Create a separate domain for permissioncontroller

This creates an SELinux domain for permissioncontroller and moves it out of the priv_app SELinux domain. Bug: 142672293 Test: Flashed a device with this build and verified com.google.android.permissioncontroller runs in the permissioncontroller_app domain. Change-Id: Ieb2e4cb806d18aaeb2e5c458e138975d1d5b64fe
2019-10-21 15:28:00 -07:00 · 2019-10-21 15:28:00 -07:00 · 9bc81125ef
commit 9bc81125ef
parent 94b0e84094
4 changed files with 37 additions and 0 deletions
--- a/private/keys.conf
+++ b/private/keys.conf
@ -17,6 +17,9 @@ ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
 [@NETWORK_STACK]
 ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem

+[@PERMISSION_CONTROLLER]
+ALL: $DEFAULT_SYSTEM_DEV_CERTIFICATE/com_google_android_permissioncontroller-container.x509.pem
+
 [@SHARED]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem

--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@ -59,4 +59,10 @@
    <signer signature="@NETWORK_STACK" >
      <seinfo value="network_stack" />
    </signer>
+
+    <signer signature="@PERMISSION_CONTROLLER" >
+        <package name="com.google.android.permissioncontroller">
+            <seinfo value="permission_controller" />
+        </package>
+    </signer>
 </policy>
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@ -0,0 +1,27 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `permissioncontroller_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive permissioncontroller_app;')
+
+app_domain(permissioncontroller_app)
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+allow permissioncontroller_app gpu_service:service_manager find;
+
+# Allow interaction with role_service
+allow permissioncontroller_app role_service:service_manager find;
+
+# Allow interaction with usagestats_service
+allow permissioncontroller_app usagestats_service:service_manager find;
+
+# Allow interaction with activity_service
+allow permissioncontroller_app activity_service:service_manager find;
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@ -156,6 +156,7 @@ user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app seinfo=permission_controller isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user