Commit graph

214 commits

Author SHA1 Message Date
Peng Xu
5d06d48197 Merge changes Id4ac3552,I2068f6f4
am: 4828451231

Change-Id: I3096c5d0871872de5484f862f9f9878d6a8fce13
2017-09-15 01:32:37 +00:00
Peng Xu
123bbe9491 Allow sensor hal to use wakelock
Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.

Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
      successfuly.

Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9
2017-09-14 13:40:33 -07:00
Peng Xu
d1a9a2f419 Allow sensor to use gralloc handle and access ion device
Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.

Test: SensorDirectReportTest passes without setenforce 0

Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f
Merged-In: I2068f6f4a8ac15da40126892e1326e0b90a6576f
2017-09-14 13:36:27 -07:00
Tomasz Wasilczyk
567b947d85 Move Broadcast Radio HAL to a separate binary.
Bug: 63600413
Test: VTS, instrumentation, audit2allow
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
2017-08-28 09:44:50 -07:00
Todd Poynor
e9b2def796 thermal: sepolicy for thermalservice and Thermal HAL revision 1.1
Add sepolicy for thermalserviced daemon, IThermalService binder
service, IThermalCallback hwservice, and Thermal HAL revision 1.1.

Test: manual: marlin with modified thermal-engine.conf
Bug: 30982366
Change-Id: I207fa0f922a4e658338af91dea28c497781e8fe9
(cherry picked from commit ec3b6b7e25)
2017-08-04 16:24:05 +00:00
Jeff Vander Stoep
0f697a7e88 Merge "hal_tetheroffload: Grant permissions" into oc-dr1-dev am: 243c46cc46
am: 6907f57417

Change-Id: I2b073252ccdcd30fce523a83ba43dea14eeaad3b
2017-06-29 04:36:30 +00:00
Jeff Vander Stoep
e58a8de5e7 hal_tetheroffload: Grant permissions
avc: denied { read write } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { setopt } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { getattr } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { create } for scontext=u:r:system_server:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket

Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
  ...
  Log:
    ...
    06-28 11:46:58.841 - SET master tether settings: ON
    06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
    06-28 11:46:58.853   816   947 I IPAHALService: IPACM was provided two FDs (18, 19)
    06-28 11:46:58.853  1200  1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I0c63bd2de334b4ca40e54efb9df4ed4904667e21
2017-06-29 04:24:14 +00:00
TreeHugger Robot
724e825a62 Merge "cas: add CAS hal and switch to use hwservice" 2017-06-28 20:37:18 +00:00
Sandeep Patil
63475b084c Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev am: 0e0ed156ea am: ed27bec522
am: 9f5801de50

Change-Id: I5861f5464762ddea8c6a39cb3968d73017d9767d
2017-06-22 00:43:46 +00:00
Sandeep Patil
ed27bec522 Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev
am: 0e0ed156ea

Change-Id: I8ec0c46355507e8c1a7d10c53805eb350ebbe6a5
2017-06-22 00:38:43 +00:00
Sandeep Patil
65ffb0657f Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev
am: 0e0ed156ea

Change-Id: Ic73d84dacc95d5b902dc6c9530b98e53d71574f1
2017-06-22 00:37:47 +00:00
Sandeep Patil
3a9391152f Revert "Annotate rild with socket_between_core_and_vendor_violators"
This reverts commit 57e9946fb7.

Bug: 62616897
Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
    not break.

Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-06-21 15:30:56 -07:00
Chong Zhang
78e595deab cas: add CAS hal and switch to use hwservice
bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028
2017-06-16 13:28:36 -07:00
Jeff Vander Stoep
4a057c9459 Files on /data must have the data_file_type attr
This will be enforced by build-time and CTS tests.

Test: build policy
Change-Id: Ie852fa59670969a2352a97be357d37e420fb180e
2017-06-08 20:03:18 +00:00
Sandeep Patil
0a53f1d4fa Fix coredomain violation for modprobe
am: e41af20397

Change-Id: I586cf07d87339f83d66919871d1531e9b8d79c4e
2017-06-06 03:54:39 +00:00
Sandeep Patil
e41af20397 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
2017-06-05 08:09:18 -07:00
Sandeep Patil
9e366a0e49 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-06-02 16:11:52 -07:00
Sohani Rao
55c7adde2d SE Policy for Wifi Offload HAL
am: 325bf72592

Change-Id: I024229279b62dbd30287c505f20f51e9131b82c5
2017-05-18 20:23:03 +00:00
Sohani Rao
325bf72592 SE Policy for Wifi Offload HAL
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
and 66e27bf502

Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.

Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
2017-05-18 09:49:55 -07:00
Jeff Vander Stoep
093bcd99b4 Merge "Move domain_deprecated into private policy" into oc-dev am: 02a101a695
am: 35e09523a5

Change-Id: I728d32563d123fafd7c316f5ea5764a463876757
2017-05-16 21:49:16 +00:00
Jeff Vander Stoep
35e09523a5 Merge "Move domain_deprecated into private policy" into oc-dev
am: 02a101a695

Change-Id: I0140009cfbf316489db4994b414ac079776ead21
2017-05-16 21:46:06 +00:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Jaesoo Lee
8c79670e5f configstore: assign label to all minor versions of configstore service am: c895f278bb am: 8741d4fe3d am: 0e573bd59c
am: 3986e93590

Change-Id: I9f30605deb73d922d3758971a07a470f242b484a
2017-05-10 13:54:29 +00:00
Jaesoo Lee
3986e93590 configstore: assign label to all minor versions of configstore service am: c895f278bb am: 8741d4fe3d
am: 0e573bd59c

Change-Id: Ifde25dcde7b5eec4a797124ed3eeaa45dc9d4414
2017-05-10 13:45:59 +00:00
Jaesoo Lee
c895f278bb configstore: assign label to all minor versions of configstore service
Added rule:

/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0

Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58
2017-05-10 12:27:34 +09:00
Peng Xu
66e6a49499 Allow sensor to use gralloc handle and access ion device
Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.

Test: SensorDirectReportTest passes without setenforce 0

Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f
2017-05-03 17:53:15 -07:00
Steven Moreland
e94edba94e Merge "Remove audio from socket_between.._violators" into oc-dev am: bd08796853
am: ce83ea6187

Change-Id: Iad18f7eccc02d3eb1e1955989ede6318597f9273
2017-04-29 21:18:48 +00:00
TreeHugger Robot
bd08796853 Merge "Remove audio from socket_between.._violators" into oc-dev 2017-04-29 21:06:54 +00:00
TreeHugger Robot
74a96734a9 Merge "Add default label and mapping for vendor services" into oc-dev 2017-04-29 18:05:30 +00:00
TreeHugger Robot
02bbb402e0 Merge "Add default label and mapping for vendor services" 2017-04-28 22:30:52 +00:00
Jeff Vander Stoep
082eae4e51 Add default label and mapping for vendor services
Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b842c)
2017-04-28 14:56:57 -07:00
Jeff Vander Stoep
639a2b842c Add default label and mapping for vendor services
Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
2017-04-28 14:00:10 -07:00
Steven Moreland
b0ed936373 Remove audio from socket_between.._violators
Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5
2017-04-28 20:03:03 +00:00
Ruchi Kandoi
179f26bd6b Merge changes Ia9960af9,I6987d60c into oc-dev am: b9d5d5cc8b
am: d792de481a

Change-Id: I94257c20a5b7621c883c9386dc327501e713860c
2017-04-28 02:33:07 +00:00
Ruchi Kandoi
688a76672e NFC HAL no longer violates socket access restrictions
Test: compiles
Bug: 37640900
Change-Id: Ia9960af9da880fd130b5fb211a054689e2353f1d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2017-04-27 17:21:42 +00:00
Alex Klyubin
8fed11ad94 Fix typos in comment am: a8a03c842c
am: 68266d0663

Change-Id: I6d7f435636dc240da6cab0e0412ad84d90482848
2017-04-25 18:24:37 +00:00
Alex Klyubin
a8a03c842c Fix typos in comment
This is a follow-up to cbc0d2bb91 which
introduced the typos.

