authorInseob Kim <inseob@google.com>2023-08-08 20:46:03 +0900
committerInseob Kim <inseob@google.com>2023-08-08 15:11:08 +0000
commitac8048a4f7b0db2afaecce852d4bd25922dd2021 (patch)
treef1a1faa2cd2b9061e0580c03d48f56502631c31f
parent3377a38d65e7b70d023589436918fefe9a0c2e28 (diff)
Move coredomain seapp contexts to system_ext
Coredomain apps shouldn't be labeled by vendor sepolicy, because doing so is a Treble violation. Bug: 280547417 Test: TH Change-Id: Ib8d191a6c07278b51eec88cd8142adf6c1a45668 Merged-In: Ib8d191a6c07278b51eec88cd8142adf6c1a45668
-rw-r--r--private/debug_camera_app.te16
-rw-r--r--private/google_camera_app.te16
-rw-r--r--private/seapp_contexts11
-rw-r--r--public/debug_camera_app.te1
-rw-r--r--public/google_camera_app.te1
-rw-r--r--system_ext/private/pixeldisplayservice_app.te11
-rw-r--r--system_ext/private/seapp_contexts3
-rw-r--r--system_ext/public/pixeldisplayservice_app.te1
-rw-r--r--vendor/debug_camera_app.te15
-rw-r--r--vendor/google_camera_app.te17
-rw-r--r--vendor/pixeldisplayservice_app.te12
-rw-r--r--vendor/seapp_contexts16
-rw-r--r--zuma-sepolicy.mk1
13 files changed, 61 insertions, 60 deletions
diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te
new file mode 100644
index 0000000..8250e42
--- /dev/null
+++ b/private/debug_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
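Review bot: The debug_camera_app domain's rules are now split between this file and vendor/debug_camera_app.te (the GXP, EdgeTPU and hw_jpeg access stays on the vendor side, as the context lines of that file's hunks show), but neither file says so, and the same split applies to private/google_camera_app.te. A header such as `# Core-side rules for debug_camera_app; vendor-specific device access lives in vendor/debug_camera_app.te` at the top of each new file would keep the next maintainer from re-adding platform rules to the vendor file. Note also that the type (public/debug_camera_app.te) and its coredomain attribute here are declared unconditionally while every allow rule sits inside userdebug_or_eng, so on user builds the domain exists but grants nothing; that matches the old vendor layout, but a one-line comment stating it is intentional would help.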
diff --git a/private/google_camera_app.te b/private/google_camera_app.te
new file mode 100644
index 0000000..4ce84af
--- /dev/null
+++ b/private/google_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 0000000..38c4e6e
--- /dev/null
+++ b/private/seapp_contexts
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
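Review bot: These camera entries land in private/seapp_contexts, which the zuma-sepolicy.mk hunk shows being fed to PRODUCT_PRIVATE_SEPOLICY_DIRS, whereas the PixelDisplayService entry from the same vendor file moves to system_ext/private/seapp_contexts; the commit title speaks only of system_ext. If the product/system_ext split is deliberate (presumably following where each APK is installed), a header comment such as `# seapp_contexts for product-partition coredomain apps; system_ext apps go in system_ext/private/seapp_contexts` would make that explicit and stop a later change from "consolidating" the two files.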
diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te
new file mode 100644
index 0000000..6f49768
--- /dev/null
+++ b/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
diff --git a/public/google_camera_app.te b/public/google_camera_app.te
new file mode 100644
index 0000000..c93038c
--- /dev/null
+++ b/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/system_ext/private/pixeldisplayservice_app.te b/system_ext/private/pixeldisplayservice_app.te
new file mode 100644
index 0000000..9d603b7
--- /dev/null
+++ b/system_ext/private/pixeldisplayservice_app.te
@@ -0,0 +1,11 @@
+typeattribute pixeldisplayservice_app coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
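Review bot: `app_domain(pixeldisplayservice_app);` carries a trailing semicolon that the other app_domain invocations in this commit (private/debug_camera_app.te, private/google_camera_app.te) do not; it appears to be a stray empty statement carried over from the vendor file, tolerated by the compiler since it built before. Dropping it, `app_domain(pixeldisplayservice_app)`, keeps the three new domain files consistent. As with the camera domains, a header line noting that the hal_pixel_display_service find and the composer binder_call remain in vendor/pixeldisplayservice_app.te would document why this file looks incomplete on its own.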
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 3e1fa34..c3ec6d3 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,3 +1,6 @@
# SystemUI
user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
+
+# PixelDisplayService
+user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/pixeldisplayservice_app.te b/system_ext/public/pixeldisplayservice_app.te
new file mode 100644
index 0000000..2c608b4
--- /dev/null
+++ b/system_ext/public/pixeldisplayservice_app.te
@@ -0,0 +1 @@
+type pixeldisplayservice_app, domain;
diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
index eb7ccde..86394cf 100644
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@@ -1,16 +1,4 @@
-type debug_camera_app, domain, coredomain;
-
userdebug_or_eng(`
- app_domain(debug_camera_app)
- net_domain(debug_camera_app)
-
- allow debug_camera_app app_api_service:service_manager find;
- allow debug_camera_app audioserver_service:service_manager find;
- allow debug_camera_app cameraserver_service:service_manager find;
- allow debug_camera_app mediaextractor_service:service_manager find;
- allow debug_camera_app mediametrics_service:service_manager find;
- allow debug_camera_app mediaserver_service:service_manager find;
-
# Allows GCA-Eng & GCA-Next access the GXP device and properties.
allow debug_camera_app gxp_device:chr_file rw_file_perms;
get_prop(debug_camera_app, vendor_gxp_prop)
@@ -19,9 +7,6 @@ userdebug_or_eng(`
allow debug_camera_app edgetpu_app_service:service_manager find;
allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
- # Allows GCA_Eng & GCA-Next to access the PowerHAL.
- hal_client_domain(debug_camera_app, hal_power)
-
# Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
')
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index fd09abc..c0f13ef 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,26 +1,9 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-net_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
# Allows GCA to acccess the GXP device.
allow google_camera_app gxp_device:chr_file rw_file_perms;
# Allow GCA to access the GXP properies.
get_prop(google_camera_app, vendor_gxp_prop)
-# Allows GCA to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
# Allows GCA to find and access the EdgeTPU.
allow google_camera_app edgetpu_app_service:service_manager find;
allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Library code may try to access vendor properties, but should be denied
-dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/vendor/pixeldisplayservice_app.te b/vendor/pixeldisplayservice_app.te
index 7320d00..e9c8d78 100644
--- a/vendor/pixeldisplayservice_app.te
+++ b/vendor/pixeldisplayservice_app.te
@@ -1,14 +1,2 @@
-type pixeldisplayservice_app, domain, coredomain;
-
-app_domain(pixeldisplayservice_app);
-
-allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
-allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
-
allow pixeldisplayservice_app hal_pixel_display_service:service_manager find;
binder_call(pixeldisplayservice_app, hal_graphics_composer_default)
-
-# Standard system services
-allow pixeldisplayservice_app app_api_service:service_manager find;
-
-allow pixeldisplayservice_app cameraserver_service:service_manager find;
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index f994993..ed23ae5 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -7,25 +7,9 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
# Domain for connectivity monitor
user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-# PixelDisplayService
-user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
-
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Google Camera Eng
-user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
-user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
-user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
-
# Qorvo UWB system app
# TODO(b/222204912): Should this run under uwb user?
user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
# CccDkTimeSyncService
user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 579a50f..2d80f55 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -6,6 +6,7 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private
# unresolved SELinux error log with bug tracking
BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/public
PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/private
# system_ext