Commit 7aed9d96 authored by TreeHugger Robot, committed by Android (Google) Code Review

Merge "Restrict access to hwservicemanager"

parents 8ffe7f20 632bc494
Showing
with 138 additions and 33 deletions
...@@ -69,6 +69,9 @@ allow appdomain appdomain:fifo_file rw_file_perms; ...@@ -69,6 +69,9 @@ allow appdomain appdomain:fifo_file rw_file_perms;
# Communicate with surfaceflinger. # Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# Query whether a Surface supports wide color
allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
# App sandbox file accesses. # App sandbox file accesses.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms; allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms; allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
...@@ -174,9 +177,11 @@ binder_call(appdomain, appdomain) ...@@ -174,9 +177,11 @@ binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps. # Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app) binder_call(appdomain, ephemeral_app)
# hidl access for mediacodec # TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
# TODO(b/34454312): only allow getting and talking to mediacodec service # as OMX HAL
hwbinder_use(appdomain) hwbinder_use({ appdomain -isolated_app })
allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
# Talk with graphics composer fences # Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use; allow appdomain hal_graphics_composer:fd use;
...@@ -277,6 +282,9 @@ binder_call({ appdomain -isolated_app }, mediacodec) ...@@ -277,6 +282,9 @@ binder_call({ appdomain -isolated_app }, mediacodec)
# Allow app to access shared memory created by camera HAL1 # Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use; allow { appdomain -isolated_app } hal_camera:fd use;
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
# TODO: switch to meminfo service # TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms; allow appdomain proc_meminfo:file r_file_perms;
......
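Review bot: Dropping `hwbinder_use` from isolated_app is not pinned by any neverallow in this diff, so a later allow rule for isolated_app (or a broader appdomain rule) could silently reopen hwservicemanager lookups to the sandboxed domain; a `neverallow isolated_app hwservice_manager_type:hwservice_manager find;` beside the existing app neverallows would make the restriction enforceable at policy-compile time. The `hal_omx_hwservice` and `hidl_token_hwservice` finds for all non-isolated apps replace the old `TODO(b/34454312)` about limiting apps to the mediacodec service; if that narrowing is still intended, carry the bug reference forward instead of dropping it. These three hunks cut through the middle of the app rule file, so I cannot see whether an isolated_app neverallow already exists elsewhere in it.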
...@@ -57,7 +57,6 @@ allow bluetooth system_api_service:service_manager find; ...@@ -57,7 +57,6 @@ allow bluetooth system_api_service:service_manager find;
allow bluetooth shell_data_file:file read; allow bluetooth shell_data_file:file read;
hal_client_domain(bluetooth, hal_bluetooth) hal_client_domain(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
hal_client_domain(bluetooth, hal_telephony) hal_client_domain(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth) read_runtime_log_tags(bluetooth)
......
...@@ -8,3 +8,6 @@ hwbinder_use(halclientdomain) ...@@ -8,3 +8,6 @@ hwbinder_use(halclientdomain)
# Used to wait for hwservicemanager # Used to wait for hwservicemanager
get_prop(halclientdomain, hwservicemanager_prop) get_prop(halclientdomain, hwservicemanager_prop)
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
android.hardware.camera.provider::ICameraProvider u:object_r:hw_camera_provider_ICameraProvider:s0 android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
* u:object_r:default_android_hwservice:s0 * u:object_r:default_android_hwservice:s0
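Review bot: `android.hardware.broadcastradio::IBroadcastRadioFactory` and `android.hardware.soundtrigger::ISoundTriggerHw` are labeled `hal_audio_hwservice`, the same type as the audio HAL's own interfaces, so every client granted `hal_audio_hwservice:hwservice_manager find` can also look up the broadcast-radio and sound-trigger services. That is harmless while all of them are used only by the audio server, but the shared label makes it impossible to ever restrict them separately; dedicated types such as `hal_broadcastradio_hwservice` and `hal_soundtrigger_hwservice` (declared in hwservice.te and granted to the relevant clients) would keep the per-service granularity the rest of this file establishes. If the sharing is deliberate because both are served from the audio HAL process, a one-line comment on those two entries saying so would keep the next reader from re-raising it.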
typeattribute hwservicemanager coredomain; typeattribute hwservicemanager coredomain;
init_daemon_domain(hwservicemanager) init_daemon_domain(hwservicemanager)
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
typeattribute keystore coredomain; typeattribute keystore coredomain;
init_daemon_domain(keystore) init_daemon_domain(keystore)
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
...@@ -4,3 +4,7 @@ init_daemon_domain(mediaserver) ...@@ -4,3 +4,7 @@ init_daemon_domain(mediaserver)
# allocate and use graphic buffers # allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator) hal_client_domain(mediaserver, hal_graphics_allocator)
# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
# of OMX HAL.
allow mediaserver hal_omx_hwservice:hwservice_manager find;
...@@ -10,11 +10,11 @@ typeattribute surfaceflinger mlstrustedsubject; ...@@ -10,11 +10,11 @@ typeattribute surfaceflinger mlstrustedsubject;
read_runtime_log_tags(surfaceflinger) read_runtime_log_tags(surfaceflinger)
# Perform HwBinder IPC. # Perform HwBinder IPC.
hwbinder_use(surfaceflinger)
hal_client_domain(surfaceflinger, hal_graphics_allocator) hal_client_domain(surfaceflinger, hal_graphics_allocator)
binder_call(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_graphics_composer) hal_client_domain(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_configstore) hal_client_domain(surfaceflinger, hal_configstore)
allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC. # Perform Binder IPC.
binder_use(surfaceflinger) binder_use(surfaceflinger)
......
...@@ -170,39 +170,29 @@ binder_call(system_server, netd) ...@@ -170,39 +170,29 @@ binder_call(system_server, netd)
binder_call(system_server, wificond) binder_call(system_server, wificond)
binder_service(system_server) binder_service(system_server)
# Perform HwBinder IPC. # Use HALs
hwbinder_use(system_server)
hal_client_domain(system_server, hal_allocator) hal_client_domain(system_server, hal_allocator)
binder_call(system_server, hal_contexthub)
hal_client_domain(system_server, hal_contexthub) hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_fingerprint) hal_client_domain(system_server, hal_fingerprint)
binder_call(system_server, hal_gnss)
hal_client_domain(system_server, hal_gnss) hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator) hal_client_domain(system_server, hal_graphics_allocator)
binder_call(system_server, hal_ir)
hal_client_domain(system_server, hal_ir) hal_client_domain(system_server, hal_ir)
binder_call(system_server, hal_light)
hal_client_domain(system_server, hal_light) hal_client_domain(system_server, hal_light)
binder_call(system_server, hal_memtrack)
hal_client_domain(system_server, hal_memtrack) hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_oemlock) hal_client_domain(system_server, hal_oemlock)
binder_call(system_server, hal_power) allow system_server hal_omx_hwservice:hwservice_manager find;
allow system_server hidl_token_hwservice:hwservice_manager find;
hal_client_domain(system_server, hal_power) hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_sensors) hal_client_domain(system_server, hal_sensors)
binder_call(system_server, hal_thermal)
hal_client_domain(system_server, hal_thermal) hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec) hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input) hal_client_domain(system_server, hal_tv_input)
binder_call(system_server, hal_usb)
hal_client_domain(system_server, hal_usb) hal_client_domain(system_server, hal_usb)
binder_call(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vibrator) hal_client_domain(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
hal_client_domain(system_server, hal_vr) hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver) hal_client_domain(system_server, hal_weaver)
hal_client_domain(system_server, hal_wifi) hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_offload) hal_client_domain(system_server, hal_wifi_offload)
hal_client_domain(system_server, hal_wifi_supplicant) hal_client_domain(system_server, hal_wifi_supplicant)
binder_call(system_server, mediacodec) binder_call(system_server, mediacodec)
...@@ -210,6 +200,13 @@ binder_call(system_server, mediacodec) ...@@ -210,6 +200,13 @@ binder_call(system_server, mediacodec)
# Talk with graphics composer fences # Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use; allow system_server hal_graphics_composer:fd use;
# Use RenderScript always-passthrough HAL
allow system_server hal_renderscript_hwservice:hwservice_manager find;
# Offer HwBinder services
add_hwservice(system_server, fwk_scheduler_hwservice)
add_hwservice(system_server, fwk_sensor_hwservice)
# Talk to tombstoned to get ANR traces. # Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned) unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
...@@ -640,9 +637,6 @@ r_dir_file(system_server, proc_net) ...@@ -640,9 +637,6 @@ r_dir_file(system_server, proc_net)
r_dir_file(system_server, rootfs) r_dir_file(system_server, rootfs)
r_dir_file(system_server, sysfs_type) r_dir_file(system_server, sysfs_type)
# Allow system_server to make binder calls to hwservicemanager
binder_call(system_server, hwservicemanager)
### Rules needed when Light HAL runs inside system_server process. ### Rules needed when Light HAL runs inside system_server process.
### These rules should eventually be granted only when needed. ### These rules should eventually be granted only when needed.
allow system_server sysfs_leds:lnk_file read; allow system_server sysfs_leds:lnk_file read;
......
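Review bot: The new `allow system_server hal_omx_hwservice:hwservice_manager find;` (and the `hidl_token_hwservice` find beside it) carries no comment, while the equivalent rules added for mediaserver and appdomain in this same commit are marked `# TODO(b/36375899)` as stopgaps until the OMX HAL is attributized. Without the same marker this grant reads as a deliberate, permanent dependency of system_server on the OMX HAL and is unlikely to be removed with the others; suggest `# TODO(b/36375899): Replace with hal_client_domain once OMX HAL is attributized` above it. The section's three hunks are excerpts of a much longer rule set, so system_server's remaining HwBinder rules are outside my view.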
...@@ -2,3 +2,5 @@ typeattribute vr_hwc coredomain; ...@@ -2,3 +2,5 @@ typeattribute vr_hwc coredomain;
# Daemon started by init. # Daemon started by init.
init_daemon_domain(vr_hwc) init_daemon_domain(vr_hwc)
hal_server_domain(vr_hwc, hal_graphics_composer)
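Review bot: `hal_server_domain(vr_hwc, hal_graphics_composer)` gives vr_hwc the same `hal_graphics_composer_hwservice` add right as the vendor composer HAL and, because the label is shared, lets every composer client find it; it presumably also puts vr_hwc under the `hal_graphics_composer` attribute, so the `allow appdomain hal_graphics_composer:fd use;` and `allow system_server hal_graphics_composer:fd use;` rules elsewhere in this diff now extend to fds vr_hwc hands out. If vr_hwc is meant to be reachable only by surfaceflinger (or only in VR mode), a distinct hwservice type for its instance would preserve that, as the configstore section of this diff does for per-client restriction. A one-line comment stating why vr_hwc registers as a composer HAL server would help either way; the file appears short enough that this hunk is its entire remainder.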
...@@ -8,7 +8,6 @@ binder_call(cameraserver, appdomain) ...@@ -8,7 +8,6 @@ binder_call(cameraserver, appdomain)
binder_service(cameraserver) binder_service(cameraserver)
hal_client_domain(cameraserver, hal_camera) hal_client_domain(cameraserver, hal_camera)
allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
hal_client_domain(cameraserver, hal_graphics_allocator) hal_client_domain(cameraserver, hal_graphics_allocator)
...@@ -27,6 +26,8 @@ allow cameraserver processinfo_service:service_manager find; ...@@ -27,6 +26,8 @@ allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find; allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find; allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
### ###
### neverallow rules ### neverallow rules
### ###
......
...@@ -212,8 +212,6 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ...@@ -212,8 +212,6 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
# separately. # separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
# TODO(b/34454312) remove this when the correct policy is in place
allow domain default_android_hwservice:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing hwservice_manager_type # Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules # when it's not explicitly used in allow rules
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
...@@ -433,6 +431,22 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set ...@@ -433,6 +431,22 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
# from service name to service_type are defined in service_contexts. # from service name to service_type are defined in service_contexts.
neverallow * default_android_service:service_manager add; neverallow * default_android_service:service_manager add;
# Do not allow hwservice_manager add for default_android_hwservice.
# Instead domains should use a more specific type such as
# hal_audio_hwservice rather than the generic type.
# New service_types are defined in hwservice.te and new mappings
# from service name to service_type are defined in hwservice_contexts.
neverallow * default_android_hwservice:hwservice_manager { add find };
# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow # Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties. # anyone but init to modify unknown properties.
neverallow { domain -init } default_prop:property_service set; neverallow { domain -init } default_prop:property_service set;
......
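Review bot: The new neverallows block adding or finding the `default_android_hwservice` fallback and finding `hidl_base_hwservice`, but nothing stops a domain other than hwservicemanager from registering the `hidl_manager_hwservice` or `hidl_token_hwservice` names that this commit grants to hwservicemanager via add_hwservice; a vendor or device policy that granted that add would let a fake ITokenManager be returned to the apps, surfaceflinger, cameraserver and system_server that this diff allows to find it. A `neverallow { domain -hwservicemanager } { hidl_manager_hwservice hidl_token_hwservice }:hwservice_manager add;` next to the new rules would pin that, in the same way `neverallow * default_android_service:service_manager add;` does for the Binder side. The hunk ends inside the neverallow section, so I may be missing a rule that already covers this.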
...@@ -94,10 +94,8 @@ r_dir_file(dumpstate, cgroup) ...@@ -94,10 +94,8 @@ r_dir_file(dumpstate, cgroup)
binder_call(dumpstate, binderservicedomain) binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond }) binder_call(dumpstate, { appdomain netd wificond })
# Vibrate the device after we are done collecting the bugreport
# For binderized mode:
hal_client_domain(dumpstate, hal_dumpstate) hal_client_domain(dumpstate, hal_dumpstate)
binder_call(dumpstate, hal_vibrator) # Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator) hal_client_domain(dumpstate, hal_vibrator)
# For passthrough mode: # For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr }; allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
......
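Review bot: Removing `# For binderized mode:` leaves `# For passthrough mode:` above the sysfs_vibrator rule with nothing to contrast against, so a reader can no longer tell which rule is the binderized counterpart. Suggest folding both into the moved comment, e.g. `# Vibrate the device after we are done collecting the bugreport (binderized via hal_vibrator, passthrough via sysfs_vibrator)`, and dropping the lone passthrough comment.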
# HwBinder IPC from client to server # HwBinder IPC from client to server
binder_call(hal_allocator_client, hal_allocator_server) binder_call(hal_allocator_client, hal_allocator_server)
add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
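Review bot: `allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;` is granted, but no domain in this diff does `add_hwservice(..., hidl_memory_hwservice)`, so it is unclear what serves `android.hidl.memory::IMapper`. If it is a passthrough implementation that only touches hwservicemanager during getService(), say so in a comment, e.g. `# android.hidl.memory::IMapper is passthrough; find is only needed for the getService lookup`; if a binderized server is expected, its add rule is missing. This section shows no hunk header, so I am reading it as the whole file.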
...@@ -2,6 +2,9 @@ ...@@ -2,6 +2,9 @@
binder_call(hal_audio_client, hal_audio_server) binder_call(hal_audio_client, hal_audio_server)
binder_call(hal_audio_server, hal_audio_client) binder_call(hal_audio_server, hal_audio_client)
add_hwservice(hal_audio_server, hal_audio_hwservice)
allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
allow hal_audio ion_device:chr_file r_file_perms; allow hal_audio ion_device:chr_file r_file_perms;
userdebug_or_eng(` userdebug_or_eng(`
......
...@@ -2,6 +2,9 @@ ...@@ -2,6 +2,9 @@
binder_call(hal_bluetooth_client, hal_bluetooth_server) binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client) binder_call(hal_bluetooth_server, hal_bluetooth_client)
add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
wakelock_use(hal_bluetooth); wakelock_use(hal_bluetooth);
# The HAL toggles rfkill to power the chip off/on. # The HAL toggles rfkill to power the chip off/on.
......
# HwBinder IPC from client to server, and callbacks # HwBinder IPC from client to server, and callbacks
binder_call(hal_bootctl_client, hal_bootctl_server) binder_call(hal_bootctl_client, hal_bootctl_server)
binder_call(hal_bootctl_server, hal_bootctl_client) binder_call(hal_bootctl_server, hal_bootctl_client)
add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
...@@ -2,7 +2,8 @@ ...@@ -2,7 +2,8 @@
binder_call(hal_camera_client, hal_camera_server) binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client) binder_call(hal_camera_server, hal_camera_client)
add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider) add_hwservice(hal_camera_server, hal_camera_hwservice)
allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
# access /data/misc/camera # access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms; allow hal_camera camera_data_file:dir create_dir_perms;
......
# HwBinder IPC from client to server # HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server) binder_call(hal_configstore_client, hal_configstore_server)
add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
# As opposed to the rules of most other HALs, the different services exposed by
# this HAL should be restricted to different clients. Thus, the allow rules for
# clients are defined in the .te files of the clients.
# call into system_server process (callbacks) # HwBinder IPC from client to server, and callbacks
binder_call(hal_contexthub, system_server) binder_call(hal_contexthub_client, hal_contexthub_server)
binder_call(hal_contexthub_server, hal_contexthub_client)
add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;