Commit graph

37 commits

Author SHA1 Message Date
Inseob Kim
75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00
Mikhail Naganov
8b69e5fd48 Add ro.audio.ihaladaptervendorextension_enabled property
This property is used by libaudiohal@aidl to detect whether
the system_ext partition provides an instance of
IHalAdapterVendorExtension. This is a "system internal"
property because it belongs to `system_ext`.

Bug: 323989070
Test: atest audiorouting_test
Ignore-AOSP-First: coupled with Pixel change, will upstream
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:17406cd0a723cb89a03705709ec78d37b3d66042)
Merged-In: I81267da070958a70f2f3c4882718cac4600e3476
Change-Id: I81267da070958a70f2f3c4882718cac4600e3476
2024-02-14 18:53:37 +00:00
Vlad Popa
3fc7d83663 Add SELinux policy for accessing the AudioService
This is used by the playback notification API to get a reference to the
AudioService with the help of the ServiceManager.

Change-Id: I70324cf0579fd029ee9b3a20115bdab9106d24a8
Test: avd/avd_boot_test
Bug: 235521198
2022-07-27 12:11:50 +00:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Yifan Hong
be04b091bb Allow binder services to r/w su:tcp_socket
Test: binderHostDeviceTest
Bug: 182914638
Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9
2021-06-08 10:39:02 -07:00
Svet Ganov
365c57f338 Allow mediaserver/audioserver to access permission checker service
bug: 158792096

Test: atest CtsMediaTestCases
      atest CtsPermissionTestCases
      atest CtsPermission2TestCases
      atest CtsPermission3TestCases
      atest CtsPermission4TestCases

Change-Id: I392c87f0a85a09d891bceaaefeae1b3f9acff55a
2021-05-20 19:07:29 +00:00
Inseob Kim
4ce4e87de1 Move audio config props to audio_config_prop
Bug: 155844385
Test: sepolicy_tests
Change-Id: Ic199925b5e3e1c80f1e692c8c5fc2cbb73eda0f5
2020-05-06 22:58:29 +09:00
Ytai Ben-Tsvi
43a474271f Allow audio_server to access soundtrigger_middleware service
In order to update it when external capture is taking place.

Change-Id: I7620902bfdd93b3f80f3ab2921b6adae2e77166f
Bug: 142070343
2019-12-12 10:56:35 -08:00
Cheney Ni
25c58d0b57 Add rules for accessing the related bluetooth_audio_hal_prop am: e55a74bdff am: dd367bd058
am: 7f1e977b42

Change-Id: I0f2dd66489bb9d529f6e6cbd5bba7651fc5cf7ea
2019-03-20 01:53:39 -07:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Kevin Rocard
83f65ebbb2 Allow audioserver to access the package manager
This can not be done from the system server as there are native API that
do not go through it (aaudio, opensles).

Test: adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
2019-02-28 01:50:22 +00:00
Kevin Rocard
25f60574ee Allow audioserver to access the package manager
The audioserver needs to know if an app allows its audio to be recorded.
This can not be done from the system server as there are native API that
do not go through it (aaudio, opensles).

Test: adb shell audiorecorder --target /data/file.raw
      play sound
      adb shell dumpsys media.audio_policy | sed -n '/Mix:/,/^$/p'
      adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
2019-02-27 17:38:27 -08:00
Jeff Vander Stoep
41a2abfc0d Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
2019-01-26 17:30:41 +00:00
Jeffrey Vander Stoep
dd57e7b69f Merge "Properly Treble-ize tmpfs access" 2019-01-26 17:27:47 +00:00
Jeff Vander Stoep
e16fb9109c Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
2019-01-25 08:56:45 -08:00
Michael Wright
345d030880 Add new external vibrator service to system_server am: e9f1668c17 am: 24f1d94dfa
am: a55d651f46

Change-Id: I956c3652a6e0d84ed14f5c3ab52459d7214679ca
2019-01-25 08:54:32 -08:00
Michael Wright
e9f1668c17 Add new external vibrator service to system_server
Bug: 111457573
Test: N/A
Change-Id: I457fd9d13cc481f2687ab39d22240c6ea7231183
2019-01-25 14:26:07 +00:00
Michael Groover
1f6b919845 Add sepolicy for audioserver to find SensorPrivacyService
Test: Manually verified apps cannot record when Sensor Privacy \
      is enabled
Bug: 110842805

Change-Id: Ib68e686b4cee4a47e074a9097f22a6d58c7941f2
2018-12-17 21:33:15 -08:00
Tomoharu Kasahara
0a65041cba Allow audioserver to access persist.log.tag
Bug: 113756665
Test: adb shell getprop shows
persist.log.tag.APM_AudioPolicyManager

Change-Id: Id9363718a14c797de3fa146d2d0c34ee860bcdb6
2018-11-08 19:01:47 +09:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Tri Vo
ef81102a1d audioserver: add access to wake locks.
Bug: n/a
Test: audioserver is sucessfully able to acquire a wake lock
Change-Id: Ic3d3692eba2c1641ba3c9d8dc5f000f89105d752
2018-05-17 17:27:56 -07:00
Ray Essick
b85e382f50 give audioserver access to media.metrics
Let the audioserver record metrics with media.metrics service.
This is for 'audiopolicy' metrics.

