro.serialno and ro.boot.serialno 2016-12-22 11:38:29 -08:00
app.te Allow binder IPC between ephemeral app and appdomain 2016-12-14 21:06:57 +00:00
atrace.te Fix build. 2016-12-06 16:49:25 -08:00
attributes hal_health: express the sepolicy as attribute 2016-12-17 16:17:36 +00:00
audioserver.te clean up hal types 2016-10-26 09:50:04 -07:00
binderservicedomain.te
blkid.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
blkid_untrusted.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
bluetooth.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
bluetoothdomain.te
boot_control_hal.te
bootanim.te Add sepolicy for hwcomposer HAL 2016-11-14 01:54:33 +00:00
bootstat.te Assign a label to the ro.boottime.* properties 2016-12-14 13:45:01 -08:00
cameraserver.te Add sepolicy for gralloc-alloc HAL 2016-11-14 01:09:51 +00:00
charger.te healthd: create SEPolicy for 'charger' and reduce healthd's scope 2016-12-15 18:17:13 -08:00
clatd.te
cppreopts.te
debuggerd.te debuggerd.te: remove domain_deprecated 2016-12-09 19:17:16 -08:00
device.te /dev/port does not seem to be used, adding in rules to confirm. 2016-12-04 16:46:11 -08:00
dex2oat.te Label ephemeral APKs and handle their install/uninstall 2016-11-12 00:27:28 +00:00
dhcp.te
dnsmasq.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
domain.te Restrict access to ro.serialno and ro.boot.serialno 2016-12-22 11:38:29 -08:00
domain_deprecated.te domain_deprecated.te: remove /proc/net access 2016-11-30 15:23:26 -08:00
drmserver.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
dumpstate.te Restrict access to ro.serialno and ro.boot.serialno 2016-12-22 11:38:29 -08:00
ephemeral_app.te Allow binder IPC between ephemeral app and appdomain 2016-12-14 21:06:57 +00:00
file.te Move MediaProvider to its own domain, add new MtpServer permissions 2016-12-12 11:05:33 -08:00
fingerprintd.te Add directory read permissions to certain domains. 2016-11-28 17:03:41 +00:00
fsck.te
fsck_untrusted.te
gatekeeperd.te Add directory read permissions to certain domains. 2016-11-28 17:03:41 +00:00
global_macros
hal_audio.te Allow hal_audio to set scheduling policy for its threads 2016-12-22 09:26:41 -08:00
hal_boot.te Add permissions for hal_boot 2016-11-21 10:09:40 -08:00
hal_dumpstate.te Add hal_dumpstate attribute. 2016-12-16 10:48:32 -08:00
hal_graphics_allocator.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_graphics_composer.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_health.te hal_health: express the sepolicy as attribute 2016-12-17 16:17:36 +00:00
hal_ir.te Add sepolicy for consumerir HIDL HAL 2016-12-13 15:23:13 -08:00
hal_light.te Move hal_light to attribute. 2016-11-18 08:40:04 -08:00
hal_memtrack.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_nfc.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_power.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_thermal.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_vibrator.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_vr.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
hal_wifi.te All hal policies expressed as attributes. 2016-12-13 17:18:27 -08:00
healthd.te Remove 'net_admin' capability from healthd 2016-12-16 11:45:22 -08:00
hostapd.te
hwservicemanager.te hwbinder_use: allow for hwservicemanager callbacks. 2016-12-15 14:17:27 -08:00
idmap.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
init.te logcat: introduce split to logd and logpersist domains 2016-12-20 20:31:03 +00:00
inputflinger.te Remove domain_deprecated from some domains. 2016-11-25 17:37:30 -08:00
install_recovery.te
installd.te Allow installd to measure size of dexopt links. 2016-12-16 15:05:03 -07:00
ioctl_defines
ioctl_macros Add TCSETS to unpriv_tty_ioctls 2016-12-07 15:59:34 -08:00
isolated_app.te isolated_app.te: Give permissions for using sdcardfs 2016-12-12 13:16:24 -08:00
