Merge "Create a separate SELinux domain for gmscore"
This commit is contained in:
commit
8f079fb0e2
6 changed files with 122 additions and 1 deletions
|
@ -16,6 +16,7 @@
|
|||
ctl_apexd_prop
|
||||
device_config_storage_native_boot_prop
|
||||
device_config_sys_traced_prop
|
||||
gmscore_app
|
||||
hal_can_bus_hwservice
|
||||
hal_can_controller_hwservice
|
||||
hal_tv_tuner_hwservice
|
||||
|
|
|
@ -107,7 +107,7 @@ neverallow {
|
|||
} self:global_capability_class_set sys_ptrace;
|
||||
|
||||
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
||||
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
||||
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
|
|
111
private/gmscore_app.te
Normal file
111
private/gmscore_app.te
Normal file
|
@ -0,0 +1,111 @@
|
|||
###
|
||||
### A domain for further sandboxing the PrebuiltGMSCore app.
|
||||
###
|
||||
typeattribute gmscore_app coredomain;
|
||||
|
||||
# Allow everything.
|
||||
# TODO(b/142672293): remove when no selinux denials are triggered for this
|
||||
# domain
|
||||
# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
|
||||
# `gmscore_app` and remove this line once we are confident about this having
|
||||
# the right set of permissions.
|
||||
userdebug_or_eng(`permissive gmscore_app;')
|
||||
|
||||
app_domain(gmscore_app)
|
||||
|
||||
allow gmscore_app sysfs_type:dir search;
|
||||
# Read access to /sys/class/net/wlan*/address
|
||||
r_dir_file(gmscore_app, sysfs_net)
|
||||
# Read access to /sys/block/zram*/mm_stat
|
||||
r_dir_file(gmscore_app, sysfs_zram)
|
||||
|
||||
r_dir_file(gmscore_app, rootfs)
|
||||
|
||||
# Allow GMS core to open kernel config for OTA matching through libvintf
|
||||
allow gmscore_app config_gz:file { open read getattr };
|
||||
|
||||
# Allow GMS core to communicate with update_engine for A/B update.
|
||||
binder_call(gmscore_app, update_engine)
|
||||
allow gmscore_app update_engine_service:service_manager find;
|
||||
|
||||
# Allow GMS core to communicate with dumpsys storaged.
|
||||
binder_call(gmscore_app, storaged)
|
||||
allow gmscore_app storaged_service:service_manager find;
|
||||
|
||||
# Allow GMS core to access system_update_service (e.g. to publish pending
|
||||
# system update info).
|
||||
allow gmscore_app system_update_service:service_manager find;
|
||||
|
||||
# Allow GMS core to communicate with statsd.
|
||||
binder_call(gmscore_app, statsd)
|
||||
|
||||
# Allow GMS core to generate unique hardware IDs
|
||||
allow gmscore_app keystore:keystore_key gen_unique_id;
|
||||
|
||||
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
|
||||
allow gmscore_app selinuxfs:file r_file_perms;
|
||||
|
||||
# suppress denials for non-API accesses.
|
||||
dontaudit gmscore_app exec_type:file r_file_perms;
|
||||
dontaudit gmscore_app device:dir r_dir_perms;
|
||||
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
|
||||
dontaudit gmscore_app net_dns_prop:file r_file_perms;
|
||||
dontaudit gmscore_app proc:file r_file_perms;
|
||||
dontaudit gmscore_app proc_interrupts:file r_file_perms;
|
||||
dontaudit gmscore_app proc_modules:file r_file_perms;
|
||||
dontaudit gmscore_app proc_net:file r_file_perms;
|
||||
dontaudit gmscore_app proc_stat:file r_file_perms;
|
||||
dontaudit gmscore_app proc_version:file r_file_perms;
|
||||
dontaudit gmscore_app sysfs:dir r_dir_perms;
|
||||
dontaudit gmscore_app sysfs:file r_file_perms;
|
||||
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
|
||||
dontaudit gmscore_app sysfs_dm:file r_file_perms;
|
||||
dontaudit gmscore_app sysfs_loop:file r_file_perms;
|
||||
dontaudit gmscore_app wifi_prop:file r_file_perms;
|
||||
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
|
||||
|
||||
# Access the network
|
||||
net_domain(gmscore_app)
|
||||
|
||||
# Allow loading executable code from writable priv-app home
|
||||
# directories. This is a W^X violation, however, it needs
|
||||
# to be supported for now for the following reasons.
|
||||
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
|
||||
# 1) com.android.opengl.shaders_cache
|
||||
# 2) com.android.skia.shaders_cache
|
||||
# 3) com.android.renderscript.cache
|
||||
# * /data/user_de/0/com.google.android.gms/app_chimera
|
||||
# TODO: Tighten (b/112357170)
|
||||
allow gmscore_app privapp_data_file:file execute;
|
||||
|
||||
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
|
||||
|
||||
# /proc access
|
||||
allow gmscore_app proc_vmstat:file r_file_perms;
|
||||
|
||||
# Allow interaction with gpuservice
|
||||
binder_call(gmscore_app, gpuservice)
|
||||
allow gmscore_app gpu_service:service_manager find;
|
||||
|
||||
# find services that expose both @SystemAPI and normal APIs.
|
||||
allow gmscore_app app_api_service:service_manager find;
|
||||
allow gmscore_app system_api_service:service_manager find;
|
||||
allow gmscore_app audioserver_service:service_manager find;
|
||||
allow gmscore_app cameraserver_service:service_manager find;
|
||||
allow gmscore_app drmserver_service:service_manager find;
|
||||
allow gmscore_app mediadrmserver_service:service_manager find;
|
||||
allow gmscore_app mediaextractor_service:service_manager find;
|
||||
allow gmscore_app mediametrics_service:service_manager find;
|
||||
allow gmscore_app mediaserver_service:service_manager find;
|
||||
allow gmscore_app network_watchlist_service:service_manager find;
|
||||
allow gmscore_app nfc_service:service_manager find;
|
||||
allow gmscore_app oem_lock_service:service_manager find;
|
||||
allow gmscore_app persistent_data_block_service:service_manager find;
|
||||
allow gmscore_app radio_service:service_manager find;
|
||||
allow gmscore_app recovery_service:service_manager find;
|
||||
allow gmscore_app stats_service:service_manager find;
|
||||
|
||||
# Used by Finsky / Android "Verify Apps" functionality when
|
||||
# running "adb install foo.apk".
|
||||
allow gmscore_app shell_data_file:file r_file_perms;
|
||||
allow gmscore_app shell_data_file:dir r_dir_perms;
|
|
@ -160,6 +160,9 @@ user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
|
|||
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
||||
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
||||
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
|
||||
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
|
||||
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
|
||||
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
|
||||
user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
|
||||
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
|
||||
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
|
||||
|
|
|
@ -40,6 +40,7 @@ binder_call(statsd, stats)
|
|||
neverallow {
|
||||
domain
|
||||
-dumpstate
|
||||
-gmscore_app
|
||||
-incidentd
|
||||
-platform_app
|
||||
-priv_app
|
||||
|
|
5
public/gmscore_app.te
Normal file
5
public/gmscore_app.te
Normal file
|
@ -0,0 +1,5 @@
|
|||
###
|
||||
### A domain for further sandboxing the PrebuiltGMSCore app.
|
||||
###
|
||||
|
||||
type gmscore_app, domain;
|
Loading…
Reference in a new issue