Commit graph

46 commits

Author SHA1 Message Date
Siarhei Vishniakou
41a871ba84 Permissions for InputClassifier HAL
Add the required permissions for the InputClassifier HAL.

Bug: 62940136
Test: no selinux denials in logcat when HAL is used inside input flinger.
Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76
2019-01-11 02:08:19 +00:00
Zachary Iqbal
893272d883 Added placeholder SELinux policy for the biometric face HAL.
Notes:
- Added face hal domain, context and file types for the default
  SELinux policy.
- Please see aosp/q/topic:"Face+Authentication"

Bug: 80155388
Test: Built successfully.
Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
2018-12-28 12:23:56 -08:00
Benjamin Schwartz
e7040eada0 Add power.stats HAL 1.0 sepolicy
Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP.

Bug: 111185513
Bug: 120551881
Test: make
Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
2018-12-11 00:11:08 +00:00
Pawin Vongmasa
7d9d64dcd9 Add public Codec2 HIDL interfaces
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 112362730
Bug: 119853704

Change-Id: Ie84dab48c4f068eb1f6289b5c022525cd06ef7fc
2018-11-30 05:11:21 -08:00
Jiwen 'Steve' Cai
d5c5ef900c Sepolicy for bufferhub hwservice
Bug: 118124442
Test: device can boot with android.frameworks.bufferhub@1.0-service
      running
Change-Id: I1d186d5350671b0d2dd4e831429b8fba828316e0
2018-10-25 10:08:05 -07:00
Howard Ro
b41dd1b54f Merge "Update sepolicies for stats hal"
am: aabee5fe5f

Change-Id: Ib271b23881eeff75f62613054714a11e8d67dc44
2018-10-02 14:06:31 -07:00
Howard Ro
578a189178 Update sepolicies for stats hal
Bug: 116732452
Test: No sepolicy violations observed with this change
(cherry picked from commit I1958182dd8ecc496625da2a2a834f71f5d43e7bb)

Change-Id: Ib386767d8acfacf9fedafd9a79dd555ce233f41c
2018-09-28 13:34:37 -07:00
Wei Wang
a15a0804bc Add atrace HAL 1.0 sepolicy
am: bc71a6109e

Change-Id: Iad34b6a0a8e4a9b885244804e07c93bc79f8731b
2018-09-27 16:27:11 -07:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Yifan Hong
fc433b5553 health.filesystem HAL renamed to health.storage
am: 1cef6a94eb

Change-Id: Ia7c2b0c347eb945777eac435c45df2683c556b80
2018-09-20 22:36:15 -07:00
Yifan Hong
1cef6a94eb health.filesystem HAL renamed to health.storage
...to reflect that the HAL operates on storage devices,
not filesystem.

Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
2018-09-20 04:12:45 +00:00
Tri Vo
e5374e6784 Sepolicy for system suspend HAL.
am: dac2a4a3a4

Change-Id: Ia03441639efe7f2147db104c7b1533b941c60f9e
2018-08-13 18:52:30 -07:00
Tri Vo
dac2a4a3a4 Sepolicy for system suspend HAL.
Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be
2018-08-13 17:26:34 -07:00
Yifan Hong
562a0d2f97 Merge "Add sepolicy for health filesystem HAL" am: 3dd465a097
am: 33eee9c584

Change-Id: I84d7cc56ec9280957218357ed97c1ca606b24795
2018-08-10 16:10:17 -07:00
Yifan Hong
0814795c79 Add sepolicy for health filesystem HAL
Test: builds
Test: vts
Bug: 111655771
Change-Id: Iabad3d124bf476cb624addf7d7898e0c2894d550
2018-08-10 11:02:21 -07:00
Todd Poynor
c6afcb7fc0 remove thermalcallback_hwservice
This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
2018-06-29 23:01:43 +00:00
Pavel Maltsev
43e172af66 Move automotive HALs sepolicy to system/
Bug: 70637118
Test: build, flash and boot automotive builds

Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
Merged-In: I6db23258de30174d6db09d241e91b08aa5afedef
(cherry picked from commit 394dbe34a0)
2018-05-04 21:36:48 +00:00
Roshan Pius
d7b34a48ff sepolicy(hostapd): Add a HIDL interface for hostapd
* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d)
2018-05-04 21:36:24 +00:00
Pavel Maltsev
394dbe34a0 Move automotive HALs sepolicy to system/
Bug: 70637118
Test: build, flash and boot bat_land and owl automotive builds

Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
2018-04-23 15:46:41 -07:00
Jeff Vander Stoep
c41f5b8465 hal_tetheroffload: move hwservice mapping to core policy
Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
(cherry picked from commit 3a346ea732)
2018-04-11 15:03:13 -07:00
Jeff Vander Stoep
3a346ea732 hal_tetheroffload: move hwservice mapping to core policy
Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
2018-04-11 14:52:48 -07:00
Sunny Kapdi
bc0c88f37d Bluetooth A2DP offload: Binder call to audio HAL
Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8)
2018-03-12 13:28:43 -07:00
Sunny Kapdi
863a4efaf3 Bluetooth A2DP offload: Binder call to audio HAL
Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 63932139
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8)
2018-03-12 19:21:08 +00:00
Andrew Scull
64f35fa01e authsecret HAL policies.
Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
(cherry picked from commit 1aedf4b5f8)
2018-02-05 11:19:46 +00:00
Ruchi Kandoi
1c57b81c1e Merge "SE Policy for Secure Element app and Secure Element HAL" am: 6a60cb3e69 am: f285f2db4b
am: 4757882300

