Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 93f99cb1d940b83b076d7a1a4619c811f8029716^2..93f99cb1d940b83b076d7a1a4619c811f8029716 / .
commit93f99cb1d940b83b076d7a1a4619c811f8029716[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Fri Mar 24 05:20:11 2017 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Fri Mar 24 05:20:12 2017 +0000
treea8473bc4837d543c8a9f9e9449e5f9826cd031b9
parent45afc7a68af50f16887d6536fde476864ea681e7 [diff]
parente539570694170353ecede5843015b0565f903e6f [diff]
Merge "Remove unnecessary rules from NFC HAL clients"
diff --git a/private/app.te b/private/app.te
index ed2d8b6..c5943dd 100644
--- a/private/app.te
+++ b/private/app.te

@@ -244,6 +244,9 @@
 # TODO is write really necessary ?
 auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
 # Allow app to access the graphic allocator HAL
 binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
 

diff --git a/private/file_contexts b/private/file_contexts
index 94a2a53..d5cf3f7 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -155,6 +155,7 @@
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
+/dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0

diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index aa224ec..d4bdef9 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te

@@ -5,3 +5,6 @@
 # Find out whether a HAL in passthrough/in-process mode or
 # binderized/out-of-process mode
 hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)

diff --git a/private/halserverdomain.te b/private/halserverdomain.te
index 7be8360..f36e0e7 100644
--- a/private/halserverdomain.te
+++ b/private/halserverdomain.te

@@ -7,3 +7,6 @@
 
 # Find HAL implementations
 allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)

diff --git a/public/bootanim.te b/public/bootanim.te
index 9c5702d..9922451 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te

@@ -2,6 +2,9 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)

diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 2314433..7d5be49 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te

@@ -2,6 +2,8 @@
 type bufferhubd, domain, mlstrustedsubject;
 type bufferhubd_exec, exec_type, file_type;
 
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
 pdx_server(bufferhubd)
 use_pdx(bufferhubd, performanced)
 

diff --git a/public/device.te b/public/device.te
index c9c64dc..53414e2 100644
--- a/public/device.te
+++ b/public/device.te

@@ -7,6 +7,7 @@
 type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
 type block_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;

diff --git a/public/domain.te b/public/domain.te
index 9631c9c..5f7da0b 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -66,8 +66,8 @@
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
@@ -410,11 +410,15 @@
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
-# Only servicemanager/hwservicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 8e645b9..9b54329 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -52,18 +52,24 @@
 allow dumpstate { appdomain system_server }:process signal;
 
 # Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in dumpstate/utils.c
 allow dumpstate {
+  # This list comes from native_processes_to_dump in dumpstate/utils.c
   audioserver
   cameraserver
   drmserver
   inputflinger
-  mediacodec
   mediadrmserver
   mediaextractor
   mediaserver
   sdcardd
   surfaceflinger
+
+  # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
+  hal_audio_server
+  hal_bluetooth_server
+  hal_camera_server
+  hal_vr_server
+  mediacodec # TODO(b/36375899): hal_omx_server
 }:process signal;
 
 # Connect to tombstoned to intercept dumps.

diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6ab90eb..f0e7e9a 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te

@@ -4,6 +4,10 @@
 
 typeattribute mediacodec mlstrustedsubject;
 
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
 binder_use(mediacodec)
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)

diff --git a/public/mediaserver.te b/public/mediaserver.te
index a641bf7..46140b3 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te

@@ -4,6 +4,9 @@
 
 typeattribute mediaserver mlstrustedsubject;
 
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
 net_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)

diff --git a/public/sensord.te b/public/sensord.te
index bffe3cd..3211f81 100644
--- a/public/sensord.te
+++ b/public/sensord.te

@@ -2,6 +2,9 @@
 type sensord, domain, mlstrustedsubject;
 type sensord_exec, exec_type, file_type;
 
+hal_client_domain(sensord, hal_graphics_allocator)
+allow sensord hal_graphics_allocator:fd use;
+
 pdx_server(sensord)
 use_pdx(sensord, bufferhubd)
 use_pdx(sensord, performanced)

diff --git a/public/te_macros b/public/te_macros
index d31bb1d..aeb2916 100644
--- a/public/te_macros
+++ b/public/te_macros

@@ -294,6 +294,20 @@
 ')
 
 #####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
 define(`binder_call', `

diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
new file mode 100644
index 0000000..6b9f73d
--- /dev/null
+++ b/public/vndservicemanager.te

@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;

diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4e74f00..a781341 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -28,4 +28,5 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant           u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0

diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 0000000..9357042
--- /dev/null
+++ b/vendor/vndservicemanager.te

@@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)