sepolicy: Replace vendor label DMA-BUF system heap

AOSP now restricts coredomains from accessing DMA-BUF heaps outside of
"system" and "system-secure". This extends to some domains contained
in {app - isolated_app}. So, restrict the set of apps that can access
our system heap to {app - isolated_app - coredomain}.

Separately, mark the vendor DMA-BUF heap devices with the
dmabuf_heap_device_type attribute - all DMA-BUF heap devices must be
given this attribute, so as to enforce the constraint that only
approved heaps can be accessed by framework processes.

Change-Id: Ib06edaa633e6163c3983cbf726ef93756a661347
Chris Goldsworthy 2021-01-28 11:07:09 -08:00
parent 028782e45f
commit 42cf4910cf
3 changed files with 14 additions and 17 deletions


@ -35,6 +35,6 @@ get_prop(appdomain, vendor_adsprpc_prop)
allow appdomain vendor_npu_device:chr_file r_file_perms;
# Allow all apps to access /dev/dma_heap/qcom,system
allow { appdomain -isolated_app } vendor_dmabuf_system_heap_device:chr_file r_file_perms;
allow { appdomain -isolated_app -coredomain } vendor_dmabuf_system_heap_device:chr_file r_file_perms;
dontaudit appdomain vendor_hal_qspmhal_hwservice:hwservice_manager find;
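Review bot: The comment directly above the new rule, `# Allow all apps to access /dev/dma_heap/qcom,system`, is now inaccurate: the rule excludes isolated_app and every coredomain app domain, so it should read `# Allow non-isolated, non-coredomain apps to access /dev/dma_heap/qcom,system`. Any app type that is coredomain on this tree (presumably platform_app/system_app, to be confirmed) and previously allocated from this heap will now get a runtime denial rather than a build-time error, which is the intended effect of the AOSP restriction but worth stating in the comment so the denial is not mistaken for a regression. The remaining appdomain rules in this file are outside the hunk.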


@ -46,19 +46,19 @@ type vendor_modem_efs_partition_device, dev_type;
type vendor_mdtp_device, dev_type;
type vendor_persist_block_device, dev_type;
type vendor_dmabuf_system_heap_device, dev_type, mlstrustedobject;
type vendor_dmabuf_secure_pixel, dev_type;
type vendor_dmabuf_secure_non_pixel, dev_type;
type vendor_dmabuf_adsp_heap_device, dev_type;
type vendor_dmabuf_secure_cdsp_heap_device, dev_type;
type vendor_dmabuf_sp_hlos_heap_device, dev_type;
type vendor_dmabuf_secure_sp_modem_heap_device, dev_type;
type vendor_dmabuf_secure_sp_tz_heap_device, dev_type;
type vendor_dmabuf_user_contig_heap_device, dev_type;
type vendor_dmabuf_qseecom_heap_device, dev_type;
type vendor_dmabuf_qseecom_ta_heap_device, dev_type;
type vendor_dmabuf_display_heap_device, dev_type;
type vendor_dmabuf_audio_ml_heap_device, dev_type;
type vendor_dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type vendor_dmabuf_secure_pixel, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_secure_non_pixel, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_adsp_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_secure_cdsp_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_sp_hlos_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_secure_sp_modem_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_secure_sp_tz_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_user_contig_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_qseecom_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_qseecom_ta_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_display_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_dmabuf_audio_ml_heap_device, dmabuf_heap_device_type, dev_type;
type vendor_membuf_dev, dev_type;
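Review bot: The invariant the commit message relies on — every DMA-BUF heap device type must carry dmabuf_heap_device_type so that the AOSP neverallow restricting coredomain to the system/system-secure heaps actually matches it — is not recorded in the file, so a future heap type declared as plain dev_type would escape that neverallow without any build error. Add a comment above the first vendor_dmabuf_* declaration: `# Every DMA-BUF heap device type must carry dmabuf_heap_device_type; the AOSP coredomain heap neverallow only matches types with this attribute.` The last line leaves vendor_membuf_dev as dev_type only; if /dev/membuf is exposed as a dma_heap node it needs the attribute as well, otherwise it is fine as is. Whether the matching file_contexts entries label the /dev/dma_heap/ nodes with these types cannot be verified from this hunk.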


@ -31,9 +31,6 @@ binder_call(system_server, hal_camera_default)
binder_call(system_server, hal_graphics_composer)
# Access to /dev/dma_heap/qcom,system
allow system_server vendor_dmabuf_system_heap_device:chr_file r_file_perms;
# vendor_location
binder_call(system_server, vendor_location);
allow system_server vendor_wlan_device:chr_file rw_file_perms;