Move isolated_compute_app to be public
This will allow vendor customization of isolated_compute_app. New permissions added should be associated with isolated_compute_allowed.
Bug: 274535894
Test: m
Change-Id: I4239228b80544e6f5ca1dd68ae1f44c0176d1bce
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 4ed4b36..cdddd38 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -8,19 +8,14 @@
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###
-type isolated_compute_app, domain;
typeattribute isolated_compute_app coredomain;
app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)
-allow isolated_compute_app audioserver_service:service_manager find;
-allow isolated_compute_app cameraserver_service:service_manager find;
-allow isolated_compute_app content_capture_service:service_manager find;
-allow isolated_compute_app device_state_service:service_manager find;
-allow isolated_compute_app speech_recognition_service:service_manager find;
-allow isolated_compute_app mediaserver_service:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_services:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };
# Enable access to hardware services for camera functionalilites
hal_client_domain(isolated_compute_app, hal_allocator)
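Review bot: The chr_file rule on the second added line grants `write` and `ioctl` uniformly to every member of isolated_compute_allowed_devices, whereas the test this commit rewrites only tolerated `write` on hwbinder_device (the removed `perm.startswith("hwbinder_device:chr_file")` check in tests/treble_sepolicy_tests.py), so ion_device and dmabuf_system_heap_device, tagged in the public/device.te hunks of this commit, now receive write/ioctl as well, and any type a vendor later adds to the attribute gets the same set. If that widening is intended, say so above the two allow lines, e.g. `# Vendor policy extends this domain only by tagging types with the isolated_compute_allowed_* attributes; every member receives the full permission set below, so keep it minimal.` If it is not, consider keeping write/ioctl on a narrower rule for the types that need them rather than on the attribute. The hunk header counts more lines than are shown here, which looks like dropped blank context lines rather than a policy problem.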
diff --git a/public/attributes b/public/attributes
index 09463e3..499ae7c 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,12 @@
# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
attribute isolated_app_all;
+# All service types that would be allowed for isolated_compute_app.
+attribute isolated_compute_allowed_services;
+
+# All device types that would be allowed for isolated_compute_app.
+attribute isolated_compute_allowed_devices;
+
# All domains used for apps with network access.
attribute netdomain;
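Review bot: The two new attribute comments say the types "would be allowed" without stating what access membership confers, which is what a vendor engineer needs before tagging a type; the grants live in private/isolated_compute_app.te (`service_manager find` and `chr_file { read write ioctl map }`) and are not visible from this public file. Suggest `# Services that isolated_compute_app may find via service_manager.` and `# Devices (chr_file) that isolated_compute_app may read, write, ioctl and map.` Since the attributes are public, this comment is probably the first place a vendor will read the contract.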
diff --git a/public/device.te b/public/device.te
index 066600e..e0872b7 100644
--- a/public/device.te
+++ b/public/device.te
@@ -4,7 +4,7 @@
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
type vndbinder_device, dev_type;
type block_device, dev_type;
type bt_device, dev_type;
@@ -48,9 +48,9 @@
type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
+type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_devices;
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
diff --git a/public/isolated_compute_app.te b/public/isolated_compute_app.te
new file mode 100644
index 0000000..f2ae9a1
--- /dev/null
+++ b/public/isolated_compute_app.te
@@ -0,0 +1 @@
+type isolated_compute_app, domain;
diff --git a/public/service.te b/public/service.te
index 0936cc4..e720c21 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,11 +2,11 @@
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type artd_service, service_manager_type;
-type audioserver_service, service_manager_type;
+type audioserver_service, service_manager_type, isolated_compute_allowed_services;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
+type cameraserver_service, service_manager_type, isolated_compute_allowed_services;
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
@@ -29,7 +29,7 @@
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mdns_service, service_manager_type;
-type mediaserver_service, service_manager_type;
+type mediaserver_service, service_manager_type, isolated_compute_allowed_services;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
@@ -93,7 +93,7 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -107,7 +107,7 @@
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -224,7 +224,7 @@
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_services;
type tare_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2c52e2c..8abad94 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -312,10 +312,9 @@
# TODO move this to sepolicy_tests
def TestIsolatedAttributeConsistency(test_policy):
permissionAllowList = {
- # hardware related
+ # access given from technical_debt.cil
"codec2_config_prop" : ["file"],
"device_config_nnapi_native_prop":["file"],
- "dmabuf_system_heap_device":["chr_file"],
"hal_allocator_default":["binder", "fd"],
"hal_codec2": ["binder", "fd"],
"hal_codec2_hwservice":["hwservice_manager"],
@@ -325,6 +324,7 @@
"hal_graphics_allocator_server":["binder", "service_manager"],
"hal_graphics_mapper_hwservice":["hwservice_manager"],
"hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_service": ["service_manager"],
"hal_neuralnetworks_hwservice":["hwservice_manager"],
"hal_omx_hwservice":["hwservice_manager"],
"hidl_allocator_hwservice":["hwservice_manager"],
@@ -333,22 +333,14 @@
"hidl_token_hwservice":["hwservice_manager"],
"hwservicemanager":["binder"],
"hwservicemanager_prop":["file"],
- "hwbinder_device":["chr_file"],
"mediacodec":["binder", "fd"],
"mediaswcodec":["binder", "fd"],
"media_variant_prop":["file"],
"nnapi_ext_deny_product_prop":["file"],
- "ion_device" : ["chr_file"],
- # system services
- "audioserver_service":["service_manager"],
- "cameraserver_service":["service_manager"],
- "content_capture_service":["service_manager"],
- "device_state_service":["service_manager"],
- "hal_neuralnetworks_service":["service_manager"],
"servicemanager":["fd"],
- "speech_recognition_service":["service_manager"],
- "mediaserver_service" :["service_manager"],
"toolbox_exec": ["file"],
+ # extra types being granted to isolated_compute_app
+ "isolated_compute_allowed":["service_manager", "chr_file"],
}
def resolveHalServerSubtype(target):
@@ -363,15 +355,24 @@
return attr.rsplit("_", 1)[0]
return target
+ def checkIsolatedComputeAllowed(tctx, tclass):
+ # check if the permission is in isolated_compute_allowed
+ allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True) \
+ .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True))
+ return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+
def checkPermissions(permissions):
violated_permissions = []
for perm in permissions:
tctx, tclass, p = perm.split(":")
tctx = resolveHalServerSubtype(tctx)
- if tctx not in permissionAllowList \
+ # check unwanted permissions
+ if not checkIsolatedComputeAllowed(tctx, tclass) and \
+ ( tctx not in permissionAllowList \
or tclass not in permissionAllowList[tctx] \
- or ( p == "write" and not perm.startswith("hwbinder_device:chr_file") ) \
- or ( p == "rw_file_perms"):
+ or ( p == "write") \
+ or ( p == "rw_file_perms") ):
violated_permissions += [perm]
return violated_permissions
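Review bot: The rewritten `if` in checkPermissions never examines the permission `p` for a type that passes checkIsolatedComputeAllowed, because `not checkIsolatedComputeAllowed(...) and (...)` short-circuits before the `p == "write"` / `p == "rw_file_perms"` branches, and the helper itself unions the service and device attributes and accepts either class for either, so a member of isolated_compute_allowed_services reported with `chr_file`, or any chr_file permission beyond the read/write/ioctl/map the policy grants on a member device, would not be flagged. The two QueryTypeAttribute calls also run on every permission in the loop and can be resolved once above the helper. Passing `p` and keying members and granted permissions by class addresses both, assuming permissions are reported individually as the `p == "write"` comparison suggests; the `"isolated_compute_allowed"` pseudo-entry added to permissionAllowList in the previous hunk then becomes unused. TestIsolatedAttributeConsistency starts outside this hunk, and the two blank lines after the helper are one more than the file's single-blank style.
```python
    # … unchanged: resolveHalServerSubtype …
    # Resolve attribute membership once; checkPermissions calls the helper per permission.
    isolatedComputeMembers = {
        "service_manager": test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True),
        "chr_file": test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True),
    }
    # Permissions the public policy grants to attribute members (private/isolated_compute_app.te).
    isolatedComputePerms = {
        "service_manager": {"find"},
        "chr_file": {"read", "write", "ioctl", "map"},
    }

    def checkIsolatedComputeAllowed(tctx, tclass, p):
        # a member type is exempt only for the class its attribute is tied to and for the granted permissions
        return tctx in isolatedComputeMembers.get(tclass, ()) and p in isolatedComputePerms.get(tclass, ())

    # … unchanged: checkPermissions, with the call becoming checkIsolatedComputeAllowed(tctx, tclass, p) …
```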