platform_system_sepolicy/public/te_macros
Alex Klyubin 7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00

505 lines
16 KiB
Text

#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write };
allow $1 tmpfs:dir { getattr search };
')
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).
#####################################
# pdx_server(domain)
define(`pdx_server', `
allow $1 pdx_socket:dir create_dir_perms;
allow $1 pdx_socket:sock_file create_file_perms;
')
#####################################
# use_pdx(clientdomain, serverdomain)
define(`use_pdx', `
# Open the socket.
allow $1 pdx_socket:dir r_dir_perms;
allow $1 pdx_socket:sock_file rw_file_perms;
# Use the socket.
allow $1 $2:unix_stream_socket { connectto read write shutdown };
# Clients recieve an event fd from the server.
allow $1 $2:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow $2 $1:fd use;
')
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
')
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
')
#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
define(`untrusted_app_domain', `
typeattribute $1 untrusted_app_all;
')
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
typeattribute $1 netdomain;
')
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
# hal_server_domain(hal_foo_default, hal_foo)
#
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')
#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
# hal_client_domain(some_domain, hal_foo)
#
define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional,
# once we know at build time whether a HAL is going to run in
# passthrough or binderized mode.
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
')
#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
# passthrough_hal_client_domain(some_domain, hal_foo)
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
')
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
define(`unix_socket_connect', `
ifelse($2, `property', `
ifelse($3,`init', `
print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
')
')
__unix_socket_connect__($1, $2, $3)
')
define(`__unix_socket_connect__', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
define(`set_prop', `
__unix_socket_connect__($1, property, init)
allow $1 $2:property_service set;
get_prop($1, $2)
')
#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
#
define(`get_prop', `
allow $1 $2:file r_file_perms;
')
#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open };
allow hwservicemanager $1:process getattr;
# TODO(b/34274385): hals wait for data to be mounted so they can
# start only if persist.hal.binderization is enabled. (for dogfood
# stability). getService must also check for data to be mounted
# if the vintf promises the hal will be registered over hwbinder.
get_prop($1, hal_binderization_prop)
get_prop($1, persistent_properties_ready_prop)
get_prop($1, vold_prop)
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# vndbinder_use(domain)
# Allow domain to use Binder IPC.
define(`vndbinder_use', `
# Talk to the vndbinder device node
allow $1 vndbinder_device:chr_file rw_file_perms;
# Call the vndservicemanager and transfer references to it.
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
allow vndservicemanager $1:dir search;
allow vndservicemanager $1:file { read open };
allow vndservicemanager $1:process getattr;
')
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')
#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:capability2 block_suspend;
')
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security check_context;
')
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
#####################################
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')
#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
#
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
define(`crash_dump_fallback', `
userdebug_or_eng(`
allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
allow $1 tombstone_data_file:file append;
')
#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
#
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
unix_socket_send($1, logdw, logd)
allow $1 pmsg_device:chr_file w_file_perms;
')
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore is requires the following permissions
# to call getpidcon.
define(`use_keystore', `
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
')
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
define(`use_drmservice', `
allow drmserver $1:dir search;
allow drmserver $1:file { read open };
allow drmserver $1:process getattr;
')
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
')
##########################################
# print a message with a trailing newline
# print(`args')
define(`print', `errprint(`m4: '__file__: __line__`: $*
')')