Audit access to same_process_hal_file.
same_process_hal_file is exempted from many Treble neverallows. We want
to know which processes access this type so that access to it can
eventually be constrained.
Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 85e80a5..95b008d 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -47,6 +47,12 @@
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
+# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
+# if needed.
+userdebug_or_eng(`
+ auditallow isolated_app same_process_hal_file:file *;
+')
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow isolated_app traced:fd use;
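Review bot: The TODO comment above the new auditallow does not say why isolated_app is audited in this file rather than by the domain-wide rule, so a reader of private/isolated_app.te alone cannot tell that the access still exists or where it comes from. The grant is the `allow domain same_process_hal_file:file { execute read open getattr map };` rule in public/domain.te, and isolated_app only drops out of that file's auditallow through its `-appdomain` exclusion; without a cross-reference the two rules can drift when either is edited. Suggest extending the comment: `# Access comes from the domain-wide rule in public/domain.te; isolated_app is excluded from that file's auditallow via -appdomain, so audit it here.` The `*` permission set is fine since only permissions actually granted will ever be reported.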
diff --git a/public/domain.te b/public/domain.te
index b479227..04774ed 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -188,7 +188,22 @@
# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
+# TODO(b/37211678): whitelist domains that actually need same process HALs.
allow domain same_process_hal_file:file { execute read open getattr map };
+# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
+# same_process_hal_file label, which is what we are interested in.
+userdebug_or_eng(`
+ auditallow {
+ coredomain
+ -zygote
+ -hal_allocator_client
+ # Graphics mapper clients.
+ -hal_graphics_allocator_client
+ # Renderscript clients include { system_server appdomain -isolated_app }.
+ -appdomain
+ -system_server
+ } same_process_hal_file:file *;
+')
# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
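Review bot: The `-hal_allocator_client` entry in the auditallow exclusion list is the only one without a rationale comment, while `-hal_graphics_allocator_client` and the `-appdomain`/`-system_server` pair each explain why they are expected SP-HAL users; since this list is the de facto whitelist candidate for the TODO on the `allow domain` line, every entry should say why it is there. Suggest `# Allocator clients — presumably SP-HAL users like the graphics mapper clients below; confirm.` The comment above the block should also note that `-appdomain` removes isolated_app as well, which is why private/isolated_app.te carries its own auditallow; without that cross-reference the two rules can drift apart. Restricting the subject to `coredomain` leaves vendor domains unaudited, which looks intended since they are the expected SP-HAL users, but stating that in the comment would spare the next reader the question.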