Merge "Move isolated_compute_app to be public" am: 290d1876ff

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2544610

Change-Id: I9093ea1878a6dbb6af85fb69a3547303dfd08784
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Charles Chen 2023-04-20 17:25:33 +00:00 committed by Automerger Merge Worker
commit 48a0bcd865
6 changed files with 34 additions and 31 deletions

View file

@ -8,19 +8,14 @@
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###
type isolated_compute_app, domain;
typeattribute isolated_compute_app coredomain;
app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)
allow isolated_compute_app audioserver_service:service_manager find;
allow isolated_compute_app cameraserver_service:service_manager find;
allow isolated_compute_app content_capture_service:service_manager find;
allow isolated_compute_app device_state_service:service_manager find;
allow isolated_compute_app speech_recognition_service:service_manager find;
allow isolated_compute_app mediaserver_service:service_manager find;
allow isolated_compute_app isolated_compute_allowed_services:service_manager find;
allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };
# Enable access to hardware services for camera functionalilites
hal_client_domain(isolated_compute_app, hal_allocator)

View file

@ -209,6 +209,12 @@ attribute untrusted_app_all;
# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
attribute isolated_app_all;
# All service types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_services;
# All device types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_devices;
# All domains used for apps with network access.
attribute netdomain;

View file

@ -4,7 +4,7 @@ type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
type vndbinder_device, dev_type;
type block_device, dev_type;
type bt_device, dev_type;
@ -48,9 +48,9 @@ type video_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;

View file

@ -0,0 +1 @@
type isolated_compute_app, domain;

View file

@ -2,11 +2,11 @@ type aidl_lazy_test_service, service_manager_type;
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type artd_service, service_manager_type;
type audioserver_service, service_manager_type;
type audioserver_service, service_manager_type, isolated_compute_allowed_services;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
type cameraserver_service, service_manager_type, isolated_compute_allowed_services;
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
@ -29,7 +29,7 @@ type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mdns_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediaserver_service, service_manager_type, isolated_compute_allowed_services;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
@ -93,7 +93,7 @@ type connectivity_native_service, app_api_service, ephemeral_app_api_service, sy
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@ -107,7 +107,7 @@ type dataloader_manager_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
@ -224,7 +224,7 @@ type system_config_service, system_api_service, system_server_service, service_m
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
type tare_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;

View file

@ -312,10 +312,9 @@ def TestCoreDataTypeViolations(test_policy):
# TODO move this to sepolicy_tests
def TestIsolatedAttributeConsistency(test_policy):
permissionAllowList = {
# hardware related
# access given from technical_debt.cil
"codec2_config_prop" : ["file"],
"device_config_nnapi_native_prop":["file"],
"dmabuf_system_heap_device":["chr_file"],
"hal_allocator_default":["binder", "fd"],
"hal_codec2": ["binder", "fd"],
"hal_codec2_hwservice":["hwservice_manager"],
@ -325,6 +324,7 @@ def TestIsolatedAttributeConsistency(test_policy):
"hal_graphics_allocator_server":["binder", "service_manager"],
"hal_graphics_mapper_hwservice":["hwservice_manager"],
"hal_neuralnetworks": ["binder", "fd"],
"hal_neuralnetworks_service": ["service_manager"],
"hal_neuralnetworks_hwservice":["hwservice_manager"],
"hal_omx_hwservice":["hwservice_manager"],
"hidl_allocator_hwservice":["hwservice_manager"],
@ -333,22 +333,14 @@ def TestIsolatedAttributeConsistency(test_policy):
"hidl_token_hwservice":["hwservice_manager"],
"hwservicemanager":["binder"],
"hwservicemanager_prop":["file"],
"hwbinder_device":["chr_file"],
"mediacodec":["binder", "fd"],
"mediaswcodec":["binder", "fd"],
"media_variant_prop":["file"],
"nnapi_ext_deny_product_prop":["file"],
"ion_device" : ["chr_file"],
# system services
"audioserver_service":["service_manager"],
"cameraserver_service":["service_manager"],
"content_capture_service":["service_manager"],
"device_state_service":["service_manager"],
"hal_neuralnetworks_service":["service_manager"],
"servicemanager":["fd"],
"speech_recognition_service":["service_manager"],
"mediaserver_service" :["service_manager"],
"toolbox_exec": ["file"],
# extra types being granted to isolated_compute_app
"isolated_compute_allowed":["service_manager", "chr_file"],
}
def resolveHalServerSubtype(target):
@ -363,15 +355,24 @@ def TestIsolatedAttributeConsistency(test_policy):
return attr.rsplit("_", 1)[0]
return target
def checkIsolatedComputeAllowed(tctx, tclass):
# check if the permission is in isolated_compute_allowed
allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True) \
.union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True))
return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
def checkPermissions(permissions):
violated_permissions = []
for perm in permissions:
tctx, tclass, p = perm.split(":")
tctx = resolveHalServerSubtype(tctx)
if tctx not in permissionAllowList \
# check unwanted permissions
if not checkIsolatedComputeAllowed(tctx, tclass) and \
( tctx not in permissionAllowList \
or tclass not in permissionAllowList[tctx] \
or ( p == "write" and not perm.startswith("hwbinder_device:chr_file") ) \
or ( p == "rw_file_perms"):
or ( p == "write") \
or ( p == "rw_file_perms") ):
violated_permissions += [perm]
return violated_permissions