Merge "android.hidl.memory -> android.hidl.allocator"
diff --git a/private/audioserver.te b/private/audioserver.te
index 17abd83..95a7521 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,5 +43,14 @@
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
-# audioserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
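Review bot: The replaced comment no longer says what the neverallow on the next line actually forbids; the removed one-liner about network sockets was the only sentence tied to this rule, and the new ten-line block is a generic rationale for the whole mediaserver split. Keep a per-rule line directly above the neverallow, after the general text, e.g. `# audioserver should never need network access. Disallow network sockets.`. The same per-domain line was dropped in the identical comment blocks in cameraserver.te, mediacodec.te, mediaextractor.te and mediametrics.te. Since the block is now pasted verbatim five times, a single canonical copy with a one-line pointer in the other files would keep them from drifting.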
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 5ea6027..b2369c1 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -22,14 +22,6 @@
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(bluetooth, sysfs_type)
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;
@@ -64,9 +56,7 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
-# Perform HwBinder IPC.
-hwbinder_use(bluetooth)
-binder_call(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth)
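Review bot: The `# Perform HwBinder IPC.` comment disappears together with hwbinder_use, but `hal_client_domain(bluetooth, hal_bluetooth)` is not self-describing, and the adjacent `binder_call(bluetooth, hal_telephony)` keeps the older direct form, so a reader cannot tell from this file why the two HALs are handled differently. A short comment would record that, e.g. `# Client of the Bluetooth HAL; telephony is still called directly (not yet converted to hal_client_domain)`. Whether hal_client_domain also supplies the hwbinder_use that was removed here is not visible in this change; if it does, saying so in the comment would stop someone re-adding it.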
diff --git a/private/crash_dump.te b/private/crash_dump.te
deleted file mode 100644
index b3e4d9a..0000000
--- a/private/crash_dump.te
+++ /dev/null
@@ -1,4 +0,0 @@
-### HACK: Make crash_dump permissive temporarily to catch denials without breaking backtraces.
-userdebug_or_eng(`
- permissive crash_dump;
-')
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index 88fd42b..4fcb322 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -1,5 +1,5 @@
type hal_bluetooth_default, domain;
-hal_impl_domain(hal_bluetooth_default, hal_bluetooth)
+hal_server_domain(hal_bluetooth_default, hal_bluetooth)
type hal_bluetooth_default_exec, exec_type, file_type;
init_daemon_domain(hal_bluetooth_default)
diff --git a/private/system_server.te b/private/system_server.te
index fa55ada..e23a33c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -181,7 +181,6 @@
# Perform HwBinder IPC.
hwbinder_use(system_server)
hwallocator_use(system_server)
-binder_call(system_server, hal_bluetooth)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
binder_call(system_server, hal_fingerprint)
diff --git a/public/attributes b/public/attributes
index e48f96f..5c43d5e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -127,7 +127,11 @@
attribute hal_audio_client;
attribute hal_audio_server;
attribute hal_bluetooth;
+attribute hal_bluetooth_client;
+attribute hal_bluetooth_server;
attribute hal_camera;
+attribute hal_camera_client;
+attribute hal_camera_server;
attribute hal_configstore;
attribute hal_contexthub;
attribute hal_drm;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index a262940..f2364a7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -7,19 +7,9 @@
binder_call(cameraserver, appdomain)
binder_service(cameraserver)
-hwbinder_use(cameraserver)
-binder_call(cameraserver, hal_camera)
-binder_call(cameraserver, hwservicemanager)
+hal_client_domain(cameraserver, hal_camera)
-# access /data/misc/camera
-allow cameraserver camera_data_file:dir create_dir_perms;
-allow cameraserver camera_data_file:file create_file_perms;
-
-allow cameraserver video_device:dir r_dir_perms;
-allow cameraserver video_device:chr_file rw_file_perms;
-allow cameraserver camera_device:chr_file rw_file_perms;
allow cameraserver ion_device:chr_file rw_file_perms;
-allow cameraserver hal_graphics_allocator:fd use;
add_service(cameraserver, cameraserver_service)
allow cameraserver appops_service:service_manager find;
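Review bot: `allow cameraserver ion_device:chr_file rw_file_perms;` is now the only device rule left in this block and carries no comment, while the video_device and camera_device rules around it were removed (the same rules exist for hal_camera in hal_camera.te). A one-line comment such as `# Camera/video device access lives in hal_camera.te; cameraserver keeps only ion for buffer sharing` would explain the asymmetry to the next reader. The removal of `binder_call(cameraserver, hwservicemanager)` is presumably covered by hal_client_domain, but that macro is not visible here, so it is worth confirming that cameraserver can still look up the HAL.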
@@ -31,9 +21,6 @@
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
-# For HIDL hwservicemanager
-allow cameraserver system_file:dir r_dir_perms;
-
###
### neverallow rules
###
@@ -42,5 +29,14 @@
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-# cameraserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index e1327e4..a0e278a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -19,7 +19,10 @@
# Use inherited file descriptors
allow crash_dump domain:fd use;
-allow crash_dump domain:fifo_file write;
+
+# Write to the IPC pipe inherited from crashing processes.
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { write append };
r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;
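Review bot: The new `append` permission is granted on `domain:fifo_file`, i.e. pipes owned by any domain, while the comment above it names only dump requesters such as dumpstate as the reason. If dumpstate is the only requester, the append half could be scoped to it, e.g. `allow crash_dump dumpstate:fifo_file append;`, keeping the broad `write` for the inherited crash pipe; if the broad grant is intentional, the comment should say so. The two stacked comment lines also read as two separate rules; merging them into one (`# Write to the IPC pipe inherited from crashing processes, and append to pipes handed over by dump requesters (e.g. dumpstate).`) makes it clear they justify the single rule below.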
@@ -28,6 +31,9 @@
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
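Review bot: `r_dir_file(crash_dump, apk_data_file);` ends with a semicolon, unlike the other macro invocations in this hunk (`unix_socket_connect(...)`, `r_dir_file(crash_dump, domain)`); since the macro expands to complete statements, the trailing `;` is a stray empty statement and should be dropped for consistency. The comment `# Read APK files.` states what the rule does but not why crash_dump needs it, which the neighbouring comments do; something like `# Read APK files (needed when backtracing code loaded from an APK — confirm)` would be more useful.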
diff --git a/public/domain.te b/public/domain.te
index 9993f2f..e2c71da 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,7 +378,7 @@
-system_server
-shell # Shell is further restricted in shell.te
-ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file rw_file_perms;
+} frp_block_device:blk_file no_rw_file_perms;
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
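Review bot: The permission set on the closing line of this neverallow changes from rw_file_perms to no_rw_file_perms, but the head of the statement, which lists the excluded domains, starts before this hunk, and nothing in the hunk says why the set changed. The new macro appears to leave getattr out of the denied set, which would be what lets the `allow fsck dev_type:blk_file getattr;` added in fsck.te and fsck_untrusted.te in this same change pass this neverallow; if that is the motivation, record it, e.g. `# getattr is deliberately not denied here: fsck stats every block device (see fsck.te).`. If no_rw_file_perms also widens the denied set beyond read/write (create, rename, unlink and the like), that deserves a word too, since it turns a read/write ban into a broader one.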
diff --git a/public/fsck.te b/public/fsck.te
index 2f0a838..8f3b17a 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,9 +19,16 @@
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
r_dir_file(fsck, proc)
allow fsck rootfs:dir r_dir_perms;
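Review bot: The old rationale for stat'ing the swap device (verifying it before setting EXT2_MF_SWAP) is removed together with the swap_block_device rule, and the new dev_type rule subsumes that case without mentioning it. Add one line after the new comment, e.g. `# This also covers the stat() of the swap device before EXT2_MF_SWAP is set.`. The same nine-line comment is pasted verbatim into fsck_untrusted.te; a one-line pointer there (`# See fsck.te for why stat on all block devices is needed.`) would avoid two copies drifting. dev_type:blk_file getattr is much wider than the previous swap-only grant; the comment justifies the breadth, but it only works as long as the block-device neverallows elsewhere (domain.te's frp_block_device rule in this change) stay in step.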
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 98806dd..a9dd805 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -14,6 +14,17 @@
r_dir_file(fsck_untrusted, proc)
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
###
### neverallow rules
###
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 3e132b9..207f718 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,7 +1,6 @@
-r_dir_file(hal_bluetooth, system_file)
-
-# call into the Bluetooth process (callbacks)
-binder_call(hal_bluetooth, bluetooth)
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
wakelock_use(hal_bluetooth);
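Review bot: `wakelock_use(hal_bluetooth);` (context) still keys on the bare `hal_bluetooth` attribute while the IPC rules just above it are rewritten in terms of hal_bluetooth_client and hal_bluetooth_server, and nothing in this file says which domains `hal_bluetooth` covers after the split. If it covers both sides, the wakelock grant now reaches the client (the bluetooth app domain, via hal_client_domain) as well as the HAL implementation; if only the server should hold wakelocks, `wakelock_use(hal_bluetooth_server)` would be the narrower form. A comment such as `# hal_bluetooth applies to both client and server attributes — TODO confirm` at the top of the file would settle this for readers; the same question applies to the `allow hal_camera ...` device rules in hal_camera.te, where the graphics-allocator rule was made explicit as `{ hal_camera_client hal_camera_server }` but the surrounding rules were not. The trailing `;` on the wakelock line is also inconsistent with the other macro invocations.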
diff --git a/public/hal_camera.te b/public/hal_camera.te
index b879c98..02b8e77 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -1,5 +1,6 @@
-hwbinder_use(hal_camera)
-binder_call(hal_camera, cameraserver)
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
# access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms;
@@ -9,7 +10,8 @@
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
-allow hal_camera hal_graphics_allocator:fd use;
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
###
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6b4d677..f8986de 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -31,5 +31,14 @@
# domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-# mediacodec should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index deecc00..dc7c90e 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,5 +25,14 @@
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-# mediaextractor should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 84d184b..ce2dab7 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -22,5 +22,14 @@
# domain transition
neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-# mediametrics should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7fc467e..7fda294 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,28 +1,28 @@
#############################
# Default HALs
#
-/vendor/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
-/vendor/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
-/vendor/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
-/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
-/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
-/vendor/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/vendor/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
-/vendor/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
-/vendor/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
-/vendor/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
-/vendor/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
-/vendor/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
-/vendor/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
-/vendor/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
-/vendor/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
-/vendor/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
-/vendor/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
-/vendor/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
-/vendor/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
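Review bot: The `# Default HALs` header above the rewritten entries does not say why every path now matches under both `/vendor/` and `/system/vendor/`; presumably the second prefix is for devices without a separate vendor partition, but the hunk does not record that. Add a line under the header, e.g. `# Matched under /vendor and /system/vendor so both partition layouts get the same labels — confirm`. Separately, the label for the boot HAL stays `hal_boot_exec` while every other entry uses the `hal_*_default_exec` form; that inconsistency predates this change but is preserved on the new side and is worth a follow-up.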
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index a97989a..8fdb4f0 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -1,5 +1,5 @@
type hal_camera_default, domain;
-hal_impl_domain(hal_camera_default, hal_camera)
+hal_server_domain(hal_camera_default, hal_camera)
type hal_camera_default_exec, exec_type, file_type;
init_daemon_domain(hal_camera_default)