Merge "Allow bugreport to dump some HAL processes."
diff --git a/Android.mk b/Android.mk
index 254acd0..e288356 100644
--- a/Android.mk
+++ b/Android.mk
@@ -131,6 +131,11 @@
 
 intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
 
+with_asan := false
+ifneq (,$(filter address,$(SANITIZE_TARGET)))
+  with_asan := true
+endif
+
 ##################################
 # reqd_policy_mask - a policy.conf file which contains only the bare minimum
 # policy necessary to use checkpolicy.  This bare-minimum policy needs to be
@@ -143,6 +148,7 @@
 $(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
 	@mkdir -p $(dir $@)
@@ -151,6 +157,7 @@
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-s $^ > $@
 
 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
@@ -170,6 +177,7 @@
 $(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
@@ -179,6 +187,7 @@
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-s $^ > $@
 
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -223,6 +232,7 @@
 $(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
@@ -232,6 +242,7 @@
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
@@ -320,6 +331,7 @@
 $(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
@@ -329,6 +341,7 @@
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
@@ -452,6 +465,7 @@
 $(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_pub_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_pub_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_pub_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
 $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
@@ -461,6 +475,7 @@
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-D target_recovery=true \
 		-s $^ > $@
 
@@ -479,6 +494,7 @@
 $(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
@@ -488,6 +504,7 @@
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-D target_recovery=true \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -526,6 +543,7 @@
 $(nonplat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(nonplat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(nonplat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(nonplat_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(nonplat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(nonplat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
 $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
@@ -535,6 +553,7 @@
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-D target_recovery=true \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -603,6 +622,7 @@
 		-D target_build_variant=user \
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=false \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
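Review bot: This rule hard-codes `-D target_with_asan=false` while every sibling rule in the change passes `$(PRIVATE_TGT_WITH_ASAN)`, and nothing says why the constant is correct here. Because the `with_asan` macro added to public/te_macros routes its body through `userdebug_or_eng`, and this recipe already pins `-D target_build_variant=user`, any value would expand to nothing, so the constant is consistent; a Make comment above the rule header (outside this hunk) such as `# asan policy is userdebug/eng-only, so a user-variant .conf never enables it` would record that. The rule whose recipe this is begins outside the hunk.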
@@ -1090,5 +1110,6 @@
 plat_pub_policy.cil :=
 reqd_policy_mask.cil :=
 sepolicy_build_files :=
+with_asan :=
 
 include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/private/app.te b/private/app.te
index 1b1f4ca..c5943dd 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,11 +87,12 @@
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
 
 # Renderscript needs the ability to read directories on /system
-r_dir_file(appdomain, system_file)
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
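Review bot: The rewritten rule appears to drop all of `r_file_perms` (read/open/ioctl/lock/map) from appdomain's `system_file:file` access, not just `lock`, and the lnk_file rule now lists `{ getattr open read }` instead of going through `r_dir_file`, yet the only nearby comment still talks about Renderscript reading directories. If read access to `system_file:file` is meant to come from a domain-wide rule elsewhere (not visible in this diff — please confirm), that intent, matching the new `neverallow all_untrusted_apps system_file:file lock;` in private/app_neverallows.te, deserves a line here, e.g. `# Read access to system_file is granted domain-wide; lock is deliberately excluded (see app_neverallows.te).` Without it the next reader will assume the narrowing was accidental.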
@@ -133,7 +134,7 @@
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
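Review bot: The new set `{ appdomain -ephemeral_app}` is missing the space before the closing brace; every other set in this change is written `{ ... -x }`, so the line should read `r_dir_file({ appdomain -ephemeral_app }, proc_net)`. The context comment above it misspells the path as `xt_qtguid`, which is pre-existing but could be corrected while the line is being touched.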
@@ -243,9 +244,15 @@
 # TODO is write really necessary ?
 auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
 # Allow app to access the graphic allocator HAL
 binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
 
+# App can access configstore HAL which is read only
+binder_call({ appdomain -isolated_app }, hal_configstore)
+
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
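Review bot: `get_prop({ appdomain -isolated_app }, hwservicemanager_prop);` ends with a `;` that no other get_prop call in this change carries (private/halclientdomain.te, private/halserverdomain.te, public/mediacodec.te); the macro already emits terminated statements, so the trailing semicolon is at best a stray empty statement and should be dropped. The TODO says when the line goes away but not why apps need it now; the sibling files use `# Used to wait for hwservicemanager`, and the same wording belongs here. The configstore comment describes the HAL's data as read-only, which is not what the rule expresses — binder_call describes the IPC relationship, so `# Apps may call the configstore HAL (it only exposes read-only data)` is more precise.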
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 15ab764..5e47b68 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,3 +100,7 @@
 
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827..2b0515a 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -52,3 +52,7 @@
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
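Review bot: The new neverallow pins only the `file` class, while the companion change in private/app.te removed ephemeral_app from `r_dir_file(…, proc_net)`, which also covered the `dir` class. If the goal is that ephemeral apps cannot enumerate /proc/net at all, the assertion should cover directory listing too, e.g. `neverallow ephemeral_app proc_net:dir { open read search };` — hedged, since a dir search may still be needed by something not visible in this diff. The rationale comment is good; noting that the allow side lives in app.te would help readers find the other half.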
diff --git a/private/file_contexts b/private/file_contexts
index 94a2a53..d5cf3f7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
+/dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index aa224ec..d4bdef9 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -5,3 +5,6 @@
 # Find out whether a HAL in passthrough/in-process mode or
 # binderized/out-of-process mode
 hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/private/halserverdomain.te b/private/halserverdomain.te
index 7be8360..f36e0e7 100644
--- a/private/halserverdomain.te
+++ b/private/halserverdomain.te
@@ -7,3 +7,6 @@
 
 # Find HAL implementations
 allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 0aff9f5..3808c83 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -9,7 +9,6 @@
 
 # Perform HwBinder IPC.
 hwbinder_use(surfaceflinger)
-binder_call(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
diff --git a/private/system_server.te b/private/system_server.te
index 6029243..d1f9bc3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,10 +14,6 @@
 
 allow system_server zygote_tmpfs:file read;
 
-# Create a socket for receiving info from wpa.
-type_transition system_server wifi_data_file:sock_file system_wpa_socket;
-type_transition system_server wpa_socket:sock_file system_wpa_socket;
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -151,8 +147,6 @@
 unix_socket_connect(system_server, webview_zygote, webview_zygote)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
-# TODO(b/35707797): Remove this socket access.
-unix_socket_send(system_server, wpa, hal_wifi_supplicant_server)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Communicate over a socket created by surfaceflinger.
@@ -423,13 +417,6 @@
 # Read/write the property which keeps track of whether this is the first start of system_server
 set_prop(system_server, firstboot_prop)
 
-# Create a socket for receiving info from wpa.
-allow system_server wpa_socket:dir rw_dir_perms;
-allow system_server system_wpa_socket:sock_file create_file_perms;
-
-# Remove sockets created by wpa_supplicant
-allow system_server wpa_socket:sock_file unlink;
-
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -636,6 +623,12 @@
 allow system_server debugfs_tracing_instances:dir search;
 allow system_server debugfs_wifi_tracing:file rw_file_perms;
 
+# allow system_server to exec shell on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+  allow system_server shell_exec:file rx_file_perms;
+')
+
 ###
 ### Neverallow rules
 ###
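Review bot: The comment says the shell_exec grant applies "on ASAN builds", but the `with_asan` macro introduced in public/te_macros wraps its argument in `userdebug_or_eng`, so the rule is never present on user builds even when ASAN is enabled; the comment should say so, e.g. `# On userdebug/eng ASAN builds only (with_asan implies userdebug_or_eng): system_server execs the shell to run asanwrapper.` The same qualification applies to the `with_asan(`-shell_exec')` exemption added to the execute_no_trans neverallow further down in this file.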
@@ -657,7 +650,12 @@
 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
 # Prevent the addition of new file execs to stop the problem from
 # getting worse. b/28035297
-neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
+neverallow system_server {
+  file_type
+  -toolbox_exec
+  -logcat_exec
+  with_asan(`-shell_exec')
+}:file execute_no_trans;
 
 # Ensure that system_server doesn't perform any domain transitions other than
 # transitioning to the crash_dump domain when a crash occurs.
diff --git a/public/bootanim.te b/public/bootanim.te
index 9c5702d..9922451 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -2,6 +2,9 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 2314433..7d5be49 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -2,6 +2,8 @@
 type bufferhubd, domain, mlstrustedsubject;
 type bufferhubd_exec, exec_type, file_type;
 
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
 pdx_server(bufferhubd)
 use_pdx(bufferhubd, performanced)
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f2364a7..d1b55cf 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,6 +8,7 @@
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
+hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
diff --git a/public/device.te b/public/device.te
index c9c64dc..53414e2 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@
 type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
 type block_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
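Review bot: `vndbinder_device` is declared as a plain `dev_type`, whereas the two lines above give `binder_device` and `hwbinder_device` `mlstrustedobject` as well. If the omission is deliberate (vendor processes using vndbinder are not MLS-separated the way app domains are), a short comment saying so would stop a later reviewer from "fixing" it, e.g. `# not mlstrustedobject: vndbinder is intended for vendor domains only — confirm`. If it is not deliberate, MLS-constrained clients may be denied the node regardless of the allow rules emitted by vndbinder_use.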
diff --git a/public/domain.te b/public/domain.te
index 9631c9c..5f7da0b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,8 +66,8 @@
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
@@ -410,11 +410,15 @@
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
-# Only servicemanager/hwservicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
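Review bot: The new neverallows keep the three context managers off each other's device nodes, but nothing in this change asserts which domains may open `vndbinder_device` or talk to `vndservicemanager`; the only grants are per-domain via `vndbinder_use`, and vendor/vndservicemanager.te opens `binder transfer` to `{ domain -init }` with a TODO (b/35870313) to narrow it. If the intended split is that vndbinder is vendor-only, a neverallow over whatever attribute identifies platform domains, parallel to the `set_context_mgr` rule here, would make that enforceable rather than a convention — hedged, since that attribute is not visible in this diff. The brace-enclosed neverallow at the top of the hunk begins outside it.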
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index abecbda..ff36956 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -15,7 +15,6 @@
 
 ### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
 ### These rules should eventually be granted only when needed.
-hwbinder_use(gatekeeperd)
 hal_client_domain(gatekeeperd, hal_gatekeeper)
 ###
 
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index d5723b9..884b6fc 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -4,3 +4,5 @@
 
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
+# allow reading /proc/interrupts for all hal impls
+allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index c428eba..618a2ee 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,4 @@
-# call into gatekeeperd process (callbacks)
-# TODO: This rules is unlikely to be needed because Gatekeeper HIDL
-# says there are no callbacks
-binder_call(hal_gatekeeper, gatekeeperd)
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
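Review bot: The replacement line `binder_call(hal_gatekeeper_client, hal_gatekeeper_server)` has no comment, while the identical construct added to public/hal_graphics_allocator.te in this change is introduced with `# HwBinder IPC from client to server`. Reusing that comment here keeps the two HAL files parallel and records that the removed gatekeeperd-specific rule was replaced by the client/server attribute pair rather than simply dropped.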
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 45999be..e434751 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,3 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 61b15ca..130a8f6 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -17,3 +17,36 @@
   -hal_wifi_supplicant_server
   -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+#    the platform.
+# 3) The platform cannot reason about defense in depth if there are
+#    monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+  halserverdomain
+  -hal_dumpstate_server
+  -rild
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
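Review bot: Two typos in the new rationale comment: `conjuntion` → `conjunction`, and `its OK … its not OK` → `it's OK … it's not OK`. It is also worth stating that `hwservicemanager` is made a `halserverdomain` elsewhere in this change (public/hwservicemanager.te), so all three neverallows now bind it too — presumably intended, since init starts it, but not obvious from this file. The execute_no_trans exemptions carry a bare `TODO remove exemptions`; naming a bug id there, as the other TODOs in this change do, would make it trackable.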
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 8d2c0ea..ed10f8d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -18,12 +18,6 @@
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
 allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
 allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-# TODO(b/35707797): Remove this socket access.
-unix_socket_send(hal_wifi_supplicant, system_wpa, system_server)
-
-# HIDL interface exposed by WPA.
-hwbinder_use(hal_wifi_supplicant)
-binder_call(hal_wifi_supplicant, system_server)
 
 # Create a socket for receiving info from wpa
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 20a7229..77074f4 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,6 +2,9 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
+# serving android.hidl.manager@1.0 and android.hidl.token@1.0
+typeattribute hwservicemanager halserverdomain;
+
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)
 # for hwbinder.
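Review bot: The comment explains what hwservicemanager serves but not what the attribute costs it: with this line, the neverallows added to public/hal_neverallows.te in the same change (no execute_no_trans of any file, process transition only from init, no dyntransition) now bind hwservicemanager, and public/halserverdomain.te gives it get_prop on its own hwservicemanager_prop. A sentence such as `# As a halserverdomain it is also bound by the neverallows in hal_neverallows.te.` would make that visible to anyone later relaxing those rules.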
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6ab90eb..f0e7e9a 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -4,6 +4,10 @@
 
 typeattribute mediacodec mlstrustedsubject;
 
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
 binder_use(mediacodec)
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index a641bf7..46140b3 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -4,6 +4,9 @@
 
 typeattribute mediaserver mlstrustedsubject;
 
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
 net_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
diff --git a/public/sensord.te b/public/sensord.te
index bffe3cd..3211f81 100644
--- a/public/sensord.te
+++ b/public/sensord.te
@@ -2,6 +2,9 @@
 type sensord, domain, mlstrustedsubject;
 type sensord_exec, exec_type, file_type;
 
+hal_client_domain(sensord, hal_graphics_allocator)
+allow sensord hal_graphics_allocator:fd use;
+
 pdx_server(sensord)
 use_pdx(sensord, bufferhubd)
 use_pdx(sensord, performanced)
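Review bot: `allow sensord hal_graphics_allocator:fd use;` targets the whole hal_graphics_allocator attribute, which after `hal_client_domain(sensord, hal_graphics_allocator)` appears to include the clients (sensord itself among them) as well as the server, judging by the `_client`/`_server` split used in public/hal_graphics_allocator.te. If the fds sensord uses come from the allocator service, `allow sensord hal_graphics_allocator_server:fd use;` is the tighter form — hedged, since the attribute definitions are not visible here. Whether the binder_call between the client and server attributes already grants fd use is also worth checking before keeping this line at all.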
diff --git a/public/te_macros b/public/te_macros
index 60de568..aeb2916 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -148,26 +148,6 @@
 typeattribute $1 bluetoothdomain;
 ')
 
-# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
-#####################################
-# hal_impl_domain(domain[, hal_type_attr])
-# Allow a base set of permissions required for a domain to host a
-# HAL implementation.
-#
-# Optionally, the type of the HAL can be specified as the second
-# argument. This is useful for HALs which may have multiple
-# implementations. Attributes are used to group the various
-# implementations of such HALs.
-#
-# For example, default implementation of Foo HAL:
-#   type hal_foo_default, domain;
-#   hal_impl_domain(hal_foo_default, hal_foo)
-#
-define(`hal_impl_domain', `
-typeattribute $1 halserverdomain;
-ifelse($2, `', `', `typeattribute $1 $2;')
-')
-
 #####################################
 # hal_server_domain(domain, hal_type)
 # Allow a base set of permissions required for a domain to offer a
@@ -314,6 +294,20 @@
 ')
 
 #####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
 define(`binder_call', `
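Review bot: The header comment `# Allow domain to use Binder IPC.` repeats binder_use's wording and does not say that this macro is about the vendor binder; `# Allow domain to use vendor Binder (vndbinder) IPC via vndservicemanager.` would distinguish the two macros for anyone grepping for them. The inline comments on the body are good, in particular the one explaining why vndservicemanager gets read access to the caller's process entries for getpidcon.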
@@ -406,6 +400,12 @@
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
 
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
 ####################################
 # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
 #
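Review bot: The doc comment says the rules "apply only to asan builds", but the definition also routes the body through `userdebug_or_eng`, so they are additionally absent on user builds — the comment should state both conditions, e.g. `# SELinux rules which apply only to userdebug/eng asan builds (target_with_asan=true).` It is also worth noting that when `target_with_asan` is not defined by the build, m4 compares the literal name against `true` and the macro safely expands to nothing; Android.mk's user-variant rule passes `false` explicitly anyway.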
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
new file mode 100644
index 0000000..6b9f73d
--- /dev/null
+++ b/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4e74f00..a781341 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -28,4 +28,5 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant           u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 0000000..9357042
--- /dev/null
+++ b/vendor/vndservicemanager.te
@@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
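Review bot: `init_daemon_domain(vndservicemanager);` carries a trailing `;` that the other macro invocations in this change do not, including this file's own `selinux_check_access(vndservicemanager)`; the macro already emits terminated statements, so the semicolon should be dropped for consistency. The `{ domain -init }:binder transfer` rule is the one broad grant here and already has its TODO; a comment on the `set_context_mgr` line noting that public/domain.te's neverallow is what makes vndservicemanager one of only three context managers would tie the two files together. The new file is complete within the hunk.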