From d5f90a52e710e80c94e64780317ea196ef6bdab6 Mon Sep 17 00:00:00 2001
From: bohu
Date: Fri, 26 May 2017 10:26:15 -0700
Subject: [PATCH] build-emulator: fully treblize emulator image

Install emulator specific binaries and libraries to vendor partition; update selinux; add vndk.

BUG: 37511975
Test: build user build, launch emualtor, run CTS.
Change-Id: I70f58947e98b41b195d77b4347d2efdc09348392
---
 target/board/generic/sepolicy/adbd.te | 1 +
 target/board/generic/sepolicy/audioserver.te | 1 +
 target/board/generic/sepolicy/bootanim.te | 3 +-
 target/board/generic/sepolicy/cameraserver.te | 2 +
 target/board/generic/sepolicy/file.te | 1 -
 target/board/generic/sepolicy/file_contexts | 25 +++++--
 .../board/generic/sepolicy/goldfish_setup.te | 27 ++-----
 .../generic/sepolicy/hal_drm_widevine.te | 11 +++
 target/board/generic/sepolicy/init.te | 1 +
 target/board/generic/sepolicy/mediacodec.te | 1 +
 target/board/generic/sepolicy/netd.te | 2 +
 target/board/generic/sepolicy/priv_app.te | 5 ++
 target/board/generic/sepolicy/qemu_props.te | 5 +-
 target/board/generic/sepolicy/qemud.te | 8 --
 target/board/generic/sepolicy/rild.te | 1 -
 .../board/generic/sepolicy/system_server.te | 1 -
 target/board/generic/sepolicy/vold.te | 1 +
 target/board/generic/sepolicy/zygote.te | 3 +
 target/product/emulator.mk | 74 +++++++++++++++----
 19 files changed, 113 insertions(+), 60 deletions(-)
 create mode 100644 target/board/generic/sepolicy/adbd.te
 create mode 100644 target/board/generic/sepolicy/audioserver.te
 create mode 100644 target/board/generic/sepolicy/cameraserver.te
 create mode 100644 target/board/generic/sepolicy/hal_drm_widevine.te
 create mode 100644 target/board/generic/sepolicy/mediacodec.te
 create mode 100644 target/board/generic/sepolicy/priv_app.te
 delete mode 100644 target/board/generic/sepolicy/qemud.te
 delete mode 100644 target/board/generic/sepolicy/rild.te
 create mode 100644 target/board/generic/sepolicy/vold.te
diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te
new file mode 100644
index 000000000..9546c1a47
--- /dev/null
+++ b/target/board/generic/sepolicy/adbd.te
@@ -0,0 +1 @@
+set_prop(adbd, ctl_mdnsd_prop);
diff --git a/target/board/generic/sepolicy/audioserver.te b/target/board/generic/sepolicy/audioserver.te
new file mode 100644
index 000000000..c3c4a3a3d
--- /dev/null
+++ b/target/board/generic/sepolicy/audioserver.te
@@ -0,0 +1 @@
+allow audioserver bootanim:binder call;
diff --git a/target/board/generic/sepolicy/bootanim.te b/target/board/generic/sepolicy/bootanim.te
index b4b1eef83..4be1c8a20 100644
--- a/target/board/generic/sepolicy/bootanim.te
+++ b/target/board/generic/sepolicy/bootanim.te
@@ -1,4 +1,5 @@
 allow bootanim self:process execmem;
 allow bootanim ashmem_device:chr_file execute;
-
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit bootanim system_data_file:dir read;
 set_prop(bootanim, qemu_prop)
diff --git a/target/board/generic/sepolicy/cameraserver.te b/target/board/generic/sepolicy/cameraserver.te
new file mode 100644
index 000000000..6cf5d6ae4
--- /dev/null
+++ b/target/board/generic/sepolicy/cameraserver.te
@@ -0,0 +1,2 @@
+allow cameraserver system_file:dir { open read };
+allow cameraserver hal_allocator:fd use;
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
index 9227f8018..f4ae9e43b 100644
--- a/target/board/generic/sepolicy/file.te
+++ b/target/board/generic/sepolicy/file.te
@@ -1,2 +1 @@
-type qemud_socket, file_type;
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index d1a1e8cef..f550f4db2 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
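Review bot: `set_prop(adbd, ctl_mdnsd_prop);` ends a macro invocation with a semicolon, while `set_prop(bootanim, qemu_prop)` in the bootanim.te hunk of this same commit and the `init_daemon_domain(...)` calls elsewhere do not; `wakelock_use(goldfish_setup);` in goldfish_setup.te and `hal_client_domain(hal_drm_widevine, hal_graphics_composer);` in hal_drm_widevine.te carry the same stray `;`. The macros expand to complete statements, so the extra semicolon is noise at best and worth dropping for consistency, `set_prop(adbd, ctl_mdnsd_prop)`. A one-line comment on why adbd on the emulator needs to control mdnsd (a `ctl.` property type is a service start/stop permission, not a plain value) would also help, since this is the only rule the device policy grants adbd.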
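Review bot: `allow audioserver bootanim:binder call;` is the reverse of the usual client-to-service direction (the audio server calling into the boot animation process) and the new file gives no hint which interaction it serves. Add a comment naming the binder object audioserver calls back into, e.g. `# audioserver calls back into bootanim's <callback interface> during boot sound playback` with the interface filled in from the denial that motivated the rule, so the rule can be re-evaluated when bootanim changes.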
@@ -7,16 +7,29 @@
 /dev/block/vda u:object_r:system_block_device:s0
 /dev/block/vdb u:object_r:cache_block_device:s0
 /dev/block/vdc u:object_r:userdata_block_device:s0
+/dev/block/vdd u:object_r:metadata_block_device:s0
+/dev/block/vde u:object_r:system_block_device:s0
 /dev/goldfish_pipe u:object_r:qemu_device:s0
 /dev/goldfish_sync u:object_r:qemu_device:s0
 /dev/qemu_.* u:object_r:qemu_device:s0
-/dev/socket/qemud u:object_r:qemud_socket:s0
 /dev/ttyGF[0-9]* u:object_r:serial_device:s0
 /dev/ttyS2 u:object_r:console_device:s0
-/system/bin/qemud u:object_r:qemud_exec:s0
 /sys/qemu_trace(/.*)? u:object_r:sysfs_writable:s0
-/system/etc/init.goldfish.sh u:object_r:goldfish_setup_exec:s0
-/system/vendor/bin/init.ranchu-core.sh u:object_r:goldfish_setup_exec:s0
-/system/vendor/bin/init.ranchu-net.sh u:object_r:goldfish_setup_exec:s0
-/system/bin/qemu-props u:object_r:qemu_props_exec:s0
+/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
+
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+
+/vendor/lib(64)?/hw/gralloc\.ranchu\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index 78d20fca0..bcd49bdc4 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
@@ -1,29 +1,12 @@
 # goldfish-setup service: runs init.goldfish.sh script
 type goldfish_setup, domain;
-type goldfish_setup_exec, exec_type, file_type;
+type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(goldfish_setup)
-# Inherit open file to shell (interpreter) for script.
-allow goldfish_setup shell_exec:file rx_file_perms;
-
-# Run ifconfig, route commands to configure interfaces and routes.
-allow goldfish_setup system_file:file execute_no_trans;
-allow goldfish_setup toolbox_exec:file rx_file_perms;
 allow goldfish_setup self:capability { net_admin net_raw };
-allow goldfish_setup self:udp_socket create_socket_perms;
+allow goldfish_setup self:udp_socket { create ioctl };
+allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
 allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(goldfish_setup)
-net_domain(goldfish_setup)
-
-# Set net.eth0.dns*, debug.sf.nobootanimation
-set_prop(goldfish_setup, system_prop)
-set_prop(goldfish_setup, debug_prop)
-
-# Set ro.radio.noril
-set_prop(goldfish_setup, radio_noril_prop)
-
-# Stop ril-daemon service (by setting ctl.stop to ril-daemon, which
-# transforms to a permission check on ctl.ril-daemon).
-set_prop(goldfish_setup, ctl_rildaemon_prop)
+wakelock_use(goldfish_setup);
+allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
diff --git a/target/board/generic/sepolicy/hal_drm_widevine.te b/target/board/generic/sepolicy/hal_drm_widevine.te
new file mode 100644
index 000000000..c1a63ca74
--- /dev/null
+++ b/target/board/generic/sepolicy/hal_drm_widevine.te
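Review bot: `/dev/block/vde u:object_r:system_block_device:s0` labels a second block device with the system type without saying which partition it carries, so every domain allowed to open `system_block_device` now reaches this device as well. If it is the vendor image (the rest of the commit moves the emulator binaries to /vendor), a comment saying so, and a dedicated type if the base policy offers one, would keep the two partitions distinguishable in policy, e.g. `# vde: <partition> image — TODO confirm` with the placeholder filled in. The eleven `same_process_hal_file` entries deserve one line above them such as `# sp-HAL graphics libraries: mapped into client processes, so they run in the caller's domain`, because that label is what lets vendor libraries be loaded into app and framework processes and a reader should see that this is deliberate. The `@@ -7,16 +7,29 @@` counts are one line more than is visible here on both sides, so one context line (likely a blank) was lost in extraction.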
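Review bot: The header comment `# goldfish-setup service: runs init.goldfish.sh script` is stale after this commit: file_contexts now labels only `/vendor/bin/init\.ranchu-core\.sh` and `/vendor/bin/init\.ranchu-net\.sh` as `goldfish_setup_exec`, and emulator.mk drops the init.goldfish.sh copy. Update it to `# goldfish-setup service: runs the init.ranchu-core.sh / init.ranchu-net.sh setup scripts from /vendor/bin`. Narrowing `create_socket_perms` to `allow goldfish_setup self:udp_socket { create ioctl };` is a good tightening; the removed `set_prop` rules and `net_domain` leave no trace of where net.eth0 / ro.radio.noril are now set, so a one-line note (presumably the vendor init .rc) next to the remaining rules would save the next reader the search.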
@@ -0,0 +1,11 @@
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
diff --git a/target/board/generic/sepolicy/init.te b/target/board/generic/sepolicy/init.te
index 3aa81d1b5..84a4e8dbf 100644
--- a/target/board/generic/sepolicy/init.te
+++ b/target/board/generic/sepolicy/init.te
@@ -1 +1,2 @@
 allow init tmpfs:lnk_file create_file_perms;
+dontaudit init kernel:system module_request;
diff --git a/target/board/generic/sepolicy/mediacodec.te b/target/board/generic/sepolicy/mediacodec.te
new file mode 100644
index 000000000..acf4e59b9
--- /dev/null
+++ b/target/board/generic/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec system_file:dir { open read };
diff --git a/target/board/generic/sepolicy/netd.te b/target/board/generic/sepolicy/netd.te
index 2b002ec9c..09a28b996 100644
--- a/target/board/generic/sepolicy/netd.te
+++ b/target/board/generic/sepolicy/netd.te
@@ -1 +1,3 @@
 dontaudit netd self:capability sys_module;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit netd kernel:system module_request;
diff --git a/target/board/generic/sepolicy/priv_app.te b/target/board/generic/sepolicy/priv_app.te
new file mode 100644
index 000000000..3d16f32b0
--- /dev/null
+++ b/target/board/generic/sepolicy/priv_app.te
@@ -0,0 +1,5 @@
+#TODO: b/62908025
+dontaudit priv_app firstboot_prop:file { getattr open };
+dontaudit priv_app device:dir { open read };
+dontaudit priv_app proc_interrupts:file { getattr open read };
+dontaudit priv_app proc_modules:file { getattr open read };
diff --git a/target/board/generic/sepolicy/qemu_props.te b/target/board/generic/sepolicy/qemu_props.te
index d5571fd22..0f5ec8c94 100644
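Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written against the `hal_drm` attribute rather than the new `hal_drm_widevine` domain, so every domain carrying that attribute — any other DRM HAL server, and passthrough clients if the base policy's hal_client_domain attaches the attribute to them — receives the fd-use permission, not just this service. Unless that breadth is intended, scope the rules to the domain: `allow hal_drm_widevine mediacodec:fd use;` and `allow hal_drm_widevine { appdomain -isolated_app }:fd use;`. `# define SELinux domain` says nothing the next line does not; replace it with what the process is, e.g. `# Widevine DRM HAL service (android.hardware.drm@1.0-service.widevine) running from /vendor`. The trailing `;` on `hal_client_domain(hal_drm_widevine, hal_graphics_composer);` is inconsistent with the two macro calls above it, which have none.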
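Review bot: `dontaudit init kernel:system module_request;` suppresses the same denial that netd.te and vold.te suppress in this commit, but only netd's copy carries `#TODO: This can safely be ignored until b/62954877 is fixed`; the init.te and vold.te rules should carry the same line so all three can be removed together when that bug closes. A dontaudit only drops the event from the audit log, it does not fix the module request, so the tracking comment is the only thing that ties each suppression to its cause and keeps it from outliving the bug.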
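Review bot: The four `dontaudit priv_app ...` rules sit under a bare `#TODO: b/62908025` that does not say which preinstalled app or framework path on the emulator reads `proc_modules`, `proc_interrupts`, the `/dev` listing and `firstboot_prop`. Since dontaudit hides the denials rather than granting anything, the comment is the only record of why the suppression exists and when it can go; name the trigger, e.g. `# b/62908025: <app> probes /proc/modules and /proc/interrupts on the emulator; silence until fixed` with the placeholder filled in from the denial log.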
--- a/target/board/generic/sepolicy/qemu_props.te
+++ b/target/board/generic/sepolicy/qemu_props.te
@@ -1,12 +1,9 @@
 # qemu-props service: Sets system properties on boot.
 type qemu_props, domain;
-type qemu_props_exec, exec_type, file_type;
+type qemu_props_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(qemu_props)
-# Set properties.
 set_prop(qemu_props, qemu_prop)
 set_prop(qemu_props, dalvik_prop)
-set_prop(qemu_props, config_prop)
-set_prop(qemu_props, opengles_prop)
 set_prop(qemu_props, qemu_cmdline)
diff --git a/target/board/generic/sepolicy/qemud.te b/target/board/generic/sepolicy/qemud.te
deleted file mode 100644
index eee21c406..000000000
--- a/target/board/generic/sepolicy/qemud.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# qemu support daemon
-type qemud, domain;
-type qemud_exec, exec_type, file_type;
-
-init_daemon_domain(qemud)
-
-# Access /dev/ttyS1 and /dev/ttyGF1.
-allow qemud serial_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
deleted file mode 100644
index e148b6c13..000000000
--- a/target/board/generic/sepolicy/rild.te
+++ /dev/null
@@ -1 +0,0 @@
-unix_socket_connect(rild, qemud, qemud)
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
index f9e277b8a..906309563 100644
--- a/target/board/generic/sepolicy/system_server.te
+++ b/target/board/generic/sepolicy/system_server.te
@@ -1,3 +1,2 @@
-unix_socket_connect(system_server, qemud, qemud)
 get_prop(system_server, opengles_prop)
 get_prop(system_server, radio_noril_prop)
diff --git a/target/board/generic/sepolicy/vold.te b/target/board/generic/sepolicy/vold.te
new file mode 100644
index 000000000..5f3bdd446
--- /dev/null
+++ b/target/board/generic/sepolicy/vold.te
@@ -0,0 +1 @@
+dontaudit vold kernel:system module_request;
diff --git a/target/board/generic/sepolicy/zygote.te b/target/board/generic/sepolicy/zygote.te
index a90f02b1a..e97d895c3 100644
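Review bot: After this hunk qemu_props no longer sets `opengles_prop` or `config_prop`, yet system_server.te in the same commit still keeps `get_prop(system_server, opengles_prop)` and no rule left in this policy directory sets that property. If it is now set elsewhere (the vendor init .rc or the emulator kernel command line seem the likely candidates), a one-line comment next to the remaining `set_prop` rules saying who sets it would explain why the setter was dropped; if nothing sets it, the get_prop in system_server.te is dead and should go too. Removing `# Set properties.` leaves the file with no prose beyond its header; `# Publishes qemu.*, dalvik.* and the qemu_cmdline properties on boot` above the set_prop lines would restore that.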
--- a/target/board/generic/sepolicy/zygote.te
+++ b/target/board/generic/sepolicy/zygote.te
@@ -1 +1,4 @@
 set_prop(zygote, qemu_prop)
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
diff --git a/target/product/emulator.mk b/target/product/emulator.mk
index 5a5fb8e1b..0e1e581cd 100644
--- a/target/product/emulator.mk
+++ b/target/product/emulator.mk
@@ -36,11 +36,13 @@ PRODUCT_PACKAGES += \
 libGLESv2_emulation \
 libGLESv1_enc \
 qemu-props \
- qemud \
 camera.goldfish \
 camera.goldfish.jpeg \
 camera.ranchu \
 camera.ranchu.jpeg \
+ keystore.goldfish \
+ keystore.ranchu \
+ gatekeeper.ranchu \
 lights.goldfish \
 gps.goldfish \
 gps.ranchu \
@@ -62,7 +64,9 @@ PRODUCT_PACKAGES += \
 android.hardware.graphics.mapper@2.0-impl \
 hwcomposer.goldfish \
 hwcomposer.ranchu \
+ sh_vendor \
 vintf \
+ toybox_vendor \
 CarrierConfig
 PRODUCT_PACKAGES += \
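Review bot: `dontaudit webview_zygote mnt_expand_file:dir getattr;` is added to zygote.te but concerns the webview_zygote domain; the base policy keeps the two domains in separate files, and a reader looking for webview_zygote rules in this directory will not look here. Move the three added lines into a new webview_zygote.te in this directory. The comment already carries the bug id, which is good; `# Suppress denials to storage.` could name the path the type stands for (mnt_expand_file is the adopted-storage mount point label, if I read the base policy correctly) so the reader does not have to resolve it.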
@@ -72,40 +76,78 @@ PRODUCT_PACKAGES += \
 android.hardware.soundtrigger@2.0-impl
 PRODUCT_PACKAGES += \
- android.hardware.keymaster@3.0-impl \
- android.hardware.keymaster@3.0-service
+ android.hardware.keymaster@3.0-impl \
+ android.hardware.keymaster@3.0-service
 PRODUCT_PACKAGES += \
 android.hardware.gnss@1.0-service \
 android.hardware.gnss@1.0-impl
 PRODUCT_PACKAGES += \
- android.hardware.sensors@1.0-impl \
- android.hardware.sensors@1.0-service
+ android.hardware.sensors@1.0-impl \
+ android.hardware.sensors@1.0-service
+
+PRODUCT_PACKAGES += \
+ android.hardware.drm@1.0-service \
+ android.hardware.drm@1.0-impl
 PRODUCT_PACKAGES += \
 android.hardware.power@1.0-service \
 android.hardware.power@1.0-impl
-# camera service treble disable until all backwards compat is complete
-PRODUCT_PROPERTY_OVERRIDES += \
- camera.disable_treble=1
+PRODUCT_PACKAGES += \
+ camera.device@1.0-impl \
+ android.hardware.camera.provider@2.4-service \
+ android.hardware.camera.provider@2.4-impl \
+
+PRODUCT_PACKAGES += \
+ android.hardware.gatekeeper@1.0-impl \
+ android.hardware.gatekeeper@1.0-service
+
+# need this for gles libraries to load properly
+# after moving to /vendor/lib/
+PRODUCT_PACKAGES += \
+ android.hardware.renderscript@1.0.vndk-sp\
+ android.hardware.graphics.allocator@2.0.vndk-sp\
+ android.hardware.graphics.mapper@2.0.vndk-sp\
+ android.hardware.graphics.common@1.0.vndk-sp\
+ libhwbinder.vndk-sp\
+ libbase.vndk-sp\
+ libcutils.vndk-sp\
+ libhardware.vndk-sp\
+ libhidlbase.vndk-sp\
+ libhidltransport.vndk-sp\
+ libutils.vndk-sp\
+ libc++.vndk-sp\
+ libRS_internal.vndk-sp\
+ libRSDriver.vndk-sp\
+ libRSCpuRef.vndk-sp\
+ libbcinfo.vndk-sp\
+ libblas.vndk-sp\
+ libft2.vndk-sp\
+ libpng.vndk-sp\
+ libcompiler_rt.vndk-sp\
+ libbacktrace.vndk-sp\
+ libunwind.vndk-sp\
+ liblzma.vndk-sp\
+ libz.vndk-sp\
+
 PRODUCT_COPY_FILES += \
- device/generic/goldfish/fstab.goldfish:root/fstab.goldfish \
- device/generic/goldfish/init.goldfish.rc:root/init.goldfish.rc \
- device/generic/goldfish/init.goldfish.sh:system/etc/init.goldfish.sh \
- device/generic/goldfish/init.ranchu-core.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.ranchu-core.sh \
- device/generic/goldfish/init.ranchu-net.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.ranchu-net.sh \
- device/generic/goldfish/init.ranchu.rc:root/init.ranchu.rc \
- device/generic/goldfish/ueventd.goldfish.rc:root/ueventd.goldfish.rc \
+ device/generic/goldfish/init.ranchu-core.sh:vendor/bin/init.ranchu-core.sh \
+ device/generic/goldfish/init.ranchu-net.sh:vendor/bin/init.ranchu-net.sh \
 device/generic/goldfish/init.ranchu.rc:root/init.ranchu.rc \
 device/generic/goldfish/fstab.ranchu:root/fstab.ranchu \
+ device/generic/goldfish/fstab.ranchu.early:root/fstab.ranchu.early \
 device/generic/goldfish/ueventd.ranchu.rc:root/ueventd.ranchu.rc \
- device/generic/goldfish/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml \
 device/generic/goldfish/input/goldfish_rotary.idc:system/usr/idc/goldfish_rotary.idc \
+ device/generic/goldfish/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml \
+ device/generic/goldfish/data/etc/permissions/privapp-permissions-goldfish.xml:system/etc/permissions/privapp-permissions-goldfish.xml \
+ device/generic/goldfish/data/etc/config.ini:config.ini \
 frameworks/native/data/etc/android.hardware.usb.accessory.xml:system/etc/permissions/android.hardware.usb.accessory.xml
 PRODUCT_PACKAGE_OVERLAYS := device/generic/goldfish/overlay
 PRODUCT_CHARACTERISTICS := emulator
+
+PRODUCT_FULL_TREBLE_OVERRIDE := true
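Review bot: `android.hardware.camera.provider@2.4-impl \` and `libz.vndk-sp\` both end their PRODUCT_PACKAGES list with a continuation backslash followed by an added empty line. Make joins the empty line, so it works today, but only because that blank stays in place: delete it and the following `PRODUCT_PACKAGES += \` (or `PRODUCT_COPY_FILES += \`) is swallowed into the list as literal package names. Drop the backslash on the last entry of each list, `android.hardware.camera.provider@2.4-impl` and `libz.vndk-sp`. The keymaster and sensors entries appear as identical removed and re-added lines, which from here looks like a whitespace-only re-indent; if so it is noise in an already large change and could be split out or left alone.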