Commit graph

23 commits

Author SHA1 Message Date
Pawin Vongmasa
4be2889477 Put in sepolicies for Codec2.0 services
Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
2018-03-29 04:42:25 -07:00
Chong Zhang
78e595deab cas: add CAS hal and switch to use hwservice
bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028
2017-06-16 13:28:36 -07:00
Alex Vakulenko
41daa7f859 SELinux policies for PDX services
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-10 16:39:19 -07:00
Steven Moreland
d64561f716 Allow omx hal access to vndbinder on all devices.
Whether a device is full Treble or not, omx should be able to
access vndbinder

Test: (sanity) oc-dev marlin boots + YouTube + lshal
Fixes: 37528973
Change-Id: Idd734b42c7dfe3e09e544680a6893b03910ecd3e
2017-05-02 18:25:07 +00:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Martijn Coenen
fc80f48082 Remove mediacodec from binder violators.
The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.

Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
2017-04-15 21:48:56 -07:00
Martijn Coenen
b4d701bf9c Allow mediacodec access to sync fences.
Test: WIP
Change-Id: I678b0d0e9750b25628b86060574fd516d3749cdf
2017-04-15 09:47:17 -07:00
Iliyan Malchev
56cdcd48d5 Transition mediacodec to /dev/hwbinder and /dev/vndbinder
This change disables /dev/binder access to and by mediacodec on
full-Treble devices.

b/36604251 OMX HAL (aka mediacodec) uses Binder and even exposes a
	   Binder service

Test: marlin
Change-Id: I1e30a6c56950728f36351c41b2859221753fd91a
Signed-off-by: Iliyan Malchev <malchev@google.com>
2017-04-14 18:50:40 +00:00
Sandeep Patil
2ee66e7d14 sepolicy: make exec_types in /vendor a subset of vendor_file_type
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.

Bug: 36463595
Test: Boot sailfish without any new denials

Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-11 17:20:36 +00:00
Mathias Agopian
9901ff7c4f update sepolicy for gralloc HAL
the list to update was determined by looking
at who currently has access to surfaceflinger
for ipc and FD use.

Test: try some media stuff
Bug: 36333314
Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d
2017-03-30 14:43:35 -07:00
Alex Klyubin
44df5b9432 mediacodec violates "no Binder in vendor" rule
This adds mediacodec to the list of temporary exemptions from the "no
Binder in vendor" rule.

Test: mmm system/sepolicy
Bug: 35870313
Change-Id: I0f00d4bfb90d6da45ae2fed65864bb8fb0a4e78e
2017-03-24 17:22:17 -07:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00
Steven Moreland
d3ce5dc38c Allow hals to read hwservicemanager prop.
Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2
2017-03-23 01:50:50 +00:00
Jiwen 'Steve' Cai
eeb0d38037 Allow fd access between mediacodec and bufferhubd
bufferhubd should be able to use sync fence fd from mediacodec; and
mediacodec should be able to use a gralloc buffer fd from the bufferhubd.

Bug: 32213311
Test: Ran exoplayer_demo and verify mediacodec can plumb buffer through
bufferhub.

Change-Id: Id175827c56c33890ecce33865b0b1167d872fc56
2017-03-15 15:56:27 -07:00
Josh Gao
12b4750fec Allow fallback crash dumping for seccomped processes.
Let mediacodec and mediaextractor talk directly to tombstoned to
generate tombstones/ANR traces.

Bug: http://b/35858739
Test: debuggerd -b `pidof media.codec`
Change-Id: I091be946d58907c5aa7a2fe23995597638adc896
2017-03-07 15:53:46 -08:00
Yin-Chia Yeh
6824dfd773 Camera: hal_camera FD access update
Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
2017-03-05 14:34:25 -08:00
Nick Kralevich
38c12828da Add documentation on neverallow rules
Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9
2017-02-17 22:37:23 +00:00
Pawin Vongmasa
5559d21aa5 Sepolicy for OMX hal.
Bug: 31399200
Test: Compiles
Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57
2017-02-11 00:12:00 -08:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Ray Essick
391854000a rename mediaanalytics->mediametrics, wider access
reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
2017-01-24 16:57:19 -08:00
Ray Essick
090f4a4d9f Allow access to mediaanalytics service
media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.

Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
2016-12-03 00:06:20 +00:00
Chia-I Wu
dd958e5a21 Add sepolicy for gralloc-alloc HAL
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
2016-11-14 01:09:51 +00:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from mediacodec.te (Browse further)