Vendor domains must not use Binder am: f5446eb1 am: 2fe065d7

am: 49ce4394 Change-Id: I1b38d903e61188594d0de80be479e7d9e045fb26

Vendor domains must not use Binder am: f5446eb1 am: 2fe065d7
68e6109d · Alex Klyubin · android-build-merger · 463f9a49 · 49ce4394 · 68e6109d
Commit 68e6109d authored Mar 24, 2017 by Alex Klyubin Committed by android-build-merger Mar 24, 2017
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute tombstoned coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(tombstoned)
--- a/private/toolbox.te
+++ b/private/toolbox.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute toolbox coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(toolbox)
--- a/private/tzdatacheck.te
+++ b/private/tzdatacheck.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute tzdatacheck coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(tzdatacheck)
--- a/private/ueventd.te
+++ b/private/ueventd.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute ueventd coredomain;
-# public, but conceptually should go with this
 tmpfs_domain(ueventd)
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute uncrypt coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(uncrypt)
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -17,6 +17,8 @@
 ### seapp_contexts.
 ###
+typeattribute untrusted_app coredomain;
 app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)


--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -19,6 +19,8 @@
 ### seapp_contexts.
 ###
+typeattribute untrusted_app_25 coredomain;
 app_domain(untrusted_app_25)
 untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)


--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
 ###
 ### Untrusted v2 sandbox apps.
 ###
+typeattribute untrusted_v2_app coredomain;
 app_domain(untrusted_v2_app)
 net_domain(untrusted_v2_app)
 bluetooth_domain(untrusted_v2_app)


--- a/private/update_engine.te
+++ b/private/update_engine.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute update_engine coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(update_engine);
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute update_verifier coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(update_verifier)
--- a/private/vdc.te
+++ b/private/vdc.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute vdc coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(vdc)
--- a/private/virtual_touchpad.te
+++ b/private/virtual_touchpad.te
+typeattribute virtual_touchpad coredomain;
 init_daemon_domain(virtual_touchpad)
--- a/private/vold.te
+++ b/private/vold.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute vold coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(vold)
 # Switch to more restrictive domains when executing common tools


--- a/private/watchdogd.te
+++ b/private/watchdogd.te
+typeattribute watchdogd coredomain;
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
 # webview_zygote is an auxiliary zygote process that is used to spawn
 # isolated_app processes for rendering untrusted web content.
+typeattribute webview_zygote coredomain;
 # The webview_zygote needs to be able to transition domains.
 typeattribute webview_zygote mlstrustedsubject;


--- a/private/wificond.te
+++ b/private/wificond.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute wificond coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(wificond)
--- a/private/zygote.te
+++ b/private/zygote.te
 # zygote
+typeattribute zygote coredomain;
 typeattribute zygote domain_deprecated;
 typeattribute zygote mlstrustedsubject;


--- a/public/attributes
+++ b/public/attributes
@@ -115,6 +115,13 @@ attribute binderservicedomain;
 # recovery for A/B devices.
 attribute update_engine_common;
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients


--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,10 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
@@ -420,6 +423,24 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } binder_device:chr_file rw_file_perms;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } servicemanager:binder { call transfer };
+')
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
  domain


--- a/public/te_macros
+++ b/public/te_macros
@@ -394,6 +394,18 @@ define(`non_system_app_set', `{ appdomain -system_app }')
 #
 define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
 #####################################
 # Userdebug or eng builds
 # SELinux rules which apply only to userdebug or eng builds