From a099830e3df674a8cded09e66aec1aef5634bbe1 Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Fri, 9 Feb 2018 11:31:56 -0800
Subject: [PATCH] Prevent vendor_init from using binder or sockets

Bug: 72809699
Test: build
Change-Id: Ifb66ad13557af7d2dc6d3ef823e326a5fba51b24
---
 public/domain.te            | 1 +
 public/servicemanager.te    | 1 +
 public/vendor_init.te       | 3 +++
 vendor/vndservicemanager.te | 2 +-
 4 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/public/domain.te b/public/domain.te
index 6f5055219..13e4ba9ef 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -389,6 +389,7 @@ neverallow * init:process ptrace;
 # Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow * init:binder *;
+neverallow * vendor_init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
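Review bot: The comment above the new neverallow still says only "Init can't do anything with binder calls", but the added `neverallow * vendor_init:binder *;` is grouped under it, so a denial on vendor_init will be triaged against a comment that does not mention it. Extend the two comment lines to `# Init and vendor_init can't do anything with binder calls. If this neverallow rule is being` / `# triggered, it's probably due to a service with no SELinux domain.` so the diagnostic hint covers both domains. Since neverallow is checked at policy compile time, any existing allow granting vendor_init binder permissions elsewhere would break the build rather than be silently dropped; the diffstat shows only servicemanager.te and vndservicemanager.te adjusted for this.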
diff --git a/public/servicemanager.te b/public/servicemanager.te
index c7cd738ba..87e3a2217 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,7 @@ allow servicemanager self:binder set_context_mgr;
 allow servicemanager {
   domain
   -init
+  -vendor_init
   -hwservicemanager
   -vndservicemanager
 }:binder transfer;
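Review bot: The exclusion list here is adjusted for the new global `neverallow * vendor_init:binder *;`, but hwservicemanager.te is not in the diffstat; if it carries an analogous `{ domain -init ... }:binder transfer` allow, the neverallow would reject it at policy compile time. The "Test: build" trailer suggests this was exercised, but a reader of this hunk cannot confirm it from the page, so a one-line mention in the commit message of why hwservicemanager needs no change would help. This rule's enclosing allow block is fully visible in the hunk.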
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dbb20fd7b..dd7479fcb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -4,6 +4,9 @@ type vendor_init, domain, mlstrustedsubject;
 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };
 
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open write };
 
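Review bot: The new comment says vendor_init shouldn't talk to "most system processes" but does not say why the four carve-outs (`init`, `logd`, `su`, `vendor_init` itself) are exempt, which is the part a future maintainer will need when tempted to add another. Replace the comment with something like `# Vendor init may only establish socket communication with init (its control channel, see the unix_stream_socket rule above), logd (presumably for logging — confirm) and su (debug builds); everything else, including every other vendor process, is denied.` The `init` exemption is consistent with the `allow vendor_init init:unix_stream_socket { read write };` line directly above; the logd exemption is inferred from the domain name and should be confirmed against vendor_init's actual logging path. Note that `neverallow_establish_socket_comms` governs establishing connections, so sockets handed over as inherited file descriptors are outside its scope and should be controlled by the existing read/write rules.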
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index f956af82b..dbc88faed 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@ init_daemon_domain(vndservicemanager);
 allow vndservicemanager self:binder set_context_mgr;
 
 # transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
 
-- 
GitLab