authorNick Bray <ncbray@google.com>2017-04-04 17:07:46 -0700
committerNick Bray <ncbray@google.com>2017-04-07 10:36:38 -0700
commit850f8473e581b48cfc06de0089cd0e3e02e34eb4 (patch)
tree723a947c024d7e85124690317b2ca432a248f8b0
parent25a8008ed022ab9d7c69362bb575e653f0210d3f (diff)
App-specific SELinux domain for VrCore.
Move VrCore from untrusted_app_25 into its own domain so we can have finer control of its IPC surface. Bug: 36367417 Test: manual Change-Id: Ib02a58a0a45b7b86c05e3e585437b2f9d68687fe
-rw-r--r--vrcore/sepolicy/certs/vrcore-dummy.x509.pem21
-rw-r--r--vrcore/sepolicy/certs/vrcore-release.x509.pem22
-rw-r--r--vrcore/sepolicy/certs/vrcore.x509.pem22
-rw-r--r--vrcore/sepolicy/keys.conf11
-rw-r--r--vrcore/sepolicy/mac_permissions.xml13
-rw-r--r--vrcore/sepolicy/seapp_contexts4
-rw-r--r--vrcore/sepolicy/vrcore_app.te36
7 files changed, 129 insertions, 0 deletions
diff --git a/vrcore/sepolicy/certs/vrcore-dummy.x509.pem b/vrcore/sepolicy/certs/vrcore-dummy.x509.pem
new file mode 100644
index 0000000..e97c8a0
--- /dev/null
+++ b/vrcore/sepolicy/certs/vrcore-dummy.x509.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/vrcore/sepolicy/certs/vrcore-release.x509.pem b/vrcore/sepolicy/certs/vrcore-release.x509.pem
new file mode 100644
index 0000000..0018dc5
--- /dev/null
+++ b/vrcore/sepolicy/certs/vrcore-release.x509.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuTCCAqGgAwIBAgIJAJ5sYs0DwTtAMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEPMA0G
+A1UEAwwGdnJjb3JlMB4XDTE2MDEyMDA1MjE0NVoXDTQzMDYwNzA1MjE0NVowczEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50
+YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSBJbmMuMRAwDgYDVQQLDAdBbmRyb2lk
+MQ8wDQYDVQQDDAZ2cmNvcmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDOWHL268X/9Rb3z5JMO2gfGKzYkaZbWpa5rkJGYxk97U13ptjJWCmLj6GCwFgb
+4E3XOY+dT+Lwtpypu8HWuC88v28yHrP4db3idvqZgRGt7pqCsZ8OwLO0axt7lZbH
+myjDXMhGZv6b3gU26QSiJl90U7q0kJDE7puyln05PTbkQQuAK3BwGQfPahLvzYiK
+PpOoQ15Ly7D74+uz7iw77CYLQsr3aQveeJCC1CCdC9K3pWqaszaIPu2IhjLeVBGD
+1clWbJ29bS58eCsCFR4hQpOU7NndrJ+CiyibNZ07EmQxX25qjdgu6WRxp7fHMw+a
+ZJy/u90WfXcb6/ArpSLdEjY1AgMBAAGjUDBOMB0GA1UdDgQWBBTg9K8anPkFlHUN
+EBENPAqgTvm50DAfBgNVHSMEGDAWgBTg9K8anPkFlHUNEBENPAqgTvm50DAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQA/Pm+xcYEJZm7bbLabnEYLeWcB
+/OkDoE5rggmaEB3hJuy4pqcpNo8FaTvuQaEPwIZxdr+wyJdTR4ZouCsDOISAySdd
+YL0vFDtR1DeT8GpJX0PIQpebbO7Hp9tgl4RYecoznZXO/MRlKztLRYQ8QfRyZ+gz
++dXazxjempI0ibzSUG7lDC1tbVzVd5r3ZOZB5PteEPUbL/odpd3qJQ/pQcqA3bWo
++rhHTmjuzOdLLvZvwjz6JCK0V9ts+x2DCrpNvou1Kaqu0PR4WNik5YqBwOaU6D+K
+Z1Rd59XOCbYlf5ga33SEtJ5Xe4+9J5sTcE/jXLYj3IyI98QDKPtiJq5p4DpZ
+-----END CERTIFICATE-----
diff --git a/vrcore/sepolicy/certs/vrcore.x509.pem b/vrcore/sepolicy/certs/vrcore.x509.pem
new file mode 100644
index 0000000..8a0efe4
--- /dev/null
+++ b/vrcore/sepolicy/certs/vrcore.x509.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/vrcore/sepolicy/keys.conf b/vrcore/sepolicy/keys.conf
new file mode 100644
index 0000000..6aaa751
--- /dev/null
+++ b/vrcore/sepolicy/keys.conf
@@ -0,0 +1,11 @@
+# Allow VrCore to be put in an app-specific SELinux domain.
+[@VRCORE]
+ALL : device/google/vrservices/vrcore/sepolicy/certs/vrcore-release.x509.pem
+
+# Release builds of Android should not trust development builds of VrCore.
+# Unfortnately the infrastructure requires a certificate for each build variant,
+# so switch to a bogus, unused cert for user builds.
+[@VRCORE_DEV]
+ENG : device/google/vrservices/vrcore/sepolicy/certs/vrcore.x509.pem
+USERDEBUG : device/google/vrservices/vrcore/sepolicy/certs/vrcore.x509.pem
+USER : device/google/vrservices/vrcore/sepolicy/certs/vrcore-dummy.x509.pem
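Review bot: The comment on `[@VRCORE_DEV]` calls the user-build certificate bogus and unused, but nothing here records that its private key no longer exists, while mac_permissions.xml grants `seinfo=vrcore` to whatever `@VRCORE_DEV` resolves to. If that key were retained anywhere, a package named com.google.vr.vrcore signed with it could be labelled as VrCore on user builds. I would extend the comment to state the guarantee, e.g. `# vrcore-dummy.x509.pem: private key was discarded at generation; nothing can be signed with it.`, provided that is in fact true. The word `Unfortnately` in the same comment should read `Unfortunately`.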
diff --git a/vrcore/sepolicy/mac_permissions.xml b/vrcore/sepolicy/mac_permissions.xml
new file mode 100644
index 0000000..10989bd
--- /dev/null
+++ b/vrcore/sepolicy/mac_permissions.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+ <signer signature="@VRCORE" >
+ <package name="com.google.vr.vrcore" >
+ <seinfo value="vrcore" />
+ </package>
+ </signer>
+ <signer signature="@VRCORE_DEV" >
+ <package name="com.google.vr.vrcore" >
+ <seinfo value="vrcore" />
+ </package>
+ </signer>
+</policy>
diff --git a/vrcore/sepolicy/seapp_contexts b/vrcore/sepolicy/seapp_contexts
new file mode 100644
index 0000000..7d28d38
--- /dev/null
+++ b/vrcore/sepolicy/seapp_contexts
@@ -0,0 +1,4 @@
+# The default domain for vrcore processes.
+user=_app seinfo=vrcore name=com.google.vr.vrcore* domain=vrcore_app type=app_data_file levelFrom=all
+# A fallback in case vrcore is missing something critical that untrusted_app provides.
+user=_app seinfo=vrcore name=com.google.vr.vrcore:app domain=untrusted_app type=app_data_file levelFrom=all
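Review bot: The second rule is described as a fallback, but as written it is a static assignment: a process named exactly `com.google.vr.vrcore:app` is labelled `untrusted_app`. That holds only if the exact-name entry wins over the `com.google.vr.vrcore*` prefix entry, which this file does not make obvious. The commit message says VrCore came from `untrusted_app_25`, so the domain chosen here may differ from what that process had before; this is worth confirming. I would reword the comment along the lines of `# TEMPORARY: the :app process stays in untrusted_app until vrcore_app.te covers it; remove once audited (Bug 36367417).` so the exception is not read as an automatic safety net and is eventually removed.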
diff --git a/vrcore/sepolicy/vrcore_app.te b/vrcore/sepolicy/vrcore_app.te
new file mode 100644
index 0000000..4515b50
--- /dev/null
+++ b/vrcore/sepolicy/vrcore_app.te
@@ -0,0 +1,36 @@
+###
+### VrCore was historically an untrusted_app, but it was moved into its own
+### domain to tighten access to VrCore-specific IPC services and
+### opportunistically eliminate legacy untrusted_app rules.
+###
+
+type vrcore_app, domain;
+
+app_domain(vrcore_app)
+net_domain(vrcore_app)
+bluetooth_domain(vrcore_app)
+
+# Services from untrusted_app_all.
+# Should be kept in sync with untrusted_app_all.
+allow vrcore_app audioserver_service:service_manager find;
+allow vrcore_app cameraserver_service:service_manager find;
+allow vrcore_app drmserver_service:service_manager find;
+allow vrcore_app mediaserver_service:service_manager find;
+allow vrcore_app mediaextractor_service:service_manager find;
+allow vrcore_app mediametrics_service:service_manager find;
+allow vrcore_app mediadrmserver_service:service_manager find;
+allow vrcore_app mediacasserver_service:service_manager find;
+allow vrcore_app nfc_service:service_manager find;
+allow vrcore_app radio_service:service_manager find;
+allow vrcore_app surfaceflinger_service:service_manager find;
+allow vrcore_app app_api_service:service_manager find;
+
+# VrCore-specific services.
+allow vrcore_app vr_manager_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow vrcore_app self:process ptrace;
+
+# Access to /data/media for screenshots.
+allow vrcore_app media_rw_data_file:dir create_dir_perms;
+allow vrcore_app media_rw_data_file:file create_file_perms;
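Review bot: `allow vrcore_app self:process ptrace;` is granted on every build variant, although its comment ties it to ndk-gdb debugging; for a domain created to tighten VrCore's surface I would limit it to debuggable builds by wrapping the rule in the `userdebug_or_eng` policy macro. The two `media_rw_data_file` rules give create access over the whole type for the sake of screenshots, which is broader than the stated need. If they cannot be narrowed, the comment should say why direct /data/media access is required instead of the normal external-storage path. The service list is copied from untrusted_app_all with an instruction to keep it in sync, so entries such as `nfc_service` and `radio_service` deserve a check against what VrCore actually uses.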