Commit graph

22 commits

Author SHA1 Message Date
Hridya Valsaraju
8d5403c517 Add missing permission for accessing the DMA-BUF system heap
This patch fixes the following denials:

avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="BootAnimation"
path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:bootanim:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs"
ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1

Bug: 178865267
Test: boot without these denials
Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com>

Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07
2021-03-03 14:22:48 -08:00
Steven Moreland
9234e00daf hal_attribute_hwservice_client drop '_client'
Since this attribute just associates a hal_attribute
with a given hwservice in the standard way.

Bug: 80319537
Test: boot + sanity + test for denials
Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e
2018-06-06 09:30:18 -07:00
Steven Moreland
343e24a1be hal_attribute_hwservice_client += add_hwservice
For sanity, this makes 'hal_attribute_hwservice_client'
be associated with a specific hwservice thus making things
consistent.

After this change, only configstore, hal_allocator, and the
fwk_* services are inconsistent with all other HALs.

Bug: 80319537
Test: boot device, sanity tests, check for denials
Change-Id: Ibffc65c9567a429e07a3dc4dd41117738459dc2a
2018-06-06 09:25:52 -07:00
Steven Moreland
8fc7981885 Find hal_foo_hwservice -> you are hal_foo_client.
Before, it was possible to access a hwservice without declaring
that you were a client.

This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)

which makes sure the above implication holds using a neverallow rule.

Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
2018-05-30 16:46:57 -07:00
Yin-Chia Yeh
77c7d6fa8a hal_camera: Allow writing dump info into pipes
So dumpsys media.camera can do hal dump without root.

Bug: 72261676
Change-Id: Ic7325418bc2ee5dbb005430135f1ccc88b418e8c
2018-02-26 14:53:39 -08:00
Yin-Chia Yeh
746c61f015 Camera: sepolicy for external camera
Allow external camera HAL to monitor video device add/removal.

Bug: 64874137
Change-Id: I1a3116a220df63c0aabb3c9afd7450552e6cd417
2018-01-30 16:27:47 -08:00
Jeff Vander Stoep
6a28b68d54 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
2017-11-22 04:54:41 +00:00
Jeffrey Vander Stoep
cd69bebf76 Revert "Fix CTS regressions"
This reverts commit ed876a5e96.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 20:27:47 +00:00
Jeff Vander Stoep
ed876a5e96 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
2017-11-21 18:06:20 +00:00
Eino-Ville Talvala
815affc8da hal_camera: Don't allow access to /data/misc/camera
HALs are supposed to only access /data/vendor/*

Test: Camera CTS/ITS on walleye
Bug: 36601397
Change-Id: I8f586938127b5a9acaace4d5b8c3fc42ab13e0cf
(cherry picked from commit d7241d627d)
2017-11-10 14:15:04 -08:00
Jeff Vander Stoep
a1c94c8d25 hal_camera: remove video_device restriction
Disallowing other HALs access to video_device does not appear to be
enforceable.

(cherry picked from commit c26dd18aeb)

Bug: 37669506
Test: build policy. Neverallow rules are build time test and do not
      impact the policy binary.
Change-Id: Iea401de08a63f3261a461f67b85113a9d838e88a
2017-05-16 09:42:09 -07:00
Alex Klyubin
3ef2d51bac Relax neverallow for video_device access
On fugu, surfaceflinger is Graphics Allocator HAL. surfaceflinger
needs access to video_device. This commit thus relaxes the neverallow
rule which says that out of all HALs, only Camera HAL can access
video_device. The rule is relaxed to exclude HALs offered by
framework/system image.

Test: fugu boots
Bug: 37575062
Change-Id: I9b9be55fe0bf3928f1a6342113a7d6f9a2eb0260
2017-04-21 14:40:07 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
ab2c681fb1 Policy for Camera HAL HwBinder service
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.

Test: Use Google Camera app to take HDR+ photo, conventional photo,
      record video with sound, record slow motion video with sound.
      Check that the photos display correctly and that videos play
      back fine and with sound. Check that there are no SELinux
      denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
2017-04-13 10:31:04 -07:00
Alex Klyubin
08d6f56649 Switch Allocator HAL policy to _client/_server
This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.

Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).

Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow
      motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
2017-03-20 22:18:12 +00:00
Jeff Vander Stoep
7fa59c819c Enforce separation of privilege for HAL driver access
Only audio HAL may access audio driver.
Only camera HAL may access camera driver.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625
Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3
2017-03-13 22:40:01 -07:00
Yin-Chia Yeh
6824dfd773 Camera: hal_camera FD access update
Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
2017-03-05 14:34:25 -08:00
Yin-Chia Yeh
2dc4d1cc1c Camera: allow various FD usage for hal_camera
The camera HAL1 will need to pass/receive FD from various
related processes (app/surfaceflinger/medaiserver)

Change-Id: Ia6a6efdddc6e3e92c71211bd28a83eaf2ebd1948
2017-02-23 18:14:31 -08:00
Yin-Chia Yeh
2eca9e4a44 Camera: allow appdomain FD use for hal_camera
The preview surface will run in app process and hal_camera will
need to wait on FD generated by preview surface.

Test: the denial is gone, able to take photo in
      messenger/hangout/drive application.
Bug: 35589980
Bug: 35485227
Change-Id: I1977174369b104617156065ff25203a17265b707
2017-02-21 14:53:02 -08:00
Alex Klyubin
3a8426bf89 Switch Camera HAL policy to _client/_server
This switches Camera HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Camera HAL.

Domains which are clients of Camera HAL, such as cameraserver domain,
are granted rules targeting hal_camera only when the Camera HAL runs
in passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_camera are
not granted to client domains.

Domains which offer a binderized implementation of Camera HAL, such
as hal_camera_default domain, are always granted rules targeting
hal_camera.

Test: Take non-HDR photo using Google Camera app
Test: Take HDR photo using Google Camera app
Test: Record video using Google Camera app
Bug: 34170079
Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e
2017-02-16 20:37:21 -08:00
Steven Moreland
18d7f8c1b8 haldomain: search for passthrough hals
Bug: 34366227
Test: passthrough services successfully found
Change-Id: If2cad09edc42f01cc5a444229758ecdfe2017cf2
2017-01-24 16:41:00 -08:00
Eino-Ville Talvala
9c43a3ff10 DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy
- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice

Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
2017-01-18 12:02:36 -08:00