Update binder-related policy.

The binder_transfer_binder hook was changed in the kernel, obsoleting the receive permission and changing the target of the transfer permission. Update the binder-related policy to match the revised permission checking. Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Update binder-related policy.
The binder_transfer_binder hook was changed in the kernel, obsoleting the receive permission and changing the target of the transfer permission. Update the binder-related policy to match the revised permission checking. Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
9ce99e39 · Stephen Smalley · Gerrit Code Review · 1f5939a9 · 9ce99e39 · 9ce99e39
Commit 9ce99e39 authored 12 years ago by Stephen Smalley Committed by Gerrit Code Review 12 years ago
--- a/access_vectors
+++ b/access_vectors
@@ -871,7 +871,6 @@ class binder
 	call
 	set_context_mgr
 	transfer
-	receive
 }
 class zygote

--- a/app.te
+++ b/app.te
@@ -188,10 +188,8 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
-binder_transfer(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
-binder_transfer(appdomain, appdomain)
 # Appdomain interaction with isolated apps
 r_dir_file(appdomain, isolated_app)

--- a/mediaserver.te
+++ b/mediaserver.te
@@ -13,7 +13,6 @@ r_dir_file(mediaserver, sdcard)
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
-binder_transfer(mediaserver, surfaceflinger)
 binder_service(mediaserver)
 allow mediaserver kernel:system module_request;

--- a/servicemanager.te
+++ b/servicemanager.te
@@ -11,4 +11,4 @@ init_daemon_domain(servicemanager)
 # created by other domains.  It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder { receive transfer };
+allow servicemanager domain:binder transfer;
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -12,6 +12,7 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system)
 binder_service(surfaceflinger)
+allow surfaceflinger init:binder transfer;
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;

--- a/system.te
+++ b/system.te
@@ -8,7 +8,6 @@ app_domain(system_app)
 # Perform binder IPC to any app domain.
 binder_call(system_app, appdomain)
-binder_transfer(system_app, appdomain)
 # Read and write system data files.
 # May want to split into separate types.
@@ -121,9 +120,6 @@ binder_use(system)
 binder_call(system, binderservicedomain)
 binder_call(system, appdomain)
 binder_service(system)
-# Transfer other Binder references.
-binder_transfer(system, binderservicedomain)
-binder_transfer(system, appdomain)
 # Read /proc/pid files for Binder clients.
 r_dir_file(system, appdomain)

--- a/te_macros
+++ b/te_macros
@@ -152,10 +152,8 @@ allow $1 $3:unix_dgram_socket sendto;
 # binder_use(domain)
 # Allow domain to use Binder IPC.
 define(`binder_use', `
-# Get Binder references from the servicemanager.
+# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder call;
+allow $1 servicemanager:binder { call transfer };
-# Transfer and receive own Binder references.
-allow $1 self:binder { transfer receive };
 # Map /dev/ashmem with PROT_EXEC.
 allow $1 ashmem_device:chr_file execute;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
@@ -166,19 +164,14 @@ allow $1 ashmem_device:chr_file execute;
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
 define(`binder_call', `
-# First we receive a Binder ref to the server, then we call it.
+# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { receive call };
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
 # Receive and use open files from the server.
 allow $1 $2:fd use;
 ')
-#####################################
-# binder_transfer(clientdomain, serverdomain)
-# Allow clientdomain to transfer Binder references created by serverdomain.
-define(`binder_transfer', `
-allow $1 $2:binder transfer;
-')
 #####################################
 # binder_service(domain)
 # Mark a domain as being a Binder service domain.

--- a/unconfined.te
+++ b/unconfined.te
@@ -20,5 +20,5 @@ allow unconfineddomain netif_type:netif *;
 allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain domain:binder { call transfer };
 allow unconfineddomain property_type:property_service set;