PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Properly define hal_codec2 and related policies" into qt-dev

Browse Source
This commit is contained in:
TreeHugger Robot 2019-05-24 07:21:23 +00:00 committed by Android (Google) Code Review
commit cf48bfd082
34 changed files with 146 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
prebuilts/api/29.0/private/app_neverallows.te
View File

@ -311,9 +311,10 @@ full_treble_only(`
neverallow all_untrusted_apps {
halserverdomain
-coredomain
-hal_cas_server
-hal_codec2_server
-hal_configstore_server
-hal_graphics_allocator_server
-hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone

1
prebuilts/api/29.0/private/incidentd.te
View File

@ -90,6 +90,7 @@ allow incidentd {
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server

2
prebuilts/api/29.0/private/mediaserver.te
View File

@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)

1
prebuilts/api/29.0/private/surfaceflinger.te
View File

@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)

3
prebuilts/api/29.0/private/system_server.te
View File

@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@ -206,6 +207,7 @@ binder_service(system_server)
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
@ -275,6 +277,7 @@ allow system_server {
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server

4
prebuilts/api/29.0/private/technical_debt.cil
View File

@ -16,6 +16,10 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps, are clients of Codec2-related services
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_configstore_client;

2
prebuilts/api/29.0/public/attributes
View File

@ -252,6 +252,7 @@ hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant);
attribute camera_service_server;
attribute display_service_server;
attribute mediaswcodec_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;

4
prebuilts/api/29.0/public/bufferhubd.te
View File

@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
# Codec2 is similar to OMX
allow bufferhubd hal_codec2_server:fd use;

1
prebuilts/api/29.0/public/cameraserver.te
View File

@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
hal_client_domain(cameraserver, hal_codec2)
hal_client_domain(cameraserver, hal_omx)
hal_client_domain(cameraserver, hal_allocator)

4
prebuilts/api/29.0/public/domain.te
View File

@ -1063,8 +1063,8 @@ neverallow {
-system_server
# Processes that can't exec crash_dump
-hal_codec2_server
-hal_omx_server
-mediaswcodec_server
-mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;
@ -1394,7 +1394,7 @@ full_treble_only(`
neverallow {
domain
-mediaswcodec_server
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;

1
prebuilts/api/29.0/public/dumpstate.te
View File

@ -78,6 +78,7 @@ allow dumpstate {
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
hal_graphics_allocator_server
hal_graphics_composer_server

22
prebuilts/api/29.0/public/hal_codec2.te Normal file
View File

@ -0,0 +1,22 @@
binder_call(hal_codec2_client, hal_codec2_server)
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
# Allow server access to composer sync fences
allow hal_codec2_server hal_graphics_composer:fd use;
# Allow both server and client access to ion
allow hal_codec2_server ion_device:chr_file r_file_perms;
# Allow server access to camera HAL's fences
allow hal_codec2_server hal_camera:fd use;
# Receive gralloc buffer FDs from bufferhubd.
allow hal_codec2_server bufferhubd:fd use;
allow hal_codec2_client ion_device:chr_file r_file_perms;

4
prebuilts/api/29.0/public/hal_omx.te
View File

@ -1,7 +1,6 @@
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
binder_call(hal_omx_server, binderservicedomain)
binder_call(hal_omx_server, { appdomain -isolated_app })
@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
binder_call(hal_omx_client, hal_omx_server)

2
prebuilts/api/29.0/public/mediaserver.te
View File

@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
# For interfacing with OMX HAL
# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access

21
prebuilts/api/29.0/public/mediaswcodec.te
View File

@ -1,10 +1,27 @@
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
typeattribute mediaswcodec halserverdomain;
typeattribute mediaswcodec mediaswcodec_server;
hal_server_domain(mediaswcodec, hal_codec2)
# mediaswcodec may use an input surface from a different Codec2 service or an
# OMX service
hal_client_domain(mediaswcodec, hal_codec2)
hal_client_domain(mediaswcodec, hal_omx)
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
get_prop(mediaswcodec, device_config_media_native_prop)
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;

40
prebuilts/api/29.0/public/swcodec_service_server.te
View File

@ -1,40 +0,0 @@
# Add hal_codec2_hwservice to mediaswcodec_server
allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
# Allow mediaswcodec_server access to composer sync fences
allow mediaswcodec_server hal_graphics_composer:fd use;
allow mediaswcodec_server ion_device:chr_file r_file_perms;
allow mediaswcodec_server hal_camera:fd use;
crash_dump_fallback(mediaswcodec_server)
# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
# via PDX. Thus, there is no need to use pdx_client macro.
allow mediaswcodec_server bufferhubd:fd use;
binder_call(mediaswcodec_server, hal_omx_client)
binder_call(hal_omx_client, mediaswcodec_server)
###
### neverallow rules
###
# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver/codec split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;

3
private/app_neverallows.te
View File

@ -311,9 +311,10 @@ full_treble_only(`
neverallow all_untrusted_apps {
halserverdomain
-coredomain
-hal_cas_server
-hal_codec2_server
-hal_configstore_server
-hal_graphics_allocator_server
-hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone

1
private/incidentd.te
View File

@ -90,6 +90,7 @@ allow incidentd {
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server

2
private/mediaserver.te
View File

@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)

1
private/surfaceflinger.te
View File

@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)

3
private/system_server.te
View File

@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@ -206,6 +207,7 @@ binder_service(system_server)
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
@ -275,6 +277,7 @@ allow system_server {
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server

4
private/technical_debt.cil
View File

@ -16,6 +16,10 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps, are clients of Codec2-related services
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_configstore_client;

2
public/attributes
View File

@ -252,6 +252,7 @@ hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant);
attribute camera_service_server;
attribute display_service_server;
attribute mediaswcodec_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;

4
public/bufferhubd.te
View File

@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
# Codec2 is similar to OMX
allow bufferhubd hal_codec2_server:fd use;

1
public/cameraserver.te
View File

@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
hal_client_domain(cameraserver, hal_codec2)
hal_client_domain(cameraserver, hal_omx)
hal_client_domain(cameraserver, hal_allocator)

4
public/domain.te
View File

@ -1063,8 +1063,8 @@ neverallow {
-system_server
# Processes that can't exec crash_dump
-hal_codec2_server
-hal_omx_server
-mediaswcodec_server
-mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;
@ -1394,7 +1394,7 @@ full_treble_only(`
neverallow {
domain
-mediaswcodec_server
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;

1
public/dumpstate.te
View File

@ -78,6 +78,7 @@ allow dumpstate {
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
hal_graphics_allocator_server
hal_graphics_composer_server

22
public/hal_codec2.te Normal file
View File

@ -0,0 +1,22 @@
binder_call(hal_codec2_client, hal_codec2_server)
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
# Allow server access to composer sync fences
allow hal_codec2_server hal_graphics_composer:fd use;
# Allow both server and client access to ion
allow hal_codec2_server ion_device:chr_file r_file_perms;
# Allow server access to camera HAL's fences
allow hal_codec2_server hal_camera:fd use;
# Receive gralloc buffer FDs from bufferhubd.
allow hal_codec2_server bufferhubd:fd use;
allow hal_codec2_client ion_device:chr_file r_file_perms;

4
public/hal_omx.te
View File

@ -1,7 +1,6 @@
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
binder_call(hal_omx_server, binderservicedomain)
binder_call(hal_omx_server, { appdomain -isolated_app })
@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
binder_call(hal_omx_client, hal_omx_server)

2
public/mediaserver.te
View File

@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
# For interfacing with OMX HAL
# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access

21
public/mediaswcodec.te
View File

@ -1,10 +1,27 @@
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
typeattribute mediaswcodec halserverdomain;
typeattribute mediaswcodec mediaswcodec_server;
hal_server_domain(mediaswcodec, hal_codec2)
# mediaswcodec may use an input surface from a different Codec2 service or an
# OMX service
hal_client_domain(mediaswcodec, hal_codec2)
hal_client_domain(mediaswcodec, hal_omx)
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
get_prop(mediaswcodec, device_config_media_native_prop)
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;

40
public/swcodec_service_server.te
View File

@ -1,40 +0,0 @@
# Add hal_codec2_hwservice to mediaswcodec_server
allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
# Allow mediaswcodec_server access to composer sync fences
allow mediaswcodec_server hal_graphics_composer:fd use;
allow mediaswcodec_server ion_device:chr_file r_file_perms;
allow mediaswcodec_server hal_camera:fd use;
crash_dump_fallback(mediaswcodec_server)
# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
# via PDX. Thus, there is no need to use pdx_client macro.
allow mediaswcodec_server bufferhubd:fd use;
binder_call(mediaswcodec_server, hal_omx_client)
binder_call(hal_omx_client, mediaswcodec_server)
###
### neverallow rules
###
# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver/codec split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;

1
vendor/hal_drm_default.te vendored
View File

@ -4,6 +4,7 @@ hal_server_domain(hal_drm_default, hal_drm)
type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_default)
allow hal_drm_default hal_codec2_server:fd use;
allow hal_drm_default hal_omx_server:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;

17
vendor/mediacodec.te vendored
View File

@ -15,12 +15,29 @@ not_full_treble(`
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)
hal_server_domain(mediacodec, hal_codec2)
hal_server_domain(mediacodec, hal_omx)
# mediacodec may use an input surface from a different Codec2 or OMX service
hal_client_domain(mediacodec, hal_codec2)
hal_client_domain(mediacodec, hal_omx)
hal_client_domain(mediacodec, hal_allocator)
hal_client_domain(mediacodec, hal_graphics_allocator)
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
crash_dump_fallback(mediacodec)
# mediacodec should never execute any executable without a domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;