Merge "dumpstate: allow HALs to read /proc/interrupts"
diff --git a/private/app.te b/private/app.te
index 1b1f4ca..ed2d8b6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,11 +87,12 @@
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
 
 # Renderscript needs the ability to read directories on /system
-r_dir_file(appdomain, system_file)
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
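Review bot: The two rules replacing `r_dir_file(appdomain, system_file)` under the `# Renderscript` comment grant apps `dir` and `lnk_file` access only, so this hunk no longer grants any `system_file:file` read to apps, and the comment does not say where that read now comes from or why `lock` (included by the old macro) is no longer granted on symlinks. Presumably file read is granted domain-wide in domain.te and `lock` is withheld so that the new `neverallow all_untrusted_apps system_file:file lock` in app_neverallows.te holds, but app.te alone does not say so. Suggest expanding the comment to `# Renderscript needs to read directories and symlinks on /system; file read comes from the domain-wide system_file rules. lock is intentionally not granted, see app_neverallows.te.` after confirming the first claim against domain.te.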
@@ -133,7 +134,7 @@
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
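Review bot: Dropping ephemeral_app from the `r_dir_file(... proc_net)` line also drops `search` on proc_net directories, yet the `qtaguid_proc:file rw_file_perms` and `qtaguid_device` rules right beside it still include ephemeral_app. If /proc/net itself carries the proc_net label (the comment above labels /proc/net/xt_qtaguid/stats that way), ephemeral apps can no longer traverse to /proc/net/xt_qtaguid/ctrl and the write grant is dead, which should either be stated or the ctrl rule narrowed to `{ appdomain -ephemeral_app }` as well. The exclusion itself also deserves a line next to the rule, e.g. `# ephemeral_app is excluded: /proc/net exposes device-wide connection state (asserted in ephemeral_app.te)`.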
@@ -246,6 +247,9 @@
 # Allow app to access the graphic allocator HAL
 binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
 
+# App can access configstore HAL which is read only
+binder_call({ appdomain -isolated_app }, hal_configstore)
+
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 15ab764..5e47b68 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,3 +100,7 @@
 
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
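Review bot: The new neverallow asserts only the `file` class, while the denial-of-service rationale in its comment applies equally to `flock()` on a directory fd, which SELinux checks as `dir { lock }`. The app.te rewrite in this change grants `r_dir_perms` on system_file directories, which does not include `lock`, so `neverallow all_untrusted_apps system_file:{ file dir } lock;` should pass as-is and would keep a later directory grant from silently reintroducing the problem. Whether any privileged component actually locks /system directories I cannot tell from here; the wider assertion costs nothing either way.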
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827..2b0515a 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -52,3 +52,7 @@
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
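Review bot: The comment says `Avoid reads`, but the assertion uses `no_rw_file_perms`, which forbids writes as well and, by its usual definition, still leaves `getattr` (and execute) unconstrained, so the text both undersells what is asserted and oversells what is denied. Suggest `# Deny read and write access to proc_net files: they expose device-wide information about ongoing connections. getattr is not covered.` The `dir` class is left out, so a future `proc_net:dir` grant to ephemeral_app would not trip this rule; if directory listing is considered harmless that is worth one more word in the same comment.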
diff --git a/private/file_contexts b/private/file_contexts
index 1e7345a..94a2a53 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -247,7 +247,7 @@
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/hal_allocator.te b/private/hal_allocator.te
deleted file mode 100644
index d185d49..0000000
--- a/private/hal_allocator.te
+++ /dev/null
@@ -1 +0,0 @@
-init_daemon_domain(hal_allocator)
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
new file mode 100644
index 0000000..ff407d5
--- /dev/null
+++ b/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
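Review bot: The new file has no header comment, unlike vendor/hal_bootctl_default.te in this same change (`# Boot control subsystem`), and nothing in private/ says which binary it is for. Suggest opening with `# Default implementation of android.hidl.allocator@1.0 (/system/bin/hw/android.hidl.allocator@1.0-service, labeled in file_contexts).`, that being the only path this change labels hal_allocator_default_exec.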
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 0aff9f5..3808c83 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -9,7 +9,6 @@
 
 # Perform HwBinder IPC.
 hwbinder_use(surfaceflinger)
-binder_call(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
diff --git a/private/system_server.te b/private/system_server.te
index 58a25e2..7361307 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,10 +14,6 @@
 
 allow system_server zygote_tmpfs:file read;
 
-# Create a socket for receiving info from wpa.
-type_transition system_server wifi_data_file:sock_file system_wpa_socket;
-type_transition system_server wpa_socket:sock_file system_wpa_socket;
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -151,8 +147,6 @@
 unix_socket_connect(system_server, webview_zygote, webview_zygote)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
-# TODO(b/35707797): Remove this socket access.
-unix_socket_send(system_server, wpa, hal_wifi_supplicant_server)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Communicate over a socket created by surfaceflinger.
@@ -174,7 +168,6 @@
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
 hwallocator_use(system_server)
-binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
@@ -424,13 +417,6 @@
 # Read/write the property which keeps track of whether this is the first start of system_server
 set_prop(system_server, firstboot_prop)
 
-# Create a socket for receiving info from wpa.
-allow system_server wpa_socket:dir rw_dir_perms;
-allow system_server system_wpa_socket:sock_file create_file_perms;
-
-# Remove sockets created by wpa_supplicant
-allow system_server wpa_socket:sock_file unlink;
-
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
diff --git a/public/attributes b/public/attributes
index a0c1f93..b9360a6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -110,11 +110,6 @@
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
-# All domains that access the boot_control HAL. The permissions the HAL
-# requires are specific to the implementation provided in each device, but
-# common daemons need to be aware of those when calling into the HAL.
-attribute boot_control_hal;
-
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.
@@ -126,12 +121,18 @@
 attribute halclientdomain;
 
 # HALs
+attribute hal_allocator;
+attribute hal_allocator_client;
+attribute hal_allocator_server;
 attribute hal_audio;
 attribute hal_audio_client;
 attribute hal_audio_server;
 attribute hal_bluetooth;
 attribute hal_bluetooth_client;
 attribute hal_bluetooth_server;
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+attribute hal_bootctl_server;
 attribute hal_camera;
 attribute hal_camera_client;
 attribute hal_camera_server;
diff --git a/public/boot_control_hal.te b/public/boot_control_hal.te
deleted file mode 100644
index 2a670b3..0000000
--- a/public/boot_control_hal.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow read/write bootctrl block device, if one is defined.
-allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f2364a7..d1b55cf 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,6 +8,7 @@
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
+hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
diff --git a/public/device.te b/public/device.te
index 633515f..c9c64dc 100644
--- a/public/device.te
+++ b/public/device.te
@@ -99,6 +99,3 @@
 
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
-
-# Bootctrl block device used by A/B update (update_engine, update_verifier).
-type bootctrl_block_device, dev_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index abecbda..ff36956 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -15,7 +15,6 @@
 
 ### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
 ### These rules should eventually be granted only when needed.
-hwbinder_use(gatekeeperd)
 hal_client_domain(gatekeeperd, hal_gatekeeper)
 ###
 
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
deleted file mode 100644
index cab0145..0000000
--- a/public/hal_allocator.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# allocator subsystem
-type hal_allocator, domain;
-hal_impl_domain(hal_allocator)
-
-type hal_allocator_exec, exec_type, file_type;
diff --git a/public/hal_boot.te b/public/hal_boot.te
deleted file mode 100644
index 870f1e4..0000000
--- a/public/hal_boot.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# boot_control subsystem
-type hal_boot, domain, boot_control_hal;
-
-# call into system_server process (callbacks)
-binder_call(hal_boot, system_server)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
new file mode 100644
index 0000000..b731fd6
--- /dev/null
+++ b/public/hal_bootctl.te
@@ -0,0 +1,3 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
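Review bot: The second rule, `binder_call(hal_bootctl_server, hal_bootctl_client)`, lets the vendor boot-control server call into (and use fds from) every bootctl client, which after this change means update_engine, update_verifier and, through passthrough_hal_client_domain, recovery. The gatekeeper hunk in this same change deletes exactly such a speculative callback rule because the HIDL interface declares none; if IBootControl@1.0 likewise has no callback interface, drop the server-to-client line and change the comment to `# HwBinder IPC from client to server (the interface has no callbacks)`. If a callback does exist, the comment should name it so the reverse grant is not removed in a later cleanup.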
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 6ed06b7..b05239b 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -16,7 +16,7 @@
 # Allow hal_camera to use fd from app,gralloc,and ashmem HAL
 allow hal_camera { appdomain -isolated_app }:fd use;
 allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator:fd use;
+allow hal_camera hal_allocator_server:fd use;
 
 ###
 ### neverallow rules
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index c428eba..618a2ee 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,4 @@
-# call into gatekeeperd process (callbacks)
-# TODO: This rules is unlikely to be needed because Gatekeeper HIDL
-# says there are no callbacks
-binder_call(hal_gatekeeper, gatekeeperd)
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 45999be..e434751 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,3 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 61b15ca..130a8f6 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -17,3 +17,36 @@
   -hal_wifi_supplicant_server
   -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+#    the platform.
+# 3) The platform cannot reason about defense in depth if there are
+#    monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+  halserverdomain
+  -hal_dumpstate_server
+  -rild
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
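Review bot: The `# TODO remove exemptions.` above the execute_no_trans neverallow cites no bug, unlike the other TODOs this change touches (`TODO(b/35707797)`), so the hal_dumpstate_server and rild carve-outs have no owner; suggest `# TODO(b/<tracking bug>): remove the hal_dumpstate_server and rild exemptions.` The block comment also reads `in conjuntion with CTS tests` and `its OK ... its not OK`, where `conjunction` and `it's` are meant. On wording, the header promises protection against HALs sharing a process, but the three neverallows only constrain how a HAL domain is entered and what it may exec, so the comment could state plainly that the one-HAL-per-domain property itself is left to the CTS check.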
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 8d2c0ea..ed10f8d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -18,12 +18,6 @@
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
 allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
 allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-# TODO(b/35707797): Remove this socket access.
-unix_socket_send(hal_wifi_supplicant, system_wpa, system_server)
-
-# HIDL interface exposed by WPA.
-hwbinder_use(hal_wifi_supplicant)
-binder_call(hal_wifi_supplicant, system_server)
 
 # Create a socket for receiving info from wpa
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 20a7229..77074f4 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,6 +2,9 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
+# serving android.hidl.manager@1.0 and android.hidl.token@1.0
+typeattribute hwservicemanager halserverdomain;
+
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)
 # for hwbinder.
diff --git a/public/recovery.te b/public/recovery.te
index 11c01ed..1ec19c5 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -8,7 +8,9 @@
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
   # Allow recovery to perform an update as update_engine would do.
-  typeattribute recovery update_engine_common, boot_control_hal;
+  typeattribute recovery update_engine_common;
+  # Recovery can only use HALs in passthrough mode
+  passthrough_hal_client_domain(recovery, hal_bootctl)
 
   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 
diff --git a/public/te_macros b/public/te_macros
index bc5da60..0e1bffb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -148,26 +148,6 @@
 typeattribute $1 bluetoothdomain;
 ')
 
-# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
-#####################################
-# hal_impl_domain(domain[, hal_type_attr])
-# Allow a base set of permissions required for a domain to host a
-# HAL implementation.
-#
-# Optionally, the type of the HAL can be specified as the second
-# argument. This is useful for HALs which may have multiple
-# implementations. Attributes are used to group the various
-# implementations of such HALs.
-#
-# For example, default implementation of Foo HAL:
-#   type hal_foo_default, domain;
-#   hal_impl_domain(hal_foo_default, hal_foo)
-#
-define(`hal_impl_domain', `
-typeattribute $1 halserverdomain;
-ifelse($2, `', `', `typeattribute $1 $2;')
-')
-
 #####################################
 # hal_server_domain(domain, hal_type)
 # Allow a base set of permissions required for a domain to offer a
@@ -204,6 +184,22 @@
 ')
 
 #####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+#   passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+')
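Review bot: The macro's only allow rule is written against the HAL attribute, `allow $2 system_file:dir r_dir_perms;`, rather than the domain `$1`, and the comment `# Find passthrough HAL implementations` does not explain that choice, so a reader may take it for a typo. If it is deliberate (every domain tagged `$2`, including the binderized server, gets the grant once rather than per caller), say so: `# Granted to the HAL attribute rather than $1 so that every domain hosting this HAL in-process inherits it.` The macro grants directory search only; whatever lets the client open and map the implementation library must come from rules outside this diff, which is worth a pointer in the same comment.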
+
+#####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
 # socket to serverdomain.
@@ -322,7 +318,7 @@
 # Allow a domain to use Hidl shared memory
 define(`hwallocator_use', `
 # Call into the allocator hal
-binder_call($1, hal_allocator);
+binder_call($1, hal_allocator_server);
 ')
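Review bot: `binder_call($1, hal_allocator_server)` reaches the server directly without making `$1` a client of the HAL, so the `hal_allocator_client` attribute this change declares in public/attributes is attached to nothing, and the client/server reasoning the new hal_neverallows comment relies on cannot see allocator callers. Since hwallocator_use is the only path to the allocator left by this diff, consider `hal_client_domain($1, hal_allocator)` here plus a public/hal_allocator.te carrying `binder_call(hal_allocator_client, hal_allocator_server)`, matching what hal_graphics_allocator.te and hal_bootctl.te receive in the same change. If the direct form is intentional (for instance to avoid tagging every hwallocator user as halclientdomain), a comment saying so would keep the next cleanup from re-asking.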
 
 #####################################
diff --git a/public/update_engine.te b/public/update_engine.te
index 31ba14f..33eb2a8 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,6 +1,5 @@
 # Domain for update_engine daemon.
-# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
+type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
@@ -39,6 +38,5 @@
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
 
-# Use binderized HAL
-hwbinder_use(update_engine)
-binder_call(update_engine, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8482159..8c8e9a9 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,11 +1,7 @@
 # update_verifier
-# update_verifier uses the boot_control_hal.
-type update_verifier, domain, boot_control_hal;
+type update_verifier, domain;
 type update_verifier_exec, exec_type, file_type;
 
-# find the boot_control_hal
-allow update_verifier system_file:dir r_dir_perms;
-
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
 
@@ -16,6 +12,5 @@
 # Read all blocks in dm wrapped system partition.
 allow update_verifier dm_device:blk_file r_file_perms;
 
-# Use binderized HAL
-hwbinder_use(update_verifier)
-binder_call(update_verifier, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 98317e3..4e74f00 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,7 +4,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
diff --git a/vendor/hal_boot.te b/vendor/hal_boot.te
deleted file mode 100644
index 666eacd..0000000
--- a/vendor/hal_boot.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# boot_control subsystem
-
-hal_impl_domain(hal_boot)
-
-type hal_boot_exec, exec_type, file_type;
-init_daemon_domain(hal_boot)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..9986fb5
--- /dev/null
+++ b/vendor/hal_bootctl_default.te
@@ -0,0 +1,6 @@
+# Boot control subsystem
+type hal_bootctl_default, domain;
+hal_server_domain(hal_bootctl_default, hal_bootctl)
+
+type hal_bootctl_default_exec, exec_type, file_type;
+init_daemon_domain(hal_bootctl_default)
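Review bot: The default boot-control domain receives no block device access: the rule `allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms` and the `bootctrl_block_device` type are deleted elsewhere in this change and nothing replaces them, so the service will be denied as soon as it opens the device it previously reached through that type. If the intent is that device-specific policy now labels the device and grants it, say so here: `# Access to the bootctrl block device is device-specific and must be granted to hal_bootctl (not this type) by device policy.` If not, a replacement type and grant belong in this file.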