From 3007344dcd29f0d1320c6145302c2d833fda1a7c Mon Sep 17 00:00:00 2001
From: Amit Mahajan
Date: Mon, 12 Mar 2018 17:12:09 +0000
Subject: [PATCH] Revert "Revert "Move rild from public to vendor.""
This reverts commit 016f0a58a9cd429f1986033f922d4bb7f58f5f3a.
Reason for revert: Was temporarily reverted, merging back in with fix.
Test: Basic telephony sanity, treehugger
Bug: 74486619
Bug: 36427227
Merged-in: Ide68726a90d5485c2758673079427407aee1e4f2
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
(cherry picked from commit 312248ff726d11b88aeb6db5ba7ca2df09077adf)
---
 private/compat/26.0/26.0.cil | 1 +
 private/compat/27.0/27.0.cil | 1 +
 public/domain.te | 1 -
 public/hal_neverallows.te | 6 ++---
 public/hal_telephony.te | 39 +++++++++++++++++++++++++++++++
 public/property.te | 4 ++--
 public/radio.te | 4 ++--
 public/rild.te | 45 ------------------------------------
 vendor/rild.te | 5 ++++
 9 files changed, 53 insertions(+), 53 deletions(-)
 delete mode 100644 public/rild.te
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 261fc6de2..74fef1a9a 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -11,6 +11,7 @@
 (type tracing_shell_writable)
 (type tracing_shell_writable_debug)
 (type webview_zygote_socket)
+(type rild)
 (typeattributeset accessibility_service_26_0 (accessibility_service))
 (typeattributeset account_service_26_0 (account_service))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 1be82bfa5..791a6f19b 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1,6 +1,7 @@
 ;; types removed from current policy
 (type webview_zygote_socket)
 (type reboot_data_file)
+(type rild)
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/public/domain.te b/public/domain.te
index b079b072f..2681b9923 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -960,7 +960,6 @@ full_treble_only(`
 domain
 -coredomain
 -appdomain
- -rild
 -vendor_executes_system_violators
 -vendor_init
 } {
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index c866baeff..ce4b48cd0 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -5,7 +5,7 @@ neverallow {
 -hal_bluetooth_server
 -hal_wifi_server
 -hal_wifi_supplicant_server
- -rild
+ -hal_telephony_server
 } self:global_capability_class_set { net_admin net_raw };
 # Unless a HAL's job is to communicate over the network, or control network
@@ -15,7 +15,7 @@ neverallow {
 -hal_tetheroffload_server
 -hal_wifi_server
 -hal_wifi_supplicant_server
- -rild
+ -hal_telephony_server
 } domain:{ tcp_socket udp_socket rawip_socket } *;
 ###
@@ -42,7 +42,7 @@ neverallow {
 neverallow {
 halserverdomain
 -hal_dumpstate_server
- -rild
+ -hal_telephony_server
 } { file_type fs_type }:file execute_no_trans;
 # Do not allow a process other than init to transition into a HAL domain.
 neverallow { domain -init } halserverdomain:process transition;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 41cfd4bf3..86f41cbea 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
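Review bot: The exemption entry in the first public/hal_neverallows.te hunk changes from the single type `rild` to the attribute `hal_telephony_server`, and the same swap is made in the other two hunks of that file and in both public/property.te hunks. The effect is that every domain declared as a telephony HAL server is now exempt from the net_admin/net_raw, network-socket and execute_no_trans neverallows, and from the rules that list `exported_radio_prop` and `radio_prop`, not only rild. The swap is needed once the type leaves public policy, but nothing in the files records the wider scope. I would add a comment next to each changed entry, for example `# attribute: exempts every hal_server_domain(..., hal_telephony) domain, audit each implementer`. The neverallow bodies begin or end outside these hunks, so the full rule text is not visible here.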
@@ -5,3 +5,42 @@ binder_call(hal_telephony_server, hal_telephony_client)
 add_hwservice(hal_telephony_server, hal_telephony_hwservice)
 allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
+
+allow hal_telephony_server self:netlink_route_socket nlmsg_write;
+allow hal_telephony_server kernel:system module_request;
+allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
+allow hal_telephony_server alarm_device:chr_file rw_file_perms;
+allow hal_telephony_server cgroup:dir create_dir_perms;
+allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server radio_device:chr_file rw_file_perms;
+allow hal_telephony_server radio_device:blk_file r_file_perms;
+allow hal_telephony_server mtd_device:dir search;
+allow hal_telephony_server efs_file:dir create_dir_perms;
+allow hal_telephony_server efs_file:file create_file_perms;
+allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
+allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
+allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
+allow hal_telephony_server sdcard_type:dir r_dir_perms;
+
+# property service
+set_prop(hal_telephony_server, radio_prop)
+set_prop(hal_telephony_server, exported_radio_prop)
+set_prop(hal_telephony_server, exported2_radio_prop)
+
+allow hal_telephony_server tty_device:chr_file rw_file_perms;
+
+# Allow hal_telephony_server to create and use netlink sockets.
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(hal_telephony_server)
+
+r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, sysfs_type)
+r_dir_file(hal_telephony_server, system_file)
+
+# granting the ioctl permission for hal_telephony_server should be device specific
+allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/public/property.te b/public/property.te
index e40033268..cb839c955 100644
--- a/public/property.te
+++ b/public/property.te
@@ -158,7 +158,7 @@ compatible_property_only(`
 domain
 -coredomain
 -appdomain
- -rild
+ -hal_telephony_server
 -vendor_init
 } {
 exported_radio_prop
@@ -203,7 +203,7 @@ compatible_property_only(`
 domain
 -coredomain
 -appdomain
- -rild
+ -hal_telephony_server
 -vendor_init
 } {
 radio_prop
diff --git a/public/radio.te b/public/radio.te
index b66514c83..4998a61cd 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,8 +5,8 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
-# Talks to rild via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, rild)')
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;
diff --git a/public/rild.te b/public/rild.te
deleted file mode 100644
index 8cafd23e4..000000000
--- a/public/rild.te
+++ /dev/null
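Review bot: Every rule added to public/hal_telephony.te is attached to the attribute `hal_telephony_server`, so `setpcap setgid setuid net_admin net_raw`, `kernel:system module_request`, `vendor_shell_exec:file rx_file_perms` and `r_dir_file(hal_telephony_server, sysfs_type)` become the baseline for any telephony HAL server domain rather than for rild alone. The last added comment already says the socket ioctl grant should be device specific, and the same reasoning seems to apply to the capability and shell-execution rules. Those could stay with the type in vendor/rild.te as `allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };` and `allow rild vendor_shell_exec:file rx_file_perms;`. If they have to live in public policy, a header comment such as `# Rules below were rild's; every domain carrying hal_telephony_server inherits them` would make the scope explicit to whoever audits a vendor implementation.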
@@ -1,45 +0,0 @@
-# rild - radio interface layer daemon
-type rild, domain;
-hal_server_domain(rild, hal_telephony)
-
-net_domain(rild)
-allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
-
-allow rild self:netlink_route_socket nlmsg_write;
-allow rild kernel:system module_request;
-allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild cgroup:{ file lnk_file } r_file_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild sdcard_type:dir r_dir_perms;
-
-# property service
-set_prop(rild, radio_prop)
-set_prop(rild, exported_radio_prop)
-set_prop(rild, exported2_radio_prop)
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(rild)
-
-r_dir_file(rild, proc_net)
-r_dir_file(rild, sysfs_type)
-r_dir_file(rild, system_file)
-
-# granting the ioctl permission for rild should be device specific
-allow rild self:socket create_socket_perms_no_ioctl;
-
diff --git a/vendor/rild.te b/vendor/rild.te
index 510a776c4..fc84ef706 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -1,3 +1,8 @@
+# rild - radio interface layer daemon
+type rild, domain;
+hal_server_domain(rild, hal_telephony)
+net_domain(rild)
+
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
 type rild_exec, exec_type, vendor_file_type, file_type;
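Review bot: `net_domain(rild)` stays with the type in vendor/rild.te while the matching `allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;` moved to the attribute in public/hal_telephony.te, and neither file says the two belong together. An allowxperm rule only narrows an ioctl permission that some allow rule already grants, so rild's privileged socket ioctls depend on this line; presumably net_domain supplies that allow, which should be confirmed against the macro. I would add `# net_domain provides the socket allow rules that the priv_sock_ioctls allowxperm in public/hal_telephony.te relies on` above it, so that nobody drops or relocates one half without the other. The rest of the file lies outside the hunk.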