selinux: New aocx service

Add new aocxd server domain - Allow aocxd to access AOC resources - Add new aocx binder vendor service Allow audio hal to find and talk to aocx avc error tcontext=u:object_r:binder_device:s0 tclass=chr_file or tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file avc: denied { add } for pid=1073 uid=0 name=aocx.IAocx scontext=u:r:aocxd:s0 tcontext=u:object_r:aocx:s0 tclass=service_manager avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:aocxd:s0 tclass=binder BUG: 315853303 Change-Id: Ide16a2be9f032bef60f43d4d3daa6372ae06b057
2023-12-26 23:27:00 +00:00 · 2023-12-26 23:27:00 +00:00 · 6b92b30e7b
commit 6b92b30e7b
parent 29e115e63e
8 changed files with 39 additions and 5 deletions
--- a/aoc/aoc.mk
+++ b/aoc/aoc.mk
@ -1,7 +1,8 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy

 PRODUCT_PACKAGES += dump_aoc \
-		    aocd
+		    aocd \
+		    aocxd

 ifeq (,$(filter aosp_%,$(TARGET_PRODUCT)))
 # IAudioMetricExt HIDL
@ -23,4 +24,5 @@ PRODUCT_PACKAGES_DEBUG += \
 	aocdump \
 	aocutil \
 	aoc_audio_cfg \
-	vp_util
+	vp_util \
+	aocx_tool
--- a/aoc/sepolicy/aocxd.te
+++ b/aoc/sepolicy/aocxd.te
@ -0,0 +1,25 @@
+# aocxd server domain
+type aocxd, domain;
+type aocxd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocxd)
+
+# sysfs operations
+allow aocxd sysfs_aoc:dir search;
+
+# dev operations
+allow aocxd aoc_device:chr_file rw_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocxd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocxd, vendor_aoc_prop);
+
+# allow binder access
+vndbinder_use(aocxd);
+
+# allow managing wakelocks
+wakelock_use(aocxd);
+
+# add aocx service to the domain
+add_service(aocxd, aocx);
--- a/aoc/sepolicy/file_contexts
+++ b/aoc/sepolicy/file_contexts
@ -27,11 +27,13 @@
 /dev/acd-audio_ap_offload_rx        u:object_r:aoc_device:s0
 /dev/acd-audio_ap_offload_tx        u:object_r:aoc_device:s0
 /dev/acd-mel_processor              u:object_r:aoc_device:s0
+/dev/acd-aocx_control               u:object_r:aoc_device:s0

 # AoC vendor binaries
 /vendor/bin/aocd                    u:object_r:aocd_exec:s0
 /vendor/bin/aocdump                 u:object_r:aocdump_exec:s0
 /vendor/bin/dump/dump_aoc           u:object_r:dump_aoc_exec:s0
+/vendor/bin/aocxd                   u:object_r:aocxd_exec:s0

 # AoC audio files
 /vendor/etc/aoc(/.*)?               u:object_r:aoc_audio_file:s0
--- a/aoc/sepolicy/vndservice.te
+++ b/aoc/sepolicy/vndservice.te
@ -0,0 +1 @@
+type aocx, vndservice_manager_type;
--- a/aoc/sepolicy/vndservice_contexts
+++ b/aoc/sepolicy/vndservice_contexts
@ -0,0 +1 @@
+aocx.IAocx    u:object_r:aocx:s0
--- a/audio/sepolicy/aidl/service.te
+++ b/audio/sepolicy/aidl/service.te
@ -1,3 +1,3 @@
 # Audio
 type hal_audio_ext_service, hal_service_type, service_manager_type;
-type hal_audio_parameter_parser_service, service_manager_type;
+type hal_audio_parameter_parser_service, service_manager_type;
--- a/audio/sepolicy/aidl/service_contexts
+++ b/audio/sepolicy/aidl/service_contexts
@ -1,4 +1,3 @@
 # Audio
 vendor.google.whitechapel.audio.extension.IAudioExtension/default    u:object_r:hal_audio_ext_service:s0
-android.media.audio.IHalAdapterVendorExtension/default               u:object_r:hal_audio_parameter_parser_service:s0
-
+android.media.audio.IHalAdapterVendorExtension/default               u:object_r:hal_audio_parameter_parser_service:s0
--- a/audio/sepolicy/common/hal_audio_default.te
+++ b/audio/sepolicy/common/hal_audio_default.te
@ -34,3 +34,7 @@ userdebug_or_eng(`
 ')

 wakelock_use(hal_audio_default);
+
+vndbinder_use(hal_audio_default);
+allow hal_audio_default aocx:service_manager find;
+binder_call(hal_audio_default, aocxd);