Bug: 78595399
Test: record from different apps, see records in 'dumpsys media.metrics'
Change-Id: Ie5c403d0e5ac8c6d614db5e7b700611ddd6d07e9
Merged-In: I63f9d4ad2d2b08eb98a49b8de5f86b6797ba2995
2018-05-07 13:30:53 -07:00
Jaekyun Seok
224921d18a Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-13 09:25:06 +09:00
Mikhail Naganov
05e12dba34 Add shell:fifo_file permission for audioserver
Bug: 73405145
Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids
Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a
(cherry picked from commit c5815891f8)
Merged-In: I09bdb74c9ecc317ea090643635ca26165efa423a
2018-04-06 15:18:22 -07:00
Joel Galenson
6e8bfa2d3e Allow audioserver to access audio_device on non-Treble devices.
This should fix audio on non-Treble devices.

Bug: 75949883
Test: Built policy.
Change-Id: I90a4648aaf975d59be36afd5f62c88a015af10f7
2018-03-19 17:16:52 -07:00
Aniket Kumar Lata
d3d7800469 sepolicy: Read access to audioserver for Bluetooth properties
Provide read/write access to audioserver for Bluetooth
properties used with A2DP offload.

Bug: 68824150
Test: Manual; TestTracker/148125
Change-Id: I40c932d085ac55bc45e6654f966b2c9d244263d0
(cherry picked from commit 041049bc7a)
2018-03-12 13:28:55 -07:00
Ajay Panicker
e32d94064f Allow audioserver to access Bluetooth Properties
Now that Bluetooth supports delay reporting, audioserver needs
access to Bluetooth Properties in order to determine whether the
feature is enabled or disabled.

Bug: 32755225
Test: Enable the property and see that there was no error accessing it
Change-Id: I519d49deb2df4efb3cc2cce9c6d497db18b50c13
2018-02-28 04:09:33 +00:00
Svet Ganov
b9a1e7ba84 Don't record audio if UID is idle - sepolicy
If a UID is in an idle state we don't allow recording to protect
user's privacy. If the UID is in an idle state we allow recording
but report empty data (all zeros in the byte array) and once
the process goes in an active state we report the real mic data.
This avoids the race between the app being notified aboout its
lifecycle and the audio system being notified about the state
of a UID.

Test: Added - AudioRecordTest#testRecordNoDataForIdleUids
      Passing - cts-tradefed run cts-dev -m CtsMediaTestCases
              -t android.media.cts.AudioRecordTest

bug:63938985

Change-Id: I8c044e588bac4182efcdc08197925fddf593a717
2018-01-16 21:22:18 -08:00
Mikhail Naganov
9450a8754d Allow audioserver to talk to bluetooth server
Audioserver loads A2DP module directly. The A2DP module
talks to the bluetooth server.

Bug: 37640821
Test: Play Music over BT headset
Change-Id: Ie6233e52a3773b636a81234b73e5e64cfbff458e
2017-04-28 20:02:48 +00:00
Phil Burk
2b7f74e21f sepolicy: allow audioserver to use ALSA MMAP FDs
Bug: 37504387
Test: aaudio example write_sine, needs MMAP support
Change-Id: I7fbd87ad4803e8edbde4ba79220cb5c0bd6e85a0
Signed-off-by: Phil Burk <philburk@google.com>
2017-04-19 13:21:27 -07:00
Alex Klyubin
2d704464b7 Grant audioserver access to /system/lib64/hw
audioserver uses an always-passthrough Allocator HAL (ashmem / mapper)
whose .so is loaded from /system/lib64/hw.

Test: Modify hal_client_domain macro to not associate client of X HAL
      with hal_x attribute. Play Google Play Movies move -- no denials
      and AV playback works.
Bug: 37160141

Change-Id: I7b88b222aba5361a6c7f0f6bb89705503255a4b1
2017-04-10 11:40:53 -07:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Nick Kralevich
38c12828da Add documentation on neverallow rules
Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9
2017-02-17 22:37:23 +00:00
Alex Klyubin
ac2b4cd2cb Use _client and _server for Audio HAL policy
This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
  hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
  associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
  against the hal_foo attribute. This policy is granted to domains
  which offer the Foo HAL service over HwBinder and, if Foo HAL runs
  in the so-called passthrough mode (inside the process of each
  client), also granted to all domains which are clients of Foo HAL.
  hal_foo is there to avoid duplicating the rules for hal_foo_client
  and hal_foo_server to cover the passthrough/in-process Foo HAL and
  binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-15 13:32:14 -08:00
Alex Klyubin
238ce796a4 Move audioserver policy to private
This leaves only the existence of audioserver domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with audioserver_current
      except those created by other domains' allow rules referencing
      audioserver domain from public and vendor policies.
Bug: 31364497

Change-Id: I6662394d8318781de6e3b0c125435b66581363af
2017-02-07 10:47:18 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00