2012-01-04 18:33:27 +01:00
|
|
|
######################################
|
|
|
|
# Attribute declarations
|
|
|
|
#
|
|
|
|
|
|
|
|
# All types used for devices.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# in tools/checkfc.c
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute dev_type;
|
|
|
|
|
|
|
|
# All types used for processes.
|
|
|
|
attribute domain;
|
|
|
|
|
2015-11-03 18:54:39 +01:00
|
|
|
# Temporary attribute used for migrating permissions out of domain.
|
|
|
|
# Motivation: Domain is overly permissive. Start removing permissions
|
|
|
|
# from domain and assign them to the domain_deprecated attribute.
|
|
|
|
# Domain_deprecated and domain can initially be assigned to all
|
|
|
|
# domains. The goal is to not assign domain_deprecated to new domains
|
|
|
|
# and to start removing domain_deprecated where it's not required or
|
|
|
|
# reassigning the appropriate permissions to the inheriting domain
|
|
|
|
# when necessary.
|
|
|
|
attribute domain_deprecated;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types used for filesystems.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute fs_type;
|
|
|
|
|
2014-05-30 14:49:51 +02:00
|
|
|
# All types used for context= mounts.
|
|
|
|
attribute contextmount_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types used for files that can exist on a labeled fs.
|
|
|
|
# Do not use for pseudo file types.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute file_type;
|
|
|
|
|
|
|
|
# All types used for domain entry points.
|
|
|
|
attribute exec_type;
|
|
|
|
|
|
|
|
# All types used for /data files.
|
|
|
|
attribute data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
# All types in /data, not in /data/vendor
|
|
|
|
attribute core_data_file_type;
|
|
|
|
# All vendor domains which violate the requirement of not accessing
|
|
|
|
# data outside /data/vendor.
|
|
|
|
# TODO(b/34980020): Remove this once there are no violations
|
|
|
|
attribute coredata_in_vendor_violators;
|
2017-03-30 00:50:32 +02:00
|
|
|
# All core domains which violate the requirement of not accessing vendor
|
|
|
|
# owned data.
|
|
|
|
# TODO(b/34980020): Remove this once there are no violations
|
|
|
|
attribute vendordata_in_core_violators;
|
2012-01-04 18:33:27 +01:00
|
|
|
|
|
|
|
# All types use for sysfs files.
|
|
|
|
attribute sysfs_type;
|
|
|
|
|
2015-12-08 02:02:31 +01:00
|
|
|
# All types use for debugfs files.
|
|
|
|
attribute debugfs_type;
|
|
|
|
|
2013-03-07 01:26:36 +01:00
|
|
|
# Attribute used for all sdcards
|
|
|
|
attribute sdcard_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types used for nodes/hosts.
|
|
|
|
attribute node_type;
|
|
|
|
|
|
|
|
# All types used for network interfaces.
|
|
|
|
attribute netif_type;
|
|
|
|
|
|
|
|
# All types used for network ports.
|
|
|
|
attribute port_type;
|
|
|
|
|
2012-04-04 16:11:16 +02:00
|
|
|
# All types used for property service
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_PC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-04-04 16:11:16 +02:00
|
|
|
attribute property_type;
|
|
|
|
|
2015-12-08 23:45:50 +01:00
|
|
|
# All properties defined in core SELinux policy. Should not be
|
|
|
|
# used by device specific properties
|
|
|
|
attribute core_property_type;
|
|
|
|
|
2016-04-15 20:10:06 +02:00
|
|
|
# All properties used to configure log filtering.
|
|
|
|
attribute log_property_type;
|
|
|
|
|
2015-04-09 00:12:24 +02:00
|
|
|
# All service_manager types created by system_server
|
2015-04-03 01:50:08 +02:00
|
|
|
attribute system_server_service;
|
|
|
|
|
|
|
|
# services which should be available to all but isolated apps
|
|
|
|
attribute app_api_service;
|
|
|
|
|
Start locking down access to services from ephemeral apps
This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.
Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-02-28 22:59:06 +01:00
|
|
|
# services which should be available to all ephemeral apps
|
|
|
|
attribute ephemeral_app_api_service;
|
|
|
|
|
2015-04-03 01:50:08 +02:00
|
|
|
# services which export only system_api
|
|
|
|
attribute system_api_service;
|
2014-12-17 00:45:26 +01:00
|
|
|
|
2014-06-06 00:52:02 +02:00
|
|
|
# All types used for services managed by service_manager.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_SC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2014-06-06 00:52:02 +02:00
|
|
|
attribute service_manager_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All domains that can override MLS restrictions.
|
|
|
|
# i.e. processes that can read up and write down.
|
|
|
|
attribute mlstrustedsubject;
|
|
|
|
|
|
|
|
# All types that can override MLS restrictions.
|
|
|
|
# i.e. files that can be read by lower and written by higher
|
|
|
|
attribute mlstrustedobject;
|
|
|
|
|
|
|
|
# All domains used for apps.
|
|
|
|
attribute appdomain;
|
|
|
|
|
2017-02-13 22:33:27 +01:00
|
|
|
# All third party apps.
|
|
|
|
attribute untrusted_app_all;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All domains used for apps with network access.
|
|
|
|
attribute netdomain;
|
|
|
|
|
|
|
|
# All domains used for apps with bluetooth access.
|
|
|
|
attribute bluetoothdomain;
|
|
|
|
|
|
|
|
# All domains used for binder service domains.
|
|
|
|
attribute binderservicedomain;
|
2016-04-22 22:23:36 +02:00
|
|
|
|
2016-08-04 05:31:37 +02:00
|
|
|
# update_engine related domains that need to apply an update and run
|
|
|
|
# postinstall. This includes the background daemon and the sideload tool from
|
|
|
|
# recovery for A/B devices.
|
|
|
|
attribute update_engine_common;
|
2016-11-15 19:05:55 +01:00
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
# All core domains (as opposed to vendor/device-specific domains)
|
|
|
|
attribute coredomain;
|
|
|
|
|
2017-03-31 02:39:00 +02:00
|
|
|
# All socket devices owned by core domain components
|
|
|
|
attribute coredomain_socket;
|
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
# All vendor domains which violate the requirement of not using Binder
|
|
|
|
# TODO(b/35870313): Remove this once there are no violations
|
|
|
|
attribute binder_in_vendor_violators;
|
|
|
|
|
2017-03-25 00:07:35 +01:00
|
|
|
# All vendor domains which violate the requirement of not using sockets for
|
|
|
|
# communicating with core components
|
|
|
|
# TODO(b/36577153): Remove this once there are no violations
|
|
|
|
attribute socket_between_core_and_vendor_violators;
|
|
|
|
|
2017-02-13 23:40:49 +01:00
|
|
|
# All HAL servers
|
|
|
|
attribute halserverdomain;
|
|
|
|
# All HAL clients
|
|
|
|
attribute halclientdomain;
|
2017-01-11 00:54:25 +01:00
|
|
|
|
2016-11-15 19:05:55 +01:00
|
|
|
# HALs
|
2017-03-18 00:51:56 +01:00
|
|
|
attribute hal_allocator;
|
|
|
|
attribute hal_allocator_client;
|
|
|
|
attribute hal_allocator_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_audio;
|
2017-02-13 23:40:49 +01:00
|
|
|
attribute hal_audio_client;
|
|
|
|
attribute hal_audio_server;
|
2016-10-12 23:49:56 +02:00
|
|
|
attribute hal_bluetooth;
|
Switch Bluetooth HAL policy to _client/_server
This switches Bluetooth HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.
Domains which are clients of Bluetooth HAL, such as bluetooth domain,
are granted rules targeting hal_bluetooth only when the Bluetooth HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bluetooth are not granted to client domains.
Domains which offer a binderized implementation of Bluetooth HAL, such
as hal_bluetooth_default domain, are always granted rules targeting
hal_bluetooth.
Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that
speaker over Bluetooth
Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test
Bug: 34170079
Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
2017-02-17 05:14:56 +01:00
|
|
|
attribute hal_bluetooth_client;
|
|
|
|
attribute hal_bluetooth_server;
|
Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
|
|
|
attribute hal_bootctl;
|
|
|
|
attribute hal_bootctl_client;
|
|
|
|
attribute hal_bootctl_server;
|
2016-12-22 21:55:02 +01:00
|
|
|
attribute hal_camera;
|
2017-02-17 01:08:22 +01:00
|
|
|
attribute hal_camera_client;
|
|
|
|
attribute hal_camera_server;
|
2017-01-19 03:41:56 +01:00
|
|
|
attribute hal_configstore;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_configstore_client;
|
|
|
|
attribute hal_configstore_server;
|
2017-01-20 19:39:32 +01:00
|
|
|
attribute hal_contexthub;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_contexthub_client;
|
|
|
|
attribute hal_contexthub_server;
|
2017-01-01 21:01:18 +01:00
|
|
|
attribute hal_drm;
|
2017-02-17 23:51:02 +01:00
|
|
|
attribute hal_drm_client;
|
|
|
|
attribute hal_drm_server;
|
2016-12-01 18:39:10 +01:00
|
|
|
attribute hal_dumpstate;
|
2017-02-22 19:15:24 +01:00
|
|
|
attribute hal_dumpstate_client;
|
|
|
|
attribute hal_dumpstate_server;
|
2016-12-16 04:46:43 +01:00
|
|
|
attribute hal_fingerprint;
|
Switch Fingerprint HAL policy to _client/_server
This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.
Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.
Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.
NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.
Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079
Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
2017-02-22 00:35:16 +01:00
|
|
|
attribute hal_fingerprint_client;
|
|
|
|
attribute hal_fingerprint_server;
|
2016-10-20 20:20:25 +02:00
|
|
|
attribute hal_gatekeeper;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_gatekeeper_client;
|
|
|
|
attribute hal_gatekeeper_server;
|
2016-12-09 17:53:42 +01:00
|
|
|
attribute hal_gnss;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_gnss_client;
|
|
|
|
attribute hal_gnss_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_graphics_allocator;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_graphics_allocator_client;
|
|
|
|
attribute hal_graphics_allocator_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_graphics_composer;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_graphics_composer_client;
|
|
|
|
attribute hal_graphics_composer_server;
|
2016-12-16 22:20:25 +01:00
|
|
|
attribute hal_health;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_health_client;
|
|
|
|
attribute hal_health_server;
|
2016-12-06 01:20:44 +01:00
|
|
|
attribute hal_ir;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_ir_client;
|
|
|
|
attribute hal_ir_server;
|
2017-01-28 00:00:27 +01:00
|
|
|
attribute hal_keymaster;
|
2017-02-23 04:48:17 +01:00
|
|
|
attribute hal_keymaster_client;
|
|
|
|
attribute hal_keymaster_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_light;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_light_client;
|
|
|
|
attribute hal_light_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_memtrack;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_memtrack_client;
|
|
|
|
attribute hal_memtrack_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_nfc;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_nfc_client;
|
|
|
|
attribute hal_nfc_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_power;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_power_client;
|
|
|
|
attribute hal_power_server;
|
2016-11-29 21:26:51 +01:00
|
|
|
attribute hal_sensors;
|
2017-03-13 23:13:52 +01:00
|
|
|
attribute hal_sensors_client;
|
|
|
|
attribute hal_sensors_server;
|
2016-12-08 02:43:46 +01:00
|
|
|
attribute hal_telephony;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_telephony_client;
|
|
|
|
attribute hal_telephony_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_thermal;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_thermal_client;
|
|
|
|
attribute hal_thermal_server;
|
2017-03-30 00:03:59 +02:00
|
|
|
attribute hal_tv_input;
|
|
|
|
attribute hal_tv_input_client;
|
|
|
|
attribute hal_tv_input_server;
|
2017-01-13 02:18:52 +01:00
|
|
|
attribute hal_usb;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_usb_client;
|
|
|
|
attribute hal_usb_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_vibrator;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_vibrator_client;
|
|
|
|
attribute hal_vibrator_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_vr;
|
2017-03-17 02:48:40 +01:00
|
|
|
attribute hal_vr_client;
|
|
|
|
attribute hal_vr_server;
|
2016-12-13 21:17:09 +01:00
|
|
|
attribute hal_wifi;
|
Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.
Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.
Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.
Test: Setup Wizard (incl. adding a Google Account) completes fine with
Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079
Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-23 00:12:19 +01:00
|
|
|
attribute hal_wifi_client;
|
|
|
|
attribute hal_wifi_server;
|
2017-03-29 00:45:42 +02:00
|
|
|
attribute hal_wifi_keystore;
|
|
|
|
attribute hal_wifi_keystore_client;
|
|
|
|
attribute hal_wifi_keystore_server;
|
2017-02-19 06:32:32 +01:00
|
|
|
attribute hal_wifi_supplicant;
|
|
|
|
attribute hal_wifi_supplicant_client;
|
|
|
|
attribute hal_wifi_supplicant_server;
|