Associate hal_service_type with all HAL services
By default, HAL's services are not accessible by dumpstate. HIDL implementations were silenced via a dontaudit on hwservice_manager. But AIDL implementations will trigger a denial, unless authorized via `dump_hal`. Mark all HAL services with a new attribute `hal_service_type` so they can be ignored by dumpstate. Test: m selinux_policy Bug: 219172252 Change-Id: Ib484368fdeff814d4799792d57a238d6d6e965fd
parent
ba8615a186
commit
373cf3ba8e
3 changed files with 48 additions and 45 deletions
|
@ -198,6 +198,8 @@ attribute protected_hwservice;
|
|||
# All types used for services managed by vndservicemanager
|
||||
attribute vndservice_manager_type;
|
||||
|
||||
# All services declared as part of an HAL
|
||||
attribute hal_service_type;
|
||||
|
||||
# All domains that can override MLS restrictions.
|
||||
# i.e. processes that can read up and write down.
|
||||
|
|
|
@ -142,6 +142,7 @@ r_dir_file(dumpstate, cgroup_v2)
|
|||
binder_call(dumpstate, binderservicedomain)
|
||||
binder_call(dumpstate, { appdomain netd wificond })
|
||||
|
||||
# Allow dumpstate to call dump() on specific hals.
|
||||
dump_hal(hal_dumpstate)
|
||||
dump_hal(hal_wifi)
|
||||
dump_hal(hal_graphics_allocator)
|
||||
|
@ -254,7 +255,7 @@ allow dumpstate {
|
|||
-apex_service
|
||||
-dumpstate_service
|
||||
-gatekeeper_service
|
||||
-hal_wifi_supplicant_service
|
||||
-hal_service_type
|
||||
-virtual_touchpad_service
|
||||
-vold_service
|
||||
-default_android_service
|
||||
|
@ -264,7 +265,7 @@ dontaudit dumpstate {
|
|||
apex_service
|
||||
dumpstate_service
|
||||
gatekeeper_service
|
||||
hal_wifi_supplicant_service
|
||||
hal_service_type
|
||||
virtual_touchpad_service
|
||||
vold_service
|
||||
}:service_manager find;
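Review bot: The `dontaudit dumpstate { ... }:service_manager find;` list now names `hal_service_type` instead of the single `hal_wifi_supplicant_service`, so a find denial on any HAL service is suppressed. A HAL that should appear in bug reports but has no `dump_hal()` line will therefore be skipped with nothing in the audit log to explain it. I would document that next to the `dump_hal()` list, for example `# HAL services are excluded from dumpstate through hal_service_type; add dump_hal(hal_foo) here to include a HAL in bug reports.` Both the `allow` and the `dontaudit` blocks start outside their hunks, and how `dump_hal` grants the lookup is not visible on this page, so that part is inferred from the commit message.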
|
||||
|
|
|
@ -259,54 +259,54 @@ type inputflinger_service, system_api_service, system_server_service, service_ma
|
|||
type wpantund_service, system_api_service, service_manager_type;
|
||||
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type emergency_affordance_service, system_server_service, service_manager_type;
|
||||
type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_wifi_supplicant_service, vendor_service, protected_service, service_manager_type;
|
||||
|
||||
###
|
||||
### HAL Services
|
||||
###
|
||||
|
||||
type hal_audio_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_audiocontrol_service, vendor_service, service_manager_type;
|
||||
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_camera_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_dice_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_drm_service, vendor_service, service_manager_type;
|
||||
type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_evs_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_face_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_graphics_allocator_service, vendor_service, service_manager_type;
|
||||
type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_health_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_identity_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_input_processor_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_ir_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_light_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_neuralnetworks_service, vendor_service, service_manager_type;
|
||||
type hal_nfc_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_power_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_radio_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_sensors_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_system_suspend_service, protected_service, service_manager_type;
|
||||
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_usb_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_vehicle_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
|
||||
type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_drm_service, vendor_service, hal_service_type, service_manager_type;
|
||||
type hal_dumpstate_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_evs_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_face_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_fingerprint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_gnss_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_graphics_allocator_service, vendor_service, hal_service_type, service_manager_type;
|
||||
type hal_graphics_composer_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_health_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_health_storage_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_identity_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_input_processor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_ir_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_keymint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_light_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_memtrack_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_neuralnetworks_service, vendor_service, hal_service_type, service_manager_type;
|
||||
type hal_nfc_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_oemlock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_power_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_power_stats_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_radio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_rebootescrow_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_sensors_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_secureclock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_sharedsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_tv_tuner_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_usb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_uwb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_vehicle_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_vibrator_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_weaver_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_nlinterceptor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_wifi_hostapd_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_wifi_supplicant_service, vendor_service, protected_service, hal_service_type, service_manager_type;
|
||||
|
||||
###
|
||||
### Neverallow rules
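Review bot: Nothing in the `### HAL Services` section makes `hal_service_type` mandatory, so a HAL service type added later without it drops back into the `service_manager_type` set that dumpstate is allowed to find. The banner is the natural place to state the rule, for example `# Every type declared in this section must carry hal_service_type; dumpstate's find rules exclude HAL services by this attribute.` A build-time check or neverallow that enforces the attribute would be stronger than a comment; whether one exists elsewhere in the tree is not visible here. HAL service types declared outside this file would need the same attribute to get the same treatment.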
|
||||
|
|