Restrict access to ro.serialno and ro.boot.serialno
This restricts access to ro.serialno and ro.boot.serialno, the two system properties which contain the device's serial number, to a select few SELinux domains which need the access. In particular, this removes access to these properties from Android apps. Apps can access the serial number via the public android.os.Build API. System properties are not public API for apps.

The reason for the restriction is that serial number is a globally unique identifier which cannot be reset by the user. Thus, it can be used as a super-cookie by apps. Apps need to wean themselves off of identifiers not resettable by the user.

Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome

Test: Access the device via ADB (ADBD exposes serial number)

Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo

Bug: 31402365

Bug: 33700679

Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
Changed files:
- private/property_contexts (2 additions, 0 deletions)
- public/adbd.te (3 additions, 0 deletions)
- public/domain.te (12 additions, 0 deletions)
- public/dumpstate.te (3 additions, 0 deletions)
- public/mediadrmserver.te (3 additions, 0 deletions)
- public/property.te (1 addition, 0 deletions)
- public/recovery.te (3 additions, 0 deletions)
- public/system_server.te (3 additions, 0 deletions)