Test: mmm system/sepolicy -- comments only change
Bug: 37640821
Change-Id: Ibe0eda0b3ee9bbfb1e33ef98f2e81267ec580e59
2017-04-25 08:49:44 -07:00
Alex Klyubin
69b0e12775 Merge "Add a TODO for the Audio HAL socket use violation" into oc-dev am: 53b2c80949
am: 406fbf506c

Change-Id: I5a883b0b1bc35cebe19aebecd56cfb83b3661695
2017-04-25 15:17:43 +00:00
TreeHugger Robot
53b2c80949 Merge "Add a TODO for the Audio HAL socket use violation" into oc-dev 2017-04-25 15:11:02 +00:00
Alex Klyubin
67dec7750f Merge "Add a TODO for the NFC HAL socket use violation" into oc-dev am: 3f6b7ff0c1
am: c29f695571

Change-Id: I30f34d3397d1e8868793785e1d9441ebdf312cff
2017-04-25 02:40:25 +00:00
Alex Klyubin
cbc0d2bb91 Add a TODO for the Audio HAL socket use violation
Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640821
Change-Id: I28c27b369268e75ab6b2d27bcb30b88acb2732e6
2017-04-24 14:47:20 -07:00
Alex Klyubin
2e53216b9f Add a TODO for the NFC HAL socket use violation
Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640900
Change-Id: I7c96dde15f74822a19ecc1b28665913b54b3973b
2017-04-24 14:37:53 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
632bc494f1 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3
2017-04-20 14:45:21 -07:00
Sandeep Patil
66e27bf502 label hal_wifi_offload to be vendor type
Bug: 36463595
Test: make -j48 sepolicy
Change-Id: Id8e66e3e08ceb1301c36824af93410aa84def8d3
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-15 19:07:12 -07:00
Alex Klyubin
20c2d4e98c Remove unnecessary attributes
Test: mmm system/sepolicy
Bug: 34980020

(cherry picked from commit 3cc6a95944)

Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0
2017-04-14 09:39:19 -07:00
Sandeep Patil
c493a88edb Make hal_tv_cec_default exec a vendor_file_type am: 5d81208e81
am: 6f3fbd6acd

Change-Id: Ibe500a319b929c558b1f0289dd0f84a1b00d0019
2017-04-14 03:45:16 +00:00
Sandeep Patil
5d81208e81 Make hal_tv_cec_default exec a vendor_file_type
Bug: 36987889
Test: Build

Change-Id: I6dda2949069ccf14d3463bd7428494bde561ed9a
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-13 17:32:43 -07:00
Alex Klyubin
3cc6a95944 Remove unnecessary attributes
Test: mmm system/sepolicy
Bug: 34980020
Change-Id: I36547658a844c58fcb21bb5a0244ab6f61291736
2017-04-12 18:50:46 -07:00
Sandeep Patil
d3472370b4 Merge "sepolicy: make exec_types in /vendor a subset of vendor_file_type" into oc-dev am: c01a7e193f
am: 64c41a7199

Change-Id: I51768d388cb25ea1a0b345d99f3d7fd9b57be25c
2017-04-12 19:37:46 +00:00
Sandeep Patil
c01a7e193f Merge "sepolicy: make exec_types in /vendor a subset of vendor_file_type" into oc-dev 2017-04-12 19:25:12 +00:00
Donghyun Cho
677d6f4e9c Merge "Add sepolicy for tv.cec" into oc-dev am: 976fb16bc1
am: 6b2e934c3c

Change-Id: If4839eb04ee034f4cdc10db1d04b39e13c718b5c
2017-04-12 08:23:58 +00:00
TreeHugger Robot
976fb16bc1 Merge "Add sepolicy for tv.cec" into oc-dev 2017-04-12 08:13:40 +00:00
Sandeep Patil
2ee66e7d14 sepolicy: make exec_types in /vendor a subset of vendor_file_type
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.

Bug: 36463595
Test: Boot sailfish without any new denials

Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-11 17:20:36 +00:00
Donghyun Cho
f81dd0c578 Add sepolicy for tv.cec
Bug: 36562029
Test: m -j40 and CEC functionality works well
Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8
2017-04-07 11:21:56 +09:00
Sandeep Patil
323ffe2fdf Merge "sepolicy: add missing labels for same process HALs." into oc-dev am: 42424f13e5
am: 870160d528

Change-Id: Ia54190a372be0ffb8ed573dab31cdce4c0ddbf7a
2017-04-06 23:43:04 +00:00
Sandeep Patil
366c2ec1dc sepolicy: add missing labels for same process HALs.
Some of the same process HAL labeling was missing from Marlin.
These are identified by tracking library dependencies.

Bug: 37084733
Test: Build and boot sailfish. The change allows the labelled libraries
      to be opened by any domain. So, the boot test is sufficient.

Change-Id: Id55e834d6863ca644f912efdd690fccb71d3eaf3
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:50:23 -07:00
Alex Klyubin
195d569ce1 Merge "Wifi Keystore HAL is not a HAL" into oc-dev am: 7c3dbfeb69
am: ec9209be52

Change-Id: I4162ad407b058de775089b003f6a9227db379154
2017-04-06 04:08:54 +00:00
Alex Klyubin
7c3dbfeb69 Merge "Wifi Keystore HAL is not a HAL" into oc-dev 2017-04-06 04:02:04 +00:00
Sandeep Patil
9954cb6142 Merge changes from topic 'vendor-ocdev-relabel' into oc-dev am: 37792cecad
am: 6d2e29c1b7

Change-Id: I130f42e045695b3c08d25f4ba287a35c4687d8c1
2017-04-06 03:27:42 +00:00
Sandeep Patil
277a20ebec sepolicy: relabel /vendor
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-05 13:58:32 -07:00
Alex Klyubin
c4e4eef7de Merge "tee no longer violates the socket comms ban" into oc-dev am: e311d66955
am: 8e7b0763f3

Change-Id: I90e02a9387f4efa001454be7c4351e10c92ae7f9
2017-04-04 23:24:01 +00:00
Alex Klyubin
9a14704f62 Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.

The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).

Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
      keystore and hal_wifi_supplicant_default domains
Bug: 36896667

Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 15:04:05 -07:00
Sohani Rao
3dd460ba2b SE Policy for Wifi Offload HAL
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987

Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.

Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
2017-04-04 14:28:39 -07:00
Alex Klyubin
645abeaded tee no longer violates the socket comms ban
SELinux policy no longer has allow rules which permit core/non-vendor
domains to communicate with tee domain over sockets. This commit thus
removes tee from the list of temporary exceptions for the socket
communications prohibition.

Test: mmm system/sepolicy
Bug: 36714625
Bug: 36715266
Change-Id: Iccbd9ea0555b0c9f1cb6c5e0f5a6c0d3f8730b4d
2017-04-04 14:12:14 -07:00
TreeHugger Robot
fbccda3423 Merge "Move TEE rules to vendor image" into oc-dev 2017-04-04 18:59:24 +00:00
TreeHugger Robot
29f273ce6a Merge "sepolicy: Add new wifi keystore HAL" into oc-dev 2017-04-04 16:12:48 +00:00
Martijn Coenen
c3a9e7df5f Merge "Add target for vndservice_contexts." into oc-dev 2017-04-04 03:41:47 +00:00
Martijn Coenen
6676c234fc Add target for vndservice_contexts.
So we can limit vndservicemanager access to
just vndservice_contexts.

Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
2017-04-03 15:39:42 -07:00
Shubang Lu
a1c0650898 Merge "Add sepolicy for tv.input" into oc-dev 2017-04-03 19:55:53 +00:00
Alex Klyubin
304d653637 Move TEE rules to vendor image
"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
   character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6
2017-04-03 11:11:48 -07:00
Shubang
c76e158c27 Add sepolicy for tv.input
Test: build, flash; adb shell lshal
Bug: 36562029
Change-Id: If8f6d8dbd99d31e6627fa4b7c1fd4faea3b75cf2
2017-03-31 13:44:50 -07:00
Alex Klyubin
2f6151ea44 Tighten restrictions on core <-> vendor socket comms
This futher restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.

This has now effect on what domains are permitted to do. This only
changes neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153

(cherry picked from commit cf2ffdf0d8)

Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
2017-03-31 09:17:54 -07:00
Myles Watson
02d9d21dcb Disallow HAL access to Bluetooth data files
Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
Merged-In: Ib8d610f201a8c35f95b464c24857c6639205bc66
2017-03-30 17:59:32 +00:00
Myles Watson
1317b4ca23 Disallow HAL access to Bluetooth data files
Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
2017-03-30 16:00:23 +00:00
TreeHugger Robot
36c8f1601a Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev 2017-03-30 07:40:04 +00:00
Jiyong Park
57e9946fb7 Annotate rild with socket_between_core_and_vendor_violators
Full treble targets cannot have sockets between framework and vendor
processes. In theory, this should not affect aosp_arm64_ab where only
framework binaries are built. However, /system/sepolicy has rild.te
which is now vendor binary and this causes neverallow conflict when
building aosp_arm64_ab.

