Merge "Give system_server access to last reboot reason" into oc-dev
diff --git a/Android.mk b/Android.mk
index 1281695..dd37341 100644
--- a/Android.mk
+++ b/Android.mk
@@ -305,24 +305,15 @@
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
-$(plat_policy_nvr): PRIVATE_ADDITIONAL_CIL_FILES := \
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr)
- @mkdir -p $(dir $@)
- # Strip out neverallow statements. They aren't needed on-device and their presence
- # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
- # sailfish-eng).
- grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
- # Confirm that the resulting policy compiles
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
built_plat_cil := $(LOCAL_BUILT_MODULE)
plat_policy.conf :=
@@ -363,16 +354,13 @@
ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
-mapping_policy_nvr := $(current_mapping.cil)
+mapping_policy := $(current_mapping.cil)
else
-mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
+mapping_policy := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
endif
-$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr)
- # Strip out neverallow statements. They aren't needed on-device and their presence
- # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
- # sailfish-eng).
- grep -v '^(neverallow' $< > $@
+$(LOCAL_BUILT_MODULE): $(mapping_policy) $(ACP)
+ $(hide) $(ACP) $< $@
built_mapping_cil := $(LOCAL_BUILT_MODULE)
current_mapping.cil :=
@@ -434,25 +422,15 @@
$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-nonplat_policy_nvr := $(intermediates)/nonplat_policy_nvr.cil
-$(nonplat_policy_nvr) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(nonplat_policy_nvr) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
-$(nonplat_policy_nvr) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
-$(HOST_OUT_EXECUTABLES)/version_policy
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
+$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil)
@mkdir -p $(dir $@)
$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NONPLAT_CIL_FILES := $(nonplat_policy_nvr)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(nonplat_policy_nvr) $(built_plat_cil) \
-$(built_mapping_cil)
- @mkdir -p $(dir $@)
- # Strip out neverallow statements. They aren't needed on-device and their presence
- # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
- # sailfish-eng).
- grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
- # Confirm that the resulting policy compiles combined with platform and mapping policies
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
built_nonplat_cil := $(LOCAL_BUILT_MODULE)
@@ -508,9 +486,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
all_cil_files := \
- $(plat_policy_nvr) \
- $(mapping_policy_nvr) \
- $(nonplat_policy_nvr) \
+ $(built_plat_cil) \
+ $(built_mapping_cil) \
+ $(built_nonplat_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@@ -1152,10 +1130,8 @@
built_sepolicy :=
built_plat_svc :=
built_nonplat_svc :=
-mapping_policy_nvr :=
+mapping_policy :=
my_target_arch :=
-nonplat_policy_nvr :=
-plat_policy_nvr :=
plat_pub_policy.cil :=
reqd_policy_mask.cil :=
sepolicy_build_files :=
diff --git a/private/access_vectors b/private/access_vectors
index 6b08d9e..74cf530 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,13 +675,6 @@
list
}
-class vndservice_manager
-{
- add
- find
- list
-}
-
class keystore_key
{
get_state
diff --git a/private/app.te b/private/app.te
index 2fddb44..d44cc88 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,6 +69,9 @@
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
# App sandbox file accesses.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
@@ -81,14 +84,18 @@
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
@@ -173,9 +180,11 @@
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
-# hidl access for mediacodec
-# TODO(b/34454312): only allow getting and talking to mediacodec service
-hwbinder_use(appdomain)
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
@@ -270,18 +279,15 @@
# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-# Allow app to access the graphic allocator HAL
-binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
-
# Allow app access to mediacodec (IOMX HAL)
binder_call({ appdomain -isolated_app }, mediacodec)
-# App can access configstore HAL which is read only
-binder_call({ appdomain -isolated_app }, hal_configstore)
-
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68..0917724 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -21,6 +21,10 @@
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow all_untrusted_apps property_socket:sock_file write;
@@ -87,6 +91,9 @@
')
}:dir_file_class_set { create unlink };
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
# Do not allow untrusted apps to directly open tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
@@ -98,9 +105,68 @@
# Create a more specific label if needed
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, many
+# HwBinder services either operate at a level below that of apps (e.g., HALs)
+# or must not rely on app identity for authorization. Thus, to be safe, the
+# default assumption is that every HwBinder service treats all its clients as
+# equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+# incidence rate of security issues than system/core components and have
+# access to lower layes of the stack (all the way down to hardware) thus
+# increasing opportunities for bypassing the Android security model.
