From c8ab3593d02f5bd473453b7eb955d7ea6c7229b4 Mon Sep 17 00:00:00 2001
From: Charles Chen
Date: Mon, 17 Apr 2023 22:33:40 +0000
Subject: [PATCH] Move isolated_compute_app to be public

This will allow vendor customization of isolated_compute_app. New permissions added should be associated with isolated_compute_allowed.

Bug: 274535894
Test: m
Change-Id: I4239228b80544e6f5ca1dd68ae1f44c0176d1bce
---
 private/isolated_compute_app.te | 9 ++-------
 public/attributes | 6 ++++++
 public/device.te | 6 +++---
 public/isolated_compute_app.te | 1 +
 public/service.te | 12 ++++++------
 tests/treble_sepolicy_tests.py | 31 ++++++++++++++++---------------
 6 files changed, 34 insertions(+), 31 deletions(-)
 create mode 100644 public/isolated_compute_app.te

diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 4ed4b362b..cdddd38b0 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -8,19 +8,14 @@
 ###
 ### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
 ###
-type isolated_compute_app, domain;
 typeattribute isolated_compute_app coredomain;
 app_domain(isolated_compute_app)
 isolated_app_domain(isolated_compute_app)
-allow isolated_compute_app audioserver_service:service_manager find;
-allow isolated_compute_app cameraserver_service:service_manager find;
-allow isolated_compute_app content_capture_service:service_manager find;
-allow isolated_compute_app device_state_service:service_manager find;
-allow isolated_compute_app speech_recognition_service:service_manager find;
-allow isolated_compute_app mediaserver_service:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_services:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };
 # Enable access to hardware services for camera functionalilites
 hal_client_domain(isolated_compute_app, hal_allocator)
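Review bot: The new `allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };` hands one uniform permission set to every member of the attribute, whereas the test condition this commit removes in tests/treble_sepolicy_tests.py flagged `write` as a violation for every device except hwbinder_device:chr_file; with the device.te hunk tagging ion_device and dmabuf_system_heap_device, those two now get write, ioctl and map as well, and the commit description does not mention that widening. If it is intended, state it in the description; otherwise keep a narrower rule for the non-binder devices rather than folding everything under one attribute. Because both attributes are declared in public/ so vendor policy can extend them, it would also be worth bounding what may carry them, e.g. a `neverallow isolated_compute_app { isolated_compute_allowed_devices -dev_type }:chr_file *;` style rule (and the service_manager_type counterpart) so a mis-tagged type fails at build time instead of silently granting an isolated app access. The surrounding .te file continues outside the hunk.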
diff --git a/public/attributes b/public/attributes
index 09463e3c0..499ae7cd9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,12 @@ attribute untrusted_app_all;
 # All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
 attribute isolated_app_all;
+# All service types that would be allowed for isolated_compute_app.
+attribute isolated_compute_allowed_services;
+
+# All device types that would be allowed for isolated_compute_app.
+attribute isolated_compute_allowed_devices;
+
 # All domains used for apps with network access.
 attribute netdomain;
diff --git a/public/device.te b/public/device.te
index 066600e8e..e0872b767 100644
--- a/public/device.te
+++ b/public/device.te
@@ -4,7 +4,7 @@ type ashmem_device, dev_type, mlstrustedobject;
 type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
 type vndbinder_device, dev_type;
 type block_device, dev_type;
 type bt_device, dev_type;
@@ -48,9 +48,9 @@ type video_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
+type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
 type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
 type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
 type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
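Review bot: The comments on the two new attributes say a type "would be allowed" but not what membership actually grants, and since public/attributes is the file a vendor reads before tagging a type, that consequence belongs here. Suggest `# Service types that isolated_compute_app may find via service_manager.` and `# Character device types that isolated_compute_app may read, write, ioctl and map.`, which mirrors the two allow rules in private/isolated_compute_app.te in this same commit. A one-line pointer to that file would also help a vendor locate the rule when the permission set changes.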
diff --git a/public/isolated_compute_app.te b/public/isolated_compute_app.te
new file mode 100644
index 000000000..f2ae9a1e5
--- /dev/null
+++ b/public/isolated_compute_app.te
@@ -0,0 +1 @@
+type isolated_compute_app, domain;
diff --git a/public/service.te b/public/service.te
index 0936cc4c0..e720c21e9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,11 +2,11 @@ type aidl_lazy_test_service, service_manager_type;
 type apc_service, service_manager_type;
 type apex_service, service_manager_type;
 type artd_service, service_manager_type;
-type audioserver_service, service_manager_type;
+type audioserver_service, service_manager_type, isolated_compute_allowed_services;
 type authorization_service, service_manager_type;
 type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
+type cameraserver_service, service_manager_type, isolated_compute_allowed_services;
 type fwk_camera_service, service_manager_type;
 type default_android_service, service_manager_type;
 type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
@@ -29,7 +29,7 @@ type keystore_service, service_manager_type;
 type legacykeystore_service, service_manager_type;
 type lpdump_service, service_manager_type;
 type mdns_service, service_manager_type;
-type mediaserver_service, service_manager_type;
+type mediaserver_service, service_manager_type, isolated_compute_allowed_services;
 type mediametrics_service, service_manager_type;
 type mediaextractor_service, service_manager_type;
 type mediadrmserver_service, service_manager_type;
@@ -93,7 +93,7 @@ type connectivity_native_service, app_api_service, ephemeral_app_api_service, sy
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
 type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -107,7 +107,7 @@ type dataloader_manager_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_config_service, system_server_service, service_manager_type;
 type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
 type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -224,7 +224,7 @@ type system_config_service, system_api_service, system_server_service, service_m
 type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
 type system_update_service, system_server_service, service_manager_type;
 type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
 type tare_service, app_api_service, system_server_service, service_manager_type;
 type task_service, system_server_service, service_manager_type;
 type testharness_service, system_server_service, service_manager_type;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2c52e2c00..8abad94d3 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -312,10 +312,9 @@ def TestCoreDataTypeViolations(test_policy):
 # TODO move this to sepolicy_tests
 def TestIsolatedAttributeConsistency(test_policy):
     permissionAllowList = {
-        # hardware related
+        # access given from technical_debt.cil
         "codec2_config_prop" : ["file"],
         "device_config_nnapi_native_prop":["file"],
-        "dmabuf_system_heap_device":["chr_file"],
         "hal_allocator_default":["binder", "fd"],
         "hal_codec2": ["binder", "fd"],
         "hal_codec2_hwservice":["hwservice_manager"],
@@ -325,6 +324,7 @@ def TestIsolatedAttributeConsistency(test_policy):
         "hal_graphics_allocator_server":["binder", "service_manager"],
         "hal_graphics_mapper_hwservice":["hwservice_manager"],
         "hal_neuralnetworks": ["binder", "fd"],
+        "hal_neuralnetworks_service": ["service_manager"],
         "hal_neuralnetworks_hwservice":["hwservice_manager"],
         "hal_omx_hwservice":["hwservice_manager"],
         "hidl_allocator_hwservice":["hwservice_manager"],
@@ -333,22 +333,14 @@ def TestIsolatedAttributeConsistency(test_policy):
         "hidl_token_hwservice":["hwservice_manager"],
         "hwservicemanager":["binder"],
         "hwservicemanager_prop":["file"],
-        "hwbinder_device":["chr_file"],
         "mediacodec":["binder", "fd"],
         "mediaswcodec":["binder", "fd"],
         "media_variant_prop":["file"],
         "nnapi_ext_deny_product_prop":["file"],
-        "ion_device" : ["chr_file"],
-        # system services
-        "audioserver_service":["service_manager"],
-        "cameraserver_service":["service_manager"],
-        "content_capture_service":["service_manager"],
-        "device_state_service":["service_manager"],
-        "hal_neuralnetworks_service":["service_manager"],
         "servicemanager":["fd"],
-        "speech_recognition_service":["service_manager"],
-        "mediaserver_service" :["service_manager"],
         "toolbox_exec": ["file"],
+        # extra types being granted to isolated_compute_app
+        "isolated_compute_allowed":["service_manager", "chr_file"],
     }
 
     def resolveHalServerSubtype(target):
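Review bot: `"isolated_compute_allowed"` is the only key in permissionAllowList that is not a policy type, so the `tctx not in permissionAllowList` lookup in checkPermissions can never match it and a reader will go looking for a type of that name; the added comment should say it is a synthetic key consulted only by checkIsolatedComputeAllowed. Suggest replacing `# extra types being granted to isolated_compute_app` with `# not a type: classes permitted for members of the isolated_compute_allowed_services / _devices attributes (see checkIsolatedComputeAllowed)`. Note that listing both classes under one key also loses which attribute grants which class; the policy grants service_manager to services and chr_file to devices only. TestIsolatedAttributeConsistency starts and ends outside the hunk.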
@@ -363,15 +355,24 @@ def TestIsolatedAttributeConsistency(test_policy):
                 return attr.rsplit("_", 1)[0]
         return target
 
+    def checkIsolatedComputeAllowed(tctx, tclass):
+        # check if the permission is in isolated_compute_allowed
+        allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True) \
+            .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True))
+        return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+
     def checkPermissions(permissions):
         violated_permissions = []
         for perm in permissions:
             tctx, tclass, p = perm.split(":")
             tctx = resolveHalServerSubtype(tctx)
-            if tctx not in permissionAllowList \
+            # check unwanted permissions
+            if not checkIsolatedComputeAllowed(tctx, tclass) and \
+                ( tctx not in permissionAllowList \
                 or tclass not in permissionAllowList[tctx] \
-                or ( p == "write" and not perm.startswith("hwbinder_device:chr_file") ) \
-                or ( p == "rw_file_perms"):
+                or ( p == "write") \
+                or ( p == "rw_file_perms") ):
                 violated_permissions += [perm]
         return violated_permissions
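Review bot: checkIsolatedComputeAllowed unions the members of both attributes and then accepts either class for any of them, so a type tagged isolated_compute_allowed_services passes with tclass `chr_file` and a tagged device passes with `service_manager`, even though the allow rules in private/isolated_compute_app.te grant service_manager find only to the services attribute and chr_file only to the devices attribute. The permission `p` is also never examined on this path, so the test no longer constrains which chr_file permissions a tagged device receives, whereas the removed condition flagged `write` for every device except hwbinder_device. Pairing each attribute with the single class its rule grants keeps the test as tight as the policy, as below; whether `p` should additionally be bounded to `read ioctl map` for non-binder devices is a policy decision the commit message should state. TestIsolatedAttributeConsistency starts outside the hunk.
```python
    def checkIsolatedComputeAllowed(tctx, tclass):
        # each attribute is paired with the one object class its allow rule grants
        allowedServices = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True)
        allowedDevices = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True)
        return (tctx in allowedServices and tclass == "service_manager") \
            or (tctx in allowedDevices and tclass == "chr_file")

    # … unchanged: checkPermissions …
```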