Grant kernel access to new "virtual_disk" file. am: 3f724c95a8 am: 9222988479
am: a4960ef90f
Change-Id: Ia6fbb2aae4d5c66e868e43b279748a7a96ae3bf7
diff --git a/private/file_contexts b/private/file_contexts
index bd111b8..1db5210 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -198,7 +198,6 @@
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
-/system/bin/mediacodec u:object_r:mediacodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -222,7 +221,6 @@
/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/hostapd u:object_r:hostapd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
@@ -249,6 +247,7 @@
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
#############################
@@ -331,7 +330,6 @@
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
diff --git a/private/hostapd.te b/private/hostapd.te
deleted file mode 100644
index d895f29..0000000
--- a/private/hostapd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-init_daemon_domain(hostapd)
diff --git a/private/mediacodec.te b/private/mediacodec.te
deleted file mode 100644
index ff290bc..0000000
--- a/private/mediacodec.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediacodec coredomain;
-
-init_daemon_domain(mediacodec)
diff --git a/private/service_contexts b/private/service_contexts
index 5fd87dc..db2e9f6 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -156,6 +156,7 @@
vibrator u:object_r:vibrator_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
+vr_window_manager u:object_r:vr_window_manager_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 12ba609..1e2245f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -57,7 +57,7 @@
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
allow system_app keystore:keystore_key {
get_state
diff --git a/private/system_server.te b/private/system_server.te
index 8f85a48..3594266 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -58,16 +58,13 @@
net_raw
sys_boot
sys_nice
- sys_resource
+ sys_ptrace
sys_time
sys_tty_config
};
wakelock_use(system_server)
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
# Trigger module auto-load.
allow system_server kernel:system module_request;
@@ -701,3 +698,11 @@
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
diff --git a/private/vr_wm.te b/private/vr_wm.te
new file mode 100644
index 0000000..38564f2
--- /dev/null
+++ b/private/vr_wm.te
@@ -0,0 +1,5 @@
+# vr_wm - VR Window Manager
+typeattribute vr_wm coredomain;
+
+# The vr_wm is started by init.
+init_daemon_domain(vr_wm)
diff --git a/public/bootanim.te b/public/bootanim.te
index 9922451..e2584c3 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -22,7 +22,6 @@
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim audioserver_service:service_manager find;
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index a13f396..fbc4f4a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -249,8 +249,6 @@
type vold_socket, file_type;
type webview_zygote_socket, file_type;
type wpa_socket, file_type;
-# hostapd control interface.
-type hostapd_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 469c8ba..ecbe280 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -13,6 +13,8 @@
binder_call(mediacodec, appdomain)
binder_service(mediacodec)
+# TODO(b/36604251): Remove this once OMX HAL stops using Binder
+typeattribute mediacodec binder_in_vendor_violators;
add_service(mediacodec, mediacodec_service)
allow mediacodec mediametrics_service:service_manager find;
allow mediacodec surfaceflinger_service:service_manager find;
diff --git a/public/performanced.te b/public/performanced.te
index 8f9d16b..95038cd 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,9 +10,9 @@
# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
+r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger vr_wm })
dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
+allow performanced { appdomain bufferhubd kernel sensord surfaceflinger vr_wm }:process setsched;
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
diff --git a/public/service.te b/public/service.te
index 478b00e..444f82a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,7 @@
type system_app_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
+type vr_window_manager_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 92d5c27..544550a 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -9,4 +9,4 @@
allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
# Limit access so that nothing else can inject input.
-neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find;
+neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
diff --git a/public/vr_wm.te b/public/vr_wm.te
new file mode 100644
index 0000000..deedb0a
--- /dev/null
+++ b/public/vr_wm.te
@@ -0,0 +1,31 @@
+type vr_wm, domain;
+type vr_wm_exec, exec_type, file_type;
+
+hal_client_domain(vr_wm, hal_graphics_allocator)
+
+binder_use(vr_wm)
+binder_call(vr_wm, surfaceflinger)
+binder_call(vr_wm, virtual_touchpad)
+
+allow vr_wm virtual_touchpad_service:service_manager find;
+
+binder_service(vr_wm)
+add_service(vr_wm, vr_window_manager_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_wm)
+
+# Load vendor libraries.
+allow vr_wm system_file:dir r_dir_perms;
+
+allow vr_wm gpu_device:chr_file rw_file_perms;
+allow vr_wm ion_device:chr_file r_file_perms;
+
+# Get buffer metadata.
+allow vr_wm hal_graphics_allocator:fd use;
+
+use_pdx(vr_wm, bufferhubd)
+use_pdx(vr_wm, sensord)
+use_pdx(vr_wm, surfaceflinger)
+use_pdx(vr_wm, performanced)
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..aeafb4a
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,2 @@
+# Socket types
+type hostapd_socket, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a781341..763a945 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,6 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
@@ -29,4 +30,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
+#############################
+# Data files
+#
+/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
diff --git a/vendor/hal_omx.te b/vendor/hal_omx.te
new file mode 100644
index 0000000..fdb4aca
--- /dev/null
+++ b/vendor/hal_omx.te
@@ -0,0 +1 @@
+init_daemon_domain(mediacodec)
diff --git a/public/hostapd.te b/vendor/hostapd.te
similarity index 97%
rename from public/hostapd.te
rename to vendor/hostapd.te
index b40bdc8..02bafaa 100644
--- a/public/hostapd.te
+++ b/vendor/hostapd.te
@@ -2,6 +2,7 @@
type hostapd, domain;
type hostapd_exec, exec_type, file_type;
+init_daemon_domain(hostapd)
net_domain(hostapd)
allow hostapd self:capability { net_admin net_raw };