From 1bbbf810c9d61fb85be5fee43503ef9b0c726772 Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Mon, 22 Apr 2019 10:09:38 -0700 Subject: [PATCH] Treble-ize sepolicy for fwk HIDL services. Bug: 130734497 Test: m selinux_policy; system_server and statds still have permission to export HIDL services. Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d (cherry picked from commit 1d34b8cc313228cbcc5e4ff1d7be9c9db69d8585) --- private/statsd.te | 1 + private/system_server.te | 6 ++---- public/attributes | 11 +++++++---- public/scheduler_service_server.te | 1 + public/sensor_service_server.te | 1 + public/stats_service_server.te | 1 + public/statsd.te | 3 --- 7 files changed, 13 insertions(+), 11 deletions(-) create mode 100644 public/scheduler_service_server.te create mode 100644 public/sensor_service_server.te create mode 100644 public/stats_service_server.te diff --git a/private/statsd.te b/private/statsd.te index 16d3aebad..99548a0d5 100644 --- a/private/statsd.te +++ b/private/statsd.te @@ -1,4 +1,5 @@ typeattribute statsd coredomain; +typeattribute statsd stats_service_server; init_daemon_domain(statsd) diff --git a/private/system_server.te b/private/system_server.te index e7244473d..00fe3c300 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -5,6 +5,8 @@ typeattribute system_server coredomain; typeattribute system_server mlstrustedsubject; +typeattribute system_server scheduler_service_server; +typeattribute system_server sensor_service_server; # Define a type for tmpfs-backed ashmem regions. tmpfs_domain(system_server) @@ -240,10 +242,6 @@ allow system_server hal_graphics_composer:fd use; allow system_server hal_renderscript_hwservice:hwservice_manager find; allow system_server same_process_hal_file:file { execute read open getattr map }; -# Offer HwBinder services -add_hwservice(system_server, fwk_scheduler_hwservice) -add_hwservice(system_server, fwk_sensor_hwservice) - # Talk to tombstoned to get ANR traces. unix_socket_connect(system_server, tombstoned_intercept, tombstoned) diff --git a/public/attributes b/public/attributes index dbb935696..67979dafb 100644 --- a/public/attributes +++ b/public/attributes @@ -303,11 +303,14 @@ hal_attribute(wifi_supplicant); # from one core domain to another, without having to update the vendor image # which contains clients of this service. -attribute display_service_server; -attribute wifi_keystore_service_server; -attribute mediaswcodec_server; -attribute system_suspend_server; attribute camera_service_server; +attribute display_service_server; +attribute mediaswcodec_server; +attribute scheduler_service_server; +attribute sensor_service_server; +attribute stats_service_server; +attribute system_suspend_server; +attribute wifi_keystore_service_server; # All types used for super partition block devices. attribute super_block_device_type; diff --git a/public/scheduler_service_server.te b/public/scheduler_service_server.te new file mode 100644 index 000000000..b3cede168 --- /dev/null +++ b/public/scheduler_service_server.te @@ -0,0 +1 @@ +add_hwservice(scheduler_service_server, fwk_scheduler_hwservice) diff --git a/public/sensor_service_server.te b/public/sensor_service_server.te new file mode 100644 index 000000000..7c526a5f3 --- /dev/null +++ b/public/sensor_service_server.te @@ -0,0 +1 @@ +add_hwservice(sensor_service_server, fwk_sensor_hwservice) diff --git a/public/stats_service_server.te b/public/stats_service_server.te new file mode 100644 index 000000000..564ae234e --- /dev/null +++ b/public/stats_service_server.te @@ -0,0 +1 @@ +add_hwservice(stats_service_server, fwk_stats_hwservice) diff --git a/public/statsd.te b/public/statsd.te index 8ba7f637e..089cae936 100644 --- a/public/statsd.te +++ b/public/statsd.te @@ -50,9 +50,6 @@ allow statsd { system_api_service }:service_manager find; -# Allow statsd to add as HIDL service. -add_hwservice(statsd, fwk_stats_hwservice) - # Grant statsd to access health hal to access battery metrics. allow statsd hal_health_hwservice:hwservice_manager find;