This is a follow-up to 9339168688
which added both
hal_client_domain(cameraserver, hal_graphics_allocator) and
binder_call(cameraserver, hal_graphics_allocator). The latter
binder_call rule is no longer needed because it is automatically
granted by virtue of cameraserver being marked as a client of
Graphics Allocator HAL --
see 49274721b3.
Test: Take a photo (both HDR and conventional) using Google Camera
Test: Record video using Google Camera
Test: Record slow motion video using Google Camera
Test: No denials to do with cameraserver and hal_graphics_allocator*
Bug: 34170079
Change-Id: If93fe310fa62923b5107a7e78d158f6e4b4d0b3a
HALs are intended to be limited responsibility and thus limited
permission. In order to enforce this, place limitations on:
1. What processes may transition into a HAL - currently only init
2. What methods may be used to transition into a HAL - no using
seclabel
3. When HALs exec - only allow exec with a domain transition.
Bug: 36376258
Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules
are compile time assertions, so building is a sufficient test.
Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131
All previous users of this macro have been switched to
hal_server_domain macro.
Test: no hal_impl_domain in system/sepolicy/ and device/**/sepolicy
Test: mmm system/sepolicy
Bug: 34170079
Change-Id: I4a71b3fd5046c0d215b056f1cae25fe6bda0fb45
Apps should be able to access the configstore HAL since framework
libraries which are loaded into app process can call configstore.
Letting apps have direct access to this HAL is OK because:
(1) the API of this HAL does not make clients provide any sensitive
information to the HAL, which makes it impossible for the HAL to
disclose sensitive information of its clients when the HAL is
compromised,
(2) we will require that this HAL is binderized (i.e., does not run
inside the process of its clients),
(3) we will require that this HAL runs in a tight seccomp sandbox
(this HAL doesn't need much access, if at all) and,
(4) we'll restrict the HALs powers via neverallows.
Test: apps can use configstore hal.
Change-Id: I04836b7318fbc6ef78deff770a22c68ce7745fa9
This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.
Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).
Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow
motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
Every client of Graphics Allocator HAL needs permission to (Hw)Binder
IPC into the HAL.
Test: Device boots, no denials to do with hal_graphics_allocator
(also, removing the binder_call(hal_graphics_allocator_client,
hal_graphics_allocator_server) leads to denials)
Test: GUI works, YouTube works
Bug: 34170079
Change-Id: I5c64d966862a125994dab903c2eda5815e336a94
This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
This patch fixes Gatekeeper HAL rules.
Bug: 34260418
Test: Device boots with gatekeeper_hal using hwbinder and
gatekeeperd does not fall back to software.
Change-Id: I6aaacb08faaa7a90506ab569425dc525334c8171
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
