android_system_sepolicy/public/hal_configstore.te

# HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server)

hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)

# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
crash_dump_fallback(hal_configstore_server)

###
### neverallow rules
###

# Should never execute an executable without a domain transition
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;

# Should never need network access. Disallow sockets except for
# for unix stream/dgram sockets used for logging/debugging.
neverallow hal_configstore_server domain:{
  rawip_socket tcp_socket udp_socket
  netlink_route_socket netlink_selinux_socket
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;
neverallow hal_configstore_server {
  domain
  -hal_configstore_server
  -logd
  userdebug_or_eng(`-su')
  -tombstoned
}:{ unix_dgram_socket unix_stream_socket } *;

# Should never need access to anything on /data
neverallow hal_configstore_server {
  data_file_type
  -anr_data_file # for crash dump collection
  -tombstone_data_file # for crash dump collection
  -zoneinfo_data_file # granted to domain
}:{ file fifo_file sock_file } *;

# Should never need sdcard access
neverallow hal_configstore_server {
    sdcard_type
    fuse sdcardfs vfat exfat        # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
    sdcard_type
    fuse sdcardfs vfat exfat        # manual expansion for completeness
}:file *;

# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;

# No privileged capabilities
neverallow hal_configstore_server self:capability_class_set *;

# No ptracing other processes
neverallow hal_configstore_server *:process ptrace;

# no relabeling
neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
surfaceflinger and apps are clients of Configstore HAL This commit marks surfaceflinger and app domain (except isolated_app) as clients of Configstore HAL. This cleans up the policy and will make it easier to restrict access to HwBinder services later. Test: Play YouTube clip in YouTube app and YouTube web page in Chrome Test: Take an HDR+ photo, a normal photo, a video, and slow motion video in Google Camera app. Check that photos show up fine and that videos play back with sound. Test: Play movie using Google Play Movies Test: Google Maps app displays the Android's correct location Bug: 34454312 Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371 2017-04-17 13:08:44 -07:00			`# HwBinder IPC from client to server`
			`binder_call(hal_configstore_client, hal_configstore_server)`
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31 2017-04-13 19:05:27 -07:00
Make hal_configstore consistent. Previously, supposedly, each individual client of configstore was supposed to add the add_hwservice attribute itself to get ahold of the specific sub-interface of configstore relevant to it. However, there is only one configstore interface, ISurfaceFlingerConfigs. From this point onward, the configstore hal is to be thought of as specifically relating to surface flinger. Other properties may be added as other attributes/packages. For instance, if we want a configstore entry for 'IFooConfig', then we would add the configuration to one of the following packages: - android.hardware.foo@X.Y (to the interface itself) - android.hardware.foo.config@X.Y (to a configuration of the interface) - android.hardware.configstore.foo@X.Y (as a sub-interface of configstore) and then it could be associated with the sepolicy attributes (respectively): - hal_foo - hal_foo_config (or just hal_foo if they are 1-1) - hal_configstore_foo The specific pattern to be followed irrelevant to this CL and subject to future discussion, the point being that we're going to have a separate sepolicy attribute (and package, although this isn't strictly necessary) for each separate domain's configuration. Fixes: 109806245 Test: boot walleye, check for denials Change-Id: If661e3fca012017a6c854fe3f02df4b779d514df 2018-06-06 12:55:06 -07:00			`hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)`
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 12:58:29 -07:00
			`# hal_configstore runs with a strict seccomp filter. Use crash_dump's`
			`# fallback path to collect crash data.`
			`crash_dump_fallback(hal_configstore_server)`

			`###`
			`### neverallow rules`
			`###`

			`# Should never execute an executable without a domain transition`
			`neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;`

			`# Should never need network access. Disallow sockets except for`
			`# for unix stream/dgram sockets used for logging/debugging.`
			`neverallow hal_configstore_server domain:{`
			`rawip_socket tcp_socket udp_socket`
			`netlink_route_socket netlink_selinux_socket`
			`socket netlink_socket packet_socket key_socket appletalk_socket`
			`netlink_tcpdiag_socket netlink_nflog_socket`
			`netlink_xfrm_socket netlink_audit_socket`
			`netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket`
			`netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket`
			`netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket`
			`netlink_rdma_socket netlink_crypto_socket`
			`} *;`
			`neverallow hal_configstore_server {`
			`domain`
			`-hal_configstore_server`
			`-logd`
			userdebug_or_eng(`-su')
			`-tombstoned`
			`}:{ unix_dgram_socket unix_stream_socket } *;`

			`# Should never need access to anything on /data`
			`neverallow hal_configstore_server {`
			`data_file_type`
			`-anr_data_file # for crash dump collection`
			`-tombstone_data_file # for crash dump collection`
			`-zoneinfo_data_file # granted to domain`
			`}:{ file fifo_file sock_file } *;`

			`# Should never need sdcard access`
Add exFAT support; unify behind "sdcard_type". We're adding support for OEMs to ship exFAT, which behaves identical to vfat. Some rules have been manually enumerating labels related to these "public" volumes, so unify them all behind "sdcard_type". Test: atest Bug: 67822822 Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56 2018-03-30 11:22:54 -07:00			`neverallow hal_configstore_server {`
			`sdcard_type`
			`fuse sdcardfs vfat exfat # manual expansion for completeness`
			`}:dir ~getattr;`
			`neverallow hal_configstore_server {`
			`sdcard_type`
			`fuse sdcardfs vfat exfat # manual expansion for completeness`
			`}:file *;`
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 12:58:29 -07:00
			`# Do not permit access to service_manager and vndservice_manager`
			`neverallow hal_configstore_server :service_manager ;`

			`# No privileged capabilities`
			`neverallow hal_configstore_server self:capability_class_set *;`

			`# No ptracing other processes`
			`neverallow hal_configstore_server *:process ptrace;`

			`# no relabeling`
			`neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };`