SELinux policies for PDX services

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

private/app.te

@@ -297,11 +297,14 @@ allow appdomain proc_meminfo:file r_file_perms;
 # For app fuse.
 allow appdomain app_fuse_file:file { getattr read append write };
 
-use_pdx({ appdomain -isolated_app -ephemeral_app }, surfaceflinger)
-use_pdx({ appdomain -isolated_app -ephemeral_app }, sensord)
-use_pdx({ appdomain -isolated_app -ephemeral_app }, performanced)
-# TODO: apps do not directly open the IPC socket for bufferhubd.
-use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, sensors_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, pose_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
 
 ###
 ### CTS-specific rules

private/file_contexts

@@ -130,7 +130,19 @@
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
 /dev/socket/mtpd	u:object_r:mtpd_socket:s0
 /dev/socket/netd	u:object_r:netd_socket:s0
-/dev/socket/pdx(/.*)?	u:object_r:pdx_socket:s0
+/dev/socket/pdx/system/buffer_hub	u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client	u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance	u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client	u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/sensors	u:object_r:pdx_sensors_dir:s0
+/dev/socket/pdx/system/vr/sensors/client	u:object_r:pdx_sensors_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/pose	u:object_r:pdx_pose_dir:s0
+/dev/socket/pdx/system/vr/pose/client	u:object_r:pdx_pose_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display	u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client	u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager	u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot	u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0

private/surfaceflinger.te

@@ -91,11 +91,15 @@ allow surfaceflinger system_server:fd use;
 allow surfaceflinger ion_device:chr_file r_file_perms;
 
 # pdx IPC
-pdx_server(surfaceflinger)
-
-use_pdx(surfaceflinger, bufferhubd)
-use_pdx(surfaceflinger, performanced)
-use_pdx(surfaceflinger, sensord)
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+pdx_client(surfaceflinger, sensors_client)
+pdx_client(surfaceflinger, pose_client)
 
 ###
 ### Neverallow rules

public/attributes

@@ -154,6 +154,20 @@ attribute socket_between_core_and_vendor_violators;
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
 
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+attribute pdx_channel_socket_type;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(sensors_client)
+pdx_service_attributes(pose_client);
+pdx_service_attributes(bufferhub_client)
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients

public/bufferhubd.te

@@ -4,8 +4,8 @@ type bufferhubd_exec, exec_type, file_type;
 
 hal_client_domain(bufferhubd, hal_graphics_allocator)
 
-pdx_server(bufferhubd)
-use_pdx(bufferhubd, performanced)
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
 
 # Access the GPU.
 allow bufferhubd gpu_device:chr_file rw_file_perms;
@@ -16,5 +16,5 @@ allow bufferhubd ion_device:chr_file r_file_perms;
 # Receive sync fence FDs from mediacodec. Note that mediacodec never directly
 # connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
 # those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use use_pdx macro.
+# Thus, there is no need to use pdx_client macro.
 allow bufferhubd mediacodec:fd use;

public/domain.te

@@ -640,7 +640,8 @@ full_treble_only(`
     unlabeled # used only by core domains
     core_data_file_type
     -app_data_file
-    -pdx_socket # used by VR layer
+    -pdx_endpoint_socket_type # used by VR layer
+    -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
 
   # Core domains are not permitted to create/open sockets owned by vendor domains

public/file.te

@@ -264,7 +264,6 @@ type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
 type misc_logd_file, coredomain_socket, file_type;
 type mtpd_socket, file_type, coredomain_socket;
 type netd_socket, file_type, coredomain_socket;
-type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
@@ -281,6 +280,22 @@ type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_sensors_dir, pdx_endpoint_dir_type, file_type;
+type pdx_pose_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(sensors_client, pdx_sensors_dir)
+pdx_service_socket_types(pose_client, pdx_pose_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
 # file_contexts files
 type file_contexts_file, file_type;
 

public/mediacodec.te

@@ -43,7 +43,7 @@ hal_client_domain(mediacodec, hal_graphics_allocator)
 # Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
 # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
 # between those two: it talks to mediacodec via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use use_pdx macro.
+# via PDX. Thus, there is no need to use pdx_client macro.
 allow mediacodec bufferhubd:fd use;
 
 ###

public/performanced.te

@@ -2,7 +2,7 @@
 type performanced, domain, mlstrustedsubject;
 type performanced_exec, exec_type, file_type;
 
-pdx_server(performanced)
+pdx_server(performanced, performance_client)
 
 # TODO: use file caps to obtain sys_nice instead of setuid / setgid.
 allow performanced self:capability { setuid setgid sys_nice };

public/sensord.te

@@ -5,9 +5,10 @@ type sensord_exec, exec_type, file_type;
 hal_client_domain(sensord, hal_graphics_allocator)
 allow sensord hal_graphics_allocator:fd use;
 
-pdx_server(sensord)
-use_pdx(sensord, bufferhubd)
-use_pdx(sensord, performanced)
+pdx_server(sensord, sensors_client)
+pdx_server(sensord, pose_client)
+pdx_client(sensord, bufferhub_client)
+pdx_client(sensord, performance_client)
 
 # Access /dev/ion
 allow sensord ion_device:chr_file r_file_perms;

public/te_macros

@@ -85,26 +85,73 @@ allow $1 tmpfs:dir { getattr search };
 # rules from underlying transport (e.g. UDS-based implementation).
 
 #####################################
-# pdx_server(domain)
-define(`pdx_server', `
-allow $1 pdx_socket:dir create_dir_perms;
-allow $1 pdx_socket:sock_file create_file_perms;
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
 ')
 
 #####################################
-# use_pdx(clientdomain, serverdomain)
-define(`use_pdx', `
-# Open the socket.
-allow $1 pdx_socket:dir r_dir_perms;
-allow $1 pdx_socket:sock_file rw_file_perms;
-# Use the socket.
-allow $1 $2:unix_stream_socket { connectto read write shutdown };
-# Clients recieve an event fd from the server.
-allow $1 $2:fd use;
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
 # Servers may receive sync fences, gralloc buffers, etc, from clients.
 # This could be tightened on a per-server basis, but keeping track of service
 # clients is error prone.
-allow $2 $1:fd use;
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
 ')
 
 #####################################

public/vr_hwc.te

@@ -24,7 +24,7 @@ allow vr_hwc ion_device:chr_file r_file_perms;
 
 # Allow connection to VR DisplayClient to get the primary display metadata
 # (ie: size).
-use_pdx(vr_hwc, surfaceflinger)
+pdx_client(vr_hwc, display_client)
 
 # Requires access to the permission service to validate that clients have the
 # appropriate VR permissions.