+neverallow all_untrusted_apps {
+ hwservice_manager_type
+ # Same process services are safe because they by definition run in the process
+ # of the client and thus have the same access as the client domain in which
+ # the process runs
+ -same_process_hwservice
+ -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+ -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+ # These operations are also offered by surfaceflinger Binder service which
+ # apps are permitted to access
+ -hal_graphics_allocator_hwservice
+ # HwBinder version of mediacodec Binder service which apps were permitted to
+ # access
+ -hal_omx_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+ coredomain_hwservice
+ -same_process_hwservice
+ -hidl_allocator_hwservice # Designed for use by any domain
+ -hidl_manager_hwservice # Designed for use by any domain
+ -hidl_memory_hwservice # Designed for use by any domain
+ -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+ neverallow all_untrusted_apps {
+ halserverdomain
+ -coredomain
+ -hal_configstore_server
+ -hal_graphics_allocator_server
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ }:binder { call transfer };
+')
diff --git a/private/audioserver.te b/private/audioserver.te
index b5bfe39..9119daa 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -39,6 +39,12 @@
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
###
### neverallow rules
###
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d05a21f..1c0e14f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -33,6 +33,9 @@
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
@@ -54,8 +57,10 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
hal_client_domain(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
hal_client_domain(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth)
@@ -67,6 +72,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/private/dumpstate.te b/private/dumpstate.te
index cbdfbc6..b8f8152 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -5,6 +5,9 @@
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
# TODO: deal with tmpfs_domain pub/priv split properly
allow dumpstate dumpstate_tmpfs:file execute;
diff --git a/private/file_contexts b/private/file_contexts
index 66daf03..2879265 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -364,6 +364,7 @@
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
@@ -495,6 +496,28 @@
/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
+###########################################
+# debug-only tracing
+#
+/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
+
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index d4bdef9..9dcd3ee 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -8,3 +8,6 @@
# Used to wait for hwservicemanager
get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9330041..ecac57e 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,2 +1,49 @@
-android.hardware.camera.provider::ICameraProvider u:object_r:hw_camera_provider_ICameraProvider:s0
-* u:object_r:default_android_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 627b93f..a43eb02 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,6 @@
typeattribute hwservicemanager coredomain;
init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/private/keystore.te b/private/keystore.te
index 6aa8884..a9647c6 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,10 @@
typeattribute keystore coredomain;
init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 08c3f9b..a9b85be 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -4,3 +4,7 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..fd4634a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@
allow platform_app preloads_media_file:dir r_dir_perms;
read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/priv_app.te b/private/priv_app.te
index bb7598e..065ea1a 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -82,6 +82,9 @@
r_dir_file(priv_app, proc)
r_dir_file(priv_app, rootfs)
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
diff --git a/private/security_classes b/private/security_classes
index 5685bd6..02e3ef2 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -137,9 +137,6 @@
# hardware service manager # userspace
class hwservice_manager
-# vendor service manager # userspace
-class vndservice_manager
-
# Keystore Key
class keystore_key # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 8ba1b0c..d8d846f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -22,7 +22,7 @@
commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
-companion_device u:object_r:companion_device_service:s0
+companiondevice u:object_r:companion_device_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
diff --git a/private/shell.te b/private/shell.te
index c24bfd3..c0b4ee5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -7,6 +7,10 @@
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
+userdebug_or_eng(`
+ allow shell tracing_shell_writable_debug:file rw_file_perms;
+')
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 9f5e4fa..8e5892b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -10,12 +10,11 @@
read_runtime_log_tags(surfaceflinger)
# Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
hal_client_domain(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_graphics_composer)
-binder_call(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
binder_use(surfaceflinger)
@@ -53,6 +52,9 @@
allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101..7950044 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@
control_logd(system_app)
read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/private/system_server.te b/private/system_server.te
index 7a7ba59..7e644a5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -102,6 +102,7 @@
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
@@ -171,36 +172,26 @@
binder_call(system_server, wificond)
binder_service(system_server)
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
+# Use HALs
hal_client_domain(system_server, hal_allocator)
-binder_call(system_server, hal_contexthub)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss)
hal_client_domain(system_server, hal_gnss)
-binder_call(system_server, hal_graphics_allocator)
-binder_call(system_server, hal_ir)
+hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_ir)
-binder_call(system_server, hal_light)
hal_client_domain(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
hal_client_domain(system_server, hal_memtrack)
-binder_call(system_server, hal_power)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
-binder_call(system_server, hal_usb)
hal_client_domain(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
-
hal_client_domain(system_server, hal_wifi_supplicant)
binder_call(system_server, mediacodec)
