emulator: move sepolicy to goldfish project

The sepolicies are emulator specific and are installed
under vendor partition, move them to the right location.

BUG: 110030159
Change-Id: I6acc27a3b787a3fafd9373c84492537185b184c5
Merged-In: I6acc27a3b787a3fafd9373c84492537185b184c5
This commit is contained in:
bohu 2018-06-13 10:18:07 -07:00
parent 378da0f328
commit 4abeb75f32
54 changed files with 7 additions and 372 deletions

View File

@ -77,7 +77,7 @@ BOARD_USES_METADATA_PARTITION := true
BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
# Android Verified Boot (AVB):

View File

@ -1,8 +0,0 @@
alanstokes@google.com
bowgotsai@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
sspatil@google.com
tomcherry@google.com
trong@google.com

View File

@ -1 +0,0 @@
set_prop(adbd, ctl_mdnsd_prop);

View File

@ -1 +0,0 @@
allow audioserver bootanim:binder call;

View File

@ -1,9 +0,0 @@
allow bootanim self:process execmem;
allow bootanim ashmem_device:chr_file execute;
#TODO: This can safely be ignored until b/62954877 is fixed
dontaudit bootanim system_data_file:dir read;
allow bootanim graphics_device:chr_file { read ioctl open };
typeattribute bootanim system_writes_vendor_properties_violators;
set_prop(bootanim, qemu_prop)

View File

@ -1,2 +0,0 @@
allow cameraserver system_file:dir { open read };
allow cameraserver hal_allocator:fd use;

View File

@ -1,14 +0,0 @@
# Network namespace creation
type createns, domain;
type createns_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(createns)
allow createns self:capability { sys_admin net_raw setuid setgid };
allow createns varrun_file:dir { add_name search write };
allow createns varrun_file:file { create mounton open read write };
#Allow createns itself to be run by init in its own domain
domain_auto_trans(goldfish_setup, createns_exec, createns);
allow createns goldfish_setup:fd use;

View File

@ -1 +0,0 @@
type qemu_device, dev_type, mlstrustedobject;

View File

@ -1,20 +0,0 @@
# DHCP client
type dhcpclient, domain;
type dhcpclient_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(dhcpclient)
net_domain(dhcpclient)
allow dhcpclient execns:fd use;
set_prop(dhcpclient, net_eth0_prop);
allow dhcpclient self:capability { net_admin net_raw };
allow dhcpclient self:udp_socket create;
allow dhcpclient self:netlink_route_socket { write nlmsg_write };
allow dhcpclient varrun_file:dir search;
allow dhcpclient self:packet_socket { create bind write read };
allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
SIOCSIFADDR
SIOCSIFNETMASK
SIOCSIFMTU
SIOCGIFHWADDR };

View File

@ -1,12 +0,0 @@
# DHCP server
type dhcpserver, domain;
type dhcpserver_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(dhcpserver)
net_domain(dhcpserver)
allow dhcpserver execns:fd use;
get_prop(dhcpserver, net_eth0_prop);
allow dhcpserver self:udp_socket { ioctl create setopt bind };
allow dhcpserver self:capability { net_raw net_bind_service };

View File

@ -1,3 +0,0 @@
allow domain qemu_device:chr_file rw_file_perms;
get_prop(domain, qemu_prop)

View File

@ -1,27 +0,0 @@
# Network namespace transitions
type execns, domain;
type execns_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(execns)
allow execns varrun_file:dir search;
allow execns varrun_file:file r_file_perms;
allow execns self:capability { sys_admin setuid setgid };
allow execns nsfs:file { open read };
#Allow execns itself to be run by init in its own domain
domain_auto_trans(init, execns_exec, execns);
# Allow dhcpclient to be run by execns in its own domain
domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
# Allow dhcpserver to be run by execns in its own domain
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
# Allow hostapd_nohidl to be run by execns in its own domain
domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
# Allow execns to read createns proc file to get the namespace file
allow execns createns:file read;
allow execns createns:dir search;
allow execns createns:lnk_file read;

