History log of /system/sepolicy/private/app_neverallows.te
Revision Date Author Comments
1f525e23fdf2c5d0af801277c15ddf9c13b454f7 14-Aug-2017 Sandeep Patil <sspatil@google.com> DO NOT MERGE: use 'expandattribute' for untrusted_app_visible_hwservice

Bug: 62658302
Test: Boot device and observe no new denials

Change-Id: If9a21610897b14a419f276289818127412c29c55
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/private/app_neverallows.te
b96864eb9beed52609c17776770fb2a4431d8a0f 14-Aug-2017 Sandeep Patil <sspatil@google.com> DO NOT MERGE: Add a way to allow untrusted_apps to talk to halserver domains

Vendor HAL extensions are currently allowed to discover hardware
services that are labelled with 'untrusted_app_visible_hwservice'.
However, the policy doesn't allow these apps to talk to these services.
This CL makes sure that is now possible via the
'untrusted_app_visible_halserver' attribute for vendor domains that host
such a service.

Bug: 64382381
Test: Boot device and observe no new denials.

Change-Id: I1ffc1a62bdf7506a311f5a19acdab8c7caec902b
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/private/app_neverallows.te
c9d4a86d0ab87ab3ba3849ffc0baafc046518b0f 12-Aug-2017 Sandeep Patil <sspatil@google.com> DO NOT MERGE: Revert "Revert "Remove neverallow preventing hwservice access for apps.""

This reverts commit ceed720415bc9c4a431af5cfc86aef814c3a91cc.

New HAL services that are added in the policy while the CL was reverted
are not made visible to applications by default. They are:
hal_neuralnetworks_hwservice
hal_wifi_offload_hwservice
system_net_netd_hwservice
thermalcallback_hwservice

Bug: 64578796
Test: Boot device

Change-Id: I84d65baddc757a5b0a38584430eff79a383aa8e0
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/private/app_neverallows.te
39fe4c715c061e84715fffd570c326f5bcf89c73 10-Jul-2017 Ranjith Kagathi Ananda <ranjithkagathi@google.com> Allow vendor domains to use the untrusted_app_all attribute

Remove restriction to restrict only domains in AOSP to use the
untrusted_app_all attribute

BUG=63167163
Test: Sanity check

Change-Id: I9e1b8605fad108f45f988d8198a9a1cadb8dfa5e
/system/sepolicy/private/app_neverallows.te
5637587d37aa56407bf2ab708230dbecb54e3a95 10-Jul-2017 Dan Cashman <dcashman@google.com> Split mediaprovider from priv_app.

This CL was accidentally reverted a second time by commit:
cb5129f9de195251aaab764b0bf343fb8da5700e. Submit it for the third,
and final, time.

Bug: 62102757
Test: Builds and boots.
/system/sepolicy/private/app_neverallows.te
78e595deabc477b6363c5c24f0556472055b99dd 17-May-2017 Chong Zhang <chz@google.com> cas: add CAS hal and switch to use hwservice

bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028
/system/sepolicy/private/app_neverallows.te
cb5129f9de195251aaab764b0bf343fb8da5700e 02-Jun-2017 Jerry Zhang <zhangjerry@google.com> Revert "Split mediaprovider from priv_app."

This reverts commit c147b592b88ae1e7268be64d5e3234c1829e0581.

The new domain changed neverallows, breaking CTS compatibility.
Revert the domain now, with the intention to re-add for the next
release.

Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005
/system/sepolicy/private/app_neverallows.te
5b3494ebc3d9d957c00ea6040bde8549ad428a3a 25-May-2017 Yifan Hong <elsk@google.com> Update selinux policy for policyvers retrieval.

Test: pass
Bug: 62073522
Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792
/system/sepolicy/private/app_neverallows.te
bd64d7fba884160efc00956730b9d7a8e2e268b6 27-Apr-2017 Nick Kralevich <nnk@google.com> Add untrusted_v2_app to all_untrusted_apps am: db5962cef5 am: eb710332cf
am: 16eb632a7f

Change-Id: Ifb5f7fd54973cf1de256404344bd8690a4f13c02
db5962cef514ad2cc49a56a3523659784f08fce2 27-Apr-2017 Nick Kralevich <nnk@google.com> Add untrusted_v2_app to all_untrusted_apps

This was accidentally omitted from all_untrusted_app

While I'm here, split across multiple lines and alphabetize.

Test: policy compiles.
Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
/system/sepolicy/private/app_neverallows.te
7acd15174a940d91aed76d82fa62786804b364b3 26-Apr-2017 Nick Kralevich <nnk@google.com> Merge "relax fuse_device neverallow rules" into oc-dev
am: c78db706d4

Change-Id: I7b866f588980ebb068629e326155976629bf2223
c78db706d46db0ecfe730caa4a8eb6d3d11cbb50 26-Apr-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "relax fuse_device neverallow rules" into oc-dev
45766d4178e443b29fee8cd9c8917847ea3a4cf1 26-Apr-2017 Nick Kralevich <nnk@google.com> relax fuse_device neverallow rules

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
/system/sepolicy/private/app_neverallows.te
cdcfb552eebef2bb61b6db240a20251f31251c42 26-Apr-2017 Alex Klyubin <klyubin@google.com> Merge "Assert ban on framework <-> vendor comms over VndBinder" into oc-dev
am: a9d7b895da

Change-Id: I040a1874e3a08510d9b7c9a107a149845dd1976c
00657834b8a0200f9000a81237b7f45d6ea966d9 25-Apr-2017 Alex Klyubin <klyubin@google.com> Assert ban on framework <-> vendor comms over VndBinder

This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
/system/sepolicy/private/app_neverallows.te
3b1307672c2472c331d9aee6b3833a846f7ef90b 25-Apr-2017 Alex Klyubin <klyubin@google.com> Merge "Assert untrusted apps can't add or list hwservicemanager" into oc-dev
am: f84989e519

Change-Id: I4391c7b44d495efadf39b8f14cfccfe2d966b419
5c5b6263584e7cfe15abda0ed377113727212e6d 25-Apr-2017 Alex Klyubin <klyubin@google.com> Assert untrusted apps can't add or list hwservicemanager

This adds a neverallow rule which checks that SELinux app domains
which host arbitrary code are not allowed to access hwservicemanager
operations other than "find" operation for which there already are
strict neverallow rules in the policy.

Test: mmm system/sepolicy -- neverallow-only change
Bug: 34454312
Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7
/system/sepolicy/private/app_neverallows.te
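The entries above all describe neverallow assertions over app-domain attributes (all_untrusted_apps, untrusted_app_all) with complemented permission sets such as "everything except find". To make those semantics concrete, here is an added example that is not part of the AOSP history or of the sepolicy tooling: a toy checker, in Python, for a small subset of the .te syntax (type, attribute, typeattribute, allow, neverallow). It is not checkpolicy or secilc. The object classes and permission lists in CLASS_PERMS are assumptions trimmed to what the example needs, and the sample policy is constructed for illustration, loosely modelled on the rules this log describes; the domain and attribute names come from the commit messages, the rule bodies do not.

```python
"""Toy neverallow checker for a small subset of SELinux .te syntax.

Added example, not AOSP code. It models attribute expansion and the
'~perm' / '{ a b }' / '*' permission forms so you can see which allow
rules would trip a neverallow assertion.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed, trimmed permission lists; real access_vectors define many more.
CLASS_PERMS: Dict[str, Set[str]] = {
    "hwservice_manager": {"add", "find", "list"},
    "file": {"open", "read", "write", "getattr", "lock"},
}

RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+(.+?)\s*;$"
)

Rule = Tuple[str, str, str, Set[str], str]  # src, tgt, class, perms, text


def parse_perms(spec: str, cls: str) -> Set[str]:
    """Expand 'find', '{ add list }', '~find', '~{ find }' or '*' to a set."""
    allp = CLASS_PERMS[cls]
    negate = spec.startswith("~")
    if negate:
        spec = spec[1:].strip()
    perms = set(allp) if spec == "*" else set(spec.strip("{}").split())
    unknown = perms - allp
    if unknown:
        raise ValueError(f"unknown permissions {sorted(unknown)} for class {cls}")
    return (allp - perms) if negate else perms


def expand_types(name: str, members: Dict[str, Set[str]]) -> Set[str]:
    """An attribute expands to its member types; a plain type is itself."""
    return set(members[name]) if name in members else {name}


def load_policy(text: str):
    """Return (attribute members, allow rules, neverallow rules)."""
    members: Dict[str, Set[str]] = {}
    allows: List[Rule] = []
    nevers: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("type "):
            continue
        if line.startswith("attribute "):
            members.setdefault(line[len("attribute "):].rstrip(";").strip(), set())
            continue
        if line.startswith("typeattribute "):
            _, t, attr = line.rstrip(";").split()
            members.setdefault(attr, set()).add(t)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported statement: {line}")
        kind, src, tgt, cls, pspec = m.groups()
        rule: Rule = (src, tgt, cls, parse_perms(pspec, cls), line)
        (nevers if kind == "neverallow" else allows).append(rule)
    return members, allows, nevers


def check(policy_text: str) -> List[str]:
    """Report every allow rule that overlaps a neverallow on domains, targets,
    class and permissions, which is exactly what makes the policy build fail."""
    members, allows, nevers = load_policy(policy_text)
    violations: List[str] = []
    for nsrc, ntgt, ncls, nperms, ntext in nevers:
        ns, nt = expand_types(nsrc, members), expand_types(ntgt, members)
        for asrc, atgt, acls, aperms, atext in allows:
            if acls != ncls:
                continue
            s = expand_types(asrc, members) & ns
            t = expand_types(atgt, members) & nt
            p = aperms & nperms
            if s and t and p:
                violations.append(
                    f"{atext}  violates  {ntext}  (domains={sorted(s)}, perms={sorted(p)})"
                )
    return violations


# Constructed sample policy (not the real app_neverallows.te).
SAMPLE_POLICY = """
type hwservicemanager;
type system_file;
type untrusted_app;
type untrusted_app_25;
type untrusted_v2_app;
type ephemeral_app;
type isolated_app;
attribute untrusted_app_all;
attribute all_untrusted_apps;
typeattribute untrusted_app untrusted_app_all;
typeattribute untrusted_app_25 untrusted_app_all;
typeattribute untrusted_app all_untrusted_apps;
typeattribute untrusted_app_25 all_untrusted_apps;
typeattribute untrusted_v2_app all_untrusted_apps;
typeattribute ephemeral_app all_untrusted_apps;
typeattribute isolated_app all_untrusted_apps;
# untrusted apps may only 'find' on hwservicemanager; add/list are banned
neverallow all_untrusted_apps hwservicemanager:hwservice_manager ~find;
# no untrusted app may lock files on /system
neverallow all_untrusted_apps system_file:file lock;
allow untrusted_app_all hwservicemanager:hwservice_manager find;            # fine
allow untrusted_v2_app hwservicemanager:hwservice_manager { find list };    # list is banned
allow all_untrusted_apps system_file:file { open read getattr };            # fine
allow ephemeral_app system_file:file lock;                                  # banned
"""

if __name__ == "__main__":
    for v in check(SAMPLE_POLICY):
        print(v)
```

Running it prints two violations: the `list` grant to untrusted_v2_app (caught through its all_untrusted_apps membership, the omission the 27-Apr-2017 entry fixed) and the `lock` grant to ephemeral_app. The point of the attribute indirection is visible here: a neverallow written against all_untrusted_apps keeps covering any domain later added to that attribute without touching the rule.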
7b021be44bfbda7432c71eeaae58fe7c75aba3ec 24-Apr-2017 Alex Klyubin <klyubin@google.com> Assert apps can access only approved HwBinder services
am: 2a7f4fb069

Change-Id: Ia77557e2ef5aa124cb0d4a9e5f05300005a97bfd
2a7f4fb069a574fb9bd34acbf27ba86cd804005b 22-Apr-2017 Alex Klyubin <klyubin@google.com> Assert apps can access only approved HwBinder services

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
currently does not expose caller UID information and, even if it
did, many HwBinder services either operate at a layer below that of
apps (e.g., HALs) or must not rely on app identity for
authorization. Thus, to be safe, the default assumption is that
a HwBinder service treats all its clients as equally authorized to
perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
higher incidence rate of security issues than system/core
components and have access to lower layers of the stack (all the way
down to hardware) thus increasing opportunities for bypassing the
Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already has, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
/system/sepolicy/private/app_neverallows.te
061174fb2352dbcbab772e37744ccfdf5588227b 21-Apr-2017 Sandeep Patil <sspatil@google.com> Merge "Do not allow untrusted apps any access to kernel configuration" into oc-dev
am: 393c8e9438

Change-Id: I82e1a41e1bd5c9195b5c4c21e7aa0848bc270ee5
2da9cfdff73536d741a1d171a1b156155a4124ae 21-Apr-2017 Sandeep Patil <sspatil@google.com> Do not allow untrusted apps any access to kernel configuration

Bug: 37541374
Test: Build and boot sailfish

Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/private/app_neverallows.te
9f152d98eaab9f85993a638394f280abc98e0d79 11-Apr-2017 Jerry Zhang <zhangjerry@google.com> Split mediaprovider as a separate domain from priv_app

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
/system/sepolicy/private/app_neverallows.te
92c44a578cbcb6ec7cdf8b304f1738cc75074379 22-Mar-2017 Nick Kralevich <nnk@google.com> app.te: prevent locks of files on /system

Prevent app domains (processes spawned by zygote) from acquiring
locks on files in /system. In particular, /system/etc/xtables.lock
must never be lockable by applications, as it will block future
iptables commands from running.

Test: device boots and no obvious problems.
Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
/system/sepolicy/private/app_neverallows.te
b238fe666212ce86fe3fe1521e9692a361a53047 14-Mar-2017 Fyodor Kupolov <fkupolov@google.com> Split preloads into media_file and data_file

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
/system/sepolicy/private/app_neverallows.te
2b291121b92f44971e702929d7ae4cc7d5e35078 04-Mar-2017 Calin Juravle <calin@google.com> SElinux: Clean up code related to foreign dex use

We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
/system/sepolicy/private/app_neverallows.te
a782a816271e48e357faf93a61b4fde259da1e3b 06-Feb-2017 Chad Brubaker <cbrubaker@google.com> Add new untrusted_v2_app domain

untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
/system/sepolicy/private/app_neverallows.te
bacb6d79360f3591680b215177602dcdc3181bf3 13-Feb-2017 Jeff Vander Stoep <jeffv@google.com> untrusted_app: policy versioning based on targetSdkVersion

Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the
untrusted_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
/system/sepolicy/private/app_neverallows.te
4921085d9c7a188596914de415b3d2346ac44fda 06-Feb-2017 Stephen Smalley <sds@tycho.nsa.gov> Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.

The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/app_neverallows.te
46e5a060f66dc585f2b2319ba1f19f1c6ecc3c98 28-Jan-2017 Chad Brubaker <cbrubaker@google.com> Move neverallows from untrusted_app.te to app_neverallows.te

The neverallows in untrusted_app will all apply equally to ephemeral app
and any other untrusted app domains we may add, so this moves them to a
dedicated separate file.

This also removes the duplicate rules from isolated_app.te and ensures
that all the untrusted_app neverallows also apply to isolated_app.

Test: builds
Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
/system/sepolicy/private/app_neverallows.te