Set up access control rule for aocxd

avc: 12-25 14:34:43.292 root 7005 7005 W binder:7005_1: type=1400 audit(0.0:23): avc: denied { call } for scontext=u:r:aocxd:s0 tcontext=u:r:aocxdallowdomain:s0:c512,c768 tclass=binder permissive=0 11-27 14:56:33.645 1000 422 422 E SELinux : avc: denied { find } for pid=7360 uid=10267 name=aocx.IAocx/default scontext=u:r:aocxdallowdomain:s0:c512,c768 tcontext=u:object_r:aocx:s0 tclass=service_manager permissive=0 Test: make -j64 Bug: 385663354 Flag: EXEMPT bugfix Change-Id: I7888e89710cfb671fb26180f8b2bc3152e1ced89
2025-01-03 03:16:24 +00:00
parent 244e746f73
commit cb1a8297c3
4 changed files with 22 additions and 1 deletions
--- a/aoc/aoc.mk
+++ b/aoc/aoc.mk
@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    device/google/gs-common/aoc/sepolicy \
+    device/google/gs-common/aoc/sepolicy/allowlist

 PRODUCT_PACKAGES += dump_aoc \
 		    aocd \
--- a/aoc/sepolicy/allowlist/aocxd_neverallow.te
+++ b/aoc/sepolicy/allowlist/aocxd_neverallow.te
@@ -0,0 +1,11 @@
+# set up rule to control the access to aocxd
+neverallow {
+  domain
+  -hwservicemanager
+  -servicemanager
+  -vndservicemanager
+  -system_suspend_server
+  -dumpstate
+  -hal_audio_default
+  -aocxdallowdomain
+} aocxd:binder { call transfer };
--- a/aoc/sepolicy/allowlist/aocxdallowdomain.te
+++ b/aoc/sepolicy/allowlist/aocxdallowdomain.te
@@ -0,0 +1,6 @@
+# Aocx AIDL service
+allow aocxdallowdomain aocx:service_manager find;
+
+binder_call(aocxdallowdomain, aocxd)
+# Allow aocxd asynchronous callback to aocxdallowdomain
+binder_call(aocxd, aocxdallowdomain)
--- a/aoc/sepolicy/allowlist/attributes
+++ b/aoc/sepolicy/allowlist/attributes
@@ -0,0 +1,2 @@
+# Allow domain to access aocx HAL API
+attribute aocxdallowdomain;