From c9d4a86d0ab87ab3ba3849ffc0baafc046518b0f Mon Sep 17 00:00:00 2001 From: Sandeep Patil <sspatil@google.com> Date: Fri, 11 Aug 2017 16:00:23 -0700 Subject: [PATCH] DO NOT MERGE: Revert "Revert "Remove neverallow preventing hwservice access for apps."" This reverts commit ceed720415bc9c4a431af5cfc86aef814c3a91cc. New HALs services that are added in the policy while the CL was reverted will are not made visible to applications by default. They are: hal_neuralnetworks_hwservice hal_wifi_offload_hwservice system_net_netd_hwservice thermalcallback_hwservice Bug: 64578796 Test: Boot device Change-Id: I84d65baddc757a5b0a38584430eff79a383aa8e0 Signed-off-by: Sandeep Patil <sspatil@google.com> --- private/app_neverallows.te | 65 +++++++++++++++++++++++++++++++----- private/compat/26.0/26.0.cil | 1 - public/attributes | 9 +++++ 3 files changed, 65 insertions(+), 10 deletions(-) diff --git a/private/app_neverallows.te b/private/app_neverallows.te index 46c7e2225..9ad7cfed6 100644 --- a/private/app_neverallows.te +++ b/private/app_neverallows.te 
@@ -137,21 +137,68 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 # incidence rate of security issues than system/core components and have
 # access to lower layes of the stack (all the way down to hardware) thus
 # increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
 neverallow all_untrusted_apps {
 hwservice_manager_type
- # Same process services are safe because they by definition run in the process
- # of the client and thus have the same access as the client domain in which
- # the process runs
 -same_process_hwservice
- -coredomain_hwservice # neverallows for coredomain HwBinder services are below
- -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
- # These operations are also offered by surfaceflinger Binder service which
- # apps are permitted to access
+ -coredomain_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
 -hal_graphics_allocator_hwservice
- # HwBinder version of mediacodec Binder service which apps were permitted to
- # access
 -hal_omx_hwservice
 -hal_cas_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_neuralnetworks_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_offload_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
+ system_net_netd_hwservice
+ thermalcallback_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to
vendor components) # are considered somewhat safer due to point #2 above. diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil index 7106a90a5..40bec840f 100644 --- a/private/compat/26.0/26.0.cil +++ b/private/compat/26.0/26.0.cil @@ -5,7 +5,6 @@ (typeattribute hal_wifi_keystore) (typeattribute hal_wifi_keystore_client) (typeattribute hal_wifi_keystore_server) -(typeattribute untrusted_app_visible_hwservice) ;; types removed from current policy (type asan_reboot_prop) diff --git a/public/attributes b/public/attributes index 7ee7dafbf..ffd6316ae 100644 --- a/public/attributes +++ b/public/attributes @@ -148,6 +148,15 @@ expandattribute socket_between_core_and_vendor_violators false; attribute vendor_executes_system_violators; expandattribute vendor_executes_system_violators false; +# hwservices that are accessible from untrusted applications +# WARNING: Use of this attribute should be avoided unless +# absolutely necessary. It is a temporary allowance to aid the +# transition to treble and will be removed in a future platform +# version, requiring all hwservices that are labeled with this +# attribute to be submitted to AOSP in order to maintain their +# app-visibility. +attribute untrusted_app_visible_hwservice; + # PDX services attribute pdx_endpoint_dir_type; attribute pdx_endpoint_socket_type; -- GitLab
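Review bot: The deny-list added under `# Make sure that the following services are never accessible by untrusted_apps` in private/app_neverallows.te is a hand-maintained enumeration, so a hwservice type introduced later and not appended here can be made app-visible by any policy that attaches `untrusted_app_visible_hwservice` to it; the commit message itself shows this cost, since hal_neuralnetworks_hwservice, hal_wifi_offload_hwservice, system_net_netd_hwservice and thermalcallback_hwservice had to be added by hand while the change was reverted. A comment above that block, `# Every new hwservice type added to the policy must also be listed here; omitting it lets a policy expose it to untrusted apps by labeling it untrusted_app_visible_hwservice.`, would make the obligation visible to the next person adding a HAL. The added `neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302` line explains nothing beyond the bug id, so a short comment stating what it guards against would help readers who cannot follow the tracker link. Also, `becuase` in the new `hal_configstore_ISurfaceFlingerConfigs` comment line should read `because`.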
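Review bot: The comment on the new `attribute untrusted_app_visible_hwservice;` in public/attributes warns against using it but does not tell policy authors that the attribute has a hard limit: the private/app_neverallows.te change in this same commit keeps a fixed set of hwservice types (hal_keymaster_hwservice, hal_gatekeeper_hwservice and the rest of that list) unreachable from untrusted apps regardless of this label. Appending `# Types named in the explicit neverallow list in private/app_neverallows.te stay hidden from untrusted apps even when labeled with this attribute.` to the comment would point vendors at the enforcement and keep the two files in sync. Since the attribute is declared in the public policy it is presumably attachable from vendor policy, which is why that neverallow list is the remaining guard and worth cross-referencing here.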