So, we just temporarily annotate the rild with
socket_between_core_and_vendor_violators so that the neverallow conflict
can be avoided.

Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
not break.

Change-Id: I260757cde96857cc3f539d5f82ca69c50653f8c7
2017-03-30 11:05:14 +09:00
Roshan Pius
9af7c95f86 sepolicy: Add new wifi keystore HAL
Moving the wpa_supplicant interaction from the binder keystore service
to the new wifi keystore HAL.

Denials addressed:
03-29 00:04:52.075   734   734 E SELinux : avc:  denied  { get } for
pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
tcontext=u:r:keystore:s0 tclass=keystore_key

Bug: 34603782
Test: Able to connect to wifi passpoint networks. Denials no longer
seen.
Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
2017-03-29 14:07:36 -07:00
Alex Klyubin
0f6c047d2e tee domain is a vendor domain
As a result, Keymaster and DRM HALs are permitted to talk to tee domain
over sockets. Unfortunately, the tee domain needs to remain on the
exemptions list because drmserver, mediaserver, and surfaceflinger are
currently permitted to talk to this domain over sockets.

We need to figure out why global policy even defines a TEE domain...

Test: mmm system/sepolicy
Bug: 36601092
Bug: 36601602
Bug: 36714625
Bug: 36715266
Change-Id: I0b95e23361204bd046ae5ad22f9f953c810c1895
2017-03-29 13:13:27 -07:00
Jeff Vander Stoep
4a478c47f4 Ban vendor components access to core data types
Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open file:
stat/read/write/append.

This commit marks core data types as core_data_file_type and bans
access to non-core domains with an exemption for apps. A temporary
exemption is also granted to domains that currently rely on
access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video.
      No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
2017-03-28 15:44:39 -07:00
Alex Klyubin
2746ae6822 Ban socket connections between core and vendor
On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and
vendor domain are not permitted to connect to each other's sockets.
There are two main exceptions: (1) apps are permitted to talk to other
apps over Unix domain sockets (this is public API in Android
framework), and (2) domains with network access (netdomain) are
permitted to connect to netd.

This commit thus:
* adds neverallow rules restricting socket connection establishment,
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "socket_between_core_and_vendor_violators" attribute. The attribute
  is needed because the types corresponding to violators are not
  exposed to the public policy where the neverallow rules are.

Test: mmm system/sepolicy
Bug: 36613996
Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
2017-03-27 08:49:13 -07:00
Alex Klyubin
44df5b9432 mediacodec violates "no Binder in vendor" rule
This adds mediacodec to the list of temporary exemptions from the "no
Binder in vendor" rule.

Test: mmm system/sepolicy
Bug: 35870313
Change-Id: I0f00d4bfb90d6da45ae2fed65864bb8fb0a4e78e
2017-03-24 17:22:17 -07:00
Alex Klyubin
5e6a4dd332 Merge "Mark all clients of Allocator HAL" am: 73a6f38b94 am: 5d8fcf3bb0
am: f91f369d68

Change-Id: I58593c82cd9b7b1dc7fcdfa8916f4bf55a3d9ab4
2017-03-24 22:52:37 +00:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00
Alex Klyubin
68e6109d4a Vendor domains must not use Binder am: f5446eb148 am: 2fe065d708
am: 49ce439425

