From 00657834b8a0200f9000a81237b7f45d6ea966d9 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Tue, 25 Apr 2017 09:27:54 -0700
Subject: [PATCH] Assert ban on framework <-> vendor comms over VndBinder

This adds neverallow rules which enforce the prohibition on communication between framework and vendor components over VendorBinder. This prohibition is similar in spirit to the one for Binder communications.

Most changes consist of adding neverallow rules, which do not affect runtime behavior. The only change which does affect runtime behavior is the change which takes away the right of servicemanager domain to transfer Binder tokens to hwservicemanager and vndservicemanager. This grant was there by accident (because it was overly broad) and is not expected to be needed: servicemanager, hwservicemanager, and vndservicemanager are not supposed to be communicating with each other.

P. S. The new neverallow rules in app_neverallows.te are covered by the new rules in domain.te. The rules were nevertheless added to app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
---
 private/app_neverallows.te | 4 ++++
 public/domain.te | 21 +++++++++++++++++++++
 public/init.te | 8 +++++++-
 public/servicemanager.te | 7 ++++++-
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0f0f57766..7827c8b11 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -21,6 +21,10 @@ neverallow all_untrusted_apps debugfs_type:file read;
 # services.
 neverallow all_untrusted_apps service_manager_type:service_manager add;
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
 # Do not allow untrusted apps to connect to the property service
 # or set properties. b/10243159
 neverallow all_untrusted_apps property_socket:sock_file write;
diff --git a/public/domain.te b/public/domain.te
index f63433624..1e5c16cd6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -559,6 +559,27 @@ full_treble_only(`
 } servicemanager:binder { call transfer };
 ')
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
 # On full TREBLE devices, socket communications between core components and vendor components are
 # not permitted.
 full_treble_only(`
diff --git a/public/init.te b/public/init.te
index e997e1338..6d43ef463 100644
--- a/public/init.te
+++ b/public/init.te
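Review bot: The two new app rules are unconditional, while the domain.te rules that the commit message says cover them are wrapped in full_treble_only, so on non-Treble builds these lines are the only thing keeping untrusted apps off VendorBinder, and the comment should say so instead of leaving that to the commit message. Suggest `# Do not allow untrusted apps to use VendorBinder. Unlike the full_treble_only rules in domain.te, this applies on every build.` The service_manager rule also uses `*`, which forbids every service_manager permission rather than only `add` as the preceding rule for system services does; that deliberate difference in strictness is worth one clause in the same comment.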
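Review bot: The comment on the `-ueventd` exemption in the first neverallow says `uevent`, but the exempted domain is ueventd, and it does not explain why the exemption has to be paired with a second, narrower neverallow; a reader has to work out that a neverallow cannot carve out one domain's permissions inline. Suggest `-ueventd # ueventd creates the device node, so it is exempted here and denied I/O by the separate rule below`. The exemption appears only in the vndbinder_device rule, so ueventd stays covered by the vndservice_manager_type and vndservicemanager:binder rules; that looks intended, but stating it in the header comment would stop someone from "fixing" the asymmetry later.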
@@ -205,7 +205,13 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read
 # init should not be able to read or open generic devices
 # TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
 auditallow init {
 dev_type
 -alarm_device
diff --git a/public/servicemanager.te b/public/servicemanager.te
index bba9c6eda..3cf5a464d 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,7 +9,12 @@ type servicemanager_exec, exec_type, file_type;
 # created by other domains. It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+ domain
+ -init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
 # Access to all (system and vendor) service_contexts
 # TODO(b/36866029) access to nonplat_service_contexts
--
GitLab
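Review bot: Removing vndbinder_device from init's read/open grant is not guarded by full_treble_only, so it is a runtime change on every build, whereas the commit message states that the servicemanager transfer change is the only one affecting runtime behavior; either the message should mention it or the reason should be recorded here. Presumably init never opens the VendorBinder node and the observable effect is nil, but a short note would help: `# vndbinder_device is excluded so the coredomain neverallow in domain.te holds for init`. The auditallow block that begins on the last hunk lines continues outside the hunk and needs no matching exclusion, since auditallow only reports accesses that are still allowed.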
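Review bot: The new exclusions of hwservicemanager and vndservicemanager from the transfer grant are not explained in the file; the comment block above, which starts outside the hunk, only says servicemanager never passes its own references, which does not cover why two specific domains are carved out of an otherwise domain-wide grant. Suggest adding before `allow servicemanager {` the comment `# hwservicemanager and vndservicemanager are excluded: the three service managers never talk to each other over Binder (b/37663632)`. Since this is the change the commit message singles out as affecting runtime behavior, this comment is also where a future reader will look first if a denial involving these domains shows up.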