Commit graph

21 commits

Author SHA1 Message Date
Håkan Kvist
1f915b4b13 label boot animations on oem with bootanim_oem_file
Bootanimation only access boot animation files on oem. Label
these files with bootanim_oem_file and remove oemfs file allow rule.

Also allow mediaserver and app to read this new label as they can access
/oem/media folder.

Bug: 324437684
Test: Confirm that boot animation on oem is shown without violations
Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb
2024-02-16 11:08:30 +01:00
Gavin Corkery
d4d3c01fa3 Allow apps and SDK sandbox to access each others' open FDs
An app may wish to pass an open FD for the SDK sandbox
to consume, and vice versa. Neither party will be
permitted to write to the other's open FD.

Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
2023-05-12 11:35:07 +00:00
Gavin Corkery
a2e6584772 Allow mediaprovider and mediaserver to read sdk_sandbox_data_file
Context: go/videoview-local-sandbox. This change is required to
play local files in a VideoView in the SDK sandbox.

Test: Manual steps described in doc
Bug: 266592086
Change-Id: I940609d5dff4fc73d0376489646488c7b96eebb8
2023-05-04 16:21:38 +00:00
Alfred Piccioni
30ae427ed0 Adds support for fuseblk binaries.
This is a rather large, single change to the SEPolicies, as fuseblk
required multiple new domains. The goal is to allow any fuseblk
drivers to also use the same sepolicy.

Note the compartmentalized domain for sys_admin and mount/unmount
permissions.

Bug: 254407246

Test: Extensive testing with an ADT-4 and NTFS USB drives.
Change-Id: I6619ac77ce44ba60edd6ab10e8436a8712459b48
2023-02-02 15:32:39 +01:00
Eric Biggers
9a5992336e Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug.  Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()".  Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories.  Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.

This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible.  This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories.  This
is similar to what https://r.android.com/1117297 did for /data itself.

Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.

A significant limitation is that /data/user/0 is currently being created
by init during early boot.  Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories.  As the
next step, I'll try to eliminate the /data/user/0 quirk.  Anyway, this
CL is needed regardless of whether we're able to do that.

Test: Booted cuttlefish.  Ran 'sm partition disk:253,32 private', then
      created and deleted a user.  Used 'ls -lZ' to check the relevant
      SELinux labels on both internal and adoptable storage.  Also did
      similar tests on raven, with the addition of going through the
      setup wizard and using an app that creates media files.  No
      relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 04:12:46 +00:00
Jason Macnak
a93398051c Adds GPU sepolicy to support devices with DRM gralloc/rendering
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).

After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.

Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.

Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 17:30:56 -07:00
Stephane Lee
b30e888b5c Add search in bpf directory for bpfdomains
Bug: 203462310
Test: Ensure that associated BPFs can be loaded
Change-Id: I317a890abb518cf4ac47cd089e882315434342ce
2022-03-21 17:31:17 -07:00
Steven Moreland
6598175e06 bpfdomain: attribute for domain which can use BPF
Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.

Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325
2022-02-10 00:34:50 +00:00
Rick Yiu
8cb0bb81f0 sepolicy: Fix potential avc denials
Bug: 206970384
Test: make selinux_policy pass
Change-Id: I2516987ea609b4328951b519f437405bef7a78d5
2021-12-08 10:24:30 +08:00
Alessio Balsini
fd3e9d838e mediaprovider_app can access BPF resources
The FUSE daemon in MediaProvider needs to access the file descriptor of
its pinned BPF program and the maps used to commuicate with the kernel.

Bug: 202785178
Test: adb logcat FuseDaemon:V \*:S (in git_master)
Ignore-AOSP-First: mirroring AOSP for prototyping
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
2021-12-06 19:12:55 +00:00
Zim
26d73ceb6e Allow MediaProvider to access the media metrics service
This allows MediaProvider call certain MediaCodec APIs

Test: atest TranscodeTest
Bug: 190422448
Change-Id: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
2021-10-15 08:39:30 +00:00
Rick Yiu
bc2fe2d944 Move mediaprovider_app to common code
The policy under device folder will be removed for GSI, so move the
policy to common code.

Bug: 196326750
Test: build pass
Change-Id: I9544db1771ba7b94a98913bf892386f95cf919be
2021-08-12 17:04:30 +08:00
Sahana Rao
21d69b1222 Allow AudioServer find for mediaprovider_app
As part of PhotoPicker, we will be playing the video. To allow video
playback, allow AudioServer `find` access for mediaprovider_app.

Bug: 169737802
Test: Verified that video playback works in PhotoPicker
Change-Id: Ie5acb77b2f446ee8af6cf384fd5a66bf64a15752
2021-07-02 10:23:04 +01:00
Hridya Valsaraju
a2a2d9cbbd Add missing permissions for Cuttlefish to support GSI testing
Once b/186727553 is fixed, booting GSI on cuttlefish will no longer load
cuttlefish's system_ext sepolicy. These domains are all private and
hence the permissions are being added to system/sepolicy to avoid
making them public(especially mediatranscoding that was changed from
public to private in Android S).

Test: build, boot
Change-Id: I4a78030015fff147545bb627c9e62afbd0daa9d7
2021-05-03 16:49:07 -07:00
Inseob Kim
832e17b695 Relabel drm related props from exported*_prop
To clean up bad context name exported[23]_default_prop

Bug: 155844385
Test: m selinux_policy
Change-Id: I9f9ddb0d44c4cea9bd1724df730bb7be9a6fb2d2
2020-06-19 10:52:10 +09:00
shafik
6ca338d69b Allow MediaProvider to binder call into statsd
Adds sepolicy rules to allow MediaProvider to make binder calls into
statsd. That's to allow MediaProvider to register a StatsCallbackPuller
for metrics.

Test: build
Bug: 149669087
Change-Id: I9a13fc04c12557a0435724cfae04f752f856a06e
2020-06-15 19:21:28 +01:00
Daniel Rosenberg
afede84ad5 Add sdcardfs variable to storage_config_props
This property allows us to disable sdcardfs if it is present. The old
property ended up getting repurposed, so a new one was needed.
Mediaprovider will also need to access this to determine what actions it
needs to take.

Test: builds
Bug: 155222498
Change-Id: I66ac106613cbb374f54659601e4ba3f61eaecd2f
2020-05-19 00:30:52 -07:00
Zim
85d87cfa6e Grant MediaProvider read file access on /mnt/pass_through
It already has read dir access, but was missing file access which
would allow it read /sdcard symlink (/mnt/pass_through/0/self/primary)

Test: adb shell am broadcast -a
android.intent.action.MEDIA_SCANNER_SCAN_FILE
--receiver-include-background -d file:///sdcard
Bug: 153151011

Change-Id: If4d3fa3d96de6dd9672c0c3aa25fb25f196fe295
2020-04-15 09:13:09 +01:00
Zim
64011ac697 Grant MediaProvider access to /mnt/media_rw
Copied access from the old mediaprovider.te to the new
mediaprovider_app.te.

Test: MediaProvider can create dirs on /mnt/media_rw/<uuid>
Bug: 151981237
Change-Id: Icdb260d2e76a05a15512a5dd00e08f8ae861dce6
2020-03-25 13:36:06 +00:00
Martijn Coenen
fd54803f0b Allow mediaprovider_app access to /proc/filesystems.
It needs to be able to see supported filesystems to handle external
storage correctly.

Bug: 146419093
Test: no denials
Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e
2020-02-19 17:24:24 +01:00
Martijn Coenen
e3f1d5a314 Create new mediaprovider_app domain.
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.

Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
2020-02-04 16:53:18 +01:00