platform_system_sepolicy/public/hal_telephony.te

45 lines
2.1 KiB
Text
Raw Normal View History

Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
# HwBinder IPC from client to server, and callbacks
binder_call(hal_telephony_client, hal_telephony_server)
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
allow hal_telephony_server cgroup_v2:dir create_dir_perms;
allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;
allow hal_telephony_server efs_file:file create_file_perms;
allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
# property service
get_prop(hal_telephony_server, telephony_config_prop)
set_prop(hal_telephony_server, radio_control_prop)
set_prop(hal_telephony_server, radio_prop)
set_prop(hal_telephony_server, telephony_status_prop)
allow hal_telephony_server tty_device:chr_file rw_file_perms;
# Allow hal_telephony_server to create and use netlink sockets.
allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Access to wake locks
wakelock_use(hal_telephony_server)
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
r_dir_file(hal_telephony_server, proc_net_type)
r_dir_file(hal_telephony_server, sysfs_type)
# granting the ioctl permission for hal_telephony_server should be device specific
allow hal_telephony_server self:socket create_socket_perms_no_ioctl;