diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index cdddd38b0..d5e8a7409 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -14,8 +14,8 @@ typeattribute isolated_compute_app coredomain;
 app_domain(isolated_compute_app)
 isolated_app_domain(isolated_compute_app)
-allow isolated_compute_app isolated_compute_allowed_services:service_manager find;
-allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };
+allow isolated_compute_app isolated_compute_allowed_service:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map };
 # Enable access to hardware services for camera functionalilites
 hal_client_domain(isolated_compute_app, hal_allocator)
diff --git a/public/attributes b/public/attributes
index 499ae7cd9..16a8e66af 100644
--- a/public/attributes
+++ b/public/attributes
@@ -210,10 +210,10 @@ attribute untrusted_app_all;
 attribute isolated_app_all;
 # All service types that would be allowed for isolated_compute_app.
-attribute isolated_compute_allowed_services;
+attribute isolated_compute_allowed_service;
 # All device types that would be allowed for isolated_compute_app.
-attribute isolated_compute_allowed_devices;
+attribute isolated_compute_allowed_device;
 # All domains used for apps with network access.
 attribute netdomain;
diff --git a/public/device.te b/public/device.te
index e0872b767..fa292565e 100644
--- a/public/device.te
+++ b/public/device.te
@@ -4,7 +4,7 @@ type ashmem_device, dev_type, mlstrustedobject;
 type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
+type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
 type vndbinder_device, dev_type;
 type block_device, dev_type;
 type bt_device, dev_type;
@@ -48,9 +48,9 @@ type video_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
+type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
 type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_device;
 type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
 type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
diff --git a/public/service.te b/public/service.te
index e720c21e9..27403ca2c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,11 +2,11 @@ type aidl_lazy_test_service, service_manager_type;
 type apc_service, service_manager_type;
 type apex_service, service_manager_type;
 type artd_service, service_manager_type;
-type audioserver_service, service_manager_type, isolated_compute_allowed_services;
+type audioserver_service, service_manager_type, isolated_compute_allowed_service;
 type authorization_service, service_manager_type;
 type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type, isolated_compute_allowed_services;
+type cameraserver_service, service_manager_type, isolated_compute_allowed_service;
 type fwk_camera_service, service_manager_type;
 type default_android_service, service_manager_type;
 type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
@@ -29,7 +29,7 @@ type keystore_service, service_manager_type;
 type legacykeystore_service, service_manager_type;
 type lpdump_service, service_manager_type;
 type mdns_service, service_manager_type;
-type mediaserver_service, service_manager_type, isolated_compute_allowed_services;
+type mediaserver_service, service_manager_type, isolated_compute_allowed_service;
 type mediametrics_service, service_manager_type;
 type mediaextractor_service, service_manager_type;
 type mediadrmserver_service, service_manager_type;
@@ -93,7 +93,7 @@ type connectivity_native_service, app_api_service, ephemeral_app_api_service, sy
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
 type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -107,7 +107,7 @@ type dataloader_manager_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_config_service, system_server_service, service_manager_type;
 type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
 type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -224,7 +224,7 @@ type system_config_service, system_api_service, system_server_service, service_m
 type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
 type system_update_service, system_server_service, service_manager_type;
 type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
 type tare_service, app_api_service, system_server_service, service_manager_type;
 type task_service, system_server_service, service_manager_type;
 type testharness_service, system_server_service, service_manager_type;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 8abad94d3..0628d359c 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -357,8 +357,8 @@ def TestIsolatedAttributeConsistency(test_policy):
 def checkIsolatedComputeAllowed(tctx, tclass):
 # check if the permission is in isolated_compute_allowed
-allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True) \
-.union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True))
+allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
+.union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
 return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]