Change-Id: I1b38d903e61188594d0de80be479e7d9e045fb26
2017-03-24 15:03:44 +00:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Martijn Coenen
e7d8f4c3c8 Initial sepolicy for vndservicemanager.
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387
Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff
2017-03-23 00:20:43 +00:00
Martijn Coenen
7cfba9a773 Merge "Initial sepolicy for vndservicemanager." 2017-03-22 22:14:05 +00:00
Martijn Coenen
cba70be751 Initial sepolicy for vndservicemanager.
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Change-Id: Ifbf536932678d0ff13d019635fe6347e185ef387
2017-03-22 12:53:13 -07:00
Pawin Vongmasa
96a5b4a75a Move mediacodec to vendor partition.
Test: Camera, Photos, YouTube and Play Movies apps.
Bug: 35328855
Change-Id: I3643b668817a7336f7ccda781734920fbbcc2c63
2017-03-20 18:52:24 -07:00
Alex Klyubin
2438804719 Merge "Switch Boot Control HAL policy to _client/_server" am: 51a2238c9e am: 2a887bfb3d
am: 4abc2d23d5

Change-Id: I6602b883078cbf5778f9843d68263633de351dbc
2017-03-20 19:46:41 +00:00
Alex Klyubin
09d13e734d Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 17:22:06 -07:00
Alex Klyubin
578e2b8bcc Merge "Annotate most remaining HALs with _client/_server" am: 37f7ffa388 am: c067607bc3
am: 026679e3a1

Change-Id: Ia8f7ad357ce34068f0c1b4bfe54723e3ae05e2bc
2017-03-17 05:16:19 +00:00
Alex Klyubin
9e6b24c6a5 Annotate most remaining HALs with _client/_server
This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
  isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
  waiting for update_engine folks to answer a couple of questions
  which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-16 19:55:16 -07:00
Alex Klyubin
c2d6acfe5e Switch Sensors HAL policy to _client/_server am: 41518bec25 am: 6a0ba6c580
am: 37ec9b0a86

Change-Id: Iab8c116dc92313a7d987fd3c4b370da6d9483772
2017-03-14 22:10:57 +00:00
Alex Klyubin
41518bec25 Switch Sensors HAL policy to _client/_server
This switches Sensors HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Sensors HAL.

Domains which are clients of Sensors HAL, such as system_server, are
granted rules targeting hal_sensors only when the Sensors HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_sensors are
not granted to client domains.

Domains which offer a binderized implementation of Sensors HAL, such
as hal_sensors_default domain, are always granted rules targeting
hal_sensors.

P. S. This commit also removes
  allow system_server sensors_device:chr_file rw_file_perms
because this is device-specific and thus not needed in device-agnostic
policy. The device-specific policy of the affected devices already has
this rule.

Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice
      lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors
      and that the app can register to listen for updates for sensors
      and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
2017-03-14 12:43:29 -07:00
Po-Chien Hsueh
9a29301376 sepolicy: Move hostapd to vendor
Move hostapd to vendor/bin/ because it's only used by WIFI HAL.
This commit is for sepolicy corresponding changes.

Bug: 34236942
Bug: 34237659
Test: Hotspot works fine. Integration test.

Change-Id: I2ee165970a20f4015d5d62fc590d448e9acb92c1
2017-03-09 11:17:45 +08:00
Roshan Pius
a976e64d89 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ede2) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-03-07 01:34:28 +00:00
Roshan Pius
97f64b9057 Merge "sepolicy: Make wpa_supplicant a HIDL service" 2017-02-28 22:14:24 +00:00
Steven Moreland
ba1c5831fd Bluetooth hal: move to vendor partition.
Bug: 35328775
Test: works in both binderized and passthrough modes
Merged-In: I1f827b4983e5e67c516e4488ad3497dd62db7e20
Change-Id: I1f827b4983e5e67c516e4488ad3497dd62db7e20
2017-02-28 01:35:11 +00:00
Steven Moreland
0b23d3ed89 Bluetooth hal: move to vendor partition.
Bug: 35328775
Test: works in both binderized and passthrough modes
Change-Id: I1f827b4983e5e67c516e4488ad3497dd62db7e20
2017-02-27 15:42:52 -08:00
Roshan Pius
2a9595ede2 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-02-24 17:10:59 +00:00
Amit Mahajan
f7bed71a21 Move rild to vendor partition.
Test: Basic telephony sanity
Bug: 35672432
Change-Id: I7d17cc7efda9902013c21d508cefc77baccc06a8
2017-02-23 16:20:07 -08:00
Alex Klyubin
f7543d27b8 Switch Keymaster HAL policy to _client/_server
This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
      this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
      Keymaster HAL interaction:
      make cts cts-tradefed
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
2017-02-22 20:18:28 -08:00
Alex Klyubin
1d2a1476ae Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.

Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.

Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with
      Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
      not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079

Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-22 15:12:19 -08:00
Alex Klyubin
47174e3b9f Switch Dumpstate HAL policy to _client/_server
This switches Dumpstate HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Dumpstate HAL.

Domains which are clients of Dumpstate HAL, such as dumpstate domain,
are granted rules targeting hal_dumpstate only when the Dumpstate HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_dumpstate are not granted to client domains.

Domains which offer a binderized implementation of Dumpstate HAL, such
as hal_dumpstate_default domain, are always granted rules targeting
hal_dumpstate.

Test: adb bugreport
Test: Take bugreport through system UI
Bug: 34170079
Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27
2017-02-22 10:15:24 -08:00
Alex Klyubin
f98650e4ab Switch Fingerprint HAL policy to _client/_server
This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.

Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
      with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079

Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
2017-02-21 16:11:25 -08:00
Alex Klyubin
9b718c409f Switch DRM HAL policy to _client/_server
This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.

Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.

Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.

Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
2017-02-17 15:36:41 -08:00
Alex Klyubin
3a8426bf89 Switch Camera HAL policy to _client/_server
This switches Camera HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Camera HAL.

Domains which are clients of Camera HAL, such as cameraserver domain,
are granted rules targeting hal_camera only when the Camera HAL runs
in passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_camera are
not granted to client domains.

Domains which offer a binderized implementation of Camera HAL, such
as hal_camera_default domain, are always granted rules targeting
hal_camera.

Test: Take non-HDR photo using Google Camera app
Test: Take HDR photo using Google Camera app
Test: Record video using Google Camera app
Bug: 34170079
Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e
2017-02-16 20:37:21 -08:00
Alex Klyubin
3001d5a336 Label /vendor/bin/hw on devices without vendor partition
SELinux labeling of filesystem files ignores symlinks. Unfortunately,
/vendor is a symlink on devices without vendor partition
(e.g., hikey). Thus, policy in directories which are used both for
devices with vendor partition and for devices without vendor partition
must be adjusted to match both /vendor and /system/vendor. It is
assumed that the /vendor symlink, if it exists at all, always points
to /system/vendor.

The alternative solution of adjusting vendor policy file labelling
rules at vendor policy build time, when the actual on-device paths are
known, was considered to make it harder to see how files are labelled
by looking solely at the source tree.

Test: Files under /vendor/bin/hw correctly labelled on sailfish,
      angler, and a device which uses the /vendor symlink.
Bug: 35431549
Change-Id: If6ccb2c9cb85b0589db03ab86de8071e15d5366f
2017-02-16 13:33:22 -08:00
Alex Klyubin
ac2b4cd2cb Use _client and _server for Audio HAL policy
This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
  hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
  associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
  against the hal_foo attribute. This policy is granted to domains
  which offer the Foo HAL service over HwBinder and, if Foo HAL runs
  in the so-called passthrough mode (inside the process of each
  client), also granted to all domains which are clients of Foo HAL.
  hal_foo is there to avoid duplicating the rules for hal_foo_client
  and hal_foo_server to cover the passthrough/in-process Foo HAL and
  binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-15 13:32:14 -08:00
Alex Klyubin
ac1a6d440c Move hal_*_default policy to vendor image
hal_*_default daemons whose policy is in common/device-agnostic policy
are provided by the vendor image (see vendor/file_contexts). Thus,
their policy should also reside in the vendor image, rather than in
the system image. This means their policy should live in the vendor
subdirectory of this project.

Test: Device boots and appears to work
Bug: 34135607
Bug: 34170079
Change-Id: I6613e43733e03d4a3d4726f849732d903e024016
2017-02-14 18:35:50 -08:00
Steven Moreland
aa11b6a9c7 Move hals to vendor partition.
Bug: 34135607
Test: hals work

Merged-In: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
Change-Id: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
2017-02-13 23:14:13 +00:00
Chia-I Wu
1b95d88c6d Allow HWC to be binderized
Test: manual
Bug: 32021609
Change-Id: I6793794f3b1fb95b8dd9336f75362447de618274
2017-02-06 12:50:03 -08:00