Merge "sepolicy: allow AAudio apps to use FDs from the audio HAL" into oc-dev
diff --git a/Android.mk b/Android.mk
index dd37341..b7db00b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,7 +10,7 @@
# is made which breaks compatibility with the previous platform sepolicy version,
# not just on every increase in PLATFORM_SDK_VERSION. The minor version should
# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
-sepolicy_major_vers := 25
+sepolicy_major_vers := 26
sepolicy_minor_vers := 0
ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
diff --git a/private/app.te b/private/app.te
index f1bf1fc..d6d407a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -84,6 +84,9 @@
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0f0f577..0917724 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -21,6 +21,10 @@
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow all_untrusted_apps property_socket:sock_file write;
@@ -87,6 +91,9 @@
')
}:dir_file_class_set { create unlink };
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
# Do not allow untrusted apps to directly open tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
diff --git a/private/audioserver.te b/private/audioserver.te
index bf883d1..9119daa 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -42,6 +42,9 @@
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
###
### neverallow rules
###
diff --git a/private/bluetooth.te b/private/bluetooth.te
index da05cc2..1c0e14f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -57,6 +57,9 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
hal_client_domain(bluetooth, hal_bluetooth)
hal_client_domain(bluetooth, hal_telephony)
@@ -69,6 +72,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/private/file_contexts b/private/file_contexts
index 81b0aae..2879265 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -364,6 +364,7 @@
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9134a27..ecac57e 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -22,6 +22,7 @@
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..fd4634a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@
allow platform_app preloads_media_file:dir r_dir_perms;
read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/service_contexts b/private/service_contexts
index 8ba1b0c..d8d846f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -22,7 +22,7 @@
commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
-companion_device u:object_r:companion_device_service:s0
+companiondevice u:object_r:companion_device_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3e91d21..8e5892b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -52,6 +52,9 @@
allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101..7950044 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@
control_logd(system_app)
read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/private/system_server.te b/private/system_server.te
index afca1f6..7e644a5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -30,6 +30,10 @@
# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;
+# Read and delete last_reboot_reason file
+allow system_server reboot_data_file:file { rename r_file_perms unlink };
+allow system_server reboot_data_file:dir { write search open remove_name };
+
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
@@ -98,6 +102,7 @@
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
@@ -346,6 +351,10 @@
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 73aa79e..fc80129 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,7 +2,8 @@
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
-### ephemeral apps.
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
@@ -17,6 +18,8 @@
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
# Legacy text relocations
allow untrusted_app_all apk_data_file:file execmod;
@@ -93,3 +96,11 @@
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
allow untrusted_app_all preloads_media_file:file r_file_perms;
allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 4551e58..cc8111f 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -43,6 +43,7 @@
allow dex2oat postinstall_dexopt:fd use;
allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file read;
# Allow dex2oat access to files in /data/ota.
diff --git a/public/domain.te b/public/domain.te
index f634336..c48950d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -421,18 +421,13 @@
neverallow { domain -recovery } contextmount_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-# Do not allow service_manager add for default_android_service.
+# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
-# from service name to service_type are defined in service_contexts.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add;
-
-# Do not allow hwservice_manager add for default_android_hwservice.
-# Instead domains should use a more specific type such as
-# hal_audio_hwservice rather than the generic type.
-# New service_types are defined in hwservice.te and new mappings
-# from service name to service_type are defined in hwservice_contexts.
+neverallow * default_android_vndservice:service_manager { add find };
neverallow * default_android_hwservice:hwservice_manager { add find };
# Looking up the base class/interface of all HwBinder services is a bad idea.
@@ -549,6 +544,8 @@
-nfc_service
-radio_service
-surfaceflinger_service
+ -virtual_touchpad_service
+ -vr_hwc_service
-vr_manager_service
}:service_manager find;
neverallow {
@@ -559,6 +556,27 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
@@ -672,6 +690,7 @@
-appdomain
-idmap
-init
+ -installd
-system_server
-zygote
} vendor_overlay_file:dir { getattr open read search };
@@ -681,6 +700,7 @@
-appdomain
-idmap
-init
+ -installd
-system_server
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;
@@ -965,26 +985,6 @@
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-neverallow {
- domain
- -init
- -recovery
- -sdcardd
- -vold
-} fuse_device:chr_file open;
-neverallow {
- domain
- -dumpstate
- -init
- -priv_app
- -recovery
- -sdcardd
- -shell # Restricted by shell.te to only getattr
- -system_server
- -ueventd
- -vold
-} fuse_device:chr_file *;
-
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
diff --git a/public/file.te b/public/file.te
index eacfc2c..7cb7c36 100644
--- a/public/file.te
+++ b/public/file.te
@@ -200,6 +200,7 @@
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 9539ff4..5b1a4df 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -21,10 +21,6 @@
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(hal_audio, bluetooth, bluetooth)
-
###
### neverallow rules
###
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 2600843..5a6bf5c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -32,6 +32,9 @@
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
# Allow access to app_data and media_data_files
allow hal_drm media_data_file:dir create_dir_perms;
allow hal_drm media_data_file:file create_file_perms;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 349dea6..a027c48 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -13,4 +13,4 @@
# Data file accesses.
allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/init.te b/public/init.te
index e997e13..6d43ef4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -205,7 +205,13 @@
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
auditallow init {
dev_type
-alarm_device
diff --git a/public/installd.te b/public/installd.te
index 774ba49..c5b45b4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -29,6 +29,8 @@
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 5c1ccbf..771701c 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -8,10 +8,9 @@
# and use macro hal_server_domain
get_prop(mediacodec, hwservicemanager_prop)
-full_treble_only(`
- # on full-Treble devices, route all /dev/binder traffic to /dev/vndbinder
- vndbinder_use(mediacodec)
-')
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
not_full_treble(`
# on legacy devices, continue to allow /dev/binder traffic
binder_use(mediacodec)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index cf539f8..6efaf0f 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -129,6 +129,7 @@
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index b66c927..0ce617b 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -7,6 +7,7 @@
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
allow postinstall_dexopt postinstall_file:lnk_file read;
allow postinstall_dexopt proc:file { getattr open read };
diff --git a/public/servicemanager.te b/public/servicemanager.te
index bba9c6e..3cf5a46 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,7 +9,12 @@
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+ domain
+ -init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
# Access to all (system and vendor) service_contexts
# TODO(b/36866029) access to nonplat_service_contexts
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 544550a..c2800e3 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -5,8 +5,12 @@
binder_service(virtual_touchpad)
add_service(virtual_touchpad, virtual_touchpad_service)
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
# Requires access to /dev/uinput to create and feed the virtual device.
allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-# Limit access so that nothing else can inject input.
-neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/public/vndservice.te b/public/vndservice.te
new file mode 100644
index 0000000..0d309bf
--- /dev/null
+++ b/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index b0d3ad9..c0abdcd 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -8,6 +8,9 @@
binder_service(vr_hwc)
binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+# TODO(dnicoara): Remove once vr_wm is disabled.
binder_call(vr_hwc, vr_wm)
add_service(vr_hwc, vr_hwc_service)
@@ -25,5 +28,6 @@
# (ie: size).
use_pdx(vr_hwc, surfaceflinger)
-# Limit access so only vr_wm can connect.
-neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index b288ea7..26ce144 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -173,9 +173,6 @@
}
}
- if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))
- fprintf(stderr, "Warning! Empty type set\n");
-
*ptr = p;
return 0;
err:
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 9c38819..0dc2170 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,4 +6,3 @@
hal_client_domain(hal_audio_default, hal_allocator)
-typeattribute hal_audio_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index cc9ee31..c13baa7 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -3,6 +3,3 @@
type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_nfc_default)
-
-# TODO(b/37640900): Remove this one NFC HAL no longer needs access to nfc_data_file:sock_file
-typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 0000000..4cca2fb
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1 @@
+* u:object_r:default_android_vndservice:s0