Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
Showing
- Android.mk 4 additions, 0 deletionsAndroid.mk
- private/adbd.te 1 addition, 0 deletionsprivate/adbd.te
- private/atrace.te 1 addition, 1 deletionprivate/atrace.te
- private/audioserver.te 2 additions, 0 deletionsprivate/audioserver.te
- private/binder_in_vendor_violators.te 1 addition, 0 deletionsprivate/binder_in_vendor_violators.te
- private/blkid.te 2 additions, 0 deletionsprivate/blkid.te
- private/blkid_untrusted.te 2 additions, 0 deletionsprivate/blkid_untrusted.te
- private/bluetooth.te 1 addition, 0 deletionsprivate/bluetooth.te
- private/bootanim.te 2 additions, 2 deletionsprivate/bootanim.te
- private/bootstat.te 2 additions, 2 deletionsprivate/bootstat.te
- private/bufferhubd.te 2 additions, 0 deletionsprivate/bufferhubd.te
- private/cameraserver.te 2 additions, 2 deletionsprivate/cameraserver.te
- private/charger.te 1 addition, 0 deletionsprivate/charger.te
- private/clatd.te 1 addition, 0 deletionsprivate/clatd.te
- private/cppreopts.te 2 additions, 2 deletionsprivate/cppreopts.te
- private/crash_dump.te 1 addition, 0 deletionsprivate/crash_dump.te
- private/dex2oat.te 1 addition, 0 deletionsprivate/dex2oat.te
- private/dexoptanalyzer.te 1 addition, 1 deletionprivate/dexoptanalyzer.te
- private/dhcp.te 2 additions, 2 deletionsprivate/dhcp.te
- private/dnsmasq.te 1 addition, 0 deletionsprivate/dnsmasq.te
private/binder_in_vendor_violators.te
0 → 100644
private/charger.te
0 → 100644
private/clatd.te
0 → 100644
private/crash_dump.te
0 → 100644
private/dex2oat.te
0 → 100644
private/dnsmasq.te
0 → 100644
Please register or sign in to comment