From 3e307a4de570a64437e3071ae398ed291ba82098 Mon Sep 17 00:00:00 2001
From: Dan Cashman <dcashman@google.com>
Date: Wed, 21 Jun 2017 10:00:32 -0700
Subject: [PATCH] Remove neverallow preventing hwservice access for apps.

Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future.

Bug: 62806062
Test: neverallow-only change builds. Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
---
 private/app_neverallows.te | 61 ++++++++++++++++++++++++++++++++------
 public/attributes | 9 ++++++
 2 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 09177240e..3c159d5f1 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -132,20 +132,63 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 # incidence rate of security issues than system/core components and have
 # access to lower layes of the stack (all the way down to hardware) thus
 # increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
neverallow all_untrusted_apps {
 hwservice_manager_type
- # Same process services are safe because they by definition run in the process
- # of the client and thus have the same access as the client domain in which
- # the process runs
 -same_process_hwservice
- -coredomain_hwservice # neverallows for coredomain HwBinder services are below
- -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
- # These operations are also offered by surfaceflinger Binder service which
- # apps are permitted to access
+ -coredomain_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
 -hal_graphics_allocator_hwservice
- # HwBinder version of mediacodec Binder service which apps were permitted to
- # access
 -hal_omx_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
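Review bot: The second `neverallow all_untrusted_apps { ... }:hwservice_manager find;` in this hunk is the only thing stopping an AOSP hwservice type from being exposed to untrusted apps once `untrusted_app_visible_hwservice` is subtracted from the first rule, and it is a hand-enumerated list, so a hwservice type declared later in the policy is protected only if someone remembers to append it here; a comment above the list such as `# Keep in sync with the hwservice types declared in the policy: a type missing here can be made app-visible by labeling it untrusted_app_visible_hwservice` would make that maintenance obligation explicit. The new "Safe services include:" rationale earlier in the hunk has a bullet for every exclusion except the new `-untrusted_app_visible_hwservice`; a bullet like `# - untrusted_app_visible_hwservice: temporary vendor allowance, see public/attributes` would keep the rationale complete. The line `neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302` gives no reason beyond the bug id; presumably it exists so the otherwise-unreferenced attribute survives into the compiled policy (the Test line says "Verify new attribute is in policy"), and the comment should state that rather than leave the reader to guess. `becuase` in the hal_configstore bullet is a typo.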
diff --git a/public/attributes b/public/attributes
index 90740d456..cde55da19 100644
--- a/public/attributes
+++ b/public/attributes
@@ -144,6 +144,15 @@ attribute socket_between_core_and_vendor_violators;
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
 
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
--
GitLab
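Review bot: The WARNING comment on `attribute untrusted_app_visible_hwservice;` says the allowance is temporary but not who may apply it: the same patch's private/app_neverallows.te keeps the enumerated AOSP hwservice types unfindable by untrusted apps, so in practice only vendor-defined hwservice types can usefully carry this attribute, and an allow rule that tries to expose one of the listed AOSP types through it will presumably fail those neverallows at build time. Since this file is public and therefore the only guidance a vendor policy author sees, add a line such as `# Intended for vendor-defined hwservice types only; the AOSP hwservice types are neverallowed from app access in private/app_neverallows.te regardless of this attribute.` The comment also does not say how a vendor is expected to lose the attribute later ("submitted to AOSP"), which the commit message describes as getting exceptions into AOSP; one sentence to that effect would make the exit path concrete.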