Merge changes from topic 'sefiles_relabel' into oc-dev
* changes:
mac_permissions: explicitly label all mac_permissions files
sepolicy: explicitly label all sepolicy files
seapp_context: explicitly label all seapp context files
file_context: explicitly label all file context files
service_contexts: label service_contexts explicitly
prop_context: correctly label all property_context files
diff --git a/private/tee.te b/private/tee.te
index 01a52de..c29bee6 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,7 +1,5 @@
-typeattribute tee coredomain;
-
init_daemon_domain(tee)
-# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
-# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
typeattribute tee socket_between_core_and_vendor_violators;
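Review bot: Dropping `typeattribute tee coredomain;` reclassifies tee as a non-core domain, which is what makes the vendor-side neverallows in domain.te apply to it, yet nothing left in this file records that the omission is deliberate, and the file still sits under private/ beside core-only policy. A later cleanup could reinstate the attribute without noticing that it moves tee back under the core rules. A one-line comment above `init_daemon_domain(tee)`, e.g. `# tee is intentionally not a coredomain; it is treated as vendor code by the Treble neverallows`, would record the decision next to the remaining violator attribute.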
diff --git a/public/domain.te b/public/domain.te
index 2febffb..97d6a11 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -451,11 +451,11 @@
##
# On full TREBLE devices core android components and vendor components may
- # not directly access each other's data types. All communication must occur
+ # not directly access each other data types. All communication must occur
# over HW binder. Open file descriptors may be passed and read/write/stat
# operations my be performed on those FDs. Disallow all other operations.
#
- # do not allow vendor component access to coredomains' data types
+ # do not allow vendor component access to coredomains data types
neverallow {
domain
-coredomain
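Review bot: The rewritten comments drop the possessive apostrophes (`each other's`, `coredomains'`) and now read ungrammatically, so the next editor is likely to put them back. If the motivation is that the policy is run through m4, which treats an unmatched `'` inside a comment as a closing quote, a short note would prevent that regression, e.g. `# NOTE: avoid apostrophes in comments; m4 treats ' as a quote character`. The neverallow block that begins at the end of this hunk continues past the visible lines.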
@@ -464,7 +464,7 @@
} core_data_file_type:{
file_class_set
} ~{ append getattr ioctl read write };
- # do not allow vendor component access to coredomains' data directories.
+ # do not allow vendor component access to coredomains data directories.
# /data has the system_data_file type. Allow all domains to have dir
# search permissions which allows path traversal.
neverallow {
@@ -656,10 +656,17 @@
# respect system_app sandboxes
neverallow {
domain
- -system_app # its own sandbox
+ -appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
# Services should respect app sandboxes
neverallow {
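Review bot: Replacing `-system_app` with `-appdomain` in the first neverallow and re-listing only isolated_app, untrusted_app_all, ephemeral_app and priv_app in the second leaves any other appdomain member, such as platform_app or anything declared through app_domain() if present in this tree, free to create/unlink/open system_app_data_file, and any app domain added later is uncovered by default. If specific app domains are meant to be exempt, the fail-closed form is to keep `domain` in the first rule and name them, e.g. `-platform_app # <reason>`, so new app domains stay restricted unless listed. The comment `untrusted_app_all # finer-grained rules for appdomain are listed below` sits on the very rule it points to and reads as a copy of the one above; drop it or say why these four domains are denied while other app domains are not. The "Services should respect app sandboxes" neverallow at the end of the hunk continues outside the visible lines.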
diff --git a/public/file.te b/public/file.te
index c19005d..d7a82bc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -180,7 +180,7 @@
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tee_data_file, file_type, data_file_type, core_data_file_type;
+type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
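Review bot: Removing core_data_file_type from tee_data_file takes these files out of the domain.te neverallow that bars non-coredomain domains from core data, so any vendor domain may now be granted access to them, and the declaration no longer says which side of the Treble boundary they belong to. Since the type is the only one in this run of core_data_file_type declarations without the attribute, a comment would stop it being re-added by a consistency pass, e.g. `# tee_data_file is vendor-owned data (tee is not a coredomain), hence not core_data_file_type`; whether the directory should also move under /data/vendor is presumably tracked elsewhere and worth referencing here if so.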
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index 5e66c8a..d50812c 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,6 @@
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
allow hal_keymaster tee:unix_stream_socket connectto;
allow hal_keymaster ion_device:chr_file r_file_perms;
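Review bot: Deleting the TODO leaves `allow hal_keymaster tee:unix_stream_socket connectto;` as an undocumented Unix-socket channel between the Keymaster HAL and the tee daemon, with no bug reference to explain why it is now acceptable. If the reason is that tee is no longer a coredomain, so the socket no longer crosses the core/vendor boundary, a one-line comment should say so, e.g. `# tee is a vendor-side domain, so this socket does not cross the core/vendor boundary`, otherwise the rule will look like an unreviewed exception the next time the violator attributes are audited.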
diff --git a/public/tee.te b/public/tee.te
index 4524281..84e6492 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -13,5 +13,8 @@
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
allow tee ion_device:chr_file r_file_perms;
r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
allow tee system_data_file:file { getattr read };
allow tee system_data_file:lnk_file r_file_perms;
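Review bot: The new TODO marks tee as a coredata_in_vendor_violator but does not name the files it still needs, while the rules it excuses grant read on every `system_data_file:file`, so the exception cannot be narrowed or retired without re-investigating. The comment should read `# TODO(b/36720355): Remove this once tee no longer accesses non-vendor files` and, if known, list the specific paths under /data that tee reads so the access can be moved to a dedicated type or to /data/vendor. The broad system_data_file allow rules are pre-existing context, not part of this change.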
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index c779711..ad1762f 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -7,8 +7,6 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
-# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
-typeattribute hal_drm_default socket_between_core_and_vendor_violators;
# TODO (b/36601695) remove hal_drm's access to /data or move to
# /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
# attribute.
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 2fd5b44..32df262 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,6 +3,3 @@
type hal_keymaster_default_exec, exec_type, file_type;
init_daemon_domain(hal_keymaster_default)
-
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
-typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;