From 7b281b63f25d9cc28e3950db8b7cc1d09248c133 Mon Sep 17 00:00:00 2001
From: Lopy Cheng
Date: Fri, 2 Dec 2022 12:03:15 +0800
Subject: [PATCH] hal_graphics_composer_default: add sepolicy for display

Fix avc denied issues.
Bug: 260769163
Bug: 261105029
Bug: 261933075
Bug: 261933169
Bug: 262178623
Test: There is no AVC denied log after reboot
Change-Id: I291877a0f70f25a43f49a96a2b280be925bb98c5
---
 legacy/whitechapel_pro/file.te | 1 -
 legacy/whitechapel_pro/file_contexts | 2 -
 legacy/whitechapel_pro/genfs_contexts | 27 ---------
 legacy/whitechapel_pro/service.te | 1 -
 legacy/whitechapel_pro/service_contexts | 1 -
 legacy/whitechapel_pro/vndservice.te | 2 -
 legacy/whitechapel_pro/vndservice_contexts | 2 -
 tracking_denials/dumpstate.te | 1 -
 .../hal_graphics_composer_default.te | 60 -------------------
 vendor/dumpstate.te | 2 +
 vendor/file.te | 2 +
 vendor/file_contexts | 4 ++
 vendor/genfs_contexts | 18 ++++++
 vendor/hal_graphics_composer_default.te | 40 +++++++++++++
 vendor/service.te | 1 +
 vendor/service_contexts | 1 +
 vendor/vndservice.te | 3 +
 vendor/vndservice_contexts | 2 +
 18 files changed, 73 insertions(+), 97 deletions(-)
 delete mode 100644 tracking_denials/hal_graphics_composer_default.te
 create mode 100644 vendor/dumpstate.te
 create mode 100644 vendor/file.te
 create mode 100644 vendor/hal_graphics_composer_default.te
 create mode 100644 vendor/service.te
 create mode 100644 vendor/service_contexts
 create mode 100644 vendor/vndservice_contexts
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 672be660..db630ebb 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -49,7 +49,6 @@ type persist_camera_file, file_type, vendor_persist_type;
 type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_uwb_file, file_type, vendor_persist_type;
-type persist_display_file, file_type, vendor_persist_type;
 
 # CHRE
 type chre_socket, file_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index de0d4ef1..27ef3c57 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -10,7 +10,6 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
@@ -125,7 +124,6 @@
 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
-/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
 
 # Raw HID device
 /dev/hidraw[0-9]* u:object_r:hidraw_device:s0
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 9d21f598..9521c47a 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -79,33 +79,6 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
 genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
 
 # Display
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19472000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/19471000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
-
-genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
-
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
 
 # mediacodec_samsung
diff --git a/legacy/whitechapel_pro/service.te b/legacy/whitechapel_pro/service.te
index b87c99e1..21f7c51a 100644
--- a/legacy/whitechapel_pro/service.te
+++ b/legacy/whitechapel_pro/service.te
@@ -1,2 +1 @@
-type hal_pixel_display_service, service_manager_type, hal_service_type;
 type hal_uwb_vendor_service, service_manager_type, hal_service_type;
diff --git a/legacy/whitechapel_pro/service_contexts b/legacy/whitechapel_pro/service_contexts
index 5df34411..d4777d15 100644
--- a/legacy/whitechapel_pro/service_contexts
+++ b/legacy/whitechapel_pro/service_contexts
@@ -1,2 +1 @@
-com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
diff --git a/legacy/whitechapel_pro/vndservice.te b/legacy/whitechapel_pro/vndservice.te
index 7f116c48..94c8a0af 100644
--- a/legacy/whitechapel_pro/vndservice.te
+++ b/legacy/whitechapel_pro/vndservice.te
@@ -1,4 +1,2 @@
 type rls_service, vndservice_manager_type;
-type vendor_displaycolor_service, vndservice_manager_type;
-type vendor_surfaceflinger_vndservice, vndservice_manager_type;
 type eco_service, vndservice_manager_type;
diff --git a/legacy/whitechapel_pro/vndservice_contexts b/legacy/whitechapel_pro/vndservice_contexts
index e7fb4338..10452a38 100644
--- a/legacy/whitechapel_pro/vndservice_contexts
+++ b/legacy/whitechapel_pro/vndservice_contexts
@@ -1,4 +1,2 @@
 rlsservice u:object_r:rls_service:s0
-displaycolor u:object_r:vendor_displaycolor_service:s0
-Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
 media.ecoservice u:object_r:eco_service:s0
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 04820cc0..fe7e9e99 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -5,7 +5,6 @@ dontaudit dumpstate euiccpixel_app:process { signal };
 dontaudit dumpstate fuse:dir { search };
 dontaudit dumpstate hal_audio_default:binder { call };
 dontaudit dumpstate hal_confirmationui_default:binder { call };
-dontaudit dumpstate hal_graphics_composer_default:binder { call };
 dontaudit dumpstate hal_health_default:binder { call };
 dontaudit dumpstate modem_efs_file:dir { getattr };
 dontaudit dumpstate modem_img_file:dir { getattr };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
deleted file mode 100644
index 8eb96888..00000000
--- a/tracking_denials/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# b/260769163
-dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
-dontaudit hal_graphics_composer_default hal_power_default:binder { call };
-dontaudit hal_graphics_composer_default sysfs_leds:dir { search };
-dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
-dontaudit hal_graphics_composer_default sysfs_leds:file { open };
-dontaudit hal_graphics_composer_default sysfs_leds:file { read };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
-# b/260921736
-dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
-dontaudit hal_graphics_composer_default hal_power_default:binder { call };
-dontaudit hal_graphics_composer_default sysfs_leds:dir { search };
-dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
-dontaudit hal_graphics_composer_default sysfs_leds:file { open };
-dontaudit hal_graphics_composer_default sysfs_leds:file { read };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
-# b/261105029
-dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
-dontaudit hal_graphics_composer_default boot_status_prop:file { map };
-dontaudit hal_graphics_composer_default boot_status_prop:file { open };
-dontaudit hal_graphics_composer_default boot_status_prop:file { read };
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { getattr };
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { map };
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { open };
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { read };
-dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind };
-dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create };
-dontaudit hal_graphics_composer_default hal_pixel_display_service:service_manager { add };
-dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
-dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search };
-dontaudit hal_graphics_composer_default persist_display_file:dir { search };
-dontaudit hal_graphics_composer_default persist_display_file:file { getattr };
-dontaudit hal_graphics_composer_default persist_display_file:file { open };
-dontaudit hal_graphics_composer_default persist_display_file:file { read };
-dontaudit hal_graphics_composer_default persist_file:dir { search };
-dontaudit hal_graphics_composer_default sysfs_display:file { getattr };
-dontaudit hal_graphics_composer_default sysfs_display:file { open };
-dontaudit hal_graphics_composer_default sysfs_display:file { read };
-dontaudit hal_graphics_composer_default sysfs_display:file { write };
-dontaudit hal_graphics_composer_default sysfs_leds:file { write };
-dontaudit hal_graphics_composer_default vendor_display_prop:file { getattr };
-dontaudit hal_graphics_composer_default vendor_display_prop:file { map };
-dontaudit hal_graphics_composer_default vendor_display_prop:file { open };
-dontaudit hal_graphics_composer_default vendor_display_prop:file { read };
-dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { add };
-dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { find };
-dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add };
-dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { find };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
-dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
-dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
-# b/261933075
-dontaudit hal_graphics_composer_default dumpstate:fd { use };
-dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
-# b/262178623
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te
new file mode 100644
index 00000000..6de9f9a2
--- /dev/null
+++ b/vendor/dumpstate.te
@@ -0,0 +1,2 @@
+# allow HWC to output to dumpstate via pipe fd
+dump_hal(hal_graphics_composer)
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 00000000..2ce98bb8
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,2 @@
+# persist
+type persist_display_file, file_type, vendor_persist_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a9a8f36d..3da1eb50 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,10 +9,14 @@
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 
+# persist
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
+
 # Devices
 /dev/edgetpu-soc u:object_r:edgetpu_device:s0
 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index beb8b9ff..f30dc4fd 100644
--- a/vendor/genfs_contexts
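Review bot: The new `vendor/file.te` introduces `persist_display_file` with only `# persist` above it, which says nothing about what the label protects or who consumes it; the only hint is the `# allow HWC/libdisplaycolor to read calibration data` comment in `vendor/hal_graphics_composer_default.te`. Since this type sits on a persist partition path, a reader auditing the label later will want the purpose next to the declaration. Suggest replacing the comment with `# display calibration data under /mnt/vendor/persist/display (read-only for HWC/libdisplaycolor)`, and mirroring the same wording on the `+# persist` comment added in `vendor/file_contexts` in this commit.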
+++ b/vendor/genfs_contexts 
@@ -18,6 +18,24 @@ genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object
 genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
 
+# Display
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
+
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
new file mode 100644
index 00000000..94f4a3dd
--- /dev/null
+++ b/vendor/hal_graphics_composer_default.te
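Review bot: The `# Display` block added here is not a one-to-one move of the block removed from `legacy/whitechapel_pro/genfs_contexts`: the four `19450000.drmdsim` entries and `19471000.drmdecon/dqe1/atc` are dropped, and the second `early_wakeup` node is now `19471000.drmdecon` where the legacy file had `19472000.drmdecon`. If the `vendor/` policy targets hardware without a second panel that is fine, but an unlabelled node keeps the generic sysfs label and none of the `sysfs_display` rules in `vendor/hal_graphics_composer_default.te` would apply to it, so the "no AVC denied log after reboot" test would only confirm this on a device where those nodes do not exist. Either restore the missing entries or add a comment on the `# Display` line such as `# Display (single panel: 19450000.drmdsim / dqe1 nodes intentionally not labelled here)` so the divergence from the legacy file reads as deliberate.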
@@ -0,0 +1,40 @@
+# allow HWC to access power hal
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
+# access sysfs R/W
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# socket / vnd service
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+# boot stauts prop
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+
+# allow HWC to output to dumpstate via pipe fd
+allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
+allow hal_graphics_composer_default hal_dumpstate_default:fd use;
diff --git a/vendor/service.te b/vendor/service.te
new file mode 100644
index 00000000..0c4726f3
--- /dev/null
+++ b/vendor/service.te
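Review bot: `allow hal_graphics_composer_default sysfs_display:file rw_file_perms;` grants write on every node carrying the `sysfs_display` label, and in this commit's `vendor/genfs_contexts` that label also covers attributes that look read-only from their names (`panel_name`, `panel_extinfo`, `serial_number`, `exynos-drm/tui_status`); the removed `tracking_denials` file recorded `sysfs_display:file { write }` without saying which node was written, so the set that actually needs write is not visible here. If only a subset is written (the `op_hz`/`idle_delay_ms`/`panel_idle` style tunables, presumably), splitting those into their own label and keeping the rest at `r_file_perms` would keep the HAL at least privilege, or failing that the `# access sysfs R/W` comment should name which nodes require write and why. Two smaller points in the same file: `# boot stauts prop` should read `# boot status prop`, and `get_prop(hal_graphics_composer_default, boot_status_prop);` carries a trailing `;` that the `get_prop(...)` call two lines below does not — drop it so the two macro invocations are written the same way.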
@@ -0,0 +1 @@
+type hal_pixel_display_service, service_manager_type, hal_service_type;
diff --git a/vendor/service_contexts b/vendor/service_contexts
new file mode 100644
index 00000000..9592f86f
--- /dev/null
+++ b/vendor/service_contexts
@@ -0,0 +1 @@
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
diff --git a/vendor/vndservice.te b/vendor/vndservice.te
index b4386f8d..e3245a46 100644
--- a/vendor/vndservice.te
+++ b/vendor/vndservice.te
@@ -1 +1,4 @@
 type hal_power_stats_vendor_service, vndservice_manager_type;
+
+type vendor_displaycolor_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 00000000..8c3c4a7d
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1,2 @@
+displaycolor u:object_r:vendor_displaycolor_service:s0
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0