Merge "Move isolated_compute_app to be public" am: 290d1876ff
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2544610 Change-Id: I9093ea1878a6dbb6af85fb69a3547303dfd08784 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
48a0bcd865
6 changed files with 34 additions and 31 deletions
|
@ -8,19 +8,14 @@
|
|||
###
|
||||
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
|
||||
###
|
||||
type isolated_compute_app, domain;
|
||||
|
||||
typeattribute isolated_compute_app coredomain;
|
||||
|
||||
app_domain(isolated_compute_app)
|
||||
isolated_app_domain(isolated_compute_app)
|
||||
|
||||
allow isolated_compute_app audioserver_service:service_manager find;
|
||||
allow isolated_compute_app cameraserver_service:service_manager find;
|
||||
allow isolated_compute_app content_capture_service:service_manager find;
|
||||
allow isolated_compute_app device_state_service:service_manager find;
|
||||
allow isolated_compute_app speech_recognition_service:service_manager find;
|
||||
allow isolated_compute_app mediaserver_service:service_manager find;
|
||||
allow isolated_compute_app isolated_compute_allowed_services:service_manager find;
|
||||
allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };
|
||||
|
||||
# Enable access to hardware services for camera functionalilites
|
||||
hal_client_domain(isolated_compute_app, hal_allocator)
|
||||
|
|
|
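Review bot: The new rule `allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };` grants `write` to every type carrying the attribute, and the device.te hunks below attach it to ion_device and dmabuf_system_heap_device as well as hwbinder_device, whereas the test condition this commit replaces tolerated `write` only on `hwbinder_device:chr_file`. If only hwbinder needs write, split the grant into `allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read ioctl map };` and `allow isolated_compute_app hwbinder_device:chr_file write;`; if the other devices genuinely need it, a comment above the rule saying so keeps the widening deliberate. Because the attribute is the grant, any future `type ..., isolated_compute_allowed_devices;` line in device.te silently extends this isolated domain's access, which is worth stating in the TODO comment at the top of the hunk.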
@ -209,6 +209,12 @@ attribute untrusted_app_all;
|
|||
# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
|
||||
attribute isolated_app_all;
|
||||
|
||||
# All service types that would be allowed for isolated_compute_app.
|
||||
attribute isolated_compute_allowed_services;
|
||||
|
||||
# All device types that would be allowed for isolated_compute_app.
|
||||
attribute isolated_compute_allowed_devices;
|
||||
|
||||
# All domains used for apps with network access.
|
||||
attribute netdomain;
|
||||
|
||||
|
|
|
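Review bot: The comments on the two new attributes say membership "would be allowed" without stating what a member is granted, and since tagging a type with either attribute is itself a grant to an isolated domain, the comment should spell out the effect so a later `type foo, ..., isolated_compute_allowed_devices;` edit is recognised as a policy widening. Suggest `# Services that isolated_compute_app may find via service_manager; adding a type here grants that access.` and `# Device nodes isolated_compute_app may open (see the allow rules on isolated_compute_app for the exact chr_file permissions); adding a type here grants that access.`.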
@ -4,7 +4,7 @@ type ashmem_device, dev_type, mlstrustedobject;
|
|||
type ashmem_libcutils_device, dev_type, mlstrustedobject;
|
||||
type audio_device, dev_type;
|
||||
type binder_device, dev_type, mlstrustedobject;
|
||||
type hwbinder_device, dev_type, mlstrustedobject;
|
||||
type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
|
||||
type vndbinder_device, dev_type;
|
||||
type block_device, dev_type;
|
||||
type bt_device, dev_type;
|
||||
|
@ -48,9 +48,9 @@ type video_device, dev_type;
|
|||
type zero_device, dev_type, mlstrustedobject;
|
||||
type fuse_device, dev_type, mlstrustedobject;
|
||||
type iio_device, dev_type;
|
||||
type ion_device, dev_type, mlstrustedobject;
|
||||
type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
|
||||
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
|
||||
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
|
||||
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
|
||||
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
|
||||
type qtaguid_device, dev_type;
|
||||
type watchdog_device, dev_type;
|
||||
|
|
1
public/isolated_compute_app.te
Normal file
|
@ -0,0 +1 @@
|
|||
type isolated_compute_app, domain;
|
|
@ -2,11 +2,11 @@ type aidl_lazy_test_service, service_manager_type;
|
|||
type apc_service, service_manager_type;
|
||||
type apex_service, service_manager_type;
|
||||
type artd_service, service_manager_type;
|
||||
type audioserver_service, service_manager_type;
|
||||
type audioserver_service, service_manager_type, isolated_compute_allowed_services;
|
||||
type authorization_service, service_manager_type;
|
||||
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
|
||||
type bluetooth_service, service_manager_type;
|
||||
type cameraserver_service, service_manager_type;
|
||||
type cameraserver_service, service_manager_type, isolated_compute_allowed_services;
|
||||
type fwk_camera_service, service_manager_type;
|
||||
type default_android_service, service_manager_type;
|
||||
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
|
||||
|
@ -29,7 +29,7 @@ type keystore_service, service_manager_type;
|
|||
type legacykeystore_service, service_manager_type;
|
||||
type lpdump_service, service_manager_type;
|
||||
type mdns_service, service_manager_type;
|
||||
type mediaserver_service, service_manager_type;
|
||||
type mediaserver_service, service_manager_type, isolated_compute_allowed_services;
|
||||
type mediametrics_service, service_manager_type;
|
||||
type mediaextractor_service, service_manager_type;
|
||||
type mediadrmserver_service, service_manager_type;
|
||||
|
@ -93,7 +93,7 @@ type connectivity_native_service, app_api_service, ephemeral_app_api_service, sy
|
|||
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
|
||||
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
|
@ -107,7 +107,7 @@ type dataloader_manager_service, system_server_service, service_manager_type;
|
|||
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
|
||||
type device_config_service, system_server_service, service_manager_type;
|
||||
type device_policy_service, app_api_service, system_server_service, service_manager_type;
|
||||
type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
|
||||
type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
|
||||
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type devicestoragemonitor_service, system_server_service, service_manager_type;
|
||||
|
@ -224,7 +224,7 @@ type system_config_service, system_api_service, system_server_service, service_m
|
|||
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
|
||||
type system_update_service, system_server_service, service_manager_type;
|
||||
type soundtrigger_middleware_service, system_server_service, service_manager_type;
|
||||
type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
|
||||
type tare_service, app_api_service, system_server_service, service_manager_type;
|
||||
type task_service, system_server_service, service_manager_type;
|
||||
type testharness_service, system_server_service, service_manager_type;
|
||||
|
|
|
@ -312,10 +312,9 @@ def TestCoreDataTypeViolations(test_policy):
|
|||
# TODO move this to sepolicy_tests
|
||||
def TestIsolatedAttributeConsistency(test_policy):
|
||||
permissionAllowList = {
|
||||
# hardware related
|
||||
# access given from technical_debt.cil
|
||||
"codec2_config_prop" : ["file"],
|
||||
"device_config_nnapi_native_prop":["file"],
|
||||
"dmabuf_system_heap_device":["chr_file"],
|
||||
"hal_allocator_default":["binder", "fd"],
|
||||
"hal_codec2": ["binder", "fd"],
|
||||
"hal_codec2_hwservice":["hwservice_manager"],
|
||||
|
@ -325,6 +324,7 @@ def TestIsolatedAttributeConsistency(test_policy):
|
|||
"hal_graphics_allocator_server":["binder", "service_manager"],
|
||||
"hal_graphics_mapper_hwservice":["hwservice_manager"],
|
||||
"hal_neuralnetworks": ["binder", "fd"],
|
||||
"hal_neuralnetworks_service": ["service_manager"],
|
||||
"hal_neuralnetworks_hwservice":["hwservice_manager"],
|
||||
"hal_omx_hwservice":["hwservice_manager"],
|
||||
"hidl_allocator_hwservice":["hwservice_manager"],
|
||||
|
@ -333,22 +333,14 @@ def TestIsolatedAttributeConsistency(test_policy):
|
|||
"hidl_token_hwservice":["hwservice_manager"],
|
||||
"hwservicemanager":["binder"],
|
||||
"hwservicemanager_prop":["file"],
|
||||
"hwbinder_device":["chr_file"],
|
||||
"mediacodec":["binder", "fd"],
|
||||
"mediaswcodec":["binder", "fd"],
|
||||
"media_variant_prop":["file"],
|
||||
"nnapi_ext_deny_product_prop":["file"],
|
||||
"ion_device" : ["chr_file"],
|
||||
# system services
|
||||
"audioserver_service":["service_manager"],
|
||||
"cameraserver_service":["service_manager"],
|
||||
"content_capture_service":["service_manager"],
|
||||
"device_state_service":["service_manager"],
|
||||
"hal_neuralnetworks_service":["service_manager"],
|
||||
"servicemanager":["fd"],
|
||||
"speech_recognition_service":["service_manager"],
|
||||
"mediaserver_service" :["service_manager"],
|
||||
"toolbox_exec": ["file"],
|
||||
# extra types being granted to isolated_compute_app
|
||||
"isolated_compute_allowed":["service_manager", "chr_file"],
|
||||
}
|
||||
|
||||
def resolveHalServerSubtype(target):
|
||||
|
@ -363,15 +355,24 @@ def TestIsolatedAttributeConsistency(test_policy):
|
|||
return attr.rsplit("_", 1)[0]
|
||||
return target
|
||||
|
||||
def checkIsolatedComputeAllowed(tctx, tclass):
|
||||
# check if the permission is in isolated_compute_allowed
|
||||
allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True) \
|
||||
.union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True))
|
||||
return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
|
||||
|
||||
|
||||
def checkPermissions(permissions):
|
||||
violated_permissions = []
|
||||
for perm in permissions:
|
||||
tctx, tclass, p = perm.split(":")
|
||||
tctx = resolveHalServerSubtype(tctx)
|
||||
if tctx not in permissionAllowList \
|
||||
# check unwanted permissions
|
||||
if not checkIsolatedComputeAllowed(tctx, tclass) and \
|
||||
( tctx not in permissionAllowList \
|
||||
or tclass not in permissionAllowList[tctx] \
|
||||
or ( p == "write" and not perm.startswith("hwbinder_device:chr_file") ) \
|
||||
or ( p == "rw_file_perms"):
|
||||
or ( p == "write") \
|
||||
or ( p == "rw_file_perms") ):
|
||||
violated_permissions += [perm]
|
||||
return violated_permissions
|
||||
|
||||
|
|
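Review bot: `checkIsolatedComputeAllowed(tctx, tclass)` never looks at the permission `p`, so for any type in the two attributes the `write` and `rw_file_perms` clauses on the following lines are skipped entirely; the hwbinder-only exemption the old condition carried (`not perm.startswith("hwbinder_device:chr_file")`) is gone, and a write grant on ion_device or dmabuf_system_heap_device now passes the test silently. The helper also rebuilds `allowedMemberTypes` with two QueryTypeAttribute calls for every permission in the loop; resolving the set once before `checkPermissions` and passing `p` through, as sketched below, fixes both — if write on the other devices is intended, drop the final clause and say so in a comment. With the attribute check in place the individually listed `# system services` service_manager entries in permissionAllowList are now redundant, which is harmless but worth a comment. TestIsolatedAttributeConsistency itself starts outside this hunk.
```python
    # Membership in either attribute is what the policy grants on; resolve it once
    # instead of issuing two QueryTypeAttribute calls per permission.
    allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True) \
        .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True))

    def checkIsolatedComputeAllowed(tctx, tclass, p):
        # Attribute members are expected to be read-only apart from hwbinder_device,
        # matching the exemption the previous condition carried.
        if tctx not in allowedMemberTypes or tclass not in permissionAllowList["isolated_compute_allowed"]:
            return False
        return p not in ("write", "rw_file_perms") or tctx == "hwbinder_device"

    def checkPermissions(permissions):
        # … unchanged: violated_permissions, perm.split, resolveHalServerSubtype …
            if not checkIsolatedComputeAllowed(tctx, tclass, p) and \
            # … unchanged: permissionAllowList / write / rw_file_perms clauses …
```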