PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2456c37021
android_system_sepolicy/private/system_app.te

143 lines
3.8 KiB
Plaintext
Raw Normal View History

Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings. These are not as privileged as the system
### server.
###
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 14:27:32 -07:00
typeattribute system_app coredomain;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 11:23:34 -08:00
app_domain(system_app)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
net_domain(system_app)
binder_service(system_app)
domain_deprecated: remove rootfs access Grant audited permissions collected in logs. tcontext=platform_app avc: granted { getattr } for comm=496E666C6174657254687265616420 path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=system_app avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=update_engine avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0" ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file Bug: 28760354 Test: build Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
2017-07-10 20:39:50 -07:00
# android.ui and system.ui
allow system_app rootfs:dir getattr;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Read icon file.
allow system_app icon_file:file r_file_perms;
# Write to properties
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-08 20:07:32 -07:00
set_prop(system_app, bluetooth_a2dp_offload_prop)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-08 20:07:32 -07:00
set_prop(system_app, exported_bluetooth_prop)
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 00:54:49 -07:00
set_prop(system_app, exported_system_prop)
set_prop(system_app, exported2_system_prop)
set_prop(system_app, exported3_system_prop)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 00:54:49 -07:00
set_prop(system_app, exported_system_radio_prop)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 00:54:49 -07:00
auditallow system_app exported_system_radio_prop:property_service set;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
# ctl interface
set_prop(system_app, ctl_default_prop)
set_prop(system_app, ctl_bugreport_prop)
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
Statsd allow shell in selinux policy CTS tests need to be able to call, from hostside: adb shell cmd stats dump-report (and others) On a user build, this will fail because of an selinux policy violation from shell. This cl fixes this by granting shell permission. Similarly, Settings needs to communicate with statsd, so system_app-statsd binder calls are given permission. Bug: 72961153 Bug: 73255014 Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests Test: manual confirmation Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
2018-02-13 09:33:36 -08:00
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
Add incident command and incidentd daemon se policy. Test: adb shell incident Bug: 31122534 Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906
2016-11-20 23:23:04 -08:00
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
Game Driver: sepolicy update for plumbing GpuStats into GpuService Allow all the app process with GUI to send GPU health metrics stats to GpuService during the GraphicsEnvironment setup stage for the process. Bug: 123529932 Test: Build, flash and boot. No selinux denials. Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
2019-02-07 15:00:55 -08:00
# Allow system apps to interact with gpuservice
binder_call(system_app, gpuservice)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
allow system_app {
service_manager_type
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 00:35:42 -07:00
-apex_service
Add sepolicy for resolver service Bug: 126141549 Test: built, flashed, booted Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-02-25 04:12:15 -08:00
-dnsresolver_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-dumpstate_service
-installd_service
iorapd: Add new binder service iorapd. This daemon is very locked down. Only system_server can access it. Bug: 72170747 Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-05 14:48:29 -07:00
-iorapd_service
Add sepolicy for IpMemoryStoreService Bug: 116512211 Test: Builds, boots, including upcoming changes needing this Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
2018-12-04 21:47:51 -08:00
-ipmemorystore_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-netd_service
Restrict access to suspend control Test: m selinux_policy Change-Id: Ieccfd2aa059da065ace4f2db1b9634c52dd2cb24
2019-02-07 13:29:39 -08:00
-system_suspend_control_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-virtual_touchpad_service
-vold_service
-vr_hwc_service
}:service_manager find;
system_app: suppress denials for disallowed services Dontaudit denials for services that system_app may not use due to neverallow assertions. Bug: 67779088 Test: build Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72
2017-10-13 13:33:46 -07:00
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
Add sepolicy for resolver service Bug: 126141549 Test: built, flashed, booted Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-02-25 04:12:15 -08:00
dnsresolver_service
system_app: suppress denials for disallowed services Dontaudit denials for services that system_app may not use due to neverallow assertions. Bug: 67779088 Test: build Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72
2017-10-13 13:33:46 -07:00
dumpstate_service
installd_service
iorapd: Add new binder service iorapd. This daemon is very locked down. Only system_server can access it. Bug: 72170747 Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-05 14:48:29 -07:00
iorapd_service
system_app: suppress denials for disallowed services Dontaudit denials for services that system_app may not use due to neverallow assertions. Bug: 67779088 Test: build Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72
2017-10-13 13:33:46 -07:00
netd_service
virtual_touchpad_service
vold_service
vr_hwc_service
}:service_manager find;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
allow system_app keystore:keystore_key {
get_state
get
insert
delete
exist
list
reset
password
lock
unlock
is_empty
sign
verify
grant
duplicate
clear_uid
user_changed
};
Remove proc and sysfs access from system_app and platform_app. Bug: 65643247 Test: manual Test: browse internet Test: take a picture Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-10 12:51:51 -08:00
# settings app reads /proc/version
Allow system settings to read /proc/version Used to display kernel version in settings app. avc: denied { read } for name="version" dev="proc" scontext=u:r:system_app:s0 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0 Bug: 66985744 Test: kernel version now displayed in settings app. Change-Id: I53f92f63362b900347fd393a40d70ccf5d220d30
2017-09-27 12:27:03 -07:00
allow system_app {
proc_version
}:file r_file_perms;
domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
2017-07-25 16:43:49 -07:00
Constrain cgroups access. What changed: - Removed cgroup access from untrusted and priv apps. - Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup. - libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups. - For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively. Changes from original aosp/692189 which was reverted: - There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it. Bug: 110043362 Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that. Test: aosp_sailfish, wahoo boot without cgroup denials This reverts commit cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a. Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-10 15:48:15 -07:00
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
control_logd(system_app)
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-07 15:11:39 -08:00
read_runtime_log_tags(system_app)
Allow system apps to read log props. This is needed to allow system apps to know whether security logging is enabled, so that they can in this case log additional audit events. Test: logged a security event from locally modified KeyChain app. Bug: 70886042 Change-Id: I9e18d59d72f40510f81d1840e4ac76a654cf6cbd
2018-01-18 09:22:28 -08:00
get_prop(system_app, device_logging_prop)
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:40:48 -07:00
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-14 18:20:30 -08:00
# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
Allow getsockopt and setsockopt for Encap Sockets Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-03-27 06:34:54 -07:00
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-14 18:20:30 -08:00
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:40:48 -07:00
###
### Neverallow rules
###
# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
Reference in New Issue Copy Permalink