selinux: New aocx service

Add new aocxd server domain - Allow aocxd to access AOC resources - Add new aocx binder vendor service Allow audio hal to find and talk to aocx avc error tcontext=u:object_r:binder_device:s0 tclass=chr_file or tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file avc: denied { add } for pid=1073 uid=0 name=aocx.IAocx scontext=u:r:aocxd:s0 tcontext=u:object_r:aocx:s0 tclass=service_manager avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:aocxd:s0 tclass=binder BUG: 315853303 Change-Id: Ide16a2be9f032bef60f43d4d3daa6372ae06b057
2023-12-26 23:27:00 +00:00 · 2023-12-26 23:27:00 +00:00 · 6b92b30e7b
commit 6b92b30e7b
parent 29e115e63e
8 changed files with 39 additions and 5 deletions
--- a/aoc/aoc.mk
+++ b/aoc/aoc.mk
@ -1,7 +1,8 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
 PRODUCT_PACKAGES += dump_aoc \
-		    aocd
+		    aocd \
 		    aocxd
 ifeq (,$(filter aosp_%,$(TARGET_PRODUCT)))
 # IAudioMetricExt HIDL
@ -23,4 +24,5 @@ PRODUCT_PACKAGES_DEBUG += \
 	aocdump \
 	aocutil \
 	aoc_audio_cfg \
-	vp_util
+	vp_util \
 	aocx_tool
--- a/aoc/sepolicy/aocxd.te
+++ b/aoc/sepolicy/aocxd.te
@ -0,0 +1,25 @@
 # aocxd server domain
 type aocxd, domain;
 type aocxd_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(aocxd)
 # sysfs operations
 allow aocxd sysfs_aoc:dir search;
 # dev operations
 allow aocxd aoc_device:chr_file rw_file_perms;
 # allow inotify to watch for additions/removals from /dev
 allow aocxd device:dir r_dir_perms;
 # set properties
 set_prop(aocxd, vendor_aoc_prop);
 # allow binder access
 vndbinder_use(aocxd);
 # allow managing wakelocks
 wakelock_use(aocxd);
 # add aocx service to the domain
 add_service(aocxd, aocx);
--- a/aoc/sepolicy/file_contexts
+++ b/aoc/sepolicy/file_contexts
@ -27,11 +27,13 @@
 /dev/acd-audio_ap_offload_rx        u:object_r:aoc_device:s0
 /dev/acd-audio_ap_offload_tx        u:object_r:aoc_device:s0
 /dev/acd-mel_processor              u:object_r:aoc_device:s0
 /dev/acd-aocx_control               u:object_r:aoc_device:s0
 # AoC vendor binaries
 /vendor/bin/aocd                    u:object_r:aocd_exec:s0
 /vendor/bin/aocdump                 u:object_r:aocdump_exec:s0
 /vendor/bin/dump/dump_aoc           u:object_r:dump_aoc_exec:s0
 /vendor/bin/aocxd                   u:object_r:aocxd_exec:s0
 # AoC audio files
 /vendor/etc/aoc(/.*)?               u:object_r:aoc_audio_file:s0
--- a/aoc/sepolicy/vndservice.te
+++ b/aoc/sepolicy/vndservice.te
@ -0,0 +1 @@
 type aocx, vndservice_manager_type;
--- a/aoc/sepolicy/vndservice_contexts
+++ b/aoc/sepolicy/vndservice_contexts
@ -0,0 +1 @@
 aocx.IAocx    u:object_r:aocx:s0
--- a/audio/sepolicy/aidl/service.te
+++ b/audio/sepolicy/aidl/service.te
@ -1,3 +1,3 @@
 # Audio
 type hal_audio_ext_service, hal_service_type, service_manager_type;
-type hal_audio_parameter_parser_service, service_manager_type;
+type hal_audio_parameter_parser_service, service_manager_type;
--- a/audio/sepolicy/aidl/service_contexts
+++ b/audio/sepolicy/aidl/service_contexts
@ -1,4 +1,3 @@
 # Audio
 vendor.google.whitechapel.audio.extension.IAudioExtension/default    u:object_r:hal_audio_ext_service:s0
-android.media.audio.IHalAdapterVendorExtension/default               u:object_r:hal_audio_parameter_parser_service:s0
+android.media.audio.IHalAdapterVendorExtension/default               u:object_r:hal_audio_parameter_parser_service:s0
--- a/audio/sepolicy/common/hal_audio_default.te
+++ b/audio/sepolicy/common/hal_audio_default.te
@ -34,3 +34,7 @@ userdebug_or_eng(`
 ')
 wakelock_use(hal_audio_default);
 vndbinder_use(hal_audio_default);
 allow hal_audio_default aocx:service_manager find;
 binder_call(hal_audio_default, aocxd);