@@ -208,9 +199,19 @@
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
# Send signals to trigger ANR traces.
allow system_server {
# This is derived from the list that system server defines as interesting native processes
@@ -232,6 +233,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_graphics_composer_server
hal_vr_server
mediacodec # TODO(b/36375899): hal_omx_server
}:process { signal };
@@ -349,6 +351,10 @@
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
@@ -631,7 +637,6 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;
r_dir_file(system_server, proc)
r_dir_file(system_server, proc_meminfo)
@@ -639,9 +644,6 @@
r_dir_file(system_server, rootfs)
r_dir_file(system_server, sysfs_type)
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
### Rules needed when Light HAL runs inside system_server process.
### These rules should eventually be granted only when needed.
allow system_server sysfs_leds:lnk_file read;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index abc21a7..ccbae10 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,16 @@
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
(typeattributeset halclientdomain (hal_allocator_client))
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
; Domains hosting Camera HAL implementations are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute hal_camera hal_allocator_client;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 73aa79e..fc80129 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,7 +2,8 @@
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
-### ephemeral apps.
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
@@ -17,6 +18,8 @@
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
# Legacy text relocations
allow untrusted_app_all apk_data_file:file execmod;
@@ -93,3 +96,11 @@
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
allow untrusted_app_all preloads_media_file:file r_file_perms;
allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
index 51d2420..053c03d 100644
--- a/private/vr_hwc.te
+++ b/private/vr_hwc.te
@@ -2,3 +2,5 @@
# Daemon started by init.
init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/public/attributes b/public/attributes
index adad87f..f2ae06f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -94,6 +94,14 @@
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 2a243cc..0dd4a80 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,7 +8,6 @@
binder_service(cameraserver)
hal_client_domain(cameraserver, hal_camera)
-allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
hal_client_domain(cameraserver, hal_graphics_allocator)
@@ -27,6 +26,8 @@
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
###
### neverallow rules
###
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 2fb2336..cc8111f 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -27,7 +27,8 @@
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
allow dex2oat user_profile_data_file:file { getattr read lock };
# Allow dex2oat to compile app's secondary dex files which were reported back to
@@ -42,6 +43,7 @@
allow dex2oat postinstall_dexopt:fd use;
allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file read;
# Allow dex2oat access to files in /data/ota.
diff --git a/public/dhcp.te b/public/dhcp.te
index c18b08d..22351ed 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -9,6 +9,7 @@
allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
allow dhcp toolbox_exec:file rx_file_perms;
diff --git a/public/domain.te b/public/domain.te
index e75ce1a..c48950d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -212,14 +212,12 @@
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-# TODO(b/34454312) remove this when the correct policy is in place
-allow domain default_android_hwservice:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
###
### neverallow rules
@@ -423,12 +421,23 @@
neverallow { domain -recovery } contextmount_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-# Do not allow service_manager add for default_android_service.
+# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
-# from service name to service_type are defined in service_contexts.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add;
+neverallow * default_android_vndservice:service_manager { add find };
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
@@ -535,6 +544,8 @@
-nfc_service
-radio_service
-surfaceflinger_service
+ -virtual_touchpad_service
+ -vr_hwc_service
-vr_manager_service
}:service_manager find;
neverallow {
@@ -545,6 +556,27 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
@@ -658,6 +690,7 @@
-appdomain
-idmap
-init
+ -installd
-system_server
-zygote
} vendor_overlay_file:dir { getattr open read search };
@@ -667,6 +700,7 @@
-appdomain
-idmap
-init
+ -installd
-system_server
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;
@@ -914,8 +948,17 @@
} shell_data_file:file open;
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ vndservicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
@@ -942,26 +985,6 @@
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-neverallow {
- domain
- -init
- -recovery
- -sdcardd
- -vold
-} fuse_device:chr_file open;
-neverallow {
- domain
- -dumpstate
- -init
- -priv_app
- -recovery
- -sdcardd
- -shell # Restricted by shell.te to only getattr
- -system_server
- -ueventd
- -vold
-} fuse_device:chr_file *;
-
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
@@ -984,3 +1007,12 @@
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index bfbb43b..503f359 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -26,6 +26,7 @@
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;
# Create and write into /data/anr/
@@ -68,6 +69,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_graphics_composer_server
hal_vr_server
mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;
@@ -93,10 +95,9 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
-# Vibrate the device after we are done collecting the bugreport
-# For binderized mode:
hal_client_domain(dumpstate, hal_dumpstate)
-binder_call(dumpstate, hal_vibrator)
+hal_client_domain(dumpstate, hal_graphics_allocator)
+# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
@@ -172,6 +173,7 @@
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
@@ -184,6 +186,9 @@
# Read device's serial number from system properties
get_prop(dumpstate, serialno_prop)
+# Read state of logging-related properties
+get_prop(dumpstate, device_logging_prop)
+
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
diff --git a/public/file.te b/public/file.te
index 35bbd6d..7cb7c36 100644
--- a/public/file.te
+++ b/public/file.te
@@ -69,6 +69,8 @@
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type tracing_shell_writable, fs_type, debugfs_type;
+type tracing_shell_writable_debug, fs_type, debugfs_type;
+
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
@@ -198,6 +200,7 @@
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b444593..646cebd 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,2 +1,6 @@
# HwBinder IPC from client to server
binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 3531944..5b1a4df 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,6 +2,9 @@
binder_call(hal_audio_client, hal_audio_server)
binder_call(hal_audio_server, hal_audio_client)
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
allow hal_audio ion_device:chr_file r_file_perms;
userdebug_or_eng(`
@@ -18,10 +21,6 @@
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(hal_audio, bluetooth, bluetooth)
-
###
### neverallow rules
###
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 46fd9d7..c04cd08 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -2,6 +2,9 @@
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
wakelock_use(hal_bluetooth);
# The HAL toggles rfkill to power the chip off/on.
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index b731fd6..8b240b1 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,3 +1,6 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_bootctl_client, hal_bootctl_server)
binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index a00bf9f..3c15e85 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,8 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
-add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
# access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms;
@@ -33,4 +34,4 @@
# Only camera HAL may directly access the camera and video hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
-neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;
+neverallow { halserverdomain -coredomain -hal_camera_server } video_device:chr_file *;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
new file mode 100644
index 0000000..4bf6cfd
--- /dev/null
+++ b/public/hal_configstore.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index d991e9d..f11bfc8 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_contexthub, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a773dd5..5a6bf5c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -2,6 +2,11 @@
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
# Required by Widevine DRM (b/22990512)
allow hal_drm self:process execmem;
@@ -27,6 +32,9 @@
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
# Allow access to app_data and media_data_files
allow hal_drm media_data_file:dir create_dir_perms;
allow hal_drm media_data_file:file create_file_perms;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 884b6fc..2853567 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,9 @@
binder_call(hal_dumpstate_client, hal_dumpstate_server)
binder_call(hal_dumpstate_server, hal_dumpstate_client)
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 580ef37..bef9f55 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -2,6 +2,9 @@
binder_call(hal_fingerprint_client, hal_fingerprint_server)
binder_call(hal_fingerprint_server, hal_fingerprint_client)
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
# allow HAL module to read dir contents
allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 618a2ee..123acf5 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,5 +1,8 @@
binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
# TEE access.
allow hal_gatekeeper tee_device:chr_file rw_file_perms;
allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 753791b..b59cd1d 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -1 +1,6 @@
-binder_call(hal_gnss, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e434751..5f2f098 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,6 +1,10 @@
# HwBinder IPC from client to server
binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 9ba0bdb..2d8483d 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,5 +1,9 @@
-# IComposerCallback
-binder_call(hal_graphics_composer, surfaceflinger)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
diff --git a/public/hal_health.te b/public/hal_health.te
index 341efdd..c19c5f1 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -1,5 +1,9 @@
-# call into healthd for callbacks
-binder_call(hal_health, healthd)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
# Read access to system files for HALs in
# /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index adfb5ae..b1bfdd8 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_ir, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index afcd0bd..dc5f6d0 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,8 @@
# HwBinder IPC from client to server
binder_call(hal_keymaster_client, hal_keymaster_server)
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
allow hal_keymaster tee_device:chr_file rw_file_perms;
allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 145b02e..5b93dd1 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_light, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
new file mode 100644
index 0000000..b2cc9cd
--- /dev/null
+++ b/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index d289ef7..a027c48 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -2,6 +2,9 @@
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
@@ -10,4 +13,4 @@
# Data file accesses.
allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/hal_power.te b/public/hal_power.te
new file mode 100644
index 0000000..fcba3d2
--- /dev/null
+++ b/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 567b0be..3cf3069 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,6 +1,9 @@
# HwBinder IPC from client to server
binder_call(hal_sensors_client, hal_sensors_server)
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
# Allow sensor hals to access ashmem memory allocated by apps
allow hal_sensors { appdomain -isolated_app }:fd use;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 704adc0..41cfd4b 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -1,3 +1,7 @@
-# Perform HwBinder IPC.
-binder_call(hal_telephony, radio)
-binder_call(hal_telephony, bluetooth)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index a59a978..b1764f1 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_thermal, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index aa85b92..7719cae 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -1,3 +1,6 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_tv_cec_client, hal_tv_cec_server)
binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5276ddf..31a0067 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -1,3 +1,6 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_tv_input_client, hal_tv_input_server)
binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 5c31c06..9cfd516 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_usb, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
allow hal_usb self:netlink_kobject_uevent_socket create;
allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 0d9d308..c8612d7 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,2 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 08102ad..3cb392d 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -1,2 +1,6 @@
-# call into system_server process
-binder_call(hal_vr, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e06d8f9..5e0b9bc 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -2,6 +2,9 @@
binder_call(hal_wifi_client, hal_wifi_server)
binder_call(hal_wifi_server, hal_wifi_client)
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
r_dir_file(hal_wifi, proc_net)
r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 49ce4fa..0f2540e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -2,6 +2,9 @@
binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/healthd.te b/public/healthd.te
index 8737dbe..c0a7bec 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -24,8 +24,6 @@
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)
-binder_call(healthd, hwservicemanager)
-binder_call(healthd, hal_health)
hal_client_domain(healthd, hal_health)
# Write to state file.
diff --git a/public/hwservice.te b/public/hwservice.te
index cf59629..2b1ffcf 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,2 +1,42 @@
-type default_android_hwservice, hwservice_manager_type;
-type hw_camera_provider_ICameraProvider, hwservice_manager_type;
+type default_android_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/init.te b/public/init.te
index e997e13..6d43ef4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -205,7 +205,13 @@
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
auditallow init {
dev_type
-alarm_device
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 06794ee..2115663 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,6 +10,7 @@
# Execute /system/bin/applypatch
allow install_recovery system_file:file rx_file_perms;
+not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
allow install_recovery toolbox_exec:file rx_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 774ba49..c5b45b4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -29,6 +29,8 @@
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
diff --git a/public/keystore.te b/public/keystore.te
index 378949a..2c31185 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -7,13 +7,6 @@
binder_service(keystore)
binder_call(keystore, system_server)
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-hwbinder_use(keystore)
-typeattribute keystore wifi_keystore_service_server;
-
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 3445c7a..5c1ccbf 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -34,6 +34,8 @@
crash_dump_fallback(mediacodec)
+add_hwservice(mediacodec, hal_omx_hwservice)
+
hal_client_domain(mediacodec, hal_allocator)
# allocate and use graphic buffers
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index eccefc6..cef8121 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -16,6 +16,7 @@
allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
add_service(mediadrmserver, mediacasserver_service)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 969c1a5..e1b460d 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,6 +23,11 @@
# allow mediaextractor read permissions for file sources
allow mediaextractor media_rw_data_file:file { getattr read };
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
###
### neverallow rules
###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 8c9ef31..6efaf0f 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -95,6 +95,9 @@
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
@@ -126,6 +129,7 @@
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;
diff --git a/public/netd.te b/public/netd.te
index 3a48cd3..1694aec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -27,6 +27,7 @@
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
# Acquire advisory lock on /system/etc/xtables.lock
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 499e2a9..f0df6a0 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -1,9 +1,12 @@
