Evolution-x-devices/device_google_wahoo
2
0
Fork 0
mirror of https://github.com/Evolution-X-Devices/device_google_wahoo synced 2026-02-01 07:50:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Annotate core components that access vendor data types

Browse Source 
A neverallow asserts that core domains may not access data types
specified in vendor policy. Some violations occured due to policy
granted to both HALs and HAL clients. Some of these violations could
be fixed by modifying the policy such that if a HAL no longer runs in
passthrough mode, then only apply permissions to the HAL itself and
not to clients.

For domains that still violate the neverallow rule, grant a temporary
exemption with TODOs and bugs assigned for the remaining work.

Bug: 34980020
Test: Build and boot Muskie. Make phone call, watch youtube video.
      No new denials observed.

Change-Id: I27ec9cdd04d8f5d5524b5b0bcb8c88f9edcc72fb
This commit is contained in:
Jeff Vander Stoep
2017-03-30 10:00:20 -07:00
parent 8f6890a219
commit b779833c27
3 changed files with 13 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
sepolicy/hal_wifi.te
View File

@@ -1,10 +0,0 @@
# Allow wifi hal access to LOWI
allow hal_wifi location:unix_stream_socket connectto;
allow hal_wifi location_data_file:sock_file write;
# write to files owned by location daemon
allow hal_wifi location_data_file:dir create_dir_perms;
allow hal_wifi location_data_file:{ file fifo_file } create_file_perms;
# Allow wifi hal to read debug info from the driver.
r_dir_file(hal_wifi, proc_wifi_dbg)

10
sepolicy/hal_wifi_default.te Normal file
View File

@@ -0,0 +1,10 @@
# Allow wifi hal access to LOWI
allow hal_wifi_default location:unix_stream_socket connectto;
allow hal_wifi_default location_data_file:sock_file write;
# write to files owned by location daemon
allow hal_wifi_default location_data_file:dir create_dir_perms;
allow hal_wifi_default location_data_file:{ file fifo_file } create_file_perms;
# Allow wifi hal to read debug info from the driver.
r_dir_file(hal_wifi_default, proc_wifi_dbg)

3
sepolicy/system_app.te
View File

@@ -3,6 +3,9 @@ r_dir_file(system_app, sysfs_msm_subsys)
unix_socket_connect(system_app, cnd, cnd)
userdebug_or_eng(`
# TODO(b/36734870): Remove this once system_app no longer directly
# accesses data owned by vendor components
typeattribute system_app vendordata_in_core_violators;
allow system_app ramdump_data_file:dir r_dir_perms;
allow system_app ramdump_data_file:file r_file_perms;
get_prop(system_app, ssr_prop)