Commit graph

33 commits

Author SHA1 Message Date
Ytai Ben-Tsvi
9eaf3be545 Add soundtrigger3 HAL (AIDL) to sepolicy
Test: Compile and boot. Don't yet have a HAL implementation to test
      with.
Change-Id: I387abd0e8913eef865cba2aee0a4ef714232bb19
2021-03-23 10:34:19 -07:00
Inseob Kim
ebde47c63f Move ro.audio.* props to audio_config_prop
Bug: 155844385
Test: boot, play sound and see no denials
Change-Id: If457a6a1fe083d77a3387051edcf40fb12a0624c
2020-06-23 23:52:55 +09:00
Yiming Jing
6067b53d4f Remove duplicate neverallow for hal_audio_server
A vendor has an audio HAL implementation for Android Automotive that
controls amplifiers with tcp sockets. This violates a neverallow rule
in 'public/hal_audio.te':

neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket
} *;

This rule prevents any audio HAL server from accessing sockets; But
public/hal_neverallows.te, line 19 exempts HAL servers on automotive
devices; because in a car it is common to have external modules
accessible over in-vehicle networks.

Therefore, the existing neverallow rule in hal_audio.te is a duplicate;
and this CL removes this rule.

Vendors on automotive devices should refer to 'vendor/hal_audio_default.te',
by (1) creating a new type; (2) associating the type with the
'hal_automotive_socket_exemption' attribute.

Bug: 150400684
Test: tested with the following rules in 'vendor/hal_audio_default.te'
Test: type harmon_amplifier, domain;
Test: typeattribute hal_audio_default hal_automotive_socket_exemption;
Test: allow hal_audio_default harmon_amplifier:tcp_socket connect;
Test: m -j should compile sepolicy without complaints
Change-Id: I517b050d0582d08f94f35ba815a030121385f319
2020-04-20 15:25:51 -07:00
Ytai Ben-Tsvi
d09bf56664 Allow audio HAL to access application shared memory
Bug: 151190218
Change-Id: I430ebe60e192803a3cc699477db83d1a33f8c62e
2020-03-26 16:02:39 -07:00
Vignesh Kulothungan
155ca12879 sepolicy: allow hal_omx to access audio devices
hal_omx needs to access audio devices to use OMX HW decoders and
encoders. Allow hal_omx to access audio devices.

authored-by: Banajit Goswami <bgoswami@codeaurora.org>

Change-Id: I742c29c4105e5647ca1a7e017e311559a0567b52
2019-04-10 11:31:04 -07:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Steven Moreland
9234e00daf hal_attribute_hwservice_client drop '_client'
Since this attribute just associates a hal_attribute
with a given hwservice in the standard way.

Bug: 80319537
Test: boot + sanity + test for denials
Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e
2018-06-06 09:30:18 -07:00
Steven Moreland
343e24a1be hal_attribute_hwservice_client += add_hwservice
For sanity, this makes 'hal_attribute_hwservice_client'
be associated with a specific hwservice thus making things
consistent.

After this change, only configstore, hal_allocator, and the
fwk_* services are inconsistent with all other HALs.

Bug: 80319537
Test: boot device, sanity tests, check for denials
Change-Id: Ibffc65c9567a429e07a3dc4dd41117738459dc2a
2018-06-06 09:25:52 -07:00
Steven Moreland
8fc7981885 Find hal_foo_hwservice -> you are hal_foo_client.
Before, it was possible to access a hwservice without declaring
that you were a client.

This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)

which makes sure the above implication holds using a neverallow rule.

Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
2018-05-30 16:46:57 -07:00
Jaekyun Seok
224921d18a Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-13 09:25:06 +09:00
Sunny Kapdi
bc0c88f37d Bluetooth A2DP offload: Binder call to audio HAL
Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8)
2018-03-12 13:28:43 -07:00
Haynes Mathew George
ebc7b434e2 audio: Enable vndbinder use from hal_audio
Allow hal audio to use vndbinder

Change-Id: I83fc8d5b873bfc4e36f44e423d5740cb5e9739ee
2018-02-28 08:56:56 -08:00
Jeff Vander Stoep
6a28b68d54 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
2017-11-22 04:54:41 +00:00
Jeffrey Vander Stoep
cd69bebf76 Revert "Fix CTS regressions"
This reverts commit ed876a5e96.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 20:27:47 +00:00
Jeff Vander Stoep
ed876a5e96 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
2017-11-21 18:06:20 +00:00
Jeff Vander Stoep
b1a921e24e hal_audio: remove access to audiohal_data_file
This is no longer used and violates Treble data separation.

Bug: 68057930
Test: verify on Sailfish that /data/misc/audiohal doesn't exist
    This dir appears to be Qualcomm specific and should not have
    been defined in core policy.

