2012-01-04 18:33:27 +01:00
|
|
|
######################################
|
|
|
|
# Attribute declarations
|
|
|
|
#
|
|
|
|
|
|
|
|
# All types used for devices.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# in tools/checkfc.c
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute dev_type;
|
|
|
|
|
|
|
|
# All types used for processes.
|
|
|
|
attribute domain;
|
|
|
|
|
|
|
|
# All types used for filesystems.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute fs_type;
|
|
|
|
|
2014-05-30 14:49:51 +02:00
|
|
|
# All types used for context= mounts.
|
|
|
|
attribute contextmount_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types used for files that can exist on a labeled fs.
|
|
|
|
# Do not use for pseudo file types.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute file_type;
|
|
|
|
|
|
|
|
# All types used for domain entry points.
|
|
|
|
attribute exec_type;
|
|
|
|
|
|
|
|
# All types used for /data files.
|
|
|
|
attribute data_file_type;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute data_file_type false;
|
2017-03-28 07:44:40 +02:00
|
|
|
# All types in /data, not in /data/vendor
|
|
|
|
attribute core_data_file_type;
|
2018-01-24 16:01:13 +01:00
|
|
|
expandattribute core_data_file_type false;
|
2017-04-02 02:17:12 +02:00
|
|
|
# All types in /vendor
|
|
|
|
attribute vendor_file_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types use for sysfs files.
|
|
|
|
attribute sysfs_type;
|
|
|
|
|
2015-12-08 02:02:31 +01:00
|
|
|
# All types use for debugfs files.
|
|
|
|
attribute debugfs_type;
|
|
|
|
|
2013-03-07 01:26:36 +01:00
|
|
|
# Attribute used for all sdcards
|
|
|
|
attribute sdcard_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types used for nodes/hosts.
|
|
|
|
attribute node_type;
|
|
|
|
|
|
|
|
# All types used for network interfaces.
|
|
|
|
attribute netif_type;
|
|
|
|
|
|
|
|
# All types used for network ports.
|
|
|
|
attribute port_type;
|
|
|
|
|
2012-04-04 16:11:16 +02:00
|
|
|
# All types used for property service
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_PC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-04-04 16:11:16 +02:00
|
|
|
attribute property_type;
|
|
|
|
|
2015-12-08 23:45:50 +01:00
|
|
|
# All properties defined in core SELinux policy. Should not be
|
|
|
|
# used by device specific properties
|
|
|
|
attribute core_property_type;
|
|
|
|
|
2016-04-15 20:10:06 +02:00
|
|
|
# All properties used to configure log filtering.
|
|
|
|
attribute log_property_type;
|
|
|
|
|
2015-04-09 00:12:24 +02:00
|
|
|
# All service_manager types created by system_server
|
2015-04-03 01:50:08 +02:00
|
|
|
attribute system_server_service;
|
|
|
|
|
|
|
|
# services which should be available to all but isolated apps
|
|
|
|
attribute app_api_service;
|
|
|
|
|
Start locking down access to services from ephemeral apps
This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.
Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-02-28 22:59:06 +01:00
|
|
|
# services which should be available to all ephemeral apps
|
|
|
|
attribute ephemeral_app_api_service;
|
|
|
|
|
2015-04-03 01:50:08 +02:00
|
|
|
# services which export only system_api
|
|
|
|
attribute system_api_service;
|
2014-12-17 00:45:26 +01:00
|
|
|
|
2017-04-06 18:24:41 +02:00
|
|
|
# All types used for services managed by servicemanager.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_SC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2014-06-06 00:52:02 +02:00
|
|
|
attribute service_manager_type;
|
|
|
|
|
2017-04-06 18:24:41 +02:00
|
|
|
# All types used for services managed by hwservicemanager
|
|
|
|
attribute hwservice_manager_type;
|
|
|
|
|
2017-04-22 02:06:43 +02:00
|
|
|
# All HwBinder services guaranteed to be passthrough. These services always run
|
|
|
|
# in the process of their clients, and thus operate with the same access as
|
|
|
|
# their clients.
|
|
|
|
attribute same_process_hwservice;
|
|
|
|
|
|
|
|
# All HwBinder services guaranteed to be offered only by core domain components
|
|
|
|
attribute coredomain_hwservice;
|
|
|
|
|
2017-04-06 18:24:41 +02:00
|
|
|
# All types used for services managed by vndservicemanager
|
|
|
|
attribute vndservice_manager_type;
|
|
|
|
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All domains that can override MLS restrictions.
|
|
|
|
# i.e. processes that can read up and write down.
|
|
|
|
attribute mlstrustedsubject;
|
|
|
|
|
|
|
|
# All types that can override MLS restrictions.
|
|
|
|
# i.e. files that can be read by lower and written by higher
|
|
|
|
attribute mlstrustedobject;
|
|
|
|
|
|
|
|
# All domains used for apps.
|
|
|
|
attribute appdomain;
|
|
|
|
|
2017-02-13 22:33:27 +01:00
|
|
|
# All third party apps.
|
|
|
|
attribute untrusted_app_all;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All domains used for apps with network access.
