Merge "Allow GMSCore to call dumpsys storaged" into oc-dev
diff --git a/Android.mk b/Android.mk
index 7c75f9d..03970b7 100644
--- a/Android.mk
+++ b/Android.mk
@@ -474,7 +474,7 @@
$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
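Review bot: `-G` is added to the precompiled-policy secilc invocation without a comment, and the other secilc invocations in this Makefile lie outside the hunk, so it is not visible whether they were updated to match; presumably the on-device compilation done by init has to use the same flags, or the precompiled policy will not correspond to the one built at boot — confirm. Suggest a comment on the line: `# -G: expand CIL-generated attributes; must match the flags init uses when compiling the split policy on device.` The rule header on the line above also continues from before the hunk.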
@@ -979,6 +979,70 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := plat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
+
+plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
+$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
+$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+plat_hwsvcfiles :=
+plat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := nonplat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
+$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
+$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+nonplat_hwsvcfiles :=
+nonplat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vndservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
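Review bot: `$(ACP)` is listed as a prerequisite of both `$(LOCAL_BUILT_MODULE)` rules but never used in their recipes, and the validation step runs after the output has already been written to `$@`, so a checkfc failure leaves an unvalidated contexts file behind unless the surrounding build sets `.DELETE_ON_ERROR` (not visible here). Writing to a temp file and moving it only after checkfc passes makes the validated file the only thing that ever lands at `$@`: `sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@.tmp`, `$(hide) mv -f $@.tmp $@`. The plat recipe also lacks the `$(hide)` on its checkfc line that the nonplat recipe has, and the two modules are otherwise identical apart from their policy-source lists, so a shared define would keep them from drifting further.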
diff --git a/private/access_vectors b/private/access_vectors
index dcd86c2..6b08d9e 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -702,6 +702,7 @@
clear_uid
add_auth
user_changed
+ gen_unique_id
}
class drmservice {
diff --git a/private/domain.te b/private/domain.te
index 6f8814e..d37a0bd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -13,3 +13,6 @@
-system_server
userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
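Review bot: The neverallow restricts `gen_unique_id` to the whole `priv_app` domain, i.e. every app installed as a privileged app, not specifically GMS core as the priv_app.te comment suggests; the comment here should say so, because an attestation carrying a hardware-unique device ID is a persistent identifier. Suggest `# Only priv_app may request key attestations carrying a hardware-unique device ID; this covers every privileged app, and any narrowing to particular apps presumably has to happen outside SELinux policy.` The allow in private/priv_app.te targets `keystore` while this neverallow targets `*`; that is consistent (the neverallow is broader) but worth a word so nobody "fixes" it. The preceding sys_ptrace neverallow block starts before this hunk.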
diff --git a/private/file_contexts b/private/file_contexts
index aa89601..c31ec06 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -51,7 +51,9 @@
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
##########################
@@ -252,6 +254,7 @@
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
@@ -280,6 +283,7 @@
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
new file mode 100644
index 0000000..9330041
--- /dev/null
+++ b/private/hwservice_contexts
@@ -0,0 +1,2 @@
+android.hardware.camera.provider::ICameraProvider u:object_r:hw_camera_provider_ICameraProvider:s0
+* u:object_r:default_android_hwservice:s0
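Review bot: The catch-all entry gives every hwservice not named above one shared label, and since public/domain.te currently grants all domains add and find on it, the label provides no isolation between HALs for now; that should be recorded in the file, and comments are supported because the sed step in Android.mk strips `#` to end of line. Suggest above the wildcard: `# Catch-all: any hwservice not listed above gets default_android_hwservice. Until the per-service neverallows in add_hwservice are enabled (b/34454312) this label offers no protection; give each HAL its own label instead of relying on it.` A one-line header describing the key format (`package::IInterface`) would also help vendor authors of nonplat_hwservice_contexts.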
diff --git a/private/priv_app.te b/private/priv_app.te
index da7581c..4ce142f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -118,6 +118,9 @@
# TODO: narrow this to just MediaProvider
allow priv_app mnt_media_rw_file:dir search;
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
read_runtime_log_tags(priv_app)
###
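Review bot: The comment understates the scope: this grants every priv_app, not only GMS core, the ability to obtain attestations containing a hardware-unique device ID, which is a persistent identifier. Suggest `# Allow privileged apps (e.g. GMS core) to request key attestations that include a hardware-unique device ID. This applies to all priv_app, not just GMS core; the matching neverallow lives in private/domain.te.` The target here is `keystore` while that neverallow uses `*`, which is consistent but worth stating in the comment.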
diff --git a/private/system_server.te b/private/system_server.te
index a4fa493..2711a8c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -197,11 +197,6 @@
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
-# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
-# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
-# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
-typeattribute system_server socket_between_core_and_vendor_violators;
-
hal_client_domain(system_server, hal_wifi_supplicant)
# Talk to tombstoned to get ANR traces.
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d1b55cf..46083f5 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,6 +8,8 @@
binder_service(cameraserver)
hal_client_domain(cameraserver, hal_camera)
+allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
+
hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms;
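Review bot: This explicit `find` is currently redundant because public/domain.te grants every domain `{ add find }` on all hwservice_manager_type labels, so without a comment it reads as dead policy; it only becomes effective once that blanket rule is removed. Suggest `# Look up the camera provider HAL by name; explicit so the lookup keeps working after the blanket grant in domain.te (b/34454312) is removed.`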
diff --git a/public/domain.te b/public/domain.te
index 2a27ad9..91e1671 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -212,6 +212,10 @@
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+# TODO(b/34454312) remove this when the correct policy is in place
+allow domain default_android_hwservice:hwservice_manager { add find };
+allow domain hwservice_manager_type:hwservice_manager { add find };
+
###
### neverallow rules
###
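Review bot: The two blanket rules grant every domain, including app domains, `add` on every hwservice label, so any process can register itself under a HAL's name and be handed to clients that `find` it; the TODO acknowledges this is temporary, but nothing in this change bounds it while b/34454312 is open. At minimum `add` should be withheld from app domains with a neverallow beside these rules, and the comment should spell out the consequence, e.g. `# NOTE: until this is removed, hwservice labels provide no isolation: any domain may add or find any hwservice.` The `default_android_hwservice` rule is also subsumed by the `hwservice_manager_type` rule, since public/hwservice.te declares that type with the attribute, so one of the two lines is redundant.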
diff --git a/public/file.te b/public/file.te
index 8133401..35bbd6d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -296,6 +296,9 @@
# service_contexts file
type service_contexts_file, file_type;
+# hwservice_contexts file
+type hwservice_contexts_file, file_type;
+
# vndservice_contexts file
type vndservice_contexts_file, file_type;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index b05239b..a00bf9f 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,6 +2,8 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
+add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+
# access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms;
allow hal_camera camera_data_file:file create_file_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
new file mode 100644
index 0000000..cf59629
--- /dev/null
+++ b/public/hwservice.te
@@ -0,0 +1,2 @@
+type default_android_hwservice, hwservice_manager_type;
+type hw_camera_provider_ICameraProvider, hwservice_manager_type;
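Review bot: The two new types follow different naming schemes — `default_android_hwservice` uses a `_hwservice` suffix while `hw_camera_provider_ICameraProvider` embeds the HIDL interface name with its case — and since every HAL will need a label here, settling one convention now avoids churn; `hal_camera_hwservice` would match the `hal_camera` domain it pairs with in public/hal_camera.te. A short header comment stating that every label in this file must carry `hwservice_manager_type`, because the rules in public/domain.te and su.te key on that attribute, would also help.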
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 20a7229..1ffd2a6 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -15,6 +15,8 @@
# Scan through /system/lib64/hw looking for installed HALs
allow hwservicemanager system_file:dir r_dir_perms;
-# TODO once hwservicemanager checks whether HALs are
-# allowed to register a certain service, add policy here
-# for allowing to check SELinux permissions.
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/public/shell.te b/public/shell.te
index cb1a086..fd0f2ef 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -86,6 +86,7 @@
# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
diff --git a/public/su.te b/public/su.te
index f410c4d..77fd071 100644
--- a/public/su.te
+++ b/public/su.te
@@ -40,6 +40,8 @@
dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su vndservice_manager_type:vndservice_manager *;
dontaudit su servicemanager:service_manager list;
+ dontaudit su hwservicemanager:hwservice_manager list;
+ dontaudit su vndservicemanager:vndservice_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
diff --git a/public/te_macros b/public/te_macros
index 020bdc5..b931f1e 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -175,15 +175,17 @@
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
-# TODO(b/34170079): Make the inclusion of the rules below conditional,
-# once we know at build time whether a HAL is going to run in
-# passthrough or binderized mode.
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute };
')
+')
#####################################
# passthrough_hal_client_domain(domain, hal_type)
@@ -500,6 +502,17 @@
neverallow { domain -$1 } $2:service_manager add;
')
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+# TODO(b/34454312): Uncomment the neverallow once issues on user builds are resolved
+# neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
##########################################
# print a message with a trailing newline
# print(`args')
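Review bot: The macro's doc comment promises a neverallow that the body does not emit, so users of `add_hwservice` get a false sense of exclusivity while that line stays commented out. Suggest replacing the description with `# Ability for domain to add a service to hwservice_manager and find it. NOTE: the exclusivity neverallow is temporarily disabled (b/34454312), so other domains can still add $2 until it is re-enabled.` A commented-out policy line is also easy to overlook; the TODO should state that the neverallow must be restored before the blanket `{ add find }` grant in public/domain.te is removed, since the two together are what currently lets any domain register any hwservice.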