Change-Id: I55fba7564203a7f8a1d8612abd36ec1f89dc869d
2017-10-21 03:29:36 +00:00
Mikhail Naganov
804838530e Revert "Remove proc access from hal_audio."
Reason: breaks "Ok google". Soundtrigger module needs to access /proc/asound/pcm.

This reverts commit 5cccb24915.

Bug: 67930353
Change-Id: I67e0912a6795b3715a3321d3fe5147f49cebc9b5
2017-10-18 20:30:14 +00:00
Tri Vo
5cccb24915 Remove proc access from hal_audio.
As a consequence, hal_audio_default (and any domain with hal_audio attribute)
loses access to proc label.

Bug: 65643247
Test: sailfish boots, can play sound through speakers and headset
(3.5mm, usb, and bluetooth) without denials from hal_audio to proc.
Test: VtsHalAudioEffectV2_0Target
Test: VtsHalAudioV2_0Target

Change-Id: I3eead5a26ef36b8840d31c5e078f006b0c2266a3
2017-10-16 12:46:12 -07:00
Tri Vo
464f59ae10 Extend access to proc/asound/*
Renamed this type:
proc_asound_cards -> proc_asound

Labeled /proc/asound/devices as proc_asound.

We now use proc_asound type to label files under /proc/asound which we
want to expose to system components.

Bug: 66988327
Test: Pixel 2 boots, can play sound with or without headphones, and
selinux denials to proc_asound are not seen.

Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0
2017-10-06 10:29:03 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Mikhail Naganov
da694ced44 hal_audio: Allow writing dump info into pipes when capturing BR am: 9686cbcdbf am: 4aac6fdbac
am: b00a85c3f8

Change-Id: I82f7934d824a35644263eb298d6c2c5eb018c8b5
2017-05-08 18:38:52 +00:00
Mikhail Naganov
9686cbcdbf hal_audio: Allow writing dump info into pipes when capturing BR
The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 37993476
Test: check contents of media.audio_flinger section in
      a bugreport captured on Pixel device

Change-Id: I77d347c019ac93c3ba0d54ce50f0fdc243b04685
2017-05-04 13:25:52 -07:00
Steven Moreland
b0ed936373 Remove audio from socket_between.._violators
Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5
2017-04-28 20:03:03 +00:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00
Jeff Vander Stoep
7fa59c819c Enforce separation of privilege for HAL driver access
Only audio HAL may access audio driver.
Only camera HAL may access camera driver.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625
Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3
2017-03-13 22:40:01 -07:00
Mikhail Naganov
d7c88ddf5a hal_audio: Allow writing dump info into pipes
The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 36074936
Test: check contents of 'adb shell dumpsys media.audio_flinger'
      on -userdebug builds

Change-Id: Ie2bec95c6b73c6f10941e2b0a95a25d6a7a6e4c1
2017-03-09 14:32:16 -08:00
Alex Klyubin
ac2b4cd2cb Use _client and _server for Audio HAL policy
This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
  hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
  associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
  against the hal_foo attribute. This policy is granted to domains
  which offer the Foo HAL service over HwBinder and, if Foo HAL runs
  in the so-called passthrough mode (inside the process of each
  client), also granted to all domains which are clients of Foo HAL.
  hal_foo is there to avoid duplicating the rules for hal_foo_client
  and hal_foo_server to cover the passthrough/in-process Foo HAL and
  binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-15 13:32:14 -08:00
Steven Moreland
a25192262b haldomain: add hwbinder_use
All hals need to use hwbinder.

Test: no additional denials
Bug: 34180936
Change-Id: Ie92cdbd79fc75062c4afa4cda53cb57ccde7e370
2017-01-18 09:47:50 -08:00
Mikhail Naganov
ddb52d823f hal_audio: In binderized mode hal_audio needs access to IAllocator
This is to ensure that hal_audio can access memory shared by
audioserver.

Bug: 34261005
Change-Id: I84103b0d4692fd10afc56846fb116fec6a7b3dc7
2017-01-17 09:24:56 -08:00
Mikhail Naganov
e91740a588 Allow hal_audio to set scheduling policy for its threads
Audio HAL server needs to set SCHED_FIFO scheduling policy
for its threads that communicate with FastMixer threads of
AudioFlinger that use the same scheduler.

Bug: 30222631
Change-Id: I405a69d097a6bfed455e3483365b27c4004e1063
2016-12-22 09:26:41 -08:00
Steven Moreland
29eed9faea All hal policies expressed as attributes.
Bug: 32123421
Bug: 32905206

Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 17:18:27 -08:00
Jeff Vander Stoep
27ae545a78 clean up hal types
Bug: 32123421
Test: build Hikey
Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d
2016-10-26 09:50:04 -07:00