|
|
|
|
attribute netdomain;
|
|
|
|
|
|
|
|
# All domains used for apps with bluetooth access.
|
|
|
|
attribute bluetoothdomain;
|
|
|
|
|
|
|
|
# All domains used for binder service domains.
|
|
|
|
attribute binderservicedomain;
|
2016-04-22 22:23:36 +02:00
|
|
|
|
2016-08-04 05:31:37 +02:00
|
|
|
# update_engine related domains that need to apply an update and run
|
|
|
|
# postinstall. This includes the background daemon and the sideload tool from
|
|
|
|
# recovery for A/B devices.
|
|
|
|
attribute update_engine_common;
|
2016-11-15 19:05:55 +01:00
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
# All core domains (as opposed to vendor/device-specific domains)
|
|
|
|
attribute coredomain;
|
|
|
|
|
2017-03-31 02:39:00 +02:00
|
|
|
# All socket devices owned by core domain components
|
|
|
|
attribute coredomain_socket;
|
2018-01-24 16:01:13 +01:00
|
|
|
expandattribute coredomain_socket false;
|
2017-03-31 02:39:00 +02:00
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
# All vendor domains which violate the requirement of not using Binder
|
|
|
|
# TODO(b/35870313): Remove this once there are no violations
|
|
|
|
attribute binder_in_vendor_violators;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute binder_in_vendor_violators false;
|
2017-03-23 22:27:32 +01:00
|
|
|
|
2017-03-25 00:07:35 +01:00
|
|
|
# All vendor domains which violate the requirement of not using sockets for
|
|
|
|
# communicating with core components
|
|
|
|
# TODO(b/36577153): Remove this once there are no violations
|
|
|
|
attribute socket_between_core_and_vendor_violators;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute socket_between_core_and_vendor_violators false;
|
2017-03-25 00:07:35 +01:00
|
|
|
|
2017-04-15 06:26:57 +02:00
|
|
|
# All vendor domains which violate the requirement of not executing
|
|
|
|
# system processes
|
|
|
|
# TODO(b/36463595)
|
|
|
|
attribute vendor_executes_system_violators;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute vendor_executes_system_violators false;
|
2017-04-15 06:26:57 +02:00
|
|
|
|
2017-10-17 22:07:54 +02:00
|
|
|
# All domains which violate the requirement of not sharing files by path
|
|
|
|
# between between vendor and core domains.
|
|
|
|
# TODO(b/34980020)
|
|
|
|
attribute data_between_core_and_vendor_violators;
|
|
|
|
expandattribute data_between_core_and_vendor_violators false;
|
|
|
|
|
2017-12-21 00:38:35 +01:00
|
|
|
# All system domains which violate the requirement of not executing vendor
|
|
|
|
# binaries/libraries.
|
|
|
|
# TODO(b/62041836)
|
|
|
|
attribute system_executes_vendor_violators;
|
|
|
|
expandattribute system_executes_vendor_violators false;
|
|
|
|
|
2017-06-21 19:00:32 +02:00
|
|
|
# hwservices that are accessible from untrusted applications
|
|
|
|
# WARNING: Use of this attribute should be avoided unless
|
|
|
|
# absolutely necessary. It is a temporary allowance to aid the
|
|
|
|
# transition to treble and will be removed in a future platform
|
|
|
|
# version, requiring all hwservices that are labeled with this
|
|
|
|
# attribute to be submitted to AOSP in order to maintain their
|
|
|
|
# app-visibility.
|
|
|
|
attribute untrusted_app_visible_hwservice;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute untrusted_app_visible_hwservice false;
|
|
|
|
|
|
|
|
# halserver domains that are accessible to untrusted applications. These
|
|
|
|
# domains are typically those hosting hwservices attributed by the
|
|
|
|
# untrusted_app_visible_hwservice.
|
|
|
|
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
|
|
|
|
# It is a temporary allowance to aid the transition to treble and will be
|
|
|
|
# removed in the future platform version, requiring all halserver domains that
|
|
|
|
# are labeled with this attribute to be submitted to AOSP in order to maintain
|
|
|
|
# their app-visibility.
|
|
|
|
attribute untrusted_app_visible_halserver;
|
|
|
|
expandattribute untrusted_app_visible_halserver false;
|
2017-06-21 19:00:32 +02:00
|
|
|
|
2017-05-01 22:01:44 +02:00
|
|
|
# PDX services
|
|
|
|
attribute pdx_endpoint_dir_type;
|
|
|
|
attribute pdx_endpoint_socket_type;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute pdx_endpoint_socket_type false;
|
2017-05-01 22:01:44 +02:00
|
|
|
attribute pdx_channel_socket_type;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute pdx_channel_socket_type false;
|
2017-05-01 22:01:44 +02:00
|
|
|
|
|
|
|
pdx_service_attributes(display_client)
|
|
|
|
pdx_service_attributes(display_manager)
|
|
|
|
pdx_service_attributes(display_screenshot)
|
|
|
|
pdx_service_attributes(display_vsync)
|
|
|
|
pdx_service_attributes(performance_client)
|
|
|
|
pdx_service_attributes(bufferhub_client)
|
|
|
|
|
2017-02-13 23:40:49 +01:00
|
|
|
# All HAL servers
|
|
|
|
attribute halserverdomain;
|
|
|
|
# All HAL clients
|
|
|
|
attribute halclientdomain;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute halclientdomain true;
