# HwBinder IPC from client to server, and callbacks
# Client-to-server direction: domains carrying the hal_telephony_client
# attribute may make binder calls into hal_telephony_server domains.
binder_call(hal_telephony_client, hal_telephony_server)
# Reverse direction, so the server can call back into its clients.
binder_call(hal_telephony_server, hal_telephony_client)
# Binds the hal_telephony_hwservice type to this HAL. Presumably the macro lets
# server domains register the service and client domains look it up; confirm
# against the te_macros definition in this tree.
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
# Extended-permission rule: on the domain's own UDP sockets, the ioctl commands
# in the priv_sock_ioctls set are permitted. An allowxperm rule only selects
# commands; the base "ioctl" permission must come from a separate allow rule,
# which is not visible in this file.
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
# nlmsg_write on the domain's own NETLINK_ROUTE sockets, i.e. messages that
# change routing/interface state rather than only query it. Only nlmsg_write is
# granted by this rule; socket creation must be allowed elsewhere.
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
# module_request lets this domain cause the kernel to auto-load a module on
# demand. NOTE(review): the rule does not say which module is expected; confirm
# it is still needed, since it widens the kernel surface reachable from the HAL.
allow hal_telephony_server kernel:system module_request;
# Capabilities granted to every domain with the hal_telephony_server attribute:
# setpcap, setgid, setuid (credential changes) and net_admin, net_raw (network
# configuration and raw sockets).
# NOTE(review): this is an attribute-level grant, so each vendor implementation
# inherits all five; confirm each one is still required and that the service
# drops the credential-changing ones after start-up.
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
# Create and manage directories labelled cgroup.
allow hal_telephony_server cgroup:dir create_dir_perms;
# Files and symlinks labelled cgroup are read-only for this domain.
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
# Same directory access as for cgroup, applied to the cgroup_v2 label.
allow hal_telephony_server cgroup_v2:dir create_dir_perms;
# Files and symlinks labelled cgroup_v2 are read-only for this domain.
allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
# Read/write access to character devices labelled radio_device.
allow hal_telephony_server radio_device:chr_file rw_file_perms;
# Block devices labelled radio_device are read-only (no write permission here).
allow hal_telephony_server radio_device:blk_file r_file_perms;
# Create and manage directories labelled efs_file.
# NOTE(review): efs_file presumably holds persistent radio/provisioning data;
# confirm the HAL needs create rights rather than read-only access.
allow hal_telephony_server efs_file:dir create_dir_perms;
# Create, write and remove regular files labelled efs_file.
allow hal_telephony_server efs_file:file create_file_perms;
# Read and execute the vendor shell. No domain transition is declared in this
# file, so a shell started this way presumably keeps running in the caller's
# domain with every permission granted to it; TODO confirm no transition rule
# exists elsewhere and that the shell is still needed.
allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
# Read-only access to files labelled bluetooth_efs_file.
allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
# Read-only directory access (list/search) for the bluetooth_efs_file label.
allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
# property service
# Read-only: get_prop grants no write access to telephony_config_prop.
get_prop(hal_telephony_server, telephony_config_prop)
# Write access to radio_control_prop properties via the property service.
set_prop(hal_telephony_server, radio_control_prop)
# Write access to radio_prop properties via the property service.
set_prop(hal_telephony_server, radio_prop)
# Write access to telephony_status_prop properties via the property service.
set_prop(hal_telephony_server, telephony_status_prop)
# Read/write access to character devices labelled tty_device.
# NOTE(review): tty_device looks like a generic label; if only the modem's
# serial node is needed, a device-specific label would be tighter. Confirm.
allow hal_telephony_server tty_device:chr_file rw_file_perms;
# Allow hal_telephony_server to create and use netlink sockets.
# Generic netlink_socket class: create and use, with ioctl left out by the
# _no_ioctl macro variant.
allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
# Generic-netlink sockets: create and use, without ioctl.
allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
# Kernel uevent netlink sockets (device add/remove notifications): create and
# use, without ioctl.
allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Access to wake locks
# Lets the server acquire and release wake locks; the exact permissions come
# from the wakelock_use macro, which is defined outside this file.
wakelock_use(hal_telephony_server)
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
# Read access to directories and files of every type carrying the
# proc_net_type attribute. The change that introduced the attribute states that
# /proc/net files leak information and that privileged domains keep access
# pending later evaluation.
# NOTE(review): narrow to the specific /proc/net types once usage is known.
r_dir_file(hal_telephony_server, proc_net_type)
# Read access to every type carrying the sysfs_type attribute, i.e. all
# labelled sysfs content rather than specific nodes.
# NOTE(review): broad grant; confirm which sysfs paths the HAL actually reads
# and whether a narrower set of types would do.
r_dir_file(hal_telephony_server, sysfs_type)
# granting the ioctl permission for hal_telephony_server should be device specific
# Generic "socket" class: create and use only. ioctl is excluded by the
# _no_ioctl macro variant, so any ioctl grant has to be added by device policy.
allow hal_telephony_server self:socket create_socket_perms_no_ioctl;