Commit graph

27 commits

Author SHA1 Message Date
Jaesoo Lee
8c79670e5f configstore: assign label to all minor versions of configstore service am: c895f278bb am: 8741d4fe3d am: 0e573bd59c
am: 3986e93590

Change-Id: I9f30605deb73d922d3758971a07a470f242b484a
2017-05-10 13:54:29 +00:00
Jaesoo Lee
3986e93590 configstore: assign label to all minor versions of configstore service am: c895f278bb am: 8741d4fe3d
am: 0e573bd59c

Change-Id: Ifde25dcde7b5eec4a797124ed3eeaa45dc9d4414
2017-05-10 13:45:59 +00:00
Jaesoo Lee
c895f278bb configstore: assign label to all minor versions of configstore service
Added rule:

/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0

Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58
2017-05-10 12:27:34 +09:00
Donghyun Cho
677d6f4e9c Merge "Add sepolicy for tv.cec" into oc-dev am: 976fb16bc1
am: 6b2e934c3c

Change-Id: If4839eb04ee034f4cdc10db1d04b39e13c718b5c
2017-04-12 08:23:58 +00:00
TreeHugger Robot
976fb16bc1 Merge "Add sepolicy for tv.cec" into oc-dev 2017-04-12 08:13:40 +00:00
Donghyun Cho
f81dd0c578 Add sepolicy for tv.cec
Bug: 36562029
Test: m -j40 and CEC functionality works well
Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8
2017-04-07 11:21:56 +09:00
Sandeep Patil
323ffe2fdf Merge "sepolicy: add missing labels for same process HALs." into oc-dev am: 42424f13e5
am: 870160d528

Change-Id: Ia54190a372be0ffb8ed573dab31cdce4c0ddbf7a
2017-04-06 23:43:04 +00:00
Sandeep Patil
366c2ec1dc sepolicy: add missing labels for same process HALs.
Some of the same process HAL labeling was missing from Marlin.
These are identified by tracking library dependencies.

Bug: 37084733
Test: Build and boot sailfish. The change allows the labelled libraries
      to be opened by any domain. So, the boot test is sufficient.

Change-Id: Id55e834d6863ca644f912efdd690fccb71d3eaf3
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:50:23 -07:00
Sandeep Patil
9954cb6142 Merge changes from topic 'vendor-ocdev-relabel' into oc-dev am: 37792cecad
am: 6d2e29c1b7

Change-Id: I130f42e045695b3c08d25f4ba287a35c4687d8c1
2017-04-06 03:27:42 +00:00
Sandeep Patil
277a20ebec sepolicy: relabel /vendor
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-05 13:58:32 -07:00
Sohani Rao
3dd460ba2b SE Policy for Wifi Offload HAL
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987

Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.

Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
2017-04-04 14:28:39 -07:00
Shubang
c76e158c27 Add sepolicy for tv.input
Test: build, flash; adb shell lshal
Bug: 36562029
Change-Id: If8f6d8dbd99d31e6627fa4b7c1fd4faea3b75cf2
2017-03-31 13:44:50 -07:00
Martijn Coenen
e7d8f4c3c8 Initial sepolicy for vndservicemanager.
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387
Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff
2017-03-23 00:20:43 +00:00
Martijn Coenen
7cfba9a773 Merge "Initial sepolicy for vndservicemanager." 2017-03-22 22:14:05 +00:00
Martijn Coenen
cba70be751 Initial sepolicy for vndservicemanager.
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Change-Id: Ifbf536932678d0ff13d019635fe6347e185ef387
2017-03-22 12:53:13 -07:00
Pawin Vongmasa
96a5b4a75a Move mediacodec to vendor partition.
Test: Camera, Photos, YouTube and Play Movies apps.
Bug: 35328855
Change-Id: I3643b668817a7336f7ccda781734920fbbcc2c63
2017-03-20 18:52:24 -07:00
Alex Klyubin
2438804719 Merge "Switch Boot Control HAL policy to _client/_server" am: 51a2238c9e am: 2a887bfb3d
am: 4abc2d23d5

Change-Id: I6602b883078cbf5778f9843d68263633de351dbc
2017-03-20 19:46:41 +00:00
Alex Klyubin
09d13e734d Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 17:22:06 -07:00
Po-Chien Hsueh
9a29301376 sepolicy: Move hostapd to vendor
Move hostapd to vendor/bin/ because it's only used by WIFI HAL.
This commit is for sepolicy corresponding changes.

Bug: 34236942
Bug: 34237659
Test: Hotspot works fine. Integration test.

Change-Id: I2ee165970a20f4015d5d62fc590d448e9acb92c1
2017-03-09 11:17:45 +08:00
Roshan Pius
a976e64d89 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ede2) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-03-07 01:34:28 +00:00
Roshan Pius
97f64b9057 Merge "sepolicy: Make wpa_supplicant a HIDL service" 2017-02-28 22:14:24 +00:00
Steven Moreland
ba1c5831fd Bluetooth hal: move to vendor partition.
Bug: 35328775
Test: works in both binderized and passthrough modes
Merged-In: I1f827b4983e5e67c516e4488ad3497dd62db7e20
Change-Id: I1f827b4983e5e67c516e4488ad3497dd62db7e20
2017-02-28 01:35:11 +00:00
Steven Moreland
0b23d3ed89 Bluetooth hal: move to vendor partition.
Bug: 35328775
Test: works in both binderized and passthrough modes
Change-Id: I1f827b4983e5e67c516e4488ad3497dd62db7e20
2017-02-27 15:42:52 -08:00
Roshan Pius
2a9595ede2 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-02-24 17:10:59 +00:00
Amit Mahajan
f7bed71a21 Move rild to vendor partition.
Test: Basic telephony sanity
Bug: 35672432
Change-Id: I7d17cc7efda9902013c21d508cefc77baccc06a8
2017-02-23 16:20:07 -08:00
Alex Klyubin
3001d5a336 Label /vendor/bin/hw on devices without vendor partition
SELinux labeling of filesystem files ignores symlinks. Unfortunately,
/vendor is a symlink on devices without vendor partition
(e.g., hikey). Thus, policy in directories which are used both for
devices with vendor partition and for devices without vendor partition
must be adjusted to match both /vendor and /system/vendor. It is
assumed that the /vendor symlink, if it exists at all, always points
to /system/vendor.

The alternative solution of adjusting vendor policy file labelling
rules at vendor policy build time, when the actual on-device paths are
known, was considered to make it harder to see how files are labelled
by looking solely at the source tree.

Test: Files under /vendor/bin/hw correctly labelled on sailfish,
      angler, and a device which uses the /vendor symlink.
Bug: 35431549
Change-Id: If6ccb2c9cb85b0589db03ab86de8071e15d5366f
2017-02-16 13:33:22 -08:00
Steven Moreland
aa11b6a9c7 Move hals to vendor partition.
Bug: 34135607
Test: hals work

Merged-In: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
Change-Id: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
2017-02-13 23:14:13 +00:00