From 98dd9bb6595c50ea459b0a6b279b0916a6d521ca Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Mon, 6 Nov 2017 14:36:17 -0800
Subject: [PATCH] Move platform/vendor data violations to device policy
Sharing data folders by path will be disallowed because it violates the approved API between platform and vendor components tested by VTS. Move all violating permissions from core selinux policy to device specific policy so that we can exempt existing devices from the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint and Play movies on Marlin.
Test: build Taimen
Change-Id: I1c2f2acac02266f8d07ff1fc3c69329af0aa2f3d
---
 sepolicy/vendor/hal_drm_default.te | 6 ++++++
 sepolicy/vendor/hal_drm_widevine.te | 8 +++++---
 sepolicy/vendor/hal_fingerprint.te | 7 -------
 sepolicy/vendor/hal_fingerprint_default.te | 14 ++++++++++++++
 sepolicy/vendor/hal_nfc_default.te | 7 +++++++
 sepolicy/vendor/hal_wifi_supplicant_default.te | 10 ++++++++++
 sepolicy/vendor/hostapd.te | 12 ++++++++++++
 7 files changed, 54 insertions(+), 10 deletions(-)
 delete mode 100644 sepolicy/vendor/hal_fingerprint.te
 create mode 100644 sepolicy/vendor/hal_fingerprint_default.te
 create mode 100644 sepolicy/vendor/hal_wifi_supplicant_default.te
 create mode 100644 sepolicy/vendor/hostapd.te
diff --git a/sepolicy/vendor/hal_drm_default.te b/sepolicy/vendor/hal_drm_default.te
index 3781f126..d7346144 100644
--- a/sepolicy/vendor/hal_drm_default.te
+++ b/sepolicy/vendor/hal_drm_default.te
@@ -1 +1,7 @@
 allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
+
+# TODO(b/36601695): Remove data_between_core_and_vendor violators once
+# hal_drm_default no longer directly accesses media_data_file.
+typeattribute hal_drm_default data_between_core_and_vendor_violators;
+allow hal_drm_default media_data_file:dir create_dir_perms;
+allow hal_drm_default media_data_file:file create_file_perms;
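Review bot: The two new allow rules give hal_drm_default create_dir_perms and create_file_perms over everything labelled media_data_file, but neither the rules nor the TODO comment record which location under that label the HAL touches or whether it only reads there. If the HAL only reads, `r_dir_perms`/`r_file_perms` would be the narrower grant; either way the comment should name the accessed location so the exemption can be shrunk or dropped when b/36601695 is resolved, e.g. `# Only needed for <media_data_file path the HAL opens — fill in>.` The same rules are added for hal_drm_widevine in the second hunk of that file, so the same question applies there. Minor: the comment says `data_between_core_and_vendor violators` while the attribute below is `data_between_core_and_vendor_violators`.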
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index 629ba5e9..46abf783 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -8,8 +8,8 @@ hal_server_domain(hal_drm_widevine, hal_drm)
 vndbinder_use(hal_drm_widevine);
-allow hal_drm mediacodec:fd use;
-allow hal_drm { appdomain -isolated_app }:fd use;
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
 # The Qualcomm DRM-HAL implementation uses a vendor-binder service provided
 # by the HWC HAL.
@@ -17,5 +17,7 @@ allow hal_drm_widevine qdisplay_service:service_manager { find };
 binder_call(hal_drm_widevine, hal_graphics_composer)
 # TODO(b/36601695): Remove data_between_core_and_vendor violators once
-# hal_drm no longer directly accesses media_data_file.
+# hal_drm_widevine no longer directly accesses media_data_file.
 typeattribute hal_drm_widevine data_between_core_and_vendor_violators;
+allow hal_drm_widevine media_data_file:dir create_dir_perms;
+allow hal_drm_widevine media_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint.te b/sepolicy/vendor/hal_fingerprint.te
deleted file mode 100644
index 3f2e772d..00000000
--- a/sepolicy/vendor/hal_fingerprint.te
+++ /dev/null
@@ -1,7 +0,0 @@
-allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
-allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
-allow hal_fingerprint sysfs_msm_subsys:dir search;
-allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;
-allow hal_fingerprint tee_device:file rw_file_perms;
-allow hal_fingerprint tee_device:chr_file rw_file_perms;
-allow hal_fingerprint uhid_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 00000000..ed638458
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
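Review bot: Rewriting `allow hal_drm mediacodec:fd use` and the appdomain fd rule from the hal_drm attribute to the hal_drm_widevine domain silently withdraws those grants from every other domain on this device that carries hal_drm — hal_drm_default, which this same commit edits, presumably is one. If that HAL also receives fds from mediacodec or app processes, the regression only surfaces as a runtime denial rather than at build time; it should be confirmed on a device that uses hal_drm_default before landing, or the rule kept on the attribute. Narrowing to the concrete domain is the right least-privilege direction, so if it is intentional a one-line comment above the rules noting that the other hal_drm servers were checked would save the next reader the same question. The first hunk's enclosing file content continues outside the hunk.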
@@ -0,0 +1,14 @@
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default sysfs_msm_subsys:dir search;
+allow hal_fingerprint_default sysfs_msm_subsys:file r_file_perms;
+allow hal_fingerprint_default tee_device:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+# access to /data/system/users/[0-9]+/fpdata
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
index 3044f1d5..8aa7c444 100644
--- a/sepolicy/vendor/hal_nfc_default.te
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -1,3 +1,10 @@
 # Data file accesses.
 allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
 allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
+
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_nfc no longer directly accesses /data owned by the nfc app.
+typeattribute hal_nfc_default data_between_core_and_vendor_violators;
+# Data file accesses.
+allow hal_nfc_default nfc_data_file:dir create_dir_perms;
+allow hal_nfc_default nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_supplicant_default.te b/sepolicy/vendor/hal_wifi_supplicant_default.te
new file mode 100644
index 00000000..4f13574e
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_supplicant_default.te
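Review bot: The TODO comment in the new hal_fingerprint_default.te still names `hal_fingerprint` while every rule in the file targets hal_fingerprint_default — the same attribute-versus-domain mismatch the hal_drm_widevine hunk in this commit corrects; make it `# hal_fingerprint_default no longer directly accesses fingerprintd_data_file.` so the comment matches the domain it exempts. The `# access to /data/system/users/[0-9]+/fpdata` comment documents the path but not why create/unlink (create_file_perms) is needed rather than in-place read and write; if existing files are only updated in place, `rw_file_perms` is the narrower grant, and stating which it is would keep the exemption from being copied forward unchanged.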
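Review bot: The added `# Data file accesses.` comment repeats the context line at the top of hal_nfc_default.te and no longer tells the two blocks apart: the first covers nfc_vendor_data_file, the new one covers nfc_data_file, which the TODO two lines above identifies as the nfc app's core-owned /data that the HAL should stop touching. Replace it with something like `# Legacy access to the nfc app's core-owned data (nfc_data_file); goes away with the TODO above.` Separately, `lnk_file` with create_file_perms lets the HAL create and remove symlinks in a directory the platform nfc app also writes; if the HAL only needs to follow existing links, `read` on lnk_file is the narrower grant — worth confirming against the HAL's actual access pattern before the rule is copied to other devices.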
@@ -0,0 +1,10 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_wifi_supplicant no longer directly accesses wifi_data_file .
+typeattribute hal_wifi_supplicant_default data_between_core_and_vendor_violators;
+
+allow hal_wifi_supplicant_default wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant_default wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant_default wpa_socket:sock_file create_file_perms;
diff --git a/sepolicy/vendor/hostapd.te b/sepolicy/vendor/hostapd.te
new file mode 100644
index 00000000..b7069692
--- /dev/null
+++ b/sepolicy/vendor/hostapd.te
@@ -0,0 +1,12 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hostapd no longer directly accesses /data outside /data/vendor.
+typeattribute hostapd data_between_core_and_vendor_violators;
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;
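Review bot: The TODO at the top of hal_wifi_supplicant_default.te scopes the exemption to wifi_data_file, but the wpa_socket rules at the bottom are not covered by that sentence even though they sit in the same violators domain; if wpa_socket is also a core-owned /data type they belong to the same violation and the TODO should name them so both blocks are removed together, and if it is a vendor-owned type a comment saying so would spare the next reader the question. Suggest `# hal_wifi_supplicant no longer directly accesses wifi_data_file or wpa_socket.` once that is settled. Minor: `wifi_data_file .` has a stray space before the period.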
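Review bot: `allow hostapd wifi_data_file:file rw_file_perms` in the new hostapd.te grants write access to every file carrying the wifi_data_file label, while the comment justifies it with a single file (the entropy file) being updated. If that is the only write, a dedicated label for that file — or at least a comment listing every wifi_data_file path hostapd writes — would keep the temporary exemption from growing beyond what b/36657258 needs to remove. The `r_dir_file(hostapd, wifi_data_file)` line already supplies the read side, so the comment should say which additional permissions the rw rule is there for, e.g. `# rw only for the entropy file under wifi_data_file — narrow once it has its own label.`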