# perfprofd - perf profile collection daemon
+type perfprofd, domain;
type perfprofd_exec, exec_type, file_type;
userdebug_or_eng(`
- type perfprofd, domain, domain_deprecated, mlstrustedsubject, coredomain;
+ typeattribute perfprofd domain_deprecated;
+ typeattribute perfprofd coredomain;
+ typeattribute perfprofd mlstrustedsubject;
# perfprofd needs to control CPU hot-plug in order to avoid kernel
# perfevents problems in cases where CPU goes on/off during measurement;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index b66c927..0ce617b 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -7,6 +7,7 @@
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
allow postinstall_dexopt postinstall_file:lnk_file read;
allow postinstall_dexopt proc:file { getattr open read };
diff --git a/public/ppp.te b/public/ppp.te
index 7a5eada..918ef5e 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -17,6 +17,7 @@
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
allow ppp vpn_data_file:dir w_dir_perms;
allow ppp vpn_data_file:file create_file_perms;
allow ppp mtp:fd use;
diff --git a/public/racoon.te b/public/racoon.te
index d5d5a4e..00744d8 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -19,6 +19,7 @@
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
diff --git a/public/radio.te b/public/radio.te
index 8c3c6a5..f5604fd 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -37,5 +37,4 @@
# Perform HwBinder IPC.
hwbinder_use(radio)
-binder_call(radio, hal_telephony)
hal_client_domain(radio, hal_telephony)
diff --git a/public/recovery.te b/public/recovery.te
index 886f4fd..f0ac97d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -51,6 +51,9 @@
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index bba9c6e..3cf5a46 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,7 +9,12 @@
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+ domain
+ -init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
# Access to all (system and vendor) service_contexts
# TODO(b/36866029) access to nonplat_service_contexts
diff --git a/public/shell.te b/public/shell.te
index fd0f2ef..1fb896a 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -75,6 +75,9 @@
# Read device's serial number from system properties
get_prop(shell, serialno_prop)
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
diff --git a/public/su.te b/public/su.te
index 77fd071..8ddd162 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,3 +1,7 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;
@@ -5,7 +9,7 @@
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
- type su, domain, mlstrustedsubject;
+ typeattribute su mlstrustedsubject;
# Add su to various domains
net_domain(su)
@@ -38,10 +42,10 @@
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su vndservice_manager_type:vndservice_manager *;
+ dontaudit su vndservice_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su vndservicemanager:vndservice_manager list;
+ dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
diff --git a/public/te_macros b/public/te_macros
index beec546..661585a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -509,6 +509,7 @@
# others from adding it.
define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
')
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 544550a..c2800e3 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -5,8 +5,12 @@
binder_service(virtual_touchpad)
add_service(virtual_touchpad, virtual_touchpad_service)
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
# Requires access to /dev/uinput to create and feed the virtual device.
allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-# Limit access so that nothing else can inject input.
-neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/public/vndservice.te b/public/vndservice.te
new file mode 100644
index 0000000..0d309bf
--- /dev/null
+++ b/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 89e2c24..20181d1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,6 +31,7 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index b0d3ad9..c0abdcd 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -8,6 +8,9 @@
binder_service(vr_hwc)
binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+# TODO(dnicoara): Remove once vr_wm is disabled.
binder_call(vr_hwc, vr_wm)
add_service(vr_hwc, vr_hwc_service)
@@ -25,5 +28,6 @@
# (ie: size).
use_pdx(vr_hwc, surfaceflinger)
-# Limit access so only vr_wm can connect.
-neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index b288ea7..26ce144 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -173,9 +173,6 @@
}
}
- if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))
- fprintf(stderr, "Warning! Empty type set\n");
-
*ptr = p;
return 0;
err:
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 9c38819..0dc2170 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,4 +6,3 @@
hal_client_domain(hal_audio_default, hal_allocator)
-typeattribute hal_audio_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8f86a27..239e5c1 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,3 +3,5 @@
type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index 6a1002f..c13baa7 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -3,5 +3,3 @@
type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_nfc_default)
-
-typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 5ba4aab..8379c82 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -3,3 +3,5 @@
type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 62b03be..8d7069c 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -10,4 +10,5 @@
# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 0000000..4cca2fb
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1 @@
+* u:object_r:default_android_vndservice:s0