SEPolicy rules for CAN bus HAL

Bug: 135918744 Test: VTS (separate new change) Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9
2019-07-23 17:38:51 -07:00 · 2019-07-23 17:38:51 -07:00 · 602b30302a
commit 602b30302a
parent 5ee628f0ce
8 changed files with 46 additions and 0 deletions
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -10,6 +10,8 @@
    platform_compat_service
    ctl_apexd_prop
    device_config_sys_traced_prop
    hal_can_bus_hwservice
    hal_can_controller_hwservice
    ota_metadata_file
    runtime_apex_dir
    system_ashmem_hwservice
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@ -9,6 +9,8 @@ android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_a
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
 android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
 android.hardware.automotive.audiocontrol::IAudioControl         u:object_r:hal_audiocontrol_hwservice:s0
 android.hardware.automotive.can::ICanController                 u:object_r:hal_can_controller_hwservice:s0
 android.hardware.automotive.can::ICanBus                        u:object_r:hal_can_bus_hwservice:s0
 android.hardware.automotive.evs::IEvsEnumerator                 u:object_r:hal_evs_hwservice:s0
 android.hardware.automotive.vehicle::IVehicle                   u:object_r:hal_vehicle_hwservice:s0
 android.hardware.biometrics.face::IBiometricsFace               u:object_r:hal_face_hwservice:s0
--- a/public/attributes
+++ b/public/attributes
@ -251,6 +251,8 @@ hal_attribute(bootctl);
 hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(can_bus);
 hal_attribute(can_controller);
 hal_attribute(cas);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
--- a/public/hal_can.te
+++ b/public/hal_can.te
@ -0,0 +1,9 @@
 # CAN controller
 binder_call(hal_can_controller_client, hal_can_controller_server)
 add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
 allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
 # CAN bus
 binder_call(hal_can_bus_client, hal_can_bus_server)
 add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
 allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@ -3,6 +3,7 @@
 neverallow {
  halserverdomain
  -hal_bluetooth_server
  -hal_can_controller_server
  -hal_wifi_server
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
@ -18,6 +19,7 @@ neverallow {
 neverallow {
  halserverdomain
  -hal_automotive_socket_exemption
  -hal_can_controller_server
  -hal_tetheroffload_server
  -hal_wifi_server
  -hal_wifi_hostapd_server
--- a/public/hwservice.te
+++ b/public/hwservice.te
@ -13,6 +13,8 @@ type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
 type hal_can_bus_hwservice, hwservice_manager_type;
 type hal_can_controller_hwservice, hwservice_manager_type;
 type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -4,6 +4,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service         u:object_r:hal_atrace_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service     u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service  u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@ -0,0 +1,26 @@
 type hal_can_socketcan, domain;
 hal_server_domain(hal_can_socketcan, hal_can_controller)
 hal_server_domain(hal_can_socketcan, hal_can_bus)
 type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_can_socketcan)
 # Managing SocketCAN interfaces
 allow hal_can_socketcan self:capability net_admin;
 allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
 # Calling if_nametoindex(3) to open CAN sockets
 allow hal_can_socketcan self:udp_socket { create ioctl };
 allowxperm hal_can_socketcan self:udp_socket ioctl {
    SIOCGIFINDEX
 };
 # Communicating with SocketCAN interfaces and bringing them up/down
 allow hal_can_socketcan self:can_socket { bind create read write ioctl };
 allowxperm hal_can_socketcan self:can_socket ioctl {
    SIOCGIFFLAGS
    SIOCSIFFLAGS
 };
 # Un-publishing ICanBus interfaces
 allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;