Move platform/vendor data violations to device policy

Sharing data folders by path will be disallowed because it violates the approved API between platform and vendor components tested by VTS. Move all violating permissions from core selinux policy to device specific policy so that we can exempt existing devices from the ban and enforce it on new devices. Bug: 34980020 Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint and Play movies on Marlin. Test: build Taimen Change-Id: I1c2f2acac02266f8d07ff1fc3c69329af0aa2f3d
2026-02-01 15:09:54 +00:00 · 2017-11-06 14:36:17 -08:00
parent 4c1bb0c66e
commit 98dd9bb659
7 changed files with 54 additions and 10 deletions
--- a/sepolicy/vendor/hal_drm_default.te
+++ b/sepolicy/vendor/hal_drm_default.te
@@ -1 +1,7 @@
 allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
+
+# TODO(b/36601695): Remove data_between_core_and_vendor violators once
+# hal_drm_default no longer directly accesses media_data_file.
+typeattribute hal_drm_default data_between_core_and_vendor_violators;
+allow hal_drm_default media_data_file:dir create_dir_perms;
+allow hal_drm_default media_data_file:file create_file_perms;
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -8,8 +8,8 @@ hal_server_domain(hal_drm_widevine, hal_drm)

 vndbinder_use(hal_drm_widevine);

-allow hal_drm mediacodec:fd use;
-allow hal_drm { appdomain -isolated_app }:fd use;
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;

 # The Qualcomm DRM-HAL implementation uses a vendor-binder service provided
 # by the HWC HAL.
@@ -17,5 +17,7 @@ allow hal_drm_widevine qdisplay_service:service_manager { find };
 binder_call(hal_drm_widevine, hal_graphics_composer)

 # TODO(b/36601695): Remove data_between_core_and_vendor violators once
-# hal_drm no longer directly accesses media_data_file.
+# hal_drm_widevine no longer directly accesses media_data_file.
 typeattribute hal_drm_widevine data_between_core_and_vendor_violators;
+allow hal_drm_widevine media_data_file:dir create_dir_perms;
+allow hal_drm_widevine media_data_file:file create_file_perms;
--- a/sepolicy/vendor/hal_fingerprint.te
+++ b/sepolicy/vendor/hal_fingerprint.te
@@ -1,7 +0,0 @@
-allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
-allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
-allow hal_fingerprint sysfs_msm_subsys:dir search;
-allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;
-allow hal_fingerprint tee_device:file rw_file_perms;
-allow hal_fingerprint tee_device:chr_file rw_file_perms;
-allow hal_fingerprint uhid_device:chr_file rw_file_perms;
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,14 @@
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default sysfs_msm_subsys:dir search;
+allow hal_fingerprint_default sysfs_msm_subsys:file r_file_perms;
+allow hal_fingerprint_default tee_device:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+# access to /data/system/users/[0-9]+/fpdata
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
--- a/sepolicy/vendor/hal_nfc_default.te
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -1,3 +1,10 @@
 # Data file accesses.
 allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
 allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
+
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_nfc no longer directly accesses /data owned by the nfc app.
+typeattribute hal_nfc_default data_between_core_and_vendor_violators;
+# Data file accesses.
+allow hal_nfc_default nfc_data_file:dir create_dir_perms;
+allow hal_nfc_default nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
--- a/sepolicy/vendor/hal_wifi_supplicant_default.te
+++ b/sepolicy/vendor/hal_wifi_supplicant_default.te
@@ -0,0 +1,10 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_wifi_supplicant no longer directly accesses wifi_data_file .
+typeattribute hal_wifi_supplicant_default data_between_core_and_vendor_violators;
+
+allow hal_wifi_supplicant_default wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant_default wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant_default wpa_socket:sock_file create_file_perms;
--- a/sepolicy/vendor/hostapd.te
+++ b/sepolicy/vendor/hostapd.te
@@ -0,0 +1,12 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hostapd no longer directly accesses /data outside /data/vendor.
+typeattribute hostapd data_between_core_and_vendor_violators;
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;