Merge "Further lock down access to services from ephemeral apps" into oc-dev
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index def8759..4e511a8 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,8 @@
typeattribute mediadrmserver coredomain;
init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
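Review bot: The `auditallow mediadrmserver hal_graphics_allocator_server:binder call;` on the last added line carries no comment saying what it is checking for or when it can be removed, so the next reader cannot tell whether the corresponding allow is expected to stay. An auditallow only logs accesses that are also allowed, so presumably the intent is to learn whether mediadrmserver still reaches the allocator over regular binder rather than hwbinder; I would state that and tie it to a tracking bug, e.g. `# TODO(<bug id>): audit plain-binder calls to the graphics allocator; drop the audit (or the allow) once the data is in`. The sibling hunk in private/mediaserver.te adds the same hal_client_domain line without any auditallow, so either the audit should be mirrored there or the asymmetry explained.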
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4b510a5..08c3f9b 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,6 @@
typeattribute mediaserver coredomain;
init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 2d9ec8b..abc21a7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -11,3 +11,8 @@
; typeattribute hal_allocator_client halclientdomain;
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
(typeattributeset halclientdomain (hal_allocator_client))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
diff --git a/public/domain.te b/public/domain.te
index 97d6a11..bd5cb89 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -445,16 +445,46 @@
neverallow {
domain
-coredomain
+ -appdomain # restrictions for vendor apps are declared lower down
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } service_manager_type:service_manager find;
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+ -app_api_service
+ -ephemeral_app_api_service
+ -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+ -cameraserver_service
+ -drmserver_service
+ -keystore_service
+ -mediacasserver_service
+ -mediadrmserver_service
+ -mediaextractor_service
+ -mediametrics_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -vr_manager_service
+ }:service_manager find;
+ neverallow {
+ domain
+ -coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} servicemanager:binder { call transfer };
+')
- ##
- # On full TREBLE devices core android components and vendor components may
- # not directly access each other data types. All communication must occur
- # over HW binder. Open file descriptors may be passed and read/write/stat
- # operations my be performed on those FDs. Disallow all other operations.
- #
+##
+# On full TREBLE devices core android components and vendor components may
+# not directly access each other's data types. All communication must occur
+# over HW binder. Open file descriptors may be passed and read/write/stat
+# operations my be performed on those FDs. Disallow all other operations.
+full_treble_only(`
# do not allow vendor component access to coredomains data types
neverallow {
domain
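Review bot: The vendor-app neverallow's exemption list (audioserver_service through vr_manager_service) is hand-maintained, and the only marker that it is temporary is the trailing comment on the audioserver_service line, which is easy to lose when the list is next edited. I would move that into a standalone comment above the list, e.g. `# TODO(b/36783122): the service-specific exemptions below are temporary; fold them into app_api_service and remove`, and fix `permited` in the comment two lines above. The restriction is written as `appdomain -coredomain`, so any app domain that is not a coredomain is treated as a vendor app; if that is the intended definition it is worth saying so in the comment, since the surrounding text speaks of vendor apps while the change title speaks of ephemeral apps. All three neverallow rules sit inside a full_treble_only block whose opening line is above the hunk.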
@@ -479,7 +509,6 @@
-appdomain
-coredata_in_vendor_violators
} system_data_file:dir ~search;
-
')
# On full TREBLE devices, socket communications between core components and vendor components are
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index e9679de..46fd9d7 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -12,9 +12,6 @@
allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-# Access to config files to look for a Bluetooth address
-r_dir_file(hal_bluetooth, bluetooth_data_file)
-
# sysfs access.
r_dir_file(hal_bluetooth, sysfs_type)
allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index ecbe280..721f624 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -22,13 +22,15 @@
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_graphics_allocator:fd use;
allow mediacodec hal_camera:fd use;
crash_dump_fallback(mediacodec)
hal_client_domain(mediacodec, hal_allocator)
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to mediacodec via Binder and talks to bufferhubd
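Review bot: The removed `allow mediacodec hal_graphics_allocator:fd use;` is only safe to drop if `hal_client_domain(mediacodec, hal_graphics_allocator)` grants equivalent fd use toward the allocator server; nothing in this hunk says so, and a reader cannot verify it from this file. I would extend the new comment to `# allocate and use graphic buffers (hal_client_domain also covers the former fd-use rule)` if that holds, or keep the explicit fd rule otherwise. The same macro is added in private/mediadrmserver.te and private/mediaserver.te with the same one-line comment, so whichever wording is chosen should be applied to all three.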
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 398d413..969c1a5 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,9 @@
crash_dump_fallback(mediaextractor)
+# allow mediaextractor read permissions for file sources
+allow mediaextractor media_rw_data_file:file { getattr read };
+
###
### neverallow rules
###
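Review bot: The new `allow mediaextractor media_rw_data_file:file { getattr read };` grants read on a data type mediaextractor did not previously touch, and the comment `# allow mediaextractor read permissions for file sources` does not say why only getattr and read (not open or dir search) are needed. Presumably the file is opened by the caller and the descriptor is handed over binder, so mediaextractor only operates on an already-open fd; if so I would say that explicitly, e.g. `# read from already-open media_rw_data_file fds handed over by the caller; open/search are deliberately not granted`, so nobody later widens it to open. Since mediaextractor is where untrusted container parsing happens, the property worth documenting is that the grant stays read-only on passed descriptors.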
diff --git a/public/runas.te b/public/runas.te
index 19e30e8..046165d 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -23,6 +23,10 @@
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index 54f2abf..e32770d 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -3,11 +3,3 @@
type hal_bluetooth_default_exec, exec_type, file_type;
init_daemon_domain(hal_bluetooth_default)
-
-# Logging for backward compatibility
-allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
-allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
-
-# TODO (b/36602160) Remove hal_bluetooth's access to the Bluetooth app's
-# data type. Remove coredata_in_vendor_violators attribute.
-typeattribute hal_bluetooth_default coredata_in_vendor_violators;