Allow coredomain access to only approved categories of vendor heaps One of the advantages of the DMA-BUF heaps framework over ION is that each heap is a separate char device and hence it is possible to create separate sepolicy permissions to restrict access to each heap. In the case of ION, allocation in every heap had to be done through /dev/ion which meant that there was no away to restrict allocations in a specific heap. This patch intends to restrict coredomain access to only approved categories of vendor heaps. Currently, the only identified category as per partner feedback is the system-secure heap which is defined as a heap that allocates from protected memory. Test: Build, video playback works on CF with ION disabled and without sepolicy denials Bug: 175697666 Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b

commit: 8c9cf62edb9c1a2b839a7e201526fddd526f7af2 [log] [tgz]
author: Hridya Valsaraju <hridya@google.com> Mon Dec 14 22:57:49 2020 -0800
committer: Hridya Valsaraju <hridya@google.com> Wed Dec 16 10:08:54 2020 -0800
tree: 7bf1c9f6d91dcef92a0208813723b56447c1c659
parent: 14a15d900bc505fa3bda02727794d125670ab231 [diff]
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index d1d5f0f..4cc8e7d 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil

@@ -16,7 +16,9 @@
     device_config_profcollect_native_boot_prop
     device_state_service
     dm_user_device
+    dmabuf_heap_device
     dmabuf_system_heap_device
+    dmabuf_system_secure_heap_device
     framework_watchdog_config_prop
     gki_apex_prepostinstall
     gki_apex_prepostinstall_exec

diff --git a/private/coredomain.te b/private/coredomain.te
index fe3e1ae..bac494f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te

@@ -211,6 +211,17 @@
     coredomain
     -init
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+  # dmabuf heaps
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+  }{
+    dmabuf_heap_device_type
+    -dmabuf_system_heap_device
+    -dmabuf_system_secure_heap_device
+  }:chr_file no_rw_file_perms;
 ')
 
 # Following /dev nodes must not be directly accessed by coredomain, but should

diff --git a/private/file_contexts b/private/file_contexts
index 79b16b1..8c9d331 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -93,8 +93,10 @@
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
+/dev/dma_heap(/.*)?     u:object_r:dmabuf_heap_device:s0
 /dev/dma_heap/system    u:object_r:dmabuf_system_heap_device:s0
 /dev/dma_heap/system-uncached    u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure	 u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dm-user(/.*)?	u:object_r:dm_user_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0

diff --git a/public/attributes b/public/attributes
index 5b0d019..c881466 100644
--- a/public/attributes
+++ b/public/attributes

@@ -381,3 +381,6 @@
 
 # All types used for super partition block devices.
 attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;

diff --git a/public/device.te b/public/device.te
index 1acbc36..d98806a 100644
--- a/public/device.te
+++ b/public/device.te

@@ -45,7 +45,9 @@
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
 type ion_device, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
 type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
 type uhid_device, dev_type;

diff --git a/public/domain.te b/public/domain.te
index ec4b379..cc16e97 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -66,6 +66,7 @@
 allow domain device:dir search;
 allow domain dev_type:lnk_file r_file_perms;
 allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir search;
 allow domain socket_device:dir r_dir_perms;
 allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;

diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 5597f14..edd1708 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py

@@ -82,6 +82,10 @@
     ]
     return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
                                             exceptions)
+def TestDmaHeapDevTypeViolations(pol):
+    return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
+                                       "dmabuf_heap_device_type")
+
 
 
 ###
@@ -111,6 +115,7 @@
     "TestCoreDataTypeViolations",
     "TestPropertyTypeViolations",
     "TestAppDataTypeViolations",
+    "TestDmaHeapDevTypeViolations",
 ]
 
 if __name__ == '__main__':
@@ -168,6 +173,8 @@
         results += TestPropertyTypeViolations(pol)
     if options.test is None or "TestAppDataTypeViolations" in options.test:
         results += TestAppDataTypeViolations(pol)
+    if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
+        results += TestDmaHeapDevTypeViolations(pol)
 
     if len(results) > 0:
         sys.exit(results)
commit	8c9cf62edb9c1a2b839a7e201526fddd526f7af2	[log] [tgz]
author	Hridya Valsaraju <hridya@google.com>	Mon Dec 14 22:57:49 2020 -0800
committer	Hridya Valsaraju <hridya@google.com>	Wed Dec 16 10:08:54 2020 -0800
tree	7bf1c9f6d91dcef92a0208813723b56447c1c659
parent	14a15d900bc505fa3bda02727794d125670ab231 [diff]