The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:
IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump
Bug: 37993476
Test: check contents of media.audio_flinger section in
a bugreport captured on Pixel device
Merged-In: I77d347c019ac93c3ba0d54ce50f0fdc243b04685
Change-Id: Ia0531f715ae5f8b2599153e54a11e9eb4ee47d4b
This is needed by linker to be able to load libraries from memfd
which currently generated the following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0
Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
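
The `path=` value in the denial above is hex-encoded because the file name contains spaces. The following added example (not part of the commit or of AOSP; the function names are hypothetical) parses that denial, decodes the path, and prints the rule the denial corresponds to so it can be reviewed. The commit's actual policy change is not shown on this page.

```python
import re

# The denial quoted in the commit message above, embedded so this runs offline.
DENIAL = ('avc: denied { getattr } for '
          'path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" '
          'ino=902079 scontext=u:r:shell:s0 '
          'tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the kernel logs as untrusted strings: quoted when plain, bare hex
# when they contain spaces, quotes or control bytes.
UNTRUSTED_FIELDS = {'path', 'name', 'comm'}


def decode_untrusted(value):
    """Return a readable string for a quoted or hex-encoded audit value."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    except ValueError:
        return value  # not hex after all; keep it as logged


def parse_avc(line):
    """Return the denial's fields as a dict, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    for key in fields.keys() & UNTRUSTED_FIELDS:
        fields[key] = decode_untrusted(fields[key])
    return {
        'perms': m.group(1).split(),
        'path': fields.get('path'),
        'source': fields['scontext'].split(':')[2],  # type of u:r:TYPE:s0
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def candidate_rule(d):
    """The allow rule this denial maps to, for review (nothing is applied)."""
    p = d['perms']
    perms = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"


if __name__ == '__main__':
    denial = parse_avc(DENIAL)
    print(denial['path'])
    print(candidate_rule(denial))
```

The decoded path names a memfd, which matches the commit's statement that the linker needs this access to load libraries from memfd.
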
Whether a device is full Treble or not, omx should be able to
access vndbinder
Test: (sanity) oc-dev marlin boots + YouTube + lshal
Fixes: 37528973
Change-Id: Idd734b42c7dfe3e09e544680a6893b03910ecd3e
The linker now requires getattr rights for the filesystem. Otherwise
linking otapreopt and patchoat/dex2oat will fail.
Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39
Fixes `adb shell cmd gpu vkjson`, which was previously failing due to
surfaceflinger not being able to use the socket passed to it by adbd.
Bug: b/37157136
Test: run above command, verified on marlin + bullhead
Change-Id: I57fa7e99d5c3dc7bc7d033b83f8ce6032162d7d3
The typical use case is where vendor apps which run as untrusted apps
use libraries that are packaged within the apk
Bug: 37753883
Test: Tested by running pre-installed app that packages a library from
/vendor/app
Change-Id: I445144e37e49e531f4f43b13f34d6f2e78d7a3cf
Signed-off-by: Sandeep Patil <sspatil@google.com>
The API does not expose the FD directly. But they are
used by libaaudio.so linked with the app.
Needed for low latency audio.
Bug: 37167970
Test: NativeOboe touch to tone latency app
Change-Id: I92372eff44d856e9aff399dc9c64fd18524fdc44
Signed-off-by: Phil Burk <philburk@google.com>
Adding the default label/mapping is important because:
1. Lookups of services without an selinux label should generate
a denial.
2. In permissive mode, lookups of a service without a label should be
allowed; without the default label, service manager disallows
access.
3. We can neverallow use of the default label.
Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
Add/find of unlabeled vendor services generate a denial.
Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b842c)
Audioserver loads A2DP module directly. The A2DP module
talks to the bluetooth server.
Bug: 37640821
Test: Play Music over BT headset
Change-Id: Ie6233e52a3773b636a81234b73e5e64cfbff458e
Rules defined in untrusted_app_all do not apply to all untrusted apps,
update the comments to reflect that.
Test: builds
Change-Id: I6f064bd93c13d8341128d941be34fdfaa0bec5da
Bluetooth needs the capability to set audio-related threads to be RT
scheduled. Grant it sys_nice.
system_server needs to set priority for the Bluetooth HAL. Allow it.
Bug: 37518404
Test: Play Bluetooth audio, confirm RT scheduling with systrace
Merged-In: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
(cherry picked from commit 6eee6eb2c0)
The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.
Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
Empty typeset is not an issue in neverallow rules. The reason is that
it's completely normal for scontext or tcontext of neverallow rules to
evaluate to an empty type set. For example, there are neverallow rules
whose purpose is to test that all types with particular powers are
associated with a particular attribute:
  neverallow {
    untrusted_app_all
    -untrusted_app
    -untrusted_app_25
  } domain:process fork;
Test: sepolicy-analyze neverallow -w -n \
'neverallow {} {}:binder call;'
produces empty output instead of "Warning! Empty type set"
Bug: 37357742
Change-Id: Id61b4fe22fafaf0522d8769dd4e23dfde6cd9f45
This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.
Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.
P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.
Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329