View File

@ -1,4 +0,0 @@
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type varrun_file, file_type, data_file_type, mlstrustedobject;
type mediadrm_vendor_data_file, file_type, data_file_type;
type nsfs, fs_type;

View File

@ -1,47 +0,0 @@
# goldfish
/dev/block/mtdblock0 u:object_r:system_block_device:s0
/dev/block/mtdblock1 u:object_r:userdata_block_device:s0
/dev/block/mtdblock2 u:object_r:cache_block_device:s0
# ranchu
/dev/block/vda u:object_r:system_block_device:s0
/dev/block/vdb u:object_r:cache_block_device:s0
/dev/block/vdc u:object_r:userdata_block_device:s0
/dev/block/vdd u:object_r:metadata_block_device:s0
/dev/block/vde u:object_r:system_block_device:s0
/dev/goldfish_pipe u:object_r:qemu_device:s0
/dev/goldfish_sync u:object_r:qemu_device:s0
/dev/qemu_.* u:object_r:qemu_device:s0
/dev/ttyGF[0-9]* u:object_r:serial_device:s0
/dev/ttyS2 u:object_r:console_device:s0
/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
/vendor/bin/createns u:object_r:createns_exec:s0
/vendor/bin/execns u:object_r:execns_exec:s0
/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
/vendor/lib(64)?/hw/gralloc\.ranchu\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/gralloc\.goldfish\.default\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libEGL_emulation\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv1_CM_emulation\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv2_emulation\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
# data
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0

View File

@ -1,20 +0,0 @@
# On the emulator, device tree dir is configured to be
# /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
# /sys/devices/platform/ANDR0001:00/properties/android/
genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
# We expect /sys/class/power_supply/* and everything it links to to be labeled
# as sysfs_batteryinfo.
genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0
# /sys/class/rtc
genfscon sysfs /devices/pnp0/00:00/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
# /sys/class/net
genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
# /proc/<pid>/ns
genfscon nsfs / u:object_r:nsfs:s0

View File

@ -1,47 +0,0 @@
# goldfish-setup service: runs init.goldfish.sh script
type goldfish_setup, domain;
type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(goldfish_setup)
# TODO(b/79502552): Invalid property access from emulator vendor
#set_prop(goldfish_setup, debug_prop);
allow goldfish_setup self:capability { net_admin net_raw };
allow goldfish_setup self:udp_socket { create ioctl };
allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
wakelock_use(goldfish_setup);
allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
# Set system properties to start services
set_prop(goldfish_setup, ctl_default_prop);
# Set up WiFi
allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
allow goldfish_setup self:capability { sys_module sys_admin };
allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
allow goldfish_setup execns_exec:file rx_file_perms;
allow goldfish_setup proc_net:file rw_file_perms;
allow goldfish_setup proc:file r_file_perms;
allow goldfish_setup nsfs:file r_file_perms;
allow goldfish_setup system_data_file:dir getattr;
allow goldfish_setup kernel:system module_request;
set_prop(goldfish_setup, qemu_prop);
get_prop(goldfish_setup, net_share_prop);
# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
allow goldfish_setup system_file:file execute_no_trans;
# Allow goldfish_setup to run init.wifi.sh
allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
#Allow goldfish_setup to run createns in its own domain
domain_auto_trans(goldfish_setup, createns_exec, createns);
# iw
allow goldfish_setup sysfs:file { read open };
# iptables
allow goldfish_setup system_file:file lock;
allow goldfish_setup self:rawip_socket { create getopt setopt };
# Allow goldfish_setup to read createns proc file to get the namespace file
allow goldfish_setup createns:file { read };
allow goldfish_setup createns:dir { search };
allow goldfish_setup createns:lnk_file { read };

