Merge "Assert ban on framework <-> vendor comms over VndBinder" into oc-dev

a9d7b895 · Alex Klyubin · Android (Google) Code Review · 26564ce7 · 00657834 · a9d7b895
Commit a9d7b895 authored 7 years ago by Alex Klyubin Committed by Android (Google) Code Review 7 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -21,6 +21,10 @@ neverallow all_untrusted_apps debugfs_type:file read;
 # services.
 neverallow all_untrusted_apps service_manager_type:service_manager add;

+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
 # Do not allow untrusted apps to connect to the property service
 # or set properties. b/10243159
 neverallow all_untrusted_apps property_socket:sock_file write;

--- a/public/domain.te
+++ b/public/domain.te
@@ -559,6 +559,27 @@ full_treble_only(`
  } servicemanager:binder { call transfer };
 ')

+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+  } vndbinder_device:chr_file rw_file_perms;
+  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservice_manager_type:service_manager *;
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservicemanager:binder *;
+')
+
 # On full TREBLE devices, socket communications between core components and vendor components are
 # not permitted.
 full_treble_only(`

--- a/public/init.te
+++ b/public/init.te
@@ -205,7 +205,13 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read

 # init should not be able to read or open generic devices
 # TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+  dev_type
+  -kmem_device
+  -port_device
+  -device
+  -vndbinder_device
+  }:chr_file { read open };
 auditallow init {
  dev_type
  -alarm_device

--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,7 +9,12 @@ type servicemanager_exec, exec_type, file_type;
 # created by other domains.  It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+  domain
+  -init
+  -hwservicemanager
+  -vndservicemanager
+}:binder transfer;

 # Access to all (system and vendor) service_contexts
 # TODO(b/36866029) access to nonplat_service_contexts