android_system_sepolicy/public/hal_audio.te

# HwBinder IPC from client to server, and callbacks
binder_call(hal_audio_client, hal_audio_server)
binder_call(hal_audio_server, hal_audio_client)

hal_attribute_hwservice(hal_audio, hal_audio_hwservice)

allow hal_audio ion_device:chr_file r_file_perms;

r_dir_file(hal_audio, proc)
r_dir_file(hal_audio, proc_asound)
allow hal_audio_server audio_device:dir r_dir_perms;
allow hal_audio_server audio_device:chr_file rw_file_perms;

# Needed to provide debug dump output via dumpsys' pipes.
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
allow hal_audio dumpstate:fd use;
allow hal_audio dumpstate:fifo_file write;

# allow hal audio to use vnbinder
vndbinder_use(hal_audio)

###
### neverallow rules
###

# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;

# Should never need network access.
# Disallow network sockets.
neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;

# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;

get_prop(hal_audio, bluetooth_a2dp_offload_prop)
get_prop(hal_audio, bluetooth_audio_hal_prop)
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20 2017-02-13 14:40:49 -08:00			`# HwBinder IPC from client to server, and callbacks`
			`binder_call(hal_audio_client, hal_audio_server)`
			`binder_call(hal_audio_server, hal_audio_client)`

hal_attribute_hwservice_client drop '_client' Since this attribute just associates a hal_attribute with a given hwservice in the standard way. Bug: 80319537 Test: boot + sanity + test for denials Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e 2018-06-06 09:30:18 -07:00			`hal_attribute_hwservice(hal_audio, hal_audio_hwservice)`
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31 2017-04-13 19:05:27 -07:00
clean up hal types Bug: 32123421 Test: build Hikey Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d 2016-10-25 12:42:39 -07:00			`allow hal_audio ion_device:chr_file r_file_perms;`

Revert "Remove proc access from hal_audio." Reason: breaks "Ok google". Soundtrigger module needs to access /proc/asound/pcm. This reverts commit 5cccb249151ce06f9e05ad9abf5a1c362712e212. Bug: 67930353 Change-Id: I67e0912a6795b3715a3321d3fe5147f49cebc9b5 2017-10-18 13:28:33 -07:00			`r_dir_file(hal_audio, proc)`
Extend access to proc/asound/* Renamed this type: proc_asound_cards -> proc_asound Labeled /proc/asound/devices as proc_asound. We now use proc_asound type to label files under /proc/asound which we want to expose to system components. Bug: 66988327 Test: Pixel 2 boots, can play sound with or without headphones, and selinux denials to proc_asound are not seen. Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0 2017-10-06 10:20:53 -07:00			`r_dir_file(hal_audio, proc_asound)`
Bluetooth A2DP offload: Binder call to audio HAL Add rule to allow Binder call from Bluetooth process to Bluetooth audio HIDL interface running in audio HAL service process. Bug: 72242910 Test: Manual; TestTracker/148125 Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130 (cherry picked from commit e8cfac90e8bf14466b6431a21bc5ccd4bf6ca3ea) 2017-10-30 12:58:20 -07:00			`allow hal_audio_server audio_device:dir r_dir_perms;`
			`allow hal_audio_server audio_device:chr_file rw_file_perms;`
clean up hal types Bug: 32123421 Test: build Hikey Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d 2016-10-25 12:42:39 -07:00
hal_audio: Allow writing dump info into pipes The following HAL methods use file descriptors to write dump info comprising audioflinger debug dump: IDevice.debugDump IEffectsFactory.debugDump IStream.debugDump Bug: 36074936 Test: check contents of 'adb shell dumpsys media.audio_flinger' on -userdebug builds Change-Id: Ie2bec95c6b73c6f10941e2b0a95a25d6a7a6e4c1 2017-03-09 14:32:16 -08:00			`# Needed to provide debug dump output via dumpsys' pipes.`
			`allow hal_audio shell:fd use;`
			`allow hal_audio shell:fifo_file write;`
hal_audio: Allow writing dump info into pipes when capturing BR The following HAL methods use file descriptors to write dump info comprising audioflinger debug dump: IDevice.debugDump IEffectsFactory.debugDump IStream.debugDump Bug: 37993476 Test: check contents of media.audio_flinger section in a bugreport captured on Pixel device Change-Id: I77d347c019ac93c3ba0d54ce50f0fdc243b04685 2017-05-04 13:25:52 -07:00			`allow hal_audio dumpstate:fd use;`
			`allow hal_audio dumpstate:fifo_file write;`
hal_audio: Allow writing dump info into pipes The following HAL methods use file descriptors to write dump info comprising audioflinger debug dump: IDevice.debugDump IEffectsFactory.debugDump IStream.debugDump Bug: 36074936 Test: check contents of 'adb shell dumpsys media.audio_flinger' on -userdebug builds Change-Id: Ie2bec95c6b73c6f10941e2b0a95a25d6a7a6e4c1 2017-03-09 14:32:16 -08:00
audio: Enable vndbinder use from hal_audio Allow hal audio to use vndbinder Change-Id: I83fc8d5b873bfc4e36f44e423d5740cb5e9739ee 2018-02-27 16:21:27 -08:00			`# allow hal audio to use vnbinder`
			`vndbinder_use(hal_audio)`

