Merge "Remove vr_wm service selinux policy" into oc-dev
diff --git a/Android.mk b/Android.mk
index 1281695..dd37341 100644
--- a/Android.mk
+++ b/Android.mk
@@ -305,24 +305,15 @@
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
-$(plat_policy_nvr): PRIVATE_ADDITIONAL_CIL_FILES := \
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr)
- @mkdir -p $(dir $@)
- # Strip out neverallow statements. They aren't needed on-device and their presence
- # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
- # sailfish-eng).
- grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
- # Confirm that the resulting policy compiles
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
built_plat_cil := $(LOCAL_BUILT_MODULE)
plat_policy.conf :=
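Review bot: With `-N` on the secilc line this per-file check no longer enforces any neverallow rule, so the only remaining place a plat-policy neverallow violation can be caught is the combined compile over `all_cil_files` in a later rule whose recipe is outside this hunk; that recipe must not pass `-N`. The neverallow statements are now also shipped in the on-device CIL (the `grep -v '^(neverallow'` strip is gone), so presumably the on-device compile has to use `-N` as well or the 400 ms → 6,400 ms regression described in the removed comment returns. I would record both facts next to the secilc line, e.g. `# -N: neverallows are checked once against the full policy below; on-device compilation must also pass -N`.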
@@ -363,16 +354,13 @@
ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
-mapping_policy_nvr := $(current_mapping.cil)
+mapping_policy := $(current_mapping.cil)
else
-mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
+mapping_policy := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
endif
-$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr)
- # Strip out neverallow statements. They aren't needed on-device and their presence
- # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
- # sailfish-eng).
- grep -v '^(neverallow' $< > $@
+$(LOCAL_BUILT_MODULE): $(mapping_policy) $(ACP)
+ $(hide) $(ACP) $< $@
built_mapping_cil := $(LOCAL_BUILT_MODULE)
current_mapping.cil :=
@@ -434,25 +422,15 @@
$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-nonplat_policy_nvr := $(intermediates)/nonplat_policy_nvr.cil
-$(nonplat_policy_nvr) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(nonplat_policy_nvr) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
-$(nonplat_policy_nvr) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
-$(HOST_OUT_EXECUTABLES)/version_policy
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
+$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil)
@mkdir -p $(dir $@)
$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NONPLAT_CIL_FILES := $(nonplat_policy_nvr)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(nonplat_policy_nvr) $(built_plat_cil) \
-$(built_mapping_cil)
- @mkdir -p $(dir $@)
- # Strip out neverallow statements. They aren't needed on-device and their presence
- # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
- # sailfish-eng).
- grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
- # Confirm that the resulting policy compiles combined with platform and mapping policies
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
built_nonplat_cil := $(LOCAL_BUILT_MODULE)
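Review bot: The recipe writes the `version_policy` output straight to `$@` and only then runs the secilc sanity compile, so when that check fails the target already exists and is newer than its prerequisites; unless the top-level build declares `.DELETE_ON_ERROR:` (not visible here), a re-run would treat the unverified CIL as up to date. Writing to a temporary and renaming after the check closes that gap: `version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@.tmp`, then `secilc -M true -G -N -c $(POLICYVERS) $(PRIVATE_DEP_CIL_FILES) $@.tmp -o /dev/null -f /dev/null`, then `mv $@.tmp $@`. The same pattern applies to the plat rule earlier in this file.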
@@ -508,9 +486,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
all_cil_files := \
- $(plat_policy_nvr) \
- $(mapping_policy_nvr) \
- $(nonplat_policy_nvr) \
+ $(built_plat_cil) \
+ $(built_mapping_cil) \
+ $(built_nonplat_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@@ -1152,10 +1130,8 @@
built_sepolicy :=
built_plat_svc :=
built_nonplat_svc :=
-mapping_policy_nvr :=
+mapping_policy :=
my_target_arch :=
-nonplat_policy_nvr :=
-plat_policy_nvr :=
plat_pub_policy.cil :=
reqd_policy_mask.cil :=
sepolicy_build_files :=
diff --git a/private/app.te b/private/app.te
index 2ee3bee..d6d407a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,6 +69,9 @@
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
# App sandbox file accesses.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
@@ -81,6 +84,9 @@
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
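Review bot: `r_dir_file` makes every file under `textclassifier_data_file` readable by every non-isolated app, while system_server is given `create_file_perms` on the same type elsewhere in this commit, so anything system_server writes into that directory is effectively world-readable to apps. That is fine for shared model files but not for any per-user or per-app derived data, and nothing in the rule prevents the latter from being stored there later. The comment should state the expectation, e.g. `# TextClassifier model files. Readable by all apps, so nothing user- or app-specific may be written here.`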
@@ -174,9 +180,11 @@
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
-# hidl access for mediacodec
-# TODO(b/34454312): only allow getting and talking to mediacodec service
-hwbinder_use(appdomain)
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
@@ -274,9 +282,15 @@
# Allow app access to mediacodec (IOMX HAL)
binder_call({ appdomain -isolated_app }, mediacodec)
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
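Review bot: The RenderScript rule relies on the HAL being "always-passthrough", which matters because the untrusted-app `hwservice_manager find` neverallow added to app_neverallows.te in this commit exempts only types carrying `same_process_hwservice` plus a few named exceptions; this `find` on `hal_renderscript_hwservice` only compiles if that type is declared with `same_process_hwservice` in the hwservice type definitions, which are outside this diff. Worth confirming, and worth saying next to the rule so the attribute is not dropped later, e.g. `# hal_renderscript_hwservice must remain same_process_hwservice; a binderized RenderScript HAL would become reachable from every app`.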
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68..0917724 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -21,6 +21,10 @@
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow all_untrusted_apps property_socket:sock_file write;
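Review bot: The VendorBinder neverallows cover the device node and `vndservice_manager_type` but not binder traffic to `vndservicemanager` itself; domain.te in this same commit blocks `vndservicemanager:binder *` for coredomain only inside `full_treble_only`, so on a non-Treble device an untrusted app that obtained a vndbinder handle by other means is not constrained here. Add the third leg unconditionally alongside the two new rules: `neverallow all_untrusted_apps vndservicemanager:binder *;`.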
@@ -87,6 +91,9 @@
')
}:dir_file_class_set { create unlink };
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
# Do not allow untrusted apps to directly open tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
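Review bot: This `fuse_device` neverallow replaces the two domain-wide rules removed from domain.te in this commit, but its scope is much narrower: the old rules constrained every domain except an explicit allowlist (init, recovery, sdcardd, vold, dumpstate, priv_app, shell, system_server, ueventd), whereas now only untrusted apps, platform_app and system_app are constrained and any other core or vendor domain can be granted /dev/fuse access without tripping a compile-time check. If the goal is merely to let a specific privileged app mount FUSE, keep the domain-level rule with an allowlist rather than dropping it, e.g. `neverallow { domain -init -recovery -sdcardd -vold -dumpstate -priv_app -shell -system_server -ueventd } fuse_device:chr_file *;`, adjusting the exemption to whichever app domain actually needs it.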
@@ -98,9 +105,68 @@
# Create a more specific label if needed
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, many
+# HwBinder services either operate at a level below that of apps (e.g., HALs)
+# or must not rely on app identity for authorization. Thus, to be safe, the
+# default assumption is that every HwBinder service treats all its clients as
+# equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+# incidence rate of security issues than system/core components and have
+# access to lower layes of the stack (all the way down to hardware) thus
+# increasing opportunities for bypassing the Android security model.
+neverallow all_untrusted_apps {
+ hwservice_manager_type
+ # Same process services are safe because they by definition run in the process
+ # of the client and thus have the same access as the client domain in which
+ # the process runs
+ -same_process_hwservice
+ -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+ -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+ # These operations are also offered by surfaceflinger Binder service which
+ # apps are permitted to access
+ -hal_graphics_allocator_hwservice
+ # HwBinder version of mediacodec Binder service which apps were permitted to
+ # access
+ -hal_omx_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+ coredomain_hwservice
+ -same_process_hwservice
+ -hidl_allocator_hwservice # Designed for use by any domain
+ -hidl_manager_hwservice # Designed for use by any domain
+ -hidl_memory_hwservice # Designed for use by any domain
+ -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+ neverallow all_untrusted_apps {
+ halserverdomain
+ -coredomain
+ -hal_configstore_server
+ -hal_graphics_allocator_server
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ }:binder { call transfer };
+')
diff --git a/private/audioserver.te b/private/audioserver.te
index bf883d1..9119daa 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -42,6 +42,9 @@
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
###
### neverallow rules
###
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 45b5710..1c0e14f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -57,8 +57,10 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
hal_client_domain(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
hal_client_domain(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth)
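Review bot: `sys_nice` lets the bluetooth domain change the priority and scheduling class of other processes as well as its own (still subject to `process:setsched` rules), which is broader than the stated need. This same commit has system_server register `fwk_scheduler_hwservice` and gain `hal_bluetooth:process { getsched setsched }`, i.e. the existing pattern is to have system_server apply RT scheduling on behalf of the requester; if the bluetooth app cannot use that path, the comment should say why. At minimum narrow the intent in the comment, e.g. `# sys_nice only for RT scheduling of the A2DP audio threads in this process; do not pair with setsched on other domains`.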
@@ -70,6 +72,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
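Review bot: Style nit in the updated neverallow: the closing brace lost its leading space in `sys_nice}`, whereas the rest of the file writes `{ ... }` with spaces; it should read `neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice };`. This neverallow is the one thing that prevents the capability set from being widened quietly, so keeping the comment above it accurate (it now does list sys_nice) is worth the care.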
diff --git a/private/dumpstate.te b/private/dumpstate.te
index cbdfbc6..b8f8152 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -5,6 +5,9 @@
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
# TODO: deal with tmpfs_domain pub/priv split properly
allow dumpstate dumpstate_tmpfs:file execute;
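Review bot: `lock` is granted on all of `system_file`, not only /system/etc/xtables.lock, even though the comment names a single file; app_neverallows.te in this commit forbids exactly this permission for untrusted apps because advisory locks on system files enable denial of service against privileged components. dumpstate is trusted, so the grant is tolerable, but a dedicated label for xtables.lock in file_contexts would confine it to the one file the iptables tools need. Failing that, widen the comment to match the rule: `# ip[6]tables takes an advisory lock on /system/etc/xtables.lock; granted on all system_file because the lock file has no dedicated type`.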
diff --git a/private/file_contexts b/private/file_contexts
index 866b630..3b5319a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -363,6 +363,7 @@
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index d4bdef9..9dcd3ee 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -8,3 +8,6 @@
# Used to wait for hwservicemanager
get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9330041..ecac57e 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,2 +1,49 @@
-android.hardware.camera.provider::ICameraProvider u:object_r:hw_camera_provider_ICameraProvider:s0
-* u:object_r:default_android_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
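Review bot: Several unrelated HIDL interfaces share one label: `IBroadcastRadioFactory` and `ISoundTriggerHw` are mapped to `hal_audio_hwservice` next to the audio and effects factories, and `IOemHook`, `IRadio` and `ISap` all map to `hal_telephony_hwservice`. Because `hwservice_manager find` is granted per type, any client that is allowed to discover the audio HAL can also discover broadcast radio and sound trigger, and an OEM hook becomes findable by anyone permitted to find IRadio. If the corresponding types exist (they would be defined in hwservice.te, outside this diff), giving those interfaces their own labels keeps find grants at interface granularity, e.g. `android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0`.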
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 627b93f..a43eb02 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,6 @@
typeattribute hwservicemanager coredomain;
init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/private/keystore.te b/private/keystore.te
index 6aa8884..a9647c6 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,10 @@
typeattribute keystore coredomain;
init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
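Review bot: keystore now both consumes a vendor HAL (`hal_keymaster`) and exports `system_wifi_keystore_hwservice` over HwBinder, but the intended consumer of that service and its client-side `find`/`binder_call` rules are not in this diff, so the exposure is hard to judge from here. Untrusted apps are blocked regardless by the new app_neverallows.te rules (the type is in neither exemption list), while registration is limited to core domains only if the type carries `coredomain_hwservice`, which is declared outside this diff. State the client and that expectation in the comment, e.g. `# Offer the Wifi Keystore HwBinder service (client: the supplicant HAL; type must be coredomain_hwservice so only core domains may register it)`.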
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 08c3f9b..a9b85be 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -4,3 +4,7 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..fd4634a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@
allow platform_app preloads_media_file:dir r_dir_perms;
read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/service_contexts b/private/service_contexts
index c7e9723..dc77cb9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -22,7 +22,7 @@
commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
-companion_device u:object_r:companion_device_service:s0
+companiondevice u:object_r:companion_device_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index eeea185..8e5892b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -10,11 +10,11 @@
read_runtime_log_tags(surfaceflinger)
# Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
hal_client_domain(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
binder_use(surfaceflinger)
@@ -52,6 +52,9 @@
allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101..7950044 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@
control_logd(system_app)
read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/private/system_server.te b/private/system_server.te
index 8b922d1..f391aa5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -30,6 +30,10 @@
# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;
+# Read and delete last_reboot_reason file
+allow system_server reboot_data_file:file { rename r_file_perms unlink };
+allow system_server reboot_data_file:dir { write search open remove_name };
+
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
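Review bot: `rename` is granted on `reboot_data_file:file`, but the directory rule grants `{ write search open remove_name }` without `add_name`, so a rename within the reboot_data_file directory would still be denied (a rename needs `add_name` on the destination directory). Either the permission is unused, in which case drop it so the rule matches the "Read and delete" comment, or complete the dir rule: `allow system_server reboot_data_file:dir { write search open add_name remove_name };`.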
@@ -98,6 +102,7 @@
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
@@ -167,36 +172,26 @@
binder_call(system_server, wificond)
binder_service(system_server)
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
+# Use HALs
hal_client_domain(system_server, hal_allocator)
-binder_call(system_server, hal_contexthub)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
-binder_call(system_server, hal_ir)
hal_client_domain(system_server, hal_ir)
-binder_call(system_server, hal_light)
hal_client_domain(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
hal_client_domain(system_server, hal_memtrack)
-binder_call(system_server, hal_power)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
-binder_call(system_server, hal_usb)
hal_client_domain(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
-
hal_client_domain(system_server, hal_wifi_supplicant)
binder_call(system_server, mediacodec)
@@ -204,9 +199,19 @@
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
# Send signals to trigger ANR traces.
allow system_server {
# This is derived from the list that system server defines as interesting native processes
@@ -228,6 +233,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_graphics_composer_server
hal_vr_server
mediacodec # TODO(b/36375899): hal_omx_server
}:process { signal };
@@ -345,6 +351,10 @@
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
@@ -632,9 +642,6 @@
r_dir_file(system_server, rootfs)
r_dir_file(system_server, sysfs_type)
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
### Rules needed when Light HAL runs inside system_server process.
### These rules should eventually be granted only when needed.
allow system_server sysfs_leds:lnk_file read;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 73aa79e..fc80129 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,7 +2,8 @@
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
-### ephemeral apps.
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
@@ -17,6 +18,8 @@
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
# Legacy text relocations
allow untrusted_app_all apk_data_file:file execmod;
@@ -93,3 +96,11 @@
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
allow untrusted_app_all preloads_media_file:file r_file_perms;
allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
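Review bot: `execute` on every `vendor_app_file:file` lets any untrusted app map and run native code shipped under /vendor/app in its own process, not only the app that packages it, which is the vendor-code-in-app exposure the new HwBinder neverallows in this commit are trying to contain; the TODO acknowledges it but the rule itself is unconditional. Until the dedicated type lands, document the consequence inline, e.g. `# NOTE: every untrusted app may read and execute any library under /vendor/app, not just its own`. Also check whether this policy's `rx_file_perms` macro includes `map`; if it does, the open-coded `{ open getattr read execute }` set would deny mmap and the rule should use the macro instead.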
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
index 51d2420..053c03d 100644
--- a/private/vr_hwc.te
+++ b/private/vr_hwc.te
@@ -2,3 +2,5 @@
# Daemon started by init.
init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
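Review bot: `hal_server_domain(vr_hwc, hal_graphics_composer)` gives this core daemon the entire `hal_graphics_composer` server permission set and, through the `hal_graphics_composer_server` entry added to system_server's ANR `signal` list in this commit, makes it a signal target as well; it also means a coredomain process registers a HAL hwservice that is otherwise expected from the vendor side. If vr_hwc only needs to register its own IComposer instance for surfaceflinger, say so, e.g. `# Core-side IComposer implementation; inherits every hal_graphics_composer server rule, so widenings of that attribute affect this domain too`, so the attribute is not extended later without this domain in mind.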
diff --git a/public/attributes b/public/attributes
index adad87f..f2ae06f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -94,6 +94,14 @@
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
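Review bot: `same_process_hwservice` is described as "guaranteed to be passthrough", but nothing in policy can verify that guarantee; app_neverallows.te in this commit exempts every type carrying it from the untrusted-app `hwservice_manager find` neverallow, so attaching it to a service that is actually binderized would silently open that HAL to all apps. The comment should make the review obligation explicit, e.g. `# Types with this attribute bypass the untrusted-app HwBinder neverallows; only apply it to HALs whose HIDL package is passthrough-only`. The same caveat applies, more mildly, to `coredomain_hwservice`, whose add-side guarantee is enforced below but whose find-side exemptions are hand-maintained.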
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 2a243cc..0dd4a80 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,7 +8,6 @@
binder_service(cameraserver)
hal_client_domain(cameraserver, hal_camera)
-allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
hal_client_domain(cameraserver, hal_graphics_allocator)
@@ -27,6 +26,8 @@
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
###
### neverallow rules
###
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 4551e58..cc8111f 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -43,6 +43,7 @@
allow dex2oat postinstall_dexopt:fd use;
allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file read;
# Allow dex2oat access to files in /data/ota.
diff --git a/public/domain.te b/public/domain.te
index 599975b..c48950d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -212,8 +212,6 @@
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-# TODO(b/34454312) remove this when the correct policy is in place
-allow domain default_android_hwservice:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
@@ -423,12 +421,23 @@
neverallow { domain -recovery } contextmount_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-# Do not allow service_manager add for default_android_service.
+# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
-# from service name to service_type are defined in service_contexts.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add;
+neverallow * default_android_vndservice:service_manager { add find };
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
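Review bot: `neverallow * default_android_hwservice:hwservice_manager { add find }` together with the `*` fallback in hwservice_contexts means a HIDL interface that is not listed there can be neither registered nor looked up by any domain; that is the intended fail-closed behaviour, but the comment only talks about `add` and about defining new types. Spell out where a missing mapping fails so people adding an interface know to look here: `# Any HwBinder interface not listed in hwservice_contexts is labeled default_android_hwservice and cannot be added or found by anyone; add a mapping there.` Minor grammar in the hidl_base comment: `hwservicemanager currently offer` → `offers`.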
@@ -547,6 +556,27 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
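Review bot: The comment on the `-ueventd` exception says ueventd is still denied I/O below, but the rule that follows, `neverallow ueventd vndbinder_device:chr_file { read write append ioctl };`, does not list `open`, so if `rw_file_perms` expands to the usual `{ open getattr read write append ioctl lock map }` set ueventd keeps `open` on the node. If that is intentional (ueventd only needs to create and label the device node) the comment should say so; otherwise add `open` to the second rule so the exception really is limited to node setup. The three `userdebug_or_eng(`-su')` exemptions are consistent with the shell exemption but a short comment on the first block explaining why su and shell are carved out of the vndbinder restriction would help future readers.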
@@ -660,6 +690,7 @@
-appdomain
-idmap
-init
+ -installd
-system_server
-zygote
} vendor_overlay_file:dir { getattr open read search };
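Review bot: `-installd` is added to the exemption set of this neverallow and of the one in the next hunk (`} vendor_overlay_file:{ file lnk_file } r_file_perms;`) without a comment, so the neverallow gives no reason why a core domain may now read vendor overlay files; the justification lives only in the installd.te allow rule. Consider annotating both exemptions, e.g. `-installd # scans RRO APKs in /vendor/overlay`, so the carve-out is self-explanatory where it is enforced. The enclosing neverallow block starts above the hunk.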
@@ -669,6 +700,7 @@
-appdomain
-idmap
-init
+ -installd
-system_server
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;
@@ -953,26 +985,6 @@
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-neverallow {
- domain
- -init
- -recovery
- -sdcardd
- -vold
-} fuse_device:chr_file open;
-neverallow {
- domain
- -dumpstate
- -init
- -priv_app
- -recovery
- -sdcardd
- -shell # Restricted by shell.te to only getattr
- -system_server
- -ueventd
- -vold
-} fuse_device:chr_file *;
-
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
@@ -995,3 +1007,12 @@
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
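Review bot: `neverallow ~coredomain coredomain_hwservice:hwservice_manager add;` uses the `~` complement form while every other neverallow in this file spells a complement as a set, e.g. `{ domain -recovery }`; `~coredomain` also matches non-domain types, which cannot be subjects anyway, so `neverallow { domain -coredomain } coredomain_hwservice:hwservice_manager add;` expresses the same constraint in the file's usual notation. The comment above the last rule spells `registeration`; it should be `registration`.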
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3322e14..503f359 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -69,6 +69,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_graphics_composer_server
hal_vr_server
mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;
@@ -94,10 +95,9 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
-# Vibrate the device after we are done collecting the bugreport
-# For binderized mode:
hal_client_domain(dumpstate, hal_dumpstate)
-binder_call(dumpstate, hal_vibrator)
+hal_client_domain(dumpstate, hal_graphics_allocator)
+# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
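Review bot: `hal_client_domain(dumpstate, hal_graphics_allocator)` is added without a comment, while the neighbouring hal_dumpstate and hal_vibrator client lines each carry one; a line such as `# Needed for graphics buffer access while capturing screenshots — confirm` (the reason is inferred, please verify) would keep the block consistent. After the reshuffle the `# For passthrough mode:` label now follows only the vibrator client line while its former partner `# For binderized mode:` was dropped, so either remove the remaining label or restore the pair.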
@@ -173,6 +173,7 @@
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
@@ -185,6 +186,9 @@
# Read device's serial number from system properties
get_prop(dumpstate, serialno_prop)
+# Read state of logging-related properties
+get_prop(dumpstate, device_logging_prop)
+
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
diff --git a/public/file.te b/public/file.te
index eacfc2c..7cb7c36 100644
--- a/public/file.te
+++ b/public/file.te
@@ -200,6 +200,7 @@
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b444593..646cebd 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,2 +1,6 @@
# HwBinder IPC from client to server
binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
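Review bot: `allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;` grants allocator clients a lookup on a second, core-provided label that is not registered by this HAL, and nothing explains the pairing. A comment such as `# clients also look up the core hidl_memory service to map the buffers they receive — confirm` (reason inferred) would document why the two lookups travel together and stop a later cleanup from dropping the second line.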
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 3531944..5b1a4df 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,6 +2,9 @@
binder_call(hal_audio_client, hal_audio_server)
binder_call(hal_audio_server, hal_audio_client)
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
allow hal_audio ion_device:chr_file r_file_perms;
userdebug_or_eng(`
@@ -18,10 +21,6 @@
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(hal_audio, bluetooth, bluetooth)
-
###
### neverallow rules
###
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 46fd9d7..c04cd08 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -2,6 +2,9 @@
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
wakelock_use(hal_bluetooth);
# The HAL toggles rfkill to power the chip off/on.
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index b731fd6..8b240b1 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,3 +1,6 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_bootctl_client, hal_bootctl_server)
binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index a00bf9f..3c15e85 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,8 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
-add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
# access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms;
@@ -33,4 +34,4 @@
# Only camera HAL may directly access the camera and video hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
-neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;
+neverallow { halserverdomain -coredomain -hal_camera_server } video_device:chr_file *;
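Review bot: Adding `-coredomain` to the exemption set exempts every core HAL server from the `video_device` restriction, not just the one that needs it, and no comment says which core server that is; the `mediacodec # TODO(b/36375899): hal_omx_server` line in dumpstate.te suggests mediacodec, but that is inferred. Prefer naming the domain, e.g. `neverallow { halserverdomain -hal_camera_server -<core_video_server> } video_device:chr_file *;` with `<core_video_server>` replaced by the intended domain, or at least annotate the exemption with the bug it tracks so the blanket carve-out is revisited.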
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 1a8b88b..4bf6cfd 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,2 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index d991e9d..f11bfc8 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_contexthub, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a773dd5..5a6bf5c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -2,6 +2,11 @@
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
# Required by Widevine DRM (b/22990512)
allow hal_drm self:process execmem;
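Review bot: `allow hal_drm hidl_memory_hwservice:hwservice_manager find;` is written on `hal_drm` rather than `hal_drm_server`; if `hal_drm` is the attribute shared by client and server domains, as the `hal_drm_client`/`hal_drm_server` pair above suggests, every DRM client also gains the lookup, and the same applies to `allow hal_drm mediaserver:fd use;` in the next hunk. If only the server needs these, writing them on `hal_drm_server` keeps the grant minimal; if clients need them too, a comment saying so would prevent a later tightening from breaking them.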
@@ -27,6 +32,9 @@
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
# Allow access to app_data and media_data_files
allow hal_drm media_data_file:dir create_dir_perms;
allow hal_drm media_data_file:file create_file_perms;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 884b6fc..2853567 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,9 @@
binder_call(hal_dumpstate_client, hal_dumpstate_server)
binder_call(hal_dumpstate_server, hal_dumpstate_client)
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 580ef37..bef9f55 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -2,6 +2,9 @@
binder_call(hal_fingerprint_client, hal_fingerprint_server)
binder_call(hal_fingerprint_server, hal_fingerprint_client)
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
# allow HAL module to read dir contents
allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 618a2ee..123acf5 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,5 +1,8 @@
binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
# TEE access.
allow hal_gatekeeper tee_device:chr_file rw_file_perms;
allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 753791b..b59cd1d 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -1 +1,6 @@
-binder_call(hal_gnss, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e434751..5f2f098 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,6 +1,10 @@
# HwBinder IPC from client to server
binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 9ba0bdb..2d8483d 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,5 +1,9 @@
-# IComposerCallback
-binder_call(hal_graphics_composer, surfaceflinger)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
diff --git a/public/hal_health.te b/public/hal_health.te
index 341efdd..c19c5f1 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -1,5 +1,9 @@
-# call into healthd for callbacks
-binder_call(hal_health, healthd)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
# Read access to system files for HALs in
# /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index adfb5ae..b1bfdd8 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_ir, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index afcd0bd..dc5f6d0 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,8 @@
# HwBinder IPC from client to server
binder_call(hal_keymaster_client, hal_keymaster_server)
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
allow hal_keymaster tee_device:chr_file rw_file_perms;
allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 145b02e..5b93dd1 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_light, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
new file mode 100644
index 0000000..b2cc9cd
--- /dev/null
+++ b/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index d289ef7..a027c48 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -2,6 +2,9 @@
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
@@ -10,4 +13,4 @@
# Data file accesses.
allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/hal_power.te b/public/hal_power.te
new file mode 100644
index 0000000..fcba3d2
--- /dev/null
+++ b/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 567b0be..3cf3069 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,6 +1,9 @@
# HwBinder IPC from client to server
binder_call(hal_sensors_client, hal_sensors_server)
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
# Allow sensor hals to access ashmem memory allocated by apps
allow hal_sensors { appdomain -isolated_app }:fd use;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 704adc0..41cfd4b 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -1,3 +1,7 @@
-# Perform HwBinder IPC.
-binder_call(hal_telephony, radio)
-binder_call(hal_telephony, bluetooth)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index a59a978..b1764f1 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_thermal, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index aa85b92..7719cae 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -1,3 +1,6 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_tv_cec_client, hal_tv_cec_server)
binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5276ddf..31a0067 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -1,3 +1,6 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_tv_input_client, hal_tv_input_server)
binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 5c31c06..9cfd516 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_usb, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
allow hal_usb self:netlink_kobject_uevent_socket create;
allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 0d9d308..c8612d7 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,2 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 08102ad..3cb392d 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -1,2 +1,6 @@
-# call into system_server process
-binder_call(hal_vr, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e06d8f9..5e0b9bc 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -2,6 +2,9 @@
binder_call(hal_wifi_client, hal_wifi_server)
binder_call(hal_wifi_server, hal_wifi_client)
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
r_dir_file(hal_wifi, proc_net)
r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 49ce4fa..0f2540e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -2,6 +2,9 @@
binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/healthd.te b/public/healthd.te
index 8737dbe..c0a7bec 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -24,8 +24,6 @@
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)
-binder_call(healthd, hwservicemanager)
-binder_call(healthd, hal_health)
hal_client_domain(healthd, hal_health)
# Write to state file.
diff --git a/public/hwservice.te b/public/hwservice.te
index cf59629..2b1ffcf 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,2 +1,42 @@
-type default_android_hwservice, hwservice_manager_type;
-type hw_camera_provider_ICameraProvider, hwservice_manager_type;
+type default_android_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
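Review bot: `type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;` is the only HAL label in this list not named `hal_<name>_hwservice`, and the similar per-interface name `hw_camera_provider_ICameraProvider` is renamed in this same change; hal_configstore.te explains that configstore deliberately labels its services separately, so a comment on this line pointing to that rationale would stop it from being "fixed" by the next rename pass. A one-line header noting that these labels are the ones referenced from hwservice_contexts (per the domain.te comment on `{,hw,vnd}service_contexts`) would also help, since the file otherwise has no comments.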
diff --git a/public/init.te b/public/init.te
index e997e13..6d43ef4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -205,7 +205,13 @@
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
auditallow init {
dev_type
-alarm_device
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 9a2a9ee..2115663 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,7 +10,7 @@
# Execute /system/bin/applypatch
allow install_recovery system_file:file rx_file_perms;
-not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')
+not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
allow install_recovery toolbox_exec:file rx_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 774ba49..c5b45b4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -29,6 +29,8 @@
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
diff --git a/public/keystore.te b/public/keystore.te
index 378949a..2c31185 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -7,13 +7,6 @@
binder_service(keystore)
binder_call(keystore, system_server)
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-hwbinder_use(keystore)
-typeattribute keystore wifi_keystore_service_server;
-
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 3445c7a..771701c 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -8,10 +8,9 @@
# and use macro hal_server_domain
get_prop(mediacodec, hwservicemanager_prop)
-full_treble_only(`
- # on full-Treble devices, route all /dev/binder traffic to /dev/vndbinder
- vndbinder_use(mediacodec)
-')
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
not_full_treble(`
# on legacy devices, continue to allow /dev/binder traffic
binder_use(mediacodec)
@@ -34,6 +33,8 @@
crash_dump_fallback(mediacodec)
+add_hwservice(mediacodec, hal_omx_hwservice)
+
hal_client_domain(mediacodec, hal_allocator)
# allocate and use graphic buffers
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 8c9ef31..6efaf0f 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -95,6 +95,9 @@
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
@@ -126,6 +129,7 @@
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 499e2a9..f0df6a0 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -1,9 +1,12 @@
# perfprofd - perf profile collection daemon
+type perfprofd, domain;
type perfprofd_exec, exec_type, file_type;
userdebug_or_eng(`
- type perfprofd, domain, domain_deprecated, mlstrustedsubject, coredomain;
+ typeattribute perfprofd domain_deprecated;
+ typeattribute perfprofd coredomain;
+ typeattribute perfprofd mlstrustedsubject;
# perfprofd needs to control CPU hot-plug in order to avoid kernel
# perfevents problems in cases where CPU goes on/off during measurement;
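Review bot: `type perfprofd, domain;` is hoisted out of `userdebug_or_eng` without the explanatory comment that the parallel su.te change carries (`# All types must be defined regardless of build variant to ensure policy compilation succeeds ...`); add the same comment here so an unconditional type on user builds is not mistaken for an accidental grant. The userdebug_or_eng block continues past the hunk.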
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index b66c927..0ce617b 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -7,6 +7,7 @@
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
allow postinstall_dexopt postinstall_file:lnk_file read;
allow postinstall_dexopt proc:file { getattr open read };
diff --git a/public/radio.te b/public/radio.te
index 8c3c6a5..f5604fd 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -37,5 +37,4 @@
# Perform HwBinder IPC.
hwbinder_use(radio)
-binder_call(radio, hal_telephony)
hal_client_domain(radio, hal_telephony)
diff --git a/public/servicemanager.te b/public/servicemanager.te
index bba9c6e..3cf5a46 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,7 +9,12 @@
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+ domain
+ -init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
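Review bot: The two new exclusions `-hwservicemanager` and `-vndservicemanager` carry no comment; the surrounding text explains servicemanager's transfer role but not why the other two context managers are carved out. A line such as `# the hw/vnd context managers never exchange binder references with servicemanager — confirm` (reason inferred) would record the intent next to the rule.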
# Access to all (system and vendor) service_contexts
# TODO(b/36866029) access to nonplat_service_contexts
diff --git a/public/shell.te b/public/shell.te
index fd0f2ef..1fb896a 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -75,6 +75,9 @@
# Read device's serial number from system properties
get_prop(shell, serialno_prop)
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
diff --git a/public/su.te b/public/su.te
index 47349d8..8ddd162 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,3 +1,7 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;
@@ -5,7 +9,7 @@
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
- type su, domain, mlstrustedsubject;
+ typeattribute su mlstrustedsubject;
# Add su to various domains
net_domain(su)
diff --git a/public/te_macros b/public/te_macros
index beec546..e1c46c9 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -77,7 +77,7 @@
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write };
+allow $1 $1_tmpfs:file { read write getattr };
allow $1 tmpfs:dir { getattr search };
')
@@ -509,6 +509,7 @@
# others from adding it.
define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
')
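Review bot: `allow $1 hidl_base_hwservice:hwservice_manager add;` gives every caller of add_hwservice an `add` on a shared label, but the macro's header comment (above the hunk) still describes the macro as granting add/find on `$2` only. A why-comment on the new line, e.g. `# presumably hwservicemanager also registers each service under its base interface name, so servers need add on hidl_base_hwservice — confirm`, would document the intent. It is also worth stating that this grant is paired with `neverallow * hidl_base_hwservice:hwservice_manager find;` in domain.te, so registration under the base name is permitted while lookup of it is not.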
diff --git a/public/vndservice.te b/public/vndservice.te
new file mode 100644
index 0000000..0d309bf
--- /dev/null
+++ b/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index b288ea7..26ce144 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -173,9 +173,6 @@
}
}
- if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))
- fprintf(stderr, "Warning! Empty type set\n");
-
*ptr = p;
return 0;
err:
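Review bot: Removing the "Empty type set" warning outright drops the only visible diagnostic for a neverallow whose type set resolves to nothing; such a rule silently checks nothing, which is exactly the case a policy author wants to hear about. If the reason is that empty attribute sets are now expected (for example attributes with no members in a split policy), I would say so in place of the deleted lines, e.g. `/* Empty type sets are not flagged: attributes may legitimately have no members in this policy. */`, or keep the message behind the existing `warn` flag rather than deleting it. If this was the only use of `warn`, that parameter is now dead and should be dropped or re-purposed. The enclosing function starts and ends outside the hunk.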
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 9c38819..0dc2170 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,4 +6,3 @@
hal_client_domain(hal_audio_default, hal_allocator)
-typeattribute hal_audio_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8f86a27..239e5c1 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,3 +3,5 @@
type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
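Review bot: The new `find` rule has no comment saying what the camera HAL needs from `fwk_sensor_hwservice`; the same applies to the `fwk_scheduler_hwservice` rule added to hal_sensors_default.te later in this patch. Vendor HAL domains reaching into framework hwservices are cross-boundary access that reviewers need to justify per rule, so a short note on each line would help, e.g. `# camera HAL looks up the framework sensor hwservice` (hedged: the exact use is not visible here). The rule as written grants only `find`; whether the subsequent binder call is already allowed by an existing macro is not visible in the hunk.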
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index 6a1002f..c13baa7 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -3,5 +3,3 @@
type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_nfc_default)
-
-typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 5ba4aab..8379c82 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -3,3 +3,5 @@
type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 62b03be..8d7069c 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -10,4 +10,5 @@
# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 0000000..4cca2fb
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1 @@
+* u:object_r:default_android_vndservice:s0
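Review bot: The only entry in the new file is the wildcard, so every vendor service name resolves to `default_android_vndservice` and is indistinguishable from every other in policy; any vendor service that should get its own access control needs a specific entry placed before this line. A leading comment would make that explicit for the next editor, e.g. `# Fallback label for any vndservice not listed above; add specific entries before this line.` It is not visible here whether any neverallow constrains which domains may `add` under `default_android_vndservice`, which is the check that keeps the catch-all from becoming a free-for-all.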