From a730e50bd93cd058b271ce3a4affcc6ac75da58b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 3 Jan 2014 20:44:07 -0800
Subject: [PATCH] Don't allow zygote init:binder call

init can't handle binder calls. Allowing init:binder call is
always incorrect: such a call means a binder call is reaching
a service that has no SELinux domain of its own. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50
---
 domain.te     | 4 ++++
 unconfined.te | 2 +-
 zygote.te     | 1 -
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index ff641bd3a..4aa9c10e6 100644
--- a/domain.te
+++ b/domain.te
@@ -166,3 +166,7 @@ neverallow { domain -init } proc_security:file { append write };
 
 # No domain should be allowed to ptrace init.
 neverallow domain init:process ptrace;
+
+# Init can't receive binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow domain init:binder call;
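Review bot: The new neverallow at the end of the hunk forbids only `call`, while the companion unconfined.te change in this patch withdraws `transfer` and `set_context_mgr` toward init as well, so a domain could still be granted `transfer` or `set_context_mgr` on init without tripping this rule. If the intent is that init never participates in binder at all, widening the rule to `neverallow domain init:binder *;` would pin that and mirror the `netif *` wildcard already used in unconfined.te; if only `call` is meant to be forbidden, the preceding comment should say so explicitly. The comment's "probably due to a service with no SELinux domain" is the right hint for whoever hits this at build time; consider also naming the fix, e.g. `# Give the service its own domain instead of allowing this.`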
diff --git a/unconfined.te b/unconfined.te
index 45c829201..bdebf3a2c 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -38,5 +38,5 @@ allow unconfineddomain netif_type:netif *;
 allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer set_context_mgr };
+allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
 allow unconfineddomain property_type:property_service set;
diff --git a/zygote.te b/zygote.te
index 5d1f489ed..9092457e4 100644
--- a/zygote.te
+++ b/zygote.te
@@ -47,7 +47,6 @@ allow zygote zygote_exec:file { execute_no_trans open };
 
 # handle bugreports b/10498304
 allow zygote ashmem_device:chr_file execute;
-allow zygote init:binder call;
 allow zygote shell_data_file:file { write getattr };
 allow zygote system_server:binder { transfer call };
 allow zygote servicemanager:binder { call };
-- 
GitLab