[automerger skipped] mm: allow access fastrpc total_dma_kb sysfs am: f9529992d6 -s ours
am skip reason: Change-Id I8a548fa667072f188b86d101b874a7cf8c9d5d79 with SHA-1 52299584f2 is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/12662148
Change-Id: I1ccde569e04939c5d9f082cf058c0d6255f0842a
diff --git a/citadel/README.md b/citadel/README.md
new file mode 100644
index 0000000..40b330b
--- /dev/null
+++ b/citadel/README.md
@@ -0,0 +1,7 @@
+### Citadel SELinux rules
+
+This directory contains all the SELinux rules for communication with the
+apps on Citadel. For more information on Citadel, see
+[go/nugget-os](https://goto.google.com/nugget-os) or the
+[`external/nos`](../../../../external/nos) and
+[`vendor/google_nos`](../../../../vendor/google_nos) directories.
diff --git a/citadel/citadel_provision.te b/citadel/citadel_provision.te
new file mode 100644
index 0000000..5605085
--- /dev/null
+++ b/citadel/citadel_provision.te
@@ -0,0 +1,6 @@
+type citadel_provision, domain;
+type citadel_provision_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(citadel_provision)
+')
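Review bot: The domain transition for `citadel_provision` is defined only inside `userdebug_or_eng`, and nothing in the file says why. On user builds the type and its exec label still exist without an `init_daemon_domain`, so an init service for this binary would have no transition into the domain there. A header comment would make the intent explicit, for example `# CitadelProvision is a factory/debug tool; the init transition is intentionally absent on user builds.` The purpose is inferred from the name and should be confirmed by the author.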
diff --git a/citadel/citadeld.te b/citadel/citadeld.te
new file mode 100644
index 0000000..266dee2
--- /dev/null
+++ b/citadel/citadeld.te
@@ -0,0 +1,18 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(citadeld)
+add_service(citadeld, citadeld_service)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+
+init_daemon_domain(citadeld)
+
+binder_call(citadeld, hal_power_stats_default)
+allow citadeld hal_power_stats_vendor_service:service_manager find;
+
+# Let citadeld find and use statsd.
+hwbinder_use(citadeld)
+get_prop(citadeld, hwservicemanager_prop)
+allow citadeld fwk_stats_hwservice:hwservice_manager find;
+binder_call(citadeld, stats_service_server)
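Review bot: Only the statsd block carries a comment; the rule giving citadeld `rw_file_perms` on `citadel_device` and the two power-stats rules have none. Since citadeld looks like the domain meant to own the device node, a line such as `# citadeld is the broker for /dev/citadel0; other domains reach Citadel through citadeld_service.` above the `allow` would document that boundary. A second line, `# Report Citadel power statistics to the power stats HAL.`, would explain the `binder_call` to `hal_power_stats_default`; that purpose is inferred from the type names.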
diff --git a/citadel/device.te b/citadel/device.te
new file mode 100644
index 0000000..f63186f
--- /dev/null
+++ b/citadel/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/citadel/file.te b/citadel/file.te
new file mode 100644
index 0000000..951393e
--- /dev/null
+++ b/citadel/file.te
@@ -0,0 +1 @@
+type hal_rebootescrow_citadel_data_file, file_type, data_file_type;
diff --git a/citadel/file_contexts b/citadel/file_contexts
new file mode 100644
index 0000000..d749e46
--- /dev/null
+++ b/citadel/file_contexts
@@ -0,0 +1,10 @@
+/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0
+/dev/citadel0 u:object_r:citadel_device:s0
+/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
diff --git a/citadel/hal_keymaster_citadel.te b/citadel/hal_keymaster_citadel.te
new file mode 100644
index 0000000..dd0a735
--- /dev/null
+++ b/citadel/hal_keymaster_citadel.te
@@ -0,0 +1,11 @@
+type hal_keymaster_citadel, domain;
+type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_keymaster_citadel)
+binder_call(hal_keymaster_citadel, citadeld)
+allow hal_keymaster_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_keymaster_citadel, hal_keymaster)
+init_daemon_domain(hal_keymaster_citadel)
+
+get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
diff --git a/citadel/hal_rebootescrow_citadel.te b/citadel/hal_rebootescrow_citadel.te
new file mode 100644
index 0000000..c85ce20
--- /dev/null
+++ b/citadel/hal_rebootescrow_citadel.te
@@ -0,0 +1,15 @@
+type hal_rebootescrow_citadel, domain;
+type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow)
+
+vndbinder_use(hal_rebootescrow_citadel)
+binder_call(hal_rebootescrow_citadel, citadeld)
+allow hal_rebootescrow_citadel citadeld_service:service_manager find;
+
+hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)
+
+init_daemon_domain(hal_rebootescrow_citadel)
+
+allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms;
+allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms;
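Review bot: `create_dir_perms` on `hal_rebootescrow_citadel_data_file:dir` lets the HAL create and remove directories under `/data/vendor/rebootescrow`, which is more than it needs if init creates that directory (the init script is not part of this diff). In that case `allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir rw_dir_perms;` together with the existing `create_file_perms` rule would be enough. A short comment stating what is stored there, and why this HAL is also a `hal_keymaster` client, would help reviewers of later changes.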
diff --git a/citadel/hal_weaver_citadel.te b/citadel/hal_weaver_citadel.te
new file mode 100644
index 0000000..aa16960
--- /dev/null
+++ b/citadel/hal_weaver_citadel.te
@@ -0,0 +1,11 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_weaver_citadel)
+binder_call(hal_weaver_citadel, citadeld)
+allow hal_weaver_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+hal_server_domain(hal_weaver_citadel, hal_oemlock)
+hal_server_domain(hal_weaver_citadel, hal_authsecret)
+init_daemon_domain(hal_weaver_citadel)
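Review bot: The `hal_weaver_citadel` domain is registered as server for three HALs (`hal_weaver`, `hal_oemlock`, `hal_authsecret`), which neither the domain name nor the file hints at. A comment above the `hal_server_domain` lines, e.g. `# One Citadel-backed process serves weaver, oemlock and authsecret.`, would document that the three interfaces share one domain and therefore one set of permissions. That a single binary hosts all three is inferred from these rules and from the single weaver entry in citadel/file_contexts.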
diff --git a/citadel/init_citadel.te b/citadel/init_citadel.te
new file mode 100644
index 0000000..1459ef4
--- /dev/null
+++ b/citadel/init_citadel.te
@@ -0,0 +1,17 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+type citadel_updater_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater_exec:file rx_file_perms;
+allow init_citadel citadel_device:chr_file rw_file_perms;
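Review bot: The last rule gives `init_citadel` `rw_file_perms` on `citadel_device:chr_file`, which contradicts the comment earlier in this file, `# Citadel communication must be via citadeld`. Because `citadel_updater_exec` is granted with `rx_file_perms` and no domain transition is defined for it, citadel_updater appears to run inside `init_citadel` and inherit that raw device access. If the direct access is required (for example for a firmware update while citadeld is unavailable, which is an assumption), say so next to the rule with `# citadel_updater talks to /dev/citadel0 directly during firmware update.`; otherwise drop the rule so that citadeld remains the only domain opening the device during a normal boot.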
diff --git a/citadel/recovery.te b/citadel/recovery.te
new file mode 100644
index 0000000..c68244f
--- /dev/null
+++ b/citadel/recovery.te
@@ -0,0 +1,3 @@
+recovery_only(`
+ allow recovery citadel_device:chr_file rw_file_perms;
+')
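Review bot: The `recovery` domain receives raw `rw_file_perms` on `citadel_device` with no comment giving the reason. The `recovery_only` guard keeps the rule out of the normal-boot policy, but the file should still state what recovery does with the device, e.g. `# recovery talks to Citadel directly; citadeld is not running in recovery mode.` That rationale is an assumption and needs confirming by the author.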
diff --git a/citadel/vndservice.te b/citadel/vndservice.te
new file mode 100644
index 0000000..a756bce
--- /dev/null
+++ b/citadel/vndservice.te
@@ -0,0 +1,2 @@
+type citadeld_service, vndservice_manager_type;
+type hal_power_stats_vendor_service, vndservice_manager_type;
diff --git a/citadel/vndservice_contexts b/citadel/vndservice_contexts
new file mode 100644
index 0000000..2e1be43
--- /dev/null
+++ b/citadel/vndservice_contexts
@@ -0,0 +1,2 @@
+android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
+power.stats-vendor u:object_r:hal_power_stats_vendor_service:s0
diff --git a/citadel/wait_for_strongbox.te b/citadel/wait_for_strongbox.te
new file mode 100644
index 0000000..960d063
--- /dev/null
+++ b/citadel/wait_for_strongbox.te
@@ -0,0 +1,9 @@
+# wait_for_strongbox service
+type wait_for_strongbox, domain;
+type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wait_for_strongbox)
+
+hal_client_domain(wait_for_strongbox, hal_keymaster)
+
+allow wait_for_strongbox kmsg_device:chr_file w_file_perms;
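Review bot: The write access to `kmsg_device` has no comment; `# Log to the kernel log, as the service runs early in boot.` above the `allow` would explain it (the timing is an assumption). The existing header `# wait_for_strongbox service` only repeats the type name. It could instead say what the service waits for, which the `hal_client_domain(wait_for_strongbox, hal_keymaster)` line suggests is the Keymaster HAL becoming available.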
diff --git a/common/property.te b/common/property.te
index f014ad5..50f7b34 100644
--- a/common/property.te
+++ b/common/property.te
@@ -1 +1 @@
-type vendor_device_prop, property_type;
+vendor_internal_prop(vendor_device_prop)
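Review bot: Declaring `vendor_device_prop` through `vendor_internal_prop()` is more than a spelling change: as far as I know the macro adds the vendor-internal property attributes, and with them platform neverallow rules against access from coredomain. The same replacement is made in power-libperfmgr/property.te, thermal/property.te and wifi_sniffer/property.te. None of the visible hunks shows who reads or sets these properties, so it is worth confirming that no system-side domain has `get_prop`/`set_prop` on them. A line such as `# vendor-internal: only vendor domains may read or set this property` above each declaration would record the restriction.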
diff --git a/mm/file.te b/mm/file.te
index 81a4050..8541232 100644
--- a/mm/file.te
+++ b/mm/file.te
@@ -1,3 +1,4 @@
type mm_logd_vendor_data_file, file_type, data_file_type;
+type debugfs_page_owner, debugfs_type, fs_type;
type sysfs_fastrpc, sysfs_type, fs_type;
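Review bot: `debugfs_page_owner` is declared here and bound to `/page_owner` in mm/genfs_contexts, but no rule in this diff uses it and neither hunk says who the intended reader is. The page_owner file exposes kernel allocation stack traces per page, so any later `allow` on this type should sit inside `userdebug_or_eng`. A comment on the declaration would record that, e.g. `# debugfs page_owner (per-page allocation stacks); grant only on debug builds.`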
diff --git a/mm/genfs_contexts b/mm/genfs_contexts
index 6546455..57b26d4 100644
--- a/mm/genfs_contexts
+++ b/mm/genfs_contexts
@@ -1 +1,2 @@
+genfscon debugfs /page_owner u:object_r:debugfs_page_owner:s0
genfscon sysfs /kernel/fastrpc/total_dma_kb u:object_r:sysfs_fastrpc:s0
diff --git a/power-libperfmgr/property.te b/power-libperfmgr/property.te
index 5e889ac..6f6e3a7 100644
--- a/power-libperfmgr/property.te
+++ b/power-libperfmgr/property.te
@@ -1 +1 @@
-type vendor_power_prop, property_type;
+vendor_internal_prop(vendor_power_prop)
diff --git a/powerstats/file_contexts b/powerstats/file_contexts
new file mode 100644
index 0000000..231503b
--- /dev/null
+++ b/powerstats/file_contexts
@@ -0,0 +1 @@
+/(vendor|system/vendor)/bin/hw/android\.hardware\.powerstats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
diff --git a/powerstats/hal_power_stats_default.te b/powerstats/hal_power_stats_default.te
new file mode 100644
index 0000000..7e00470
--- /dev/null
+++ b/powerstats/hal_power_stats_default.te
@@ -0,0 +1,5 @@
+add_service(hal_power_stats_default, hal_power_stats_vendor_service)
+
+vndbinder_use(hal_power_stats)
+add_service(hal_power_stats_server, hal_power_stats_service)
+
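Review bot: `vndbinder_use(hal_power_stats)` is written against the HAL attribute rather than the `hal_power_stats_default` domain, so every domain carrying that attribute gets vndbinder access, not only the service labelled in powerstats/file_contexts. `vndbinder_use(hal_power_stats_default)` would scope it to the one process that registers the vendor service. Also, `hal_power_stats_vendor_service` is declared in citadel/vndservice.te and labelled in citadel/vndservice_contexts, so this file only compiles when the citadel directory is part of the same policy build; moving the type and its context entry next to this file would remove that coupling. The hunk also ends with a stray blank line at end of file.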
diff --git a/thermal/property.te b/thermal/property.te
index 57065a3..676c85a 100644
--- a/thermal/property.te
+++ b/thermal/property.te
@@ -1,2 +1,2 @@
#thermal HAL
-type vendor_thermal_prop, property_type;
+vendor_internal_prop(vendor_thermal_prop)
diff --git a/wifi_sniffer/property.te b/wifi_sniffer/property.te
index df29700..ca72d35 100644
--- a/wifi_sniffer/property.te
+++ b/wifi_sniffer/property.te
@@ -1 +1 @@
-type vendor_wifi_sniffer_prop, property_type;
+vendor_internal_prop(vendor_wifi_sniffer_prop)