Commit graph

93 commits

Author SHA1 Message Date
Courtney Goeltzenleuchter
0629dedc41 Merge "Add support for updated HW composer interface" 2017-11-21 23:42:05 +00:00
Courtney Goeltzenleuchter
68f2438870 Add support for updated HW composer interface
Test: build
Bug: 63710530
Change-Id: I85cddfaf3ec004165040935f8723e9eed0ef7900
2017-11-21 10:09:23 -07:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Jeff Vander Stoep
d4785c3707 Move platform/vendor data violations to device policy
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.

Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
    and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye

Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e
2017-11-20 17:18:56 +00:00
Jeff Vander Stoep
13c69b891e Remove unused permissions from tee
Only getattr and read are necessary for lnk_file. Open violates a new
neverallow for separating system and vendor data.

Bug: 34980020
Test: Enroll fingerprint on Taimen
Change-Id: I9434afbd5b4ecc1ead9f0ba47c7582fb5a6c6bf0
2017-11-16 15:59:22 +00:00
Max Bires
afcb72ec63 Moving bug_map entry from wahoo specific to global policy
This denial affects marlin as well

Test: The associated denials are properly tagged with this bug
Change-Id: Ie90f1ac8c9a930465d8b806d77c2975c5f046403
2017-11-01 15:28:43 -07:00
Chong Zhang
42959b8f6e Allow CAS HAL default implementation to use vndbinder
bug: 67029332
testing:
- build
- boot
- CTS MediaCasTest on Pixel2

Change-Id: I019e0156c67c84875310d630f8a8bec7aaa483a6
2017-10-11 06:00:24 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Tomasz Wasilczyk
a9159dd155 Branch out Broadcast Radio 1.2 HAL.
Bug: 62945293
Test: instrumentation, VTS
Change-Id: I7e896b64bf0ee907af21d08f6b78561fadc7f0e3
2017-09-15 14:30:32 -07:00
Tomasz Wasilczyk
c998f31936 Merge "Move Broadcast Radio HAL to a separate binary." 2017-09-15 20:41:47 +00:00
Tomasz Wasilczyk
26ff5eb6b9 Move Broadcast Radio HAL to a separate binary.
Bug: 63600413
Test: VTS, instrumentation, audit2allow
Test: after cherry-pick - it builds
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
(cherry picked from commit 567b947d85)
2017-09-15 10:16:48 -07:00
Peng Xu
123bbe9491 Allow sensor hal to use wakelock
Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.

Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
      successfuly.

Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9
2017-09-14 13:40:33 -07:00
Peng Xu
d1a9a2f419 Allow sensor to use gralloc handle and access ion device
Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.

Test: SensorDirectReportTest passes without setenforce 0

Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f
Merged-In: I2068f6f4a8ac15da40126892e1326e0b90a6576f
2017-09-14 13:36:27 -07:00
Sandeep Patil
65ffb0657f Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev
am: 0e0ed156ea

Change-Id: Ic73d84dacc95d5b902dc6c9530b98e53d71574f1
2017-06-22 00:37:47 +00:00
Sandeep Patil
3a9391152f Revert "Annotate rild with socket_between_core_and_vendor_violators"
This reverts commit 57e9946fb7.

Bug: 62616897
Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
    not break.

Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-06-21 15:30:56 -07:00
Sandeep Patil
0a53f1d4fa Fix coredomain violation for modprobe
am: e41af20397

Change-Id: I586cf07d87339f83d66919871d1531e9b8d79c4e
2017-06-06 03:54:39 +00:00
Sandeep Patil
e41af20397 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
2017-06-05 08:09:18 -07:00
Sohani Rao
55c7adde2d SE Policy for Wifi Offload HAL
am: 325bf72592

Change-Id: I024229279b62dbd30287c505f20f51e9131b82c5
2017-05-18 20:23:03 +00:00
Sohani Rao
325bf72592 SE Policy for Wifi Offload HAL
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
and 66e27bf502

Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.

Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
2017-05-18 09:49:55 -07:00
Jeff Vander Stoep
35e09523a5 Merge "Move domain_deprecated into private policy" into oc-dev
am: 02a101a695

Change-Id: I0140009cfbf316489db4994b414ac079776ead21
2017-05-16 21:46:06 +00:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Jaesoo Lee
3986e93590 configstore: assign label to all minor versions of configstore service am: c895f278bb am: 8741d4fe3d
am: 0e573bd59c

Change-Id: Ifde25dcde7b5eec4a797124ed3eeaa45dc9d4414
2017-05-10 13:45:59 +00:00
Jaesoo Lee
c895f278bb configstore: assign label to all minor versions of configstore service
Added rule:

/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0

Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58
2017-05-10 12:27:34 +09:00
TreeHugger Robot
bd08796853 Merge "Remove audio from socket_between.._violators" into oc-dev 2017-04-29 21:06:54 +00:00
TreeHugger Robot
74a96734a9 Merge "Add default label and mapping for vendor services" into oc-dev 2017-04-29 18:05:30 +00:00
Jeff Vander Stoep
082eae4e51 Add default label and mapping for vendor services
Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b842c)
2017-04-28 14:56:57 -07:00
Steven Moreland
b0ed936373 Remove audio from socket_between.._violators
Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5
2017-04-28 20:03:03 +00:00
Ruchi Kandoi
688a76672e NFC HAL no longer violates socket access restrictions
Test: compiles
Bug: 37640900
Change-Id: Ia9960af9da880fd130b5fb211a054689e2353f1d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2017-04-27 17:21:42 +00:00
Alex Klyubin
a8a03c842c Fix typos in comment
This is a follow-up to cbc0d2bb91 which
introduced the typos.

Test: mmm system/sepolicy -- comments only change
Bug: 37640821
Change-Id: Ibe0eda0b3ee9bbfb1e33ef98f2e81267ec580e59
2017-04-25 08:49:44 -07:00
TreeHugger Robot
53b2c80949 Merge "Add a TODO for the Audio HAL socket use violation" into oc-dev 2017-04-25 15:11:02 +00:00
Alex Klyubin
cbc0d2bb91 Add a TODO for the Audio HAL socket use violation
Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640821
Change-Id: I28c27b369268e75ab6b2d27bcb30b88acb2732e6
2017-04-24 14:47:20 -07:00
Alex Klyubin
2e53216b9f Add a TODO for the NFC HAL socket use violation
Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640900
Change-Id: I7c96dde15f74822a19ecc1b28665913b54b3973b
2017-04-24 14:37:53 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
20c2d4e98c Remove unnecessary attributes
Test: mmm system/sepolicy
Bug: 34980020

(cherry picked from commit 3cc6a95944)

Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0
2017-04-14 09:39:19 -07:00
Sandeep Patil
5d81208e81 Make hal_tv_cec_default exec a vendor_file_type
Bug: 36987889
Test: Build

Change-Id: I6dda2949069ccf14d3463bd7428494bde561ed9a
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-13 17:32:43 -07:00
Sandeep Patil
c01a7e193f Merge "sepolicy: make exec_types in /vendor a subset of vendor_file_type" into oc-dev 2017-04-12 19:25:12 +00:00
TreeHugger Robot
976fb16bc1 Merge "Add sepolicy for tv.cec" into oc-dev 2017-04-12 08:13:40 +00:00
Sandeep Patil
2ee66e7d14 sepolicy: make exec_types in /vendor a subset of vendor_file_type
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.

Bug: 36463595
Test: Boot sailfish without any new denials

Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-11 17:20:36 +00:00
Donghyun Cho
f81dd0c578 Add sepolicy for tv.cec
Bug: 36562029
Test: m -j40 and CEC functionality works well
Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8
2017-04-07 11:21:56 +09:00
Sandeep Patil
366c2ec1dc sepolicy: add missing labels for same process HALs.
Some of the same process HAL labeling was missing from Marlin.
These are identified by tracking library dependencies.

Bug: 37084733
Test: Build and boot sailfish. The change allows the labelled libraries
      to be opened by any domain. So, the boot test is sufficient.

Change-Id: Id55e834d6863ca644f912efdd690fccb71d3eaf3
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:50:23 -07:00
Alex Klyubin
7c3dbfeb69 Merge "Wifi Keystore HAL is not a HAL" into oc-dev 2017-04-06 04:02:04 +00:00
Sandeep Patil
277a20ebec sepolicy: relabel /vendor
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-05 13:58:32 -07:00
Alex Klyubin
9a14704f62 Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.

The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).

Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
      keystore and hal_wifi_supplicant_default domains
Bug: 36896667

Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 15:04:05 -07:00
Alex Klyubin
645abeaded tee no longer violates the socket comms ban
SELinux policy no longer has allow rules which permit core/non-vendor
domains to communicate with tee domain over sockets. This commit thus
removes tee from the list of temporary exceptions for the socket
communications prohibition.

Test: mmm system/sepolicy
Bug: 36714625
Bug: 36715266
Change-Id: Iccbd9ea0555b0c9f1cb6c5e0f5a6c0d3f8730b4d
2017-04-04 14:12:14 -07:00
TreeHugger Robot
fbccda3423 Merge "Move TEE rules to vendor image" into oc-dev 2017-04-04 18:59:24 +00:00
TreeHugger Robot
29f273ce6a Merge "sepolicy: Add new wifi keystore HAL" into oc-dev 2017-04-04 16:12:48 +00:00
Martijn Coenen
c3a9e7df5f Merge "Add target for vndservice_contexts." into oc-dev 2017-04-04 03:41:47 +00:00
Martijn Coenen
6676c234fc Add target for vndservice_contexts.
So we can limit vndservicemanager access to
just vndservice_contexts.

Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
2017-04-03 15:39:42 -07:00
Shubang Lu
a1c0650898 Merge "Add sepolicy for tv.input" into oc-dev 2017-04-03 19:55:53 +00:00
Alex Klyubin
304d653637 Move TEE rules to vendor image
"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
   character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6
2017-04-03 11:11:48 -07:00