From d9a89215f4e09a077ab26fc7580423a34b71d21a Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Thu, 10 Aug 2023 17:00:56 +0900
Subject: [PATCH] Move coredomain seapp contexts to system_ext
Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation.
Bug: 280547417
Test: TH
Change-Id: Ifcaa41df790cb2b720775563cc4cd5cdf10e5c50
Merged-In: Ifcaa41df790cb2b720775563cc4cd5cdf10e5c50
(cherry picked from commit 63200470b86cf00168cf717f49693fdee907104b)
---
private/debug_camera_app.te | 16 +++++++++++++++
private/google_camera_app.te | 16 +++++++++++++++
private/seapp_contexts | 11 ++++++++++
public/debug_camera_app.te | 1 +
public/google_camera_app.te | 1 +
system_ext/private/pixeldisplayservice_app.te | 11 ++++++++++
system_ext/private/seapp_contexts | 6 ++++++
system_ext/private/systemui_app.te | 17 ++++++++++++++++
system_ext/public/pixeldisplayservice_app.te | 1 +
system_ext/public/systemui_app.te | 1 +
vendor/debug_camera_app.te | 15 --------------
vendor/google_camera_app.te | 17 ----------------
vendor/pixeldisplayservice_app.te | 12 -----------
vendor/seapp_contexts | 20 -------------------
vendor/systemui_app.te | 18 -----------------
zumapro-sepolicy.mk | 1 +
16 files changed, 82 insertions(+), 82 deletions(-)
create mode 100644 private/debug_camera_app.te
create mode 100644 private/google_camera_app.te
create mode 100644 private/seapp_contexts
create mode 100644 public/debug_camera_app.te
create mode 100644 public/google_camera_app.te
create mode 100644 system_ext/private/pixeldisplayservice_app.te
create mode 100644 system_ext/private/seapp_contexts
create mode 100644 system_ext/private/systemui_app.te
create mode 100644 system_ext/public/pixeldisplayservice_app.te
create mode 100644 system_ext/public/systemui_app.te
diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te
new file mode 100644
index 0000000..8250e42
--- /dev/null
+++ b/private/debug_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/private/google_camera_app.te b/private/google_camera_app.te
new file mode 100644
index 0000000..4ce84af
--- /dev/null
+++ b/private/google_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 0000000..38c4e6e
--- /dev/null
+++ b/private/seapp_contexts
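Review bot: In private/debug_camera_app.te, `typeattribute debug_camera_app coredomain;` sits outside `userdebug_or_eng(` while every rule is inside it, so on user builds the domain exists but is granted nothing here. The `seinfo=CameraEng` entries added in private/seapp_contexts still map to it unconditionally. That split is presumably deliberate, so that the seapp_contexts entries resolve on every build type, but the file does not say so. A comment above the macro would record the intent, for example `# Rules are debug-only; the type stays declared so seapp_contexts resolves on user builds, where this domain is granted nothing.`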
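Review bot: The `dontaudit google_camera_app vendor_default_prop:file { getattr map open };` rule in private/google_camera_app.te suppresses denials without naming the library or a tracking bug, so any new dependency on vendor properties from this coredomain app would leave no trace in the audit log. The permission set also omits `read`, so a denied read would presumably still be logged; confirm that partial suppression is what is wanted. Since the rule is being re-homed anyway, I would extend its comment with a reference such as `# b/<TRACKING_BUG>: <library name> probes vendor_default_prop at startup`.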
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te
new file mode 100644
index 0000000..6f49768
--- /dev/null
+++ b/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
diff --git a/public/google_camera_app.te b/public/google_camera_app.te
new file mode 100644
index 0000000..c93038c
--- /dev/null
+++ b/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/system_ext/private/pixeldisplayservice_app.te b/system_ext/private/pixeldisplayservice_app.te
new file mode 100644
index 0000000..9d603b7
--- /dev/null
+++ b/system_ext/private/pixeldisplayservice_app.te
@@ -0,0 +1,11 @@
+typeattribute pixeldisplayservice_app coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
new file mode 100644
index 0000000..1e85b73
--- /dev/null
+++ b/system_ext/private/seapp_contexts
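Review bot: The `seinfo=CameraFishfood` entry in private/seapp_contexts assigns the full `google_camera_app` domain without `isPrivApp=true`, while the `com.google.android.GoogleCamera` entry above requires it, so the fishfood match rests on `seinfo` and package name alone. If that asymmetry is intended, state it in the comment, e.g. `# Fishfood builds are not installed as priv-apps, so isPrivApp is deliberately omitted.`; otherwise add the selector. The `seinfo` values `google`, `CameraEng` and `CameraFishfood` come from a signing-certificate mapping that this commit does not touch, so the labeling still depends on that mapping being present wherever it lives; worth confirming after the move.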
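Review bot: system_ext/private/pixeldisplayservice_app.te grants `proc_vendor_sched:dir r_dir_perms` and `proc_vendor_sched:file w_file_perms` from system_ext policy, but `proc_vendor_sched` is not declared anywhere in this commit and its name suggests a vendor-owned type. If it is declared only in vendor policy, the move keeps the cross-partition dependency the commit sets out to remove. In that case either the type needs a public declaration or these two rules belong with the remainder left in vendor/pixeldisplayservice_app.te. The write grant on scheduler nodes to an app domain also deserves a one-line comment saying which nodes are written and why. Minor: `app_domain(pixeldisplayservice_app);` carries a stray semicolon that the other new files do not.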
@@ -0,0 +1,6 @@
+# PixelDisplayService
+user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
+
+# SystemUI
+user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te
new file mode 100644
index 0000000..c34c911
--- /dev/null
+++ b/system_ext/private/systemui_app.te
@@ -0,0 +1,17 @@
+typeattribute systemui_app coredomain;
+app_domain(systemui_app)
+allow systemui_app app_api_service:service_manager find;
+allow systemui_app network_score_service:service_manager find;
+allow systemui_app overlay_service:service_manager find;
+allow systemui_app color_display_service:service_manager find;
+allow systemui_app audioserver_service:service_manager find;
+allow systemui_app cameraserver_service:service_manager find;
+allow systemui_app mediaserver_service:service_manager find;
+allow systemui_app mediaextractor_service:service_manager find;
+allow systemui_app mediametrics_service:service_manager find;
+allow systemui_app radio_service:service_manager find;
+allow systemui_app vr_manager_service:service_manager find;
+
+get_prop(systemui_app, keyguard_config_prop)
+set_prop(systemui_app, bootanim_system_prop)
+get_prop(systemui_app, qemu_hw_prop)
diff --git a/system_ext/public/pixeldisplayservice_app.te b/system_ext/public/pixeldisplayservice_app.te
new file mode 100644
index 0000000..2c608b4
--- /dev/null
+++ b/system_ext/public/pixeldisplayservice_app.te
@@ -0,0 +1 @@
+type pixeldisplayservice_app, domain;
diff --git a/system_ext/public/systemui_app.te b/system_ext/public/systemui_app.te
new file mode 100644
index 0000000..cb101a6
--- /dev/null
+++ b/system_ext/public/systemui_app.te
@@ -0,0 +1 @@
+type systemui_app, domain;
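Review bot: In system_ext/private/systemui_app.te, `set_prop(systemui_app, bootanim_system_prop)` gives SystemUI write access to a system property class and `get_prop(systemui_app, qemu_hw_prop)` reads an emulator-named property, and neither rule carries a comment. Since the rules are being re-homed anyway, add a why-comment above each, e.g. `# <which property SystemUI sets, and why>` above the `set_prop`. If nothing on this device reads `qemu_hw_prop`, that grant could be dropped. The `service_manager find` list would also be easier to audit in sorted order, as the two camera files already are.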
diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index 4199b07..08bf626 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -1,23 +1,8 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - # Allows GCA-Eng & GCA-Next access the GXP device. allow debug_camera_app gxp_device:chr_file rw_file_perms; # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU. allow debug_camera_app edgetpu_app_service:service_manager find; allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - - # Allows GCA_Eng & GCA-Next to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) ') diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index 8c030f4..35cd86e 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
@@ -1,24 +1,7 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - # Allows GCA to acccess the GXP device and search for the firmware file. allow google_camera_app gxp_device:chr_file rw_file_perms; allow google_camera_app vendor_fw_file:dir search; -# Allows GCA to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) - # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - -# Library code may try to access vendor properties, but should be denied -dontaudit google_camera_app vendor_default_prop:file { getattr map open }; diff --git a/vendor/pixeldisplayservice_app.te b/vendor/pixeldisplayservice_app.te index 7320d00..e9c8d78 100644 --- a/vendor/pixeldisplayservice_app.te +++ b/vendor/pixeldisplayservice_app.te @@ -1,14 +1,2 @@ -type pixeldisplayservice_app, domain, coredomain; - -app_domain(pixeldisplayservice_app); - -allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms; -allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms; - allow pixeldisplayservice_app hal_pixel_display_service:service_manager find; binder_call(pixeldisplayservice_app, hal_graphics_composer_default) - -# Standard system services -allow pixeldisplayservice_app app_api_service:service_manager find; - -allow pixeldisplayservice_app cameraserver_service:service_manager find; diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 9c10fdd..ed23ae5 100644 
--- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -7,29 +7,9 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all -# PixelDisplayService -user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all - -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Qorvo UWB system app # TODO(b/222204912): Should this run under uwb user? user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all - -# SystemUI -user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all -user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all - diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index b462eb3..034dd0a 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te 
@@ -1,21 +1,3 @@ -type systemui_app, domain, coredomain; -app_domain(systemui_app) -allow systemui_app app_api_service:service_manager find; -allow systemui_app network_score_service:service_manager find; -allow systemui_app overlay_service:service_manager find; -allow systemui_app color_display_service:service_manager find; -allow systemui_app audioserver_service:service_manager find; -allow systemui_app cameraserver_service:service_manager find; -allow systemui_app mediaserver_service:service_manager find; -allow systemui_app mediaextractor_service:service_manager find; -allow systemui_app mediametrics_service:service_manager find; -allow systemui_app radio_service:service_manager find; -allow systemui_app vr_manager_service:service_manager find; - -get_prop(systemui_app, keyguard_config_prop) -set_prop(systemui_app, bootanim_system_prop) -get_prop(systemui_app, qemu_hw_prop) - allow systemui_app pixel_battery_service_type:service_manager find; binder_call(systemui_app, pixel_battery_domain) diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk index a5757bf..f202935 100644 --- a/zumapro-sepolicy.mk +++ b/zumapro-sepolicy.mk @@ -6,6 +6,7 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/private # system_ext
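Review bot: The added `PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/public` line in zumapro-sepolicy.mk registers only the product-side public directory, yet the commit also creates system_ext/public/pixeldisplayservice_app.te and system_ext/public/systemui_app.te. The hunk ends at the `# system_ext` comment, so it is not visible here whether a `SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS` entry for `device/google/zumapro-sepolicy/system_ext/public` already exists below. If it does not, the rules kept in vendor/systemui_app.te and vendor/pixeldisplayservice_app.te would reference undeclared types. Separately, the subject line says "to system_ext" while the camera domains land in the product `private/` and `public/` directories; the description could say so.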