platform_system_sepolicy/private/vdc.te

typeattribute vdc coredomain;

init_daemon_domain(vdc)

# Allow stdin/out back to vehicle_binding_util
allow vdc vehicle_binding_util:fd use;

# vdc can be invoked with logwrapper, so let it write to pty
allow vdc devpts:chr_file rw_file_perms;

# vdc writes directly to kmsg during the boot process
allow vdc kmsg_device:chr_file { getattr w_file_perms };

# vdc talks to vold over Binder
binder_use(vdc)
binder_call(vdc, vold)
allow vdc vold_service:service_manager find;
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute vdc coredomain;`

Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`init_daemon_domain(vdc)`
Add vehicle_binding_util SELinux context Adds required context for 'vehicle_binding_util' to 'vold' interactions. The vehicle_binding_util actually fork/execvp vdc. And vdc will call vold to set the binding seed value. Test: manual 'make' Bug: 157501579 Change-Id: I5194c9cd0f5a910b1309b547aabf66bb9c397738 2021-06-01 22:13:02 +02:00
			`# Allow stdin/out back to vehicle_binding_util`
			`allow vdc vehicle_binding_util:fd use;`
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged \| grep "^-" \| cut -b2- \| sort) \ <(git diff --staged \| grep "^+" \| cut -b2- \| sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12 2024-03-27 09:18:41 +01:00
			`# vdc can be invoked with logwrapper, so let it write to pty`
			`allow vdc devpts:chr_file rw_file_perms;`

			`# vdc writes directly to kmsg during the boot process`
			`allow vdc kmsg_device:chr_file { getattr w_file_perms };`

			`# vdc talks to vold over Binder`
			`binder_use(vdc)`
			`binder_call(vdc, vold)`
			`allow vdc vold_service:service_manager find;`