Disabling SELinux in Build Packages or Binaries
Please be aware that if a package or binary in your software build executes “setenforce 0”, it is considered as a PHA (Potentially Harmful Application) and may render the device into a state that is considered as a violation of the Android CDD section 9.7 [C-1-2] and [C-1-3] requirement(s).
SELinux is one of the critical pieces of the Android OS’s security. SELinux enforces mandatory access control (MAC) over all processes, even processes running with root/superuser privileges (a.k.a. Linux capabilities). If SELinux is disabled on Android, many Android protections are disabled: application sandboxes, preventing access to privileged functionality, and more. Partners should never be attempting to disable SELinux in their builds.
GPP (Google Play Protect) flags all apps that attempt to disable SELinux as the PHA (Potentially Harmful App) category warn_privilege_escalation [developer documentation]. This includes any binaries or apps that include code to run setenforce(permissive) or setenforce(0) API method, even if other Android protections prevent this attempt from being successful.
In the coming weeks, all software build submissions that contain a binary that disables SELinux will be automatically and systematically rejected in APFE. Apps that disable SELinux are already immediately rejected as soon as they’re detected/discovered.
Please reach out to your BD/TAM immediately with any questions on how to move forward.
Android Auto headless APK ready for beta testing
The Android Auto headless APK is ready for beta testing!
Testing instructions and link to APK are here. We’re also working on a stub APK to further reduce the space needed on the system partition in response to your feedback.
More on the stub APK in the coming weeks.
Using the vbmeta.img to disable AVB when flashing the GSI
There is an update to the fast boot instruction that should be used for disabling AVB when using vbmeta.img.
Going forward partners should use the following instruction: $ fastboot --disable-verification flash vbmeta vbmeta.img.
Using --disable-verification can let you put the special flag that is needed to disable AVB in runtime when flashing the vbmeta partition.