49ac2a3d7a40d998e3b1be0b0172be8f651bc935 | 20-May-2016 | Fyodor Kupolov <fkupolov@google.com>
SELinux policies for /data/preloads directory

A new directory is created in the user data partition that contains preloaded content such as a retail mode demo video and pre-loaded APKs. The new directory is writable/deletable by system server. It can only be readable (including directory list) by privileged or platform apps.

Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
/system/sepolicy/platform_app.te

743969baeabcc50ff7db6c64b227780a15d2e510 | 06-Apr-2016 | Ruben Brunk <rubenbrunk@google.com>
Update selinux policy for VrManager AIDL.

Bug: 27884853
Change-Id: I097306a324bdc25c5d22868f0342e175ce0dbb9a
/system/sepolicy/platform_app.te

33fe4784c35b1c33d470e9bdfdf7d0f865561947 | 25-Feb-2016 | Oleksandr Peletskyi <peletskyi@google.com>
Modified security policy to allow user to get their own icon.

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d
/system/sepolicy/platform_app.te

8f5a891ff8c394ae462632bd62dc42e4392d646f | 10-Feb-2016 | dcashman <dcashman@google.com>
Make voiceinteractionservice app_api_service.

Address the following denial from 3rd party voice interaction test:

SELinux : avc: denied { find } for service=voiceinteraction pid=30281 uid=10139 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0

Bug: 27105570
Change-Id: Ib87d364673cbc883df017bcda7fe1e854a76654f
/system/sepolicy/platform_app.te

c3ba2e5130d28a0025f798f8b739ee86084fe9da | 03-Feb-2016 | Marco Nelissen <marcone@google.com>
selinux rules for codec process

Bug: 22775369
Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
/system/sepolicy/platform_app.te

c8b21438c6c8576dd0fe85978b32ce9154f25e6a | 01-Feb-2016 | dcashman <dcashman@google.com>
Allow platform app to get handle to voiceinteraction service.

Address the following denial caused by systemui:

avc: denied { find } for service=voiceinteraction pid=10761 uid=10029 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0

Bug: 26842457
Change-Id: I8274d7f31a4390ccfb885389302e4fea9ce0e389
/system/sepolicy/platform_app.te

b1bf83fd794c5863289edf459c8c05a906dac9f7 | 28-Jan-2016 | Marco Nelissen <marcone@google.com>
Revert "selinux rules for codec process"

This reverts commit 2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
/system/sepolicy/platform_app.te

e0378303b5ec8a4440fcdea38cca7ebf695dc2b3 | 04-Dec-2015 | Chien-Yu Chen <cychen@google.com>
selinux: Update policies for cameraserver

Update policies for cameraserver so it has the same permissions as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
/system/sepolicy/platform_app.te

2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd | 17-Dec-2015 | Marco Nelissen <marcone@google.com>
selinux rules for codec process

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
/system/sepolicy/platform_app.te

e97bd887ca353ae02dd1641687431786d7d60cd6 | 05-Jan-2016 | Felipe Leme <felipeal@google.com>
Creates a new permission for /cache/recovery am: 549ccf77e3 am: b16fc899d7

* commit 'b16fc899d718f91935932fb9b15de0a0b82835c8':
  Creates a new permission for /cache/recovery

549ccf77e3fd23bb6c690da7023441c1007c4fd8 | 22-Dec-2015 | Felipe Leme <felipeal@google.com>
Creates a new permission for /cache/recovery

This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
/system/sepolicy/platform_app.te

b03831fe58be86cfd94c31b91def6ae53ebd614f | 09-Sep-2015 | Marco Nelissen <marcone@google.com>
Add rules for running audio services in audioserver

audioserver has the same rules as mediaserver so there is no loss of rights or permissions. media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
/system/sepolicy/platform_app.te

d20a46ef175079d210da8320d8c8ce32cbe8207f | 04-Nov-2015 | Jeff Vander Stoep <jeffv@google.com>
Create attribute for moving perms out of domain am: d22987b4da am: e2280fbcdd am: b476b95488

* commit 'b476b954882a48bf2c27da0227209c197dcfb666':
  Create attribute for moving perms out of domain

d22987b4daf02a8dae5bb10119d9ec5ec9f637cf | 03-Nov-2015 | Jeff Vander Stoep <jeffv@google.com>
Create attribute for moving perms out of domain

Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
/system/sepolicy/platform_app.te

0f754edf7b72582ed28d062a9c8f1b911d57a6f3 | 22-Sep-2015 | Marco Nelissen <marcone@google.com>
Update selinux policies for mediaextractor process

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd
/system/sepolicy/platform_app.te

c9036fb1c1d6a16c6686ada777e01cc1bf63d6fe | 18-Apr-2015 | Jeff Sharkey <jsharkey@android.com>
Grant platform apps access to /mnt/media_rw.

