From 90cf5a7fb34e586ac1676f3f8fc66b64bfebf8a7 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Thu, 18 Oct 2018 12:39:35 -0700
Subject: [PATCH] same_process_hal_file: access to individual coredomains

Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
---
 private/isolated_app.te          |  6 ------
 private/system_server.te         |  1 +
 private/webview_zygote.te        |  2 ++
 private/zygote.te                |  2 ++
 public/app.te                    |  1 +
 public/domain.te                 | 20 ++++----------------
 public/hal_allocator.te          |  1 +
 public/hal_graphics_allocator.te |  1 +
 public/perfprofd.te              |  2 ++
 9 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 95b008da1..85e80a5fa 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -47,12 +47,6 @@ allow isolated_app webview_zygote_tmpfs:file read;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app shell_data_file:dir search;
 
-# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
-# if needed.
-userdebug_or_eng(`
-  auditallow isolated_app same_process_hal_file:file *;
-')
-
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 allow isolated_app traced:fd use;
diff --git a/private/system_server.te b/private/system_server.te
index 048e5b2b6..42a89d421 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -234,6 +234,7 @@ allow system_server hal_graphics_composer:fd use;
 
 # Use RenderScript always-passthrough HAL
 allow system_server hal_renderscript_hwservice:hwservice_manager find;
+allow system_server same_process_hal_file:file { execute read open getattr map };
 
 # Offer HwBinder services
 add_hwservice(system_server, fwk_scheduler_hwservice)
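Review bot: The allow added directly under the `# Use RenderScript always-passthrough HAL` comment reads as if it were RenderScript-specific, but it grants system_server execute/map on every library labelled same_process_hal_file; a comment of its own, e.g. `# Load same-process (passthrough) HAL libraries into this process.`, would state the real scope of the grant. The equivalent rules added in webview_zygote.te, zygote.te, hal_allocator.te and hal_graphics_allocator.te carry no comment at all and would benefit from the same line. The permission set `{ execute read open getattr map }` is also repeated verbatim in each of those files and in domain.te; a shared macro or a single attribute granted once would keep the six copies from drifting apart when one is later adjusted.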
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index ea0141266..75f70ac70 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -70,6 +70,8 @@ allow webview_zygote zygote:process sigchld;
 # Allow apps access to /vendor/overlay
 r_dir_file(webview_zygote, vendor_overlay_file)
 
+allow webview_zygote same_process_hal_file:file { execute read open getattr map };
+
 #####
 ##### Neverallow
 #####
diff --git a/private/zygote.te b/private/zygote.te
index ec04d8fbb..0e21d51ea 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -114,6 +114,8 @@ userdebug_or_eng(`
 allow zygote ion_device:chr_file r_file_perms;
 allow zygote tmpfs:dir r_dir_perms;
 
+allow zygote same_process_hal_file:file { execute read open getattr map };
+
 # Let the zygote access overlays so it can initialize the AssetManager.
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
diff --git a/public/app.te b/public/app.te
index 800e891b4..7f0d5548e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -308,6 +308,7 @@ allow { appdomain -isolated_app } hal_camera:fd use;
 
 # RenderScript always-passthrough HAL
 allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
 
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
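Review bot: The new rule is written for bare `appdomain`, while the neighbouring HAL rules in this hunk are scoped to `{ appdomain -isolated_app }`, so isolated apps keep execute/map access to same_process_hal_file that the removed isolated_app.te TODO ("give isolated_app explicit access ... if needed") had left undecided. If that is intentional a comment should say so, e.g. `# isolated_app is deliberately included: it loads SP-HAL libraries via the same mechanism.`; if not, the rule should read `allow { appdomain -isolated_app } same_process_hal_file:file { execute read open getattr map };` to match its neighbours. Which of the two is correct cannot be told from the diff alone.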
diff --git a/public/domain.te b/public/domain.te
index 3e7a0dcd6..dcd12b143 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -188,22 +188,10 @@ allow domain vendor_hal_file:dir r_dir_perms;
 
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
-# TODO(b/37211678): whitelist domains that actually need same process HALs.
-allow domain same_process_hal_file:file { execute read open getattr map };
-# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
-# same_process_hal_file label, which is what we are interested in.
-userdebug_or_eng(`
-  auditallow {
-    coredomain
-    -zygote
-    -hal_allocator_client
-    # Graphics mapper clients.
-    -hal_graphics_allocator_client
-    # Renderscript clients include { system_server appdomain -isolated_app }.
-    -appdomain
-    -system_server
-  } same_process_hal_file:file *;
-')
+allow {
+    domain
+    -coredomain # access is explicitly granted to individual coredomains
+} same_process_hal_file:file { execute read open getattr map };
 
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
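Review bot: The retained comment `# Everyone can read and execute all same process HALs` is now inaccurate: after this hunk only the `:dir r_dir_perms` rule applies to every domain, while file read/execute is withheld from coredomain. It should be reworded, e.g. `# Everyone can search same process HAL directories; only non-core domains (and the individually listed core domains) may read and execute the libraries.`. With the userdebug auditallow gone, nothing enforces that the granular set stays granular; if no other rule grants a core domain execute on this label, a neverallow such as `neverallow { coredomain -zygote -webview_zygote -system_server -appdomain -hal_allocator_client -hal_graphics_allocator_client } same_process_hal_file:file execute;` would make future blanket grants fail at policy build time rather than surface as runtime denials.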
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b7e3ca5a4..6417b6289 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -3,3 +3,4 @@ binder_call(hal_allocator_client, hal_allocator_server)
 
 hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
 allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
+allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 41a324962..991e147c7 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -3,6 +3,7 @@ binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
 hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
 allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
 
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index a0fcf3751..47dfbf210 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -76,6 +76,8 @@ userdebug_or_eng(`
   r_dir_file(perfprofd, vendor_file)
   # Vendor apps.
   r_dir_file(perfprofd, vendor_app_file)
+  # SP HAL files.
+  r_dir_file(perfprofd, same_process_hal_file)
 
   # simpleperf will set security.perf_harden to enable access to perf_event_open()
   set_prop(perfprofd, shell_prop)
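Review bot: The comment `# SP HAL files.` names the label but not the reason read access is needed, unlike the hunk's other comments. Presumably this is so profiles taken from processes that loaded SP-HAL libraries can be symbolized; if so, `# Read SP-HAL libraries so profiles can be symbolized.` would explain the grant. The enclosing userdebug_or_eng block starts before this hunk and its closing quote is outside it, so the rule remains debug-build only, which is worth confirming is the intended scope.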
-- 
GitLab