This is used for wificond to check if it is allowed to dump logs.
Bug: 31336376
Test: compile, manual test
Change-Id: I8a1b681255398f9a1f2cf79fd0891e58283aa747
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
We're going to be using Android framework directly to invoke Wifi HIDL
calls. So, change permissions appropriately.
Bug: 33398154
Test: Verfied that framework is able to make HIDL calls using
go/aog/310610.
Change-Id: I4d0d88961753ad73f3876aec58b26b89486cc02a
Modify permissions for wpa_supplicant to use hwbinder (for HIDL),
instead of binder.
Denials:
01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400
audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400
audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
BUG: 31365276
Test: Compiled and ensured that the selinux denials are no longer
present in logs.
Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