View File

@ -1,3 +0,0 @@
vndbinder_use(hal_camera_default);
allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
hal_client_domain(hal_camera_default, hal_graphics_composer)

View File

@ -1 +0,0 @@
vndbinder_use(hal_cas_default);

View File

@ -1,2 +0,0 @@
vndbinder_use(hal_drm_default);
hal_client_domain(hal_drm_default, hal_graphics_composer)

View File

@ -1,14 +0,0 @@
# define SELinux domain
type hal_drm_widevine, domain;
hal_server_domain(hal_drm_widevine, hal_drm)
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_widevine)
allow hal_drm mediacodec:fd use;
allow hal_drm { appdomain -isolated_app }:fd use;
vndbinder_use(hal_drm_widevine);
hal_client_domain(hal_drm_widevine, hal_graphics_composer);
allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;

View File

@ -1,5 +0,0 @@
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
# hal_fingerprint no longer directly accesses fingerprintd_data_file.
typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;

View File

@ -1,3 +0,0 @@
#============= hal_gnss_default ==============
allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };

View File

@ -1,2 +0,0 @@
allow hal_graphics_allocator_default graphics_device:dir search;
allow hal_graphics_allocator_default graphics_device:chr_file { ioctl open read write };

View File

@ -1,3 +0,0 @@
#============= hal_graphics_composer_default ==============
allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };

View File

@ -1 +0,0 @@
allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };

View File

@ -1,2 +0,0 @@
# Allow to read /sys/class/power_supply directory
allow healthd sysfs:dir r_dir_perms;

View File

@ -1,16 +0,0 @@
type hostapd_nohidl, domain;
type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hostapd_nohidl)
net_domain(hostapd_nohidl)
allow hostapd_nohidl execns:fd use;
allow hostapd_nohidl self:capability { net_admin net_raw };
allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
allow hostapd_nohidl self:packet_socket { create setopt };
allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
# hostapd will attempt to search sysfs but it's not needed and will spam the log
dontaudit hostapd_nohidl sysfs_net:dir search;

View File

@ -1,2 +0,0 @@
allow init tmpfs:lnk_file create_file_perms;
dontaudit init kernel:system module_request;

View File

@ -1,16 +0,0 @@
# IPv6 proxying
type ipv6proxy, domain;
type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(ipv6proxy)
net_domain(ipv6proxy)
# Allow ipv6proxy to be run by execns in its own domain
domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
allow ipv6proxy execns:fd use;
allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
allow ipv6proxy self:packet_socket { bind create read };
allow ipv6proxy self:netlink_route_socket nlmsg_write;
allow ipv6proxy varrun_file:dir search;
allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };

View File

@ -1,13 +0,0 @@
# goldfish logcat service: runs logcat -Q in logpersist domain
# See global logcat.te/logpersist.te, only set for eng & userdebug,
# allow for all builds in a non-conflicting manner.
domain_auto_trans(init, logcat_exec, logpersist)
# Read from logd.
unix_socket_connect(logpersist, logdr, logd)
# Write to /dev/ttyS2 and /dev/ttyGF2.
allow logpersist serial_device:chr_file { write open };
get_prop(logpersist, qemu_cmdline)

View File

@ -1 +0,0 @@
allow mediacodec system_file:dir { open read };

View File

@ -1,3 +0,0 @@
dontaudit netd self:capability sys_module;
#TODO: This can safely be ignored until b/62954877 is fixed
dontaudit netd kernel:system module_request;

View File

@ -1,5 +0,0 @@
#TODO: b/62908025
dontaudit priv_app firstboot_prop:file { getattr open };
dontaudit priv_app device:dir { open read };
dontaudit priv_app proc_interrupts:file { getattr open read };
dontaudit priv_app proc_modules:file { getattr open read };

