same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program).
Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
diff --git a/public/app.te b/public/app.te
index 800e891..7f0d554 100644
--- a/public/app.te
+++ b/public/app.te
@@ -308,6 +308,7 @@
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
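Review bot: The new rule grants same_process_hal_file execute/read to all of appdomain, including isolated_app, while the RenderScript find rule on the line above deliberately excludes it with `{ appdomain -isolated_app }`. If this access exists for the RenderScript passthrough HAL named in the comment above, the two rules should cover the same domain set: `allow { appdomain -isolated_app } same_process_hal_file:file { execute read open getattr map };`. If isolated_app genuinely needs it (nothing on this page shows that), a comment saying so would stop the next reader from raising the same question. Either way the rule should carry a one-line comment naming its consumer, e.g. `# SP-HALs (e.g. RenderScript passthrough) are loaded into app processes`, since the other per-domain rules in this change have none.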
diff --git a/public/domain.te b/public/domain.te
index 3e7a0dc..dcd12b1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -188,22 +188,10 @@
# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
-# TODO(b/37211678): whitelist domains that actually need same process HALs.
-allow domain same_process_hal_file:file { execute read open getattr map };
-# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
-# same_process_hal_file label, which is what we are interested in.
-userdebug_or_eng(`
- auditallow {
- coredomain
- -zygote
- -hal_allocator_client
- # Graphics mapper clients.
- -hal_graphics_allocator_client
- # Renderscript clients include { system_server appdomain -isolated_app }.
- -appdomain
- -system_server
- } same_process_hal_file:file *;
-')
+allow {
+ domain
+ -coredomain # access is explicitly granted to individual coredomains
+} same_process_hal_file:file { execute read open getattr map };
# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
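Review bot: The comment kept at the top of the hunk, `# Everyone can read and execute all same process HALs`, is now stale: after this change only the `:dir` rule applies to every domain, and file execute/read is limited to non-coredomains plus the coredomains granted individually. Suggest `# Everyone can list same process HAL directories; file access is granted per domain below (coredomains individually in their own .te files)`. The removed auditallow also listed zygote and system_server as known SP-HAL users, yet no zygote.te or system_server.te hunk appears in this diff; if both are coredomains and this chunk is the whole change, the `-coredomain` exclusion removes their access, so that is worth confirming before merge. Since the blanket allow is gone, any remaining coredomain use will now surface as a denial rather than an audit, which appears to be the intent.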
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b7e3ca5..6417b62 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -3,3 +3,4 @@
hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
+allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
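Review bot: The new rule has no comment explaining why hal_allocator_client needs to execute same_process_hal_file, and the same applies to the hal_graphics_allocator_client rule added in public/hal_graphics_allocator.te. The removed auditallow in domain.te carried `# Graphics mapper clients.` as the rationale for the latter; that comment should move with the rule, e.g. `# Graphics mapper clients load the same-process mapper HAL.` above the hal_graphics_allocator.te line, and an equivalent one here naming which SP-HAL the hidl allocator clients load (the page does not say). Note also that both attributes may contain vendor domains already covered by the `{ domain -coredomain }` rule, which is harmless but worth stating so nobody later "deduplicates" the wrong rule.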
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 41a3249..991e147 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -3,6 +3,7 @@
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index a0fcf37..47dfbf2 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -76,6 +76,8 @@
r_dir_file(perfprofd, vendor_file)
# Vendor apps.
r_dir_file(perfprofd, vendor_app_file)
+ # SP HAL files.
+ r_dir_file(perfprofd, same_process_hal_file)
# simpleperf will set security.perf_harden to enable access to perf_event_open()
set_prop(perfprofd, shell_prop)
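Review bot: The two added lines appear to be indented by one space (`+ # SP HAL files.` and `+ r_dir_file(perfprofd, same_process_hal_file)`) while the neighbouring `r_dir_file(perfprofd, vendor_app_file)` and its comment sit at column 0; if that is not a rendering artifact of this page, the leading space should be dropped to match the file. The rule itself is consistent with the vendor_file and vendor_app_file reads directly above it, and read-only via r_dir_file is the right scope for a profiler that never executes these libraries.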