DO NOT MERGE: Revert "Revert "Remove neverallow preventing hwservice access for apps.""

This reverts commit ceed7204. New HALs services that are added in the policy while the CL was reverted will are not made visible to applications by default. They are: hal_neuralnetworks_hwservice hal_wifi_offload_hwservice system_net_netd_hwservice thermalcallback_hwservice Bug: 64578796 Test: Boot device Change-Id: I84d65baddc757a5b0a38584430eff79a383aa8e0 Signed-off-by: Sandeep Patil <sspatil@google.com>

DO NOT MERGE: Revert "Revert "Remove neverallow preventing hwservice access for apps.""
This reverts commit ceed7204. New HALs services that are added in the policy while the CL was reverted will are not made visible to applications by default. They are: hal_neuralnetworks_hwservice hal_wifi_offload_hwservice system_net_netd_hwservice thermalcallback_hwservice Bug: 64578796 Test: Boot device Change-Id: I84d65baddc757a5b0a38584430eff79a383aa8e0 Signed-off-by: Sandeep Patil <sspatil@google.com>
c9d4a86d · Sandeep Patil · 1d5131e9 · c9d4a86d · c9d4a86d · c9d4a86d
Commit c9d4a86d authored 7 years ago by Sandeep Patil
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -137,21 +137,68 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 #    incidence rate of security issues than system/core components and have
 #    access to lower layes of the stack (all the way down to hardware) thus
 #    increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+#   of the client and thus have the same access as the client domain in which
+#   the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+#   associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
+#   designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+#   by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+#   Binder service which apps were permitted to access.
 neverallow all_untrusted_apps {
  hwservice_manager_type
-  # Same process services are safe because they by definition run in the process
-  # of the client and thus have the same access as the client domain in which
-  # the process runs
  -same_process_hwservice
-  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+  -coredomain_hwservice
-  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+  -hal_configstore_ISurfaceFlingerConfigs
-  # These operations are also offered by surfaceflinger Binder service which
-  # apps are permitted to access
  -hal_graphics_allocator_hwservice
-  # HwBinder version of mediacodec Binder service which apps were permitted to
-  # access
  -hal_omx_hwservice
  -hal_cas_hwservice
+  -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_audio_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_neuralnetworks_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_offload_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
+  system_net_netd_hwservice
+  thermalcallback_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.

--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -5,7 +5,6 @@
 (typeattribute hal_wifi_keystore)
 (typeattribute hal_wifi_keystore_client)
 (typeattribute hal_wifi_keystore_server)
-(typeattribute untrusted_app_visible_hwservice)
 ;; types removed from current policy
 (type asan_reboot_prop)

--- a/public/attributes
+++ b/public/attributes
@@ -148,6 +148,15 @@ expandattribute socket_between_core_and_vendor_violators false;
 attribute vendor_executes_system_violators;
 expandattribute vendor_executes_system_violators false;
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary.  It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;