From b779833c271deb6fa7e2cfe3841cf9dd57871183 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Thu, 30 Mar 2017 10:00:20 -0700
Subject: [PATCH] Annotate core components that access vendor data types A neverallow asserts that core domains may not access data types specified in vendor policy. Some violations occured due to policy granted to both HALs and HAL clients. Some of these violations could be fixed by modifying the policy such that if a HAL no longer runs in passthrough mode, then only apply permissions to the HAL itself and not to clients. For domains that still violate the neverallow rule, grant a temporary exemption with TODOs and bugs assigned for the remaining work.
Bug: 34980020
Test: Build and boot Muskie. Make phone call, watch youtube video. No new denials observed.
Change-Id: I27ec9cdd04d8f5d5524b5b0bcb8c88f9edcc72fb
---
sepolicy/hal_wifi.te | 10 ----------
sepolicy/hal_wifi_default.te | 10 ++++++++++
sepolicy/system_app.te | 3 +++
3 files changed, 13 insertions(+), 10 deletions(-)
delete mode 100644 sepolicy/hal_wifi.te
create mode 100644 sepolicy/hal_wifi_default.te
diff --git a/sepolicy/hal_wifi.te b/sepolicy/hal_wifi.te
deleted file mode 100644
index bd7ebc1a..00000000
--- a/sepolicy/hal_wifi.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# Allow wifi hal access to LOWI
-allow hal_wifi location:unix_stream_socket connectto;
-allow hal_wifi location_data_file:sock_file write;
-
-# write to files owned by location daemon
-allow hal_wifi location_data_file:dir create_dir_perms;
-allow hal_wifi location_data_file:{ file fifo_file } create_file_perms;
-
-# Allow wifi hal to read debug info from the driver.
-r_dir_file(hal_wifi, proc_wifi_dbg)
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 00000000..fd030c24
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1,10 @@
+# Allow wifi hal access to LOWI
+allow hal_wifi_default location:unix_stream_socket connectto;
+allow hal_wifi_default location_data_file:sock_file write;
+
+# write to files owned by location daemon
+allow hal_wifi_default location_data_file:dir create_dir_perms;
+allow hal_wifi_default location_data_file:{ file fifo_file } create_file_perms;
+
+# Allow wifi hal to read debug info from the driver.
+r_dir_file(hal_wifi_default, proc_wifi_dbg)
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index b3769991..ea234204 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -3,6 +3,9 @@ r_dir_file(system_app, sysfs_msm_subsys) unix_socket_connect(system_app, cnd, cnd) userdebug_or_eng(` + # TODO(b/36734870): Remove this once system_app no longer directly + # accesses data owned by vendor components + typeattribute system_app vendordata_in_core_violators; allow system_app ramdump_data_file:dir r_dir_perms; allow system_app ramdump_data_file:file r_file_perms; get_prop(system_app, ssr_prop)
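Review bot: In sepolicy/hal_wifi_default.te the two rules under `# write to files owned by location daemon` grant `create_dir_perms` and `create_file_perms`, which is broader than the comment describes, since those sets also cover creating, renaming and unlinking entries in the location daemon's data directory. Now that the grant applies to the single hal_wifi_default domain rather than every holder of the hal_wifi attribute, it is worth confirming whether the HAL creates anything there. If it only opens existing files and the LOWI socket, `allow hal_wifi_default location_data_file:dir r_dir_perms;` together with `rw_file_perms` on `{ file fifo_file }` would be the narrower grant. If creation is required, the comment should name what is created, so the next reviewer can tell that the wider permission is deliberate.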
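Review bot: The TODO above `typeattribute system_app vendordata_in_core_violators;` in sepolicy/system_app.te does not say which vendor type needs the exemption, which makes it hard to tell later when the exemption can go. From the visible rules it is presumably `ramdump_data_file`; a comment such as `# TODO(b/36734870): drop once system_app no longer reads ramdump_data_file (debug builds only)` would record that. As the commit message describes the neverallow, the attribute appears to exempt system_app for every vendor data type and not only this one, so later rules granting system_app other vendor data would build cleanly on userdebug/eng until the bug is closed. The exemption sits inside the `userdebug_or_eng` block, whose closing quote is outside the hunk, so the rules outside that block must not touch vendor data types or user builds would still trip the neverallow.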