From 80c26d25240fc9923e7dce8ed30e71a442a206f4 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Mon, 21 Aug 2023 17:31:29 +0900
Subject: [PATCH] Start tracking vendor seapp coredomain violations

As part of Treble, enforce that vendor's seapp_contexts can't label apps using coredomains. Apps installed to system/system_ext/product should be labeled with platform side sepolicy. This change marks violating domains that need to be fixed.

Bug: 296512193
Test: build oriole and see build log
Change-Id: I7d5b91014362a64f3d66b3913d4d1bc773d922c8
---
 ambient/exo_app.te | 3 +++
 whitechapel/vendor/google/con_monitor.te | 3 +++
 whitechapel/vendor/google/hbmsvmanager_app.te | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/ambient/exo_app.te b/ambient/exo_app.te
index 3a88eebb..9b4fd0b6 100644
--- a/ambient/exo_app.te
+++ b/ambient/exo_app.te
@@ -1,5 +1,8 @@
 type exo_app, coredomain, domain;
+# TODO(b/296512193): move exo_app out of vendor sepolicy
+typeattribute exo_app vendor_seapp_assigns_coredomain_violators;
+
 app_domain(exo_app)
 net_domain(exo_app)
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
index 8695ccaa..ab17c826 100644
--- a/whitechapel/vendor/google/con_monitor.te
+++ b/whitechapel/vendor/google/con_monitor.te
@@ -1,6 +1,9 @@
 # ConnectivityMonitor app
 type con_monitor_app, domain, coredomain;
+# TODO(b/296512193): move con_monitor_app out of vendor sepolicy
+typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators;
+
 app_domain(con_monitor_app)
 set_prop(con_monitor_app, radio_prop)
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
index b7058090..2acbaa8a 100644
--- a/whitechapel/vendor/google/hbmsvmanager_app.te
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
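Review bot: The new `typeattribute exo_app vendor_seapp_assigns_coredomain_violators;` turns the Treble build failure into an accepted exemption, but the TODO above it only says "move exo_app out of vendor sepolicy", so a later reader cannot tell whether removing the attribute alone is the fix. Per the commit description the violation is that a coredomain type is assigned from vendor seapp_contexts, so presumably both this type definition and its matching seapp_contexts entry (not visible in the hunk) have to move to platform-side sepolicy before the attribute can be dropped. I would make the comment say that: `# TODO(b/296512193): exo_app is a coredomain labeled from vendor seapp_contexts; move the type and its seapp_contexts entry to platform sepolicy, then drop this typeattribute.` The attribute itself is presumably declared in platform public policy, so this line only compiles against a platform policy that already defines it; worth confirming if this directory is ever built against an older platform.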
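Review bot: The context line `set_prop(con_monitor_app, radio_prop)` just below the new lines shows con_monitor_app carries a platform property grant that has to migrate together with the type, and the added TODO does not mention it. Once the type is defined in platform policy instead of here, that grant will be subject to whatever restrictions system/sepolicy places on writers of radio_prop, so it is worth checking that an app domain may still set it before the move rather than discovering it afterwards. I would note this in the comment, e.g. `# TODO(b/296512193): move con_monitor_app out of vendor sepolicy; its radio_prop set_prop grant must move too and be re-checked against platform neverallows.`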
@@ -1,5 +1,8 @@
 type hbmsvmanager_app, domain, coredomain;
+# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy
+typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators;
+
 app_domain(hbmsvmanager_app);
 allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;