View File

@ -1,5 +0,0 @@
type qemu_prop, property_type;
type qemu_cmdline, property_type;
type radio_noril_prop, property_type;
type net_eth0_prop, property_type;
type net_share_prop, property_type;

View File

@ -1,8 +0,0 @@
qemu. u:object_r:qemu_prop:s0
qemu.cmdline u:object_r:qemu_cmdline:s0
vendor.qemu u:object_r:qemu_prop:s0
ro.emu. u:object_r:qemu_prop:s0
ro.emulator. u:object_r:qemu_prop:s0
ro.radio.noril u:object_r:radio_noril_prop:s0
net.eth0. u:object_r:net_eth0_prop:s0
net.shared_net_ip u:object_r:net_share_prop:s0

View File

@ -1,10 +0,0 @@
# qemu-props service: Sets system properties on boot.
type qemu_props, domain;
type qemu_props_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(qemu_props)
set_prop(qemu_props, qemu_prop)
# TODO(b/79502552): Invalid property access from emulator vendor
#set_prop(qemu_props, qemu_cmdline)
set_prop(qemu_props, qemu_cmdline)

View File

@ -1,3 +0,0 @@
# Allow the radio to read these properties, they only have an SELinux label in
# the emulator.
get_prop(radio, net_eth0_prop);

View File

@ -1,3 +0,0 @@
# Allow rild to read these properties, they only have an SELinux label in the
# emulator.
get_prop(rild, net_eth0_prop);

View File

@ -1 +0,0 @@
allow shell serial_device:chr_file rw_file_perms;

View File

@ -1,5 +0,0 @@
allow surfaceflinger self:process execmem;
allow surfaceflinger ashmem_device:chr_file execute;
typeattribute surfaceflinger system_writes_vendor_properties_violators;
set_prop(surfaceflinger, qemu_prop)

View File

@ -1 +0,0 @@
get_prop(system_server, radio_noril_prop)

View File

@ -1 +0,0 @@
set_prop(vendor_init, qemu_prop)

View File

@ -1 +0,0 @@
dontaudit vold kernel:system module_request;

View File

@ -1,5 +0,0 @@
typeattribute zygote system_writes_vendor_properties_violators;
set_prop(zygote, qemu_prop)
# TODO (b/63631799) fix this access
# Suppress denials to storage. Webview zygote should not be accessing.
dontaudit webview_zygote mnt_expand_file:dir getattr;

View File

@ -94,7 +94,7 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
# Android Verified Boot (AVB):
# Builds a special vbmeta.img that disables AVB verification.

View File

@ -67,8 +67,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
BOARD_SEPOLICY_DIRS += \
build/target/board/generic/sepolicy \
build/target/board/generic_x86/sepolicy
device/generic/goldfish/sepolicy/common \
device/generic/goldfish/sepolicy/x86
# Android Verified Boot (AVB):
# Builds a special vbmeta.img that disables AVB verification.

View File

@ -1,8 +0,0 @@
alanstokes@google.com
bowgotsai@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
sspatil@google.com
tomcherry@google.com
trong@google.com

View File

@ -1 +0,0 @@
allow domain cpuctl_device:dir search;

View File

@ -1 +0,0 @@
allow healthd self:capability sys_nice;

View File

@ -1 +0,0 @@
allow init tmpfs:lnk_file create_file_perms;

View File

@ -1 +0,0 @@
allow installd self:process execmem;

View File

@ -1,2 +0,0 @@
allow zygote self:process execmem;
allow zygote self:capability sys_nice;

View File

@ -65,8 +65,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
BOARD_SEPOLICY_DIRS += \
build/target/board/generic/sepolicy \
build/target/board/generic_x86/sepolicy
device/generic/goldfish/sepolicy/common \
device/generic/goldfish/sepolicy/x86
# Android Verified Boot (AVB):
# Builds a special vbmeta.img that disables AVB verification.

View File

@ -61,4 +61,4 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_FLASH_BLOCK_SIZE := 512
TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common