SEPolicy for AIDL MACSEC HAL
Bug: 254108688 Test: AIDL MACSEC HAL VTS (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fba6480fa08001a36faf524d0a6952f29d916a6b) Change-Id: I5ccaa24c6b9600713bbc0e4c523822567b64c662
This commit is contained in:
parent
70b7a8c76d
commit
df794b4590
9 changed files with 50 additions and 0 deletions
|
@ -70,6 +70,7 @@ var (
|
||||||
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
|
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
|
||||||
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
|
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
|
||||||
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
|
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
|
||||||
|
"android.hardware.macsec.IMacsecPskPlugin/default": EXCEPTION_NO_FUZZER,
|
||||||
"android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
|
"android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
|
||||||
"android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
|
"android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
|
||||||
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
|
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
|
||||||
|
|
|
@ -12,6 +12,7 @@
|
||||||
hal_authgraph_service
|
hal_authgraph_service
|
||||||
vibrator_control_service
|
vibrator_control_service
|
||||||
hal_codec2_service
|
hal_codec2_service
|
||||||
|
hal_macsec_service
|
||||||
hal_threadnetwork_service
|
hal_threadnetwork_service
|
||||||
virtual_camera_service
|
virtual_camera_service
|
||||||
ot_daemon_service
|
ot_daemon_service
|
||||||
|
|
|
@ -51,6 +51,7 @@ android.hardware.identity.IIdentityCredentialStore/default u:object_r:
|
||||||
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
|
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
|
||||||
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
|
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
|
||||||
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
|
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
|
||||||
|
android.hardware.macsec.IMacsecPskPlugin/default u:object_r:hal_macsec_service:s0
|
||||||
android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
|
android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
|
||||||
android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
|
android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
|
||||||
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
|
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
|
||||||
|
|
|
@ -365,6 +365,7 @@ hal_attribute(keymaster);
|
||||||
hal_attribute(keymint);
|
hal_attribute(keymint);
|
||||||
hal_attribute(light);
|
hal_attribute(light);
|
||||||
hal_attribute(lowpan);
|
hal_attribute(lowpan);
|
||||||
|
hal_attribute(macsec);
|
||||||
hal_attribute(memtrack);
|
hal_attribute(memtrack);
|
||||||
hal_attribute(neuralnetworks);
|
hal_attribute(neuralnetworks);
|
||||||
hal_attribute(nfc);
|
hal_attribute(nfc);
|
||||||
|
|
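--- /dev/null
+++ b/public/hal_macsec.te
@@ -0,0 +1,7 @@
+# Binder IPC from client to server, and callbacks
+binder_call(hal_macsec_client, hal_macsec_server)
+binder_call(hal_macsec_server, hal_macsec_client)
+
+hal_attribute_service(hal_macsec, hal_macsec_service)
+
+binder_use(hal_macsec_server)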
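Review bot: The reverse rule `binder_call(hal_macsec_server, hal_macsec_client)` lets the HAL server initiate binder transactions into every hal_macsec_client domain, which is only justified if IMacsecPskPlugin defines a callback interface; if the AIDL has no callbacks, that line should be dropped so the server cannot call back into wpa_supplicant_macsec. The comment above it only says "and callbacks", so naming the callback interface would make the grant auditable, e.g. `# server -> client calls are needed for the IMacsecPskPlugin callback interface; drop if the AIDL has none`. The AIDL definition is not visible here, so treat this as a question to confirm rather than a known defect.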
@ -309,6 +309,7 @@ type hal_ir_service, protected_service, hal_service_type, service_manager_type;
|
||||||
type hal_ivn_service, protected_service, hal_service_type, service_manager_type;
|
type hal_ivn_service, protected_service, hal_service_type, service_manager_type;
|
||||||
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
|
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
|
||||||
type hal_light_service, protected_service, hal_service_type, service_manager_type;
|
type hal_light_service, protected_service, hal_service_type, service_manager_type;
|
||||||
|
type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
|
||||||
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
|
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
|
||||||
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
|
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
|
||||||
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
|
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
|
||||||
|
|
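--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -76,6 +76,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service u:object_r:hal_macsec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
@@ -126,6 +127,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant_macsec u:object_r:wpa_supplicant_macsec_exec:s0
 /(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
 /(vendor|system/vendor)/bin/ot-rcp u:object_r:ot_rcp_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0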
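--- /dev/null
+++ b/vendor/hal_macsec_default.te
@@ -0,0 +1,8 @@
+type hal_macsec_default, domain;
+hal_server_domain(hal_macsec_default, hal_macsec)
+
+type hal_macsec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_macsec_default)
+
+# Allow registering with service manager.
+binder_call(hal_macsec_default, servicemanager)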
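Review bot: `binder_call(hal_macsec_default, servicemanager)` under the comment "Allow registering with service manager." looks redundant: public/hal_macsec.te in this same commit already applies `binder_use(hal_macsec_server)`, and hal_macsec_default receives the hal_macsec_server attribute through `hal_server_domain(hal_macsec_default, hal_macsec)`, so if binder_use expands to its usual servicemanager call/transfer grant the registration path is already covered. What the extra rule adds beyond that is a servicemanager -> hal_macsec_default transfer and fd-use grant that registration does not need; either drop the line or reword the comment to state which additional access it exists for. A one-line header such as `# Default vendor implementation of the AIDL MACsec PSK plugin HAL (android.hardware.macsec.IMacsecPskPlugin)` would also say what this domain is, since the service name only appears in service_contexts.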
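--- /dev/null
+++ b/vendor/wpa_supplicant_macsec.te
@@ -0,0 +1,28 @@
+# wpa supplicant macsec or equivalent
+type wpa_supplicant_macsec, domain;
+type wpa_supplicant_macsec_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(wpa_supplicant_macsec)
+
+net_domain(wpa_supplicant_macsec)
+
+# Allow wpa_supplicant to configure nl80211
+allow wpa_supplicant_macsec proc_net_type:file write;
+
+# in addition to ioctls allowlisted for all domains, grant wpa_supplicant_macsec priv_sock_ioctls.
+allowxperm wpa_supplicant_macsec self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(wpa_supplicant_macsec, sysfs_type)
+r_dir_file(wpa_supplicant_macsec, proc_net_type)
+
+allow wpa_supplicant_macsec self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow wpa_supplicant_macsec cgroup:dir create_dir_perms;
+allow wpa_supplicant_macsec cgroup_v2:dir create_dir_perms;
+allow wpa_supplicant_macsec self:netlink_route_socket nlmsg_write;
+allow wpa_supplicant_macsec self:netlink_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:packet_socket create_socket_perms;
+allowxperm wpa_supplicant_macsec self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+binder_use(wpa_supplicant_macsec)
+hal_client_domain(wpa_supplicant_macsec, hal_macsec)
+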
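Review bot: The comment `# Allow wpa_supplicant to configure nl80211` above `allow wpa_supplicant_macsec proc_net_type:file write;` appears to be carried over from the Wi-Fi supplicant policy and does not describe this domain: nl80211 is the Wi-Fi generic-netlink family, and writing proc_net_type files is a blanket grant over /proc/sys/net that is unrelated to it. Please either name the sysctl the MACsec supplicant actually writes, e.g. `# MACsec supplicant writes its interface sysctls under /proc/sys/net (proc_net_type); no nl80211 use`, or drop the rule if there is no denial without it. The same copy-paste shows in `allow wpa_supplicant_macsec self:global_capability_class_set { setuid net_admin setgid net_raw };`: setuid/setgid are only needed if the binary starts as root and drops privileges itself, and if init already launches it under a dedicated user only net_admin and net_raw should remain. The init .rc and the binary are not visible here, so confirm both against the actual audit denials rather than treating them as known defects.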