clean up hal types Bug: 32123421 Test: build Hikey Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d 2016-10-25 12:42:39 -07:00			`###`
			`### neverallow rules`
			`###`

Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20 2017-02-13 14:40:49 -08:00			`# Should never execute any executable without a domain transition`
Fix CTS regressions Commit 7688161 "hal__(client\|server) => hal(client\|server)domain" added neverallow rules on hal__client attributes while simultaneously expanding these attribute which causes them to fail CTS neverallow tests. Remove these neverallow rules as they do not impose specific security properties that we want to enforce. Modify Other neverallow failures which were imposed on hal_foo attributes and should have been enforced on hal_foo_server attributes instead. Bug: 69566734 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed remaining failure appears to be caused by b/68133473 Test: build taimen-user/userdebug Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc 2017-11-20 21:43:25 -08:00			`neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;`
clean up hal types Bug: 32123421 Test: build Hikey Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d 2016-10-25 12:42:39 -07:00
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20 2017-02-13 14:40:49 -08:00			`# Should never need network access.`
clean up hal types Bug: 32123421 Test: build Hikey Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d 2016-10-25 12:42:39 -07:00			`# Disallow network sockets.`
Fix CTS regressions Commit 7688161 "hal__(client\|server) => hal(client\|server)domain" added neverallow rules on hal__client attributes while simultaneously expanding these attribute which causes them to fail CTS neverallow tests. Remove these neverallow rules as they do not impose specific security properties that we want to enforce. Modify Other neverallow failures which were imposed on hal_foo attributes and should have been enforced on hal_foo_server attributes instead. Bug: 69566734 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed remaining failure appears to be caused by b/68133473 Test: build taimen-user/userdebug Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc 2017-11-20 21:43:25 -08:00			`neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;`
Enforce separation of privilege for HAL driver access Only audio HAL may access audio driver. Only camera HAL may access camera driver. Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow rules are compile time assertions and do not change the on-device policy. Bug: 36185625 Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3 2017-03-13 22:03:10 -07:00
			`# Only audio HAL may directly access the audio hardware`
sepolicy: allow hal_omx to access audio devices hal_omx needs to access audio devices to use OMX HW decoders and encoders. Allow hal_omx to access audio devices. authored-by: Banajit Goswami <bgoswami@codeaurora.org> Change-Id: I742c29c4105e5647ca1a7e017e311559a0567b52 2019-03-18 17:21:17 -07:00			`neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;`
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5 2018-04-08 20:07:32 -07:00
			`get_prop(hal_audio, bluetooth_a2dp_offload_prop)`
Add rules for accessing the related bluetooth_audio_hal_prop This change allows those daemons of the audio and Bluetooth which include HALs to access the bluetooth_audio_hal_prop. This property is used to force disable the new BluetoothAudio HAL. - persist.bluetooth.bluetooth_audio_hal.disabled Bug: 128825244 Test: audio HAL can access the property Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74 2019-03-17 20:07:32 -07:00			`get_prop(hal_audio, bluetooth_audio_hal_prop)`