Remove levelFrom=none from vendor apps.
(This is the same as https://r.android.com/1458479, for
crosshatch-sepolicy, but with minor modifications due to different
base policy. I've checked again that these changes should be safe with
the local sepolicy and updated the explanation below.)
Set levelFrom=user or levelFrom=all explicitly on the apps that were
implicitly using levelFrom=none before. This provides better isolation
for app data files and unblocks future policy changes.
These changes should be safe even if the apps create files with
their new level:
- ssr_detector_app has write access to system_app_data_file and
cgroup, but they are mlstrustedobject.
- data_service_app has write access to system_app_data_file, but it is
mlstrustedobject.
- ril_config_service_app has write access to vendor_radio_data_file,
but it is mlstrustedobject.
- timeservice_app connects to time_daemon:unix_stream_socket, but it
is mlstrustedsubject.
Test: presubmits
Bug: 170622707
Change-Id: I70e0c6f43bd50dc7933e39f123f1232d9b4c6fa1
diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts
index 9736cf5..e8d550f 100644
--- a/vendor/google/seapp_contexts
+++ b/vendor/google/seapp_contexts
@@ -1,5 +1,5 @@
# Domain for Ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
# Domain for grilservice
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index a0c9524..6871b88 100644
--- a/vendor/qcom/common/seapp_contexts
+++ b/vendor/qcom/common/seapp_contexts
@@ -1,11 +1,11 @@
#TODO(b/126137625): moving dataservice app from system to radio process
#user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file
-user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file
+user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file levelFrom=user
# Hardware Info Collection
user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
-user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
+user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all
user=_app seinfo=platform name=.qtidataservices domain=qtidataservices_app type=app_data_file levelFrom=all
@@ -24,7 +24,7 @@
user=_app seinfo=googlepulse name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
#Needed for time service apk
-user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file levelFrom=all
#Add new domain for ims app
user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=qtelephony type=app_data_file levelFrom=all
