Commit graph

21 commits

Author SHA1 Message Date
Mugdha Lakhani
2ae45c5766 Create sdk_sandbox_all.
Rename sdk_sandbox to sdk_sandbox_34.
Additionally, Extract out parts of sdk_sandbox_34 to
sdk_sandbox_all.te that will be shared with all sdk_sandbox domains.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest

Change-Id: I36e0c8795148de83c81dfe12559452812aa2b25e
2023-05-09 15:11:39 +00:00
Martin Stjernholm
87143bd904 Revert "Introduce a new sdk_sandbox domain"
This reverts commit 304962477a.

Reason for revert: b/279565840

Change-Id: I6fc3a102994157ea3da751364f80730f4d0e87f0
2023-04-25 12:40:37 +00:00
Mugdha Lakhani
304962477a Introduce a new sdk_sandbox domain
Define the selinux domain to apply to SDK runtime for
targetSdkVersion=34.
The existing sdk_sandbox domain has been renamed to sdk_sandbox_next.
Future CLs will add logic to apply one of these to the SDK runtime
processes on the device, based on a flag.

auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.

Bug: 270148964
Test: make and boot the test device, load SDK using test app
Change-Id: I7438fb16c1c5e85e30683e421ce463f9e0b1470d
2023-04-21 17:26:26 +00:00
Charles Chen
31a7fb09be Enable NNAPI for isolated compute app
Need access to TPU/GPU for neural models in isolated_compute_app.

Bug: 266923392
Test: m
Change-Id: I2ea7c551b5fe678f383d3854ae295b448e78b460
2023-03-01 20:27:13 +00:00
Charles Chen
3e9f05faa3 Extension of isolated_compute_app for media services.
Support media use cases in isolated_compute_app such as decoding with MediaCodecs.

Bug:266943251
Test: m &&  manual - sample app with IsolatedProcess=True can use MediaCodec.

Change-Id: I864dcfb16494efada2fbd2a7d34b5d7f6b8128cb
2023-02-08 15:48:25 -08:00
Charles Chen
3d4a6b7474 Add isolated_compute_app domain
Provides a new domain to enable secure sensitive data processing. This
allows processing of sensitive data, while enforcing necessary privacy
restrictions to prevent the egress of data via network, IPC or file
system.

Bug: 255597123
Test: m &&  manual - sample app with IsolatedProcess=True can use camera
service

Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d
2023-01-31 15:24:55 +00:00
Charles Chen
ccf8014492 Share isolated properties across islolated apps
Introduce isolated_app_all typeattribute to share policies between
isolated_app and future similar apps that wish to be enforced with
isolation properties.

Bug: 255597123
Test: m && presubmit
Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89
2023-01-31 12:59:57 +00:00
Bram Bonne
85dfe313e5 Restrict sandbox access to drmservice
Bug: 226390597
Test: atest SdkSandboxRestrictionsTest

Change-Id: I49b55d66f1cdc1e8d65e3419460615822c3c3ef3
2022-03-24 14:09:46 +01:00
Steven Moreland
cc7de177ec Remove bufferhub HAL policy.
The bufferhub daemon policy still remains, since it still needs to be
deleted. However, since the HAL no longer exists, removing policy
related to this.

Bug: 204068144
Test: build only
Change-Id: I96b96c77a39e2ba2024680ebaf3067283d0cfc65
2021-10-27 10:54:45 -07:00
Inseob Kim
4c110ff19b Use attributes for exclusive property owners
tests/sepolicy_tests.py has been checking whether the property owner
attributes are mutually exclusive. This is because current policy
language can't express the following snippet:

    neverallow domain {
        system_property_type && vendor_property_type
    }:file no_rw_file_perms;

    neverallow domain {
        system_property_type && vendor_property_type
    }:property_service set;

This uses technical_debt.cil to workaround this.

Bug: 171437654
Test: Try to compile a type having both system_property_type and
      vendor_property_type
Change-Id: Ic65f2d00aa0f2fb7f5d78331b0a26e733fcd128e
2020-11-30 18:34:30 +09:00
Robert Shih
f58be478de Allow apps to access hal_drm
Bug: 134787536
Test: MediaDrmClearkeyTest#testClearKeyPlaybackCenc
Change-Id: I931ccdfa3b78c7210f9f94e94b48d2d6908a371d
Merged-In: I931ccdfa3b78c7210f9f94e94b48d2d6908a371d
2019-09-30 04:51:24 +00:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00
Jiwen 'Steve' Cai
e17b293528 Allow app to conntect to BufferHub service
Bug: 112940221
Test: AHardwareBufferTest
Change-Id: I1fd065844e03c7e079dc40b7f7dbb8968f1b00bc
2019-01-14 10:49:35 -08:00
Tri Vo
7f8b6cc66c Rename untrusted_app_visible_*' to include 'violators'.
Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
(cherry picked from commit 7abca51d19)
2018-08-21 21:32:41 +00:00
Steven Moreland
8fc7981885 Find hal_foo_hwservice -> you are hal_foo_client.
Before, it was possible to access a hwservice without declaring
that you were a client.

This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)

which makes sure the above implication holds using a neverallow rule.

Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
2018-05-30 16:46:57 -07:00
Michael Butler
ea331aa7b8 Allow applications to use NN API HAL services
The NeuralNetworks runtime is a library that communicates with
NeuralNetworks HIDL services and is linked by applications. To enable
the NN runtime to use these services, applications must have explicit
sepolicy permissions to find the NN services and communicate across
binder.

This CL relaxes neverallow rules for hal_neuralnetworks_*.

Because it is affecting pre-existing neverallow rules, this CL requires
a CTS rebuild.

Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)
2018-01-16 13:50:37 -08:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Alex Klyubin
75ca483215 surfaceflinger and apps are clients of Configstore HAL
This commit marks surfaceflinger and app domain (except isolated_app)
as clients of Configstore HAL. This cleans up the policy and will make
it easier to restrict access to HwBinder services later.

Test: Play YouTube clip in YouTube app and YouTube web page in Chrome
Test: Take an HDR+ photo, a normal photo, a video, and slow motion
      video in Google Camera app. Check that photos show up fine and
      that videos play back with sound.
Test: Play movie using Google Play Movies
Test: Google Maps app displays the Android's correct location
Bug: 34454312
Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371
2017-04-18 12:24:22 -07:00
Alex Klyubin
5007c10a51 Apps and system_server are gralloc HAL clients
This commit marks system_server and app domains (except isolated_app)
as clients of Graphics Allocator HAL. This makes the policy cleaner
and prepares ground for restricting access to HwBinder services.

Test: Play video in YouTube app and in Google Chrome YouTube web page
Test: Using Google Camera app, take an HDR+ photo, a conventional
      photo, record a video with sound and a slow motion video with
      sound, then check that photos look good and videos play back
      fine, including sound.
Bug: 34454312
Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a
2017-04-17 12:55:00 -07:00
Mathias Agopian
9901ff7c4f update sepolicy for gralloc HAL
the list to update was determined by looking
at who currently has access to surfaceflinger
for ipc and FD use.

Test: try some media stuff
Bug: 36333314
Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d
2017-03-30 14:43:35 -07:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00