Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP. As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app. This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition. Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.
Bug: 62806062
Test: neverallow-only change builds. Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
This is to Allow commands like `adb shell run-as ...`.
Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
(cherry picked from commit 1847a38b4a)
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons. Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced. Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.
This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types. In
particular, this has caused an issue with the neverallows added in our
macros. Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this. Also add corresponding rules
for other types which have been removed due to no corresponding rules.
Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes. sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
This violates the socket comms ban between coredomain (radio) and
non coredomain (rild) in the platform policy.
Bug: 62616897
Bug: 62343727
Test: Build and boot sailfish
Change-Id: I48303bbd8b6eb62c120a551d0f584b9733fc2d43
Signed-off-by: Sandeep Patil <sspatil@google.com>
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.
Bug: http://b/62297059
Test: dumpstate
Merged-In: I0f25682177115aacd5c2203ddc0008228b0380ad
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
(cherry picked from commit 7aa085233a)
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.
Bug: 37008075
Test: Build and boot sailfish
Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
Modprobe requires this permission or the following denial will
prevent loading of signed kernel modules:
audit: type=1400 audit(27331649.656:4): avc: denied { search } for
pid=448 comm="modprobe" scontext=u:r:modprobe:s0 tcontext=u:r:kernel:s0
tclass=key permissive=0
Bug: 62256697
Test: Verified signed module loading on sailfish.
Change-Id: Idde41d1ab58e760398190d6686665a252f1823bb
vendor implementations need to be able to run modprobe as part of
init.rc scripts. They cannot do so because of the strict neverallow
currently in place that disallows all coredomains (including init)
to execute vendor toybox.
Fix this by adding init to the exception list for the neverallow so
vendors can then run modprobe from .rc scripts and also add the rule to
allow init to transition to modprobe domain using vendor_toolbox.
Bug: b/38212864
Test: Boot sailfish
Change-Id: Ib839246954e9002859f3ba986094f206bfead137
Signed-off-by: Sandeep Patil <sspatil@google.com>
Needed to allow lower power Play Music of downloaded files.
05-24 10:12:49.331 24025 24025 W generic : type=1400
audit(0.0:1259): avc: denied { read } for
path="/data/data/com.google.android.music/files/music/925.mp3"
dev="sda35" ino=2179256 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
permissive=0
Test: Play Music
Bug: 62059834
Change-Id: I97bdb1d175dba8f7a8ec6cd9084323cfcd3660bd
Update SE Policy to allow calls to and callbacks for the Tether Offload HAL
HIDL binderized service.
Bug: 38417260
Test: New functionality. So we don't have any tests.
Change-Id: I2c95b290523c55c081afa1bca091f368559c9125
(cherry picked from commit 722249b3e8)
Right now, the hwcomposer hidl hal is unable to figure out where
to get the hidl mapper implementation.
It is expected that all graphics composer objects will need this
permission. The interfaces are written to work together with the
"IMapper" being the same-process ("sphal") component and the
"IComposer" interface being the binderized compoenent.
10-09 00:24:38.900 457 457 E SELinux : avc: denied { find } for
interface=android.hardware.graphics.mapper::IMapper pid=495
scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:hal_graphics_mapper_hwservice:s0 tclass=hwservice_manager
Test: boot marlin, denial no longer present.
Bug: 38415912
Change-Id: I1b274be10e115fa7b53fb81e85be8827da05997e
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
and 66e27bf502
Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.
Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
This hidl service provides information about vsync and hotplug
to vendor services which is required by at least some camera
hal implementations.
Test: VtsFwkDisplayServiceV1_0TargetTest
Test: no denials
Bug: 38311538
Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
Disallowing other HALs access to video_device does not appear to be
enforceable.
(cherry picked from commit c26dd18aeb)
Bug: 37669506
Test: build policy. Neverallow rules are build time test and do not
impact the policy binary.
Change-Id: Iea401de08a63f3261a461f67b85113a9d838e88a
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
Sensord move in ag/2106763 should be accompanied by corresponding
sepolicy move of sensord-related files/declarations.
Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.
Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
New binder kernel changes extend the areas where
binder will set real-time scheduling priorities
on threads; to make sure the driver can correctly
determine whether a process is allowed to run
at real-time priority or not, add the capability
to the services that need it.
Bug: 37293077
Test: processes run at real-time prio on incoming
real-time binder calls.
Change-Id: Ia4b3e5ecb1f5e18e7272bdaaad5c31a856719633
The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:
IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump
Bug: 37993476
Test: check contents of media.audio_flinger section in
a bugreport captured on Pixel device
Merged-In: I77d347c019ac93c3ba0d54ce50f0fdc243b04685
Change-Id: Ia0531f715ae5f8b2599153e54a11e9eb4ee47d4b
This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0
Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
Whether a device is full Treble or not, omx should be able to
access vndbinder
Test: (sanity) oc-dev marlin boots + YouTube + lshal
Fixes: 37528973
Change-Id: Idd734b42c7dfe3e09e544680a6893b03910ecd3e
