tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/hwservicemanager.te

33 lines
1.1 KiB
Text
Raw Normal View History

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
typeattribute hwservicemanager coredomain;
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
init_daemon_domain(hwservicemanager)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
sepolicy for lazy starting HIDL services Now hwservicemanager can send ctl.interface_start messages to init. Note that 'set_prop(ctl.*, "foo")' maps to property context for ctl.foo. Bug: 64678982 Test: hwservicemanager can start interfaces Change-Id: I9ab0bacd0c33edb0dcc4186fa0b7cc28fd8d2f30
2017-10-06 03:49:23 +02:00
Finer grained permissions for ctl. properties Currently, permissions for ctl. property apply to each action verb, so if a domain has permissions for controlling service 'foo', then it can start, stop, and restart foo. This change implements finer grainer permissions such that permission can be given to strictly start a given service, but not stop or restart it. This new permission scheme is mandatory for the new control functions, sigstop_on, sigstop_off, interface_start, interface_stop, interface_restart. Bug: 78511553 Test: see appropriate successes and failures based on permissions Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa (cherry picked from commit 2208f96e9e6264553fcc8a58b86f4f21a092468c)
2018-05-04 02:00:16 +02:00
set_prop(hwservicemanager, ctl_interface_start_prop)
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
set_prop(hwservicemanager, hwservicemanager_prop)
Allow (hw)servicemanager use bootstrap bionic Bug: 237672865 Test: m && boot Change-Id: I436cf97c4c8e852e36cd1faa9da646c9f8a4d0a4
2022-07-14 04:31:03 +02:00
# hwservicemanager is using bootstrap bionic
use_bootstrap_libs(hwservicemanager)
Allow service managers access to apex data. VintfObject will monitor for /apex directory for VINTF data. Add permissions for service managers to read this data. Bug: 239055387 Test: m && boot Change-Id: I179e008dadfcb323cde58a8a460bcfa2825a7b4f
2022-07-28 18:23:42 +02:00
# hwservicemanager is using apex_info via libvintf
use_apex_info(hwservicemanager)
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
# Note that we do not use the binder_* macros here.
# hwservicemanager provides name service (aka context manager)
# for hwbinder.
# Additionally, it initiates binder IPC calls to
# clients who request service notifications. The permission
# to do this is granted in the hwbinder_use macro.
allow hwservicemanager self:binder set_context_mgr;
# Scan through /system/lib64/hw looking for installed HALs
allow hwservicemanager system_file:dir r_dir_perms;
# Read hwservice_contexts
allow hwservicemanager hwservice_contexts_file:file r_file_perms;
# Check SELinux permissions.
selinux_check_access(hwservicemanager)
Reference in a new issue Copy permalink