wpa_supplicant needs permission to access the Netlink Interceptor HAL.
Bug: 224844967
Test: Modified version of wpa_supplicant can access Netlink Interceptor
Change-Id: I80c6c980b6655beadfaf14535702ad8e96c2befe
This restores the change made in ag/3883322, which was inadvertently
reverted with the combination of ag/3998755 and the merge of
aosp/666885.
Bug: 9496886
Bug: 68016944
Test: Builds, device boots, no denial seen.
Change-Id: I6af83c5bf982283d69ac31c0495471079555c894
This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters.
Bug: 77903086
Test: WiFi still working
Change-Id: I4b5e2b59eeeb6d0ac19dbcbcf0e7e80942247893
This is needed to allow it to log audit events, e.g. cert
validation failure.
Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Merged-In: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
This is needed to allow it to log audit events, e.g. cert
validation failure.
Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Treble compliance.
Bug: 70228425
Bug: 70393317
Test: complete wifi test in b/70393317
Test: Test wifi on Taimen and Sailfish
Test: verify sockets exist in /data/vendor/wifi/wpa/sockets
Change-Id: I217c0eda0e5af50bb603cfcc35d60bf0d9cad72e
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.
Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
fingerprint
Test: Apply OTA update:
Make some visible change, e.g., rename Settings app.
make otatools && \
make dist
Ensure device has network connectivity
ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.
Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
fingerprint
Test: Apply OTA update:
Make some visible change, e.g., rename Settings app.
make otatools && \
make dist
Ensure device has network connectivity
ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
Confirm the change is now live on the device
Bug: 34454312
Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.
Bug: 36463595
Test: Boot sailfish without any new denials
Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.
The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).
Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
keystore and hal_wifi_supplicant_default domains
Bug: 36896667
Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
Moving the wpa_supplicant interaction from the binder keystore service
to the new wifi keystore HAL.
Denials addressed:
03-29 00:04:52.075 734 734 E SELinux : avc: denied { get } for
pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
tcontext=u:r:keystore:s0 tclass=keystore_key
Bug: 34603782
Test: Able to connect to wifi passpoint networks. Denials no longer
seen.
Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open file:
stat/read/write/append.
This commit marks core data types as core_data_file_type and bans
access to non-core domains with an exemption for apps. A temporary
exemption is also granted to domains that currently rely on
access with TODOs and bug number for each exemption.
Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video.
No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
Note: The existing rules allowing socket communication will be removed
once we migrate over to HIDL completely.
(cherry-pick of 2a9595ede2)
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
