Commit 22157e7a authored by Alex Klyubin

Treble devices use binderized HALs

All HALs which are represented by hal_* attributes in SELinux policy
are required to run in binderized mode on Treble devices. This commit
thus makes the SELinux policy for Treble devices no longer associate
domains in hal_x_client with hal_x attribute, which is what was
granting domains hosting clients of hal_x the rules needed to run this
HAL in-process. The result is that core components now have less
access.

This commit has no effect on non-Treble devices.

Test: Device boots -- no new denials
Test: Play movie using Google Play Movies and Netflix
Test: Play YouTube clip in YouTube app and in Chrome
Test: Unlock lock screen using fingerprint
Test: Using Google Camera, take a photo, an HDR+ photo, record a
      video with sound, a slow motion video with sound. Photos and
      videos display/play back fine (incl. sound).
Test: adb screencap
Test: $ monitor
      take screenshot
Test: In all tests, no denials to do with hal_*, except pre-existing
      denials to do with hal_gnss.
Bug: 37160141
Bug: 34274385
Bug: 34170079
Change-Id: I1ca91d43592b466114af13898f5909f41e59b521
parent 4d24a775
......@@ -197,11 +197,6 @@ binder_call(system_server, hal_vr)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
typeattribute system_server socket_between_core_and_vendor_violators;
hal_client_domain(system_server, hal_wifi_supplicant)
# Talk to tombstoned to get ANR traces.
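Review bot: The Test: list in the commit message has no Wi-Fi case, yet this hunk (-197,11 +197,6) is the one carrying the TODO(b/34274385) about passthrough Wi-Fi Supplicant HAL reaching wpa_socket and the `typeattribute system_server socket_between_core_and_vendor_violators;` exemption. The +/- markers are not visible in this rendering, but the header shows five lines dropped from this region; if those are the TODO and the exemption, please add a test that associates with a Wi-Fi network and checks for system_server denials on wpa_socket, and mention the removed exemption in the commit message, which currently describes only the hal_x_client change.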
......
......@@ -175,15 +175,17 @@ define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional,
# once we know at build time whether a HAL is going to run in
# passthrough or binderized mode.
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
not_full_treble(`
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute };
')
')
#####################################
# passthrough_hal_client_domain(domain, hal_type)
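Review bot: Inside the not_full_treble( block the three allow rules are granted to $2, not $1, so making them conditional removes them on Treble devices for every domain that carries the $2 attribute, not only for the client passed as $1. Please confirm that the domains still holding $2 on full Treble get `allow $2 vendor_file:file { read open getattr execute };` and the two `r_dir_perms` rules from somewhere else, or keep those rules outside the conditional and guard only `typeattribute $1 $2;`. Minor: "on non-Treble device" in the new TODO should read "on non-Treble devices".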
......