Skip to content
Snippets Groups Projects
Commit 2234f9ff authored by Nick Kralevich's avatar Nick Kralevich
Browse files

gatekeeperd: neverallow non-system_server binder call 

The current neverallow rule (compile time assertion)

  neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

 * all app processes
 * dumpstate
 * system_server
 * mediaserver
 * surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
parent 84f580ac
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
gatekeeperd.te
+ 3
1
View file @ 2234f9ff
...@@ -4,13 +4,14 @@ type gatekeeperd_exec, exec_type, file_type; ...@@ -4,13 +4,14 @@ type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd # gatekeeperd
init_daemon_domain(gatekeeperd) init_daemon_domain(gatekeeperd)
binder_use(gatekeeperd) binder_use(gatekeeperd)
binder_service(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms; allow gatekeeperd tee_device:chr_file rw_file_perms;
# need to find KeyStore and add self # need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find }; allow gatekeeperd gatekeeper_service:service_manager { add find };
# Need to add auth tokens to KeyStore # Need to add auth tokens to KeyStore
allow gatekeeperd keystore_service:service_manager find;
binder_call(gatekeeperd, keystore)
allow gatekeeperd keystore:keystore_key { add_auth }; allow gatekeeperd keystore:keystore_key { add_auth };
# For permissions checking # For permissions checking
...@@ -19,3 +20,4 @@ allow gatekeeperd permission_service:service_manager find; ...@@ -19,3 +20,4 @@ allow gatekeeperd permission_service:service_manager find;
neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find; neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add; neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
neverallow { domain -system_server } gatekeeperd:binder call;
system_server.te
+ 1
0
View file @ 2234f9ff
...@@ -122,6 +122,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt }; ...@@ -122,6 +122,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC. # Perform Binder IPC.
binder_use(system_server) binder_use(system_server)
binder_call(system_server, binderservicedomain) binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
binder_call(system_server, appdomain) binder_call(system_server, appdomain)
binder_call(system_server, dumpstate) binder_call(system_server, dumpstate)
binder_service(system_server) binder_service(system_server)
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment