Merge "relax fuse_device neverallow rules" into oc-dev
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bb37ceb..0917724 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -21,6 +21,10 @@
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow all_untrusted_apps property_socket:sock_file write;
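Review bot: The two new untrusted-app rules deny the VendorBinder device node and vendor service lookups but not Binder IPC to the vendor context manager itself, so this set is one rule short of the coredomain block the same commit adds to domain.te, which covers vndbinder_device, vndservice_manager_type and vndservicemanager:binder together. Without the device node an app cannot reach vndservicemanager anyway, so this is belt-and-braces, but app_neverallows.te is enforced on every build while the domain.te rules are wrapped in full_treble_only and so do nothing on non-Treble devices. I would add `neverallow all_untrusted_apps vndservicemanager:binder *;` directly under the two new lines so the three checks travel together and a future relaxation of one is visible next to the others.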
diff --git a/private/service_contexts b/private/service_contexts
index 8ba1b0c..d8d846f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -22,7 +22,7 @@
commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
-companion_device u:object_r:companion_device_service:s0
+companiondevice u:object_r:companion_device_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
diff --git a/public/domain.te b/public/domain.te
index 188c560..f75b531 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -549,6 +549,8 @@
-nfc_service
-radio_service
-surfaceflinger_service
+ -virtual_touchpad_service
+ -vr_hwc_service
-vr_manager_service
}:service_manager find;
neverallow {
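Review bot: Adding `-virtual_touchpad_service` and `-vr_hwc_service` to this exclusion list, combined with deleting the per-service neverallows in virtual_touchpad.te ("nothing else can inject input") and vr_hwc.te ("only vr_wm can connect") in the same commit, leaves no neverallow anywhere in the visible tree constraining who may `find` the service that injects touch input; the only remaining protection is the set of allow rules, which a device-specific policy can extend without tripping any build-time check. The head of this neverallow is above the hunk, so I am inferring from the neighbouring exclusions that it is the vendor-to-core service_manager restriction and that the intent is to let vendor VR components reach these two services. If that is the case, the commit should say so next to the new exclusions, e.g. `# exposed to vendor VR components; see virtual_touchpad.te / vr_hwc.te`, and ideally restore a narrower neverallow on virtual_touchpad_service that lists the intended vendor callers rather than dropping the guard entirely.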
@@ -559,6 +561,27 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
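Review bot: The inline comment on the `-ueventd` exclusion misnames the daemon ("uevent") and does not explain why the exclusion is safe: ueventd is carved out of the `rw_file_perms` rule so it can still create the node, and the separate rule right below re-denies `read write append ioctl`, leaving only `open getattr lock` available to it. A comment that states this saves the next reader from having to diff the two permission sets, e.g. `-ueventd # ueventd creates the node; the rule below still denies I/O on it`. It is also worth noting in the header comment that, because the whole block is `full_treble_only`, the only VendorBinder restriction enforced on non-Treble builds is the untrusted-app rule set in app_neverallows.te.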
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 2600843..5a6bf5c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -32,6 +32,9 @@
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
# Allow access to app_data and media_data_files
allow hal_drm media_data_file:dir create_dir_perms;
allow hal_drm media_data_file:file create_file_perms;
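Review bot: The new `allow hal_drm mediaserver:fd use;` is granted on the `hal_drm` attribute, which in Android's hal_attribute/hal_client_domain convention (not visible in this hunk) is applied both to the binderized HAL server and to passthrough client domains, so this rule widens to every domain carrying the attribute rather than only the DRM HAL process; if just the server needs mediaserver's descriptors, `allow hal_drm_server mediaserver:fd use;` is the tighter form. The comment "Allow access to fds allocated by mediaserver" also leaves out what the fds are and how they arrive, which is the information a later reviewer needs to decide whether the rule can go; I would extend it to name the buffer type and the IPC path, or reference the tracking bug if one exists. `fd:use` alone does not grant I/O on the underlying object, so the corresponding file-type rules still have to exist elsewhere for this to work, presumably the ion_device and media_data_file rules already in this file.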
diff --git a/public/init.te b/public/init.te
index e997e13..6d43ef4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -205,7 +205,13 @@
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
auditallow init {
dev_type
-alarm_device
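Review bot: The new `-vndbinder_device` exclusion has no comment, and the comment above this rule only says init should not read generic devices with a TODO to delete the rule; the reason this particular exclusion is needed, that init is coredomain and would otherwise violate the new `full_treble_only` neverallow on vndbinder_device in domain.te, is not recorded. A one-line note keeps the two files tied together, e.g. `-vndbinder_device # coredomain may not use VendorBinder (neverallow in domain.te)`. The auditallow statement that starts at the end of this hunk continues outside it, so I cannot tell whether it needs a matching entry; since auditallow only fires on permitted accesses, it should be harmless either way.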
diff --git a/public/servicemanager.te b/public/servicemanager.te
index bba9c6e..3cf5a46 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,7 +9,12 @@
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+ domain
+ -init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
# Access to all (system and vendor) service_contexts
# TODO(b/36866029) access to nonplat_service_contexts
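Review bot: The reworked `transfer` rule now excludes `hwservicemanager` and `vndservicemanager` alongside `init`, but the comment above the rule still only explains servicemanager's own behaviour and gives no reason for the exclusions, so the next person to hit a denial from one of those domains will not know whether the exclusion is deliberate. If the rationale is that the three context managers never exchange Binder references with one another, say so in the block: `# init and the other context managers (hwservicemanager, vndservicemanager) never receive references from servicemanager`. The first line of the rule's comment ("created by other domains") is above the hunk, so I cannot see whether it already covers this.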
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 544550a..8a28cf0 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -7,6 +7,3 @@
# Requires access to /dev/uinput to create and feed the virtual device.
allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Limit access so that nothing else can inject input.
-neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index b0d3ad9..7488cc0 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -8,6 +8,7 @@
binder_service(vr_hwc)
binder_call(vr_hwc, surfaceflinger)
+# TODO(dnicoara): Remove once vr_wm is disabled.
binder_call(vr_hwc, vr_wm)
add_service(vr_hwc, vr_hwc_service)
@@ -24,6 +25,3 @@
# Allow connection to VR DisplayClient to get the primary display metadata
# (ie: size).
use_pdx(vr_hwc, surfaceflinger)
-
-# Limit access so only vr_wm can connect.
-neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index b288ea7..26ce144 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -173,9 +173,6 @@
}
}
- if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))
- fprintf(stderr, "Warning! Empty type set\n");
-
*ptr = p;
return 0;
err:
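Review bot: Removing the "Empty type set" warning silences the one diagnostic that reports a neverallow whose subject or target set expands to nothing, which is exactly the condition under which a neverallow is vacuous, whether because of a misspelled attribute or because an attribute such as a new vnd* type has no members on the build being analysed. If the motivation is noise from attributes that are legitimately empty on some builds (my inference; the commit does not say), the cheaper fix is to keep the message and route it behind the existing `warn` gate or a new verbose option rather than delete it, so `sepolicy-analyze neverallow` can still catch a rule that no longer constrains anything. The enclosing function starts and ends outside this hunk, so I cannot see how `warn` and `flags` are populated by the callers.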
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 65ad467..618166b 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,5 +6,5 @@
hal_client_domain(hal_audio_default, hal_allocator)
-# TODO(b/37640821): Remove one Audio HAL is no longer granted access bluetooth daemon sockets
+# TODO(b/37640821): Remove once Audio HAL is no longer granted access to bluetooth daemon sockets
typeattribute hal_audio_default socket_between_core_and_vendor_violators;