Add minTargetSdkVersion input selector to seapp_contexts
am: f54b3622c7

Change-Id: I0a304ed2b5591e58b0e39b37cb9fb8f392fe663b
diff --git a/README b/README
index a3c75b8..0cc8e30 100644
--- a/README
+++ b/README
@@ -26,7 +26,7 @@
 For example, if you have 2 instances of widget.te files in the
 BOARD_SEPOLICY_DIRS search path, then the first one found (at the
 first search dir containing the file) will be concatenated first.
-Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
+Reviewing out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf
 will help sort out ordering issues.
 
 Example BoardConfig.mk Usage:
diff --git a/private/app.te b/private/app.te
index e0fb6f1..b009d98 100644
--- a/private/app.te
+++ b/private/app.te
@@ -158,6 +158,11 @@
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
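Review bot: `hwbinder_use(appdomain)` and `hwallocator_use(appdomain)` grant every app domain HwBinder and HAL-allocator access while the TODO on b/34454312 says only the mediacodec service should be reachable; nothing in the hunk narrows which hardware services an app can look up or call, so the interim exposure is whatever set of HALs the macro reaches, and that should be stated rather than implied. I would extend the comment to `# TODO(b/34454312): only allow getting and talking to mediacodec service.` followed by `# Until then every appdomain (including untrusted apps) can reach any HAL the hwbinder_use macro permits.` What the two macros expand to is not visible here, so the exact reach should be confirmed against their definitions before this ships. If there is a subset of appdomain that should not get this (isolated apps, for example), an explicit exclusion or a neverallow documenting the intended ceiling would keep later changes from widening it silently.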
diff --git a/private/file_contexts b/private/file_contexts
index 812ae5a..31e813e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -246,32 +246,7 @@
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
-/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
-/system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
-/system/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
-/system/bin/hw/android\.hardware\.configstore@1\.0-service    u:object_r:hal_configstore_default_exec:s0
-/system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
-/system/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
-/system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
-/system/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
-/system/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
-/system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
-/system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
-/system/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
-/system/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
-/system/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
-/system/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
-/system/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
-/system/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
-/system/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
-/system/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
-/system/bin/hw/android\.hardware\.thermal@1\.0-service        u:object_r:hal_thermal_default_exec:s0
-/system/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
-/system/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
-/system/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
-/system/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /system/bin/hw/android\.hidl\.memory@1\.0-service             u:object_r:hal_allocator_exec:s0
 
 #############################
diff --git a/private/init.te b/private/init.te
index d495d54..8a6dcea 100644
--- a/private/init.te
+++ b/private/init.te
@@ -17,3 +17,8 @@
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
 ')
+
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit init sysfs:dir write;
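Review bot: The justification on the new `dontaudit` reads as if the write were being permitted, but `dontaudit` only suppresses the denial log; the access is still refused, and the comment should say so to avoid a later reader "fixing" it into an allow. I would reword it to `# Directory write on sysfs would mean creating an entry, which the kernel does not allow, so the denial is harmless noise; dontaudit only hides the log, the write is still denied.` Silencing `sysfs:dir write` for all of init also hides any future case where init attempts to create a sysfs entry for a different reason, so keeping the b/35303861 reference is worth it so the rule can be revisited once that bug is resolved.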
diff --git a/private/system_server.te b/private/system_server.te
index 30fe3e2..cba1ab3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -179,6 +179,7 @@
 
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
+hwallocator_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 9f07d85..6b4d677 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -18,6 +18,11 @@
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;
 
+# hidl access
+hwbinder_use(mediacodec)
+hwallocator_use(mediacodec)
+allow mediacodec system_file:dir { open read };
+
 ###
 ### neverallow rules
 ###
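Review bot: `allow mediacodec system_file:dir { open read };` sits under the `# hidl access` comment, but that comment only explains the two macro lines above it; a directory read on system_file is a separate grant and needs its own why-comment naming what is being listed. Nothing in the hunk shows which directory mediacodec reads (a passthrough HAL lookup would be a guess), so I would add a comment such as `# Read directory listings under /system (needed for <reason>; confirm against the denial that motivated this)` with the actual reason filled in, or drop the rule if it was added speculatively. The mediaserver and system_server hunks in this same commit get the hwbinder/hwallocator lines without this extra dir rule, which suggests it is mediacodec-specific and worth recording.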
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 16b8013..fa47288 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -132,6 +132,10 @@
 
 allow mediaserver system_server:fd use;
 
+# hidl access
+hwbinder_use(mediaserver)
+hwallocator_use(mediaserver)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/shell.te b/public/shell.te
index fb40b95..0e55f84 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -86,7 +86,7 @@
 allow shell dumpstate:binder call;
 
 # allow shell to get information from hwservicemanager
-# for instance, listing hardware services with dumpsys
+# for instance, listing hardware services with lshal
 hwbinder_use(shell)
 
 # allow shell to look through /proc/ for ps, top, netstat
diff --git a/vendor/file_contexts b/vendor/file_contexts
new file mode 100644
index 0000000..7fc467e
--- /dev/null
+++ b/vendor/file_contexts
@@ -0,0 +1,28 @@
+#############################
+# Default HALs
+#
+/vendor/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
+/vendor/bin/hw/android\.hardware\.configstore@1\.0-service    u:object_r:hal_configstore_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
+/vendor/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
+/vendor/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
+/vendor/bin/hw/android\.hardware\.thermal@1\.0-service        u:object_r:hal_thermal_default_exec:s0
+/vendor/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
+/vendor/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
+/vendor/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
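Review bot: The new file has no header explaining its scope: it labels only the AOSP default HAL implementations, and a vendor HAL binary under /vendor/bin/hw that is not listed here will get whatever label the generic /vendor rules assign, which means it would run without its dedicated hal_* domain. I would add after `# Default HALs` a line such as `# Device-specific HAL services that replace or add to these must be labeled in the device's own file_contexts.` The bluetooth@1.0 and hidl.memory@1.0 services stay labeled under /system/bin/hw in private/file_contexts rather than moving here; if those binaries are also being relocated to /vendor they would currently lose their labels, so the reason for that split is worth a sentence in the header or the commit message.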