Raw physical storage devices are mounted by vold under /mnt/media_rw and then wrapped in a FUSE daemon that presents them under /storage. Normal apps only have access through /storage, but platform apps (such as ExternalStorageProvider) often bypass the FUSE daemon for performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
/system/sepolicy/platform_app.te

bd7f5803f924b0ca318c1d426b683c3f658754f9 | 09-Apr-2015 | dcashman <dcashman@google.com>
Enforce more specific service access.

Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging:

registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
/system/sepolicy/platform_app.te

03a6f64f9568e2c58eb043463a5b4ff1cf10bef6 | 08-Apr-2015 | dcashman <dcashman@google.com>
Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate attributes:

network_management network_score notification package permission persistent power print processinfo procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
/system/sepolicy/platform_app.te

91b7c67d1647b2a88b1547cc57b69fc685bbac18 | 08-Apr-2015 | dcashman <dcashman@google.com>
Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate attributes:

jobscheduler launcherapps location lock_settings media_projection media_router media_session mount netpolicy netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
/system/sepolicy/platform_app.te

3cc6fc5ffbd6e3d647f8c425e5298912d3733e45 | 07-Apr-2015 | dcashman <dcashman@google.com>
Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate attributes:

diskstats display dreams dropbox ethernet fingerprint graphicstats hardware hdmi_control input_method input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
/system/sepolicy/platform_app.te

d4c78f4b3fed1ca77aa9f13e757644aca3ed2b21 | 07-Apr-2015 | dcashman <dcashman@google.com>
Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate attributes:

battery bluetooth_manager clipboard commontime_management connectivity content country_detector device_policy deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
/system/sepolicy/platform_app.te

4cdea7fc40ea29c8cf4134a71b67808d143ec9dc | 04-Apr-2015 | dcashman <dcashman@google.com>
Assign app_api_service attribute to services.

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
/system/sepolicy/platform_app.te

b075338d0e335eb2dbd786ae4f8e033e78eeca37 | 03-Apr-2015 | dcashman <dcashman@google.com>
Assign app_api_service attribute to services.

Move accessibility, account, appops and activity services into enforcing with app_api_service level of access, with additional grants to mediaserver and isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
/system/sepolicy/platform_app.te

d12993f0846744ae8188a299cb1bb135014f626a | 03-Apr-2015 | dcashman <dcashman@google.com>
Add system_api_service and app_api_service attributes.

System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately.

Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
/system/sepolicy/platform_app.te

8af4e9cb0032244b0a356eb236ea97379956fa52 | 01-Apr-2015 | dcashman <dcashman@google.com>
Record observed service accesses.

Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
/system/sepolicy/platform_app.te

e8064afb5e8adc96d1becc7b31a8a92f77e284d9 | 23-Mar-2015 | John Reck <jreck@google.com>
Add graphicsstats service

Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
/system/sepolicy/platform_app.te

23f336156daf61ba07c024af2fe96994605f46eb | 03-Mar-2015 | dcashman <dcashman@google.com>
Record observed system_server servicemanager service requests.

Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries:

avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
/system/sepolicy/platform_app.te

566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63 | 17-Jan-2015 | dcashman <dcashman@google.com>
Record service accesses.

Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
/system/sepolicy/platform_app.te

c631ede7dc7cb131b1bdd03ce296eeac53dc9add | 16-Jan-2015 | dcashman <dcashman@google.com>
Remove known system_server service accesses from auditing.

Address observed audit logs of the form:

granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
/system/sepolicy/platform_app.te

4a89cdfa89448c8660308a31bfcb517fffaa239e | 17-Dec-2014 | dcashman <dcashman@google.com>
Make system_server_service an attribute.

Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
/system/sepolicy/platform_app.te

3fbeb180db7ac652f651b3724806b784c8604c50 | 23-Dec-2014 | dcashman <dcashman@google.com>
Allow find access to drmserver_service from nfc and platform_app.

Address the following denials:

SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manage
SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

Bug: 18831075
Change-Id: I2c162f58f4adae9f6c544f9d9c6a9300877b4f36
/system/sepolicy/platform_app.te

cd82557d4069c20bda8e18aa7f72fc0521a3ae32 | 12-Dec-2014 | dcashman <dcashman@google.com>
Restrict service_manager find and list access.

All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
/system/sepolicy/platform_app.te

b8511e0d98880a683c276589ab7d8d7666b7f8c1 | 07-Jul-2014 | Riley Spahn <rileyspahn@google.com>
Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
/system/sepolicy/platform_app.te

d33568264f0843feafc2d17c38e863f914f1fc57 | 09-Jul-2014 | Jeff Sharkey <jsharkey@android.com>
Let DCS read staged APK clusters.

DCS is DefaultContainerService.

avc: denied { getattr } for path="/data/app/vmdl2.tmp" dev="mmcblk0p28" ino=162910 scontext=u:r:platform_app:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir

Bug: 14975160
Change-Id: Ifca9afb4e74ebbfbeb8c01e1e9ea65f5b55e9375
/system/sepolicy/platform_app.te

8429c9b365dfc09e900e58f33346a073b92a25d9 | 10-May-2014 | Stephen Smalley <sds@tycho.nsa.gov>
Make platform_app enforcing.

Change-Id: Ib4cbaee280628845d026e827d7e16f347594fc26
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

778520650a6b3e9a1ce587da996bf50e6265d8be | 05-May-2014 | Stephen Smalley <sds@tycho.nsa.gov>
Remove platform_app shell_data_file:lnk_file read access.

Not sure what denial originally motivated adding this access, but drop it and see if it resurfaces. platform_app is still permissive_or_unconfined() so this should not break anything.

Change-Id: Ia4418080e3477346fa48d23b4bb5d53396ed5593
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

9ba844fea12a0b08770e870d63f3d3c375c7c9b5 | 04-Apr-2014 | Stephen Smalley <sds@tycho.nsa.gov>
Coalesce shared_app, media_app, release_app into untrusted_app.

This change folds the shared_app, media_app, and release_app domains into untrusted_app, reducing the set of app domains down to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth, nfc, radio), a single domain for apps signed by the platform key (platform_app), and a single domain for all other apps (untrusted_app). Thus, SELinux only distinguishes when already distinguished by a predefined Android ID (AID) or by the platform certificate (which get the signature-only Android permissions and thus may require special OS-level accesses). It is still possible to introduce specific app domains for specific apps by adding signer and package stanzas to mac_permissions.xml, but this can be done on an as-needed basis for specialized apps that require particular OS-level permissions outside the usual set.

As there is now only a single platform app domain, get rid of the platformappdomain attribute and platform_app_domain() macro. We used to add mlstrustedsubject to those domains but drop this since we are not using MLS in AOSP presently; we can revisit which domains need it if/when we use MLS.

Since we are dropping the shared, media, and release seinfo entries from seapp_contexts, drop them from mac_permissions.xml as well. However, we leave the keys.conf entries in case someone wants to add a signer entry in the future for specific apps signed by those keys to mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

f9c3257fbaa16dbbffe3493b103d0b16ada1c0b5 | 12-Mar-2014 | Stephen Smalley <sds@tycho.nsa.gov>
Get rid of separate download_file type.

This appears to have been created to allow untrusted_app to access DownloadProvider cache files without needing to allow open access to platform_app_data_file. Now that platform_app_data_file is gone, there is no benefit to having this type. Retain a typealias for download_file to app_data_file until restorecon /data/data support is in place to provide compatibility.

This change depends on: https://android-review.googlesource.com/#/c/87801/

Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

b0db712bf048dc634363b658a647b1f1897d8433 | 06-Mar-2014 | Stephen Smalley <sds@tycho.nsa.gov>
Clean up, unify, and deduplicate app domain rules.

Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as:

avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

623975fa5aece708032aaf29689d73e1f3a615e7 | 11-Jan-2014 | Nick Kralevich <nnk@google.com>
Support forcing permissive domains to unconfined.

Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/system/sepolicy/platform_app.te

527316a21b80c2a70d8ed23351299a4dce0c77bf | 23-Dec-2013 | Stephen Smalley <sds@tycho.nsa.gov>
Allow use of art as the Android runtime.

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC. We already allow this for untrusted_app to support packaging of shared objects as assets but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

e13fabd75a1adb47abdaa115a793d2f1ad247af7 | 17-Dec-2013 | Stephen Smalley <sds@tycho.nsa.gov>
Label /data/media with its own type and allow access.

/data/media presently is left in system_data_file, which requires anything that wants to write to it to be able to write to system_data_file. Introduce a new type for /data/media, media_rw_data_file (to match the media_rw UID assigned to it and distinguish it from /data/misc/media which has media UID and media_data_file type), and allow access to it. We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted to signature|system. We should not have to allow it to untrusted_app.

Set up type transitions in sdcardd to automatically label any directories or files it creates with the new type.

Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

5637099a252c7ef647ca22d1d1094d67f54bb916 | 23-Oct-2013 | Stephen Smalley <sds@tycho.nsa.gov>
Confine all app domains, but make them permissive for now.

As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/platform_app.te

353c72e3b0b4d7d729af20f0c9a13c976baa8753 | 21-Oct-2013 | Nick Kralevich <nnk@google.com>
Move unconfined domains out of permissive mode.

This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work. When we're ready to tighten up the rules for these domains, we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
/system/sepolicy/platform_app.te

748fdef626d1dda2a0a727ea35d85d04363f5307 | 13-Jul-2013 | Nick Kralevich <nnk@google.com>
Move *_app into their own file

app.te covers a lot of different app types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes.

No functional change.

Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
/system/sepolicy/platform_app.te