tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/attributes

268 lines
7.7 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
######################################
# Attribute declarations
#
# All types used for devices.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute dev_type;
# All types used for processes.
attribute domain;
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 18:54:39 +01:00
# Temporary attribute used for migrating permissions out of domain.
# Motivation: Domain is overly permissive. Start removing permissions
# from domain and assign them to the domain_deprecated attribute.
# Domain_deprecated and domain can initially be assigned to all
# domains. The goal is to not assign domain_deprecated to new domains
# and to start removing domain_deprecated where it's not required or
# reassigning the appropriate permissions to the inheriting domain
# when necessary.
attribute domain_deprecated;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for filesystems.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute fs_type;
Define contextmount_type attribute and add it to oemfs. Several device-specific policy changes with the same Change-Id also add this attribute to device-specific types. Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 14:49:51 +02:00
# All types used for context= mounts.
attribute contextmount_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute file_type;
# All types used for domain entry points.
attribute exec_type;
# All types used for /data files.
attribute data_file_type;
Ban vendor components access to core data types Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open file: stat/read/write/append. This commit marks core data types as core_data_file_type and bans access to non-core domains with an exemption for apps. A temporary exemption is also granted to domains that currently rely on access with TODOs and bug number for each exemption. Bug: 34980020 Test: Build and boot Marlin. Make phone call, watch youtube video. No new denials observed. Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
2017-03-28 07:44:40 +02:00
# All types in /data, not in /data/vendor
attribute core_data_file_type;
sepolicy: relabel /vendor The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-02 02:17:12 +02:00
# All types in /vendor
attribute vendor_file_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types use for sysfs files.
attribute sysfs_type;
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-08 02:02:31 +01:00
# All types use for debugfs files.
attribute debugfs_type;
Split internal and external sdcards Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
2013-03-07 01:26:36 +01:00
# Attribute used for all sdcards
attribute sdcard_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for nodes/hosts.
attribute node_type;
# All types used for network interfaces.
attribute netif_type;
# All types used for network ports.
attribute port_type;
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
2012-04-04 16:11:16 +02:00
# All types used for property service
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
2012-04-04 16:11:16 +02:00
attribute property_type;
Remove property read access for non-core properties Instead of allowing global read access to all properties, only allow read access to the properties which are part of core SELinux policy. Device-specific policies are no longer readable by default and need to be granted in device-specific policy. Grant read-access to any property where the person has write access. In most cases, anyone who wants to write a property needs read access to that property. Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
2015-12-08 23:45:50 +01:00
# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
# All properties used to configure log filtering.
attribute log_property_type;
Enforce more specific service access. Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging: registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window Bug: 18106000 Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 00:12:24 +02:00
# All service_manager types created by system_server
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 01:50:08 +02:00
attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
Start locking down access to services from ephemeral apps This starts with the reduction in the number of services that ephemeral apps can access. Prior to this commit, ephemeral apps were permitted to access most of the service_manager services accessible by conventional apps. This commit reduces this set by removing access from ephemeral apps to: * gatekeeper_service, * sec_key_att_app_id_provider_service, * wallpaper_service, * wifiaware_service, * wifip2p_service, * wifi_service. Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine. Bug: 33349998 Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-02-28 22:59:06 +01:00
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 01:50:08 +02:00
# services which export only system_api
attribute system_api_service;
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2014-12-17 00:45:26 +01:00
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 18:24:41 +02:00
# All types used for services managed by servicemanager.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-06 00:52:02 +02:00
attribute service_manager_type;
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 18:24:41 +02:00
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-22 02:06:43 +02:00
# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;
# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 18:24:41 +02:00
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
# All domains used for apps.
attribute appdomain;
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
# All third party apps.
attribute untrusted_app_all;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All domains used for apps with network access.
attribute netdomain;
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
# All domains used for binder service domains.
attribute binderservicedomain;
Move boot_control HAL permissions to an attribute. The boot_control HAL is library loaded by our daemons (like update_engine and update_verifier) that interacts with the bootloader. The actual implementation of this library is provided by the vendor and its runtime permissions are tied to this implementation which varies a lot based on how the bootloader and the partitions it uses are structured. This patch moves these permissions to an attribute so the attribute can be expanded on each device without the need to repeat that on each one of our daemons using the boot_control HAL. Bug: 27107517 Change-Id: Idfe6a208720b49802b03f70fee4a3e73030dae2e
2016-04-22 22:23:36 +02:00
Allow executing update_engine_sideload from recovery. The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attributte called update_engine_common shared between recovery and update_engine. Bug: 27178350 Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a
2016-08-04 05:31:37 +02:00
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
Move hal_light to attribute. HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
2016-11-15 19:05:55 +01:00
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
Tighten restrictions on core <-> vendor socket comms This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 (cherry picked from commit cf2ffdf0d86f485dfff05a2f13819997bfd462e1) Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
2017-03-31 02:39:00 +02:00
# All socket devices owned by core domain components
attribute coredomain_socket;
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
Ban socket connections between core and vendor On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and vendor domain are not permitted to connect to each other's sockets. There are two main exceptions: (1) apps are permitted to talk to other apps over Unix domain sockets (this is public API in Android framework), and (2) domains with network access (netdomain) are permitted to connect to netd. This commit thus: * adds neverallow rules restricting socket connection establishment, * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "socket_between_core_and_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Bug: 36613996 Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
2017-03-25 00:07:35 +01:00
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
Add vendor_executes_system_violators attribute Temporary attribute (checked against in CTS) to point out vendor processes that run /system executables. These are currently only down to 2-3 of them that are related to telephony on sailfish Bug: 36463595 Test: Build succeeds for sailfish Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \ --skip-device-info --skip-preconditions --skip-connectivity-check \ --abi arm64-v8a Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-15 06:26:57 +02:00
# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
Group all HAL impls using haldomain attribute This marks all HAL domain implementations with the haldomain attribute so that rules can be written which apply to all HAL implementations. This follows the pattern used for appdomain, netdomain and bluetoothdomain. Test: No change to policy according to sesearch. Bug: 34180936 Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
2017-01-11 00:54:25 +01:00
Move hal_light to attribute. HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
2016-11-15 19:05:55 +01:00
# HALs
Switch Allocator HAL policy to _client/_server This switches Allocator HAL policy to the design which enables us to identify all SELinux domains which host HALs and all domains which are clients of HALs. Allocator HAL is special in the sense that it's assumed to be always binderized. As a result, rules in Camera HAL target hal_allocator_server rather than hal_allocator (which would be the server and any client, if the Allocator HAL runs in passthrough mode). Test: Device boots up, no new denials Test: YouTube video plays back Test: Take photo using Google Camera app, recover a video, record a slow motion video Bug: 34170079 Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
2017-03-18 00:51:56 +01:00
attribute hal_allocator;
attribute hal_allocator_client;
attribute hal_allocator_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_audio;
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
attribute hal_audio_client;
attribute hal_audio_server;
Add selinux policy for Bluetooth HAL Bug: 31972505 Test: VTS test passes, Bluetooth starts/stops Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08
2016-10-12 23:49:56 +02:00
attribute hal_bluetooth;
Switch Bluetooth HAL policy to _client/_server This switches Bluetooth HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Bluetooth HAL. Domains which are clients of Bluetooth HAL, such as bluetooth domain, are granted rules targeting hal_bluetooth only when the Bluetooth HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bluetooth are not granted to client domains. Domains which offer a binderized implementation of Bluetooth HAL, such as hal_bluetooth_default domain, are always granted rules targeting hal_bluetooth. Test: Toggle Bluetooth off and on Test: Pair with another Android, and transfer a file to that Android over Bluetooth Test: Pair with a Bluetooth speaker, play music through that speaker over Bluetooth Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device, adb shell stop, adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test Bug: 34170079 Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
2017-02-17 05:14:56 +01:00
attribute hal_bluetooth_client;
attribute hal_bluetooth_server;
Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
attribute hal_bootctl;
attribute hal_bootctl_client;
attribute hal_bootctl_server;
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
2016-12-22 21:55:02 +01:00
attribute hal_camera;
Switch Camera HAL policy to _client/_server This switches Camera HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Camera HAL. Domains which are clients of Camera HAL, such as cameraserver domain, are granted rules targeting hal_camera only when the Camera HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_camera are not granted to client domains. Domains which offer a binderized implementation of Camera HAL, such as hal_camera_default domain, are always granted rules targeting hal_camera. Test: Take non-HDR photo using Google Camera app Test: Take HDR photo using Google Camera app Test: Record video using Google Camera app Bug: 34170079 Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e
2017-02-17 01:08:22 +01:00
attribute hal_camera_client;
attribute hal_camera_server;
configstore: add selinux policy for configstore@1.0 hal This change adds selinux policy for configstore@1.0 hal. Currently, only surfaceflinger has access to the HAL, but need to be widen. Bug: 34314793 Test: build & run Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964 Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964 (cherry picked from commit 5ff0f178ba077594e80d9777bbe7a13d25d2484d)
2017-01-19 03:41:56 +01:00
attribute hal_configstore;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_configstore_client;
attribute hal_configstore_server;
Sort hal_* declarations alphabetically Test: No change to SELinux policy Change-Id: I45d6d6ab0538b9d4768b922cfdc2c972272d0b18
2017-01-20 19:39:32 +01:00
attribute hal_contexthub;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_contexthub_client;
attribute hal_contexthub_server;
Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f
2017-01-01 21:01:18 +01:00
attribute hal_drm;
Switch DRM HAL policy to _client/_server This switches DRM HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of DRM HAL. Domains which are clients of DRM HAL, such as mediadrmserver domain, are granted rules targeting hal_drm only when the DRM HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_drm are not granted to client domains. Domains which offer a binderized implementation of DRM HAL, such as hal_drm_default domain, are always granted rules targeting hal_drm. Test: Play movie using Google Play Movies Test: Play movie using Netflix Bug: 34170079 Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
2017-02-17 23:51:02 +01:00
attribute hal_drm_client;
attribute hal_drm_server;
Add hal_dumpstate attribute. - Also allow dumpstate to talk to hal_dumpstate. Bug: 31982882 Test: compiles Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
2016-12-01 18:39:10 +01:00
attribute hal_dumpstate;
Switch Dumpstate HAL policy to _client/_server This switches Dumpstate HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Dumpstate HAL. Domains which are clients of Dumpstate HAL, such as dumpstate domain, are granted rules targeting hal_dumpstate only when the Dumpstate HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_dumpstate are not granted to client domains. Domains which offer a binderized implementation of Dumpstate HAL, such as hal_dumpstate_default domain, are always granted rules targeting hal_dumpstate. Test: adb bugreport Test: Take bugreport through system UI Bug: 34170079 Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27
2017-02-22 19:15:24 +01:00
attribute hal_dumpstate_client;
attribute hal_dumpstate_server;
New SeLinux policy for fingerprint HIDL Move from fingerprintd to new fingerprint_hal and update SeLinux policy. Test: Boot with no errors related to fingerprint sepolicy Bug: 33199080 Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
2016-12-16 04:46:43 +01:00
attribute hal_fingerprint;
Switch Fingerprint HAL policy to _client/_server This switches Fingerprint HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Bluetooth HAL. Domains which are clients of Fingerprint HAL, such as system_server domain, are granted rules targeting hal_fingerprint only when the Fingerprint HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_fingerprint are not granted to client domains. Domains which offer a binderized implementation of Fingerprint HAL, such as hal_fingerprint_default domain, are always granted rules targeting hal_fingerprint. NOTE: This commit also removes unnecessary allow rules from Fingerprint HAL, such access to servicemanager (not hwservicemanager) and access to keystore daemon over Binder IPC. Fingerprint HAL does not use this functionality anyway and shouldn't use it either. Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks with fingerprint or PIN Test: Disable PIN (and thus fingerprint) secure lock screen Test: make FingerprintDialog, install, make a fake purchase Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device, adb shell stop, adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass Bug: 34170079 Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
2017-02-22 00:35:16 +01:00
attribute hal_fingerprint_client;
attribute hal_fingerprint_server;
gatekeeper HAL service: add security policy Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c Signed-off-by: Alexey Polyudov <apolyudov@google.com>
2016-10-20 20:20:25 +02:00
attribute hal_gatekeeper;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_gatekeeper_client;
attribute hal_gatekeeper_server;
add selinux policy for GNSS hal The following are the avc denials that are addressed: avc: denied { call } for pid=889 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0 avc: denied { call } for scontext=u:r:hal_gnss_default:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=0 avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 Bug:31974439 Test: Checked that there no more related avc denial messages related to the GNSS HAL in dmesg. Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5
2016-12-09 17:53:42 +01:00
attribute hal_gnss;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_gnss_client;
attribute hal_gnss_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_graphics_allocator;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_graphics_allocator_client;
attribute hal_graphics_allocator_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_graphics_composer;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_graphics_composer_client;
attribute hal_graphics_composer_server;
hal_health: express the sepolicy as attribute Bug: http://b/32905206 Test: Boot sailfish and no new selinux failures observed in logs Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9 Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-12-16 22:20:25 +01:00
attribute hal_health;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_health_client;
attribute hal_health_server;
Add sepolicy for consumerir HIDL HAL Test: logging confirms service runs on boot Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce Signed-off-by: Connor O'Brien <connoro@google.com>
2016-12-06 01:20:44 +01:00
attribute hal_ir;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_ir_client;
attribute hal_ir_server;
Preliminary policy for hal_keymaster (TREBLE) This adds the premissions required for android.hardware.keymaster@2.0-service to access the keymaster TA as well as for keystore and vold to lookup and use android.hardware.keymaster@2.0-service. IT DOES NOT remove the privileges from keystore and vold to access the keymaster TA directly. Test: Run keystore CTS tests Bug: 32020919 (cherry picked from commit 5090d6f3241ffbd96f5a0b24df602bd2559f3cf4) Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
2017-01-28 00:00:27 +01:00
attribute hal_keymaster;
Switch Keymaster HAL policy to _client/_server This switches Keymaster HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Keymaster HAL. Domains which are clients of Keymaster HAL, such as keystore and vold domains, are granted rules targeting hal_keymaster only when the Keymaster HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_keymaster are not granted to client domains. Domains which offer a binderized implementation of Keymaster HAL, such as hal_keymaster_default domain, are always granted rules targeting hal_keymaster. Test: Password-protected sailfish boots up and lock screen unlocks -- this exercises vold -> Keymaster HAL interaction Test: All Android Keystore CTS tests pass -- this exercises keystore -> Keymaster HAL interaction: make cts cts-tradefed cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi arm64-v8a \ --module CtsKeystoreTestCases Bug: 34170079 Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
2017-02-23 04:48:17 +01:00
attribute hal_keymaster_client;
attribute hal_keymaster_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_light;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_light_client;
attribute hal_light_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_memtrack;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_memtrack_client;
attribute hal_memtrack_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_nfc;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_nfc_client;
attribute hal_nfc_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_power;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_power_client;
attribute hal_power_server;
Add sepolicy for sensors Adding sepoilcy for sensors. Test: Sensors work. Change-Id: Ibbf0c1a22654a17b1573e3761ea9ccd816150255
2016-11-29 21:26:51 +01:00
attribute hal_sensors;
Switch Sensors HAL policy to _client/_server This switches Sensors HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Sensors HAL. Domains which are clients of Sensors HAL, such as system_server, are granted rules targeting hal_sensors only when the Sensors HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_sensors are not granted to client domains. Domains which offer a binderized implementation of Sensors HAL, such as hal_sensors_default domain, are always granted rules targeting hal_sensors. P. S. This commit also removes allow system_server sensors_device:chr_file rw_file_perms because this is device-specific and thus not needed in device-agnostic policy. The device-specific policy of the affected devices already has this rule. Test: Device boots, no new denials Test: adb shell dumpsys sensorservice lists tons of sensors Test: Proprietary sensors test app indicates that there are sensors and that the app can register to listen for updates for sensors and that such updates arrive to the app. Bug: 34170079 Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
2017-03-13 23:13:52 +01:00
attribute hal_sensors_client;
attribute hal_sensors_server;
SEPolicy changes for BT SAP hal. Test: Verified that WIP telephony and BT SAP CLs work fine with this change https://android-review.googlesource.com/#/q/topic:%22Basic+radio+service+and+client%22+(status:open+OR+status:merged) https://android-review.googlesource.com/#/q/topic:%22SAP+HAL%22+(status:open+OR+status:merged) Bug: 32020264 Change-Id: If15820d43e324d80e35808a292ee811f98d499cc
2016-12-08 02:43:46 +01:00
attribute hal_telephony;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_telephony_client;
attribute hal_telephony_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_thermal;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_thermal_client;
attribute hal_thermal_server;
Add sepolicy for tv.cec Bug: 36562029 Test: m -j40 and CEC functionality works well Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8
2017-04-05 04:20:48 +02:00
attribute hal_tv_cec;
attribute hal_tv_cec_client;
attribute hal_tv_cec_server;
Add sepolicy for tv.input Test: build, flash; adb shell lshal Bug: 36562029 Change-Id: If8f6d8dbd99d31e6627fa4b7c1fd4faea3b75cf2
2017-03-30 00:03:59 +02:00
attribute hal_tv_input;
attribute hal_tv_input_client;
attribute hal_tv_input_server;
sepolicy for usb hal Bug: 31015010 cherry-pick from b6e4d4bdf12e8a61414596d3d23c5016ae0d6477 Test: checked for selinux denial msgs in the dmesg logs. Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
2017-01-13 02:18:52 +01:00
attribute hal_usb;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_usb_client;
attribute hal_usb_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_vibrator;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_vibrator_client;
attribute hal_vibrator_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_vr;
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
attribute hal_vr_client;
attribute hal_vr_server;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_wifi;
Switch Wi-Fi HAL policy to _client/_server This switches Wi-Fi HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Wi-Fi HAL. Domains which are clients of Wi-Fi HAL, such as system_server domain, are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_wifi are not granted to client domains. Domains which offer a binderized implementation of Wi-Fi HAL, such as hal_wifi_default domain, are always granted rules targeting hal_wifi. Test: Setup Wizard (incl. adding a Google Account) completes fine with Wi-Fi connectivity only Test: Toggle Wi-Fi off, on, off, on Test: Use System UI to see list of WLANs and connect to one which does not require a password, and to one which requries a PSK Test: ip6.me loads fine in Chrome over Wi-Fi Bug: 34170079 Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-23 00:12:19 +01:00
attribute hal_wifi_client;
attribute hal_wifi_server;
sepolicy: Add new wifi keystore HAL Moving the wpa_supplicant interaction from the binder keystore service to the new wifi keystore HAL. Denials addressed: 03-29 00:04:52.075 734 734 E SELinux : avc: denied { get } for pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0 tcontext=u:r:keystore:s0 tclass=keystore_key Bug: 34603782 Test: Able to connect to wifi passpoint networks. Denials no longer seen. Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
2017-03-29 00:45:42 +02:00
attribute hal_wifi_keystore;
attribute hal_wifi_keystore_client;
attribute hal_wifi_keystore_server;
sepolicy: Make wpa_supplicant a HIDL service Note: The existing rules allowing socket communication will be removed once we migrate over to HIDL completely. (cherry-pick of 2a9595ede2c9a224686e619c2ee5c976dd324ac0) Bug: 34603782 Test: Able to connect to wifi networks. Test: Will be sending for full wifi integration tests (go/wifi-test-request) Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-02-19 06:32:32 +01:00
attribute hal_wifi_supplicant;
attribute hal_wifi_supplicant_client;
attribute hal_wifi_supplicant_server;
Wifi Keystore HAL is not a HAL Wifi Keystore HAL is a HwBinder service (currently offered by keystore daemon) which is used by Wifi Supplicant HAL. This commit thus switches the SELinux policy of Wifi Keystore HAL to the approach used for non-HAL HwBinder services. The basic idea is simimilar to how we express Binder services in the policy, with two tweaks: (1) we don't have 'hwservicemanager find' and thus there's no add_hwservice macro, and (2) we need loosen the coupling between core and vendor components. For example, it should be possible to move a HwBinder service offered by a core component into another core component, without having to update the SELinux policy of the vendor image. We thus annotate all components offering HwBinder service x across the core-vendor boundary with x_server, which enables the policy of clients to contain rules of the form: binder_call(mydomain, x_server), and, if the service uses IPC callbacks, also binder_call(x_server, mydomain). Test: mmm system/sepolicy Test: sesearch indicates to changes to binder { call transfer} between keystore and hal_wifi_supplicant_default domains Bug: 36896667 Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
attribute wifi_keystore_service_server;
Reference in a new issue Copy permalink