From 81ade3dd1dc111889fae06570963f760cb882726 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Thu, 11 Oct 2018 19:22:07 -0700
Subject: [PATCH] Audit access to same_process_hal_file.

same_process_hal_file is exempted from many Treble neverallows. We want to know which processes access this type to eventually constrain access to it.

Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
---
 private/isolated_app.te | 6 ++++++
 public/domain.te | 15 +++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 85e80a5fa..95b008da1 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -47,6 +47,12 @@ allow isolated_app webview_zygote_tmpfs:file read;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app shell_data_file:dir search;
+# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
+# if needed.
+userdebug_or_eng(`
+ auditallow isolated_app same_process_hal_file:file *;
+')
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 allow isolated_app traced:fd use;
diff --git a/public/domain.te b/public/domain.te
index b47922752..04774ed81 100644
--- a/public/domain.te
+++ b/public/domain.te
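Review bot: The comment above `auditallow isolated_app same_process_hal_file:file *;` does not say why isolated_app gets its own rule. The audit set added in public/domain.te subtracts `-appdomain`, and its Renderscript comment lists `appdomain -isolated_app`, so this line appears to be the only thing logging SP-HAL access from the isolated sandbox. I would add `# isolated_app is removed from the auditallow in public/domain.te by -appdomain, so it is audited here.` so that a later cleanup of either file does not silently drop that coverage. Since auditallow only logs accesses that some allow rule grants, `*` will in practice report the `{ execute read open getattr map }` set granted to domain.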
@@ -188,7 +188,22 @@ allow domain vendor_hal_file:dir r_dir_perms;
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
+# TODO(b/37211678): whitelist domains that actually need same process HALs.
 allow domain same_process_hal_file:file { execute read open getattr map };
+# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
+# same_process_hal_file label, which is what we are interested in.
+userdebug_or_eng(`
+ auditallow {
+ coredomain
+ -zygote
+ -hal_allocator_client
+ # Graphics mapper clients.
+ -hal_graphics_allocator_client
+ # Renderscript clients include { system_server appdomain -isolated_app }.
+ -appdomain
+ -system_server
+ } same_process_hal_file:file *;
+')
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
-- GitLab
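Review bot: `-zygote` and `-hal_allocator_client` are subtracted from the audited set without a rationale, unlike the graphics mapper and Renderscript exclusions next to them. Every subtraction here is a core domain whose execute and map of SP-HAL files stays unlogged, so each one deserves a one-line comment above it naming the same-process HAL that domain is expected to load. The rule also audits only class `file`, while the `same_process_hal_file:dir r_dir_perms` grant in the context above stays unaudited; if that is intentional, the comment about "abuse of same_process_hal_file label" should say so. On userdebug builds this rule may fire often enough to hit audit rate limiting, which is worth checking before the collected data is used to decide the whitelist.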