Move isolated_compute_app to be public
This will allow vendor customization of isolated_compute_app. New permissions added should be associated with isolated_compute_allowed.
Bug: 274535894
Test: m
Change-Id: I4239228b80544e6f5ca1dd68ae1f44c0176d1bce
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2c52e2c..8abad94 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -312,10 +312,9 @@
# TODO move this to sepolicy_tests
def TestIsolatedAttributeConsistency(test_policy):
permissionAllowList = {
- # hardware related
+ # access given from technical_debt.cil
"codec2_config_prop" : ["file"],
"device_config_nnapi_native_prop":["file"],
- "dmabuf_system_heap_device":["chr_file"],
"hal_allocator_default":["binder", "fd"],
"hal_codec2": ["binder", "fd"],
"hal_codec2_hwservice":["hwservice_manager"],
@@ -325,6 +324,7 @@
"hal_graphics_allocator_server":["binder", "service_manager"],
"hal_graphics_mapper_hwservice":["hwservice_manager"],
"hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_service": ["service_manager"],
"hal_neuralnetworks_hwservice":["hwservice_manager"],
"hal_omx_hwservice":["hwservice_manager"],
"hidl_allocator_hwservice":["hwservice_manager"],
@@ -333,22 +333,14 @@
"hidl_token_hwservice":["hwservice_manager"],
"hwservicemanager":["binder"],
"hwservicemanager_prop":["file"],
- "hwbinder_device":["chr_file"],
"mediacodec":["binder", "fd"],
"mediaswcodec":["binder", "fd"],
"media_variant_prop":["file"],
"nnapi_ext_deny_product_prop":["file"],
- "ion_device" : ["chr_file"],
- # system services
- "audioserver_service":["service_manager"],
- "cameraserver_service":["service_manager"],
- "content_capture_service":["service_manager"],
- "device_state_service":["service_manager"],
- "hal_neuralnetworks_service":["service_manager"],
"servicemanager":["fd"],
- "speech_recognition_service":["service_manager"],
- "mediaserver_service" :["service_manager"],
"toolbox_exec": ["file"],
+ # extra types being granted to isolated_compute_app
+ "isolated_compute_allowed":["service_manager", "chr_file"],
}
def resolveHalServerSubtype(target):
@@ -363,15 +355,24 @@
return attr.rsplit("_", 1)[0]
return target
+ def checkIsolatedComputeAllowed(tctx, tclass):
+ # check if the permission is in isolated_compute_allowed
+ allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_services", IsAttr=True) \
+ .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_devices", IsAttr=True))
+ return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+
def checkPermissions(permissions):
violated_permissions = []
for perm in permissions:
tctx, tclass, p = perm.split(":")
tctx = resolveHalServerSubtype(tctx)
- if tctx not in permissionAllowList \
+ # check unwanted permissions
+ if not checkIsolatedComputeAllowed(tctx, tclass) and \
+ ( tctx not in permissionAllowList \
or tclass not in permissionAllowList[tctx] \
- or ( p == "write" and not perm.startswith("hwbinder_device:chr_file") ) \
- or ( p == "rw_file_perms"):
+ or ( p == "write") \
+ or ( p == "rw_file_perms") ):
violated_permissions += [perm]
return violated_permissions