platform_system_sepolicy/public/hal_configstore.te
Steven Moreland ac88cb6101 Make hal_configstore consistent.
Previously, supposedly, each individual client of configstore
was supposed to add the add_hwservice attribute itself to get
ahold of the specific sub-interface of configstore relevant to
it. However, there is only one configstore interface,
ISurfaceFlingerConfigs.

From this point onward, the configstore hal is to be thought of
as specifically relating to surface flinger. Other properties
may be added as other attributes/packages.

For instance, if we want a configstore entry for 'IFooConfig',
then we would add the configuration to one of the following
packages:
- android.hardware.foo@X.Y (to the interface itself)
- android.hardware.foo.config@X.Y (to a configuration of the interface)
- android.hardware.configstore.foo@X.Y (as a sub-interface of configstore)

and then it could be associated with the sepolicy attributes
(respectively):
- hal_foo
- hal_foo_config (or just hal_foo if they are 1-1)
- hal_configstore_foo

The specific pattern to be followed irrelevant to this CL
and subject to future discussion, the point being that we're going
to have a separate sepolicy attribute (and package, although this
isn't strictly necessary) for each separate domain's configuration.

Fixes: 109806245
Test: boot walleye, check for denials
Change-Id: If661e3fca012017a6c854fe3f02df4b779d514df
2018-06-06 13:01:17 -07:00

66 lines
2.3 KiB
Text

# HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server)
hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
crash_dump_fallback(hal_configstore_server)
###
### neverallow rules
###
# Should never execute an executable without a domain transition
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
# Should never need network access. Disallow sockets except for
# for unix stream/dgram sockets used for logging/debugging.
neverallow hal_configstore_server domain:{
rawip_socket tcp_socket udp_socket
netlink_route_socket netlink_selinux_socket
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket
} *;
neverallow hal_configstore_server {
domain
-hal_configstore_server
-logd
userdebug_or_eng(`-su')
-tombstoned
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
neverallow hal_configstore_server {
data_file_type
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
-zoneinfo_data_file # granted to domain
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
neverallow hal_configstore_server {
sdcard_type
fuse sdcardfs vfat exfat # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
sdcard_type
fuse sdcardfs vfat exfat # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;
# No privileged capabilities
neverallow hal_configstore_server self:capability_class_set *;
# No ptracing other processes
neverallow hal_configstore_server *:process ptrace;
# no relabeling
neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };