Add GIA (Google Input interface Abstraction layer) related SEPolicy rules and AIDL compatibility matrices.

AVC evidences: 10-29 16:53:50.756 1305 1305 I binder:1305_2: type=1400 audit(0.0:24): avc: denied { search } for name="goog_touch_interface" dev="sysfs" ino=110634 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=dir permissive=1 10-29 16:53:50.756 1305 1305 I binder:1305_2: type=1400 audit(0.0:25): avc: denied { read } for name="interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 10-29 16:53:50.756 1305 1305 I binder:1305_2: type=1400 audit(0.0:26): avc: denied { open } for path="/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 10-29 16:53:50.756 1305 1305 I binder:1305_2: type=1400 audit(0.0:27): avc: denied { getattr } for path="/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 10-29 16:53:50.756 1305 1305 I binder:1305_2: type=1400 audit(0.0:28): avc: denied { write } for name="interactive_calibrate" dev="sysfs" ino=110738 scontext=u:r:gia:s0 tcontext=u:object_r:sysfs_touch_gti:s0 tclass=file permissive=1 Test: Build succeed. Test: Manually, checked whether GIA service is started successfully via command `service list`. Bug: 367881686 Flag: build.RELEASE_PIXEL_GIA_ENABLED Change-Id: I8069521425ff1e830d759252bf8bf460f4dc6f32 Signed-off-by: Kai Hsieh <kaihsieh@google.com>
2024-09-21 13:38:00 +08:00 · 2024-09-21 13:38:00 +08:00 · 1f83bb110e
commit 1f83bb110e
parent d9f390d180
9 changed files with 65 additions and 0 deletions
--- a/input/gia/aidl/compatibility_matrix.xml
+++ b/input/gia/aidl/compatibility_matrix.xml
@ -0,0 +1,10 @@
+<compatibility-matrix type="framework" version="1.0">
+    <hal format="aidl" optional="true">
+        <name>com.google.input.gia.core</name>
+        <interface>
+            <name>IGiaService</name>
+            <instance>default</instance>
+        </interface>
+        <version>1</version>
+    </hal>
+</compatibility-matrix>
--- a/input/gia/aidl/manifest.xml
+++ b/input/gia/aidl/manifest.xml
@ -0,0 +1,10 @@
+<manifest type="device" version="1.0">
+    <hal format="aidl" optional="true">
+        <name>com.google.input.gia.core</name>
+        <interface>
+            <name>IGiaService</name>
+            <instance>default</instance>
+        </interface>
+        <version>1</version>
+    </hal>
+</manifest>
--- a/input/gia/gia.mk
+++ b/input/gia/gia.mk
@ -0,0 +1,11 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/input/gia/sepolicy
+
+PRODUCT_PACKAGES += gia
+PRODUCT_PACKAGES += com.google.input.gia.giaservicemanager
+
+PRODUCT_SOONG_NAMESPACES += vendor/google/interfaces
+PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core
+PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core-servicemanager
+
+DEVICE_MANIFEST_FILE += device/google/gs-common/input/gia/aidl/manifest.xml
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/input/gia/aidl/compatibility_matrix.xml
--- a/input/gia/sepolicy/attributes
+++ b/input/gia/sepolicy/attributes
@ -0,0 +1,2 @@
+# This macro produces: define hal_gia, hal_gia_client, hal_gia_server
+hal_attribute(gia)
--- a/input/gia/sepolicy/file_contexts
+++ b/input/gia/sepolicy/file_contexts
@ -0,0 +1,2 @@
+# chmod +x in SEPolicy language
+/vendor/bin/gia    u:object_r:gia_exec:s0
--- a/input/gia/sepolicy/gia.te
+++ b/input/gia/sepolicy/gia.te
@ -0,0 +1,18 @@
+# SEPolicies for GIA (Google Input interface Abstraction layer)
+type gia, domain;
+type gia_exec, exec_type, vendor_file_type, file_type;
+
+# Macro transferring gia_exec to the gia domain
+init_daemon_domain(gia)
+
+# let this domain use the hal service
+hal_client_domain(gia, hal_gia)
+# allow binder communication with service_manager
+binder_use(gia)
+
+# let this domain serve the hal service
+hal_server_domain(gia, hal_gia)
+
+# allow gia for accessing touch related system file-nodes
+allow gia sysfs_touch_gti:dir r_dir_perms;
+allow gia sysfs_touch_gti:file rw_file_perms;
--- a/input/gia/sepolicy/hal_gia.te
+++ b/input/gia/sepolicy/hal_gia.te
@ -0,0 +1,8 @@
+# allow binder connection from client to server
+binder_call(hal_gia_client, hal_gia_server)
+
+# allow client to find the service & allow server to register the service
+hal_attribute_service(hal_gia, hal_gia_service)
+
+# allow binder communication from server to service_manager
+binder_use(hal_gia_server)
--- a/input/gia/sepolicy/service.te
+++ b/input/gia/sepolicy/service.te
@ -0,0 +1,2 @@
+# Declares GIA related services
+type hal_gia_service, hal_service_type, protected_service, service_manager_type;
--- a/input/gia/sepolicy/service_contexts
+++ b/input/gia/sepolicy/service_contexts
@ -0,0 +1,2 @@
+# Attaches GIA services to the cooresponding SEPolicy group
+com.google.input.gia.core.IGiaService/default     u:object_r:hal_gia_service:s0