Merge "Restrict access to hwservicemanager"

private/app.te

@@ -69,6 +69,9 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
@@ -174,9 +177,11 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
-# hidl access for mediacodec
-# TODO(b/34454312): only allow getting and talking to mediacodec service
-hwbinder_use(appdomain)
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
@@ -277,6 +282,9 @@ binder_call({ appdomain -isolated_app }, mediacodec)
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
 

private/bluetooth.te

@@ -57,7 +57,6 @@ allow bluetooth system_api_service:service_manager find;
 allow bluetooth shell_data_file:file read;
 
 hal_client_domain(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
 hal_client_domain(bluetooth, hal_telephony)
 
 read_runtime_log_tags(bluetooth)

private/halclientdomain.te

@@ -8,3 +8,6 @@ hwbinder_use(halclientdomain)
 
 # Used to wait for hwservicemanager
 get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;

private/hwservice_contexts

-android.hardware.camera.provider::ICameraProvider             u:object_r:hw_camera_provider_ICameraProvider:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory                               u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice                    u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper                        u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss                                    u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator                 u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx                                u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack                            u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock                              u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower                                  u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice                          u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors                              u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator                            u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver                                u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.offload::IOffload                         u:object_r:hal_wifi_offload_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase                                        u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0
 *                                                               u:object_r:default_android_hwservice:s0

private/hwservicemanager.te

 typeattribute hwservicemanager coredomain;
 
 init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)

private/keystore.te

 typeattribute keystore coredomain;
 
 init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)

private/mediaserver.te

@@ -4,3 +4,7 @@ init_daemon_domain(mediaserver)
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;

private/surfaceflinger.te

@@ -10,11 +10,11 @@ typeattribute surfaceflinger mlstrustedsubject;
 read_runtime_log_tags(surfaceflinger)
 
 # Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)

private/system_server.te

@@ -170,39 +170,29 @@ binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
+# Use HALs
 hal_client_domain(system_server, hal_allocator)
-binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
-binder_call(system_server, hal_ir)
 hal_client_domain(system_server, hal_ir)
-binder_call(system_server, hal_light)
 hal_client_domain(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_oemlock)
-binder_call(system_server, hal_power)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_tv_cec)
 hal_client_domain(system_server, hal_tv_input)
-binder_call(system_server, hal_usb)
 hal_client_domain(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
 hal_client_domain(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
 hal_client_domain(system_server, hal_wifi_offload)
-
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 binder_call(system_server, mediacodec)
@@ -210,6 +200,13 @@ binder_call(system_server, mediacodec)
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;
 
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
@@ -640,9 +637,6 @@ r_dir_file(system_server, proc_net)
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
 ### Rules needed when Light HAL runs inside system_server process.
 ### These rules should eventually be granted only when needed.
 allow system_server sysfs_leds:lnk_file read;

private/vr_hwc.te

@@ -2,3 +2,5 @@ typeattribute vr_hwc coredomain;
 
 # Daemon started by init.
 init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)

public/cameraserver.te

@@ -8,7 +8,6 @@ binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
-allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
 
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
@@ -27,6 +26,8 @@ allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
 ###
 ### neverallow rules
 ###

public/domain.te

@@ -212,8 +212,6 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
-# TODO(b/34454312) remove this when the correct policy is in place
-allow domain default_android_hwservice:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing hwservice_manager_type
 # when it's not explicitly used in allow rules
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
@@ -433,6 +431,22 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
 # from service name to service_type are defined in service_contexts.
 neverallow * default_android_service:service_manager add;
 
+# Do not allow hwservice_manager add for default_android_hwservice.
+# Instead domains should use a more specific type such as
+# hal_audio_hwservice rather than the generic type.
+# New service_types are defined in hwservice.te and new mappings
+# from service name to service_type are defined in hwservice_contexts.
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
 neverallow { domain -init } default_prop:property_service set;

public/dumpstate.te

@@ -94,10 +94,8 @@ r_dir_file(dumpstate, cgroup)
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain netd wificond })
 
-# Vibrate the device after we are done collecting the bugreport
-# For binderized mode:
 hal_client_domain(dumpstate, hal_dumpstate)
-binder_call(dumpstate, hal_vibrator)
+# Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
 # For passthrough mode:
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };

public/hal_allocator.te

 # HwBinder IPC from client to server
 binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;

public/hal_audio.te

@@ -2,6 +2,9 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
 allow hal_audio ion_device:chr_file r_file_perms;
 
 userdebug_or_eng(`

public/hal_bluetooth.te

@@ -2,6 +2,9 @@
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
 wakelock_use(hal_bluetooth);
 
 # The HAL toggles rfkill to power the chip off/on.

public/hal_bootctl.te

 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;

public/hal_camera.te

@@ -2,7 +2,8 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
-add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
 
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;

public/hal_configstore.te

 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.

public/hal_contexthub.te

-# call into system_server process (callbacks)
-binder_call(hal_contexthub, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;