Merge "iorapd: Add new binder service iorapd."

am: 77e40fbd06

Change-Id: Ibf6517366094b6d47cc0e1551b2ed709c3b10937
This commit is contained in:
Igor Murashkin 2018-10-09 16:29:10 -07:00 committed by android-build-merger
commit 9a88ef46a9
16 changed files with 113 additions and 0 deletions

View file

@ -33,6 +33,7 @@ allow atrace {
service_manager_type
-apex_service
-incident_service
-iorapd_service
-netd_service
-stats_service
-dumpstate_service

View file

@ -89,6 +89,11 @@
hal_wifi_offload_hwservice
incident_helper
incident_helper_exec
iorapd
iorapd_data_file
iorapd_exec
iorapd_service
iorapd_tmpfs
kmsg_debug_device
last_boot_reason_prop
llkd

View file

@ -80,6 +80,11 @@
hal_wifi_hostapd_hwservice
incident_helper
incident_helper_exec
iorapd
iorapd_data_file
iorapd_exec
iorapd_service
iorapd_tmpfs
last_boot_reason_prop
llkd
llkd_exec

View file

@ -31,6 +31,11 @@
llkd_prop
llkd_tmpfs
looper_stats_service
iorapd
iorapd_exec
iorapd_data_file
iorapd_service
iorapd_tmpfs
mnt_product_file
overlayfs_file
recovery_socket

View file

@ -273,6 +273,7 @@
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@ -451,6 +452,7 @@
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
@ -516,6 +518,9 @@
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
# iorapd per-user data
/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
#############################
# efs files
#

3
private/iorapd.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute iorapd coredomain;
init_daemon_domain(iorapd)

View file

@ -70,6 +70,7 @@ inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
installd u:object_r:installd_service:s0
iorapd u:object_r:iorapd_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0

View file

@ -73,6 +73,7 @@ allow system_app {
-apex_service
-dumpstate_service
-installd_service
-iorapd_service
-netd_service
-virtual_touchpad_service
-vold_service
@ -82,6 +83,7 @@ allow system_app {
dontaudit system_app {
dumpstate_service
installd_service
iorapd_service
netd_service
virtual_touchpad_service
vold_service

View file

@ -209,6 +209,7 @@ allow dumpstate {
-dumpstate_service
-gatekeeper_service
-incident_service
-iorapd_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
@ -218,6 +219,7 @@ dontaudit dumpstate {
dumpstate_service
gatekeeper_service
incident_service
iorapd_service
virtual_touchpad_service
vold_service
vr_hwc_service

View file

@ -296,6 +296,7 @@ type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type iorapd_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;

View file

@ -158,6 +158,7 @@ allow init {
file_type
-app_data_file
-exec_type
-iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@ -173,6 +174,7 @@ allow init {
file_type
-app_data_file
-exec_type
-iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@ -189,6 +191,7 @@ allow init {
file_type
-app_data_file
-exec_type
-iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@ -204,6 +207,7 @@ allow init {
file_type
-app_data_file
-exec_type
-iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file

75
public/iorapd.te Normal file
View file

@ -0,0 +1,75 @@
# volume manager
type iorapd, domain;
type iorapd_exec, exec_type, file_type, system_file_type;
r_dir_file(iorapd, rootfs)
# Allow read/write /proc/sys/vm/drop/caches
allow iorapd proc_drop_caches:file rw_file_perms;
# Give iorapd a place where only iorapd can store files; everyone else is off limits
allow iorapd iorapd_data_file:dir create_dir_perms;
allow iorapd iorapd_data_file:file create_file_perms;
# Allow iorapd to publish a binder service and make binder calls.
binder_use(iorapd)
add_service(iorapd, iorapd_service)
# Allow iorapd to call into the system server so it can check permissions.
binder_call(iorapd, system_server)
allow iorapd permission_service:service_manager find;
# IUserManager
allow iorapd user_service:service_manager find;
# IPackageManagerNative
allow iorapd package_native_service:service_manager find;
# talk to batteryservice
binder_call(iorapd, healthd)
# TODO: does each of the service_manager allow finds above need the binder_call?
# iorapd temporarily changes its priority when running benchmarks
allow iorapd self:global_capability_class_set sys_nice;
###
### neverallow rules
###
neverallow {
domain
-iorapd
} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow {
domain
-init
-iorapd
} iorapd_data_file:dir *;
neverallow {
domain
-kernel
-iorapd
} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow {
domain
-init
-kernel
-vendor_init
-iorapd
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server can interact with iorapd over binder
neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
neverallow iorapd {
domain
-healthd
-servicemanager
-system_server
userdebug_or_eng(`-su')
}:binder call;
neverallow { domain -init } iorapd:process { transition dyntransition };
neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;

View file

@ -10,6 +10,7 @@ type fingerprintd_service, service_manager_type;
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
type iorapd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;

View file

@ -108,6 +108,7 @@ allow shell {
-gatekeeper_service
-incident_service
-installd_service
-iorapd_service
-netd_service
-virtual_touchpad_service
-vold_service

View file

@ -11,6 +11,7 @@ allow traceur_app {
-gatekeeper_service
-incident_service
-installd_service
-iorapd_service
-netd_service
-virtual_touchpad_service
-vold_service

View file

@ -272,6 +272,7 @@ neverallow vold {
-hal_bootctl
-healthd
-hwservicemanager
-iorapd_service
-servicemanager
-system_server
userdebug_or_eng(`-su')