diff options
| -rw-r--r-- | prebuilts/api/29.0/private/app.te | 16 | ||||
| -rw-r--r-- | prebuilts/api/29.0/private/priv_app.te | 6 | ||||
| -rw-r--r-- | prebuilts/api/29.0/private/untrusted_app_all.te | 6 | ||||
| -rw-r--r-- | private/app.te | 16 | ||||
| -rw-r--r-- | private/priv_app.te | 6 | ||||
| -rw-r--r-- | private/untrusted_app_all.te | 6 |
6 files changed, 32 insertions, 24 deletions
diff --git a/prebuilts/api/29.0/private/app.te b/prebuilts/api/29.0/private/app.te index 0d9a2b46..7f06d29e 100644 --- a/prebuilts/api/29.0/private/app.te +++ b/prebuilts/api/29.0/private/app.te @@ -2,6 +2,22 @@ # the implementation of ActivityManager.isDeviceInTestHarnessMode() get_prop(appdomain, test_harness_prop) +# Prevent apps from causing presubmit failures. +# Apps can cause selinux denials by accessing CE storage +# and/or external storage. In either case, the selinux denial is +# not the cause of the failure, but just a symptom that +# storage isn't ready. Many apps handle the failure appropriately. +# +# Apps cannot access external storage before it becomes available. +dontaudit appdomain storage_stub_file:dir getattr; +# Attempts to write to system_data_file is generally a sign +# that apps are attempting to access encrypted storage before +# the ACTION_USER_UNLOCKED intent is delivered. Apps are not +# allowed to write to CE storage before it's available. +# Attempting to do so will be blocked by both selinux and unix +# permissions. +dontaudit appdomain system_data_file:dir write; + neverallow appdomain system_server:udp_socket { accept append bind create ioctl listen lock name_bind relabelfrom relabelto setattr shutdown }; diff --git a/prebuilts/api/29.0/private/priv_app.te b/prebuilts/api/29.0/private/priv_app.te index ab3847b4..1bff418e 100644 --- a/prebuilts/api/29.0/private/priv_app.te +++ b/prebuilts/api/29.0/private/priv_app.te @@ -186,12 +186,6 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read; allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt }; -# Attempts to write to system_data_file is generally a sign -# that apps are attempting to access encrypted storage before -# the ACTION_USER_UNLOCKED intent is delivered. Suppress this -# denial to prevent apps from spamming the logs. -dontaudit priv_app system_data_file:dir write; - ### ### neverallow rules ### diff --git a/prebuilts/api/29.0/private/untrusted_app_all.te b/prebuilts/api/29.0/private/untrusted_app_all.te index 3c20c082..89fb6cb2 100644 --- a/prebuilts/api/29.0/private/untrusted_app_all.te +++ b/prebuilts/api/29.0/private/untrusted_app_all.te @@ -173,12 +173,6 @@ dontaudit untrusted_app_all proc_uptime:file read; # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm create_pty(untrusted_app_all) -# Attempts to write to system_data_file is generally a sign -# that apps are attempting to access encrypted storage before -# the ACTION_USER_UNLOCKED intent is delivered. Suppress this -# denial to prevent third party apps from spamming the logs. -dontaudit untrusted_app_all system_data_file:dir write; - # Allow access to kcov via its ioctl interface for coverage # guided kernel fuzzing. userdebug_or_eng(` diff --git a/private/app.te b/private/app.te index 0d9a2b46..7f06d29e 100644 --- a/private/app.te +++ b/private/app.te @@ -2,6 +2,22 @@ # the implementation of ActivityManager.isDeviceInTestHarnessMode() get_prop(appdomain, test_harness_prop) +# Prevent apps from causing presubmit failures. +# Apps can cause selinux denials by accessing CE storage +# and/or external storage. In either case, the selinux denial is +# not the cause of the failure, but just a symptom that +# storage isn't ready. Many apps handle the failure appropriately. +# +# Apps cannot access external storage before it becomes available. +dontaudit appdomain storage_stub_file:dir getattr; +# Attempts to write to system_data_file is generally a sign +# that apps are attempting to access encrypted storage before +# the ACTION_USER_UNLOCKED intent is delivered. Apps are not +# allowed to write to CE storage before it's available. +# Attempting to do so will be blocked by both selinux and unix +# permissions. +dontaudit appdomain system_data_file:dir write; + neverallow appdomain system_server:udp_socket { accept append bind create ioctl listen lock name_bind relabelfrom relabelto setattr shutdown }; diff --git a/private/priv_app.te b/private/priv_app.te index ab3847b4..1bff418e 100644 --- a/private/priv_app.te +++ b/private/priv_app.te @@ -186,12 +186,6 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read; allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt }; -# Attempts to write to system_data_file is generally a sign -# that apps are attempting to access encrypted storage before -# the ACTION_USER_UNLOCKED intent is delivered. Suppress this -# denial to prevent apps from spamming the logs. -dontaudit priv_app system_data_file:dir write; - ### ### neverallow rules ### diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te index 3c20c082..89fb6cb2 100644 --- a/private/untrusted_app_all.te +++ b/private/untrusted_app_all.te @@ -173,12 +173,6 @@ dontaudit untrusted_app_all proc_uptime:file read; # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm create_pty(untrusted_app_all) -# Attempts to write to system_data_file is generally a sign -# that apps are attempting to access encrypted storage before -# the ACTION_USER_UNLOCKED intent is delivered. Suppress this -# denial to prevent third party apps from spamming the logs. -dontaudit untrusted_app_all system_data_file:dir write; - # Allow access to kcov via its ioctl interface for coverage # guided kernel fuzzing. userdebug_or_eng(` |