kernel.te kernel.te: tighten entrypoint / execute_no_trans neverallow 2016-10-30 18:46:44 -07:00
keystore.te
lmkd.te Remove domain_deprecated from some domains. 2016-11-25 17:37:30 -08:00
logd.te init: only allowed to transition to logpersist or logd 2016-12-21 07:40:30 -08:00
logpersist.te init: permit logpersist transition for the time being (STOPSHIP) 2016-12-21 14:37:24 -08:00
mdnsd.te
mediaanalytics.te Allow access to mediaanalytics service 2016-12-03 00:06:20 +00:00
mediacodec.te Allow access to mediaanalytics service 2016-12-03 00:06:20 +00:00
mediadrmserver.te Restrict access to ro.serialno and ro.boot.serialno 2016-12-22 11:38:29 -08:00
mediaextractor.te Allow access to mediaanalytics service 2016-12-03 00:06:20 +00:00
mediaserver.te Allow access to mediaanalytics service 2016-12-03 00:06:20 +00:00
mtp.te
net.te Allow ephemeral apps network connections 2016-11-14 12:24:51 -08:00
netd.te domain_deprecated.te: remove /proc/net access 2016-11-30 15:23:26 -08:00
neverallow_macros
nfc.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
otapreopt_chroot.te
otapreopt_slot.te
perfprofd.te Fix build. 2016-12-06 16:49:25 -08:00
platform_app.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
postinstall.te
postinstall_dexopt.te
ppp.te domain_deprecated.te: remove /proc/net access 2016-11-30 15:23:26 -08:00
preopt2cachename.te
priv_app.te priv_app.te: drop app_data_file:file execute_no_trans; 2016-12-19 13:48:50 -08:00
profman.te profman/debuggerd: allow libart_file:file r_file_perms 2016-11-08 09:28:28 -08:00
property.te Restrict access to ro.serialno and ro.boot.serialno 2016-12-22 11:38:29 -08:00
racoon.te racoon: remove domain_deprecated attribute 2016-10-15 17:15:25 -07:00
radio.te Whitespace fix 2016-12-09 20:14:31 -08:00
recovery.te Restrict access to ro.serialno and ro.boot.serialno 2016-12-22 11:38:29 -08:00
recovery_persist.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
recovery_refresh.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
rild.te SEPolicy changes for radio hal. 2016-12-04 22:50:15 +00:00
roles sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
runas.te
sdcardd.te Allow sdcardd to remount sdcardfs 2016-11-28 16:10:27 -08:00
service.te Add coverage service. 2016-12-19 11:04:33 -08:00
servicemanager.te Remove domain_deprecated from some domains. 2016-11-25 17:37:30 -08:00
sgdisk.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
shared_relro.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
shell.te logcat: introduce split to logd and logpersist domains 2016-12-20 20:31:03 +00:00
slideshow.te
su.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
surfaceflinger.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
system_app.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
system_server.te Restrict access to ro.serialno and ro.boot.serialno 2016-12-22 11:38:29 -08:00
te_macros Remove ENABLE_TREBLE from sepolicy. 2016-12-21 12:29:02 -08:00
tee.te
toolbox.te
tzdatacheck.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
ueventd.te Revert "ueventd.te: auditallow device:chr_file" 2016-12-05 17:29:25 +00:00
uncrypt.te
untrusted_app.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
update_engine.te Add permissions for hal_boot 2016-11-21 10:09:40 -08:00
update_engine_common.te
update_verifier.te Add permissions for hal_boot 2016-11-21 10:09:40 -08:00
vdc.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
vold.te Removing file system remount permission from vold 2016-12-13 15:37:33 -08:00
watchdogd.te
webview_zygote.te Allow webview_zygote to read/execute installed APKs. 2016-12-06 18:14:46 +00:00
wificond.te hal_wifi: Allow system_server to access wifi HIDL services 2016-12-12 10:40:14 -08:00
wpa.te hal_wifi: Allow system_server to access wifi HIDL services 2016-12-12 10:40:14 -08:00
zygote.te zygote: drop braces on single item rule 2016-11-28 08:07:25 -08:00