Merge "sepolicy: allow audioserver to use ALSA MMAP FDs" into oc-dev am: 4f1763ef34
am: 14bb96f2b1

Change-Id: I7c9f2eae1ca88ac7aab960a3d8ddef7dace09c5c
diff --git a/private/access_vectors b/private/access_vectors
index 6b08d9e..74cf530 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,13 +675,6 @@
 	list
 }
 
-class vndservice_manager
-{
-	add
-	find
-	list
-}
-
 class keystore_key
 {
 	get_state
diff --git a/private/app.te b/private/app.te
index 2ee3bee..b41ebec 100644
--- a/private/app.te
+++ b/private/app.te
@@ -315,6 +315,9 @@
 
 allow appdomain cache_file:dir getattr;
 
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
 ###
 ### Neverallow rules
 ###
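Review bot: The comment on L31 undersells what the rule on L32 grants: rx_file_perms includes execute_no_trans, so on sanitized builds every domain carrying appdomain may execute asanwrapper inside its own domain with no transition, and the rule is compiled only when with_asan is enabled. A reader skimming app.te should see both facts without expanding the macro. Suggest `# ASAN builds only: let any app domain execute asanwrapper in its own domain (rx_file_perms, no transition) so apps can be launched through wrap properties.`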
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index d35cd3c..0401ffe 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -3,3 +3,7 @@
 /data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
 /system/bin/asan_extract       u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper        u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process   u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
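Review bot: Labelling /system/bin/asan/app_process, app_process32 and app_process64 as zygote_exec on L46-L48 makes the sanitized copies indistinguishable from the regular app_process to every rule keyed on that label, including the init-to-zygote transition and the system_server execute_no_trans exemption this same change adds in system_server.te. That appears intentional, but nothing in the file records it, and file_contexts_asan has room for a `#` comment. Suggest adding above L46 `# Sanitized app_process copies share zygote_exec so every rule written for the zygote binary also applies to them.`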
diff --git a/private/security_classes b/private/security_classes
index 5685bd6..02e3ef2 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -137,9 +137,6 @@
 # hardware service manager      # userspace
 class hwservice_manager
 
-# vendor service manager        # userspace
-class vndservice_manager
-
 # Keystore Key
 class keystore_key              # userspace
 
diff --git a/private/system_server.te b/private/system_server.te
index 404a253..89b14a9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -22,6 +22,9 @@
   # Report dalvikcache_data_file:file execute violations.
   auditallow system_server dalvikcache_data_file:file execute;
 ')
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -182,6 +185,7 @@
 hal_client_domain(system_server, hal_light)
 binder_call(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_oemlock)
 binder_call(system_server, hal_power)
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_sensors)
@@ -195,7 +199,9 @@
 hal_client_domain(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_offload)
 
 hal_client_domain(system_server, hal_wifi_supplicant)
 
@@ -652,6 +658,7 @@
 # asanwrapper.
 with_asan(`
   allow system_server shell_exec:file rx_file_perms;
+  allow system_server asanwrapper_exec:file rx_file_perms;
 ')
 
 ###
@@ -679,7 +686,7 @@
   file_type
   -toolbox_exec
   -logcat_exec
-  with_asan(`-shell_exec')
+  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
 }:file execute_no_trans;
 
 # Ensure that system_server doesn't perform any domain transitions other than
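Review bot: The exemption on L108 drops zygote_exec from system_server's execute_no_trans neverallow for every file carrying that label, not just the /system/bin/asan/app_process* copies that this change labels zygote_exec in file_contexts_asan, so on sanitized builds system_server may also execute the regular /system/bin/app_process in its own domain. The neverallow block starts outside the hunk and its comment does not say why the label is exempted; suggest `# with_asan: asanwrapper re-execs /system/bin/asan/app_process* (labelled zygote_exec) in the system_server domain.` If only the sanitized copies are meant to be covered, giving them their own exec type instead of zygote_exec would keep the exemption to those files.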
diff --git a/private/wificond.te b/private/wificond.te
index 5476e33..cc76447 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,4 @@
 typeattribute wificond coredomain;
 
 init_daemon_domain(wificond)
+hal_client_domain(wificond, hal_wifi_offload)
diff --git a/public/attributes b/public/attributes
index adad87f..b48e21a 100644
--- a/public/attributes
+++ b/public/attributes
@@ -212,6 +212,9 @@
 attribute hal_nfc;
 attribute hal_nfc_client;
 attribute hal_nfc_server;
+attribute hal_oemlock;
+attribute hal_oemlock_client;
+attribute hal_oemlock_server;
 attribute hal_power;
 attribute hal_power_client;
 attribute hal_power_server;
@@ -239,12 +242,18 @@
 attribute hal_vr;
 attribute hal_vr_client;
 attribute hal_vr_server;
+attribute hal_weaver;
+attribute hal_weaver_client;
+attribute hal_weaver_server;
 attribute hal_wifi;
 attribute hal_wifi_client;
 attribute hal_wifi_server;
 attribute hal_wifi_keystore;
 attribute hal_wifi_keystore_client;
 attribute hal_wifi_keystore_server;
+attribute hal_wifi_offload;
+attribute hal_wifi_offload_client;
+attribute hal_wifi_offload_server;
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
diff --git a/public/domain.te b/public/domain.te
index e75ce1a..6453978 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -219,7 +219,10 @@
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing vndservice_manager_type
 # when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
 
 ###
 ### neverallow rules
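Review bot: The comment on L165 says processes will "read /data", but the rule on L166 grants only getattr on system_data_file directories, with no search or read; for a rule applied to every domain the comment should state exactly what is granted so a later reader does not assume broader access was intended. Suggest `# Under ASAN the sanitized libraries live under /data; grant all domains getattr (only) on system_data_file dirs.`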
@@ -914,8 +917,17 @@
 } shell_data_file:file open;
 
 
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;
 
 # only service_manager_types can be added to service_manager
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
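Review bot: With vndservicemanager exempted alongside servicemanager on L178-L181, the separation between the framework and vendor service registries no longer comes from a distinct object class and now rests entirely on the target type (servicemanager versus vndservicemanager) in each domain's allow rules. A neverallow that keeps coredomain from listing vndservicemanager:service_manager, and non-coredomain domains from listing servicemanager:service_manager, would make that boundary explicit rather than implicit; the TODO on L189 already notes the add/find side needs the same rework. The four-space indent on the closing `}` of L181 and L186 also differs from the brace layout used elsewhere in this file, as on L159.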
diff --git a/public/file.te b/public/file.te
index eacfc2c..926fd59 100644
--- a/public/file.te
+++ b/public/file.te
@@ -315,6 +315,9 @@
 allow app_fuse_file app_fusefs:filesystem associate;
 allow postinstall_file self:filesystem associate;
 
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
 #
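Review bot: Because asanwrapper_exec on L199 is declared inside with_asan, the type does not exist on non-sanitized builds and every rule that names it must also be wrapped, which this change does in app.te and system_server.te but nothing in file.te says so. Suggest extending the comment on L198 to `# asanwrapper (run a sanitized app_process, to be used with wrap properties). Only defined on ASAN builds; any rule referencing asanwrapper_exec must be inside with_asan.`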
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
new file mode 100644
index 0000000..69870ec
--- /dev/null
+++ b/public/hal_oemlock.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
new file mode 100644
index 0000000..78d2b75
--- /dev/null
+++ b/public/hal_weaver.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
new file mode 100644
index 0000000..dac5171
--- /dev/null
+++ b/public/hal_wifi_offload.te
@@ -0,0 +1,6 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
+binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
+
+r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, sysfs_type)
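Review bot: `r_dir_file(hal_wifi_offload, sysfs_type)` on L231 grants read on every sysfs node, and both it and the proc_net rule on L230 are keyed on the hal_wifi_offload attribute rather than hal_wifi_offload_server; if hal_client_domain attaches that attribute to clients on this branch, wificond and system_server inherit the whole grant, which should be confirmed against te_macros. Keying the two rules on hal_wifi_offload_server, or narrowing the target from sysfs_type to the sysfs type the offload service actually reads, would keep the access with the server. The `##` prefix on L226 also differs from the single `#` used in the sibling hal_oemlock.te and hal_weaver.te added by the same change.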
diff --git a/public/su.te b/public/su.te
index 77fd071..47349d8 100644
--- a/public/su.te
+++ b/public/su.te
@@ -38,10 +38,10 @@
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
   dontaudit su hwservice_manager_type:hwservice_manager *;
-  dontaudit su vndservice_manager_type:vndservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su vndservicemanager:vndservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ac5d1d0..e7a371a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -30,6 +30,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
diff --git a/vendor/hal_wifi_offload_default.te b/vendor/hal_wifi_offload_default.te
new file mode 100644
index 0000000..44bd306
--- /dev/null
+++ b/vendor/hal_wifi_offload_default.te
@@ -0,0 +1,5 @@
+type hal_wifi_offload_default, domain;
+hal_server_domain(hal_wifi_offload_default, hal_wifi_offload)
+
+type hal_wifi_offload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_offload_default)