Change-Id: I36147d7f0359cef7f80ee36086150936bed2e672
2018-01-30 01:26:15 +00:00
Ruchi Kandoi
8a2b4a783e SE Policy for Secure Element app and Secure Element HAL
Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
2018-01-29 21:31:42 +00:00
yinxu
9a786ae738 Merge "Add sepolicy for radio.config" am: 2638cd2c96 am: 2af6b8602c
am: ec5ab9db31

Change-Id: I808c3b1f4abe806b2e3ae558a01206368359edc0
2018-01-25 04:19:17 +00:00
yinxu
612350e34f Add sepolicy for radio.config
Bug: 64131518
Test: Compile and flash the device, check whether service vendor.radio-config-hal-1-0 starts
Change-Id: Id728658b4acdda87748259b74e6b7438f6283ea5
2018-01-24 12:13:10 -08:00
Janis Danisevskis
f5ea7ab181 Added default policy for Confirmation UI HAL am: 97c56bdd78 am: 5029fe7236
am: a2f243dc35

Change-Id: I670465743596b35c37a4ca591e5a8f4848222bb9
2018-01-24 20:09:47 +00:00
Janis Danisevskis
97c56bdd78 Added default policy for Confirmation UI HAL
Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-24 10:22:40 -08:00
Andrew Scull
8d11ef5a37 Merge "authsecret HAL policies." 2018-01-23 17:43:59 +00:00
Badhri Jagan Sridharan
7bee33e665 hal_usb_gadget sepolicy
Bug: 63669128
Test: Checked for avc denail messages.
Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
2018-01-19 18:56:16 +00:00
Badhri Jagan Sridharan
9b07889452 hal_usb_gadget sepolicy
Bug: 63669128
Test: Checked for avc denail messages.
Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
2018-01-19 07:59:11 -08:00
Roshan Pius
5bca3e860d sepolicy(hostapd): Add a HIDL interface for hostapd
Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
2018-01-12 14:05:38 -08:00
Andrew Scull
1aedf4b5f8 authsecret HAL policies.
Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
2018-01-10 16:26:44 +00:00
Tomasz Wasilczyk
4f7bb7576a Add broadcast radio HAL 2.0 default implementation to the sepolicy.
Test: VTS
Bug: 69958777
Change-Id: I6db7dd9afc9c7f254a0233ff3144b02e48727038
2017-12-07 09:48:16 -08:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Tomasz Wasilczyk
26ff5eb6b9 Move Broadcast Radio HAL to a separate binary.
Bug: 63600413
Test: VTS, instrumentation, audit2allow
Test: after cherry-pick - it builds
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
(cherry picked from commit 567b947d85)
2017-09-15 10:16:48 -07:00
TreeHugger Robot
60e4fd9dfa Merge "Add missing sepolicies for OemLock HAL." into oc-dev 2017-06-01 22:05:18 +00:00
Andrew Scull
475954dad5 Add missing sepolicies for OemLock HAL.
Bug: 38232801
Test: Build

Change-Id: Iccc16430e7502bb317f95bb2a5e2f021d8239a00
2017-05-31 15:22:05 +01:00
Andrew Scull
a939c4324c Add missing sepolicies for the Weaver HAL.
Bug: 38233550
Test: Build
Change-Id: I7c2105d5f215a60a611110640afff25fc3403559
2017-05-31 15:17:11 +01:00
Steven Moreland
e8ab0020ba Add fwk_display_hwservice.
This hidl service provides information about vsync and hotplug
to vendor services which is required by at least some camera
hal implementations.

Test: VtsFwkDisplayServiceV1_0TargetTest
Test: no denials
Bug: 38311538
Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
2017-05-17 11:00:28 -07:00
Pawin Vongmasa
98b7f66da9 Enable the use of IOmxStore service
Test: Manual use of Camera app
Test: lshal shows IOmxStore

Bug: 37657124
Bug: 37726880
Change-Id: I5459d992c2feb14bd26765673864e583d48e3ba4
2017-04-28 16:38:28 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
ab2c681fb1 Policy for Camera HAL HwBinder service
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.

Test: Use Google Camera app to take HDR+ photo, conventional photo,
      record video with sound, record slow motion video with sound.
      Check that the photos display correctly and that videos play
      back fine and with sound. Check that there are no SELinux
      denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
2017-04-13 10:31:04 -07:00
Martijn Coenen
3ea47b9249 Add hwservice_contexts and support for querying it.
hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
2017-04-12 18:07:12 -07:00