platform_system_sepolicy/public/hal_configstore.te

65 lines
2.4 KiB
Text
Raw Normal View History

# HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
# As opposed to the rules of most other HALs, the different services exposed by
# this HAL should be restricted to different clients. Thus, the allow rules for
# clients are defined in the .te files of the clients.
# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
crash_dump_fallback(hal_configstore_server)
###
### neverallow rules
###
# Should never execute an executable without a domain transition
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
# Should never need network access. Disallow sockets except for
# for unix stream/dgram sockets used for logging/debugging.
neverallow hal_configstore_server domain:{
rawip_socket tcp_socket udp_socket
netlink_route_socket netlink_selinux_socket
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket
} *;
neverallow hal_configstore_server {
domain
-hal_configstore_server
-logd
userdebug_or_eng(`-su')
-tombstoned
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
neverallow hal_configstore_server {
data_file_type
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
-zoneinfo_data_file # granted to domain
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;
# No privileged capabilities
neverallow hal_configstore_server self:capability_class_set *;
# No ptracing other processes
neverallow hal_configstore_server *:process ptrace;
# no relabeling
neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };