marlin: seal SE policy for location services

This CL enables /vendor/bin/slim_daemon and /vendor/bin/xtra-daemon to
work with Treble:
-- migrated SE policy from GNSS HAL to location domain
-- enabled the location domain to use hwbinder (to talk to
   android.frameworks.sensorservice@1.0)
-- fix permissions to allow /vendor/bin/loc_daemon to launch xtra-daemon
   and slim_daemon
-- added code to init.common.rc to change the ownership of location
   artifacts under /data/misc/location/xtra from system:system to
   gps:gps, so that enabling slim and XTRA on an upgraded device does
   not require a data wipe

b/35757613
b/36569343
b/36651420

Test: marlin

Change-Id: Ief99a82ed3b32d00a30349b719d05fdb98c5e750
Signed-off-by: Iliyan Malchev <malchev@google.com>
diff --git a/init.common.rc b/init.common.rc
index 3e4632a..9fbc9d5 100644
--- a/init.common.rc
+++ b/init.common.rc
@@ -246,6 +246,14 @@
     mkdir /data/misc/location/quipc 0770 gps system
     mkdir /data/misc/location/gsiff 0770 gps gps
 
+    # migrating the GNSS hal to vendor requires this to be relabeled; the
+    # directory itself is created by /vendor/bin/xtra-daemon
+    chown gps gps /data/misc/location/xtra
+    chmod 0750 /data/misc/location/xtra
+    chown gps gps /data/misc/location/xtra/socket_hal_xtra
+    chmod 0660 /data/misc/location/xtra/socket_hal_xtra
+    chown gps gps /data/misc/location/xtra/xtra.sqlite
+
     # Create directory from IMS services
     mkdir /data/shared 0755
     chown system system /data/shared
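Review bot: The `chown gps gps` lines at the top of the hunk run as root, unconditionally, against a directory that this hunk makes owned and writable by gps (`0750 gps gps`), and the comment above them says "relabeled" although only ownership and mode change, not the SELinux label. If init's chown builtin follows symlinks (I cannot confirm from here whether it is chown- or lchown-based), a gps-uid process that plants a symlink at `socket_hal_xtra` or `xtra.sqlite` gets the link target handed to it on the next boot; worth confirming, or restricting the takeover to the directory and letting xtra-daemon create its own files. `xtra.sqlite` also gets a chown but no chmod, unlike its siblings, so its mode stays whatever the old system:system owner left. I would reword the comment to `# the GNSS HAL moved to /vendor and now runs as gps: take over files left as system:system on upgraded devices. The directory itself is created by /vendor/bin/xtra-daemon, so on a fresh device these are no-ops`.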
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index bf2f302..90ded8b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -95,6 +95,8 @@
 /vendor/bin/netmgrd                u:object_r:netmgrd_exec:s0
 /vendor/bin/port-bridge            u:object_r:port-bridge_exec:s0
 /vendor/bin/loc_launcher           u:object_r:location_exec:s0
+/vendor/bin/slim_daemon            u:object_r:location_exec:s0
+/vendor/bin/xtra-daemon            u:object_r:location_exec:s0
 /vendor/bin/lowi-server            u:object_r:location_exec:s0
 /vendor/bin/cnd                    u:object_r:cnd_exec:s0
 /vendor/bin/imsdatadaemon          u:object_r:ims_exec:s0
diff --git a/sepolicy/hal_gnss.te b/sepolicy/hal_gnss.te
index 5942f55..3bf7b51 100644
--- a/sepolicy/hal_gnss.te
+++ b/sepolicy/hal_gnss.te
@@ -17,16 +17,3 @@
 
 #access to /sys/devices/soc0/soc_id and /sys/devices/soc0/hw_platform
 allow hal_gnss sysfs_soc:file { read open getattr };
-
-# Added to enable XTRA download (from internet) per
-# audit2allow after a test that downloaded XTRA on boot
-#
-# TODO:(b/35757613) - STOPSHIP - HAL cannot have direct inet access
-#
-typeattribute hal_gnss_default socket_between_core_and_vendor_violators;
-allow hal_gnss dnsproxyd_socket:sock_file write;
-allow hal_gnss fwmarkd_socket:sock_file write;
-allow hal_gnss netd:unix_stream_socket connectto;
-allow hal_gnss port:tcp_socket name_connect;
-allow hal_gnss self:tcp_socket { connect create read setopt write };
-allow hal_gnss self:udp_socket { create ioctl read write };
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
index 255a5e6..325907b 100644
--- a/sepolicy/hal_gnss_default.te
+++ b/sepolicy/hal_gnss_default.te
@@ -1,3 +1,10 @@
 vndbinder_use(hal_gnss_default)
 binder_call(hal_gnss_default, per_mgr);
 allow hal_gnss_default per_mgr_service:vndservice_manager find;
+
+#============= hal_gnss_default ==============
+allow hal_gnss_default location_data_file:dir search;
+allow hal_gnss_default location_data_file:fifo_file { open read setattr write };
+allow hal_gnss_default location:unix_stream_socket connectto;
+allow hal_gnss_default location_data_file:sock_file write;
+allow hal_gnss_default self:udp_socket { create ioctl };
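Review bot: The `self:udp_socket { create ioctl }` rule on the last line of the hunk grants every socket ioctl with no `allowxperm` whitelist, while netd.te in this same policy restricts the same class to named `SIOC*` codes. If the HAL only needs interface queries (the absence of read/write/connect suggests that, but I am inferring), pair it with something like `allowxperm hal_gnss_default self:udp_socket ioctl { SIOCGIFCONF SIOCGIFFLAGS };` narrowed to whatever the denial logs actually show. The block also reads as raw audit2allow output (the `#============= hal_gnss_default ==============` banner), with `setattr` on location fifos and `connectto` into the location domain, and none of the lines says which daemon or path it serves. Now that the STOPSHIP note that explained the HAL's network rules is gone, each rule deserves a one-line why-comment so the next reviewer can tell intended IPC from leftover denials.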
diff --git a/sepolicy/location.te b/sepolicy/location.te
index f288f37..72241ae 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -11,9 +11,8 @@
 
 allow location self:capability { setgid setuid };
 
-# TODO(b/36569343): Remove this once location daemon stops using Binder
-typeattribute location binder_in_vendor_violators;
-binder_use(location)
+hwbinder_use(location)
+get_prop(location, hwservicemanager_prop)
 binder_call(location, system_server)
 allow location hal_wifi:unix_stream_socket { read write };
 
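Review bot: With `binder_use(location)` replaced by `hwbinder_use(location)`, the retained `binder_call(location, system_server)` two lines below looks like a leftover from the framework-binder path: as far as I recall binder_call only grants call/transfer between the two domains, not the /dev/binder access that binder_use provided, so either the rule is dead or location still reaches /dev/binder through a rule outside this hunk. The commit says sensorservice is now reached over hwbinder, so if nothing else in the domain talks to system_server this line and its reciprocal in system_server.te can go. At minimum annotate it: `# TODO(b/36569343): location now uses hwbinder; confirm system_server binder traffic still exists`.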
@@ -34,7 +33,8 @@
 allow location proc_net:file r_file_perms;
 
 # execute /vendor/bin/slim_daemon
-allow location system_file:file rx_file_perms;
+allow location vendor_file:file rx_file_perms;
+allow location vendor_file:file execute_no_trans;
 
 # execute /vendor/bin/lowi-server
 allow location location_exec:file rx_file_perms;
@@ -43,9 +43,24 @@
 allow location location_data_file:dir create_dir_perms;
 allow location location_data_file:{ file sock_file } create_file_perms;
 
-allow location permission_service:service_manager find;
-allow location sensorservice_service:service_manager find;
+# allow location permission_service:service_manager find;
+# allow location sensorservice_service:service_manager find;
 
 userdebug_or_eng(`
   allow location diag_device:chr_file rw_file_perms;
 ')
+
+# netd is a vendor daemon that is on /system; its functionality is related to
+# cellular data; since we allow telephony and telephony-data violations on
+# Marlin and Sailfish, we need to tag the dependency on netd with
+# socket_between_core_and_vendor_violators
+typeattribute location socket_between_core_and_vendor_violators;
+
+# Added to enable XTRA download (from internet) per
+# audit2allow after a test that downloaded XTRA on boot
+allow location dnsproxyd_socket:sock_file write;
+allow location fwmarkd_socket:sock_file write;
+allow location netd:unix_stream_socket connectto;
+allow location port:tcp_socket name_connect;
+allow location self:tcp_socket { connect create read setopt write };
+allow location self:udp_socket { create ioctl read write };
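Review bot: The commented-out `permission_service`/`sensorservice_service` find rules in the middle of the hunk should be deleted rather than kept as `# allow ...` lines; disabled policy is noise and git history already records them. The network block at the end re-adds the rules that carried a STOPSHIP TODO in hal_gnss.te, now without it: `port:tcp_socket name_connect` permits connecting to any port and `udp_socket ioctl` has no `allowxperm` whitelist, unlike netd.te in this policy. If the XTRA servers use fixed ports (I cannot tell from here) narrow to a port type, and add `allowxperm location self:udp_socket ioctl { ... }` listing the codes seen in the denials, noting in the comment that the `socket_between_core_and_vendor_violators` tag is what lets this build. The comment calling netd "a vendor daemon that is on /system" is also contradictory, since netd is a core daemon; say `netd is a core daemon on /system`.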
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index 8c92cb5..6b38b8d 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -5,9 +5,5 @@
 allowxperm netd self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCGIFHWADDR };
 
 # Enable XTRA downloads
-#
-# TODO:(b/35757613) - STOPSHIP - HAL cannot have direct inet access
-#
-allow netd hal_gnss_default:fd use;
-allow netd hal_gnss_default:tcp_socket { getopt read setopt write };
-
+allow netd location:fd use;
+allow netd location:tcp_socket { getopt read setopt write };
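Review bot: The two retargeted rules keep `# Enable XTRA downloads` but lose, along with the STOPSHIP note, any explanation of why a core daemon operates on a vendor domain's socket; presumably this is the fwmark-client path, given the `fwmarkd_socket` write granted to location in location.te. Since the core/vendor crossing is now tagged on the `location` domain rather than here, a cross-reference helps the next reader: `# location (vendor) hands its XTRA download socket to netd via fwmarkd; see socket_between_core_and_vendor_violators in location.te`.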
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 2b7be51..2debc32 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -19,6 +19,8 @@
 allow system_server netmgrd_socket:dir search;
 unix_socket_connect(system_server, netmgrd, netmgrd)
 
+binder_call(system_server, location)
+
 # files in /sys
 r_dir_file(system_server, sysfs_type)
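Review bot: `binder_call(system_server, location)` is added with no comment saying which callback system_server makes into the location domain, and the same CL replaces location's `binder_use` with `hwbinder_use`, so it is unclear whether this is a live framework-binder reply path or a leftover. A one-line comment naming the interface or the bug would settle it: `# reply/callback path into the location daemon (b/36569343)`. If the location domain no longer opens /dev/binder after this CL, the rule should be removed together with its counterpart in location.te.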