From cb1a8297c34aa62fc2635b1b43b698e09ad1566f Mon Sep 17 00:00:00 2001
From: Bowen Lai
Date: Fri, 3 Jan 2025 03:16:24 +0000
Subject: [PATCH] Set up access control rule for aocxd avc: 12-25 14:34:43.292 root 7005 7005 W binder:7005_1: type=1400 audit(0.0:23): avc: denied { call } for scontext=u:r:aocxd:s0 tcontext=u:r:aocxdallowdomain:s0:c512,c768 tclass=binder permissive=0 11-27 14:56:33.645 1000 422 422 E SELinux : avc: denied { find } for pid=7360 uid=10267 name=aocx.IAocx/default scontext=u:r:aocxdallowdomain:s0:c512,c768 tcontext=u:object_r:aocx:s0 tclass=service_manager permissive=0 Test: make -j64 Bug: 385663354 Flag: EXEMPT bugfix Change-Id: I7888e89710cfb671fb26180f8b2bc3152e1ced89
---
 aoc/aoc.mk | 4 +++-
 aoc/sepolicy/allowlist/aocxd_neverallow.te | 11 +++++++++++
 aoc/sepolicy/allowlist/aocxdallowdomain.te | 6 ++++++
 aoc/sepolicy/allowlist/attributes | 2 ++
 4 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 aoc/sepolicy/allowlist/aocxd_neverallow.te
 create mode 100644 aoc/sepolicy/allowlist/aocxdallowdomain.te
 create mode 100644 aoc/sepolicy/allowlist/attributes
diff --git a/aoc/aoc.mk b/aoc/aoc.mk
index 13d849c..2a0a449 100644
--- a/aoc/aoc.mk
+++ b/aoc/aoc.mk
@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += \
+ device/google/gs-common/aoc/sepolicy \
+ device/google/gs-common/aoc/sepolicy/allowlist
 
 PRODUCT_PACKAGES += dump_aoc \
 aocd \
diff --git a/aoc/sepolicy/allowlist/aocxd_neverallow.te b/aoc/sepolicy/allowlist/aocxd_neverallow.te
new file mode 100644
index 0000000..50170a2
--- /dev/null
+++ b/aoc/sepolicy/allowlist/aocxd_neverallow.te
@@ -0,0 +1,11 @@
+# set up rule to control the access to aocxd
+neverallow {
+ domain
+ -hwservicemanager
+ -servicemanager
+ -vndservicemanager
+ -system_suspend_server
+ -dumpstate
+ -hal_audio_default
+ -aocxdallowdomain
+} aocxd:binder { call transfer };
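Review bot: The exemption list in `aocxd_neverallow.te` gives no rationale per entry, and its last entry is an attribute, so the assertion is only as strong as the control over who receives `aocxdallowdomain`. Any policy that adds `typeattribute <type> aocxdallowdomain;` passes this neverallow and inherits the allow rules in `aocxdallowdomain.te`; no such assignment is visible in this patch, so the intended members cannot be checked here. I would expand the header comment to name the class of client that may carry the attribute and why `system_suspend_server`, `dumpstate` and `hal_audio_default` are exempt, for example `# Only reviewed clients tagged aocxdallowdomain, plus the listed platform/HAL domains, may call or transfer binder references to aocxd.` The rule also asserts only on `aocxd:binder`; `aocx:service_manager find` has no matching neverallow, which may be intentional but is worth stating in the comment.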
diff --git a/aoc/sepolicy/allowlist/aocxdallowdomain.te b/aoc/sepolicy/allowlist/aocxdallowdomain.te
new file mode 100644
index 0000000..9637c04
--- /dev/null
+++ b/aoc/sepolicy/allowlist/aocxdallowdomain.te
@@ -0,0 +1,6 @@
+# Aocx AIDL service
+allow aocxdallowdomain aocx:service_manager find;
+
+binder_call(aocxdallowdomain, aocxd)
+# Allow aocxd asynchronous callback to aocxdallowdomain
+binder_call(aocxd, aocxdallowdomain)
diff --git a/aoc/sepolicy/allowlist/attributes b/aoc/sepolicy/allowlist/attributes
new file mode 100644
index 0000000..b0440ca
--- /dev/null
+++ b/aoc/sepolicy/allowlist/attributes
@@ -0,0 +1,2 @@
+# Allow domain to access aocx HAL API
+attribute aocxdallowdomain;
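Review bot: The reverse rule `binder_call(aocxd, aocxdallowdomain)` in `aocxdallowdomain.te` grants more than the "asynchronous callback" comment describes. As the platform macro is defined, it gives `aocxd` both `call` and `transfer` on every member of the attribute plus `fd use` on them, and the forward `binder_call(aocxdallowdomain, aocxd)` already lets `aocxd` transfer references back. The denial quoted in the commit message carries an app-range uid and MLS categories, so the members may include app contexts. If the callbacks carry no file descriptors or binder objects, the narrower `allow aocxd aocxdallowdomain:binder call;` would likely be enough. Otherwise the comment should record the full grant, for example `# aocxd invokes client-registered callbacks; this also lets aocxd use fds passed by any aocxdallowdomain member.`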