|
2017-01-11 00:54:25 +01:00
|
|
|
|
2018-02-01 01:58:51 +01:00
|
|
|
# TODO(b/72757373): Use hal_attribute macro once expandattribute value conflicts
|
|
|
|
# can be resolve.
|
|
|
|
attribute hal_audio;
|
|
|
|
attribute hal_audio_client;
|
|
|
|
expandattribute hal_audio_client true;
|
|
|
|
attribute hal_audio_server;
|
|
|
|
expandattribute hal_audio_server false;
|
|
|
|
|
|
|
|
attribute hal_bootctl;
|
|
|
|
attribute hal_bootctl_client;
|
|
|
|
expandattribute hal_bootctl_client true;
|
|
|
|
attribute hal_bootctl_server;
|
|
|
|
expandattribute hal_bootctl_server false;
|
|
|
|
|
|
|
|
attribute hal_camera;
|
|
|
|
attribute hal_camera_client;
|
|
|
|
expandattribute hal_camera_client true;
|
|
|
|
attribute hal_camera_server;
|
|
|
|
expandattribute hal_camera_server false;
|
|
|
|
|
|
|
|
attribute hal_drm;
|
|
|
|
attribute hal_drm_client;
|
|
|
|
expandattribute hal_drm_client true;
|
|
|
|
attribute hal_drm_server;
|
|
|
|
expandattribute hal_drm_server false;
|
|
|
|
|
|
|
|
attribute hal_cas;
|
|
|
|
attribute hal_cas_client;
|
|
|
|
expandattribute hal_cas_client true;
|
|
|
|
attribute hal_cas_server;
|
|
|
|
expandattribute hal_cas_server false;
|
|
|
|
|
2016-11-15 19:05:55 +01:00
|
|
|
# HALs
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(allocator);
|
2018-01-10 17:11:46 +01:00
|
|
|
hal_attribute(authsecret);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(bluetooth);
|
|
|
|
hal_attribute(broadcastradio);
|
|
|
|
hal_attribute(configstore);
|
2018-01-09 23:42:53 +01:00
|
|
|
hal_attribute(confirmationui);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(contexthub);
|
|
|
|
hal_attribute(dumpstate);
|
|
|
|
hal_attribute(fingerprint);
|
|
|
|
hal_attribute(gatekeeper);
|
|
|
|
hal_attribute(gnss);
|
|
|
|
hal_attribute(graphics_allocator);
|
|
|
|
hal_attribute(graphics_composer);
|
|
|
|
hal_attribute(health);
|
|
|
|
hal_attribute(ir);
|
|
|
|
hal_attribute(keymaster);
|
|
|
|
hal_attribute(light);
|
|
|
|
hal_attribute(lowpan);
|
|
|
|
hal_attribute(memtrack);
|
|
|
|
hal_attribute(neuralnetworks);
|
|
|
|
hal_attribute(nfc);
|
|
|
|
hal_attribute(oemlock);
|
|
|
|
hal_attribute(power);
|
2018-01-04 19:33:20 +01:00
|
|
|
hal_attribute(secure_element);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(sensors);
|
|
|
|
hal_attribute(telephony);
|
|
|
|
hal_attribute(tetheroffload);
|
|
|
|
hal_attribute(thermal);
|
|
|
|
hal_attribute(tv_cec);
|
|
|
|
hal_attribute(tv_input);
|
|
|
|
hal_attribute(usb);
|
2018-01-08 18:29:40 +01:00
|
|
|
hal_attribute(usb_gadget);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(vibrator);
|
|
|
|
hal_attribute(vr);
|
|
|
|
hal_attribute(weaver);
|
|
|
|
hal_attribute(wifi);
|
|
|
|
hal_attribute(wifi_offload);
|
|
|
|
hal_attribute(wifi_supplicant);
|
Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.
The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).
Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
keystore and hal_wifi_supplicant_default domains
Bug: 36896667
Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
|
|
|
|
|
|
|
# HwBinder services offered across the core-vendor boundary
|
|
|
|
#
|
|
|
|
# We annotate server domains with x_server to loosen the coupling between
|
|
|
|
# system and vendor images. For example, it should be possible to move a service
|
|
|
|
# from one core domain to another, without having to update the vendor image
|
|
|
|
# which contains clients of this service.
|
|
|
|
|
2017-05-17 02:43:52 +02:00
|
|
|
attribute display_service_server;
|
Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.
The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).
Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
keystore and hal_wifi_supplicant_default domains
Bug: 36896667
Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
|
|
|
attribute wifi_keystore_service_server;
|