Like HIDL HALs, if we have a service which is allowed to access
hal_<foo>_service, we want that service to have the attribute
hal_<foo>_client.
Unlike HIDL HALs, some AIDL services are allowed to get ahold of all
HALs, so these have to be exempted from this check.
Fixes: 168152053
Test: neverallows pass
Change-Id: I4bce6d9441c2921c3ea40f2b01fef4030c02a28a
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.
Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
Similar to aosp/961857, but enables the logging of atrace events from
the camera HAL (primarily HIDL interactions, but also a couple of ION
events).
Keeping it confined to userdebug_or_eng. Longer-term planning belongs on
b/78136428.
Not adding fwk_camera_hwservice, as it is a HIDL interface to
cameraserver (which is already covered above).
Plus slight reorganization of existing atrace.te contents, and donaudits
to reduce logspam from denials (including pre-existing ones that were
hitting the rate limiter).
Specific denials addressed (listing HALs, finding camera HAL, notifying it):
05-15 18:07:19.684 618 618 E SELinux : avc: denied { list } for scontext=u:r:atrace:s0 tcontext=u:r:hwservicemanager:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.701 618 618 E SELinux : avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider sid=u:r:atrace:s0 pid=10137 scontext=u:r:atrace:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.698 10137 10137 I atrace : type=1400 audit(0.0:273): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:hal_camera_default:s0 tclass=binder permissive=1
Bug: 130543265
Tested: flashed blueline-userdebug, took a trace with perfetto, confirmed HIDL atrace slices present in camera hal trace.
Change-Id: I0f8ce989355603e41d6c05c3de07e7dd615555eb
This allows the atrace cmd to notify cameraserver (the host of
media.camera service) that the set of tracing-related system properties
have changed. This allows the cameraserver to notice that it might need
to enable its trace events.
The atrace cmd has the necessary permission when running as shell, but
not when it is running as the "atrace" domain (notably when exec'd by
perfetto's traced_probes).
We're adding cameraserver to the whitelist as it contains important
events for investigating the camera stack.
Example denial:
05-14 22:29:43.501 8648 8648 W atrace : type=1400 audit(0.0:389): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:cameraserver:s0 tclass=binder permissive=0
Tested: flashed blueline-userdebug, captured a perfetto trace with "camera" atrace category, confirmed that userspace atrace events are included in the trace.
Bug: 130543265
Change-Id: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
- lpdump is a binary on the device that talks to lpdumpd
via binder.
- lpdumpd is a daemon on the device that actually reads
dynamic partition metadata. Only lpdump can talk to it.
Bug: 126233777
Test: boots (sanity)
Test: lpdump
Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
This CL adds rules to allow traced_probes to dup a pipe as the stderr
for atrace and also send a sigkill to atrace after a timeout.
This fixes b/119656920
Change-Id: Ie66aaba47c11ef7c733b442f35fee042b7c546fb
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered,
apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
Historically most uses of atrace happen via the shell domain.
There are two exceptions:
- boot tracing
- traced_probes
We need to get feature parity, so atrace has the same behavior
when is invoked either via shell or from its own domain (e.g.
via traced_probes that has an auto_trans rule into atrace on exec).
Atrace works by setting system properties to enable tracing from userspace
then poking all the binder services to read the system properties (see [1]) so
enabling the system_server category requires the ability to call binder
methods on the system_server.
For more use cases see b/113127224
[1]: 9ead54bed6/cmds/atrace/atrace.cpp (545)
Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data
shows up.
Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.
This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.
Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.
Bug: 64762598
Test: Successfully took traces in user mode.
Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
long live domain.te!
Remove all references.
Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
atrace and its atrace_exec now exist only in private policy.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with atrace_current
which is expected now that atrace cannot be referenced from
public or vendor policy.
Bug: 31364497
Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
Make all platform tyeps public to start to prevent build breakage in any devices
that may have device-specific policy using these types. Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.
Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c